
From nobody Wed Jul  1 06:14:29 2020
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 307423A0AB3; Wed,  1 Jul 2020 06:14:23 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.6.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: oauth@ietf.org
Message-ID: <159360926310.29368.17616782975245600683@ietfa.amsl.com>
Date: Wed, 01 Jul 2020 06:14:23 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KRrVADlHKRiWgqwaB6HGVN-IFNU>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-24.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 13:14:23 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
        Authors         : Nat Sakimura
                          John Bradley
	Filename        : draft-ietf-oauth-jwsreq-24.txt
	Pages           : 33
	Date            : 2020-07-01

Abstract:
   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
   query parameter serialization, which means that Authorization Request
   parameters are encoded in the URI of the request and sent through
   user agents such as web browsers.  While it is easy to implement, it
   means that (a) the communication through the user agents are not
   integrity protected and thus the parameters can be tainted, and (b)
   the source of the communication is not authenticated.  Because of
   these weaknesses, several attacks to the protocol have now been put
   forward.

   This document introduces the ability to send request parameters in a
   JSON Web Token (JWT) instead, which allows the request to be signed
   with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
   (JWE) so that the integrity, source authentication and
   confidentiality property of the Authorization Request is attained.
   The request can be sent by value or by reference.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-24
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-24

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-24


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



From nobody Wed Jul  1 10:29:54 2020
Return-Path: <tangui.lepense@mail.ru>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4482D3A0403; Wed,  1 Jul 2020 10:29:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mail.ru
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YqBT_OubV2Pp; Wed,  1 Jul 2020 10:29:47 -0700 (PDT)
Received: from smtp60.i.mail.ru (smtp60.i.mail.ru [217.69.128.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E63C03A0645; Wed,  1 Jul 2020 10:29:42 -0700 (PDT)
Received: by smtp60.i.mail.ru with esmtpa (envelope-from <tangui.lepense@mail.ru>) id 1jqgYG-0002t7-Ns; Wed, 01 Jul 2020 20:29:41 +0300
To: oauth@ietf.org, internet-drafts@ietf.org, i-d-announce@ietf.org
References: <159360926310.29368.17616782975245600683@ietfa.amsl.com>
From: Tangui Le Pense <tangui.lepense@mail.ru>
Message-ID: <040466fc-f05b-13a7-8981-eff63552d570@mail.ru>
Date: Wed, 1 Jul 2020 20:29:40 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <159360926310.29368.17616782975245600683@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Authentication-Results: smtp60.i.mail.ru; auth=pass smtp.auth=tangui.lepense@mail.ru smtp.mailfrom=tangui.lepense@mail.ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Frhm8o-6xl-xfDe1IlZ65Rcu_yU>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-24.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 17:29:52 -0000

Hello,

There seems to be a typo:

9.2 and 9.3: "require_signed_request_objects"

10.5: "require_signed_request_object"

Regards,

-- 

Tangui

01.07.2020 16:14, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>          Title           : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
>          Authors         : Nat Sakimura
>                            John Bradley
> 	Filename        : draft-ietf-oauth-jwsreq-24.txt
> 	Pages           : 33
> 	Date            : 2020-07-01
>
> Abstract:
>     The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>     query parameter serialization, which means that Authorization Request
>     parameters are encoded in the URI of the request and sent through
>     user agents such as web browsers.  While it is easy to implement, it
>     means that (a) the communication through the user agents are not
>     integrity protected and thus the parameters can be tainted, and (b)
>     the source of the communication is not authenticated.  Because of
>     these weaknesses, several attacks to the protocol have now been put
>     forward.
>
>     This document introduces the ability to send request parameters in a
>     JSON Web Token (JWT) instead, which allows the request to be signed
>     with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
>     (JWE) so that the integrity, source authentication and
>     confidentiality property of the Authorization Request is attained.
>     The request can be sent by value or by reference.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-24
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-24
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-24
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From nobody Wed Jul  1 16:41:59 2020
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 54E923A11FD; Wed,  1 Jul 2020 16:41:46 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.7.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: oauth@ietf.org
Message-ID: <159364690629.14685.12665819085520928473@ietfa.amsl.com>
Date: Wed, 01 Jul 2020 16:41:46 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zFbDJhMIBehCpWO_SwmUHgLriHc>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-25.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 23:41:54 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
        Authors         : Nat Sakimura
                          John Bradley
	Filename        : draft-ietf-oauth-jwsreq-25.txt
	Pages           : 33
	Date            : 2020-07-01

Abstract:
   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
   query parameter serialization, which means that Authorization Request
   parameters are encoded in the URI of the request and sent through
   user agents such as web browsers.  While it is easy to implement, it
   means that (a) the communication through the user agents are not
   integrity protected and thus the parameters can be tainted, and (b)
   the source of the communication is not authenticated.  Because of
   these weaknesses, several attacks to the protocol have now been put
   forward.

   This document introduces the ability to send request parameters in a
   JSON Web Token (JWT) instead, which allows the request to be signed
   with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
   (JWE) so that the integrity, source authentication and
   confidentiality property of the Authorization Request is attained.
   The request can be sent by value or by reference.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-25
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-25

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-25


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



From nobody Wed Jul  1 16:43:25 2020
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C76EA3A123B; Wed,  1 Jul 2020 16:43:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1E-ZmKKeXZe4; Wed,  1 Jul 2020 16:43:14 -0700 (PDT)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95A8B3A1258; Wed,  1 Jul 2020 16:43:13 -0700 (PDT)
Received: by mail-wr1-x433.google.com with SMTP id s10so25837288wrw.12; Wed, 01 Jul 2020 16:43:13 -0700 (PDT)
X-Received: by 2002:a5d:6cce:: with SMTP id c14mr27507023wrc.377.1593646991886;  Wed, 01 Jul 2020 16:43:11 -0700 (PDT)
MIME-Version: 1.0
References: <159360926310.29368.17616782975245600683@ietfa.amsl.com> <040466fc-f05b-13a7-8981-eff63552d570@mail.ru>
In-Reply-To: <040466fc-f05b-13a7-8981-eff63552d570@mail.ru>
From: Nat Sakimura <sakimura@gmail.com>
Date: Thu, 2 Jul 2020 08:43:00 +0900
Message-ID: <CABzCy2C1AEq16u-VAAPU27x_RoLaf6nkhr556gUtJL58hTOPPA@mail.gmail.com>
To: Tangui Le Pense <tangui.lepense=40mail.ru@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>, internet-drafts@ietf.org, i-d-announce@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d94c8e05a969da6a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/B3_0DqtN1jTp8vEiLHHIOe0rWLM>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-24.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 23:43:24 -0000

--000000000000d94c8e05a969da6a
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Thanks for the quick check. I updated the draft.
Also, Mike Jones pointed out to me that 'It MUST also reject the request if the
request object uses "alg":"none".' needs to be added, so I did.

On Thu, Jul 2, 2020 at 2:30 AM Tangui Le Pense
<tangui.lepense=40mail.ru@dmarc.ietf.org> wrote:

> Hello,
>
> There seems to be a typo:
>
> 9.2 and 9.3: "require_signed_request_objects"
>
> 10.5: "require_signed_request_object"
>
> Regards,
>
> --
>
> Tangui
>
> 01.07.2020 16:14, internet-drafts@ietf.org wrote:
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the Web Authorization Protocol WG of the IETF.
> >
> >          Title           : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
> >          Authors         : Nat Sakimura
> >                            John Bradley
> >       Filename        : draft-ietf-oauth-jwsreq-24.txt
> >       Pages           : 33
> >       Date            : 2020-07-01
> >
> > Abstract:
> >     The authorization request in OAuth 2.0 described in RFC 6749 utilizes
> >     query parameter serialization, which means that Authorization Request
> >     parameters are encoded in the URI of the request and sent through
> >     user agents such as web browsers.  While it is easy to implement, it
> >     means that (a) the communication through the user agents are not
> >     integrity protected and thus the parameters can be tainted, and (b)
> >     the source of the communication is not authenticated.  Because of
> >     these weaknesses, several attacks to the protocol have now been put
> >     forward.
> >
> >     This document introduces the ability to send request parameters in a
> >     JSON Web Token (JWT) instead, which allows the request to be signed
> >     with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
> >     (JWE) so that the integrity, source authentication and
> >     confidentiality property of the Authorization Request is attained.
> >     The request can be sent by value or by reference.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-24
> > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-24
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-24
> >
> >
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

--000000000000d94c8e05a969da6a--
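
Added example, not part of the thread or of the draft: a minimal request-object check illustrating the rule quoted in the message above, that a request object using "alg":"none" is rejected. It assumes HS256 with a shared client secret, models "require_signed_request_object" as a boolean flag, and uses constructed keys and claims; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json


class InvalidRequestObject(Exception):
    """The authorization server must reject this request object."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_request_object(header: dict, claims: dict, key: bytes = b"") -> str:
    """Build a compact JWS for the demo: HS256-signed, or unsecured otherwise."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    if header.get("alg") == "HS256":
        tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(tag)
    return signing_input + "."  # unsecured JWS: empty signature segment


def validate_request_object(jws: str, key: bytes,
                            require_signed_request_object: bool) -> dict:
    """Return the claims, or raise InvalidRequestObject.

    The algorithm is checked against an allow-list before any claim is used,
    so "none" (and any unexpected value such as "None") never reaches the
    code that trusts the payload.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise InvalidRequestObject("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise InvalidRequestObject("malformed request object") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidRequestObject("header and payload must be JSON objects")

    alg = header.get("alg")
    if alg == "none":
        if require_signed_request_object:
            raise InvalidRequestObject('"alg":"none" is not acceptable')
        if signature:
            raise InvalidRequestObject("unsecured JWS must have no signature")
        return claims  # demo assumption: unsigned tolerated only without the flag
    if alg != "HS256":
        raise InvalidRequestObject("unsupported alg")

    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidRequestObject("signature verification failed")
    return claims


def is_rejected(jws: str, key: bytes, require_signed: bool) -> bool:
    try:
        validate_request_object(jws, key, require_signed)
    except InvalidRequestObject:
        return True
    return False


# Constructed sample values, for illustration only.
KEY = b"constructed-demo-secret-not-a-real-key"
CLAIMS = {
    "iss": "s6BhdRkqt3",
    "aud": "https://server.example.com",
    "response_type": "code",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.org/cb",
    "scope": "openid",
}

if __name__ == "__main__":
    signed = make_request_object({"alg": "HS256", "typ": "JWT"}, CLAIMS, KEY)
    unsigned = make_request_object({"alg": "none"}, CLAIMS)
    print("signed, flag on   ->", "rejected" if is_rejected(signed, KEY, True) else "accepted")
    print("unsigned, flag on ->", "rejected" if is_rejected(unsigned, KEY, True) else "accepted")
```
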


From nobody Thu Jul  2 14:48:35 2020
Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29EB03A0BE5 for <oauth@ietfa.amsl.com>; Thu,  2 Jul 2020 14:48:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oaJ9Iy8wfwrg for <oauth@ietfa.amsl.com>; Thu,  2 Jul 2020 14:48:32 -0700 (PDT)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E2C33A0BE4 for <oauth@ietf.org>; Thu,  2 Jul 2020 14:48:31 -0700 (PDT)
Received: by mail-wm1-x32c.google.com with SMTP id f139so30450276wmf.5 for <oauth@ietf.org>; Thu, 02 Jul 2020 14:48:31 -0700 (PDT)
X-Received: by 2002:a1c:a70d:: with SMTP id q13mr32057555wme.55.1593726510340;  Thu, 02 Jul 2020 14:48:30 -0700 (PDT)
MIME-Version: 1.0
References: <DBBPR04MB62030791FDEE994D12636416DC960@DBBPR04MB6203.eurprd04.prod.outlook.com> <CADC2B08-C885-40E9-B648-5128857AA4BD@lodderstedt.net>
In-Reply-To: <CADC2B08-C885-40E9-B648-5128857AA4BD@lodderstedt.net>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Thu, 2 Jul 2020 17:48:19 -0400
Message-ID: <CADNypP8JSaNyYimLACtA8uXsAkDwkKNQMCOzDAKpFYrY4CoAXw@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Falk Andreas <Andreas.Falk@novatec-gmbh.de>, Dick Hardt <dick.hardt@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000849e4e05a97c5ef4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kjaGEb81js9wGESi_lDHydoK5Og>
Subject: Re: [OAUTH-WG] A proposal for OAuth WG Interim Meetings in place of IETF108
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2020 21:48:34 -0000

--000000000000849e4e05a97c5ef4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

All,

Unfortunately, based on the following email from the IESG, we will not be
able to host any interim meetings before IETF108:
https://mailarchive.ietf.org/arch/msg/ietf/dQlwTFZGOgx1rpoGc-KD_ZG8evg/

The plan now is to start these interim meetings in *August*.

Regards,
 Rifaat & Hannes

On Sun, Jun 21, 2020 at 5:41 PM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

> +1
>
> On 21.06.2020 at 22:39, Falk Andreas <Andreas.Falk@novatec-gmbh.de> wrote:
>
> +1
> ------------------------------
> *From:* OAuth <oauth-bounces@ietf.org> on behalf of Dick Hardt <
> dick.hardt@gmail.com>
> *Sent:* Sunday, 21 June 2020 20:42
> *To:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> *Cc:* oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] A proposal for OAuth WG Interim Meetings in
> place of IETF108
>
> +1
>
> On Sat, Jun 20, 2020 at 12:34 PM Rifaat Shekh-Yusef <
> rifaat.s.ietf@gmail.com> wrote:
>
> All,
>
> As you know, IETF108 will be online, and based on the discussion during
> the last interim meeting series, our plan is to schedule another series of
> these meetings for the OAuth WG.
> Based on the WG feedback, the plan is to have a series of *one hour*
> meetings, and to discuss *one document* per meeting.
>
> Based on the above, we would like to get the WG opinion on the following
> proposal:
>
> 1. Meeting day/time would be *Monday @ 12:00pm Eastern Time *(same as the
> last interim series)
>
> 2. Have around 9 meetings spread over 3 months:
>
>    - *July *meetings, before IETF108: *July 6, 13, and 20*
>    - *August* meetings: *August 3, 10, 17*
>    - *September *meetings: *September 7, 14, 21*
>
>
> Thoughts?
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--000000000000849e4e05a97c5ef4--


From nobody Sun Jul  5 12:49:53 2020
Return-Path: <noreply@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F5A03A0AB9; Sun,  5 Jul 2020 12:49:52 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Rifaat Shekh-Yusef via Datatracker <noreply@ietf.org>
To: <rdd@cert.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 7.7.0
Auto-Submitted: auto-generated
Precedence: bulk
Cc: iesg-secretary@ietf.org, rifaat.s.ietf@gmail.com, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth@ietf.org, oauth-chairs@ietf.org
Message-ID: <159397859217.25691.15197946443296403823@ietfa.amsl.com>
Date: Sun, 05 Jul 2020 12:49:52 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/m0h5eqFZzFBX9KeSs_m7IIiDZMc>
Subject: [OAUTH-WG] Publication has been requested for draft-ietf-oauth-jwt-introspection-response-09
X-List-Received-Date: Sun, 05 Jul 2020 19:49:52 -0000

Rifaat Shekh-Yusef has requested publication of draft-ietf-oauth-jwt-introspection-response-09 as Proposed Standard on behalf of the OAUTH working group.

Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-introspection-response/



From nobody Mon Jul  6 09:32:49 2020
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
From: Neil Madden <neil.madden@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C6D0F3D7-FCF4-4162-A11B-4240BB686244"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Message-Id: <19057F94-1B09-4376-86A3-78662DCA5836@forgerock.com>
Date: Mon, 6 Jul 2020 17:32:39 +0100
To: oauth <oauth@ietf.org>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CRumN2jZTYocZKu_0ur5DSsg4Qo>
Subject: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-List-Received-Date: Mon, 06 Jul 2020 16:32:47 -0000

--Apple-Mail=_C6D0F3D7-FCF4-4162-A11B-4240BB686244
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I’m reading draft-ietf-oauth-rar-01 in a bit more detail now I have some
time, and I have a few comments.

An assumption in the draft appears to be that the client knows ahead of
time what it wants to gain access to and can describe it in detail. For
example, the last example in section 2.1 is a client requesting access
to particular files, which assumes that the client already knows the
paths of the files it wants to access. This in turn seems to imply that
the client already has some level of access to be able to determine
this, e.g. to list directories, which may not be desirable. In many
cases like this I think it’s more natural for the client to not know
exactly what it is asking for but instead to want access to *some* file,
chosen by the user. An example of this is the Dropbox Chooser [1] and
Saver [2] APIs, which notably are not built on top of OAuth. In these
cases it would be more natural for the client to send a more generic
request and for the details to be filled in by the user as part of the
consent process.

Another issue is that as far as I can see in the current draft, any
client can initiate a rich authorization request at any time without any
kind of prior approval. This seems problematic for the main example in
the draft, i.e. payment initiation. As an attacker, if I can get a
consent screen up on a user’s device requesting to move money around
then it seems like half my job is already done - some fraction of users
will probably approve such a transaction without properly checking it.
It feels like the ability to ask for transaction approval should already
be a privileged operation that should require consent and approval.

A related issue is that each approval is in effect a completely isolated
incident. In a normal OAuth2 interaction I would grant an app some
longish-term access to data and it would get an access token and
optionally a refresh token. At some later point I can go to the AS and
see that I have granted this access and revoke it if I choose. With RAR
there is no representation of a long-term relationship between the RO
and the client and each transaction starts from fresh. Again, this seems
potentially problematic and not quite in keeping with how OAuth
currently operates. Each grant of access is ephemeral. (Do refresh
tokens make sense in the context of RAR?)

I think a better approach would be a two-phase authorization process:

1. In step 1 an app gets a normal long-lived access and/or refresh token
that grants it permissions to ask to initiate transactions (RARs) - e.g.
with scope initiate_payments
2. In step 2 the app requests authorization for individual
RARs/transactions using some proof of its grant from step 1

I have ideas for how this could be achieved, but I’d prefer to see what
others think of this general idea rather than getting bogged down in
specific details.

[1]: https://www.dropbox.com/developers/chooser
[2]: https://www.dropbox.com/developers/saver

— Neil

--Apple-Mail=_C6D0F3D7-FCF4-4162-A11B-4240BB686244--
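
The two-phase flow proposed in the message above, sketched from the authorization server's side as an added example (it is not part of the original post and not taken from draft-ietf-oauth-rar). Assumptions: the "proof of its grant from step 1" is the step-1 token itself, the sample request is constructed, and every class, method and mapping name here is hypothetical.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass, field

# Assumption: which RAR "type" values require which step-1 scope.
REQUIRED_SCOPE = {"payment_initiation": "initiate_payments"}

# Constructed sample authorization_details value for a payment request.
SAMPLE_RAR = json.dumps([{
    "type": "payment_initiation",
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "creditorName": "Merchant123",
}])


class RarRejected(Exception):
    """Raised before any consent screen would be shown to the user."""


@dataclass
class Grant:
    client_id: str
    user: str
    scopes: frozenset
    revoked: bool = False
    requests: list = field(default_factory=list)  # RAR history per grant


def _key(token):
    # Index grants by a hash so raw tokens are not kept server-side.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthorizationServer:
    def __init__(self):
        self._grants = {}

    def issue_grant(self, client_id, user, scopes):
        """Step 1: ordinary consent, yielding a long-lived revocable token."""
        token = secrets.token_urlsafe(32)
        self._grants[_key(token)] = Grant(client_id, user, frozenset(scopes))
        return token

    def revoke(self, token):
        self._grants[_key(token)].revoked = True

    def active_grants(self, user):
        """What the resource owner can review and revoke at the AS."""
        return [g for g in self._grants.values()
                if g.user == user and not g.revoked]

    def begin_rar(self, client_id, grant_token, authorization_details):
        """Step 2: decide whether a RAR may reach the consent screen at all."""
        grant = self._grants.get(_key(grant_token))
        if grant is None or grant.revoked:
            raise RarRejected("no active grant")
        if grant.client_id != client_id:
            raise RarRejected("grant belongs to another client")
        try:
            details = json.loads(authorization_details)
        except ValueError:
            raise RarRejected("authorization_details is not valid JSON") from None
        if not isinstance(details, list) or not details:
            raise RarRejected("authorization_details must be a non-empty array")
        for item in details:
            rar_type = item.get("type") if isinstance(item, dict) else None
            needed = REQUIRED_SCOPE.get(rar_type)
            if needed is None:
                raise RarRejected(f"unsupported type {rar_type!r}")
            if needed not in grant.scopes:
                raise RarRejected(f"grant lacks scope {needed}")
        grant.requests.append(details)  # ties the transaction to the grant
        return {"user": grant.user, "client_id": client_id,
                "consent_for": details}


def demo():
    server = AuthorizationServer()
    results = {}

    def attempt(label, client_id, token):
        try:
            server.begin_rar(client_id, token, SAMPLE_RAR)
            results[label] = "consent screen shown"
        except RarRejected as exc:
            results[label] = f"rejected: {exc}"

    attempt("no prior grant", "shop-app", "not-a-real-token")
    read_only = server.issue_grant("shop-app", "alice", ["read_balance"])
    attempt("wrong scope", "shop-app", read_only)
    payments = server.issue_grant("shop-app", "alice", ["initiate_payments"])
    attempt("other client", "other-app", payments)
    attempt("valid grant", "shop-app", payments)
    server.revoke(payments)
    attempt("after revocation", "shop-app", payments)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Only the "valid grant" case reaches the user; every other request is refused before a payment consent screen can be put in front of them, and revoking the step-1 grant cuts off all later transaction requests.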


From nobody Mon Jul  6 09:44:34 2020
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
MIME-Version: 1.0
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 6 Jul 2020 09:43:50 -0700
Message-ID: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007639c505a9c89693"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/O_i_qaT5bYJT4itn3Ks3Siat-X4>
Subject: [OAUTH-WG] OAuth 2.1-03 - WG adoption?
X-List-Received-Date: Mon, 06 Jul 2020 16:44:33 -0000

--0000000000007639c505a9c89693
Content-Type: text/plain; charset="UTF-8"

Aaron, Torsten, and I -- with some help from Daniel -- have created a new
version of draft-parecki-oauth-v2-1. I think we are ready for a WG adoption
call (assuming the updated charter).

Here is the doc:

https://tools.ietf.org/html/draft-parecki-oauth-v2-1-03

Here is a link to the diff from -02:

https://tools.ietf.org/rfcdiff?url2=draft-parecki-oauth-v2-1-03.txt

This version incorporates feedback from the WG, as well as editorial
changes to improve readability. Highlights:

- Appendix of current known extensions, and references to the Appendix so
that readers become aware of related work.

- defined new client type - credentialed clients - a client that has
credentials, but the AS has not confirmed the identity of the client.
Confidential clients have had their identity confirmed by the AS. We talked
about changing the names of confidential and public, but thought that would
be confusing. This new definition cleans up the text substantially.

- consistent use of redirect URI rather than mixing in redirect endpoint
URI and redirect endpoint.

- adopted new language on when PKCE is required.

- removed IANA section (nothing new is in 2.1)

/ Dick

--0000000000007639c505a9c89693--


From nobody Mon Jul  6 14:46:09 2020
Return-Path: <saschapreibisch@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
MIME-Version: 1.0
References: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com>
In-Reply-To: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com>
From: Sascha Preibisch <saschapreibisch@gmail.com>
Date: Mon, 6 Jul 2020 14:44:48 -0700
Message-ID: <CAP=vD9uL2CRFr0ACxtOA=0UiL6soUbS5wGZS0SSLheqfoqC9_Q@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: IETF oauth WG <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BE9YoxehKuUo3YOhODJ6bz3JUa4>
Subject: Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?
X-List-Received-Date: Mon, 06 Jul 2020 21:46:07 -0000

Hi all!

I am reading through this document for the first time. I am mainly
looking at it in comparison to OAuth 2.0 (RFC 6749) and with the eyes
of a developer. I am trying to understand where phrases have changed
and, of course, where features are changing.

What is the best way to provide feedback? In this mailing list?

Thanks,
Sascha

On Mon, 6 Jul 2020 at 09:44, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> Aaron, Torsten, and I -- with some help from Daniel -- have created a new
> version of draft-parecki-oauth-v2-1. I think we are ready for a WG adoption
> call (assuming the updated charter).
>
> Here is the doc:
>
> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-03
>
> Here is a link to the diff from -02:
>
> https://tools.ietf.org/rfcdiff?url2=draft-parecki-oauth-v2-1-03.txt
>
> This version incorporates feedback from the WG, as well as editorial
> changes to improve readability. Highlights:
>
> - Appendix of current known extensions, and references to the Appendix so
> that readers become aware of related work.
>
> - defined new client type - credentialed clients - a client that has
> credentials, but the AS has not confirmed the identity of the client.
> Confidential clients have had their identity confirmed by the AS. We talked
> about changing the names of confidential and public, but thought that would
> be confusing. This new definition cleans up the text substantially.
>
> - consistent use of redirect URI rather than mixing in redirect endpoint
> URI and redirect endpoint.
>
> - adopted new language on when PKCE is required.
>
> - removed IANA section (nothing new is in 2.1)
>
> / Dick
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From nobody Mon Jul  6 15:20:03 2020
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D20C83A0B8C for <oauth@ietfa.amsl.com>; Mon,  6 Jul 2020 15:20:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level: 
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Fc2hLVk1NRN for <oauth@ietfa.amsl.com>; Mon,  6 Jul 2020 15:20:00 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40CB63A0B8A for <oauth@ietf.org>; Mon,  6 Jul 2020 15:19:59 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id q4so11779326lji.2 for <oauth@ietf.org>; Mon, 06 Jul 2020 15:19:59 -0700 (PDT)
X-Received: by 2002:a2e:b607:: with SMTP id r7mr22937074ljn.5.1594073996840; Mon, 06 Jul 2020 15:19:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com> <CAP=vD9uL2CRFr0ACxtOA=0UiL6soUbS5wGZS0SSLheqfoqC9_Q@mail.gmail.com>
In-Reply-To: <CAP=vD9uL2CRFr0ACxtOA=0UiL6soUbS5wGZS0SSLheqfoqC9_Q@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 6 Jul 2020 15:19:20 -0700
Message-ID: <CAD9ie-srhMovGh8pjhas6FdcNSH-KqCPZZkYtrs+ueO-PeeLfw@mail.gmail.com>
To: Sascha Preibisch <saschapreibisch@gmail.com>
Cc: IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/related; boundary="000000000000542cca05a9cd46f5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HfW0yOqsZIh8awuwk7n1ZT2HKcQ>
Subject: Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 22:20:02 -0000

--000000000000542cca05a9cd46f5
Content-Type: multipart/alternative; boundary="000000000000542cc805a9cd46f4"

--000000000000542cc805a9cd46f4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hey Sascha

This slide below from one of Aaron's presentations may help guide you what
OAuth 2.1 is about.

There are no "new" features -- everything already exists.
There are no changed definitions. We added "credentialed" client.

Yes, this list is the right place to discuss the OAuth 2.1 doc ... :)

/Dick

[image: image.png]

On Mon, Jul 6, 2020 at 2:46 PM Sascha Preibisch <saschapreibisch@gmail.com>
wrote:

> Hi all!
>
> I am reading through this document for the first time. I am mainly
> looking at it in comparison to OAuth 2.0 (RFC 6749) and with the eyes
> of a developer. I am trying to understand where phrases have changed
> and, of course, where features are changing.
>
> What is the best way to provide feedback? In this mailing list?
>
> Thanks,
> Sascha
>
> On Mon, 6 Jul 2020 at 09:44, Dick Hardt <dick.hardt@gmail.com> wrote:
> >
> > Aaron, Torsten, and I -- with some help from Daniel -- have created a
> new version of draft-pareck-oauth-v2-1. I think we are ready for a WG
> adoption call (assuming the updated charter).
> >
> > Here is the doc:
> >
> > https://tools.ietf.org/html/draft-parecki-oauth-v2-1-03
> >
> > Here is a link to the diff from -02:
> >
> > https://tools.ietf.org/rfcdiff?url2=draft-parecki-oauth-v2-1-03.txt
> >
> > This version incorporates feedback from the WG, as well as editorial
> changes to improve readability. Highlights:
> >
> > - Appendix of current known extensions, and references to the Appendix
> so that readers become aware of related work.
> >
> > - defined new client type - credentialed clients - a client that has
> credentials, but the AS has not confirmed the identity of the client.
> Confidential clients have had their identity confirmed by the AS. We talked
> about changing the names of confidential and public, but thought that would
> be confusing. This new definition cleans up the text substantially.
> >
> > - consistent use of redirect URI rather than mixing in redirect endpoint
> URI and redirect endpoint.
> >
> > - adopted new language on when PKCE is required.
> >
> > - removed IANA section (nothing new is in 2.1)
> >
> > / Dick
> >
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>

--000000000000542cc805a9cd46f4--

--000000000000542cca05a9cd46f5--


From nobody Mon Jul  6 16:01:20 2020
Return-Path: <saschapreibisch@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8A883A0BD4 for <oauth@ietfa.amsl.com>; Mon,  6 Jul 2020 16:01:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level: 
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eYYvjYx62eGE for <oauth@ietfa.amsl.com>; Mon,  6 Jul 2020 16:01:15 -0700 (PDT)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D7103A0BD1 for <oauth@ietf.org>; Mon,  6 Jul 2020 16:01:15 -0700 (PDT)
Received: by mail-wm1-x334.google.com with SMTP id o8so40911790wmh.4 for <oauth@ietf.org>; Mon, 06 Jul 2020 16:01:14 -0700 (PDT)
X-Received: by 2002:a05:600c:2483:: with SMTP id 3mr1245827wms.120.1594076473249;  Mon, 06 Jul 2020 16:01:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com> <CAP=vD9uL2CRFr0ACxtOA=0UiL6soUbS5wGZS0SSLheqfoqC9_Q@mail.gmail.com> <CAD9ie-srhMovGh8pjhas6FdcNSH-KqCPZZkYtrs+ueO-PeeLfw@mail.gmail.com>
In-Reply-To: <CAD9ie-srhMovGh8pjhas6FdcNSH-KqCPZZkYtrs+ueO-PeeLfw@mail.gmail.com>
From: Sascha Preibisch <saschapreibisch@gmail.com>
Date: Mon, 6 Jul 2020 16:00:00 -0700
Message-ID: <CAP=vD9sMXv6EYmS3zicyJt1PPE_vdqSTMM=kvKfEFe2Nf4ARvA@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/related; boundary="000000000000ef03c005a9cdd9df"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EGg7f-B7pAoDNJmSB_mUbUPOXIM>
Subject: Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 23:01:18 -0000

--000000000000ef03c005a9cdd9df
Content-Type: multipart/alternative; boundary="000000000000ef03bf05a9cdd9de"

--000000000000ef03bf05a9cdd9de
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Thanks, Dick!

That slide compares easier than the documents next to each other, for sure!

I will continue with my comparison and provide feedback as soon as I feel
it's worth talking about it.

Regards,
Sascha

On Mon, 6 Jul 2020 at 15:19, Dick Hardt <dick.hardt@gmail.com> wrote:

> Hey Sascha
>
> This slide below from one of Aaron's presentations may help guide you what
> OAuth 2.1 is about.
>
> There are no "new" features -- everything already exists.
> There are no changed definitions. We added "credentialed" client.
>
> Yes, this list is the right place to discuss the OAuth 2.1 doc ... :)
>
> /Dick
>
> [image: image.png]
>
> On Mon, Jul 6, 2020 at 2:46 PM Sascha Preibisch <saschapreibisch@gmail.com>
> wrote:
>
>> Hi all!
>>
>> I am reading through this document for the first time. I am mainly
>> looking at it in comparison to OAuth 2.0 (RFC 6749) and with the eyes
>> of a developer. I am trying to understand where phrases have changed
>> and, of course, where features are changing.
>>
>> What is the best way to provide feedback? In this mailing list?
>>
>> Thanks,
>> Sascha
>>
>> On Mon, 6 Jul 2020 at 09:44, Dick Hardt <dick.hardt@gmail.com> wrote:
>> >
>> > Aaron, Torsten, and I -- with some help from Daniel -- have created a
>> new version of draft-pareck-oauth-v2-1. I think we are ready for a WG
>> adoption call (assuming the updated charter).
>> >
>> > Here is the doc:
>> >
>> > https://tools.ietf.org/html/draft-parecki-oauth-v2-1-03
>> >
>> > Here is a link to the diff from -02:
>> >
>> > https://tools.ietf.org/rfcdiff?url2=draft-parecki-oauth-v2-1-03.txt
>> >
>> > This version incorporates feedback from the WG, as well as editorial
>> changes to improve readability. Highlights:
>> >
>> > - Appendix of current known extensions, and references to the Appendix
>> so that readers become aware of related work.
>> >
>> > - defined new client type - credentialed clients - a client that has
>> credentials, but the AS has not confirmed the identity of the client.
>> Confidential clients have had their identity confirmed by the AS. We talked
>> about changing the names of confidential and public, but thought that would
>> be confusing. This new definition cleans up the text substantially.
>> >
>> > - consistent use of redirect URI rather than mixing in redirect
>> endpoint URI and redirect endpoint.
>> >
>> > - adopted new language on when PKCE is required.
>> >
>> > - removed IANA section (nothing new is in 2.1)
>> >
>> > / Dick
>> >
>> >
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>>
>

--000000000000ef03bf05a9cdd9de--

--000000000000ef03c005a9cdd9df--


From nobody Tue Jul  7 11:46:45 2020
Return-Path: <saschapreibisch@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC8CF3A0920 for <oauth@ietfa.amsl.com>; Tue,  7 Jul 2020 11:46:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level: 
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id einhTT1Cf0Yz for <oauth@ietfa.amsl.com>; Tue,  7 Jul 2020 11:46:41 -0700 (PDT)
Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com [IPv6:2a00:1450:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53F543A0927 for <oauth@ietf.org>; Tue,  7 Jul 2020 11:46:36 -0700 (PDT)
Received: by mail-wr1-x432.google.com with SMTP id f18so38267259wrs.0 for <oauth@ietf.org>; Tue, 07 Jul 2020 11:46:36 -0700 (PDT)
X-Received: by 2002:adf:f452:: with SMTP id f18mr54455548wrp.389.1594147594505;  Tue, 07 Jul 2020 11:46:34 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com> <CAP=vD9uL2CRFr0ACxtOA=0UiL6soUbS5wGZS0SSLheqfoqC9_Q@mail.gmail.com> <CAD9ie-srhMovGh8pjhas6FdcNSH-KqCPZZkYtrs+ueO-PeeLfw@mail.gmail.com>
In-Reply-To: <CAD9ie-srhMovGh8pjhas6FdcNSH-KqCPZZkYtrs+ueO-PeeLfw@mail.gmail.com>
From: Sascha Preibisch <saschapreibisch@gmail.com>
Date: Tue, 7 Jul 2020 11:45:21 -0700
Message-ID: <CAP=vD9tD_VjPxY9iE6TaJbdxrMoM_4qxNNEbCTCobhCreEZesQ@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/related; boundary="00000000000017930705a9de699f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nbo4YdN2R2_DkXnx7ItXwe1PgSI>
Subject: Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2020 18:46:44 -0000

--00000000000017930705a9de699f
Content-Type: multipart/alternative; boundary="00000000000017930505a9de699e"

--00000000000017930505a9de699e
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Dick and all others!

I have started to write my feedback. This is the first part, please let me
know if it works like this.

I have compared these documents:

- https://tools.ietf.org/html/draft-parecki-oauth-v2-1-03 (draft)
- https://tools.ietf.org/html/rfc6749v (current)

I am addressing changes in the format of the document and the content.
In general, I am a fan of required changes only. If wordings change,
it may cause more confusion than it helps, especially if the message
is still the same as before.

Thanks,
Sascha

===


General:
- keep the format of the current document. It makes it easier to find
actual differences
- for example: in diagrams keep (A), (B), ... instead of (1), (2), ....
- in the section 'OAuth defines four roles' keep 'resource owner\n'
instead of "resource owner": . The same for all other roles. I do not
see any value content wise or in regards to the readability of the
document
- Lists in current use 'o' whereas draft uses '*'. If it stays the
same, comparisons show fewer differences

Section: 1.1 Roles
-------------------------

"OAuth defines four roles"
- for 'resource owner' and 'authorization server' add the abbreviation
to the name, i.e.: resource owner (RO)
- I believe resource owner and authorization server are not sometimes
abbreviated as RO or AS but always

Section 2. Client Registration
-------------------------

Draft and current document:
"When registering a client, the client developer SHALL"
- It would be good to change SHALL to MUST
- As far as I understand they are semantically equal but SHALL often
causes discussions in dev teams as it is interpreted as 'MAYBE OR
MAYBE NOT'
- This is also the only location where SHALL is used

Section 2.1. Client Types
-------------------------

Draft:
"OAuth 2.1 defines three client types:"

Current:
"OAuth defines two client types, based on their ability to
authenticate securely with the authorization server (i.e., ability to
maintain the confidentiality of their client credentials):"

I would like to see this text in the draft. It emphasizes the main
difference between client types:
"... based on their ability to authenticate securely with the
authorization server (i.e., ability to maintain the confidentiality of
their client credentials)"

===

Draft:

"Confidential"
- the description has changed. Are existing confidential clients still
of type confidential?

"Credentialed"
- Is this a 'to be' confidential client?
- If the credentials have been registered at the AS, how are they not
also confirmed at the same time?
- If this is meant as a client that can act as a public and
confidential client, depending on the flow, maybe that could be
expressed here. If that is the case, it should be listed as the third
option. That way, its description could reference confidential and
public
- Suggestion: "Clients that have credentials and are able to act as
public and confidential client"

"Public"
- the description now states these are clients without credentials. Do
they still have a client_id?
- Suggestion: Clients incapable of maintaining a client secret

===

Draft:
- "browser-based application"

Current:
- user-agent-based application

- Were these terms changed due to a general change in the language the
developers use?
- Otherwise, if there is no urgent reason, I am suggesting to keep the
current definition


On Mon, 6 Jul 2020 at 15:19, Dick Hardt <dick.hardt@gmail.com> wrote:

> Hey Sascha
>
> This slide below from one of Aaron's presentations may help guide you what
> OAuth 2.1 is about.
>
> There are no "new" features -- everything already exists.
> There are no changed definitions. We added "credentialed" client.
>
> Yes, this list is the right place to discuss the OAuth 2.1 doc ... :)
>
> /Dick
>
> [image: image.png]
>
> On Mon, Jul 6, 2020 at 2:46 PM Sascha Preibisch <saschapreibisch@gmail.com>
> wrote:
>
>> Hi all!
>>
>> I am reading through this document for the first time. I am mainly
>> looking at it in comparison to OAuth 2.0 (RFC 6749) and with the eyes
>> of a developer. I am trying to understand where phrases have changed
>> and, of course, where features are changing.
>>
>> What is the best way to provide feedback? In this mailing list?
>>
>> Thanks,
>> Sascha
>>
>> On Mon, 6 Jul 2020 at 09:44, Dick Hardt <dick.hardt@gmail.com> wrote:
>> >
>> > Aaron, Torsten, and I -- with some help from Daniel -- have created a
>> new version of draft-parecki-oauth-v2-1. I think we are ready for a WG
>> adoption call (assuming the updated charter).
>> >
>> > Here is the doc:
>> >
>> > https://tools.ietf.org/html/draft-parecki-oauth-v2-1-03
>> >
>> > Here is a link to the diff from -02:
>> >
>> > https://tools.ietf.org/rfcdiff?url2=draft-parecki-oauth-v2-1-03.txt
>> >
>> > This version incorporates feedback from the WG, as well as editorial
>> changes to improve readability. Highlights:
>> >
>> > - Appendix of current known extensions, and references to the Appendix
>> so that readers become aware of related work.
>> >
>> > - defined new client type - credentialed clients - a client that has
>> credentials, but the AS has not confirmed the identity of the client.
>> Confidential clients have had their identity confirmed by the AS. We talked
>> about changing the names of confidential and public, but thought that would
>> be confusing. This new definition cleans up the text substantially.
>> >
>> > - consistent use of redirect URI rather than mixing in redirect
>> endpoint URI and redirect endpoint.
>> >
>> > - adopted new language on when PKCE is required.
>> >
>> > - removed IANA section (nothing new is in 2.1)
>> >
>> > / Dick
>> >
>> >
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>>
>

--00000000000017930505a9de699e--

--00000000000017930705a9de699f--


From nobody Tue Jul  7 13:08:56 2020
Return-Path: <vladimir@connect2id.com>
To: oauth@ietf.org
References: <19057F94-1B09-4376-86A3-78662DCA5836@forgerock.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <c1dc7ae2-e64c-8440-3e7d-7c956145e1e6@connect2id.com>
Date: Tue, 7 Jul 2020 23:08:50 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <19057F94-1B09-4376-86A3-78662DCA5836@forgerock.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms010300010300020303020101"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ktHq031tcPbinj-vvHuhGuJ1T-w>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

This is a cryptographically signed message in MIME format.

--------------ms010300010300020303020101
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US


On 06/07/2020 19:32, Neil Madden wrote:
> I’m reading draft-ietf-oauth-rar-01 in a bit more detail now I have
> some time, and I have a few comments.
>
> An assumption in the draft appears to be that the client knows ahead
> of time what it wants to gain access to and can describe it in detail.
> For example, the last example in section 2.1 is a client requesting
> access to particular files, which assumes that the client already
> knows the paths of the files it wants to access. This in turn seems to
> imply that the client already has some level of access to be able to
> determine this, e.g. to list directories, which may not be desirable.
> In many cases like this I think it’s more natural for the client to
> not know exactly what it is asking for but instead to want access to
> *some* file, chosen by the user. An example of this is the Dropbox
> Chooser [1] and Saver [2] APIs, which notably are not built on top of
> OAuth. In these cases it would be more natural for the client to send
> a more generic request and for the details to be filled in by the user
> as part of the consent process.
>
> Another issue is that as far as I can see in the current draft, any
> client can initiate a rich authorization request at any time without
> any kind of prior approval. This seems problematic for the main
> example in the draft, i.e. payment initiation. As an attacker, if I
> can get a consent screen up on a user’s device requesting to move
> money around then it seems like half my job is already done - some
> fraction of users will probably approve such a transaction without
> properly checking it. It feels like the ability to ask for transaction
> approval should already be a privileged operation that should require
> consent and approval.
>
> A related issue is that each approval is in effect a completely
> isolated incident. In a normal OAuth2 interaction I would grant an app
> some longish-term access to data and it would get an access token and
> optionally a refresh token. At some later point I can go to the AS and
> see that I have granted this access and revoke it if I choose. With
> RAR there is no representation of a long-term relationship between the
> RO and the client and each transaction starts from fresh. Again, this
> seems potentially problematic and not quite in keeping with how OAuth
> currently operates. Each grant of access is ephemeral. (Do refresh
> tokens make sense in the context of RAR?)

The original motivation for RAR was indeed transactions, which require
parameters, and this class of use cases does typically imply "ephemeral"
access (single-use token).

But nothing precludes RAR from being used for long term access (with a
refresh token) and there are one or two simple examples in the spec
which can be interpreted as such.

>
> I think a better approach would be a two-phase authorization process:
>
> 1. In step 1 an app gets a normal long-lived access and/or refresh
> token that grants it permissions to ask to initial transactions (RARs)
> - e.g. with scope initiate_payments
> 2. In step 2 the app requests authorization for individual
> RARs/transactions using some proof of its grant from step 1

Such a two-phase authorisation can make good sense in cases when user
trust needs to be built up.

Mentioning this and / or some other pattern can be useful, but I don't
think we should make this normative for RAR, because there can well be
use cases which won't need this.

>
> I have ideas for how this could be achieved, but I’d prefer to see
> what others think of this general idea rather than getting bogged down
> in specific details.
>
> [1]: https://www.dropbox.com/developers/chooser
> [2]: https://www.dropbox.com/developers/saver
>
> — Neil



--------------ms010300010300020303020101--
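
One way an authorization server could enforce the two-phase idea quoted in the message above before it renders any consent screen, as an added example that is not part of the thread or of draft-ietf-oauth-rar. The `grant_token` input, the `REQUIRED_SCOPE` policy table, the token store and all sample values are assumptions of this example; the thread leaves the form of the phase-1 proof open.

```python
import hashlib
import json
import time
from dataclasses import dataclass

# Assumed policy table: authorization_details "type" -> phase-1 scope the
# client must already hold before the AS will show a consent screen for it.
REQUIRED_SCOPE = {"payment_initiation": "initiate_payments"}


@dataclass
class Grant:
    """Phase-1 grant: long-lived, visible to and revocable by the resource owner."""
    client_id: str
    subject: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


def token_key(token: str) -> str:
    """The store is keyed by digest so raw tokens are not kept at rest."""
    return hashlib.sha256(token.encode()).hexdigest()


def parse_authorization_details(raw):
    """Parse the RAR parameter: a JSON array of objects, each with a string "type"."""
    try:
        details = json.loads(raw)
    except (TypeError, ValueError):
        raise ValueError("authorization_details is not valid JSON") from None
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty array")
    for item in details:
        if not isinstance(item, dict) or not isinstance(item.get("type"), str):
            raise ValueError("every authorization_details element needs a string type")
    return details


def admit_rar(client_id, raw_details, grant_token, store, now=None):
    """Return (admitted, reason). Fail closed: consent UI is rendered only on True."""
    now = time.time() if now is None else now
    try:
        details = parse_authorization_details(raw_details)
    except ValueError as exc:
        return False, str(exc)

    # Collect the phase-1 scopes that the requested types depend on.
    needed = {REQUIRED_SCOPE[d["type"]] for d in details if d["type"] in REQUIRED_SCOPE}
    if not needed:
        return True, "no privileged type requested"
    if not grant_token:
        return False, "privileged type requested without a phase-1 grant"

    grant = store.get(token_key(grant_token))
    if grant is None:
        return False, "unknown grant"
    if grant.revoked:
        return False, "grant revoked by resource owner"
    if grant.expires_at <= now:
        return False, "grant expired"
    if grant.client_id != client_id:
        return False, "grant was issued to a different client"
    missing = needed - grant.scopes
    if missing:
        return False, "grant lacks scope: " + ", ".join(sorted(missing))
    return True, "phase-1 grant covers request"


# Constructed sample data (not taken from the draft or the thread).
NOW = 1_594_000_000.0
STORE = {
    token_key("tok-shop"): Grant("shop-app", "alice",
                                 frozenset({"initiate_payments"}), NOW + 86400),
    token_key("tok-readonly"): Grant("shop-app", "alice",
                                     frozenset({"accounts"}), NOW + 86400),
    token_key("tok-revoked"): Grant("old-app", "alice",
                                    frozenset({"initiate_payments"}), NOW + 86400,
                                    revoked=True),
}
PAYMENT = json.dumps([{"type": "payment_initiation",
                       "instructedAmount": {"currency": "EUR", "amount": "123.50"}}])

if __name__ == "__main__":
    cases = [
        ("shop-app", PAYMENT, "tok-shop"),       # holds the phase-1 grant
        ("shop-app", PAYMENT, None),             # no prior relationship
        ("other-app", PAYMENT, "tok-shop"),      # grant presented by the wrong client
        ("old-app", PAYMENT, "tok-revoked"),     # RO revoked the relationship
        ("shop-app", PAYMENT, "tok-readonly"),   # grant exists but lacks the scope
    ]
    for client, details, token in cases:
        print(client, token, admit_rar(client, details, token, STORE, NOW))
```

Because the phase-1 grant is an ordinary stored record, revoking it at the AS also stops every later transaction prompt from that client, which is the long-term relationship the quoted message finds missing.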


From nobody Tue Jul  7 15:21:15 2020
Return-Path: <vladimir@connect2id.com>
To: oauth@ietf.org
References: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <7ce27138-b1f5-7593-72aa-40d04b64ee9e@connect2id.com>
Date: Wed, 8 Jul 2020 01:21:06 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms020209000405020205030908"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ntz0OUudD1NCsqkkngkqM3bOqsQ>
Subject: Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?

This is a cryptographically signed message in MIME format.

--------------ms020209000405020205030908
Content-Type: multipart/alternative;
 boundary="------------B2BCF1C1E6A35248C363B12A"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------B2BCF1C1E6A35248C363B12A
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

I find 03 well structured, well written and it shows that a lot of
thought and work has gone into it.

If this is a formal call for adoption - I support it.


> - defined new client type - credentialed clients - a client that has
> credentials, but the AS has not confirmed the identity of the client.
> Confidential clients have had their identity confirmed by the AS. We
> talked about changing the names of confidential and public, but
> thought that would be confusing. This new definition cleans up the
> text substantially.

I understand why this new client type was introduced. For the reader who
is not familiar with the recent OAuth RFCs and drafts - I suspect this
can still be confusing. There will likely be questions -- Why does this
difference between confidential and credentialed matter? What is a
concrete example of a credentialed client?

Also, people will likely ask themselves - what does the confirmation of
a (credentialed) client's identity by the AS actually mean and do?
(section 2.1)


>    Authorization servers SHOULD consider the level of confidence in a
>    client's identity when deciding whether they allow such a client
>    access to more critical functions, such as the Client Credentials
>    grant type.

Again, normative text that relies on the implementer being able to
assign levels of confidence in the client's identity, but it is not
immediately obvious how to go about this.


There is mention in 9.1 about "enlisting the resource owner to confirm
identity" and "if there is a web application whose developer's identity
was verified...". But this talk about client identity is secondary and
happens in the context of client authentication.

Perhaps it will make sense to promote the discussion about identity to a
new 9.x section "Client identity" or "Client Identification", before
"Client Authentication". Addressing the topics what client identity is,
why does it matter (especially for security), and the "confirmation by
the AS". Then proceed with "Client Authentication" which now is freed to
focus on the credentials / auth methods aspects.

>    Such credentials are either issued by the
>    authorization server or registered by the developer of the client
>    with the authorization server.

Credentials (public key) can also be registered by a client performing
dynamic registration (section 2.1)


Vladimir


--------------B2BCF1C1E6A35248C363B12A--

--------------ms020209000405020205030908--


From nobody Tue Jul  7 16:04:06 2020
Return-Path: <saschapreibisch@gmail.com>
MIME-Version: 1.0
References: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com> <7ce27138-b1f5-7593-72aa-40d04b64ee9e@connect2id.com>
In-Reply-To: <7ce27138-b1f5-7593-72aa-40d04b64ee9e@connect2id.com>
From: Sascha Preibisch <saschapreibisch@gmail.com>
Date: Tue, 7 Jul 2020 16:02:46 -0700
Message-ID: <CAP=vD9tAGtpcWh2tX68M8SpgMBNo9hYNdBuZLD8SCKR1Ar1seA@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: IETF oauth WG <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/g4tFd3q7wT4tTcmd_dfYtHYAezM>
Subject: Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2020 23:04:05 -0000

Hi all!

Here is the rest of my feedback. At the end I also included a list of
typos and the summary of changes that I have found between RFC 6739
and the current draft.

Regards,
Sascha

Section 2.3. Client Authentication
-------------------------

Draft and current:
- both documents contain this description: "... the authorization
server (e.g., password, public/private key pair)"
- since the client usually uses a 'client secret', maybe this could be
worded as such:
- suggestion: "... the authorization server (e.g., client secret,
public/private key pair)"

Draft:

"The authorization server MAY establish a client authentication method
with public clients, which converts them to credentialed clients.
However, the authorization server MUST NOT rely on credentialed
client authentication for the purpose of identifying the client."

- Does this mean that credentialed clients are as trustworthy/ not
trustworthy as public clients?

Draft:

"Clients in possession of a client password, also known as a client secret, ..."

- Maybe this could simply be changed to:
"Clients in possession of a client secret ..."

Section 3.1.2.2 Registration Requirements
-------------------------

Draft:

"Lack of requiring registration of redirect URIs enables an attacker
to use the authorization endpoint as an open redirector as described
in <a href="#section-9.18">Section 9.18</a>."

- is that still required since redirect_uris have to be pre-registered now?

Section 4.1. Authorization Code Grant
-------------------------

Draft:
- Figure 3, step (1), does not include 'code_challenge_method'. Is that
intentional?
- I am suggesting to include it to avoid potential questions and
confusion. It could be listed as 'optional' as 'scope' is
- In addition, when referencing parameters, they should be spelled as
used in the protocol, i.e.: 'code_challenge' instead of
'code_challenge'

Section 4.1.1 Authorization Request
-------------------------

Draft:

"Clients use a unique secret per authorization request to protect .... "

- It would be less confusing if this section would start off with "PKCE
is required"
- Introducing a '... unique secret per ...' sounds like something very
new although this is referencing PKCE
- Suggestion (along the lines of):
"Clients MUST leverage PKCE per authorization request to protect ..."

Section 4.1.2.1 Error Response
-------------------------

Draft:

"An AS MUST reject requests without a "code_challenge" from public
clients, and MUST reject such requests from other clients  unless
there is reasonable assurance that ..."

- These statements are the ones that cause discussions between
developers and/ or third parties
- ' ... unless ...' is very difficult to grasp, even when looking into
section 9.8
- I would suggest to make it required

Section 5.1 Successful Response
-------------------------

Draft and current:

- both documents describe the refresh_token response parameter and
describe it as such:
"OPTIONAL.  The refresh token, which can be used to obtain new access
tokens using the same authorization grant as described in <a
href="#section-6">Section 6</a>"

- As an enhancement, I suggest this update:
"OPTIONAL.  The refresh token, which can be used to obtain new access
tokens using the grant type "refresh_token" as described in <a
href="#section-6">Section 6</a>"

Section 6. Refreshing an Access Token
-------------------------

Draft:

Authorization servers SHOULD determine, based on a risk assessment,
whether to issue refresh tokens to a certain client.  If the
authorization server decides not to issue refresh tokens, the client
MAY refresh access tokens by utilizing other grant types, such as the
authorization code grant type.  In such a case, the authorization
server may utilize cookies and persistent grants to optimize the user
experience.

- That paragraph sounds like a general advice for web developers and
should appear in an appendix for my taste
- ' ... based on risk assessment ... ' may exclude any implementation
that does not have such capabilities

===

Draft:

- this section includes this statement:
"Confidential or credentialed clients MUST authenticate with the
authorization server ..."

- section 2.3 includes this statement and makes me wonder how
confident an authorization server can be when working with
'credentialed' clients:
"However, the authorization server MUST NOT rely on credentialed
client authentication for the purpose of identifying the client."

- Any clarification, I would say about the client type 'credentialed'
in general, would be helpful

-------------------------
Typos:
-------------------------

Section 2.1. Client Types
-------------------------

Draft:

"credentialed":  Clients that have credentials and their identity has
been not been confirmed by the AS are designated as "credentialed
clients"

- I believe it should be:

"credentialed":  Clients that have credentials and their identity has
not been confirmed by the AS are designated as "credentialed clients"

Section 3.2.1 Client Authentication
-------------------------

Draft:

"Confidential or credentialed clients client MUST authenticate with..."

- I believe it should be:
"Confidential or credentialed clients MUST authenticate with..."

-------------------------
Summary of changes between draft and current:
-------------------------

- no more implicit
- no more response_type=token
- no more ropc
- no more redirect code 307
- no more open redirect_uri
- new client type 'credentialed'
- must use PKCE (with few exceptions)
- AS must provide a way to show their support for 'code_challenge_method'

- refresh token should expire
- description for client type 'confidential' got updated
- clients should not be able to choose their client_id
- no reference to 'mac' token profile anymore
- section 7.2 details on Bearer token
- resource server must include 'WWW-Authenticate: Bearer
realm="example"' header for failing authorization
- extended list of security threats
- discussion on native apps removed
- recommended bindings between access_token and resource_server
- recommended refresh_token rotation or sender-constraints
- recommended to use '127.0.0.1' instead of 'localhost'

On Tue, 7 Jul 2020 at 15:21, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>
> I find 03 well structured, well written and it shows that a lot of thought and work has gone into it.
>
> If this is a formal call for adoption - I support it.
>
>
> - defined new client type - credentialed clients - a client that has credentials, but the AS has not confirmed the identity of the client. Confidential clients have had their identity confirmed by the AS. We talked about changing the names of confidential and public, but thought that would be confusing. This new definition cleans up the text substantially.
>
> I understand why this new client type was introduced. For the reader who is not familiar with the recent OAuth RFCs and drafts - I suspect this can still be confusing. There will likely be questions -- Why does this difference between confidential and credentialed matter? What is a concrete example of a credentialed client?
>
> Also, people will likely ask themselves - what does the confirmation of a (credentialed) client's identity by the AS actually mean and do? (section 2.1)
>
>
>    Authorization servers SHOULD consider the level of confidence in a
>    client's identity when deciding whether they allow such a client
>    access to more critical functions, such as the Client Credentials
>    grant type.
>
> Again, normative text that relies on the implementer being able to assign levels of confidence in the client's identity, but is not immediately obvious how to go about this.
>
>
> There is mention in 9.1 about "enlisting the resource owner to confirm identity" and "if there is a web application whose developer's identity was verified...". But this talk about client identity is secondary and happens in the context of client authentication.
>
> Perhaps it will make sense to promote the discussion about identity to a new 9.x section "Client identity" or "Client Identification", before "Client Authentication". Addressing the topics what client identity is, why does it matter (especially for security), and the "confirmation by the AS". Then proceed with "Client Authentication" which now is freed to focus on the credentials / auth methods aspects.
>
>    Such credentials are either issued by the
>    authorization server or registered by the developer of the client
>    with the authorization server.
>
> Credentials (public key) can also be registered by a client performing dynamic registration (section 2.1)
>
>
> Vladimir
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
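
Added example, not part of the message above and not code from the draft or its authors: a sketch of the authorization-server checks the feedback discusses (authorization code only, exact-match pre-registered redirect_uri, PKCE required for every client type as the message suggests). The client registry, function names and the S256-only policy are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re

# Constructed client registry (hypothetical client ids and redirect URIs).
CLIENTS = {
    "native-app": {"type": "public",
                   "redirect_uris": {"http://127.0.0.1:51004/cb"}},
    "web-app": {"type": "confidential",
                "redirect_uris": {"https://client.example/cb"}},
}

# code_verifier syntax from RFC 7636: 43-128 unreserved characters.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


class Rejected(Exception):
    """Request refused; .error carries an OAuth error code."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error


def s256_challenge(verifier):
    """BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_authorization_request(params):
    """Validate an authorization request; return what must be bound to the code."""
    client = CLIENTS.get(params.get("client_id"))
    if client is None:
        raise Rejected("invalid_request", "unknown client_id")
    # Exact string match against pre-registered URIs. Checked before anything
    # else so that no error is ever redirected to an unregistered location.
    if params.get("redirect_uri") not in client["redirect_uris"]:
        raise Rejected("invalid_request", "redirect_uri is not registered")
    # Implicit grant (response_type=token) is gone; only "code" is accepted.
    if params.get("response_type") != "code":
        raise Rejected("unsupported_response_type", "only 'code' is supported")
    # Stricter reading suggested in the message: no "unless" clause, so the
    # client type does not matter here.
    challenge = params.get("code_challenge")
    if not challenge:
        raise Rejected("invalid_request", "code_challenge is required")
    # RFC 7636 defaults an omitted method to "plain"; this example's policy
    # (an assumption) accepts S256 only, so omission is rejected as well.
    method = params.get("code_challenge_method", "plain")
    if method != "S256":
        raise Rejected("invalid_request", "code_challenge_method must be S256")
    return {"client_id": params["client_id"],
            "redirect_uri": params["redirect_uri"],
            "code_challenge": challenge}


def check_token_request(stored, code_verifier):
    """Verify the code_verifier against the challenge bound to the code."""
    if not code_verifier or not VERIFIER_RE.fullmatch(code_verifier):
        raise Rejected("invalid_grant", "missing or malformed code_verifier")
    expected = s256_challenge(code_verifier).encode()
    if not hmac.compare_digest(expected, stored["code_challenge"].encode()):
        raise Rejected("invalid_grant", "code_verifier does not match")
    return True


def outcome(check, *args):
    """Run a check and return 'ok' or the OAuth error code it raised."""
    try:
        check(*args)
        return "ok"
    except Rejected as exc:
        return exc.error
```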


From nobody Tue Jul  7 16:36:32 2020
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 002173A0C2A for <oauth@ietfa.amsl.com>; Tue,  7 Jul 2020 16:36:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level: 
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XUjRz2Sv4KCT for <oauth@ietfa.amsl.com>; Tue,  7 Jul 2020 16:36:28 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E78253A0C1B for <oauth@ietf.org>; Tue,  7 Jul 2020 16:36:27 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id f5so36192700ljj.10 for <oauth@ietf.org>; Tue, 07 Jul 2020 16:36:27 -0700 (PDT)
X-Received: by 2002:a2e:b607:: with SMTP id r7mr26268947ljn.5.1594164985886; Tue, 07 Jul 2020 16:36:25 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com> <7ce27138-b1f5-7593-72aa-40d04b64ee9e@connect2id.com> <CAP=vD9tAGtpcWh2tX68M8SpgMBNo9hYNdBuZLD8SCKR1Ar1seA@mail.gmail.com>
In-Reply-To: <CAP=vD9tAGtpcWh2tX68M8SpgMBNo9hYNdBuZLD8SCKR1Ar1seA@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 7 Jul 2020 16:35:49 -0700
Message-ID: <CAD9ie-t167+vmispTd6A=ZDhrzx-HBDMHBPPPDpNx-2LXK=zpQ@mail.gmail.com>
To: Sascha Preibisch <saschapreibisch@gmail.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b27bf205a9e27505"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GK6r3uTeRSK1m1uSWPWvM0gYQUc>
Subject: Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2020 23:36:31 -0000

--000000000000b27bf205a9e27505
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Thanks Sascha and Vladimir for the feedback!

Sascha: did you have a concern with the document being adopted by the WG?


--000000000000b27bf205a9e27505
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Thanks Sascha and Vladimir for the feedback!<div><br></div=
><div>Sascha: did you have=C2=A0a concern with the document being adopted b=
y the WG?</div><div><br></div></div><div hspace=3D"streak-pt-mark" style=3D=
"max-height:1px"><img alt=3D"" style=3D"width:0px;max-height:0px;overflow:h=
idden" src=3D"https://mailfoogae.appspot.com/t?sender=3DaZGljay5oYXJkdEBnbW=
FpbC5jb20%3D&amp;type=3Dzerocontent&amp;guid=3D293dcd09-d69e-4340-adc7-3a66=
965db5c2"><font color=3D"#ffffff" size=3D"1">=E1=90=A7</font></div><br><div=
 class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Jul 7,=
 2020 at 4:04 PM Sascha Preibisch &lt;<a href=3D"mailto:saschapreibisch@gma=
il.com">saschapreibisch@gmail.com</a>&gt; wrote:<br></div><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex">Hi all!<br>
<br>
Here is the rest of my feedback. At the end I also included a list of<br>
typos and the summary of changes that I have found between RFC 6739<br>
and the current draft.<br>
<br>
Regards,<br>
Sascha<br>
<br>
Section 2.3. Client Authentication<br>
-------------------------<br>
<br>
Draft and current:<br>
- both documents contain this description: &quot;... the authorization<br>
server (e.g., password, public/private key pair)&quot;<br>
- since the client usually uses a &#39;client secret&#39;, maybe this could=
 be<br>
worded as such:<br>
- suggestion: &quot;... the authorization server (e.g., client secret,<br>
public/private key pair)&quot;<br>
<br>
Draft:<br>
<br>
&quot;The authorization server MAY establish a client authentication method=
<br>
with public clients, which converts them to credentialed clients.<br>
However, the authorization server MUST NOT rely on credentialed<br>
client authentication for the purpose of identifying the client.&quot;<br>
<br>
- Does this mean that credentialed clients are as trustworthy/ not<br>
trustworthy as public clients?<br>
<br>
Draft:<br>
<br>
&quot;Clients in possession of a client password, also known as a client se=
cret, ...&quot;<br>
<br>
- Maybe this could simply be changed to:<br>
&quot;Clients in possession of a client secret ...&quot;<br>
<br>
Section 3.1.2.2 Registration Requirements<br>
-------------------------<br>
<br>
Draft:<br>
<br>
&quot;Lack of requiring registration of redirect URIs enables an attacker<b=
r>
to use the authorization endpoint as an open redirector as described<br>
in &lt;a href=3D&quot;#section-9.18&quot;&gt;Section 9.18&lt;/a&gt;.&quot;<=
br>
<br>
- is that still required since redirect_uris have to be pre-registered now?=
<br>
<br>
Section 4.1. Authorization Code Grant<br>
-------------------------<br>
<br>
Draft:<br>
- Figure 3, step (1), does not include &#39;code_challenge_method&#39; Is t=
hat<br>
intentionally?<br>
- I am suggesting to include it to avoid potential questions and<br>
confusion. It could listed as &#39;optional&#39; as &#39;scope&#39; is<br>
- In addition, when referencing parameters, they should be spelled as<br>
used in the protocol, i.e.: &#39;code_challenge&#39; instead of<br>
&#39;code_challenge&#39;<br>
<br>
Section 4.1.1 Authorization Request<br>
-------------------------<br>
<br>
Draft:<br>
<br>
&quot;Clients use a unique secret per authorization request to protect ....=
 &quot;<br>
<br>
- It would be less confusing if this section would start of with &quot;PKCE=
<br>
is required&quot;<br>
- Introducing a &#39;... unique secret per ...&#39; sounds like something v=
ery<br>
new although this is referencing PKCE<br>
- Suggestion (along the lines of):<br>
&quot;Clients MUST leverage PKCE per authorization request to protect ...&q=
uot;<br>
<br>
Section 4.1.2.1 Error Response<br>
-------------------------<br>
<br>
Draft:<br>
<br>
&quot;An AS MUST reject requests without a &quot;code_challenge&quot; from =
public<br>
clients, and MUST reject such requests from other clients=C2=A0 unless<br>
there is reasonable assurance that ...&quot;<br>
<br>
- These statements are the ones that cause discussions between<br>
developers and/ or third parties<br>
- &#39; ... unless ...&#39; is very difficult to grasp, even when looking i=
nto<br>
section 9.8<br>
- I would suggest to make it required<br>
<br>
Section 5.1 Successful Response<br>
-------------------------<br>
<br>
Draft and current:<br>
<br>
- both documents describe the refresh_token response parameter and<br>
describe it as such:<br>
&quot;OPTIONAL.=C2=A0 The refresh token, which can be used to obtain new ac=
cess<br>
tokens using the same authorization grant as described in &lt;a<br>
href=3D&quot;#section-6&quot;&gt;Section 6&lt;/a&gt;&quot;<br>
<br>
- As an enhancement, I suggest this update:<br>
</blockquote></div>

--000000000000b27bf205a9e27505--


From nobody Tue Jul  7 16:56:55 2020
Return-Path: <saschapreibisch@gmail.com>
MIME-Version: 1.0
References: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com> <7ce27138-b1f5-7593-72aa-40d04b64ee9e@connect2id.com> <CAP=vD9tAGtpcWh2tX68M8SpgMBNo9hYNdBuZLD8SCKR1Ar1seA@mail.gmail.com> <CAD9ie-t167+vmispTd6A=ZDhrzx-HBDMHBPPPDpNx-2LXK=zpQ@mail.gmail.com>
In-Reply-To: <CAD9ie-t167+vmispTd6A=ZDhrzx-HBDMHBPPPDpNx-2LXK=zpQ@mail.gmail.com>
From: Sascha Preibisch <saschapreibisch@gmail.com>
Date: Tue, 7 Jul 2020 16:55:33 -0700
Message-ID: <CAP=vD9vNZK+k1aWvQsKL96OJsiyBMk72svai+R6vbF2xN=EijA@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000080c5d005a9e2be89"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RoFreN7uVwIkm50Iu7BE7NhvpTw>
Subject: Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?
X-List-Received-Date: Tue, 07 Jul 2020 23:56:53 -0000

--00000000000080c5d005a9e2be89
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello Dick!

Unless the two typos that I have mentioned should be updated beforehand,
no, I do not.

Thank you,
Sascha

On Tue, 7 Jul 2020 at 16:36, Dick Hardt <dick.hardt@gmail.com> wrote:

> Thanks Sascha and Vladimir for the feedback!
>
> Sascha: did you have a concern with the document being adopted by the WG?
>
> On Tue, Jul 7, 2020 at 4:04 PM Sascha Preibisch <saschapreibisch@gmail.com>
> wrote:
>
>> Hi all!
>>
>> Here is the rest of my feedback. At the end I also included a list of
>> typos and the summary of changes that I have found between RFC 6739
>> and the current draft.
>>
>> Regards,
>> Sascha
>>
>> Section 2.3. Client Authentication
>> -------------------------
>>
>> Draft and current:
>> - both documents contain this description: "... the authorization
>> server (e.g., password, public/private key pair)"
>> - since the client usually uses a 'client secret', maybe this could be
>> worded as such:
>> - suggestion: "... the authorization server (e.g., client secret,
>> public/private key pair)"
>>
>> Draft:
>>
>> "The authorization server MAY establish a client authentication method
>> with public clients, which converts them to credentialed clients.
>> However, the authorization server MUST NOT rely on credentialed
>> client authentication for the purpose of identifying the client."
>>
>> - Does this mean that credentialed clients are as trustworthy/ not
>> trustworthy as public clients?
>>
>> Draft:
>>
>> "Clients in possession of a client password, also known as a client
>> secret, ..."
>>
>> - Maybe this could simply be changed to:
>> "Clients in possession of a client secret ..."
>>
>> Section 3.1.2.2 Registration Requirements
>> -------------------------
>>
>> Draft:
>>
>> "Lack of requiring registration of redirect URIs enables an attacker
>> to use the authorization endpoint as an open redirector as described
>> in <a href="#section-9.18">Section 9.18</a>."
>>
>> - is that still required since redirect_uris have to be pre-registered
>> now?
>>
>> Section 4.1. Authorization Code Grant
>> -------------------------
>>
>> Draft:
>> - Figure 3, step (1), does not include 'code_challenge_method'. Is that
>> intentional?
>> - I am suggesting to include it to avoid potential questions and
>> confusion. It could be listed as 'optional' as 'scope' is
>> - In addition, when referencing parameters, they should be spelled as
>> used in the protocol, i.e.: 'code_challenge' instead of
>> 'code_challenge'
>>
>> Section 4.1.1 Authorization Request
>> -------------------------
>>
>> Draft:
>>
>> "Clients use a unique secret per authorization request to protect .... "
>>
>> - It would be less confusing if this section would start off with "PKCE
>> is required"
>> - Introducing a '... unique secret per ...' sounds like something very
>> new although this is referencing PKCE
>> - Suggestion (along the lines of):
>> "Clients MUST leverage PKCE per authorization request to protect ..."
>>
>> Section 4.1.2.1 Error Response
>> -------------------------
>>
>> Draft:
>>
>> "An AS MUST reject requests without a "code_challenge" from public
>> clients, and MUST reject such requests from other clients  unless
>> there is reasonable assurance that ..."
>>
>> - These statements are the ones that cause discussions between
>> developers and/ or third parties
>> - ' ... unless ...' is very difficult to grasp, even when looking into
>> section 9.8
>> - I would suggest to make it required
>>
>> Section 5.1 Successful Response
>> -------------------------
>>
>> Draft and current:
>>
>> - both documents describe the refresh_token response parameter and
>> describe it as such:
>> "OPTIONAL.  The refresh token, which can be used to obtain new access
>> tokens using the same authorization grant as described in <a
>> href="#section-6">Section 6</a>"
>>
>> - As an enhancement, I suggest this update:
>> "OPTIONAL.  The refresh token, which can be used to obtain new access
>> tokens using the grant type "refresh_token" as described in <a
>> href="#section-6">Section 6</a>"
>>
>> Section 6. Refreshing an Access Token
>> -------------------------
>>
>> Draft:
>>
>> Authorization servers SHOULD determine, based on a risk assessment,
>> whether to issue refresh tokens to a certain client.  If the
>> authorization server decides not to issue refresh tokens, the client
>> MAY refresh access tokens by utilizing other grant types, such as the
>> authorization code grant type.  In such a case, the authorization
>> server may utilize cookies and persistent grants to optimize the user
>> experience.
>>
>> - That paragraph sounds like a general advice for web developers and
>> should appear in an appendix for my taste
>> - ' ... based on risk assessment ... ' may exclude any implementation
>> that does not have such capabilities
>>
>> ===
>>
>> Draft:
>>
>> - this section includes this statement:
>> "Confidential or credentialed clients MUST authenticate with the
>> authorization server ..."
>>
>> - section 2.3 includes this statement and makes me wonder how
>> confident an authorization server can be when working with
>> 'credentialed' clients:
>> "However, the authorization server MUST NOT rely on credentialed
>> client authentication for the purpose of identifying the client."
>>
>> - Any clarification, I would say about the client type 'credentialed'
>> in general, would be helpful
>>
>> -------------------------
>> Typos:
>> -------------------------
>>
>> Section 2.1. Client Types
>> -------------------------
>>
>> Draft:
>>
>> "credentialed":  Clients that have credentials and their identity has
>> been not been confirmed by the AS are designated as "credentialed
>> clients"
>>
>> - I believe it should be:
>>
>> "credentialed":  Clients that have credentials and their identity has
>> not been confirmed by the AS are designated as "credentialed clients"
>>
>> Section 3.2.1 Client Authentication
>> -------------------------
>>
>> Draft:
>>
>> "Confidential or credentialed clients client MUST authenticate with..."
>>
>> - I believe it should be:
>> "Confidential or credentialed clients MUST authenticate with..."
>>
>> -------------------------
>> Summary of changes between draft and current:
>> -------------------------
>>
>> - no more implicit
>> - no more response_type=token
>> - no more ropc
>> - no more redirect code 307
>> - no more open redirect_uri
>> - new client type 'credentialed'
>> - must use PKCE (with few exceptions)
>> - AS must provide a way to show their support for 'code_challenge_method'
>>
>> - refresh token should expire
>> - description for client type 'confidential' got updated
>> - clients should not be able to choose their client_id
>> - no reference to 'mac' token profile anymore
>> - section 7.2 details on Bearer token
>> - resource server must include 'WWW-Authenticate: Bearer
>> realm="example"' header for failing authorization
>> - extended list of security threats
>> - discussion on native apps removed
>> - recommended bindings between access_token and resource_server
>> - recommended refresh_token rotation or sender-constraints
>> - recommended to use '127.0.0.1' instead of 'localhost'
>>
>> On Tue, 7 Jul 2020 at 15:21, Vladimir Dzhuvinov <vladimir@connect2id.com>
>> wrote:
>> >
>> > I find 03 well structured, well written and it shows that a lot of
>> > thought and work has gone into it.
>> >
>> > If this is a formal call for adoption - I support it.
>> >
>> >
>> > - defined new client type - credentialed clients - a client that has
>> > credentials, but the AS has not confirmed the identity of the client.
>> > Confidential clients have had their identity confirmed by the AS. We talked
>> > about changing the names of confidential and public, but thought that would
>> > be confusing. This new definition cleans up the text substantially.
>> >
>> > I understand why this new client type was introduced. For the reader
>> > who is not familiar with the recent OAuth RFCs and drafts - I suspect this
>> > can still be confusing. There will likely be questions -- Why does this
>> > difference between confidential and credentialed matter? What is a concrete
>> > example of a credentialed client?
>> >
>> > Also, people will likely ask themselves - what does the confirmation of
>> > a (credentialed) client's identity by the AS actually mean and do? (section
>> > 2.1)
>> >
>> >
>> >    Authorization servers SHOULD consider the level of confidence in a
>> >    client's identity when deciding whether they allow such a client
>> >    access to more critical functions, such as the Client Credentials
>> >    grant type.
>> >
>> > Again, normative text that relies on the implementer being able to
>> > assign levels of confidence in the client's identity, but is not
>> > immediately obvious how to go about this.
>> >
>> >
>> > There is mention in 9.1 about "enlisting the resource owner to confirm
>> > identity" and "if there is a web application whose developer's identity was
>> > verified...". But this talk about client identity is secondary and happens
>> > in the context of client authentication.
>> >
>> > Perhaps it will make sense to promote the discussion about identity to
>> > a new 9.x section "Client identity" or "Client Identification", before
>> > "Client Authentication". Addressing the topics what client identity is, why
>> > does it matter (especially for security), and the "confirmation by the AS".
>> > Then proceed with "Client Authentication" which now is freed to focus on
>> > the credentials / auth methods aspects.
>> >
>> >    Such credentials are either issued by the
>> >    authorization server or registered by the developer of the client
>> >    with the authorization server.
>> >
>> > Credentials (public key) can also be registered by a client performing
>> > dynamic registration (section 2.1)
>> >
>> >
>> > Vladimir
>>
>

--00000000000080c5d005a9e2be89
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hello Dick!<div><br></div><div>Unless the two typos that I=
 have mentioned should be updated beforehand , no, I do not.</div><div><br>=
</div><div>Thank you,</div><div>Sascha</div></div><br><div class=3D"gmail_q=
uote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, 7 Jul 2020 at 16:36, Di=
ck Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com">dick.hardt@gmail.com</=
a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-c=
olor:rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr">Thanks Sascha and =
Vladimir for the feedback!<div><br></div><div>Sascha: did you have=C2=A0a c=
oncern with the document being adopted by the WG?</div><div><br></div></div=
><div hspace=3D"streak-pt-mark" style=3D"max-height:1px"><img alt=3D"" styl=
e=3D"width: 0px; max-height: 0px; overflow: hidden;" src=3D"https://mailfoo=
gae.appspot.com/t?sender=3DaZGljay5oYXJkdEBnbWFpbC5jb20%3D&amp;type=3Dzeroc=
ontent&amp;guid=3D293dcd09-d69e-4340-adc7-3a66965db5c2"><font color=3D"#fff=
fff" size=3D"1">=E1=90=A7</font></div><br><div class=3D"gmail_quote"><div d=
ir=3D"ltr" class=3D"gmail_attr">On Tue, Jul 7, 2020 at 4:04 PM Sascha Preib=
isch &lt;<a href=3D"mailto:saschapreibisch@gmail.com" target=3D"_blank">sas=
chapreibisch@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_q=
uote" style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-s=
tyle:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hi all!<br>
<br>
Here is the rest of my feedback. At the end I also included a list of<br>
typos and the summary of changes that I have found between RFC 6739<br>
and the current draft.<br>
<br>
Regards,<br>
Sascha<br>
<br>
Section 2.3. Client Authentication<br>
-------------------------<br>
<br>
Draft and current:<br>
- both documents contain this description: &quot;... the authorization<br>
server (e.g., password, public/private key pair)&quot;<br>
- since the client usually uses a &#39;client secret&#39;, maybe this could=
 be<br>
worded as such:<br>
- suggestion: &quot;... the authorization server (e.g., client secret,<br>
public/private key pair)&quot;<br>
<br>
Draft:<br>
<br>
&quot;The authorization server MAY establish a client authentication method=
<br>
with public clients, which converts them to credentialed clients.<br>
However, the authorization server MUST NOT rely on credentialed<br>
client authentication for the purpose of identifying the client.&quot;<br>
<br>
- Does this mean that credentialed clients are as trustworthy/ not<br>
trustworthy as public clients?<br>
<br>
Draft:<br>
<br>
&quot;Clients in possession of a client password, also known as a client se=
cret, ...&quot;<br>
<br>
- Maybe this could simply be changed to:<br>
&quot;Clients in possession of a client secret ...&quot;<br>
<br>
Section 3.1.2.2 Registration Requirements<br>
-------------------------<br>
<br>
Draft:<br>
<br>
&quot;Lack of requiring registration of redirect URIs enables an attacker<b=
r>
to use the authorization endpoint as an open redirector as described<br>
in &lt;a href=3D&quot;#section-9.18&quot;&gt;Section 9.18&lt;/a&gt;.&quot;<=
br>
<br>
- is that still required since redirect_uris have to be pre-registered now?=
<br>
<br>
Section 4.1. Authorization Code Grant<br>
-------------------------<br>
<br>
Draft:<br>
- Figure 3, step (1), does not include &#39;code_challenge_method&#39; Is t=
hat<br>
intentionally?<br>
- I am suggesting to include it to avoid potential questions and<br>
confusion. It could listed as &#39;optional&#39; as &#39;scope&#39; is<br>
- In addition, when referencing parameters, they should be spelled as<br>
used in the protocol, i.e.: &#39;code_challenge&#39; instead of<br>
&#39;code_challenge&#39;<br>
<br>
Section 4.1.1 Authorization Request<br>
-------------------------<br>
<br>
Draft:<br>
<br>
&quot;Clients use a unique secret per authorization request to protect ....=
 &quot;<br>
<br>
- It would be less confusing if this section would start of with &quot;PKCE=
<br>
is required&quot;<br>
- Introducing a &#39;... unique secret per ...&#39; sounds like something v=
ery<br>
new although this is referencing PKCE<br>
- Suggestion (along the lines of):<br>
&quot;Clients MUST leverage PKCE per authorization request to protect ...&q=
uot;<br>
<br>
Section 4.1.2.1 Error Response<br>
-------------------------<br>
<br>
Draft:<br>
<br>
&quot;An AS MUST reject requests without a &quot;code_challenge&quot; from =
public<br>
clients, and MUST reject such requests from other clients=C2=A0 unless<br>
there is reasonable assurance that ...&quot;<br>
<br>
- These statements are the ones that cause discussions between<br>
developers and/ or third parties<br>
- &#39; ... unless ...&#39; is very difficult to grasp, even when looking i=
nto<br>
section 9.8<br>
- I would suggest to make it required<br>
<br>
Section 5.1 Successful Response<br>
-------------------------<br>
<br>
Draft and current:<br>
<br>
- both documents describe the refresh_token response parameter and<br>
describe it as such:<br>
&quot;OPTIONAL.=C2=A0 The refresh token, which can be used to obtain new ac=
cess<br>
tokens using the same authorization grant as described in &lt;a<br>
href=3D&quot;#section-6&quot;&gt;Section 6&lt;/a&gt;&quot;<br>
<br>
- As an enhancement, I suggest this update:<br>
&quot;OPTIONAL.=C2=A0 The refresh token, which can be used to obtain new ac=
cess<br>
tokens using the grant type &quot;refresh_token&quot; as described in &lt;a=
<br>
href=3D&quot;#section-6&quot;&gt;Section 6&lt;/a&gt;&quot;<br>
<br>
Section 6. Refreshing an Access Token<br>
-------------------------<br>
<br>
Draft:<br>
<br>
Authorization servers SHOULD determine, based on a risk assessment,<br>
whether to issue refresh tokens to a certain client.=C2=A0 If the<br>
authorization server decides not to issue refresh tokens, the client<br>
MAY refresh access tokens by utilizing other grant types, such as the<br>
authorization code grant type.=C2=A0 In such a case, the authorization<br>
server may utilize cookies and persistent grants to optimize the user<br>
experience.<br>
<br>
- That paragraph sounds like a general advice for web developers and<br>
should appear in an appendix for my taste<br>
- &#39; ... based on risk assessment ... &#39; may exclude any implementati=
on<br>
that does not have such capabilities<br>
<br>
=3D=3D=3D<br>
<br>
Draft:<br>
<br>
- this section includes this statement:<br>
&quot;Confidential or credentialed clients MUST authenticate with the<br>
authorization server ...&quot;<br>
<br>
- section 2.3 includes this statement and makes me wonder how<br>
confident an authorization server can be when working with<br>
&#39;credentialed&#39; clients&#39;:<br>
&quot;However, the authorization server MUST NOT rely on credentialed<br>
client authentication for the purpose of identifying the client.&quot;<br>
<br>
- Any clarification, I would say about the client type &#39;credentialed&#3=
9;<br>
in general, would be helpful<br>
<br>
-------------------------<br>
Typos:<br>
-------------------------<br>
<br>
Section 2.1. Client Types<br>
-------------------------<br>
<br>
Draft:<br>
<br>
&quot;credentialed&quot;:=C2=A0 Clients that have credentials and their ide=
ntity has<br>
been not been confirmed by the AS are designated as &quot;credentialed<br>
clients&quot;<br>
<br>
- I believe it should be:<br>
<br>
&quot;credentialed&quot;:=C2=A0 Clients that have credentials and their ide=
ntity has<br>
not been confirmed by the AS are designated as &quot;credentialed clients&q=
uot;<br>
<br>
Section 3.2.1 Client Authentication<br>
-------------------------<br>
<br>
Draft:<br>
<br>
&quot;Confidential or credentialed clients client MUST authenticate with...=
&quot;<br>
<br>
- I believe it should be:<br>
&quot;Confidential or credentialed clients MUST authenticate with...&quot;<=
br>
<br>
-------------------------<br>
Summary of changes between draft and current:<br>
-------------------------<br>
<br>
- no more implicit<br>
- no more response_type=3Dtoken<br>
- no more ropc<br>
- no more redirect code 307<br>
- no more open redirect_uri<br>
- new client type &#39;credentialed&#39;<br>
- must use PKCE (with few exceptions)<br>
- AS must provide a way to show their support for &#39;code_challenge_metho=
d&#39;<br>
<br>
- refresh token should expire<br>
- description for client type &#39;confidential&#39; got updated<br>
- clients should not be able to choose their client_id<br>
- no reference to &#39;mac&#39; token profile anymore<br>
- section 7.2 details on Bearer token<br>
- resource server must include &#39;WWW-Authenticate: Bearer<br>
realm=3D&quot;example&quot;&#39; header for failing authorization<br>
- extended list of security threats<br>
- discussion on native apps removed<br>
- recommended bindings between access_token and resource_server<br>
- recommended refresh_token rotation or sender-constraints<br>
- recommended to use &#39;127.0.0.1&#39; instead of &#39;localhost&#39;<br>
<br>
On Tue, 7 Jul 2020 at 15:21, Vladimir Dzhuvinov &lt;<a href=3D"mailto:vladi=
mir@connect2id.com" target=3D"_blank">vladimir@connect2id.com</a>&gt; wrote=
:<br>
&gt;<br>
&gt; I find 03 well structured, well written and it shows that a lot of tho=
ught and work has gone into it.<br>
&gt;<br>
&gt; If this is a formal call for adoption - I support it.<br>
&gt;<br>
&gt;<br>
&gt; - defined new client type - credentialed clients - a client that has c=
redentials, but the AS has not confirmed the identity of the client. Confid=
ential clients have had their identity confirmed by the AS. We talked about=
 changing the names of confidential and public, but thought that would be c=
onfusing. This new definition cleans up the text substantially.<br>
&gt;<br>
&gt; I understand why this new client type was introduced. For the reader w=
ho is not familiar with the recent OAuth RFCs and drafts - I suspect this c=
an still be confusing. There will likely be questions -- Why does this difference between confidential and credentialed matter? What is a concrete example of a credentialed client?<br>
&gt;<br>
&gt; Also, people will likely ask themselves - what does the confirmation of a (credentialed) client's identity by the AS actually mean and do? (section 2.1)<br>
&gt;<br>
&gt;<br>
&gt;&nbsp; &nbsp; Authorization servers SHOULD consider the level of confidence in a<br>
&gt;&nbsp; &nbsp; client's identity when deciding whether they allow such a client<br>
&gt;&nbsp; &nbsp; access to more critical functions, such as the Client Credentials<br>
&gt;&nbsp; &nbsp; grant type.<br>
&gt;<br>
&gt; Again, normative text that relies on the implementer being able to assign levels of confidence in the client's identity, but is not immediately obvious how to go about this.<br>
&gt;<br>
&gt;<br>
&gt; There is mention in 9.1 about "enlisting the resource owner to confirm identity" and "if there is a web application whose developer's identity was verified...". But this talk about client identity is secondary and happens in the context of client authentication.<br>
&gt;<br>
&gt; Perhaps it will make sense to promote the discussion about identity to a new 9.x section "Client identity" or "Client Identification", before "Client Authentication". Addressing the topics what client identity is, why does it matter (especially for security), and the "confirmation by the AS". Then proceed with "Client Authentication" which now is freed to focus on the credentials / auth methods aspects.<br>
&gt;<br>
&gt;&nbsp; &nbsp; Such credentials are either issued by the<br>
&gt;&nbsp; &nbsp; authorization server or registered by the developer of the client<br>
&gt;&nbsp; &nbsp; with the authorization server.<br>
&gt;<br>
&gt; Credentials (public key) can also be registered by a client performing dynamic registration (section 2.1)<br>
&gt;<br>
&gt;<br>
&gt; Vladimir<br>
&gt;<br>
</blockquote></div>
</blockquote></div>

--00000000000080c5d005a9e2be89--


From nobody Wed Jul  8 00:14:39 2020
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 498983A0BF3 for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 00:14:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oxHRC3W6x-aB for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 00:14:36 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 032F23A0A26 for <oauth@ietf.org>; Wed,  8 Jul 2020 00:14:35 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id o11so47744041wrv.9 for <oauth@ietf.org>; Wed, 08 Jul 2020 00:14:35 -0700 (PDT)
X-Received: by 2002:a5d:6749:: with SMTP id l9mr56158037wrw.63.1594192473817;  Wed, 08 Jul 2020 00:14:33 -0700 (PDT)
Received: from [10.0.0.3] (128.211.93.209.dyn.plus.net. [209.93.211.128]) by smtp.gmail.com with ESMTPSA id d18sm4599311wrj.8.2020.07.08.00.14.33 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 08 Jul 2020 00:14:33 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 8 Jul 2020 08:14:32 +0100
Message-Id: <BF273D10-D5A0-4B16-8F13-E03E60256091@forgerock.com>
References: <c1dc7ae2-e64c-8440-3e7d-7c956145e1e6@connect2id.com>
Cc: oauth@ietf.org
In-Reply-To: <c1dc7ae2-e64c-8440-3e7d-7c956145e1e6@connect2id.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
X-Mailer: iPhone Mail (17F80)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KgdM8PJy7O3ZkvsD4EZ29As4-lY>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2020 07:14:38 -0000

On 7 Jul 2020, at 21:09, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>
>> On 06/07/2020 19:32, Neil Madden wrote:
>> I’m reading draft-ietf-oauth-rar-01 in a bit more detail now I have
>> some time, and I have a few comments.
>>
>> An assumption in the draft appears to be that the client knows ahead
>> of time what it wants to gain access to and can describe it in detail.
>> For example, the last example in section 2.1 is a client requesting
>> access to particular files, which assumes that the client already
>> knows the paths of the files it wants to access. This in turn seems to
>> imply that the client already has some level of access to be able to
>> determine this, e.g. to list directories, which may not be desirable.
>> In many cases like this I think it’s more natural for the client to
>> not know exactly what it is asking for but instead to want access to
>> *some* file, chosen by the user. An example of this is the Dropbox
>> Chooser [1] and Saver [2] APIs, which notably are not built on top of
>> OAuth. In these cases it would be more natural for the client to send
>> a more generic request and for the details to be filled in by the user
>> as part of the consent process.
>>
>> Another issue is that as far as I can see in the current draft, any
>> client can initiate a rich authorization request at any time without
>> any kind of prior approval. This seems problematic for the main
>> example in the draft, i.e. payment initiation. As an attacker, if I
>> can get a consent screen up on a user’s device requesting to move
>> money around then it seems like half my job is already done - some
>> fraction of users will probably approve such a transaction without
>> properly checking it. It feels like the ability to ask for transaction
>> approval should already be a privileged operation that should require
>> consent and approval.
>>
>> A related issue is that each approval is in effect a completely
>> isolated incident. In a normal OAuth2 interaction I would grant an app
>> some longish-term access to data and it would get an access token and
>> optionally a refresh token. At some later point I can go to the AS and
>> see that I have granted this access and revoke it if I choose. With
>> RAR there is no representation of a long-term relationship between the
>> RO and the client and each transaction starts from fresh. Again, this
>> seems potentially problematic and not quite in keeping with how OAuth
>> currently operates. Each grant of access is ephemeral. (Do refresh
>> tokens make sense in the context of RAR?)
>
> The original motivation for RAR was indeed transactions, which require
> parameters, and this class of use cases do typically imply "ephemeral"
> access (single-use token).
>
> But nothing precludes RAR from being used for long term access (with a
> refresh token) and there are one or two simple examples in the spec
> which can be interpreted as such.
>
>>
>> I think a better approach would be a two-phase authorization process:
>>
>> 1. In step 1 an app gets a normal long-lived access and/or refresh
>> token that grants it permissions to ask to initial transactions (RARs)
>> - e.g. with scope initiate_payments
>> 2. In step 2 the app requests authorization for individual
>> RARs/transactions using some proof of its grant from step 1
>
> Such a two-phase authorisation can make good sense in cases when user
> trust needs to be built up.
>
> Mentioning this and / or some other pattern can be useful, but I don't
> think we should make this normative for RAR, because there can well be
> use cases which won't need this.
>

Do you have any examples?

I think this is something the draft needs to address.

Neil


From nobody Wed Jul  8 07:40:34 2020
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3E7C3A0CD2 for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 07:40:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level: 
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f5h4iwLw3gQp for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 07:40:31 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B24B83A0CD1 for <oauth@ietf.org>; Wed,  8 Jul 2020 07:40:30 -0700 (PDT)
Received: from [192.168.1.7] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 068EeRYX023471 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 8 Jul 2020 10:40:28 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <B30966F0-5DFB-4416-96C6-AEDB075FC998@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E68C174D-1C6F-4488-885E-2B006917929C"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 8 Jul 2020 10:40:27 -0400
In-Reply-To: <19057F94-1B09-4376-86A3-78662DCA5836@forgerock.com>
Cc: oauth <oauth@ietf.org>
To: Neil Madden <neil.madden@forgerock.com>
References: <19057F94-1B09-4376-86A3-78662DCA5836@forgerock.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XJ9Db_8saKK9kmRh6Oyb7FFNlso>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2020 14:40:33 -0000

--Apple-Mail=_E68C174D-1C6F-4488-885E-2B006917929C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

The two-phase approach is exactly what OBUK does, where you get one access token using client credentials before getting a more specific one in context of the user’s consent. This ends up being awkward to implement at best, since OAuth involves the user too early in the process to allow for this kind of thing. PAR might help address this dichotomy, but RAR can provide places for this to fill in.

With XYZ, I tried to design for that kind of multi-stage transaction pattern more explicitly, with the idea that you could continue your request in context and vary it over time, or even start a new request in the context of an existing one. This is something that I intend to continue with the soon-to-be-formed GNAP working group, if you want to bring this use case there.

 — Justin

> On Jul 6, 2020, at 12:32 PM, Neil Madden <neil.madden@forgerock.com> wrote:
>
> I’m reading draft-ietf-oauth-rar-01 in a bit more detail now I have some time, and I have a few comments.
>
> An assumption in the draft appears to be that the client knows ahead of time what it wants to gain access to and can describe it in detail. For example, the last example in section 2.1 is a client requesting access to particular files, which assumes that the client already knows the paths of the files it wants to access. This in turn seems to imply that the client already has some level of access to be able to determine this, e.g. to list directories, which may not be desirable. In many cases like this I think it’s more natural for the client to not know exactly what it is asking for but instead to want access to *some* file, chosen by the user. An example of this is the Dropbox Chooser [1] and Saver [2] APIs, which notably are not built on top of OAuth. In these cases it would be more natural for the client to send a more generic request and for the details to be filled in by the user as part of the consent process.
>
> Another issue is that as far as I can see in the current draft, any client can initiate a rich authorization request at any time without any kind of prior approval. This seems problematic for the main example in the draft, i.e. payment initiation. As an attacker, if I can get a consent screen up on a user’s device requesting to move money around then it seems like half my job is already done - some fraction of users will probably approve such a transaction without properly checking it. It feels like the ability to ask for transaction approval should already be a privileged operation that should require consent and approval.
>
> A related issue is that each approval is in effect a completely isolated incident. In a normal OAuth2 interaction I would grant an app some longish-term access to data and it would get an access token and optionally a refresh token. At some later point I can go to the AS and see that I have granted this access and revoke it if I choose. With RAR there is no representation of a long-term relationship between the RO and the client and each transaction starts from fresh. Again, this seems potentially problematic and not quite in keeping with how OAuth currently operates. Each grant of access is ephemeral. (Do refresh tokens make sense in the context of RAR?)
>
> I think a better approach would be a two-phase authorization process:
>
> 1. In step 1 an app gets a normal long-lived access and/or refresh token that grants it permissions to ask to initial transactions (RARs) - e.g. with scope initiate_payments
> 2. In step 2 the app requests authorization for individual RARs/transactions using some proof of its grant from step 1
>
> I have ideas for how this could be achieved, but I’d prefer to see what others think of this general idea rather than getting bogged down in specific details.
>
> [1]: https://www.dropbox.com/developers/chooser
> [2]: https://www.dropbox.com/developers/saver
>
> — Neil


--Apple-Mail=_E68C174D-1C6F-4488-885E-2B006917929C--


From nobody Wed Jul  8 09:17:17 2020
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8FA73A0F03 for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 09:17:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Io6fns31af7c for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 09:17:14 -0700 (PDT)
Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E8303A0EEF for <oauth@ietf.org>; Wed,  8 Jul 2020 09:17:13 -0700 (PDT)
Received: by mail-wr1-x431.google.com with SMTP id q5so49589609wru.6 for <oauth@ietf.org>; Wed, 08 Jul 2020 09:17:13 -0700 (PDT)
X-Received: by 2002:adf:82b8:: with SMTP id 53mr64087018wrc.172.1594225032086;  Wed, 08 Jul 2020 09:17:12 -0700 (PDT)
Received: from [10.0.0.2] (128.211.93.209.dyn.plus.net. [209.93.211.128]) by smtp.gmail.com with ESMTPSA id j14sm597169wrs.75.2020.07.08.09.17.11 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jul 2020 09:17:11 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Neil Madden <neil.madden@forgerock.com>
In-Reply-To: <B30966F0-5DFB-4416-96C6-AEDB075FC998@mit.edu>
Date: Wed, 8 Jul 2020 17:17:10 +0100
Cc: oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D98C3AF7-6EE3-4A4C-9C06-CEC00CC25184@forgerock.com>
References: <19057F94-1B09-4376-86A3-78662DCA5836@forgerock.com> <B30966F0-5DFB-4416-96C6-AEDB075FC998@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YGegMNVaDFAC-QH9my2EKbLAr9s>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2020 16:17:17 -0000

On 8 Jul 2020, at 15:40, Justin Richer <jricher@mit.edu> wrote:
>
> The two-phase approach is exactly what OBUK does, where you get one access token using client credentials before getting a more specific one in context of the user’s consent. This ends up being awkward to implement at best, since OAuth involves the user too early in the process to allow for this kind of thing. PAR might help address this dichotomy, but RAR can provide places for this to fill in.

I’m not sure how client credentials would help here. The point I’m making is that the _user_ needs to consent to two separate things:

1. An initial consent to allow this app/service to initiate payment requests on my behalf.
2. Consent to individual transactions.

RAR (and open banking?) completely omits step 1 at the moment, which seems crucial. Especially if you’re doing something like CIBA backchannel where step 1 is effectively consent for this app to spam my phone with payment approval requests.

>
> With XYZ, I tried to design for that kind of multi-stage transaction pattern more explicitly, with the idea that you could continue your request in context and vary it over time, or even start a new request in the context of an existing one. This is something that I intend to continue with the soon-to-be-formed GNAP working group, if you want to bring this use case there.

RAR is adopted by the OAuth WG so I think this needs to be discussed here.

— Neil
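
An added illustration of the two-consent model described in the message above, not code from the thread, from draft-ietf-oauth-rar or from any implementation: an authorization server declines to surface a per-transaction request unless the client already holds a standing, revocable grant with scope initiate_payments for that user. The HMAC proof format, the policy table, the function names and the sample payment object are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

AS_KEY = b"constructed-demo-key"  # constructed; stands in for an AS-held secret

# Hypothetical policy table: the standing scope a client must already hold
# before the AS will put a request of this authorization_details type in
# front of the user. Types not listed here need no standing grant.
REQUIRED_STANDING_SCOPE = {"payment_initiation": "initiate_payments"}

REVOKED_GRANTS = set()  # grant ids the resource owner has revoked at the AS

# Constructed sample of one authorization_details entry.
PAYMENT = {"type": "payment_initiation",
           "instructedAmount": {"currency": "EUR", "amount": "123.50"},
           "creditorName": "Merchant123"}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_standing_grant(grant_id, client_id, user, scopes, ttl, now=None):
    """Phase 1: called once the user has consented to the long-lived scopes."""
    now = time.time() if now is None else now
    payload = json.dumps({"gid": grant_id, "cid": client_id, "sub": user,
                          "scope": sorted(scopes), "exp": now + ttl}).encode()
    tag = hmac.new(AS_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def revoke_grant(grant_id):
    """The resource owner withdraws the standing relationship at the AS."""
    REVOKED_GRANTS.add(grant_id)


def _verified_grant(proof):
    """Return the grant claims if the MAC checks out, else None."""
    try:
        payload_b64, tag_b64 = proof.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (AttributeError, ValueError):  # None, wrong shape, bad base64
        return None
    expected = hmac.new(AS_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def admit_rar(client_id, user, authorization_details, proof, now=None):
    """Phase 2 gate: decide whether to show a consent screen for this request.

    Returns (admitted, reason). `user` is the resource owner the AS has
    authenticated, or been given a hint for, on this request (assumption).
    """
    now = time.time() if now is None else now
    needed = {REQUIRED_STANDING_SCOPE[d.get("type")]
              for d in authorization_details
              if d.get("type") in REQUIRED_STANDING_SCOPE}
    if not needed:
        return True, "no standing grant required"
    grant = _verified_grant(proof)
    if grant is None:
        return False, "missing or invalid grant proof"
    if grant["exp"] <= now:
        return False, "standing grant expired"
    if grant["gid"] in REVOKED_GRANTS:
        return False, "standing grant revoked"
    if grant["cid"] != client_id or grant["sub"] != user:
        return False, "grant bound to another client or user"
    if not needed <= set(grant["scope"]):
        return False, "standing grant lacks required scope"
    return True, "admitted to per-transaction consent"
```

Every refusal happens before any consent prompt is rendered, so a client without the standing grant cannot put a payment approval in front of the user at all, and revoking the grant ends the long-term relationship in one place.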


From nobody Wed Jul  8 09:20:19 2020
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D59633A0F03 for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 09:20:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3LaDYSp4tDSN for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 09:20:16 -0700 (PDT)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA36C3A0EEF for <oauth@ietf.org>; Wed,  8 Jul 2020 09:20:15 -0700 (PDT)
Received: by mail-ed1-x532.google.com with SMTP id dm19so36051461edb.13 for <oauth@ietf.org>; Wed, 08 Jul 2020 09:20:15 -0700 (PDT)
X-Received: by 2002:aa7:d1c8:: with SMTP id g8mr68400815edp.337.1594225214085;  Wed, 08 Jul 2020 09:20:14 -0700 (PDT)
Received: from p200300eb8f013880e46871ecac2fb6f0.dip0.t-ipconnect.de (p200300eb8f013880e46871ecac2fb6f0.dip0.t-ipconnect.de. [2003:eb:8f01:3880:e468:71ec:ac2f:b6f0]) by smtp.gmail.com with ESMTPSA id di20sm28745edb.26.2020.07.08.09.20.12 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jul 2020 09:20:13 -0700 (PDT)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <0982ACB0-CDE4-4B26-AF80-63C650263445@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_651C02CB-CD56-4B79-A765-C347E61045A1"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 8 Jul 2020 18:20:10 +0200
In-Reply-To: <B30966F0-5DFB-4416-96C6-AEDB075FC998@mit.edu>
Cc: oauth <oauth@ietf.org>, Justin Richer <jricher@mit.edu>
To: Neil Madden <neil.madden@forgerock.com>
References: <19057F94-1B09-4376-86A3-78662DCA5836@forgerock.com> <B30966F0-5DFB-4416-96C6-AEDB075FC998@mit.edu>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Cq2njqBdVqymx9LZWX72l1-3M0U>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

--Apple-Mail=_651C02CB-CD56-4B79-A765-C347E61045A1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi Neil,

> On 8. Jul 2020, at 16:40, Justin Richer <jricher@mit.edu> wrote:
>
> The two-phase approach is exactly what OBUK does, where you get one access token using client credentials before getting a more specific one in context of the user’s consent. This ends up being awkward to implement at best, since OAuth involves the user too early in the process to allow for this kind of thing. PAR might help address this dichotomy, but RAR can provide places for this to fill in.
>
> With XYZ, I tried to design for that kind of multi-stage transaction pattern more explicitly, with the idea that you could continue your request in context and vary it over time, or even start a new request in the context of an existing one. This is something that I intend to continue with the soon-to-be-formed GNAP working group, if you want to bring this use case there.
>
> — Justin
>
>> On Jul 6, 2020, at 12:32 PM, Neil Madden <neil.madden@forgerock.com> wrote:
>>
>> I’m reading draft-ietf-oauth-rar-01 in a bit more detail now I have some time, and I have a few comments.
>>
>> An assumption in the draft appears to be that the client knows ahead of time what it wants to gain access to and can describe it in detail. For example, the last example in section 2.1 is a client requesting access to particular files, which assumes that the client already knows the paths of the files it wants to access. This in turn seems to imply that the client already has some level of access to be able to determine this, e.g. to list directories, which may not be desirable. In many cases like this I think it’s more natural for the client to not know exactly what it is asking for but instead to want access to *some* file, chosen by the user. An example of this is the Dropbox Chooser [1] and Saver [2] APIs, which notably are not built on top of OAuth. In these cases it would be more natural for the client to send a more generic request and for the details to be filled in by the user as part of the consent process.

That’s a very good point.

There are scenarios where the client knows the resources it wants to interact with in advance, potentially from another transaction (e.g. first access to account list, payment initiation afterwards).

The scenario you are describing is viable as well. In such a case, the request would be fairly generic but the AS (or the RS) would need to make transparent to the client what resources it just obtained access for. Interestingly, this might also happen if the client wants to access accounts. It could just request access to accounts and the user, in the consent, selects the accounts to disclose to the client. In our design at yes, we reflect this in an augmented authorization_details object in the token response (an addition for the spec I have on my list).

>>
>> Another issue is that as far as I can see in the current draft, any client can initiate a rich authorization request at any time without any kind of prior approval. This seems problematic for the main example in the draft, i.e. payment initiation. As an attacker, if I can get a consent screen up on a user’s device requesting to move money around then it seems like half my job is already done - some fraction of users will probably approve such a transaction without properly checking it. It feels like the ability to ask for transaction approval should already be a privileged operation that should require consent and approval.

I think RAR will almost always be used in conjunction with PAR. This means the client is authenticated before the user interaction starts preventing the attack you mentioned. I think we should at least recommend this in the draft.

>>
>> A related issue is that each approval is in effect a completely isolated incident. In a normal OAuth2 interaction I would grant an app some longish-term access to data and it would get an access token and optionally a refresh token. At some later point I can go to the AS and see that I have granted this access and revoke it if I choose. With RAR there is no representation of a long-term relationship between the RO and the client and each transaction starts from fresh. Again, this seems potentially problematic and not quite in keeping with how OAuth currently operates. Each grant of access is ephemeral. (Do refresh tokens make sense in the context of RAR?)

Some of the use cases initially causing the development of RAR are transactional (as pointed out by Vladimir) others are not. RAR is about a richer vocabulary for describing the scope of access.

In the beforementioned account information scenario, the client would, for example, ask for read access to several accounts. Access to balance for one and access to balance & transaction history for another account. This could easily be expressed using RAR and would be a long term grant. If the client for the same user asks for access to another account (and the user approves), the AS should add this to the same underlying grant. This effectively means, the client could use the same token (refresh and access token) to access all accounts.

>>
>> I think a better approach would be a two-phase authorization process:
>>
>> 1. In step 1 an app gets a normal long-lived access and/or refresh token that grants it permissions to ask to initiate transactions (RARs) - e.g. with scope initiate_payments

I agree. This is PAR. PAR + RAR is in the end a generalised version of the UK OB consent pattern.

>> 2. In step 2 the app requests authorization for individual RARs/transactions using some proof of its grant from step 1
>>
>> I have ideas for how this could be achieved, but I’d prefer to see what others think of this general idea rather than getting bogged down in specific details.

best regards,
Torsten.

>>
>> [1]: https://www.dropbox.com/developers/chooser
>> [2]: https://www.dropbox.com/developers/saver
>>
>> — Neil
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_651C02CB-CD56-4B79-A765-C347E61045A1--
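
The flow described in the message above (a generic request, the user picking accounts at consent time, the AS returning an augmented authorization_details and extending the same grant on a later request), as an added example that is not part of the original e-mail or of the RAR draft. The `account` member, the action names, the account identifiers and all function names are assumptions made for illustration.

```python
import copy

# Constructed sample: the generic request a client sends when it does not yet
# know which accounts exist. The action names are assumptions.
GENERIC_REQUEST = [
    {"type": "account_information",
     "actions": ["read_balance", "read_transactions"]},
]


def enrich(requested, consent, owned_accounts):
    """Return the authorization_details to put in the token response.

    requested      -- authorization_details as sent by the client (generic)
    consent        -- {account_id: [actions]} as chosen by the user at consent
    owned_accounts -- accounts the authenticated user actually holds
    """
    enriched = []
    for detail in requested:
        asked = set(detail.get("actions", []))
        for account in sorted(consent):
            if account not in owned_accounts:
                # The consent step must never hand back someone else's account.
                raise ValueError(f"account {account!r} does not belong to the user")
            # Never grant more than the client asked for.
            granted = asked & set(consent[account])
            if granted:
                enriched.append({
                    "type": detail["type"],
                    "account": account,          # hypothetical member name
                    "actions": sorted(granted),
                })
    return enriched


def merge_into_grant(grant, enriched):
    """Add newly approved details to the existing grant for this user and client."""
    merged = copy.deepcopy(grant)                # leave the stored grant untouched
    by_key = {(d["type"], d["account"]): d for d in merged}
    for detail in enriched:
        key = (detail["type"], detail["account"])
        if key in by_key:
            actions = set(by_key[key]["actions"]) | set(detail["actions"])
            by_key[key]["actions"] = sorted(actions)
        else:
            entry = copy.deepcopy(detail)
            merged.append(entry)
            by_key[key] = entry
    return merged


def token_response(grant):
    """Token response body; the token values are placeholders."""
    return {
        "access_token": "<access-token-placeholder>",
        "token_type": "Bearer",
        "refresh_token": "<refresh-token-placeholder>",
        "authorization_details": copy.deepcopy(grant),
    }


def demo():
    owned = {"DE-001", "DE-002", "DE-003"}       # constructed account ids
    # First consent: balance for one account, balance + history for another.
    first = enrich(GENERIC_REQUEST,
                   {"DE-001": ["read_balance"],
                    "DE-002": ["read_balance", "read_transactions"]},
                   owned)
    grant = merge_into_grant([], first)
    # Later request by the same client for the same user: one more account.
    second = enrich(GENERIC_REQUEST, {"DE-003": ["read_balance"]}, owned)
    grant = merge_into_grant(grant, second)
    return token_response(grant)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The client learns what it actually obtained only from the authorization_details in the response, so it should read that array rather than assume its request was granted as sent.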


From nobody Wed Jul  8 09:21:10 2020
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <1DBD3620-18F8-47F1-B0C3-EDD08A64966C@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_0820BBF2-956D-4AC4-A5AE-854B09B834BB"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 8 Jul 2020 18:21:02 +0200
In-Reply-To: <D98C3AF7-6EE3-4A4C-9C06-CEC00CC25184@forgerock.com>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
To: Neil Madden <neil.madden@forgerock.com>
References: <19057F94-1B09-4376-86A3-78662DCA5836@forgerock.com> <B30966F0-5DFB-4416-96C6-AEDB075FC998@mit.edu> <D98C3AF7-6EE3-4A4C-9C06-CEC00CC25184@forgerock.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oMj2r8Ug8EZtqYhO2cnQ9gwwnoU>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

--Apple-Mail=_0820BBF2-956D-4AC4-A5AE-854B09B834BB
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On 8. Jul 2020, at 18:17, Neil Madden <neil.madden@forgerock.com> wrote:
>
> On 8 Jul 2020, at 15:40, Justin Richer <jricher@mit.edu> wrote:
>>
>> The two-phase approach is exactly what OBUK does, where you get one access token using client credentials before getting a more specific one in context of the user’s consent. This ends up being awkward to implement at best, since OAuth involves the user too early in the process to allow for this kind of thing. PAR might help address this dichotomy, but RAR can provide places for this to fill in.
>
> I’m not sure how client credentials would help here. The point I’m making is that the _user_ needs to consent to two separate things:
>
> 1. An initial consent to allow this app/service to initiate payment requests on my behalf.

What in particular should the user consent with in this step?

> 2. Consent to individual transactions.
>
> RAR (and open banking?) completely omits step 1 at the moment, which seems crucial. Especially if you’re doing something like CIBA backchannel where step 1 is effectively consent for this app to spam my phone with payment approval requests.
>
>>
>> With XYZ, I tried to design for that kind of multi-stage transaction pattern more explicitly, with the idea that you could continue your request in context and vary it over time, or even start a new request in the context of an existing one. This is something that I intend to continue with the soon-to-be-formed GNAP working group, if you want to bring this use case there.
>
> RAR is adopted by the OAuth WG so I think this needs to be discussed here.
>
> — Neil


--Apple-Mail=_0820BBF2-956D-4AC4-A5AE-854B09B834BB--


From nobody Wed Jul  8 09:59:53 2020
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 8 Jul 2020 17:59:46 +0100
Message-Id: <27DB83CC-4A61-4CDB-BFCA-6727317120AE@forgerock.com>
References: <1DBD3620-18F8-47F1-B0C3-EDD08A64966C@lodderstedt.net>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
In-Reply-To: <1DBD3620-18F8-47F1-B0C3-EDD08A64966C@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: iPhone Mail (17F80)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TDlWjHfrdbOmBxoFlTNvfoifGho>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

> On 8 Jul 2020, at 17:21, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
>> On 8. Jul 2020, at 18:17, Neil Madden <neil.madden@forgerock.com> wrote:
>>
>>> On 8 Jul 2020, at 15:40, Justin Richer <jricher@mit.edu> wrote:
>>>
>>> The two-phase approach is exactly what OBUK does, where you get one access token using client credentials before getting a more specific one in context of the user’s consent. This ends up being awkward to implement at best, since OAuth involves the user too early in the process to allow for this kind of thing. PAR might help address this dichotomy, but RAR can provide places for this to fill in.
>>
>> I’m not sure how client credentials would help here. The point I’m making is that the _user_ needs to consent to two separate things:
>>
>> 1. An initial consent to allow this app/service to initiate payment requests on my behalf.
>
> What in particular should the user consent with in this step?

“FooPay would like to:
 - initiate payments from your account (you will be asked to approve each one)”

The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account.

>
>> 2. Consent to individual transactions.
>>
>> RAR (and open banking?) completely omits step 1 at the moment, which seems crucial. Especially if you’re doing something like CIBA backchannel where step 1 is effectively consent for this app to spam my phone with payment approval requests.
>>
>>>
>>> With XYZ, I tried to design for that kind of multi-stage transaction pattern more explicitly, with the idea that you could continue your request in context and vary it over time, or even start a new request in the context of an existing one. This is something that I intend to continue with the soon-to-be-formed GNAP working group, if you want to bring this use case there.
>>
>> RAR is adopted by the OAuth WG so I think this needs to be discussed here.
>>
>> — Neil


From nobody Wed Jul  8 11:03:10 2020
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <C2F16240-741F-423C-AC7B-17A5F74565A3@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_F3A26ED9-8B1D-451C-A3FB-FD563A075152"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 8 Jul 2020 20:03:03 +0200
In-Reply-To: <27DB83CC-4A61-4CDB-BFCA-6727317120AE@forgerock.com>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
To: Neil Madden <neil.madden@forgerock.com>
References: <1DBD3620-18F8-47F1-B0C3-EDD08A64966C@lodderstedt.net> <27DB83CC-4A61-4CDB-BFCA-6727317120AE@forgerock.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/fs8rAFE9xOFh2Pyy9B9qwp_MQTc>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

--Apple-Mail=_F3A26ED9-8B1D-451C-A3FB-FD563A075152
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On 8. Jul 2020, at 18:59, Neil Madden <neil.madden@forgerock.com> wrote:
>
>> On 8 Jul 2020, at 17:21, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>
>>> On 8. Jul 2020, at 18:17, Neil Madden <neil.madden@forgerock.com> wrote:
>>>
>>>> On 8 Jul 2020, at 15:40, Justin Richer <jricher@mit.edu> wrote:
>>>>
>>>> The two-phase approach is exactly what OBUK does, where you get one access token using client credentials before getting a more specific one in context of the user’s consent. This ends up being awkward to implement at best, since OAuth involves the user too early in the process to allow for this kind of thing. PAR might help address this dichotomy, but RAR can provide places for this to fill in.
>>>
>>> I’m not sure how client credentials would help here. The point I’m making is that the _user_ needs to consent to two separate things:
>>>
>>> 1. An initial consent to allow this app/service to initiate payment requests on my behalf.
>>
>> What in particular should the user consent with in this step?
>
> “FooPay would like to:
> - initiate payments from your account (you will be asked to approve each one)”
>
> The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account.

Are we talking about legal consent or a security measure here?

In case of open banking the user legally consents to this process at the client (TPP) even before the OAuth/Payment Initiation dance starts.

>
>>
>>> 2. Consent to individual transactions.
>>>
>>> RAR (and open banking?) completely omits step 1 at the moment, which seems crucial. Especially if you’re doing something like CIBA backchannel where step 1 is effectively consent for this app to spam my phone with payment approval requests.
>>>
>>>>
>>>> With XYZ, I tried to design for that kind of multi-stage transaction pattern more explicitly, with the idea that you could continue your request in context and vary it over time, or even start a new request in the context of an existing one. This is something that I intend to continue with the soon-to-be-formed GNAP working group, if you want to bring this use case there.
>>>
>>> RAR is adopted by the OAuth WG so I think this needs to be discussed here.
>>>
>>> — Neil


--Apple-Mail=_F3A26ED9-8B1D-451C-A3FB-FD563A075152--


From nobody Wed Jul  8 11:39:12 2020
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Neil Madden <neil.madden@forgerock.com>
In-Reply-To: <0982ACB0-CDE4-4B26-AF80-63C650263445@lodderstedt.net>
Date: Wed, 8 Jul 2020 19:39:04 +0100
Cc: oauth <oauth@ietf.org>, Justin Richer <jricher@mit.edu>
Content-Transfer-Encoding: quoted-printable
Message-Id: <083119F4-AAC4-4F04-BB3F-DD34B49E21B1@forgerock.com>
References: <0982ACB0-CDE4-4B26-AF80-63C650263445@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/W6KULS2GiBnYZwzGblE1LMCEBLc>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

Hi Torsten,

> On 8 Jul 2020, at 17:20, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
> Hi Neil,
>
>> On 8. Jul 2020, at 16:40, Justin Richer <jricher@mit.edu> wrote:
>>
>> The two-phase approach is exactly what OBUK does, where you get one access token using client credentials before getting a more specific one in context of the user’s consent. This ends up being awkward to implement at best, since OAuth involves the user too early in the process to allow for this kind of thing. PAR might help address this dichotomy, but RAR can provide places for this to fill in.
>>
>> With XYZ, I tried to design for that kind of multi-stage transaction pattern more explicitly, with the idea that you could continue your request in context and vary it over time, or even start a new request in the context of an existing one. This is something that I intend to continue with the soon-to-be-formed GNAP working group, if you want to bring this use case there.
>>
>> — Justin
>>
>>>> On Jul 6, 2020, at 12:32 PM, Neil Madden <neil.madden@forgerock.com> wrote:
>>>
>>> I’m reading draft-ietf-oauth-rar-01 in a bit more detail now I have some time, and I have a few comments.
>>>
>>> An assumption in the draft appears to be that the client knows ahead of time what it wants to gain access to and can describe it in detail. For example, the last example in section 2.1 is a client requesting access to particular files, which assumes that the client already knows the paths of the files it wants to access. This in turn seems to imply that the client already has some level of access to be able to determine this, e.g. to list directories, which may not be desirable. In many cases like this I think it’s more natural for the client to not know exactly what it is asking for but instead to want access to *some* file, chosen by the user. An example of this is the Dropbox Chooser [1] and Saver [2] APIs, which notably are not built on top of OAuth. In these cases it would be more natural for the client to send a more generic request and for the details to be filled in by the user as part of the consent process.
>
> That’s a very good point.
>
> There are scenarios where the client knows the resources it wants to interact with in advance, potentially from another transaction (e.g. first access to account list, payment initiation afterwards).
>
> The scenario you are describing is viable as well. In such a case, the request would be fairly generic but the AS (or the RS) would need to make transparent to the client what resources it just obtained access for. Interestingly, this might also happen if the client wants to access accounts. It could just request access to accounts and the user, in the consent, selects the accounts to disclose to the client. In our design at yes, we reflect this in an augmented authorization_details object in the token response (an addition for the spec I have on my list).

Ok, it sounds like this can be incorporated into the draft.

>>> Another issue is that as far as I can see in the current draft, any client can initiate a rich authorization request at any time without any kind of prior approval. This seems problematic for the main example in the draft, i.e. payment initiation. As an attacker, if I can get a consent screen up on a user’s device requesting to move money around then it seems like half my job is already done - some fraction of users will probably approve such a transaction without properly checking it. It feels like the ability to ask for transaction approval should already be a privileged operation that should require consent and approval.
>
> I think RAR will almost always be used in conjunction with PAR. This means the client is authenticated before the user interaction starts preventing the attack you mentioned. I think we should at least recommend this in the draft.

See other discussion. Client authentication is not the issue here, it’s about user consent. The underlying assumption appears to be that all legitimate clients registered with a bank are trustworthy because of vetting, reputation etc. Even putting aside that issue, as a user, if an app or service acts in a way that I don’t like then I should be able to stop using that app regardless of whether the app has violated any rules.

In normal OAuth I can always go and revoke a grant to indicate that I no longer use that app/service. In RAR I don’t have that option because every transaction starts from scratch. I’m not arguing that every use of RAR will require this kind of two-phase user authorization approach, but that the current description of RAR seems to preclude using the normal OAuth mechanisms to manage this relationship in the transactional case. If PAR can bridge that gap, it would be good to explicitly call that out.

>>> A related issue is that each approval is in effect a completely isolated incident. In a normal OAuth2 interaction I would grant an app some longish-term access to data and it would get an access token and optionally a refresh token. At some later point I can go to the AS and see that I have granted this access and revoke it if I choose. With RAR there is no representation of a long-term relationship between the RO and the client and each transaction starts from fresh. Again, this seems potentially problematic and not quite in keeping with how OAuth currently operates. Each grant of access is ephemeral. (Do refresh tokens make sense in the context of RAR?)
>
> Some of the use cases initially causing the development of RAR are transactional (as pointed out by Vladimir) others are not. RAR is about a richer vocabulary for describing the scope of access.
>
> In the beforementioned account information scenario, the client would, for example, ask for read access to several accounts. Access to balance for one and access to balance & transaction history for another account. This could easily be expressed using RAR and would be a long term grant. If the client for the same user asks for access to another account (and the user approves), the AS should add this to the same underlying grant. This effectively means, the client could use the same token (refresh and access token) to access all accounts.

I am generally against proposals that encourage accumulating authority in a single token, so I’m not convinced this is a good idea. But for the sake of argument, I’ll assume that there are good non-transactional applications of RAR.

>>> I think a better approach would be a two-phase authorization process:
>>>
>>> 1. In step 1 an app gets a normal long-lived access and/or refresh token that grants it permissions to ask to initiate transactions (RARs) - e.g. with scope initiate_payments
>
> I agree. This is PAR. PAR + RAR is in the end a generalised version of the UK OB consent pattern.

PAR currently only allows client credentials to authorize requests to the pushed auth endpoint. But what I’m describing would instead use an access token (authorized by the user). This seems closer to what OB currently does, but using a user-approved access token rather than a client_credentials granted one.

There are other approaches, for example based on macaroon 3rd-party caveats. I’ll try to knock up a decent description or demo of the approach because it has some appealing properties. But whatever the implementation, the important thing is that there is some consideration of these issues.

— Neil
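
The two-phase approach argued for in the message above, as an added Python sketch that is not part of the thread or of any draft: a toy authorization server compares pushes accepted on client authentication alone with pushes gated on a live, user-approved `initiate_payments` grant. The class, method and client names, the `target_user` parameter (standing in for a CIBA-style user hint) and the sample `authorization_details` values are assumptions made for illustration.

```python
"""Toy authorization-server model (added example; every name is hypothetical)."""
import secrets
from dataclasses import dataclass, field

INITIATE_SCOPE = "initiate_payments"  # scope name taken from the thread


class Rejected(Exception):
    """Raised when the AS refuses to queue a consent prompt."""


@dataclass
class AuthorizationServer:
    registered_clients: set
    require_user_grant: bool  # False: client auth only; True: two-phase
    grants: dict = field(default_factory=dict)   # (user, client) -> scopes
    tokens: dict = field(default_factory=dict)   # token -> (user, client)
    pending: dict = field(default_factory=dict)  # request_uri -> request

    def approve_grant(self, user, client, scopes):
        """Phase 1: the user approves a long-lived 'may ask me to pay' grant."""
        self.grants[(user, client)] = set(scopes)
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, client)
        return token

    def revoke_grant(self, user, client):
        """The user ends the relationship; tokens tied to the grant go dead."""
        self.grants.pop((user, client), None)

    def _live_grant(self, token, client):
        """Return the user behind token if the grant still allows initiation."""
        user, owner = self.tokens.get(token, (None, None))
        if owner != client:
            return None  # unknown token, or a token issued to another client
        if INITIATE_SCOPE not in self.grants.get((user, client), set()):
            return None  # grant revoked or never covered initiation
        return user

    def push_request(self, client, target_user, authorization_details,
                     access_token=None):
        """Phase 2: the client pushes one rich authorization request."""
        if client not in self.registered_clients:
            raise Rejected("unknown client")
        if self.require_user_grant:
            user = self._live_grant(access_token, client)
            if user is None or user != target_user:
                raise Rejected("no live initiate_payments grant from this user")
        for detail in authorization_details:
            if "type" not in detail:
                raise Rejected("authorization_details entry without type")
        uri = "urn:example:request:" + secrets.token_urlsafe(8)
        self.pending[uri] = (client, target_user, authorization_details)
        return uri

    def prompts_for(self, user):
        """Clients whose consent prompts are queued for this user."""
        return [c for (c, u, _) in self.pending.values() if u == user]


def demo():
    """Run the same three pushes under both policies and record the outcome."""
    payment = [{"type": "payment_initiation",  # constructed sample values
                "instructedAmount": {"currency": "USD", "amount": "500.00"}}]
    results = {}
    for label, gated in (("client_auth_only", False), ("user_grant_gated", True)):
        server = AuthorizationServer({"foopay", "unknownpay"},
                                     require_user_grant=gated)
        token = server.approve_grant("alice", "foopay", [INITIATE_SCOPE])
        attempts = [("foopay", "foopay", token), ("unknownpay", "unknownpay", None)]
        outcome = []
        for name, client, tok in attempts:
            try:
                server.push_request(client, "alice", payment, tok)
                outcome.append((name, "prompt shown"))
            except Rejected:
                outcome.append((name, "rejected"))
        server.revoke_grant("alice", "foopay")  # alice stops using FooPay
        try:
            server.push_request("foopay", "alice", payment, token)
            outcome.append(("foopay after revoke", "prompt shown"))
        except Rejected:
            outcome.append(("foopay after revoke", "rejected"))
        results[label] = outcome
    return results


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(policy, outcome)
```

Under the client-authentication-only policy every registered client can queue a prompt and revocation changes nothing; under the gated policy only the client holding a live grant can, and revoking the grant stops further prompts.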



From nobody Wed Jul  8 11:46:57 2020
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6FF03A0798 for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 11:46:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hrajn5A-ILPF for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 11:46:53 -0700 (PDT)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B3EE3A0795 for <oauth@ietf.org>; Wed,  8 Jul 2020 11:46:53 -0700 (PDT)
Received: by mail-wr1-x436.google.com with SMTP id f7so47016881wrw.1 for <oauth@ietf.org>; Wed, 08 Jul 2020 11:46:53 -0700 (PDT)
X-Received: by 2002:adf:ed87:: with SMTP id c7mr57802038wro.422.1594234011750;  Wed, 08 Jul 2020 11:46:51 -0700 (PDT)
Received: from [10.0.0.2] (128.211.93.209.dyn.plus.net. [209.93.211.128]) by smtp.gmail.com with ESMTPSA id 92sm1262885wrr.96.2020.07.08.11.46.50 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jul 2020 11:46:51 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <28DA6872-32D6-4FDA-850D-55B06A727694@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_98138A86-AA65-4EB7-839A-BA3E500DB2EA"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 8 Jul 2020 19:46:50 +0100
In-Reply-To: <C2F16240-741F-423C-AC7B-17A5F74565A3@lodderstedt.net>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
References: <1DBD3620-18F8-47F1-B0C3-EDD08A64966C@lodderstedt.net> <27DB83CC-4A61-4CDB-BFCA-6727317120AE@forgerock.com> <C2F16240-741F-423C-AC7B-17A5F74565A3@lodderstedt.net>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8bQeaypuudThok80fC-_A9i5VKU>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
X-List-Received-Date: Wed, 08 Jul 2020 18:46:56 -0000

--Apple-Mail=_98138A86-AA65-4EB7-839A-BA3E500DB2EA
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On 8 Jul 2020, at 19:03, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>
>>> What in particular should the user consent with in this step?
>>
>> “FooPay would like to:
>> - initiate payments from your account (you will be asked to approve each one)”
>>
>> The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account.
>
> Are we talking about legal consent or a security measure here?

Normal OAuth consent. My phone is my resource, and I am its resource owner. If a client wants to send payment requests to my phone (e.g. via CIBA backchannel) then it should have to get my permission first. Even without backchannel requests, I’d much rather that only the three clients I’ve explicitly consented to can ask me to initiate payments rather than the hundreds/thousands of clients my bank happens to have a relationship with.

>
> In case of open banking the user legally consents to this process at the client (TPP) even before the OAuth/Payment Initiation dance starts.

How does the bank (ASPSP) confirm that this actually happened?

— Neil


--Apple-Mail=_98138A86-AA65-4EB7-839A-BA3E500DB2EA--


From nobody Wed Jul  8 12:57:02 2020
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E28DF3A07B6 for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 12:57:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kzoPAlqmq1TE for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 12:56:59 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97E063A0801 for <oauth@ietf.org>; Wed,  8 Jul 2020 12:56:58 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id h28so39116edz.0 for <oauth@ietf.org>; Wed, 08 Jul 2020 12:56:58 -0700 (PDT)
X-Received: by 2002:a05:6402:13d0:: with SMTP id a16mr68708849edx.269.1594238216864;  Wed, 08 Jul 2020 12:56:56 -0700 (PDT)
Received: from [192.168.71.102] (p5b0d9bb4.dip0.t-ipconnect.de. [91.13.155.180]) by smtp.gmail.com with ESMTPSA id ks27sm329405ejb.7.2020.07.08.12.56.55 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 08 Jul 2020 12:56:55 -0700 (PDT)
Content-Type: multipart/signed; boundary=Apple-Mail-85FB7887-16EF-4A1F-8DAA-C97B1336E30C; protocol="application/pkcs7-signature"; micalg=sha-256
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Wed, 8 Jul 2020 21:56:54 +0200
Message-Id: <65F58D4B-4ECB-49CE-B681-169CBBFDCED9@lodderstedt.net>
References: <28DA6872-32D6-4FDA-850D-55B06A727694@forgerock.com>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
In-Reply-To: <28DA6872-32D6-4FDA-850D-55B06A727694@forgerock.com>
To: Neil Madden <neil.madden@forgerock.com>
X-Mailer: iPad Mail (17F80)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PXPJWehBn3N8mwNnGPJaziKU2EA>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
X-List-Received-Date: Wed, 08 Jul 2020 19:57:01 -0000

--Apple-Mail-85FB7887-16EF-4A1F-8DAA-C97B1336E30C
Content-Type: multipart/alternative;
	boundary=Apple-Mail-496843D3-8421-47B1-ABE7-8D22D2EA5127
Content-Transfer-Encoding: 7bit


--Apple-Mail-496843D3-8421-47B1-ABE7-8D22D2EA5127
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable



> On 08.07.2020 at 20:46, Neil Madden <neil.madden@forgerock.com> wrote:
>
> On 8 Jul 2020, at 19:03, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>>
>>>> What in particular should the user consent with in this step?
>>>
>>> “FooPay would like to:
>>> - initiate payments from your account (you will be asked to approve each one)”
>>>
>>> The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account.
>>
>> Are we talking about legal consent or a security measure here?
>
> Normal OAuth consent. My phone is my resource, and I am its resource owner. If a client wants to send payment requests to my phone (e.g. via CIBA backchannel) then it should have to get my permission first. Even without backchannel requests, I’d much rather that only the three clients I’ve explicitly consented to can ask me to initiate payments rather than the hundreds/thousands of clients my bank happens to have a relationship with.

To me it sounds like you would like to require a client to get user authorization to send an authorization request. Would you require the same if I would use scope values to encode a payment initiation request?

>
>>
>> In case of open banking the user legally consents to this process at the client (TPP) even before the OAuth/Payment Initiation dance starts.
>
> How does the bank (ASPSP) confirm that this actually happened?

It does not because it is not the responsibility of the ASPSP. The TPP is obliged by law to obtain consent.

>
> — Neil


--Apple-Mail-496843D3-8421-47B1-ABE7-8D22D2EA5127--


--Apple-Mail-85FB7887-16EF-4A1F-8DAA-C97B1336E30C--


From nobody Wed Jul  8 14:52:32 2020
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3F6C3A07BD for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 14:52:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gli5n4bIMdx5 for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 14:52:18 -0700 (PDT)
Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 761D43A0798 for <oauth@ietf.org>; Wed,  8 Jul 2020 14:52:17 -0700 (PDT)
Received: by mail-wr1-x431.google.com with SMTP id a6so214457wrm.4 for <oauth@ietf.org>; Wed, 08 Jul 2020 14:52:17 -0700 (PDT)
X-Received: by 2002:adf:fd8e:: with SMTP id d14mr60198100wrr.202.1594245135451;  Wed, 08 Jul 2020 14:52:15 -0700 (PDT)
Received: from [10.0.0.3] (128.211.93.209.dyn.plus.net. [209.93.211.128]) by smtp.gmail.com with ESMTPSA id d13sm2005139wrn.61.2020.07.08.14.52.13 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 08 Jul 2020 14:52:14 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-38843936-B178-47A7-9EBA-B6EC64D6C019
Content-Transfer-Encoding: 7bit
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 8 Jul 2020 22:52:12 +0100
Message-Id: <C65E3F43-B7C8-42AE-98AE-3C6409892F2D@forgerock.com>
References: <65F58D4B-4ECB-49CE-B681-169CBBFDCED9@lodderstedt.net>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
In-Reply-To: <65F58D4B-4ECB-49CE-B681-169CBBFDCED9@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: iPhone Mail (17F80)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rlOOERNdPXGvS5Sm6T1yAR3_2WQ>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2020 21:52:30 -0000

--Apple-Mail-38843936-B178-47A7-9EBA-B6EC64D6C019
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable


> On 8 Jul 2020, at 20:56, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
>>> On 08.07.2020 at 20:46, Neil Madden <neil.madden@forgerock.com> wrote:
>>>
>> On 8 Jul 2020, at 19:03, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>>>
>>>>> What in particular should the user consent with in this step?
>>>>
>>>> “FooPay would like to:
>>>> - initiate payments from your account (you will be asked to approve each one)”
>>>>
>>>> The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account.
>>>
>>> Are we talking about legal consent or a security measure here?
>>
>> Normal OAuth consent. My phone is my resource, and I am its resource owner. If a client wants to send payment requests to my phone (e.g. via CIBA backchannel) then it should have to get my permission first. Even without backchannel requests, I’d much rather that only the three clients I’ve explicitly consented to can ask me to initiate payments rather than the hundreds/thousands of clients my bank happens to have a relationship with.
>
> To me it sounds like you would like to require a client to get user authorization to send an authorization request. Would you require the same if I would use scope values to encode a payment initiation request?

Yes. If something is sufficiently high value to require per-transaction authorization then initiating transactions itself becomes a privileged operation.

>>>
>>> In case of open banking the user legally consents to this process at the client (TPP) even before the OAuth/Payment Initiation dance starts.
>>
>> How does the bank (ASPSP) confirm that this actually happened?
>
> It does not because it is not the responsibility of the ASPSP. The TPP is obliged by law to obtain consent.

If the TPP can be trusted to obey the law about this, why not also trust them to be honest about transactions? Why enforce one thing with access tokens but take the other on trust? Especially as the actual transactions are more likely to have a rigorous audit trail.

If we could trust clients to obtain consent we wouldn’t need OAuth at all.

— Neil

--Apple-Mail-38843936-B178-47A7-9EBA-B6EC64D6C019--
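
The two-step gate argued for in the message above, sketched from the authorization server's side as an added example (it is not part of the thread or of any OAuth draft). The class, method names, decision labels and channel labels are hypothetical, and the request is a constructed sample using a "payment_initiation" authorization_details type.

```python
import json
from dataclasses import dataclass, field

PAYMENT_TYPE = "payment_initiation"  # assumed "type" value for payment requests
# Step-1 consent text, taken from the wording quoted in the thread.
STEP1_PROMPT = ("{client} would like to: initiate payments from your account "
                "(you will be asked to approve each one)")

# Constructed sample request body (field names are illustrative).
SAMPLE_REQUEST = json.dumps([{
    "type": PAYMENT_TYPE,
    "instructedAmount": {"currency": "USD", "amount": "500.00"},
    "creditorName": "Example Payee",
}])


@dataclass
class AuthorizationServer:
    """Hypothetical AS policy: sending a payment request is itself privileged."""
    registered_clients: set
    standing_grants: set = field(default_factory=set)  # {(user, client_id)}
    audit_log: list = field(default_factory=list)

    def record_standing_consent(self, user, client_id):
        """Step 1 outcome: the user lets this client send payment requests."""
        self.standing_grants.add((user, client_id))

    def revoke_standing_consent(self, user, client_id):
        self.standing_grants.discard((user, client_id))

    def evaluate(self, client_id, user, authorization_details, channel):
        """Decide what to do with an incoming authorization request.

        channel is "front" (browser redirect, user authenticated at the AS)
        or "backchannel" (CIBA-style push to the user's device).
        Returns (decision, detail) and records the decision for audit.
        """
        decision = self._decide(client_id, user, authorization_details, channel)
        self.audit_log.append((client_id, user, channel, decision[0]))
        return decision

    def _decide(self, client_id, user, authorization_details, channel):
        if client_id not in self.registered_clients:
            return ("reject", "unknown client")
        try:
            details = json.loads(authorization_details)
        except (TypeError, ValueError):
            return ("reject", "authorization_details is not valid JSON")
        well_formed = (
            isinstance(details, list) and details and
            all(isinstance(d, dict) and isinstance(d.get("type"), str)
                for d in details)
        )
        if not well_formed:
            return ("reject", "authorization_details must be a non-empty "
                              "array of typed objects")

        payments = [d for d in details if d["type"] == PAYMENT_TYPE]
        if not payments:
            # Nothing per-transaction in the request: ordinary consent flow.
            return ("ask_consent", "ordinary consent screen")

        if (user, client_id) in self.standing_grants:
            # Step 2: the user still approves each individual payment.
            return ("ask_transaction_approval", payments)

        if channel == "backchannel":
            # Without step 1, nothing is pushed to the user's device.
            return ("reject", "no standing consent for this client")

        # Front channel: the user is present, so offer step 1 first.
        return ("ask_standing_consent", STEP1_PROMPT.format(client=client_id))


if __name__ == "__main__":
    server = AuthorizationServer(registered_clients={"FooPay", "OtherApp"})
    print(server.evaluate("FooPay", "alice", SAMPLE_REQUEST, "backchannel"))
    server.record_standing_consent("alice", "FooPay")
    print(server.evaluate("FooPay", "alice", SAMPLE_REQUEST, "backchannel"))
    print(server.evaluate("OtherApp", "alice", SAMPLE_REQUEST, "backchannel"))
```

The standing grant only decides whether the request reaches the user; each payment still needs its own approval in the second step.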


From nobody Wed Jul  8 23:33:42 2020
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABE703A0F7B for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 23:33:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MQ8Gtzl6cMeF for <oauth@ietfa.amsl.com>; Wed,  8 Jul 2020 23:33:39 -0700 (PDT)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D05F53A0970 for <oauth@ietf.org>; Wed,  8 Jul 2020 23:33:38 -0700 (PDT)
Received: by mail-ej1-x62f.google.com with SMTP id a1so1038537ejg.12 for <oauth@ietf.org>; Wed, 08 Jul 2020 23:33:38 -0700 (PDT)
X-Received: by 2002:a17:906:940f:: with SMTP id q15mr56396867ejx.470.1594276417077;  Wed, 08 Jul 2020 23:33:37 -0700 (PDT)
Received: from p200300eb8f0138adc89b3a305e9c3444.dip0.t-ipconnect.de (p200300eb8f0138adc89b3a305e9c3444.dip0.t-ipconnect.de. [2003:eb:8f01:38ad:c89b:3a30:5e9c:3444]) by smtp.gmail.com with ESMTPSA id e4sm1173761ejx.76.2020.07.08.23.33.35 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jul 2020 23:33:36 -0700 (PDT)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_0E2275AA-4CE9-4522-839F-536CF3795383"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Thu, 9 Jul 2020 08:33:34 +0200
In-Reply-To: <C65E3F43-B7C8-42AE-98AE-3C6409892F2D@forgerock.com>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
To: Neil Madden <neil.madden@forgerock.com>
References: <65F58D4B-4ECB-49CE-B681-169CBBFDCED9@lodderstedt.net> <C65E3F43-B7C8-42AE-98AE-3C6409892F2D@forgerock.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bAYBHS1hguYppc9n1EQr_WZwnAw>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2020 06:33:41 -0000

--Apple-Mail=_0E2275AA-4CE9-4522-839F-536CF3795383
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On 8. Jul 2020, at 23:52, Neil Madden <neil.madden@forgerock.com> wrote:
>
>>
>> On 8 Jul 2020, at 20:56, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>
>>> On 08.07.2020 at 20:46, Neil Madden <neil.madden@forgerock.com> wrote:
>>>
>>> On 8 Jul 2020, at 19:03, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>>>>
>>>>>> What in particular should the user consent with in this step?
>>>>>
>>>>> “FooPay would like to:
>>>>> - initiate payments from your account (you will be asked to approve each one)”
>>>>>
>>>>> The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account.
>>>>
>>>> Are we talking about legal consent or a security measure here?
>>>
>>> Normal OAuth consent. My phone is my resource, and I am its resource owner. If a client wants to send payment requests to my phone (e.g. via CIBA backchannel) then it should have to get my permission first. Even without backchannel requests, I’d much rather that only the three clients I’ve explicitly consented to can ask me to initiate payments rather than the hundreds/thousands of clients my bank happens to have a relationship with.
>>
>> To me it sounds like you would like to require a client to get user authorization to send an authorization request. Would you require the same if I would use scope values to encode a payment initiation request?
>
> Yes. If something is sufficiently high value to require per-transaction authorization then initiating transactions itself becomes a privileged operation.

The per transaction authorization alone is a significant increase in security. What is the added value of requiring an authorization to send a per-transaction authorisation request in an additional step?

>
>>>>
>>>> In case of open banking the user legally consents to this process at the client (TPP) even before the OAuth/Payment Initiation dance starts.
>>>
>>> How does the bank (ASPSP) confirm that this actually happened?
>>
>> It does not because it is not the responsibility of the ASPSP. The TPP is obliged by law to obtain consent.
>
> If the TPP can be trusted to obey the law about this, why not also trust them to be honest about transactions? Why enforce one thing with access tokens but take the other on trust? Especially as the actual transactions are more likely to have a rigorous audit trail.
>
> If we could trust clients to obtain consent we wouldn’t need OAuth at all.

I thought the same initially, but we must distinguish between legal consent and strong authentication/transaction authorization in such a case. Legal consent can be obtained in various ways including the traditional OAuth user consent but also in other places. Authenticating the user (probably with 2FA) and getting authorization for a certain transaction (the meaning of PSD2 SCA) must be conducted by the AS.

>
> — Neil

--Apple-Mail=_0E2275AA-4CE9-4522-839F-536CF3795383--


From nobody Thu Jul  9 00:28:48 2020
Return-Path: <dave.tonge@moneyhub.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C31B33A083E for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 00:28:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.739
X-Spam-Level: 
X-Spam-Status: No, score=-1.739 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=momentumft.co.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SQ-oVCk0Lo7g for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 00:28:44 -0700 (PDT)
Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7069D3A083F for <oauth@ietf.org>; Thu,  9 Jul 2020 00:28:44 -0700 (PDT)
Received: by mail-oi1-x235.google.com with SMTP id r8so1145205oij.5 for <oauth@ietf.org>; Thu, 09 Jul 2020 00:28:44 -0700 (PDT)
X-Received: by 2002:aca:4c0d:: with SMTP id z13mr10464468oia.34.1594279723412;  Thu, 09 Jul 2020 00:28:43 -0700 (PDT)
MIME-Version: 1.0
References: <65F58D4B-4ECB-49CE-B681-169CBBFDCED9@lodderstedt.net> <C65E3F43-B7C8-42AE-98AE-3C6409892F2D@forgerock.com> <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net>
In-Reply-To: <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net>
From: Dave Tonge <dave.tonge@momentumft.co.uk>
Date: Thu, 9 Jul 2020 09:28:32 +0200
Message-ID: <CAP-T6TSBiOnSAMHLPtGpNyFz2h2XRRyT8zL-EnNNSrvuhCGXxA@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: oauth <oauth@ietf.org>,  Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009649a105a9fd2c83"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jiOP5RoL86xxk-oTBXnKmHF5j1c>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2020 07:28:47 -0000

--0000000000009649a105a9fd2c83
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Neil

From a conceptual point of view I'm not really sure what RAR changes from
vanilla OAuth?
For example what is the difference between a client redirecting a user to
an AS in order to:
 - grant access to sensitive health data
 - initiate a specific payment
 - grant full read/write access to file storage containing sensitive commercial data

All of the above could happen with RAR or vanilla OAuth.

Ironically in most jurisdictions, there is more protection for a user if
they are tricked into initiating a payment vs whether they are tricked into
granting access to data. Payments can be refunded, data cannot.

From my perspective if an AS is granting access to sensitive data,
payments, etc. then it has an obligation to protect its users by not
allowing any random client to start an authorization flow. In the case
of Open Banking, this obligation is taken care of by national regulators,
but other commercial OAuth deployments often employ some form of vetting of
clients before allowing them to request sensitive data. In addition certain
sensitive actions can always require step-up authentication - this is also
the case in OpenBanking, a payment to a new payee or over a certain amount
will always require multi-factor authentication even if the user has a
valid logged in session.

An AS is always free to implement the 2 step solution that you proposed and
indeed it could be easier to implement with RAR in the manner you
described, but I don't think it should be the prescribed approach.

Dave


On Thu, 9 Jul 2020 at 08:34, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:

>
>
> > On 8. Jul 2020, at 23:52, Neil Madden <neil.madden@forgerock.com> wrote:
> >
> >>
> >> On 8 Jul 2020, at 20:56, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> >>
> >>> On 08.07.2020 at 20:46, Neil Madden <neil.madden@forgerock.com> wrote:
> >>>
> >>> On 8 Jul 2020, at 19:03, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> >>>>>>
> >>>>>> What in particular should the user consent with in this step?
> >>>>>
> >>>>> “FooPay would like to:
> >>>>> - initiate payments from your account (you will be asked to approve each one)”
> >>>>>
> >>>>> The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account.
> >>>>
> >>>> Are we talking about legal consent or a security measure here?
> >>>
> >>> Normal OAuth consent. My phone is my resource, and I am its resource owner. If a client wants to send payment requests to my phone (e.g. via CIBA backchannel) then it should have to get my permission first. Even without backchannel requests, I’d much rather that only the three clients I’ve explicitly consented to can ask me to initiate payments rather than the hundreds/thousands of clients my bank happens to have a relationship with.
> >>
> >> To me it sounds like you would like to require a client to get user authorization to send an authorization request. Would you require the same if I would use scope values to encode a payment initiation request?
> >
> > Yes. If something is sufficiently high value to require per-transaction authorization then initiating transactions itself becomes a privileged operation.
>
> The per transaction authorization alone is a significant increase in security. What is the added value of requiring an authorization to send a per-transaction authorisation request in an additional step?
>
> >
> >>>>
> >>>> In case of open banking the user legally consents to this process at the client (TPP) even before the OAuth/Payment Initiation dance starts.
> >>>
> >>> How does the bank (ASPSP) confirm that this actually happened?
> >>
> >> It does not because it is not the responsibility of the ASPSP. The TPP is obliged by law to obtain consent.
> >
> > If the TPP can be trusted to obey the law about this, why not also trust them to be honest about transactions? Why enforce one thing with access tokens but take the other on trust? Especially as the actual transactions are more likely to have a rigorous audit trail.
> >
> > If we could trust clients to obtain consent we wouldn’t need OAuth at all.
>
> I thought the same initially, but we must distinguish between legal consent and strong authentication/transaction authorization in such a case. Legal consent can be obtained in various ways including the traditional OAuth user consent but also in other places. Authenticating the user (probably with 2FA) and getting authorization for a certain transaction (the meaning of PSD2 SCA) must be conducted by the AS.
>
> >
> > — Neil
>


-- 
Dave Tonge
CTO
Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120

--0000000000009649a105a9fd2c83--


From nobody Thu Jul  9 00:52:02 2020
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 188143A088C for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 00:52:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6hMNIafhJepk for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 00:51:58 -0700 (PDT)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC52D3A0889 for <oauth@ietf.org>; Thu,  9 Jul 2020 00:51:57 -0700 (PDT)
Received: by mail-wm1-x329.google.com with SMTP id o2so820639wmh.2 for <oauth@ietf.org>; Thu, 09 Jul 2020 00:51:57 -0700 (PDT)
X-Received: by 2002:a1c:e908:: with SMTP id q8mr13628300wmc.59.1594281115850;  Thu, 09 Jul 2020 00:51:55 -0700 (PDT)
Received: from [10.0.0.3] (128.211.93.209.dyn.plus.net. [209.93.211.128]) by smtp.gmail.com with ESMTPSA id u17sm4004158wrp.70.2020.07.09.00.51.55 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 09 Jul 2020 00:51:55 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 9 Jul 2020 08:51:54 +0100
Message-Id: <E991259C-46FB-4B32-B87C-205B4507379F@forgerock.com>
References: <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
In-Reply-To: <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: iPhone Mail (17F80)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PRoP2MjwWlQwYGzWvMxC93N6uT8>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2020 07:52:00 -0000

> On 9 Jul 2020, at 07:33, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
>>> On 8. Jul 2020, at 23:52, Neil Madden <neil.madden@forgerock.com> wrote:
>>>
>>>> On 8 Jul 2020, at 20:56, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>
>>>> On 08.07.2020 at 20:46, Neil Madden <neil.madden@forgerock.com> wrote:
>>>>
>>>> On 8 Jul 2020, at 19:03, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>>>>>
>>>>>>> What in particular should the user consent to in this step?
>>>>>>
>>>>>> “FooPay would like to:
>>>>>> - initiate payments from your account (you will be asked to approve
>>>>>>   each one)”
>>>>>>
>>>>>> The point is that a client that I don’t have any kind of
>>>>>> relationship with can’t just send me a request to transfer $500 to
>>>>>> some account.
>>>>>
>>>>> Are we talking about legal consent or a security measure here?
>>>>
>>>> Normal OAuth consent. My phone is my resource, and I am its resource
>>>> owner. If a client wants to send payment requests to my phone (e.g.
>>>> via CIBA backchannel) then it should have to get my permission first.
>>>> Even without backchannel requests, I’d much rather that only the
>>>> three clients I’ve explicitly consented to can ask me to initiate
>>>> payments rather than the hundreds/thousands of clients my bank
>>>> happens to have a relationship with.
>>>
>>> To me it sounds like you would like to require a client to get user
>>> authorization to send an authorization request. Would you require the
>>> same if I would use scope values to encode a payment initiation
>>> request?
>>
>> Yes. If something is sufficiently high value to require
>> per-transaction authorization then initiating transactions itself
>> becomes a privileged operation.
>
> The per transaction authorization alone is a significant increase in
> security. What is the added value of requiring an authorization to send
> a per-transaction authorisation request in an additional step?

Because Open Banking allows any client at any time to send an
asynchronous back channel request to my phone to approve a payment. This
is pretty risky.

I can’t think of another transactional auth system that allows this
without some kind of initial indication of user consent. For example, in
Apple Pay all payment requests must be initiated from an explicit user
gesture, providing some indication that the user wants to use this. The
Dropbox Chooser and Saver APIs also have to be triggered from a user
gesture. Again, this provides some confirmation that the user actually
initiated the interaction.

In OAuth, the AS doesn’t have this level of integration into the
client’s UI so it needs some other way to establish user consent. By the
time the user has a payment confirmation request on their screen it’s
too late.


>>>>> In case of open banking the user legally consents to this process
>>>>> at the client (TPP) even before the OAuth/Payment Initiation dance
>>>>> starts.
>>>>
>>>> How does the bank (ASPSP) confirm that this actually happened?
>>>
>>> It does not because it is not the responsibility of the ASPSP. The
>>> TPP is obliged by law to obtain consent.
>>
>> If the TPP can be trusted to obey the law about this, why not also
>> trust them to be honest about transactions? Why enforce one thing with
>> access tokens but take the other on trust? Especially as the actual
>> transactions are more likely to have a rigorous audit trail.
>>
>> If we could trust clients to obtain consent we wouldn’t need OAuth at
>> all.
>
> I thought the same initially, but we must distinguish between legal
> consent and strong authentication/transaction authorization in such a
> case. Legal consent can be obtained in various ways including the
> traditional OAuth user consent but also in other places. Authenticating
> the user (probably with 2FA) and getting authorization for a certain
> transaction (the meaning of PSD2 SCA) must be conducted by the AS.
>

Do you mean legal protection for the bank or their users? As a user, if
an OB client acts in a way that I don’t like, but doesn’t break any
actual laws or policies, what’s my recourse? In normal OAuth I can
revoke the grant to that client. This is not possible in transactional
uses of RAR, and that seems like a big difference that significantly
changes the relationship between users and clients.

— Neil
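
The gate argued for in the message above, sketched as an added example (not code from the thread, and not a mechanism defined by RAR): the AS keeps a durable, revocable per-client grant and checks it before any per-transaction prompt reaches the user. The class and function names, the channel labels, the set of transactional types and the sample request are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumption: which authorization_details "type" values count as one-off
# transactions that need a standing grant before they may be initiated.
TRANSACTIONAL_TYPES = frozenset({"payment_initiation"})


@dataclass
class StandingGrants:
    """Durable, user-revocable record: (user, client_id) -> types the client may initiate."""
    _by_pair: dict = field(default_factory=dict)

    def grant(self, user, client_id, detail_type):
        # Recorded once the user accepts the durable consent question, e.g.
        # "FooPay would like to initiate payments (you will approve each one)".
        self._by_pair.setdefault((user, client_id), set()).add(detail_type)

    def revoke(self, user, client_id):
        # The user's recourse: the client can no longer start transactions.
        self._by_pair.pop((user, client_id), None)

    def allows(self, user, client_id, detail_type):
        return detail_type in self._by_pair.get((user, client_id), set())


def gate_request(grants, user, client_id, authorization_details, channel):
    """Decide what the AS does with a request before the user sees anything.

    Returns (action, missing_types) where action is one of:
      "prompt_transaction"    show the per-transaction approval
      "ask_standing_consent"  front channel: ask the durable question first
      "reject"                backchannel: nothing is pushed to the device
    """
    if channel not in ("front", "backchannel"):
        raise ValueError(f"unknown channel: {channel!r}")
    if not isinstance(authorization_details, list) or not authorization_details:
        raise ValueError("authorization_details must be a non-empty list")

    missing = []
    for detail in authorization_details:
        if not isinstance(detail, dict) or not isinstance(detail.get("type"), str):
            raise ValueError("each authorization_details entry needs a string 'type'")
        detail_type = detail["type"]
        needs_grant = detail_type in TRANSACTIONAL_TYPES
        if needs_grant and not grants.allows(user, client_id, detail_type):
            if detail_type not in missing:
                missing.append(detail_type)

    if not missing:
        return ("prompt_transaction", [])
    if channel == "backchannel":
        # An unknown client must not be able to put a payment prompt on the phone.
        return ("reject", missing)
    return ("ask_standing_consent", missing)


# Constructed sample request; only "type" is inspected by the gate.
SAMPLE_PAYMENT = [{
    "type": "payment_initiation",
    "instructedAmount": {"currency": "USD", "amount": "500.00"},
    "creditorName": "Example Payee",
}]


def demo():
    """Walk one user/client pair through no grant, grant, and revocation."""
    grants = StandingGrants()
    steps = [
        gate_request(grants, "alice", "foopay", SAMPLE_PAYMENT, "backchannel"),
        gate_request(grants, "alice", "foopay", SAMPLE_PAYMENT, "front"),
    ]
    grants.grant("alice", "foopay", "payment_initiation")
    steps.append(gate_request(grants, "alice", "foopay", SAMPLE_PAYMENT, "backchannel"))
    grants.revoke("alice", "foopay")
    steps.append(gate_request(grants, "alice", "foopay", SAMPLE_PAYMENT, "backchannel"))
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Revoking the standing grant restores the recourse the message says is missing: later transactional requests from that client are refused before the user is prompted.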


From nobody Thu Jul  9 01:08:03 2020
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8A543A08AF for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 01:08:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G3y0asvKz2Gy for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 01:07:59 -0700 (PDT)
Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 005063A08AB for <oauth@ietf.org>; Thu,  9 Jul 2020 01:07:58 -0700 (PDT)
Received: by mail-wm1-x333.google.com with SMTP id w3so861488wmi.4 for <oauth@ietf.org>; Thu, 09 Jul 2020 01:07:58 -0700 (PDT)
X-Received: by 2002:a1c:4c16:: with SMTP id z22mr12743345wmf.103.1594282077084;  Thu, 09 Jul 2020 01:07:57 -0700 (PDT)
Received: from [10.0.0.3] (128.211.93.209.dyn.plus.net. [209.93.211.128]) by smtp.gmail.com with ESMTPSA id q1sm4271891wro.82.2020.07.09.01.07.55 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 09 Jul 2020 01:07:56 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-5C995DB6-3880-4B7B-953D-C6CC252CB145
Content-Transfer-Encoding: 7bit
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 9 Jul 2020 09:07:55 +0100
Message-Id: <3AB19607-2D27-416B-BB6A-F9A5C566B9A7@forgerock.com>
References: <CAP-T6TSBiOnSAMHLPtGpNyFz2h2XRRyT8zL-EnNNSrvuhCGXxA@mail.gmail.com>
Cc: oauth <oauth@ietf.org>, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
In-Reply-To: <CAP-T6TSBiOnSAMHLPtGpNyFz2h2XRRyT8zL-EnNNSrvuhCGXxA@mail.gmail.com>
To: Dave Tonge <dave.tonge@momentumft.co.uk>
X-Mailer: iPhone Mail (17F80)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nOjqDH075jKYJGH8PFSeiJ6fN6w>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2020 08:08:02 -0000

--Apple-Mail-5C995DB6-3880-4B7B-953D-C6CC252CB145
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable



> On 9 Jul 2020, at 08:28, Dave Tonge <dave.tonge@momentumft.co.uk> wrote:
>
> Hi Neil
>
> From a conceptual point of view I'm not really sure what RAR changes
> from vanilla OAuth?
> For example what is the difference between a client redirecting a user
> to an AS in order to:
>  - grant access to sensitive health data
>  - initiate a specific payment
>  - grant full read/write access to file storage containing sensitive
>    commercial data

The difference is that one of these is transactional and the others
aren’t. Normal OAuth relationships are durative and give the user some
measure of control to manage that relationship over time. The
transactional uses of RAR preclude this because every transaction is a
completely isolated interaction.

Unless you are suggesting dropping the transactional use-cases from RAR
then this should be considered and addressed.

>
> All of the above could happen with RAR or vanilla OAuth.
>
> Ironically in most jurisdictions, there is more protection for a user
> if they are tricked into initiating a payment vs whether they are
> tricked into granting access to data. Payments can be refunded, data
> cannot.

> From my perspective if an AS is granting access to sensitive data,
> payments, etc. then it has an obligation to protect its users by not
> allowing any random client to start an authorization flow.

I’m glad we agree.

> In the case of Open Banking, this obligation is taken care of by
> national regulators, but other commercial OAuth deployments often
> employ some form of vetting of clients before allowing them to request
> sensitive data. In addition certain sensitive actions can always
> require step-up authentication - this is also the case in OpenBanking,
> a payment to a new payee or over a certain amount will always require
> multi-factor authentication even if the user has a valid logged in
> session.

Putting aside the question of whether regulation is an adequate
substitute for user consent, RAR is being proposed as a general
specification, not within the context of any specific regulatory
framework. It’s not ok to just assume this will all be handled by
deployments.

>
> An AS is always free to implement the 2 step solution that you proposed
> and indeed it could be easier to implement with RAR in the manner you
> described, but I don't think it should be the prescribed approach.

How can an AS implement this with RAR? This is my point - there is no
mechanism at all in RAR to link a transaction to any kind of prior
consent. It’s not about mandating such an approach, it’s about
*supporting* it at all. Every transaction in RAR is a blank slate at the
moment.

— Neil


--Apple-Mail-5C995DB6-3880-4B7B-953D-C6CC252CB145--


From nobody Thu Jul  9 01:53:44 2020
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAA813A0937 for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 01:53:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level: 
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r4Xl5KbL2QSo for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 01:53:41 -0700 (PDT)
Received: from p3plsmtpa06-07.prod.phx3.secureserver.net (p3plsmtpa06-07.prod.phx3.secureserver.net [173.201.192.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECC0E3A0925 for <oauth@ietf.org>; Thu,  9 Jul 2020 01:53:40 -0700 (PDT)
Received: from [192.168.88.250] ([94.155.17.31]) by :SMTPAUTH: with ESMTPSA id tSJHjWaFBzW3NtSJHjBMu4; Thu, 09 Jul 2020 01:53:40 -0700
X-SECURESERVER-ACCT: vladimir@connect2id.com
To: oauth@ietf.org
References: <CAP-T6TSBiOnSAMHLPtGpNyFz2h2XRRyT8zL-EnNNSrvuhCGXxA@mail.gmail.com> <3AB19607-2D27-416B-BB6A-F9A5C566B9A7@forgerock.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
X-Enigmail-Draft-Status: N11100
Organization: Connect2id Ltd.
Message-ID: <4fa0537c-6324-cccd-28b0-80e3c2953b6e@connect2id.com>
Date: Thu, 9 Jul 2020 11:53:38 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <3AB19607-2D27-416B-BB6A-F9A5C566B9A7@forgerock.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms000604040403020604040400"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gH4d5mM0W4tfHowLOx4e6srTdsU>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2020 08:53:43 -0000

This is a cryptographically signed message in MIME format.

--------------ms000604040403020604040400
Content-Type: multipart/alternative;
 boundary="------------6397257FE841433A97DEA3E7"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------6397257FE841433A97DEA3E7
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


On 09/07/2020 11:07, Neil Madden wrote:
>
>>
>> An AS is always free to implement the 2 step solution that you
>> proposed and indeed it could be easier to implement with RAR in the
>> manner you described, but I don't think it should be the prescribed
>> approach.
>
> How can an AS implement this with RAR? This is my point - there is no
> mechanism at all in RAR to link a transaction to any kind of prior
> consent. It’s not about mandating such an approach, it’s about
> *supporting* it at all. Every transaction in RAR is a blank slate at
> the moment.

The ability to reference an existing grant is a general problem with OAuth.

The grant management draft has a "grant_id" parameter which can be used
to reference prior consent. I suppose to reference prior consent as
context only a new |grant_management_mode| may be needed.

https://bitbucket.org/openid/fapi/src/master/Financial_API_Grant_Management.md

We also have OAuth Incremental Authorization, which references a refresh
token:

https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-04


Vladimir



--------------6397257FE841433A97DEA3E7--

--------------ms000604040403020604040400--


From nobody Thu Jul  9 03:23:37 2020
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACEA93A080E for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 03:23:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XH1F0l1LHK4A for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 03:23:34 -0700 (PDT)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AA3B3A080A for <oauth@ietf.org>; Thu,  9 Jul 2020 03:23:33 -0700 (PDT)
Received: by mail-wr1-x42a.google.com with SMTP id j4so1741496wrp.10 for <oauth@ietf.org>; Thu, 09 Jul 2020 03:23:33 -0700 (PDT)
X-Received: by 2002:adf:ed4f:: with SMTP id u15mr61062110wro.318.1594290212225;  Thu, 09 Jul 2020 03:23:32 -0700 (PDT)
Received: from [10.0.0.2] (128.211.93.209.dyn.plus.net. [209.93.211.128]) by smtp.gmail.com with ESMTPSA id 68sm4069755wmz.40.2020.07.09.03.23.31 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 09 Jul 2020 03:23:31 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <85AB3BEE-5197-4EFB-A893-8B1B1ED23F7E@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6E0D406C-0C32-4C03-A806-86726CD2098F"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Thu, 9 Jul 2020 11:23:31 +0100
In-Reply-To: <4fa0537c-6324-cccd-28b0-80e3c2953b6e@connect2id.com>
Cc: oauth@ietf.org
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
References: <CAP-T6TSBiOnSAMHLPtGpNyFz2h2XRRyT8zL-EnNNSrvuhCGXxA@mail.gmail.com> <3AB19607-2D27-416B-BB6A-F9A5C566B9A7@forgerock.com> <4fa0537c-6324-cccd-28b0-80e3c2953b6e@connect2id.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2KmZk8g_FhEzIf9bq-Res_HRbMs>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2020 10:23:37 -0000

--Apple-Mail=_6E0D406C-0C32-4C03-A806-86726CD2098F
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On 9 Jul 2020, at 09:53, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
> On 09/07/2020 11:07, Neil Madden wrote:
>>
>>>
>>> An AS is always free to implement the 2 step solution that you proposed and indeed it could be easier to implement with RAR in the manner you described, but I don't think it should be the prescribed approach.
>>
>> How can an AS implement this with RAR? This is my point - there is no mechanism at all in RAR to link a transaction to any kind of prior consent. It’s not about mandating such an approach, it’s about *supporting* it at all. Every transaction in RAR is a blank slate at the moment.
> The ability to reference an existing grant is a general problem with OAuth.
>
> The grant management draft has a "grant_id" parameter which can be used to reference prior consent. I suppose to reference prior consent as context only a new grant_management_mode may be needed.
>
> https://bitbucket.org/openid/fapi/src/master/Financial_API_Grant_Management.md
> We also have OAuth Incremental Authorization, which references a refresh token:
>
> https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-04
>
Thanks, these are useful references. The grant_id approach could work. Incremental authZ is an interesting comparison, but in that case the new grant replaces the old one, whereas in transactional auth each grant is separate. Another potential issue is that the proof of the existing grant is only presented at the token endpoint, after the flow has completed. Although this does stop the kind of attacks I was worried about, it would be better to check this up front if possible. That’s certainly an interesting reference though, and one I hadn’t considered before in this context, so thanks for mentioning it.

I think I prefer an approach using PAR, with the following additions/modifications:

1. Ability to make PAR mandatory for approval of some scopes and/or for particular clients (determined by AS policy).
2. Ability to authorize the call to the PAR endpoint using an access token instead of client authentication.
  - AS policy can decide what type of authorization is required for a particular request: user-approved access token, client_credentials access token (i.e., current OB UK), or direct client authentication.
3. If a user-approved AT is used in step 2, then the AS MUST ensure that the same user is involved in the subsequent authorization flow.

There is precedent for step 2 - e.g., token introspection currently allows an access token instead of client authentication.

If RAR was then updated to discuss this issue in the security considerations (or elsewhere) with a reference to these features of PAR then I think I would be pretty happy with that.

— Neil



--Apple-Mail=_6E0D406C-0C32-4C03-A806-86726CD2098F--
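
The three PAR additions proposed in the message above, sketched as authorization-server checks. This is an added example, not code from the thread or from any PAR or RAR draft: the policy tables, class and function names and the in-memory store are assumptions, and requiring a prior "make_payments" grant for "payment_initiation" is an assumed policy built from names used in this thread.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CLIENT_AUTH, CLIENT_TOKEN, USER_TOKEN = 1, 2, 3   # weakest to strongest

# Hypothetical AS policy, keyed on the RAR authorization_details "type".
REQUIRED_LEVEL = {"payment_initiation": USER_TOKEN}    # default is CLIENT_AUTH
REQUIRED_SCOPE = {"payment_initiation": "make_payments"}
PAR_MANDATORY = {"payment_initiation"}                 # step 1


class Rejected(Exception):
    """Raised when the AS refuses a pushed or front-channel request."""


@dataclass(frozen=True)
class AccessToken:
    client_id: str
    subject: Optional[str]      # None for a client_credentials token
    scopes: frozenset
    expires_at: float


@dataclass(frozen=True)
class PushedRequest:
    client_id: str
    authorization_details: tuple
    bound_subject: Optional[str]
    expires_at: float


def credential_level(token):
    """Rank what the caller presented at the PAR endpoint."""
    if token is None:
        return CLIENT_AUTH      # plain client authentication only
    return USER_TOKEN if token.subject else CLIENT_TOKEN


def push_request(store, client_id, details, token=None, now=None, ttl=60):
    """PAR endpoint. Step 2: authorize the push itself according to AS policy."""
    now = time.time() if now is None else now
    if token is not None:
        if token.expires_at <= now:
            raise Rejected("access token expired")
        if token.client_id != client_id:
            raise Rejected("access token was issued to a different client")
    types = [d["type"] for d in details]
    needed = max([REQUIRED_LEVEL.get(t, CLIENT_AUTH) for t in types],
                 default=CLIENT_AUTH)
    if credential_level(token) < needed:
        raise Rejected("insufficient authorization for this request type")
    for t in types:
        scope = REQUIRED_SCOPE.get(t)
        if scope and (token is None or scope not in token.scopes):
            raise Rejected("prior grant lacks scope " + scope)
    uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
    store[uri] = PushedRequest(client_id, tuple(details),
                               token.subject if token else None, now + ttl)
    return uri


def start_authorization(store, client_id, user, request_uri=None,
                        details=(), now=None):
    """Authorization endpoint, called once the user has authenticated as `user`."""
    now = time.time() if now is None else now
    if request_uri is None:
        # Step 1: these request types may only arrive through PAR.
        if any(d["type"] in PAR_MANDATORY for d in details):
            raise Rejected("PAR is mandatory for this request type")
        return tuple(details)
    pushed = store.pop(request_uri, None)     # single use, even on failure
    if pushed is None or pushed.expires_at <= now:
        raise Rejected("unknown or expired request_uri")
    if pushed.client_id != client_id:
        raise Rejected("request_uri belongs to another client")
    # Step 3: the user behind the earlier grant must be the user present now.
    if pushed.bound_subject is not None and pushed.bound_subject != user:
        raise Rejected("authenticated user differs from the bound user")
    return pushed.authorization_details
```

The binding check runs before any consent screen is shown, which is the "check this up front" property the message asks for.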


From nobody Thu Jul  9 09:07:29 2020
Return-Path: <dave.tonge@moneyhub.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A5D93A0CC5 for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 09:07:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.739
X-Spam-Level: 
X-Spam-Status: No, score=-1.739 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=momentumft.co.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VAGfms2KOLov for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 09:07:20 -0700 (PDT)
Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39E823A0CC6 for <oauth@ietf.org>; Thu,  9 Jul 2020 09:06:54 -0700 (PDT)
Received: by mail-ot1-x330.google.com with SMTP id 72so2066900otc.3 for <oauth@ietf.org>; Thu, 09 Jul 2020 09:06:54 -0700 (PDT)
X-Received: by 2002:a9d:ee2:: with SMTP id 89mr19204318otj.260.1594310813177;  Thu, 09 Jul 2020 09:06:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAP-T6TSBiOnSAMHLPtGpNyFz2h2XRRyT8zL-EnNNSrvuhCGXxA@mail.gmail.com> <3AB19607-2D27-416B-BB6A-F9A5C566B9A7@forgerock.com> <4fa0537c-6324-cccd-28b0-80e3c2953b6e@connect2id.com> <85AB3BEE-5197-4EFB-A893-8B1B1ED23F7E@forgerock.com>
In-Reply-To: <85AB3BEE-5197-4EFB-A893-8B1B1ED23F7E@forgerock.com>
From: Dave Tonge <dave.tonge@momentumft.co.uk>
Date: Thu, 9 Jul 2020 18:06:42 +0200
Message-ID: <CAP-T6TR3bcEWVzbBXvdwRwDiB0bNcO-hEmSZw40mEf1zPvkqWQ@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ae711305aa0469f3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/QSWoja9_P6IN19Uk5viC0di1nrA>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2020 16:07:23 -0000

--000000000000ae711305aa0469f3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Neil

RAR doesn't have to be transactional and people are already using standard
OAuth for transactions without RAR.
But I take your point that RAR is promoting a more transactional use of
OAuth.
However I still don't agree that there is a fundamental difference.
Revocation of access is irrelevant; as I mentioned, if access was granted in
error, then the damage is already done whether the user revokes or not.

I'm not sure whether it is worth standardising the approach of linking one
OAuth request to another, and I'm definitely not sure about it for RAR.

It is an interesting suggestion of allowing a user access token to be
presented at the PAR endpoint, but I'm not sure that is needed.
If a particular implementation wants to allow a two stage transaction, they
can simply pass some reference to the first auth in the subsequent RAR auth
flows, e.g.

First flow: a user grants access with the simple scope of "make_payments";
the access token issued at the end of the grant allows access to a resource
server endpoint, /payment-consents. The payload the client receives back
when hitting that endpoint is {*id: "123"*, paymentsStarted:[],
paymentsCompleted:[]}
In the second flow the client uses RAR with authorization_details containing
this object:

    {
         "type": "payment_initiation",
         "actions": [
            "initiate",
            "status",
            "cancel"
         ],
         "locations": [
            "https://example.com/payments"
         ],
         "instructedAmount": {
            "currency": "EUR",
            "amount": "123.50"
         },
         "creditorName": "Merchant123",
         "creditorAccount": {
            "iban": "DE02100100109307118603"
         },
         "remittanceInformationUnstructured": "Ref Number Merchant",
         "paymentConsentId": "123"
    }

This type of flow seems to better separate the AS and the RS.

What do you think?

Dave


On Thu, 9 Jul 2020 at 12:24, Neil Madden <neil.madden@forgerock.com> wrote:

>
>
> On 9 Jul 2020, at 09:53, Vladimir Dzhuvinov <vladimir@connect2id.com>
> wrote:
> On 09/07/2020 11:07, Neil Madden wrote:
>
>
>
> An AS is always free to implement the 2 step solution that you proposed
> and indeed it could be easier to implement with RAR in the manner you
> described, but I don't think it should be the prescribed approach.
>
>
> How can an AS implement this with RAR? This is my point - there is no
> mechanism at all in RAR to link a transaction to any kind of prior consent.
> It’s not about mandating such an approach, it’s about *supporting* it at
> all. Every transaction in RAR is a blank slate at the moment.
>
> The ability to reference an existing grant is a general problem with OAuth.
>
> The grant management draft has a "grant_id" parameter which can be used to
> reference prior consent. I suppose to reference prior consent as context
> only a new grant_management_mode may be needed.
>
>
> https://bitbucket.org/openid/fapi/src/master/Financial_API_Grant_Management.md
>
> We also have OAuth Incremental Authorization, which references a refresh
> token:
>
> https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-04
>
> Thanks, these are useful references. The grant_id approach could work.
> Incremental authZ is an interesting comparison, but in that case the new
> grant replaces the old one, whereas in transactional auth each grant is
> separate. Another potential issue is that the proof of the existing grant
> is only presented at the token endpoint, after the flow has completed.
> Although this does stop the kind of attacks I was worried about, it would
> be better to check this up front if possible. That’s certainly an
> interesting reference though, and one I hadn’t considered before in this
> context, so thanks for mentioning it.
>
> I think I prefer an approach using PAR, with the following
> additions/modifications:
>
> 1. Ability to make PAR mandatory for approval of some scopes and/or for
> particular clients (determined by AS policy).
> 2. Ability to authorize the call to the PAR endpoint using an access token
> instead of client authentication.
>   - AS policy can decide what type of authorization is required for a
> particular request: user-approved access token, client_credentials access
> token (i.e., current OB UK), or direct client authentication.
> 3. If a user-approved AT is used in step 2, then the AS MUST ensure that
> the same user is involved in the subsequent authorization flow.
>
> There is precedent for step 2 - e.g., token introspection currently allows
> an access token instead of client authentication.
>
> If RAR was then updated to discuss this issue in the security
> considerations (or elsewhere) with a reference to these features of PAR
> then I think I would be pretty happy with that.
>
> — Neil
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Dave Tonge
CTO
Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Moneyhub Financial Technology is entered on the
Financial Services Register (FRN 809360) at fca.org.uk/register.
Moneyhub Financial Technology is registered in England & Wales, company
registration number 06909772.
Moneyhub Financial Technology Limited 2018 ©

DISCLAIMER: This email (including any attachments) is subject to copyright,
and the information in it is confidential. Use of this email or of any
information in it other than by the addressee is unauthorised and unlawful.
Whilst reasonable efforts are made to ensure that any attachments are
virus-free, it is the recipient's sole responsibility to scan all
attachments for viruses. All calls and emails to and from this company may
be monitored and recorded for legitimate purposes relating to this
company's business. Any opinions expressed in this email (or in any
attachments) are those of the author and do not necessarily represent the
opinions of Moneyhub Financial Technology Limited or of any other group
company.


--000000000000ae711305aa0469f3--
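An added example, not part of the original messages or of either draft: one way an AS could validate the `paymentConsentId` reference from the message above, checking the client binding up front when the request is pushed and the same-user binding once the user has authenticated (the requirement in point 3 of the quoted list). `ConsentRecord`, `CONSENTS`, the function names, the client and user identifiers, and the policy that every `payment_initiation` entry must carry a reference are assumptions.

```python
from dataclasses import dataclass


class ConsentLinkError(Exception):
    """The referenced prior consent cannot be used for this request."""


@dataclass(frozen=True)
class ConsentRecord:
    consent_id: str
    client_id: str  # client that obtained the first grant
    user_id: str    # user who approved the first grant


# Constructed sample store standing in for the data behind /payment-consents.
CONSENTS = {
    "123": ConsentRecord("123", client_id="merchant-app", user_id="alice"),
}

# Constructed sample request, shaped like the object in the message above.
SAMPLE_DETAILS = [{
    "type": "payment_initiation",
    "actions": ["initiate", "status", "cancel"],
    "locations": ["https://example.com/payments"],
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "creditorName": "Merchant123",
    "creditorAccount": {"iban": "DE02100100109307118603"},
    "remittanceInformationUnstructured": "Ref Number Merchant",
    "paymentConsentId": "123",
}]


def _linked_consents(authorization_details, store):
    """Yield the stored consent for each payment_initiation entry."""
    for entry in authorization_details:
        if not isinstance(entry, dict) or entry.get("type") != "payment_initiation":
            continue  # other authorization_details types are out of scope here
        ref = entry.get("paymentConsentId")
        if ref is None:
            # Assumed deployment policy: payments must name a prior consent.
            raise ConsentLinkError("payment_initiation without paymentConsentId")
        if not isinstance(ref, str) or ref not in store:
            raise ConsentLinkError("unknown consent reference")
        yield store[ref]


def check_at_par(client_id, authorization_details, store=CONSENTS):
    """Up-front check when the request is pushed.

    The user is not known yet, so only the client binding can be verified.
    Returns the list of consent ids the request refers to.
    """
    records = list(_linked_consents(authorization_details, store))
    for rec in records:
        if rec.client_id != client_id:
            raise ConsentLinkError("consent belongs to another client")
    return [rec.consent_id for rec in records]


def check_after_login(authenticated_user, client_id, authorization_details,
                      store=CONSENTS):
    """Check once the user has authenticated in the second flow.

    The user now present must be the one who approved the referenced consent;
    otherwise the reference must not be treated as prior approval.
    """
    consent_ids = check_at_par(client_id, authorization_details, store)
    for cid in consent_ids:
        if store[cid].user_id != authenticated_user:
            raise ConsentLinkError("consent was approved by a different user")
    return consent_ids


if __name__ == "__main__":
    print(check_at_par("merchant-app", SAMPLE_DETAILS))
    print(check_after_login("alice", "merchant-app", SAMPLE_DETAILS))
    try:
        check_after_login("mallory", "merchant-app", SAMPLE_DETAILS)
    except ConsentLinkError as exc:
        print("rejected:", exc)
```
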


From nobody Thu Jul  9 09:47:24 2020
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3385E3A0D9D for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 09:47:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level: 
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KkZgXFScsvkG for <oauth@ietfa.amsl.com>; Thu,  9 Jul 2020 09:47:21 -0700 (PDT)
Received: from p3plsmtpa06-01.prod.phx3.secureserver.net (p3plsmtpa06-01.prod.phx3.secureserver.net [173.201.192.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8C523A0D9A for <oauth@ietf.org>; Thu,  9 Jul 2020 09:47:21 -0700 (PDT)
Received: from [192.168.88.250] ([94.155.17.31]) by :SMTPAUTH: with ESMTPSA id tZhfjFiTbUdEbtZhgjTEGZ; Thu, 09 Jul 2020 09:47:21 -0700
X-SECURESERVER-ACCT: vladimir@connect2id.com
To: Dave Tonge <dave.tonge@momentumft.co.uk>, "oauth@ietf.org" <oauth@ietf.org>
References: <CAP-T6TSBiOnSAMHLPtGpNyFz2h2XRRyT8zL-EnNNSrvuhCGXxA@mail.gmail.com> <3AB19607-2D27-416B-BB6A-F9A5C566B9A7@forgerock.com> <4fa0537c-6324-cccd-28b0-80e3c2953b6e@connect2id.com> <85AB3BEE-5197-4EFB-A893-8B1B1ED23F7E@forgerock.com> <CAP-T6TR3bcEWVzbBXvdwRwDiB0bNcO-hEmSZw40mEf1zPvkqWQ@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
X-Enigmail-Draft-Status: N11100
Organization: Connect2id Ltd.
Message-ID: <c5429db7-b5f4-38b3-55a4-8ab1aff11b90@connect2id.com>
Date: Thu, 9 Jul 2020 19:47:19 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <CAP-T6TR3bcEWVzbBXvdwRwDiB0bNcO-hEmSZw40mEf1zPvkqWQ@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms030400060306000609060305"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ch4VuGqA-JIbbrX243K8QwSne94>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2020 16:47:23 -0000

This is a cryptographically signed message in MIME format.

--------------ms030400060306000609060305
Content-Type: multipart/alternative;
 boundary="------------768BA6FF3FA6662DDCF9A61B"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------768BA6FF3FA6662DDCF9A61B
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 09/07/2020 19:06, Dave Tonge wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAP-T6TR3bcEWVzbBXvdwRwDiB0bNcO-hEmSZw40mEf1zPvkqWQ@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div class="gmail_default" style="font-family:trebuchet
          ms,sans-serif"><br>
          <div class="gmail_default">If a particular implementation
            wants to allow a two stage transaction, they can simply pass
            some reference&nbsp;to the first auth in the subsequent RAR auth
            flows, e.g.</div>
          <div class="gmail_default"><br>
          </div>
          <div class="gmail_default">First flow, a user grants access
            with the simple scope of "make_payments", the access token
            issued at the end of the grant allows access to a resource
            server endpoints /payment-consents. The payload the client
            receives back when hitting that endpoint is {<b>id: "123"</b>,
            paymentsStarted:[], paymentsCompleted:[]}<br>
            The second flow the client uses RAR with
            authorization_details containing this object:<br>
            <br>
            &nbsp; &nbsp; {<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"type": "payment_initiation",<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"actions": [<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "initiate",<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "status",<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "cancel"<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;],<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"locations": [<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "<a href="https://example.com/payments"
              moz-do-not-send="true">https://example.com/payments</a>"<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;],<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"instructedAmount": {<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "currency": "EUR",<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "amount": "123.50"<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;},<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"creditorName": "Merchant123",<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"creditorAccount": {<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "iban": "DE02100100109307118603"<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;},<br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"remittanceInformationUnstructured": "Ref Number
            Merchant",</div>
          <div class="gmail_default">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<b>"paymentConsentId":
              "123",</b><br>
            &nbsp; &nbsp; &nbsp; }<br>
            <br>
          </div>
          <div class="gmail_default">This type of flows seems to better
            separate&nbsp;the AS and the RS</div>
          <div class="gmail_default"><br>
          </div>
        </div>
      </div>
    </blockquote>
    <p>What I like about this proposal:</p>
    <ol>
      <li>It keeps the linking / referencing self-contained, i.e. within
        the RAR authorization_details.<br>
        <br>
      </li>
      <li>It doesn't require anything else in terms of OAuth, such as a new
        top-level authz request parameter.<br>
        <br>
      </li>
      <li>Applications / deployments are free how to define the
        "linking" / "context" between RARs.<br>
        <br>
      </li>
      <li>Does not complicate the RAR spec further (the normative bits).</li>
    </ol>
    <p><br>
    </p>
    <p>Vladimir<br>
    </p>
    <p><br>
    </p>
  </body>
</html>

--------------768BA6FF3FA6662DDCF9A61B--

--------------ms030400060306000609060305--


From nobody Thu Jul  9 10:10:27 2020
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <888E8738-A5A6-4086-BAB0-418216342A7E@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_E810E568-CBBA-4F91-AC59-5892816BFAD5"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Thu, 9 Jul 2020 19:10:18 +0200
In-Reply-To: <E991259C-46FB-4B32-B87C-205B4507379F@forgerock.com>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
To: Neil Madden <neil.madden@forgerock.com>
References: <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net> <E991259C-46FB-4B32-B87C-205B4507379F@forgerock.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/raJ93YohUE6yqkOJencKqvJM1VQ>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

--Apple-Mail=_E810E568-CBBA-4F91-AC59-5892816BFAD5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8


>>>>>>>>
>>>>>>>> What in particular should the user consent with in this step?
>>>>>>>
>>>>>>> “FooPay would like to:
>>>>>>> - initiate payments from your account (you will be asked to approve each one)”
>>>>>>>
>>>>>>> The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account.
>>>>>>
>>>>>> Are we talking about legal consent or a security measures here?
>>>>>
>>>>> Normal OAuth consent. My phone is my resource, and I am its resource owner. If a client wants to send payment requests to my phone (e.g. via CIBA backchannel) then it should have to get my permission first. Even without backchannel requests, I’d much rather that only the three clients I’ve explicitly consented to can ask me to initiate payments rather than the hundreds/thousands clients my bank happens to have a relationship with.
>>>>
>>>> To me it sounds like you would like to require a client to get user authorization to send an authorization request. Would you require the same if I would use scope values to encode a payment initiation request?
>>>
>>> Yes. If something is sufficiently high value to require per-transaction authorization then initiating transactions itself becomes a privileged operation.
>>
>> The per transaction authorization alone is a significant increase in security. What is the added value of requiring an authorization to send a per-transaction authorisation request in an additional step?
>
> Because Open Banking allows any client at any time to send an asynchronous back channel request to my phone to approve a payment. This is pretty risky.

Can you please explain how you came to that conclusion and how it relates to RAR?

In the simplest of all scenarios the client sends authorization details instead of scope values through the user browser and this way starts the authorization process with the AS.

When RAR is combined with PAR, the client first stores the authorization request including authorization details at the AS in exchange for a reference to this data. It then uses this reference to start the authorization process. This is more secure and robust than sending the data through the browser.

So what is the risk here and why do you think unsolicited backchannel requests are sent to your device?


>
> I can’t think of another transactional auth system that allows this without some kind of initial indication of user consent. For example, in Apple Pay all payment requests must be initiated from an explicit user gesture, providing some indication that the user wants to use this. The Dropbox Chooser and Saver APIs also have to be triggered from a user gesture. Again, this provides some confirmation that the user actually initiated the interaction.
>
> In OAuth, the AS doesn’t have this level of integration into the client’s UI so it needs some other way to establish user consent. By the time the user has a payment confirmation request on their screen it’s too late.
>
>
>>>>>> In case of open banking the user legally consents to this process at the client (TPP) even before the OAuth/Payment Initiation dance starts.
>>>>>
>>>>> How does the bank (ASPSP) confirm that this actually happened?
>>>>
>>>> It does not because it is not the responsibility of the ASPSP. The TPP is obliged by law to obtain consent.
>>>
>>> If the TPP can be trusted to obey the law about this, why not also trust them to be honest about transactions? Why enforce one thing with access tokens but take the other on trust? Especially as the actual transactions are more likely to have a rigorous audit trail.
>>>
>>> If we could trust clients to obtain consent we wouldn’t need OAuth at all.
>>
>> I thought the same initially, but we must distinguish between legal consent and strong authentication/transaction authorization in such a case. Legal consent can be obtained in various ways including the traditional OAuth user consent but also in other places. Authenticating the user (probably with 2FA) and getting authorization for a certain transaction (the meaning of PSD2 SCA) must be conducted by the AS.
>>
>
> Do you mean legal protection for the bank or their users? As a user, if an OB client acts in a way that I don’t like, but doesn’t break any actual laws or policies, what’s my recourse? In normal OAuth I can revoke the grant to that client. This is not possible in transactional uses of RAR, and that seems like a big difference that significantly changes the relationship between users and clients.
>
> — Neil


--Apple-Mail=_E810E568-CBBA-4F91-AC59-5892816BFAD5--


From nobody Thu Jul  9 10:17:35 2020
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <37686834-5ABB-4F6C-9C8E-1616EE957FD7@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3F5D0498-0C76-4038-B455-627114379211"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Thu, 9 Jul 2020 18:17:27 +0100
In-Reply-To: <CAP-T6TR3bcEWVzbBXvdwRwDiB0bNcO-hEmSZw40mEf1zPvkqWQ@mail.gmail.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth <oauth@ietf.org>
To: Dave Tonge <dave.tonge@momentumft.co.uk>
References: <CAP-T6TSBiOnSAMHLPtGpNyFz2h2XRRyT8zL-EnNNSrvuhCGXxA@mail.gmail.com> <3AB19607-2D27-416B-BB6A-F9A5C566B9A7@forgerock.com> <4fa0537c-6324-cccd-28b0-80e3c2953b6e@connect2id.com> <85AB3BEE-5197-4EFB-A893-8B1B1ED23F7E@forgerock.com> <CAP-T6TR3bcEWVzbBXvdwRwDiB0bNcO-hEmSZw40mEf1zPvkqWQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZphNt0TraCIuGdl1U-o7hmMKTrU>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

--Apple-Mail=_3F5D0498-0C76-4038-B455-627114379211
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On 9 Jul 2020, at 17:06, Dave Tonge <dave.tonge@momentumft.co.uk> wrote:
>
> Hi Neil
>
> RAR doesn't have to be transactional and people are already using standard OAuth for transactions without RAR.
> But I take your point that RAR is promoting a more transactional use of OAuth.
> However I still don't agree that there is a fundamental difference. Revocation of access is irrelevant, as I mentioned if access was granted in error, then the damage is already done whether the user revokes or not.

This is not true. I’m not talking about revoking individual transaction tokens, I’m talking about revoking the permission to ask for transaction tokens.

>
> I'm not sure whether it is worth standardising the approach of linking one OAuth request to another, and I'm definitely not sure about it for RAR.
>
> It is an interesting suggestion of allowing a user access token to be presented at the PAR endpoint, but I'm not sure that is needed.
> If a particular implementation wants to allow a two stage transaction, they can simply pass some reference to the first auth in the subsequent RAR auth flows, e.g.
>
> First flow, a user grants access with the simple scope of "make_payments", the access token issued at the end of the grant allows access to a resource server endpoints /payment-consents. The payload the client receives back when hitting that endpoint is {id: "123", paymentsStarted:[], paymentsCompleted:[]}
> The second flow the client uses RAR with authorization_details containing this object:
>
>     {
>          "type": "payment_initiation",
>          "actions": [
>             "initiate",
>             "status",
>             "cancel"
>          ],
>          "locations": [
>             "https://example.com/payments"
>          ],
>          "instructedAmount": {
>             "currency": "EUR",
>             "amount": "123.50"
>          },
>          "creditorName": "Merchant123",
>          "creditorAccount": {
>             "iban": "DE02100100109307118603"
>          },
>          "remittanceInformationUnstructured": "Ref Number Merchant",
>          "paymentConsentId": "123",
>       }
>
> This type of flows seems to better separate the AS and the RS
>
> What do you think?

Isn’t this paymentConsentId just an access token in all but name? The point is that the AS shouldn’t process the transaction request if the user hasn’t authorized this client to do so. So the AS needs to be able to tie this paymentConsentId to the actual consent and check that it appropriately authorizes this request, which is what an access token does.

— Neil


--Apple-Mail=_3F5D0498-0C76-4038-B455-627114379211--
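
Added example, not part of the original messages: a Python sketch of the check Neil describes above (the AS tying paymentConsentId to the actual consent before it processes the request), placed in the push-then-authorize sequence Torsten describes for RAR combined with PAR. The class, method names, error strings and the urn:example request_uri format are assumptions made for illustration, not taken from any draft or product.

```python
# Added illustration (constructed; not code from the thread or any OAuth product).
import secrets
from dataclasses import dataclass


class ConsentError(Exception):
    """authorization_details could not be tied to a valid standing consent."""


@dataclass
class PaymentConsent:
    consent_id: str
    client_id: str      # client the user allowed to ask for payments
    user_id: str        # resource owner who gave that permission
    revoked: bool = False


class AuthorizationServer:
    """Hypothetical AS keeping standing consents and pushed requests in memory."""

    def __init__(self):
        self.consents = {}   # consent_id -> PaymentConsent
        self.pushed = {}     # request_uri -> (client_id, authorization_details)

    def record_consent(self, client_id, user_id):
        """First flow: the user lets this client ask for per-payment approval."""
        consent = PaymentConsent(secrets.token_urlsafe(8), client_id, user_id)
        self.consents[consent.consent_id] = consent
        return consent.consent_id

    def revoke_consent(self, consent_id):
        """The user withdraws the permission to ask, not a single payment."""
        self.consents[consent_id].revoked = True

    def _consent_for(self, client_id, detail):
        consent_id = detail.get("paymentConsentId")
        if not isinstance(consent_id, str):
            raise ConsentError("missing_consent_reference")
        consent = self.consents.get(consent_id)
        if consent is None:
            raise ConsentError("unknown_consent")
        if consent.client_id != client_id:
            raise ConsentError("consent_bound_to_other_client")
        if consent.revoked:
            raise ConsentError("consent_revoked")
        return consent

    def push(self, client_id, authorization_details):
        """PAR-style step: store the request, return a one-time reference."""
        for detail in authorization_details:
            if detail.get("type") == "payment_initiation":
                self._consent_for(client_id, detail)
        request_uri = "urn:example:request_uri:" + secrets.token_urlsafe(16)
        self.pushed[request_uri] = (client_id, authorization_details)
        return request_uri

    def authorize(self, request_uri, authenticated_user):
        """Authorization step, run after the AS has authenticated the user."""
        if request_uri not in self.pushed:
            raise ConsentError("unknown_or_used_request_uri")
        client_id, details = self.pushed.pop(request_uri)
        for detail in details:
            if detail.get("type") == "payment_initiation":
                # Re-check: the consent may have been revoked since the push.
                consent = self._consent_for(client_id, detail)
                if consent.user_id != authenticated_user:
                    raise ConsentError("consent_belongs_to_other_user")
        return details


def payment_detail(consent_id):
    """The authorization_details object quoted in the thread, with a chosen id."""
    return {
        "type": "payment_initiation",
        "actions": ["initiate", "status", "cancel"],
        "locations": ["https://example.com/payments"],
        "instructedAmount": {"currency": "EUR", "amount": "123.50"},
        "creditorName": "Merchant123",
        "creditorAccount": {"iban": "DE02100100109307118603"},
        "remittanceInformationUnstructured": "Ref Number Merchant",
        "paymentConsentId": consent_id,
    }


def outcome(fn, *args):
    """Return 'accepted' or the ConsentError reason for one AS call."""
    try:
        fn(*args)
        return "accepted"
    except ConsentError as err:
        return str(err)


if __name__ == "__main__":
    srv = AuthorizationServer()
    cid = srv.record_consent("foopay", "alice")   # constructed client and user
    detail = payment_detail(cid)
    print("foopay pushes:", outcome(srv.push, "foopay", [detail]))
    print("otherpay reuses id:", outcome(srv.push, "otherpay", [detail]))
    srv.revoke_consent(cid)
    print("after revocation:", outcome(srv.push, "foopay", [detail]))
```

The consent is checked again in authorize() because a pushed request can outlive the consent it refers to.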


From nobody Thu Jul  9 10:28:25 2020
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <43899574-72B3-488A-83A6-1CBCF41EEB30@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_459C71B1-6915-4269-B3B7-211C023F8C1C"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Thu, 9 Jul 2020 18:28:16 +0100
In-Reply-To: <888E8738-A5A6-4086-BAB0-418216342A7E@lodderstedt.net>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
References: <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net> <E991259C-46FB-4B32-B87C-205B4507379F@forgerock.com> <888E8738-A5A6-4086-BAB0-418216342A7E@lodderstedt.net>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pyJ-RD4PnFhfF2CBHmqzx9jvQQ0>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

--Apple-Mail=_459C71B1-6915-4269-B3B7-211C023F8C1C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On 9 Jul 2020, at 18:10, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> What in particular should the user consent with in this step?
>>>>>>>>
>>>>>>>> “FooPay would like to:
>>>>>>>> - initiate payments from your account (you will be asked to approve each one)”
>>>>>>>>
>>>>>>>> The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account.
>>>>>>>
>>>>>>> Are we talking about legal consent or a security measures here?
>>>>>>
>>>>>> Normal OAuth consent. My phone is my resource, and I am its resource owner. If a client wants to send payment requests to my phone (e.g. via CIBA backchannel) then it should have to get my permission first. Even without backchannel requests, I’d much rather that only the three clients I’ve explicitly consented to can ask me to initiate payments rather than the hundreds/thousands clients my bank happens to have a relationship with.
>>>>>
>>>>> To me it sounds like you would like to require a client to get user authorization to send an authorization request. Would you require the same if I would use scope values to encode a payment initiation request?
>>>>
>>>> Yes. If something is sufficiently high value to require per-transaction authorization then initiating transactions itself becomes a privileged operation.
>>>
>>> The per transaction authorization alone is a significant increase in security. What is the added value of requiring an authorization to send a per-transaction authorisation request in an additional step?
>>
>> Because Open Banking allows any client at any time to send an asynchronous back channel request to my phone to approve a payment. This is pretty risky.
>
> Can you please explain how you came to that conclusion and how it relates to RAR?

https://openbankinguk.github.io/read-write-api-site3/v3.1.6/profiles/payment-initiation-api-profile.html

Client (PISP) initiates a payment-order consent using a client_credentials access token, then launches a CIBA backchannel authorization request. What prevents this?

This relates to RAR, because RAR also has no protection against this. If you use RAR in combination with a backchannel authorization method then the same issue applies. This is a general issue with backchannel approaches, but it is particularly a risk here because RAR is pitching itself as a way to do payment transactions.

>
> In the simplest of all scenarios the client sends authorization details instead of scope values through the user browser and this way starts the authorization process with the AS.
>
> When RAR is combined with PAR, the client first stores the authorization request including authorization details at the AS in exchange for a reference to this data. It then uses this reference to start the authorization process. This is more secure and robust than sending the data through the browser.
>
> So what is the risk here and why do you think unsolicited backchannel requests are sent to your device?
>
>
>>
>> I can’t think of another transactional auth system that allows this without some kind of initial indication of user consent. For example, in Apple Pay all payment requests must be initiated from an explicit user gesture, providing some indication that the user wants to use this. The Dropbox Chooser and Saver APIs also have to be triggered from a user gesture. Again, this provides some confirmation that the user actually initiated the interaction.
>>
>> In OAuth, the AS doesn’t have this level of integration into the client’s UI so it needs some other way to establish user consent. By the time the user has a payment confirmation request on their screen it’s too late.
>>
>>
>>>>>>> In case of open banking the user legally consents to this process at the client (TPP) even before the OAuth/Payment Initiation dance starts.
>>>>>>
>>>>>> How does the bank (ASPSP) confirm that this actually happened?
>>>>>
>>>>> It does not because it is not the responsibility of the ASPSP. The TPP is obliged by law to obtain consent.
>>>>
>>>> If the TPP can be trusted to obey the law about this, why not also trust them to be honest about transactions? Why enforce one thing with access tokens but take the other on trust? Especially as the actual transactions are more likely to have a rigorous audit trail.
>>>>
>>>> If we could trust clients to obtain consent we wouldn’t need OAuth at all.
>>>
>>> I thought the same initially, but we must distinguish between legal consent and strong authentication/transaction authorization in such a case. Legal consent can be obtained in various ways including the traditional OAuth user consent but also in other places. Authenticating the user (probably with 2FA) and getting authorization for a certain transaction (the meaning of PSD2 SCA) must be conducted by the AS.
>>>
>>
>> Do you mean legal protection for the bank or their users? As a user, if an OB client acts in a way that I don’t like, but doesn’t break any actual laws or policies, what’s my recourse? In normal OAuth I can revoke the grant to that client. This is not possible in transactional uses of RAR, and that seems like a big difference that significantly changes the relationship between users and clients.
>>
>> — Neil


--Apple-Mail=_459C71B1-6915-4269-B3B7-211C023F8C1C--


From nobody Thu Jul  9 10:34:37 2020
Return-Path: <torsten@lodderstedt.net>
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <4D681F6F-D67B-4BBD-99F9-08853F15AF73@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_B98C3CD5-99EA-4FB1-B551-49BD29373D81"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Thu, 9 Jul 2020 19:34:29 +0200
In-Reply-To: <43899574-72B3-488A-83A6-1CBCF41EEB30@forgerock.com>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
To: Neil Madden <neil.madden@forgerock.com>
References: <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net> <E991259C-46FB-4B32-B87C-205B4507379F@forgerock.com> <888E8738-A5A6-4086-BAB0-418216342A7E@lodderstedt.net> <43899574-72B3-488A-83A6-1CBCF41EEB30@forgerock.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IZi-bMMfVv4s8U3Mx88PhKdFBS8>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-List-Received-Date: Thu, 09 Jul 2020 17:34:35 -0000

--Apple-Mail=_B98C3CD5-99EA-4FB1-B551-49BD29373D81
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On 9. Jul 2020, at 19:28, Neil Madden <neil.madden@forgerock.com> wrote:
>
> On 9 Jul 2020, at 18:10, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> What in particular should the user consent with in this step?
>>>>>>>>>
>>>>>>>>> “FooPay would like to:
>>>>>>>>> - initiate payments from your account (you will be asked to approve each one)”
>>>>>>>>>
>>>>>>>>> The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account.
>>>>>>>>
>>>>>>>> Are we talking about legal consent or a security measure here?
>>>>>>>
>>>>>>> Normal OAuth consent. My phone is my resource, and I am its resource owner. If a client wants to send payment requests to my phone (e.g. via CIBA backchannel) then it should have to get my permission first. Even without backchannel requests, I’d much rather that only the three clients I’ve explicitly consented to can ask me to initiate payments rather than the hundreds/thousands of clients my bank happens to have a relationship with.
>>>>>>
>>>>>> To me it sounds like you would like to require a client to get user authorization to send an authorization request. Would you require the same if I would use scope values to encode a payment initiation request?
>>>>>
>>>>> Yes. If something is sufficiently high value to require per-transaction authorization then initiating transactions itself becomes a privileged operation.
>>>>
>>>> The per transaction authorization alone is a significant increase in security. What is the added value of requiring an authorization to send a per-transaction authorisation request in an additional step?
>>>
>>> Because Open Banking allows any client at any time to send an asynchronous back channel request to my phone to approve a payment. This is pretty risky.
>>
>> Can you please explain how you came to that conclusion and how it relates to RAR?
>
> https://openbankinguk.github.io/read-write-api-site3/v3.1.6/profiles/payment-initiation-api-profile.html
>
> Client (PISP) initiates a payment-order consent using a client_credentials access token, then launches a CIBA backchannel authorization request. What prevents this?

The fact that the PISP cannot issue this request without a valid user identifier. The demos I’m remembering use a traditional first authorization flow to establish this identifier.

>
> This relates to RAR, because RAR also has no protection against this. If you use RAR in combination with a backchannel authorization method then the same issue applies. This is a general issue with backchannel approaches,

Exactly! It's a problem with any kind of backchannel initiated _user interaction_.


> but it is particularly a risk here because RAR is pitching itself as a way to do payment transactions.

The problem is the backchannel request, not RAR. RAR is just a more elaborated scope.

>
>>
>> In the simplest of all scenarios the client sends authorization details instead of scope values through the user browser and this way starts the authorization process with the AS.
>>
>> When RAR is combined with PAR, the client first stores the authorization request including authorization details at the AS in exchange for a reference to this data. It then uses this reference to start the authorization process. This is more secure and robust than sending the data through the browser.
>>
>> So what is the risk here and why do you think unsolicited backchannel requests are sent to your device?
>>
>>
>>>
>>> I can’t think of another transactional auth system that allows this without some kind of initial indication of user consent. For example, in Apple Pay all payment requests must be initiated from an explicit user gesture, providing some indication that the user wants to use this. The Dropbox Chooser and Saver APIs also have to be triggered from a user gesture. Again, this provides some confirmation that the user actually initiated the interaction.
>>>
>>> In OAuth, the AS doesn’t have this level of integration into the client’s UI so it needs some other way to establish user consent. By the time the user has a payment confirmation request on their screen it’s too late.
>>>
>>>
>>>>>>>> In case of open banking the user legally consents to this process at the client (TPP) even before the OAuth/Payment Initiation dance starts.
>>>>>>>
>>>>>>> How does the bank (ASPSP) confirm that this actually happened?
>>>>>>
>>>>>> It does not because it is not the responsibility of the ASPSP. The TPP is obliged by law to obtain consent.
>>>>>
>>>>> If the TPP can be trusted to obey the law about this, why not also trust them to be honest about transactions? Why enforce one thing with access tokens but take the other on trust? Especially as the actual transactions are more likely to have a rigorous audit trail.
>>>>>
>>>>> If we could trust clients to obtain consent we wouldn’t need OAuth at all.
>>>>
>>>> I thought the same initially, but we must distinguish between legal consent and strong authentication/transaction authorization in such a case. Legal consent can be obtained in various ways including the traditional OAuth user consent but also in other places. Authenticating the user (probably with 2FA) and getting authorization for a certain transaction (the meaning of PSD2 SCA) must be conducted by the AS.
>>>>
>>>
>>> Do you mean legal protection for the bank or their users? As a user, if an OB client acts in a way that I don’t like, but doesn’t break any actual laws or policies, what’s my recourse? In normal OAuth I can revoke the grant to that client. This is not possible in transactional uses of RAR, and that seems like a big difference that significantly changes the relationship between users and clients.
>>>
>>> — Neil
>


--Apple-Mail=_B98C3CD5-99EA-4FB1-B551-49BD29373D81--
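
The two positions in the exchange above, modelled as an added example that is not part of either message or of any specification text: an AS-side admission check for a CIBA backchannel request carrying RAR `authorization_details`, once with a valid user identifier as the only precondition and once with a prior user grant required. The class, the `payment_request_initiation` permission name, the client ids and the sample user are assumptions constructed for illustration; `login_hint`, `authorization_details`, `auth_req_id`, `unknown_user_id` and `access_denied` are the CIBA/RAR names.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical permission name: granted once by the user in an ordinary
# front-channel flow, it lets a client send per-transaction approval requests.
INITIATE = "payment_request_initiation"

# Constructed sample data.
ALICE = "alice@example.com"
PAYMENT = [{"type": "payment_initiation",
            "instructedAmount": {"currency": "USD", "amount": "500.00"}}]


@dataclass
class AuthorizationServer:
    users: set
    require_prior_grant: bool
    grants: dict = field(default_factory=dict)   # (user, client_id) -> permissions
    prompts: list = field(default_factory=list)  # approval prompts pushed to devices

    def record_grant(self, user, client_id, permission=INITIATE):
        self.grants.setdefault((user, client_id), set()).add(permission)

    def revoke(self, user, client_id):
        self.grants.pop((user, client_id), None)

    def backchannel_request(self, client_id, login_hint, authorization_details):
        """Return a CIBA-style acknowledgement or error for an authenticated client."""
        well_formed = (
            isinstance(authorization_details, list)
            and bool(authorization_details)
            and all(isinstance(d, dict) and isinstance(d.get("type"), str)
                    for d in authorization_details)
        )
        if not well_formed:
            return {"error": "invalid_request"}
        if self.require_prior_grant:
            # Checked before the identifier lookup, so a client without a grant
            # gets the same answer for valid and invalid identifiers.
            if INITIATE not in self.grants.get((login_hint, client_id), set()):
                return {"error": "access_denied"}
        if login_hint not in self.users:
            return {"error": "unknown_user_id"}
        # Only at this point does anything reach the user's device.
        self.prompts.append((login_hint, client_id, authorization_details))
        return {"auth_req_id": secrets.token_urlsafe(16),
                "expires_in": 120, "interval": 5}


def run_scenarios():
    results = {}

    # Position 1: a valid user identifier is the only precondition.
    id_only = AuthorizationServer(users={ALICE}, require_prior_grant=False)
    results["id_only_no_relationship"] = id_only.backchannel_request(
        "unknown-shop", ALICE, PAYMENT)
    results["id_only_prompts"] = len(id_only.prompts)
    results["id_only_bad_user"] = id_only.backchannel_request(
        "unknown-shop", "nobody@example.com", PAYMENT)

    # Position 2: the user must first have granted the client permission to ask.
    gated = AuthorizationServer(users={ALICE}, require_prior_grant=True)
    results["gated_no_relationship"] = gated.backchannel_request(
        "unknown-shop", ALICE, PAYMENT)
    gated.record_grant(ALICE, "foopay")
    results["gated_granted"] = gated.backchannel_request("foopay", ALICE, PAYMENT)
    gated.revoke(ALICE, "foopay")   # the user withdraws the standing permission
    results["gated_after_revoke"] = gated.backchannel_request(
        "foopay", ALICE, PAYMENT)
    results["gated_prompts"] = len(gated.prompts)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```
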


From nobody Thu Jul  9 10:58:23 2020
Return-Path: <neil.madden@forgerock.com>
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Neil Madden <neil.madden@forgerock.com>
In-Reply-To: <4D681F6F-D67B-4BBD-99F9-08853F15AF73@lodderstedt.net>
Date: Thu, 9 Jul 2020 18:58:16 +0100
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8300E578-D565-4650-8DC1-8259735FE96A@forgerock.com>
References: <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net> <E991259C-46FB-4B32-B87C-205B4507379F@forgerock.com> <888E8738-A5A6-4086-BAB0-418216342A7E@lodderstedt.net> <43899574-72B3-488A-83A6-1CBCF41EEB30@forgerock.com> <4D681F6F-D67B-4BBD-99F9-08853F15AF73@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FEJbEAgXcVwehBw490bpNb4ttn0>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-List-Received-Date: Thu, 09 Jul 2020 17:58:22 -0000

> On 9 Jul 2020, at 18:34, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
>> On 9. Jul 2020, at 19:28, Neil Madden <neil.madden@forgerock.com> wrote:
>>
>> On 9 Jul 2020, at 18:10, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> What in particular should the user consent with in this step?
>>>>>>>>>>
>>>>>>>>>> “FooPay would like to:
>>>>>>>>>> - initiate payments from your account (you will be asked to approve each one)”
>>>>>>>>>>
>>>>>>>>>> The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account.
>>>>>>>>>
>>>>>>>>> Are we talking about legal consent or a security measure here?
>>>>>>>>
>>>>>>>> Normal OAuth consent. My phone is my resource, and I am its resource owner. If a client wants to send payment requests to my phone (e.g. via CIBA backchannel) then it should have to get my permission first. Even without backchannel requests, I’d much rather that only the three clients I’ve explicitly consented to can ask me to initiate payments rather than the hundreds/thousands of clients my bank happens to have a relationship with.
>>>>>>>
>>>>>>> To me it sounds like you would like to require a client to get user authorization to send an authorization request. Would you require the same if I would use scope values to encode a payment initiation request?
>>>>>>
>>>>>> Yes. If something is sufficiently high value to require per-transaction authorization then initiating transactions itself becomes a privileged operation.
>>>>>
>>>>> The per transaction authorization alone is a significant increase in security. What is the added value of requiring an authorization to send a per-transaction authorisation request in an additional step?
>>>>
>>>> Because Open Banking allows any client at any time to send an asynchronous back channel request to my phone to approve a payment. This is pretty risky.
>>>
>>> Can you please explain how you came to that conclusion and how it relates to RAR?
>>
>> https://openbankinguk.github.io/read-write-api-site3/v3.1.6/profiles/payment-initiation-api-profile.html
>>
>> Client (PISP) initiates a payment-order consent using a client_credentials access token, then launches a CIBA backchannel authorization request. What prevents this?
>
> The fact that the PISP cannot issue this request without a valid user identifier. The demos I’m remembering use a traditional first authorization flow to establish this identifier.

An identifier is not an access token or credential.

>>
>> This relates to RAR, because RAR also has no protection against this. If you use RAR in combination with a backchannel authorization method then the same issue applies. This is a general issue with backchannel approaches,
>
> Exactly! It's a problem with any kind of backchannel initiated _user interaction_.
>
>
>> but it is particularly a risk here because RAR is pitching itself as a way to do payment transactions.
>
> The problem is the backchannel request, not RAR. RAR is just a more elaborated scope.

I don’t agree. It’s particularly acute with backchannel requests, but it still exists with front channel. If I can redirect your browser to a payment confirmation screen, what percentage of users will click ok? I would guess more than 0. It’s a problem precisely because a one-off interaction is enough to authorize a transaction.

It might be that in OB they accept this risk and mitigate it in other ways, e.g. making it easy to reverse transactions, or through sufficient vetting of clients and big legal consequences. As a UK banking user, that wouldn’t make me very happy but OK. The point is that RAR can’t make payment transactions the primary use-case, emphasised throughout the draft, and then fail to even discuss this issue or make any kind of suggestion as to how to handle it.

— Neil


From nobody Thu Jul  9 12:29:33 2020
Return-Path: <jricher@mit.edu>
From: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D8E4FEFF-7693-470C-B911-6B5F9EBDDA1F"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Message-Id: <0E71D133-A516-4F1C-92CB-36F181B1BA4A@mit.edu>
Date: Thu, 9 Jul 2020 15:29:27 -0400
To: oauth <oauth@ietf.org>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TIIQVBeq-Ahmx5H-mfhG2fI6wUU>
Subject: [OAUTH-WG] OAuth Request JSON Encoding
X-List-Received-Date: Thu, 09 Jul 2020 19:29:31 -0000

--Apple-Mail=_D8E4FEFF-7693-470C-B911-6B5F9EBDDA1F
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

In the ten years since OAuth started, we’ve seen a huge shift away from form encoding to JSON encoding for sending data to a server. And yet, OAuth is stuck with form encoding. So I thought, why can’t we change that?

I put together a quick proposal for how this would work.

https://www.ietf.org/id/draft-richer-oauth-json-request-00.html

The basic idea is that you take the map of form inputs and make it into a JSON object. For some fields, like scope and authorization_details, you can define a JSON-specific encoding to make use of object and array structures native to JSON. You also don’t have to url-encode values inside the JSON strings.

Caveat, I haven’t tried implementing this yet, but I think it’s not likely to be that difficult for either the client or server side of things. At worst it seems like it’d be a pretty simple middleware function. Functionality can be detected at the AS by the content negotiation in HTTP (client sends content-type of JSON), and can be advertised as an option in the metadata (or in an OPTIONS call to the token endpoint, to be more HTTP-friendly).

 — Justin

--Apple-Mail=_D8E4FEFF-7693-470C-B911-6B5F9EBDDA1F--
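
The middleware function described in the message above could look like the following sketch, which is an added example and not code from the post or from draft-richer-oauth-json-request-00. It assumes the JSON encoding carries scope as an array of strings and authorization_details as a native array; the function names, the size limit and the sample requests are constructed for the illustration.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

MAX_BODY = 16 * 1024  # assumed limit; also bounds the work done on nested JSON
# scope-token characters from RFC 6749 section 3.3 (no space, '"' or '\')
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")
STRUCTURED = {"scope", "authorization_details"}


class RequestError(ValueError):
    """The caller turns this into an OAuth invalid_request error response."""


def _unique(pairs):
    # OAuth forbids repeated parameters; JSON parsers silently keep the last
    # duplicate key, so both encodings need the same explicit check.
    out = {}
    for name, value in pairs:
        if name in out:
            raise RequestError(f"duplicate parameter: {name}")
        out[name] = value
    return out


def _parse_json(text):
    try:
        return json.loads(text, object_pairs_hook=_unique)
    except RequestError:
        raise
    except (ValueError, RecursionError) as exc:
        raise RequestError("malformed JSON") from exc


def _from_form(body):
    try:
        pairs = parse_qsl(body.decode("ascii"), keep_blank_values=True,
                          strict_parsing=True)
    except ValueError as exc:  # also covers UnicodeDecodeError
        raise RequestError("malformed form body") from exc
    params = _unique(pairs)
    if "scope" in params:  # form encoding: space-delimited string
        params["scope"] = params["scope"].split(" ")
    if "authorization_details" in params:  # form encoding: JSON inside a string
        params["authorization_details"] = _parse_json(params["authorization_details"])
    return params


def _from_json(body):
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise RequestError("body is not UTF-8") from exc
    obj = _parse_json(text)
    if not isinstance(obj, dict):
        raise RequestError("top-level JSON value must be an object")
    for name, value in obj.items():
        # Everything except the structured fields stays a plain string, so
        # later code never sees an unexpected list, number or object.
        if name not in STRUCTURED and not isinstance(value, str):
            raise RequestError(f"{name} must be a JSON string")
    return obj


def _validate(params):
    scope = params.get("scope")
    if scope is not None and not (
        isinstance(scope, list) and scope
        and all(isinstance(s, str) and SCOPE_TOKEN.fullmatch(s) for s in scope)
    ):
        raise RequestError("scope must be a non-empty list of scope tokens")
    details = params.get("authorization_details")
    if details is not None and not (
        isinstance(details, list)
        and all(isinstance(d, dict) and isinstance(d.get("type"), str) for d in details)
    ):
        raise RequestError("authorization_details must be an array of typed objects")
    return params


def normalize_token_request(content_type, body):
    """Return one parameter dict regardless of which encoding the client used."""
    if len(body) > MAX_BODY:
        raise RequestError("request body too large")
    # Dispatch on the declared media type only; never sniff the body.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        return _validate(_from_json(body))
    if media_type == "application/x-www-form-urlencoded":
        return _validate(_from_form(body))
    raise RequestError("unsupported content type")


def is_rejected(content_type, body):
    try:
        normalize_token_request(content_type, body)
    except RequestError:
        return True
    return False


# Constructed sample: the same request in both encodings.
DETAILS = [{"type": "payment_initiation",
            "instructedAmount": {"currency": "EUR", "amount": "123.50"}}]
SAMPLE_FORM = urlencode({"grant_type": "client_credentials", "scope": "read write",
                         "authorization_details": json.dumps(DETAILS)}).encode("ascii")
SAMPLE_JSON = json.dumps({"grant_type": "client_credentials", "scope": ["read", "write"],
                          "authorization_details": DETAILS}).encode("utf-8")

if __name__ == "__main__":
    print(normalize_token_request("application/json", SAMPLE_JSON))
```

Both encodings normalize to the same dictionary, so the rest of the token endpoint does not need to know which one the client sent.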


From nobody Fri Jul 10 12:21:42 2020
Return-Path: <internet-drafts@ietf.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.7.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: oauth@ietf.org
Message-ID: <159440889524.18992.17060147644363356438@ietfa.amsl.com>
Date: Fri, 10 Jul 2020 12:21:35 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/tTHcq6m16Nzl1Tlswr2kFZKflcs>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-02.txt
X-List-Received-Date: Fri, 10 Jul 2020 19:21:35 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : OAuth 2.0 Pushed Authorization Requests
        Authors         : Torsten Lodderstedt
                          Brian Campbell
                          Nat Sakimura
                          Dave Tonge
                          Filip Skokan
        Filename        : draft-ietf-oauth-par-02.txt
        Pages           : 18
        Date            : 2020-07-10

Abstract:
   This document defines the pushed authorization request endpoint,
   which allows clients to push the payload of an OAuth 2.0
   authorization request to the authorization server via a direct
   request and provides them with a request URI that is used as
   reference to the data in a subsequent authorization request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-par/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-par-02
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par-02

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-02


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



From nobody Fri Jul 10 12:36:54 2020
Return-Path: <bcampbell@pingidentity.com>
MIME-Version: 1.0
References: <159440889543.18992.875170114115905147@ietfa.amsl.com>
In-Reply-To: <159440889543.18992.875170114115905147@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 10 Jul 2020 13:36:20 -0600
Message-ID: <CA+k3eCQzkFo_NPsRp+vb05YyDsuPzQNH-0Ldm26uvwtCRfgvSA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000030b07b05aa1b7647"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vrVPYjHuB7_Uu9f9j-6KakEXAS8>
Subject: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-par-02.txt
X-List-Received-Date: Fri, 10 Jul 2020 19:36:52 -0000

--00000000000030b07b05aa1b7647
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

WG,

A new -02 draft of "OAuth 2.0 Pushed Authorization Requests" has been
published. A summary of the changes, taken from the document history, is
included below for ease of reference.

   -02

   *  Update Resource Indicators reference to the somewhat recently
      published RFC 8707 <https://datatracker.ietf.org/doc/html/rfc8707>

   *  Added metadata in support of pushed authorization requests only
      feature

   *  Update to comply with draft-ietf-oauth-jwsreq-21
      <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-21>,
      which requires "client_id" in the authorization request in
      addition to the "request_uri"

   *  Clarified timing of request validation

   *  Add some guidance/options on the request URI structure

   *  Add the key used in the request object example so that a reader
      could validate or recreate the request object signature

   *  Update to draft-ietf-oauth-jwsreq-25
      <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-25>
      and added note regarding "require_signed_request_object"


---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Fri, Jul 10, 2020 at 1:21 PM
Subject: New Version Notification for draft-ietf-oauth-par-02.txt
To: Filip Skokan <panva.ip@gmail.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, Brian Campbell <bcampbell@pingidentity.com>, Dave Tonge <dave@tonge.org>, Nat Sakimura <nat@sakimura.org>



A new version of I-D, draft-ietf-oauth-par-02.txt
has been successfully submitted by Brian Campbell and posted to the
IETF repository.

Name:           draft-ietf-oauth-par
Revision:       02
Title:          OAuth 2.0 Pushed Authorization Requests
Document date:  2020-07-10
Group:          oauth
Pages:          18
URL:            https://www.ietf.org/internet-drafts/draft-ietf-oauth-par-02.txt
Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-par/
Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-par-02
Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par
Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-02

Abstract:
   This document defines the pushed authorization request endpoint,
   which allows clients to push the payload of an OAuth 2.0
   authorization request to the authorization server via a direct
   request and provides them with a request URI that is used as
   reference to the data in a subsequent authorization request.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


--00000000000030b07b05aa1b7647--


From nobody Sun Jul 12 17:52:11 2020
Return-Path: <fpo@adorsys.de>
MIME-Version: 1.0
References: <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net> <E991259C-46FB-4B32-B87C-205B4507379F@forgerock.com> <888E8738-A5A6-4086-BAB0-418216342A7E@lodderstedt.net> <43899574-72B3-488A-83A6-1CBCF41EEB30@forgerock.com> <4D681F6F-D67B-4BBD-99F9-08853F15AF73@lodderstedt.net> <8300E578-D565-4650-8DC1-8259735FE96A@forgerock.com>
In-Reply-To: <8300E578-D565-4650-8DC1-8259735FE96A@forgerock.com>
From: Francis Pouatcha <fpo@adorsys.de>
Date: Sun, 12 Jul 2020 20:51:54 -0400
Message-ID: <CAOW4vyNji0peKzH+gre3E6b778HfxWJ_18NP457LsPzg34m_xw@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000082fdbe05aa4819db"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/U43TDBZuWhByhAijb9GgTzOfqkg>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-List-Received-Date: Mon, 13 Jul 2020 00:52:10 -0000

--00000000000082fdbe05aa4819db
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Neil,

IMHO the purpose of RAR is to provide a rich substitute for OAuth2 scopes.

The point you are addressing in this thread is nevertheless very pertinent,
even though not directly related to RAR.

Proof of RO (PSU) authorized interaction between the RO and the Client
(TPP) prior to starting a payment authorization request is essential.

The NextGenPSD2 specification addresses the problem with a so-called OAuth2
pre-step option. As this requires two authorization operations (SCA) for
the release of a single payment, banks implementing OAuth2 pre-step fell
under the scrutiny of the EBA (European Banking Association) last June. Now
those banks have the burden of proving to their NCA's (national
market/country authorities) that pre-step is necessary to mitigate the very
problem you are raising in this thread.

Let's settle with:
- RAR as a payload for carrying authorization details
- The decision on whether to protect an authorization transaction with a
preceding RO authorization to do so shall be left to the target OAuth2
profile.

Best regards
/Francis

On Thu, Jul 9, 2020 at 1:58 PM Neil Madden <neil.madden@forgerock.com> wrote:

>
> > On 9 Jul 2020, at 18:34, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> >
> >> On 9. Jul 2020, at 19:28, Neil Madden <neil.madden@forgerock.com> wrote:
> >>
> >> On 9 Jul 2020, at 18:10, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> >>>
> >>>>>>>>>>>
> >>>>>>>>>>> What in particular should the user consent with in this step?
> >>>>>>>>>>
> >>>>>>>>>> “FooPay would like to:
> >>>>>>>>>> - initiate payments from your account (you will be asked to approve each one)”
> >>>>>>>>>>
> >>>>>>>>>> The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account.
> >>>>>>>>>
> >>>>>>>>> Are we talking about legal consent or a security measure here?
> >>>>>>>>
> >>>>>>>> Normal OAuth consent. My phone is my resource, and I am its resource owner. If a client wants to send payment requests to my phone (e.g. via CIBA backchannel) then it should have to get my permission first. Even without backchannel requests, I’d much rather that only the three clients I’ve explicitly consented to can ask me to initiate payments rather than the hundreds/thousands clients my bank happens to have a relationship with.
> >>>>>>>
> >>>>>>> To me it sounds like you would like to require a client to get user authorization to send an authorization request. Would you require the same if I would use scope values to encode a payment initiation request?
> >>>>>>
> >>>>>> Yes. If something is sufficiently high value to require per-transaction authorization then initiating transactions itself becomes a privileged operation.
> >>>>>
> >>>>> The per transaction authorization alone is a significant increase in security. What is the added value of requiring an authorization to send a per-transaction authorisation request in an additional step?
> >>>>
> >>>> Because Open Banking allows any client at any time to send an asynchronous back channel request to my phone to approve a payment. This is pretty risky.
> >>>
> >>> Can you please explain how you came to that conclusion and how it relates to RAR?
> >>
> >> https://openbankinguk.github.io/read-write-api-site3/v3.1.6/profiles/payment-initiation-api-profile.html
> >>
> >> Client (PISP) initiates a payment-order consent using a client_credentials access token, then launches a CIBA backchannel authorization request. What prevents this?
> >
> > The fact that the PISP cannot issue this request without a valid user identifier. The demos I’m remembering use a traditional first authorization flow to establish this identifier.
>
> An identifier is not an access token or credential.
>
> >>
> >> This relates to RAR, because RAR also has no protection against this. If you use RAR in combination with a backchannel authorization method then the same issue applies. This is a general issue with backchannel approaches,
> >
> > Exactly! It's a problem with any kind of backchannel initiated _user interaction_.
> >
> >> but it is particularly a risk here because RAR is pitching itself as a way to do payment transactions.
> >
> > The problem is the backchannel request, not RAR. RAR is just a more elaborated scope.
>
> I don’t agree. It’s particularly acute with backchannel requests, but it still exists with front channel. If I can redirect your browser to a payment confirmation screen, what percentage of users will click ok? I would guess more than 0. It’s a problem precisely because a one-off interaction is enough to authorize a transaction.
>
> It might be that in OB they accept this risk and mitigate it in other ways, e.g. making it easy to reverse transactions, or through sufficient vetting of clients and big legal consequences. As a UK banking user, that wouldn’t make me very happy but OK. The point is that RAR can’t make payment transactions the primary use-case, emphasised throughout the draft, and then fail to even discuss this issue or make any kind of suggestion as how to handle it.
>
> — Neil


--
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/

--00000000000082fdbe05aa4819db--


From nobody Mon Jul 13 01:29:41 2020
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <56A079DA-7237-496F-A9D7-6A7E9F994551@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_8ED9C2D7-D937-4813-8271-5F2B2BCB9450"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Mon, 13 Jul 2020 10:29:35 +0200
In-Reply-To: <8300E578-D565-4650-8DC1-8259735FE96A@forgerock.com>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
To: Neil Madden <neil.madden@forgerock.com>
References: <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net> <E991259C-46FB-4B32-B87C-205B4507379F@forgerock.com> <888E8738-A5A6-4086-BAB0-418216342A7E@lodderstedt.net> <43899574-72B3-488A-83A6-1CBCF41EEB30@forgerock.com> <4D681F6F-D67B-4BBD-99F9-08853F15AF73@lodderstedt.net> <8300E578-D565-4650-8DC1-8259735FE96A@forgerock.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/A0yXP3ZKgpYdGdgRYCPOZ6vR-30>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

--Apple-Mail=_8ED9C2D7-D937-4813-8271-5F2B2BCB9450
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On 9. Jul 2020, at 19:58, Neil Madden <neil.madden@forgerock.com> wrote:
>
> The point is that RAR can’t make payment transactions the primary use-case, emphasised throughout the draft, and then fail to even discuss this issue or make any kind of suggestion as how to handle it.


I’m still trying to understand the issue and your proposed solution. What you are suggesting is an OAuth authorization to subsequently send another more detailed or transactional OAuth authorization.

If your basic assumption is that users just accept a payment confirmation screen, why do you think the additional pre-authorization won’t be accepted straight away?

The way PSD2 uses to secure such transactions is transaction authorization using a dynamic second factor (called strong customer authentication). I assume the rationale is SCA will make users think before they confirm.


--Apple-Mail=_8ED9C2D7-D937-4813-8271-5F2B2BCB9450--
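
Added example, not part of any message in this thread or of the RAR or CIBA drafts: a sketch of the authorization-server check the pre-authorization proposal implies, where a backchannel payment request reaches the user only if that client already holds a standing grant from that user. The class and method names, the `payment_initiation` type value and the sample request are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

PAYMENT_TYPE = "payment_initiation"  # assumed authorization_details type value


@dataclass
class StandingGrant:
    """The RO's long-lived 'this client may ask me to approve payments' consent."""
    expires_at: float
    revoked: bool = False


@dataclass(frozen=True)
class Decision:
    prompt_user: bool              # True: forward the approval prompt to the RO's device
    error: Optional[str] = None    # OAuth error code returned to the client otherwise


class PaymentRequestGate:
    """Hypothetical AS-side check run before any per-transaction prompt is sent."""

    def __init__(self):
        self._grants = {}          # (client_id, user_id) -> StandingGrant
        self.consent_prompts = 0   # standing consents shown to users
        self.payment_prompts = 0   # per-transaction approvals shown to users

    def grant_initiation(self, client_id, user_id, now, ttl):
        """Record the RO's standing consent, obtained in a user-started flow."""
        self.consent_prompts += 1
        self._grants[(client_id, user_id)] = StandingGrant(expires_at=now + ttl)

    def revoke(self, client_id, user_id):
        grant = self._grants.get((client_id, user_id))
        if grant is not None:
            grant.revoked = True

    def request_payment(self, client_id, login_hint, authorization_details, now):
        """Handle a backchannel request; login_hint names the user, it proves nothing."""
        if not any(d.get("type") == PAYMENT_TYPE for d in authorization_details):
            return Decision(False, "invalid_request")
        grant = self._grants.get((client_id, login_hint))
        # Same answer for an unknown user and a missing, revoked or expired grant,
        # so the endpoint does not reveal which user identifiers exist.
        if grant is None or grant.revoked or now >= grant.expires_at:
            return Decision(False, "access_denied")
        self.payment_prompts += 1
        return Decision(True)


# Constructed sample request body (field names are illustrative assumptions).
SAMPLE_DETAILS = [{
    "type": PAYMENT_TYPE,
    "instructedAmount": {"currency": "USD", "amount": "500.00"},
    "creditorName": "Some Account",
}]


def demo():
    gate = PaymentRequestGate()
    results = []
    # A client that merely knows the user's identifier: nothing reaches the phone.
    results.append(gate.request_payment("unknown-pisp", "alice", SAMPLE_DETAILS, now=0))
    # FooPay obtains the standing grant once, then sends three payment requests.
    gate.grant_initiation("foopay", "alice", now=0, ttl=3600)
    for t in (10, 20, 30):
        results.append(gate.request_payment("foopay", "alice", SAMPLE_DETAILS, now=t))
    # After revocation FooPay is in the same position as the unknown client.
    gate.revoke("foopay", "alice")
    results.append(gate.request_payment("foopay", "alice", SAMPLE_DETAILS, now=40))
    return gate, results


if __name__ == "__main__":
    gate, results = demo()
    for r in results:
        print(r)
    print("user interactions:", gate.consent_prompts, "+", gate.payment_prompts)
```
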


From nobody Mon Jul 13 07:16:38 2020
Content-Type: multipart/alternative; boundary=Apple-Mail-85F4A80E-94AD-4116-A96C-C09F3740142B
Content-Transfer-Encoding: 7bit
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 13 Jul 2020 15:16:31 +0100
Message-Id: <9B25F535-038C-4E24-9BF4-4BF954F33A02@forgerock.com>
References: <CAOW4vyNji0peKzH+gre3E6b778HfxWJ_18NP457LsPzg34m_xw@mail.gmail.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
In-Reply-To: <CAOW4vyNji0peKzH+gre3E6b778HfxWJ_18NP457LsPzg34m_xw@mail.gmail.com>
To: Francis Pouatcha <fpo@adorsys.de>
X-Mailer: iPhone Mail (17F80)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Y1SJV7CRo-ui3w8B5u2G8jAoi90>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

--Apple-Mail-85F4A80E-94AD-4116-A96C-C09F3740142B
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable


> On 13 Jul 2020, at 01:52, Francis Pouatcha <fpo@adorsys.de> wrote:
>
> Hi Neil,
>
> IMHO the purpose of RAR is to provide a rich substitute for oAuth2 scopes.
>
> The point you are addressing in this thread is nevertheless very pertinent, even though not directly related to RAR.

I think it is absolutely related.

>
> Proof of RO (PSU) authorized interaction between the RO and the Client (TPP) prior to starting a payment authorization request is essential.
>
> The NextGenPSD2 specification addresses the problem with a so-called oAuth2 pre-step option. As this requires two authorization operations (SCA) for the release of a single payment, banks implementing oAuth2 pre-step fell under the scrutiny of the EBA (European Banking Association) last June. Now those banks have the burden of proving to their NCA's (national market/country authorities) that pre-step is necessary to mitigate the very problem you are raising in this thread.

I’m not sure this is the same issue I’m raising in this thread. In particular, what I’m suggesting would *not* need two authorization requests per payment. What I am suggesting is that there is one long-lived authorization between the RO and a client and then individual authorizations of each transaction: 1 + N not 2N.

>
> Let's settle with:
> - RAR as a payload for carrying authorization details
> - The decision on whether to protect an authorization transaction with a preceding RO authorization to do so shall be left to the target oAuth2 profile.
>=20
>> On Thu, Jul 9, 2020 at 1:58 PM Neil Madden <neil.madden@forgerock.com> wr=
ote:
>>=20
>> > On 9 Jul 2020, at 18:34, Torsten Lodderstedt <torsten@lodderstedt.net> w=
rote:
>> >=20
>> >> On 9. Jul 2020, at 19:28, Neil Madden <neil.madden@forgerock.com> wrot=
e:
>> >>=20
>> >> On 9 Jul 2020, at 18:10, Torsten Lodderstedt <torsten@lodderstedt.net>=
 wrote:
>> >>>=20
>> >>>>>>>>>>>=20
>> >>>>>>>>>>>=20
>> >>>>>>>>>>> What in particular should the use consent with in this step?
>> >>>>>>>>>>=20
>> >>>>>>>>>> =E2=80=9CFooPay would like to:
>> >>>>>>>>>> - initiate payments from your account (you will be asked to ap=
prove each one)=E2=80=9D
>> >>>>>>>>>>=20
>> >>>>>>>>>> The point is that a client that I don=E2=80=99t have any kind o=
f relationship with can=E2=80=99t just send me a request to transfer $500 to=
 some account.=20
>> >>>>>>>>>=20
>> >>>>>>>>> Are we talking about legal consent or a security measures here?=

>> >>>>>>>>=20
>> >>>>>>>> Normal OAuth consent. My phone is my resource, and I am its reso=
urce owner. If a client wants to send payment requests to my phone (e.g. via=
 CIBA backchannel) then it should have to get my permission first. Even with=
out backchannel requests, I=E2=80=99d much rather that only the three client=
s I=E2=80=99ve explicitly consented to can ask me to initiate payments rathe=
r than the hundreds/thousands clients my bank happens to have a relationship=
 with.
>> >>>>>>>=20
>> >>>>>>> To me it sounds like you would like to require a client to get user authorization to send an authorization request. Would you require the same if I would use scope values to encode a payment initiation request?
>> >>>>>>
>> >>>>>> Yes. If something is sufficiently high value to require per-transaction authorization then initiating transactions itself becomes a privileged operation.
>> >>>>>
>> >>>>> The per transaction authorization alone is a significant increase in security. What is the added value of requiring an authorization to send a per-transaction authorisation request in an additional step?
>> >>>>
>> >>>> Because Open Banking allows any client at any time to send an asynchronous back channel request to my phone to approve a payment. This is pretty risky.
>> >>>
>> >>> Can you please explain how you came to that conclusion and how it relates to RAR?
>> >>
>> >> https://openbankinguk.github.io/read-write-api-site3/v3.1.6/profiles/payment-initiation-api-profile.html
>> >>
>> >> Client (PISP) initiates a payment-order consent using a client_credentials access token, then launches a CIBA backchannel authorization request. What prevents this?
>> >
>> > The fact that the PISP cannot issue this request without a valid user identifier. The demos I’m remembering use a traditional first authorization flow to establish this identifier.
>>
>> An identifier is not an access token or credential.
>>
>> >>
>> >> This relates to RAR, because RAR also has no protection against this. If you use RAR in combination with a backchannel authorization method then the same issue applies. This is a general issue with backchannel approaches,
>> >
>> > Exactly! It's a problem with any kind of backchannel initiated _user interaction_.
>> >
>> >
>> >> but it is particularly a risk here because RAR is pitching itself as a way to do payment transactions.
>> >
>> > The problem is the backchannel request, not RAR. RAR is just a more elaborated scope.
>>
>> I don’t agree. It’s particularly acute with backchannel requests, but it still exists with front channel. If I can redirect your browser to a payment confirmation screen, what percentage of users will click ok? I would guess more than 0. It’s a problem precisely because a one-off interaction is enough to authorize a transaction.
>>
>> It might be that in OB they accept this risk and mitigate it in other ways, e.g. making it easy to reverse transactions, or through sufficient vetting of clients and big legal consequences. As a UK banking user, that wouldn’t make me very happy but OK. The point is that RAR can’t make payment transactions the primary use-case, emphasised throughout the draft, and then fail to even discuss this issue or make any kind of suggestion as how to handle it.
>>
>> — Neil
>>
>
>
> -- 
> Francis Pouatcha
> Co-Founder and Technical Lead
> adorsys GmbH & Co. KG
> https://adorsys-platform.de/solutions/

--Apple-Mail-85F4A80E-94AD-4116-A96C-C09F3740142B--


From nobody Mon Jul 13 07:33:09 2020
From: Neil Madden <neil.madden@forgerock.com>
Date: Mon, 13 Jul 2020 15:33:02 +0100
Message-Id: <DA1B644C-404B-4A35-AC7E-DBAF8319C7AF@forgerock.com>
References: <56A079DA-7237-496F-A9D7-6A7E9F994551@lodderstedt.net>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
In-Reply-To: <56A079DA-7237-496F-A9D7-6A7E9F994551@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KWYkS2A9i7RZG6wRFkf8LTkMiJU>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

> On 13 Jul 2020, at 09:29, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
>> On 9. Jul 2020, at 19:58, Neil Madden <neil.madden@forgerock.com> wrote:
>>
>> The point is that RAR can’t make payment transactions the primary use-case, emphasised throughout the draft, and then fail to even discuss this issue or make any kind of suggestion as how to handle it.
>
> I’m still trying to understand the issue and your proposed solution. What you are suggesting is an OAuth authorization to subsequently send another more detailed or transactional OAuth authorization.
>
> If your basic assumption is that users just accept a payment confirmation screen, why do you think the additional pre-authorization won’t be accepted straight away?

It’s not about having two authorization screens. It’s about allowing users to manage their relationship with a client just as they can for any other OAuth client. If a normal OAuth client behaves badly I can go and revoke my grant of access to that client. I can’t do that with the transactional uses of RAR because each one is a blank slate.

Having individual transactions tied to an overall grant of authority lets the user control which clients they interact with and which they trust.

To me, this (user consent and control) is a fundamental strength of OAuth and any approach to transactional authorization using OAuth should preserve this.

The other point I was making is that when the transactional authorization occurs over a backchannel then it is much better if the user has previously explicitly authorized that client over a front channel - e.g. when they first installed an app. I’m not suggesting that the AS would send two backchannel authorization requests instead of one.

>
> The way PSD2 uses to secure such transactions is transaction authorization using a dynamic second factor (called strong customer authentication). I assume the rationale is SCA will make users think before they confirm.

I hope so. But given that authN usually occurs before the consent stage, the user may not know what it is they are consenting to before they complete 2FA.

— Neil
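
An added illustration of the model argued for in the message above, not part of the original thread or of any draft: the AS turns a transactional request into a user prompt only when the client already holds a live standing grant that was approved on the front channel, so the user sees 1 + N consents and can cut a client off by revoking the grant. The class, method and client names and the sample payment object are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum
import itertools


class Channel(Enum):
    FRONT = "front"  # browser redirect: the user is present at the client
    BACK = "back"    # CIBA-style request pushed to the user's device


class Decision(Enum):
    PROMPT_USER = "prompt_user"                      # show this transaction for approval
    REQUIRE_STANDING_GRANT = "require_standing_grant"  # ask for the long-lived consent first
    REJECT = "reject"                                # never reaches the user


@dataclass
class StandingGrant:
    grant_id: str
    user: str
    client_id: str
    revoked: bool = False
    transactions: list = field(default_factory=list)


class AuthorizationServer:
    """Hypothetical AS policy layer (assumed names, not a real product API)."""

    def __init__(self):
        self._grants = {}  # (user, client_id) -> StandingGrant
        self._ids = itertools.count(1)

    def approve_standing_grant(self, user, client_id, channel):
        # The long-lived consent ("FooPay would like to initiate payments,
        # you will be asked to approve each one") needs the user present.
        if channel is not Channel.FRONT:
            raise PermissionError("standing grant must be approved on the front channel")
        grant = StandingGrant(f"g{next(self._ids)}", user, client_id)
        self._grants[(user, client_id)] = grant
        return grant

    def revoke(self, user, client_id):
        grant = self._grants.get((user, client_id))
        if grant is not None:
            grant.revoked = True

    def request_transaction(self, user, client_id, channel, details):
        grant = self._grants.get((user, client_id))
        if grant is None or grant.revoked:
            # A user identifier alone is not authority to prompt the user.
            if channel is Channel.BACK:
                return Decision.REJECT
            return Decision.REQUIRE_STANDING_GRANT
        grant.transactions.append(details)  # each transaction hangs off the grant
        return Decision.PROMPT_USER


def run_scenario():
    """Walk through the cases discussed in the thread and return the decisions."""
    server = AuthorizationServer()
    payment = {"type": "payment_initiation", "amount": "500.00"}  # constructed sample
    decisions = []
    # A client with no relationship to the user pushes a payment to the phone.
    decisions.append(server.request_transaction("alice", "unknown-client", Channel.BACK, payment))
    # First use of FooPay in the browser: the standing consent is needed first.
    decisions.append(server.request_transaction("alice", "foopay", Channel.FRONT, payment))
    server.approve_standing_grant("alice", "foopay", Channel.FRONT)
    # Later payments need one approval each, including over the backchannel.
    decisions.append(server.request_transaction("alice", "foopay", Channel.BACK, payment))
    decisions.append(server.request_transaction("alice", "foopay", Channel.BACK, payment))
    # The user revokes FooPay; its backchannel requests stop reaching the device.
    server.revoke("alice", "foopay")
    decisions.append(server.request_transaction("alice", "foopay", Channel.BACK, payment))
    return decisions
```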


From nobody Mon Jul 13 08:21:13 2020
MIME-Version: 1.0
References: <0E71D133-A516-4F1C-92CB-36F181B1BA4A@mit.edu>
In-Reply-To: <0E71D133-A516-4F1C-92CB-36F181B1BA4A@mit.edu>
From: Tom Jones <thomasclinganjones@gmail.com>
Date: Mon, 13 Jul 2020 08:19:55 -0700
Message-ID: <CAK2Cwb4XLL0gWwY8XCSmfe=hGE0G5RFFUf-FQE_DhHR1KYtb_w@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d81e3d05aa5439fc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HuE7vGvOuQYVshQxonRi975Gu28>
Subject: Re: [OAUTH-WG] OAuth Request JSON Encoding

--000000000000d81e3d05aa5439fc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

What, exactly is json encoding? It sounds like a python or java method.
Afaik json can be encoded in utf 8 16 or 32. But form encoding is limited
to ascii or even to base64url. Is that the point? Will GNAP specify one encoding?

thx ..Tom (mobile)

On Thu, Jul 9, 2020, 12:29 PM Justin Richer <jricher@mit.edu> wrote:

> In the ten years since OAuth started, we’ve seen a huge shift away from
> form encoding to JSON encoding for sending data to a server. And yet, OAuth
> is stuck with form encoding. So I thought, why can’t we change that?
>
> I put together a quick proposal for how this would work.
>
> https://www.ietf.org/id/draft-richer-oauth-json-request-00.html
>
> The basic idea is that you take the map of form inputs and make it into a
> JSON object. For some fields, like scope and authorization_details, you can
> define a JSON-specific encoding to make use of object and array structures
> native to JSON. You also don’t have to url-encode values inside the JSON
> strings.
>
> Caveat, I haven’t tried implementing this yet, but I think it’s not likely
> to be that difficult for either the client or server side of things. At
> worst it seems like it’d be a pretty simple middleware function.
> Functionality can be detected at the AS by the content negotiation in HTTP
> (client sends content-type of JSON), and can be advertised as an option in
> the metadata (or in an OPTIONS call to the token endpoint, to be more
> HTTP-friendly).
>
>  — Justin

--000000000000d81e3d05aa5439fc--


From nobody Mon Jul 13 08:33:00 2020
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <CAK2Cwb4XLL0gWwY8XCSmfe=hGE0G5RFFUf-FQE_DhHR1KYtb_w@mail.gmail.com>
Date: Mon, 13 Jul 2020 17:32:51 +0200
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
Message-Id: <C876645D-657C-448E-87CE-9A794549A175@tzi.org>
References: <0E71D133-A516-4F1C-92CB-36F181B1BA4A@mit.edu> <CAK2Cwb4XLL0gWwY8XCSmfe=hGE0G5RFFUf-FQE_DhHR1KYtb_w@mail.gmail.com>
To: Tom Jones <thomasclinganjones@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AZ2ytFK_lsVQZrOJ6lJGz7LWitU>
Subject: Re: [OAUTH-WG] OAuth Request JSON Encoding

On 2020-07-13, at 17:19, Tom Jones <thomasclinganjones@gmail.com> wrote:
>
> What, exactly is json encoding?

JSON is defined in RFC 8259.
The term “encoding” is ambiguous here, it could be used for the encoding of a JSON text (which employs UTF-8) or the representation of an application data model using the JSON generic data model.

> It sounds like a python or java method.

Many languages and platforms support JSON.

> Afaik json can be encoded in utf 8 16 or 32.

Early definitions of JSON said so, even though that practically never happened in interchange.  RFC 8259 supports UTF-8 encoding only.

Grüße, Carsten
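
An added sketch of the middleware described in the quoted proposal, not taken from the draft or from anyone in this thread: it accepts a token request as either form or JSON, picks the parser from the Content-Type, and normalises both to one structure, rejecting duplicate names and non-string values that JSON would otherwise let through. Treating `scope` as an array of strings and `authorization_details` as a native array in the JSON form is an assumption, as are all function names; the JSON body is decoded as UTF-8 only, per RFC 8259.

```python
import json
from urllib.parse import parse_qsl

FORM_TYPE = "application/x-www-form-urlencoded"
JSON_TYPE = "application/json"

# Constructed sample requests carrying the same parameters in both encodings.
FORM_BODY = (b"grant_type=client_credentials&scope=payments%20accounts"
             b"&authorization_details=%5B%7B%22type%22%3A%22payment_initiation%22%7D%5D")
JSON_BODY = (b'{"grant_type":"client_credentials","scope":["payments","accounts"],'
             b'"authorization_details":[{"type":"payment_initiation"}]}')


class BadRequest(ValueError):
    """Anything the AS should answer with an invalid_request error."""


def _unique(pairs):
    # Used for form pairs and as the json object_pairs_hook: a repeated name
    # is rejected instead of silently keeping the first or the last value.
    out = {}
    for name, value in pairs:
        if name in out:
            raise BadRequest(f"duplicate parameter: {name}")
        out[name] = value
    return out


def _load_json(text):
    try:
        return json.loads(text, object_pairs_hook=_unique)
    except json.JSONDecodeError as exc:
        raise BadRequest("malformed JSON") from exc


def _normalise(params, scope, details):
    if not isinstance(scope, list) or not all(isinstance(s, str) for s in scope):
        raise BadRequest("scope must be a list of strings")
    if not isinstance(details, list) or not all(isinstance(d, dict) for d in details):
        raise BadRequest("authorization_details must be an array of objects")
    request = {"scope": scope, "authorization_details": details}
    for name, value in params.items():
        if name in ("scope", "authorization_details"):
            continue
        # Form values are always strings; JSON must not widen that to
        # arrays, numbers or objects for ordinary parameters.
        if not isinstance(value, str):
            raise BadRequest(f"{name} must be a string")
        request[name] = value
    return request


def parse_token_request(content_type, body):
    """Return one normalised dict for either encoding, or raise BadRequest."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == FORM_TYPE:
        try:
            pairs = parse_qsl(body.decode("ascii"), keep_blank_values=True,
                              strict_parsing=True)
        except ValueError as exc:  # non-ASCII bytes or a malformed pair
            raise BadRequest("malformed form body") from exc
        params = _unique(pairs)
        scope = params.get("scope", "").split()  # space-delimited in form encoding
        details = _load_json(params.get("authorization_details", "[]"))
    elif media_type == JSON_TYPE:
        try:
            text = body.decode("utf-8")  # UTF-16/32 bodies fail here
        except UnicodeDecodeError as exc:
            raise BadRequest("JSON body is not UTF-8") from exc
        params = _load_json(text)
        if not isinstance(params, dict):
            raise BadRequest("top-level JSON value must be an object")
        scope = params.get("scope", [])
        details = params.get("authorization_details", [])
    else:
        raise BadRequest(f"unsupported content type: {media_type}")
    return _normalise(params, scope, details)
```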


From nobody Mon Jul 13 08:46:08 2020
MIME-Version: 1.0
References: <CAOW4vyNji0peKzH+gre3E6b778HfxWJ_18NP457LsPzg34m_xw@mail.gmail.com> <9B25F535-038C-4E24-9BF4-4BF954F33A02@forgerock.com>
In-Reply-To: <9B25F535-038C-4E24-9BF4-4BF954F33A02@forgerock.com>
From: Francis Pouatcha <fpo@adorsys.de>
Date: Mon, 13 Jul 2020 11:44:24 -0400
Message-ID: <CAOW4vyNyz2wuZc2E4WpRXnPjapALe6J-4TOtjuRBf171xWnsZw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000055775c05aa54918c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rieFTyLPA3Lg5UIzdg1ET4cl784>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 15:46:06 -0000

--00000000000055775c05aa54918c
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

>
> Proof of RO (PSU) authorized interaction between the RO and the Client
> (TPP) prior to starting a payment authorization request is essential.
>
> The NextGenPSD2 specification addresses the problem with a so-called
> oAuth2 pre-step option. As this requires two authorization operations (SCA)
> for the release of a single payment, banks implementing oAuth2 pre-step
> fell under the scrutiny of the EBA (European Banking Association) last
> June. Now those banks have the burden of proving to their NCA's (national
> market/country authorities) that pre-step is necessary to mitigate the very
> problem you are raising in this thread.
>
>
> I’m not sure this is the same issue I’m raising in this thread. In
> particular, what I’m suggesting would *not* need two authorization requests
> per payment. What I am suggesting is that there is one long-lived
> authorization between the RO and a client and then individual
> authorizations of each transaction: 1 + N not 2N.
>
For the first payment you will need 2 authorizations. This is what I mean
with the pre-step above.

And I understand you want to introduce grant management for the first
durable authorization, so RO can revoke this, correct?

>
>

>
> Let's settle with:
> - RAR as a payload for carrying authorization details
> - The decision on whether to protect an authorization transaction with a
> preceding RO authorization to do so shall be left to the target oAuth2
> profile.
>
>
> On Thu, Jul 9, 2020 at 1:58 PM Neil Madden <neil.madden@forgerock.com>
> wrote:
>
>>
>> > On 9 Jul 2020, at 18:34, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>> >
>> >> On 9. Jul 2020, at 19:28, Neil Madden <neil.madden@forgerock.com> wrote:
>> >>
>> >> On 9 Jul 2020, at 18:10, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>> >>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> What in particular should the user consent with in this step?
>> >>>>>>>>>>
>> >>>>>>>>>> “FooPay would like to:
>> >>>>>>>>>> - initiate payments from your account (you will be asked to
>> >>>>>>>>>> approve each one)”
>> >>>>>>>>>>
>> >>>>>>>>>> The point is that a client that I don’t have any kind of
>> >>>>>>>>>> relationship with can’t just send me a request to transfer $500
>> >>>>>>>>>> to some account.
>> >>>>>>>>>
>> >>>>>>>>> Are we talking about legal consent or a security measure here?
>> >>>>>>>>
>> >>>>>>>> Normal OAuth consent. My phone is my resource, and I am its
>> >>>>>>>> resource owner. If a client wants to send payment requests to my
>> >>>>>>>> phone (e.g. via CIBA backchannel) then it should have to get my
>> >>>>>>>> permission first. Even without backchannel requests, I’d much
>> >>>>>>>> rather that only the three clients I’ve explicitly consented to
>> >>>>>>>> can ask me to initiate payments rather than the
>> >>>>>>>> hundreds/thousands of clients my bank happens to have a
>> >>>>>>>> relationship with.
>> >>>>>>>
>> >>>>>>> To me it sounds like you would like to require a client to get
>> >>>>>>> user authorization to send an authorization request. Would you
>> >>>>>>> require the same if I would use scope values to encode a payment
>> >>>>>>> initiation request?
>> >>>>>>
>> >>>>>> Yes. If something is sufficiently high value to require
>> >>>>>> per-transaction authorization then initiating transactions itself
>> >>>>>> becomes a privileged operation.
>> >>>>>
>> >>>>> The per transaction authorization alone is a significant increase
>> >>>>> in security. What is the added value of requiring an authorization
>> >>>>> to send a per-transaction authorisation request in an additional
>> >>>>> step?
>> >>>>
>> >>>> Because Open Banking allows any client at any time to send an
>> >>>> asynchronous back channel request to my phone to approve a payment.
>> >>>> This is pretty risky.
>> >>>
>> >>> Can you please explain how you came to that conclusion and how it
>> >>> relates to RAR?
>> >>
>> >> https://openbankinguk.github.io/read-write-api-site3/v3.1.6/profiles/payment-initiation-api-profile.html
>> >>
>> >> Client (PISP) initiates a payment-order consent using a
>> >> client_credentials access token, then launches a CIBA backchannel
>> >> authorization request. What prevents this?
>> >
>> > The fact that the PISP cannot issue this request without a valid user
>> > identifier. The demos I’m remembering use a traditional first
>> > authorization flow to establish this identifier.
>>
>> An identifier is not an access token or credential.
>>
>> >>
>> >> This relates to RAR, because RAR also has no protection against this.
>> >> If you use RAR in combination with a backchannel authorization method
>> >> then the same issue applies. This is a general issue with backchannel
>> >> approaches,
>> >
>> > Exactly! It's a problem with any kind of backchannel initiated _user
>> > interaction_.
>> >
>> >
>> >> but it is particularly a risk here because RAR is pitching itself as a
>> >> way to do payment transactions.
>> >
>> > The problem is the backchannel request, not RAR. RAR is just a more
>> > elaborated scope.
>>
>> I don’t agree. It’s particularly acute with backchannel requests, but it
>> still exists with front channel. If I can redirect your browser to a
>> payment confirmation screen, what percentage of users will click ok? I
>> would guess more than 0. It’s a problem precisely because a one-off
>> interaction is enough to authorize a transaction.
>>
>> It might be that in OB they accept this risk and mitigate it in other
>> ways, e.g. making it easy to reverse transactions, or through sufficient
>> vetting of clients and big legal consequences. As a UK banking user, that
>> wouldn’t make me very happy but OK. The point is that RAR can’t make
>> payment transactions the primary use-case, emphasised throughout the draft,
>> and then fail to even discuss this issue or make any kind of suggestion as
>> how to handle it.
>>
>> — Neil
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
> --
> Francis Pouatcha
> Co-Founder and Technical Lead
> adorsys GmbH & Co. KG
> https://adorsys-platform.de/solutions/
>
>

-- 
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/


--00000000000055775c05aa54918c--
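
The "1 + N, not 2N" arrangement argued for in the message above, sketched as an authorization-server admission check that also covers revocation of the standing grant. This is an added example, not code from the RAR draft or from anyone on the thread; `GrantStore`, `admit_backchannel_request`, the `initiate_payments` permission name and the `payment_initiation` type value are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Assumed RAR "type" values treated as high-value transactions in this sketch.
TRANSACTION_TYPES = {"payment_initiation"}
# Hypothetical name for the standing permission the RO grants once, up front.
STANDING_PERMISSION = "initiate_payments"


@dataclass
class GrantStore:
    """Standing grants keyed by (resource owner, client); hypothetical AS store."""
    _grants: dict = field(default_factory=dict)

    def record_consent(self, owner: str, client_id: str, permission: str) -> None:
        self._grants.setdefault((owner, client_id), set()).add(permission)

    def revoke(self, owner: str, client_id: str) -> None:
        # Grant management: the RO withdraws the long-lived authorization.
        self._grants.pop((owner, client_id), None)

    def has(self, owner: str, client_id: str, permission: str) -> bool:
        return permission in self._grants.get((owner, client_id), set())


@dataclass
class Decision:
    prompt_user: bool  # may the AS push an approval prompt to the RO's device?
    reason: str


def admit_backchannel_request(store, client_id, owner, authorization_details):
    """Decide whether a backchannel request may reach the resource owner at all."""
    if not isinstance(authorization_details, list) or not authorization_details:
        return Decision(False, "invalid_authorization_details")
    for entry in authorization_details:
        if not isinstance(entry, dict) or not isinstance(entry.get("type"), str):
            return Decision(False, "invalid_authorization_details")
    needs_standing = any(e["type"] in TRANSACTION_TYPES for e in authorization_details)
    if needs_standing and not store.has(owner, client_id, STANDING_PERMISSION):
        # Rejected before any push: the RO's phone never shows this client's prompt.
        return Decision(False, "no_standing_grant")
    # Admission is not approval: each transaction still needs the RO's consent.
    return Decision(True, "per_transaction_approval_required")


def count_owner_interactions(payments: int) -> int:
    """Run the flow on constructed data and count how often the RO is asked."""
    store = GrantStore()
    owner, client = "alice", "foopay"  # constructed identifiers
    details = [{"type": "payment_initiation", "amount": "500.00", "currency": "USD"}]
    interactions = 0
    # Before any relationship exists the request must not reach the RO.
    if admit_backchannel_request(store, client, owner, details).prompt_user:
        interactions += 1
    # One front-channel consent: "FooPay would like to initiate payments ...".
    store.record_consent(owner, client, STANDING_PERMISSION)
    interactions += 1
    # N transactions, each prompting the RO exactly once.
    for _ in range(payments):
        if admit_backchannel_request(store, client, owner, details).prompt_user:
            interactions += 1
    return interactions
```
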


From nobody Mon Jul 13 08:48:00 2020
Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 847DE3A1380 for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 08:47:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level: 
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HFsM-QkcMjuu for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 08:47:58 -0700 (PDT)
Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E55AC3A13CB for <oauth@ietf.org>; Mon, 13 Jul 2020 08:47:47 -0700 (PDT)
Received: by mail-ej1-x634.google.com with SMTP id l12so17747212ejn.10 for <oauth@ietf.org>; Mon, 13 Jul 2020 08:47:47 -0700 (PDT)
X-Received: by 2002:a17:906:2318:: with SMTP id l24mr355770eja.291.1594655266367;  Mon, 13 Jul 2020 08:47:46 -0700 (PDT)
Received: from [192.168.68.100] (173.c3.airnet.cz. [94.74.199.173]) by smtp.gmail.com with ESMTPSA id dt22sm10410508ejc.104.2020.07.13.08.47.45 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 13 Jul 2020 08:47:45 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-7B3A9592-608A-469B-BFBF-1E2AC73341A6
Content-Transfer-Encoding: 7bit
From: Filip Skokan <panva.ip@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 13 Jul 2020 17:47:44 +0200
Message-Id: <1C36CCB9-5D15-4456-89A8-8F038A689E68@gmail.com>
References: <0E71D133-A516-4F1C-92CB-36F181B1BA4A@mit.edu>
Cc: oauth <oauth@ietf.org>
In-Reply-To: <0E71D133-A516-4F1C-92CB-36F181B1BA4A@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: iPhone Mail (17F80)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HMbYpb7SS63XAve9o60XgIjyIf4>
Subject: Re: [OAUTH-WG] OAuth Request JSON Encoding
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 15:48:00 -0000

--Apple-Mail-7B3A9592-608A-469B-BFBF-1E2AC73341A6
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello Justin,

Your ID changes both how a client sends a request as well as how the, already
a JSON, token response is structured (as far as I can see it changes scope
from a space separated value to an array).

The response morphing will be confusing to clients.

I don’t think there’s much to explore here, apart from authorization_details
param sent to the token endpoint form encoded, I don’t find much unnatural
about the existing OAuth interface.

Filip

Sent from iPhone

> On 9 Jul 2020, at 21:29, Justin Richer <jricher@mit.edu> wrote:
>
>
> In the ten years since OAuth started, we’ve seen a huge shift away from
> form encoding to JSON encoding for sending data to a server. And yet,
> OAuth is stuck with form encoding. So I thought, why can’t we change that?
>
> I put together a quick proposal for how this would work.
>
> https://www.ietf.org/id/draft-richer-oauth-json-request-00.html
>
> The basic idea is that you take the map of form inputs and make it into a
> JSON object. For some fields, like scope and authorization_details, you can
> define a JSON-specific encoding to make use of object and array structures
> native to JSON. You also don’t have to url-encode values inside the JSON
> strings.
>
> Caveat, I haven’t tried implementing this yet, but I think it’s not likely
> to be that difficult for either the client or server side of things. At
> worst it seems like it’d be a pretty simple middleware function.
> Functionality can be detected at the AS by the content negotiation in HTTP
> (client sends content-type of JSON), and can be advertised as an option in
> the metadata (or in an OPTIONS call to the token endpoint, to be more
> HTTP-friendly).
>
>  — Justin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--Apple-Mail-7B3A9592-608A-469B-BFBF-1E2AC73341A6--
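
The "simple middleware function" idea quoted in the message above, sketched for the request side only so that the token response stays as it is today. This is an added example, not code from draft-richer-oauth-json-request or from anyone on the thread; the function names, the native-array encoding of `authorization_details`, and the rejection of duplicate members are assumptions of this sketch, and the sample bodies are constructed.

```python
import json
from urllib.parse import parse_qsl

FORM = "application/x-www-form-urlencoded"
JSON = "application/json"


class RequestError(ValueError):
    """Would map to an OAuth invalid_request error response."""


def _reject_duplicates(pairs):
    # json.loads silently keeps the last duplicate member; a proxy or WAF in
    # front of the AS may read the first. Refuse the ambiguity at every level.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise RequestError(f"duplicate member: {key}")
        seen[key] = value
    return seen


def _from_json(body: bytes) -> dict:
    try:
        obj = json.loads(body.decode("utf-8"), object_pairs_hook=_reject_duplicates)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise RequestError("malformed JSON body") from exc
    if not isinstance(obj, dict):
        raise RequestError("JSON body must be an object")
    params = {}
    for name, value in obj.items():
        if name == "scope" and isinstance(value, list):
            # JSON-specific encoding: array of scope tokens instead of a
            # space-separated string. A space inside a token would smuggle
            # an extra scope once joined, so it is refused.
            ok = value and all(isinstance(s, str) and s and " " not in s for s in value)
            if not ok:
                raise RequestError("scope must be a non-empty array of tokens")
            params[name] = " ".join(value)
        elif name == "authorization_details" and isinstance(value, list):
            # Assumed encoding: native array; re-serialised to the JSON string
            # that existing form-based handling expects.
            params[name] = json.dumps(value, separators=(",", ":"))
        elif isinstance(value, str):
            params[name] = value
        else:
            raise RequestError(f"unsupported value type for {name}")
    return params


def _from_form(body: bytes) -> dict:
    try:
        pairs = parse_qsl(body.decode("ascii"), keep_blank_values=True,
                          strict_parsing=True)
    except ValueError as exc:  # also covers UnicodeDecodeError
        raise RequestError("malformed form body") from exc
    # RFC 6749 forbids repeating a parameter; apply the same rule here.
    return _reject_duplicates(pairs)


def normalize_token_request(content_type: str, body: bytes) -> dict:
    """Return the flat parameter map whichever encoding the client chose."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == JSON:
        return _from_json(body)
    if media_type == FORM:
        return _from_form(body)
    raise RequestError(f"unsupported content type: {media_type}")


# Constructed sample: the same token request in both encodings.
FORM_BODY = b"grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&scope=read+write"
JSON_BODY = (b'{"grant_type":"authorization_code",'
             b'"code":"SplxlOBeZQQYbYS6WxSbIA","scope":["read","write"]}')
```

Both encodings reach the rest of the authorization server as the same parameter map, so one validation path covers them and the JSON route cannot be used to slip past checks written for form input.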


From nobody Mon Jul 13 09:10:42 2020
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7DF43A145D for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 09:10:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.918
X-Spam-Level: 
X-Spam-Status: No, score=-1.918 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1iJuMmfiHMfq for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 09:10:39 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DAB93A1722 for <oauth@ietf.org>; Mon, 13 Jul 2020 09:09:50 -0700 (PDT)
Received: from [192.168.1.7] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 06DG9lR7001973 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 13 Jul 2020 12:09:48 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <7126D3DA-57E4-4381-8F6A-3BC5734E1469@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_06DC6629-5937-4CFA-967E-E3DAF979A840"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Mon, 13 Jul 2020 12:09:47 -0400
In-Reply-To: <1C36CCB9-5D15-4456-89A8-8F038A689E68@gmail.com>
Cc: oauth <oauth@ietf.org>
To: Filip Skokan <panva.ip@gmail.com>
References: <0E71D133-A516-4F1C-92CB-36F181B1BA4A@mit.edu> <1C36CCB9-5D15-4456-89A8-8F038A689E68@gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cEIJ5QZM6AeGvaUKwhgSQLn4mQM>
Subject: Re: [OAUTH-WG] OAuth Request JSON Encoding
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 16:10:41 -0000

--Apple-Mail=_06DC6629-5937-4CFA-967E-E3DAF979A840
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

The intent was to only affect the request, not the response, though I can
see the confusion that would arise in having those be at odds with each
other.

 — Justin

> On Jul 13, 2020, at 11:47 AM, Filip Skokan <panva.ip@gmail.com> wrote:
>
> Hello Justin,
>
> Your ID changes both how a client sends a request as well as how the,
> already a JSON, token response is structured (as far as I can see it
> changes scope from a space separated value to an array).
>
> The response morphing will be confusing to clients.
>
> I don’t think there’s much to explore here, apart from
> authorization_details param sent to the token endpoint form encoded, I
> don’t find much unnatural about the existing OAuth interface.
>
> Filip
>
> Sent from iPhone
>
>> On 9 Jul 2020, at 21:29, Justin Richer <jricher@mit.edu> wrote:
>>
>>
>> In the ten years since OAuth started, we’ve seen a huge shift away from
>> form encoding to JSON encoding for sending data to a server. And yet,
>> OAuth is stuck with form encoding. So I thought, why can’t we change
>> that?
>>
>> I put together a quick proposal for how this would work.
>>
>> https://www.ietf.org/id/draft-richer-oauth-json-request-00.html
>>
>> The basic idea is that you take the map of form inputs and make it into
>> a JSON object. For some fields, like scope and authorization_details,
>> you can define a JSON-specific encoding to make use of object and array
>> structures native to JSON. You also don’t have to url-encode values
>> inside the JSON strings.
>>
>> Caveat, I haven’t tried implementing this yet, but I think it’s not
>> likely to be that difficult for either the client or server side of
>> things. At worst it seems like it’d be a pretty simple middleware
>> function. Functionality can be detected at the AS by the content
>> negotiation in HTTP (client sends content-type of JSON), and can be
>> advertised as an option in the metadata (or in an OPTIONS call to the
>> token endpoint, to be more HTTP-friendly).
>>
>>  — Justin
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth



--Apple-Mail=_06DC6629-5937-4CFA-967E-E3DAF979A840--


From nobody Mon Jul 13 09:10:56 2020
Return-Path: <thomasclinganjones@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1360C3A155A for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 09:10:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IsutjXD4EFZI for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 09:10:48 -0700 (PDT)
Received: from mail-ot1-x332.google.com (mail-ot1-x332.google.com [IPv6:2607:f8b0:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D1953A1461 for <oauth@ietf.org>; Mon, 13 Jul 2020 09:10:43 -0700 (PDT)
Received: by mail-ot1-x332.google.com with SMTP id a21so9897699otq.8 for <oauth@ietf.org>; Mon, 13 Jul 2020 09:10:43 -0700 (PDT)
X-Received: by 2002:a9d:66ca:: with SMTP id t10mr280669otm.358.1594656642442;  Mon, 13 Jul 2020 09:10:42 -0700 (PDT)
MIME-Version: 1.0
References: <0E71D133-A516-4F1C-92CB-36F181B1BA4A@mit.edu> <CAK2Cwb4XLL0gWwY8XCSmfe=hGE0G5RFFUf-FQE_DhHR1KYtb_w@mail.gmail.com> <C876645D-657C-448E-87CE-9A794549A175@tzi.org>
In-Reply-To: <C876645D-657C-448E-87CE-9A794549A175@tzi.org>
From: Tom Jones <thomasclinganjones@gmail.com>
Date: Mon, 13 Jul 2020 09:10:31 -0700
Message-ID: <CAK2Cwb4G4fqXxQ3JCftwVg8Ft+HiAJu5YcJb1N75JtHrGCVucA@mail.gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b6293305aa54eecc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WoeedjpGFs7zRVZrVRfIw3PxArU>
Subject: Re: [OAUTH-WG] OAuth Request JSON Encoding
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
X-List-Received-Date: Mon, 13 Jul 2020 16:10:55 -0000

--000000000000b6293305aa54eecc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

ahh - thx - so that explains why RFC 6749 OAuth 2.0 is ambiguous on the
topic. I suspect that means that GNAP will take a dependency on 8259,
Peace ..tom


On Mon, Jul 13, 2020 at 8:34 AM Carsten Bormann <cabo@tzi.org> wrote:

> On 2020-07-13, at 17:19, Tom Jones <thomasclinganjones@gmail.com> wrote:
> >
> > What, exactly is json encoding?
>
> JSON is defined in RFC 8259.
> The term “encoding” is ambiguous here, it could be used for the encoding
> of a JSON text (which employs UTF-8) or the representation of an
> application data model using the JSON generic data model.
>
> > It sounds like a python or java method.
>
> Many languages and platforms support JSON.
>
> > Afaik json can be encoded in utf 8 16 or 32.
>
> Early definitions of JSON said so, even though that practically never
> happened in interchange.  RFC 8259 supports UTF-8 encoding only.
>
> Grüße, Carsten
>
>


--000000000000b6293305aa54eecc--


From nobody Mon Jul 13 10:01:15 2020
Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C8CC3A163E for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 10:01:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level: 
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8sz22eGPzCkV for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 10:01:07 -0700 (PDT)
Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C27C73A1671 for <oauth@ietf.org>; Mon, 13 Jul 2020 10:00:58 -0700 (PDT)
Received: by mail-ej1-x62c.google.com with SMTP id w6so18036401ejq.6 for <oauth@ietf.org>; Mon, 13 Jul 2020 10:00:58 -0700 (PDT)
X-Received: by 2002:a17:906:375a:: with SMTP id e26mr686824ejc.324.1594659657174;  Mon, 13 Jul 2020 10:00:57 -0700 (PDT)
Received: from [192.168.68.100] (173.c3.airnet.cz. [94.74.199.173]) by smtp.gmail.com with ESMTPSA id sd15sm10156049ejb.66.2020.07.13.10.00.56 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 13 Jul 2020 10:00:56 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-4516EF2F-6D75-4615-8D0A-CCFB15F459C1
Content-Transfer-Encoding: 7bit
From: Filip Skokan <panva.ip@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 13 Jul 2020 19:00:55 +0200
Message-Id: <795E9946-C272-4B09-9078-018AA6EEDE44@gmail.com>
References: <7126D3DA-57E4-4381-8F6A-3BC5734E1469@mit.edu>
Cc: oauth <oauth@ietf.org>
In-Reply-To: <7126D3DA-57E4-4381-8F6A-3BC5734E1469@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: iPhone Mail (17F80)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IeWZpFi43AfcFCvtdH5OR5EmLcg>
Subject: Re: [OAUTH-WG] OAuth Request JSON Encoding
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
X-List-Received-Date: Mon, 13 Jul 2020 17:01:14 -0000

--Apple-Mail-4516EF2F-6D75-4615-8D0A-CCFB15F459C1
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

Apologies Justin, I read it in a rush.

But, even more so after your clarification, if the ID means responses are unmodified it’s just confusing - as you say - at odds with each other, since I’d send in scope as array and get it back as a string from the token response.

Sent from iPhone

> 13. 7. 2020 at 18:09, Justin Richer <jricher@mit.edu>:
>
> The intent was to only affect the request, not the response, though I can see the confusion that would arise in having those be at odds with each other.
>
>  — Justin
>
>>> On Jul 13, 2020, at 11:47 AM, Filip Skokan <panva.ip@gmail.com> wrote:
>>>
>>> Hello Justin,
>>>
>>> Your ID changes both how a client sends a request as well as how the, already a json, token response is structured (as far as I can see it changes scope from a space separated value to an array).
>>>
>>> The response morphing will be confusing to clients.
>>>
>>> I don’t think there’s much to explore here, apart from authorization_details param sent to the token endpoint form encoded I don’t find much unnatural about the existing oauth interface.
>>>
>>> Filip
>>>
>>> Sent from iPhone
>>>
>>> 9. 7. 2020 at 21:29, Justin Richer <jricher@mit.edu>:
>>>
>>>
>>> In the ten years since OAuth started, we’ve seen a huge shift away from form encoding to JSON encoding for sending data to a server. And yet, OAuth is stuck with form encoding. So I thought, why can’t we change that?
>>>
>>> I put together a quick proposal for how this would work.
>>>
>>> https://www.ietf.org/id/draft-richer-oauth-json-request-00.html
>>>
>>> The basic idea is that you take the map of form inputs and make it into a JSON object. For some fields, like scope and authorization_details, you can define a JSON-specific encoding to make use of object and array structures native to JSON. You also don’t have to url-encode values inside the JSON strings.
>>>
>>> Caveat, I haven’t tried implementing this yet, but I think it’s not likely to be that difficult for either the client or server side of things. At worst it seems like it’d be a pretty simple middleware function. Functionality can be detected at the AS by the content negotiation in HTTP (client sends content-type of JSON), and can be advertised as an option in the metadata (or in an OPTIONS call to the token endpoint, to be more HTTP-friendly).
>>>
>>>  — Justin
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>

--Apple-Mail-4516EF2F-6D75-4615-8D0A-CCFB15F459C1--
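
An added example, not code from the draft or from anyone in this thread: the "simple middleware function" from the proposal above, written so that a form-encoded and a JSON-encoded token request reduce to one canonical parameter map, while the token response still carries `scope` as a space-separated string (the asymmetry raised in the replies). It assumes the JSON form sends `scope` as an array of strings and `authorization_details` as an array of objects, as the thread describes; the function names are hypothetical, and refusing repeated parameters, non-string values and non-UTF-8 bodies is this example's own hardening choice.

```python
import json
import re
from urllib.parse import parse_qsl

# scope-token alphabet from RFC 6749 section 3.3: printable ASCII
# without space, double quote and backslash.
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


class RequestError(ValueError):
    """Anything the AS should answer with an invalid_request error."""


def _unique(pairs):
    """Build a dict from (name, value) pairs, refusing repeated names."""
    out = {}
    for name, value in pairs:
        if name in out:
            raise RequestError(f"parameter repeated: {name}")
        out[name] = value
    return out


def _load_json(text):
    try:
        # The hook runs for every object, so nested duplicates are refused too.
        return json.loads(text, object_pairs_hook=_unique)
    except json.JSONDecodeError as exc:
        raise RequestError("malformed JSON") from exc


def parse_token_request(content_type, body):
    """Return one canonical parameter map for either wire encoding."""
    try:
        text = body.decode("utf-8")  # strict: RFC 8259 JSON is UTF-8 only
    except UnicodeDecodeError as exc:
        raise RequestError("body is not UTF-8") from exc

    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        try:
            pairs = parse_qsl(text, keep_blank_values=True,
                              strict_parsing=True, errors="strict")
        except ValueError as exc:
            raise RequestError("malformed form body") from exc
        params = _unique(pairs)
        # Form encoding: scope is one space-separated string, and
        # authorization_details is JSON text carried inside the parameter.
        if "scope" in params:
            params["scope"] = params["scope"].split(" ")
        if "authorization_details" in params:
            params["authorization_details"] = _load_json(
                params["authorization_details"])
    elif media_type == "application/json":
        params = _load_json(text)
        if not isinstance(params, dict):
            raise RequestError("JSON body must be an object")
    else:
        raise RequestError(f"unsupported content type: {media_type}")

    for name, value in params.items():
        if name == "scope":
            # An element such as "read admin" would turn into two scopes once
            # joined for the response, so every element must be a single token.
            if not isinstance(value, list) or not all(
                    isinstance(t, str) and SCOPE_TOKEN.fullmatch(t)
                    for t in value):
                raise RequestError("scope must be a list of scope tokens")
        elif name == "authorization_details":
            if not isinstance(value, list) or not all(
                    isinstance(d, dict) for d in value):
                raise RequestError(
                    "authorization_details must be an array of objects")
        elif not isinstance(value, str):
            raise RequestError(f"{name} must be a string")
    return params


def response_scope(scopes):
    """RFC 6749 token responses carry scope as one space-separated string."""
    return " ".join(scopes)


if __name__ == "__main__":
    # Constructed sample requests (not taken from the draft).
    form = b"grant_type=authorization_code&code=abc123&scope=read+write"
    as_json = (b'{"grant_type":"authorization_code","code":"abc123",'
               b'"scope":["read","write"]}')
    a = parse_token_request("application/x-www-form-urlencoded", form)
    b = parse_token_request("application/json", as_json)
    print(a == b, response_scope(b["scope"]))
```
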


From nobody Mon Jul 13 10:18:42 2020
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5AB93A13D2 for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 10:18:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id esQeYNbn2ihM for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 10:18:38 -0700 (PDT)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 972D33A15C5 for <oauth@ietf.org>; Mon, 13 Jul 2020 10:18:06 -0700 (PDT)
Received: by mail-wr1-x42e.google.com with SMTP id f2so17351092wrp.7 for <oauth@ietf.org>; Mon, 13 Jul 2020 10:18:06 -0700 (PDT)
X-Received: by 2002:a5d:6803:: with SMTP id w3mr424861wru.200.1594660684655; Mon, 13 Jul 2020 10:18:04 -0700 (PDT)
Received: from [10.0.0.2] (128.211.93.209.dyn.plus.net. [209.93.211.128]) by smtp.gmail.com with ESMTPSA id j15sm24258878wrx.69.2020.07.13.10.18.03 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Jul 2020 10:18:04 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <352B8C03-6C99-44D4-B253-5D694DE5917E@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5AC971D4-FCEE-4CDB-A15A-C790FC839A00"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Mon, 13 Jul 2020 18:18:03 +0100
In-Reply-To: <CAOW4vyNyz2wuZc2E4WpRXnPjapALe6J-4TOtjuRBf171xWnsZw@mail.gmail.com>
Cc: oauth <oauth@ietf.org>, Torsten Lodderstedt <torsten@lodderstedt.net>
To: Francis Pouatcha <fpo@adorsys.de>
References: <CAOW4vyNji0peKzH+gre3E6b778HfxWJ_18NP457LsPzg34m_xw@mail.gmail.com> <9B25F535-038C-4E24-9BF4-4BF954F33A02@forgerock.com> <CAOW4vyNyz2wuZc2E4WpRXnPjapALe6J-4TOtjuRBf171xWnsZw@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6cqWt_NsdwbB064EwLgTcsLHi-U>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
X-List-Received-Date: Mon, 13 Jul 2020 17:18:40 -0000

--Apple-Mail=_5AC971D4-FCEE-4CDB-A15A-C790FC839A00
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On 13 Jul 2020, at 16:44, Francis Pouatcha <fpo@adorsys.de> wrote:
>
>>
>>
>> Proof of RO (PSU) authorized interaction between the RO and the Client (TPP) prior to starting a payment authorization request is essential.
>>
>> The NextGenPSD2 specification addresses the problem with a so-called oAuth2 pre-step option. As this requires two authorization operations (SCA) for the release of a single payment, banks implementing oAuth2 pre-step fell under the scrutiny of the EBA (European Banking Association) last June. Now those banks have the burden of proving to their NCA's (national market/country authorities) that pre-step is necessary to mitigate the very problem you are raising in this thread.
>
> I’m not sure this is the same issue I’m raising in this thread. In particular, what I’m suggesting would *not* need two authorization requests per payment. What I am suggesting is that there is one long-lived authorization between the RO and a client and then individual authorizations of each transaction: 1 + N not 2N.
> For the first payment you will need 2 authorizations. This is what I mean with the pre-step above.

Well it’s still only 1 authorization for the actual payment. The first authorization is the permission to initiate subsequent payment authorizations. I would imagine that most forms of fine-grained or transactional authorization will be used alongside more traditional forms of OAuth authorization, so this would be pretty natural in practice. For example, on first launch of an app you might get a consent screen like:

FooPay would like to:
 - List your accounts
 - View your account balance
 - Initiate payments from your account (you’ll be asked to approve each one)

>
> And I understand you want to introduce grant management for the first durable authorization, so RO can revoke this correct?


This is a pretty standard feature of AS software, so I’d opt for “preserve” rather than “introduce”.

— Neil

--Apple-Mail=_5AC971D4-FCEE-4CDB-A15A-C790FC839A00
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D"">On =
13 Jul 2020, at 16:44, Francis Pouatcha &lt;<a =
href=3D"mailto:fpo@adorsys.de" class=3D"">fpo@adorsys.de</a>&gt; =
wrote:<br class=3D""><div><blockquote type=3D"cite" class=3D""><br =
class=3D"Apple-interchange-newline"><div class=3D""><div =
class=3D"gmail_quote" style=3D"caret-color: rgb(0, 0, 0); font-family: =
HelveticaNeue; font-size: 14px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;"><blockquote class=3D"gmail_quote" style=3D"margin: 0px 0px 0px =
0.8ex; border-left-width: 1px; border-left-style: solid; =
border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div =
dir=3D"auto" class=3D""><blockquote type=3D"cite" class=3D""><div =
dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div class=3D""><br =
class=3D"Apple-interchange-newline"><br class=3D""></div><div =
class=3D"">Proof&nbsp;of RO (PSU) authorized interaction between the RO =
and the Client (TPP) prior to starting an payment authorization request =
is essential.</div><div class=3D""><br class=3D""></div><div =
class=3D"">The NextGenPSD2 specification addresses the problem =
with&nbsp;a so-called oAuth2 pre-step option. As this requires two =
authorization operations (SCA) for the release of a single payment, =
banks implementing oAuth2 pre-step fell under the scrutiny of the EBA =
(European Banking Association) last June. Now those banks have the =
burden of proving to their NCA's (national market/country authorities) =
that pre-step is necessary to mitigate the very problem you are raising =
in this thread.</div></div></div></blockquote><div class=3D""><br =
class=3D""></div><div class=3D"">I=E2=80=99m not sure this is the same =
issue I=E2=80=99m raising in this thread. In particular, what I=E2=80=99m =
suggesting would *not* need two authorization requests per payment. What =
I am suggesting is that there is one long-lived authorization between =
the RO and a client and then individual authorizations of each =
transaction: 1 + N not 2N.&nbsp;</div></div></blockquote><div =
class=3D"">For the first payment you will need 2 authorizations. This is =
what I mean with the pre-step =
above.</div></div></div></blockquote><div><br class=3D""></div><div>Well =
it=E2=80=99s still only 1 authorization for the actual payment. The =
first authorization is the permission to initiate subsequent payment =
authorizations. I would imagine that most forms of fine-grained or =
transactional authorization will be used alongside more traditional =
forms of OAuth authorization, so this would be pretty natural in =
practice. For example, on first launch of an app you might get a consent =
screen like:</div><div><br class=3D""></div><div>FooPay would like =
to:</div><div>&nbsp;- List your accounts</div><div>&nbsp;- View your =
account balance</div><div>&nbsp;- Initiate payments from your account =
(you=E2=80=99ll be asked to approve each one)</div><div><br =
class=3D""></div><blockquote type=3D"cite" class=3D""><div =
class=3D"gmail_quote" style=3D"caret-color: rgb(0, 0, 0); font-family: =
HelveticaNeue; font-size: 14px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;"><div class=3D""><br class=3D""></div><div class=3D"">And I =
understand you want to introduce grant management for the first durable =
authorization, so RO can revoke this =
correct?</div></div></blockquote></div><div><br class=3D""></div><div>This=
 is a pretty standard feature of AS software, so I=E2=80=99d opt for =
=E2=80=9Cpreserve=E2=80=9D rather than =E2=80=9Cintroduce=E2=80=9D.</div><=
div><br class=3D""></div><div>=E2=80=94 Neil</div></body></html>=

--Apple-Mail=_5AC971D4-FCEE-4CDB-A15A-C790FC839A00--


From nobody Mon Jul 13 12:18:45 2020
From: Justin Richer <jricher@mit.edu>
Message-Id: <79824BAE-CA43-48FD-BE0A-2CAECA3E073B@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_64B3B101-CC1D-43AA-879D-8F49E4C7056A"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Mon, 13 Jul 2020 15:18:35 -0400
In-Reply-To: <795E9946-C272-4B09-9078-018AA6EEDE44@gmail.com>
Cc: oauth <oauth@ietf.org>
To: Filip Skokan <panva.ip@gmail.com>
References: <7126D3DA-57E4-4381-8F6A-3BC5734E1469@mit.edu> <795E9946-C272-4B09-9078-018AA6EEDE44@gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/R2MIk5izOVR5ICszDJyjg-4SkbA>
Subject: Re: [OAUTH-WG] OAuth Request JSON Encoding

--Apple-Mail=_64B3B101-CC1D-43AA-879D-8F49E4C7056A
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

It’s all good, I wrote it relatively quickly and I haven’t actually
built it out. The idea struck me this week, as I was working on
something for a client, that it would be a fairly simple translation
from the map structure of form encoding to a JSON-based map structure
for the same key-value pairs, and you could skip all the form encoding
for the values and occasionally make use of a more native encoding
method for some values like scope.

For aligning request and response, it could say that there’s an
alternate response encoding as well but only if the client uses this
request format. That’s a lot for the AS to track, but it would let
clients speak only one dialect natively. It might be squirrely but then
again it might just make sense for the AS to track it all.

Ultimately it’s a back-patch because all OAuth values are going to have
to define form encodings and an extension couldn’t take full advantage
of this unless it was written to be JSON-only, which would be a bit
weird and limiting. For example, I didn’t look at applying it to PAR
because the PAR values are defined in terms of query parameters
already, and are therefore beholden to those rules and not the token
endpoint rules. It might work there, too, but probably not even as
smoothly as this!

I appreciate the read through and the comments! I’d be curious if
there’s any energy in the group to pick it up.

 — Justin

> On Jul 13, 2020, at 1:00 PM, Filip Skokan <panva.ip@gmail.com> wrote:
>
> Apologies Justin, I read it in a rush.
>
> But, even more so after your clarification, if the ID means responses
> are unmodified it’s just confusing - as you say - at odds with each
> other, since I’d send in scope as array and get it back as a string
> from the token response.
>
> Sent from iPhone
>
>> 13. 7. 2020 at 18:09, Justin Richer <jricher@mit.edu>:
>>
>> The intent was to only affect the request, not the response, though I
>> can see the confusion that would arise in having those be at odds
>> with each other.
>>
>>  — Justin
>>
>>> On Jul 13, 2020, at 11:47 AM, Filip Skokan <panva.ip@gmail.com> wrote:
>>>
>>> Hello Justin,
>>>
>>> Your ID changes both how a client sends a request as well as how
>>> the, already a json, token response is structured (as far as I can
>>> see it changes scope from a space separated value to an array).
>>>
>>> The response morphing will be confusing to clients.
>>>
>>> I don’t think there’s much to explore here, apart from
>>> authorization_details param sent to the token endpoint form encoded
>>> I don’t find much unnatural about the existing oauth interface.
>>>
>>> Filip
>>>
>>> Sent from iPhone
>>>
>>>> 9. 7. 2020 at 21:29, Justin Richer <jricher@mit.edu>:
>>>>
>>>> In the ten years since OAuth started, we’ve seen a huge shift away
>>>> from form encoding to JSON encoding for sending data to a server.
>>>> And yet, OAuth is stuck with form encoding. So I thought, why can’t
>>>> we change that?
>>>>
>>>> I put together a quick proposal for how this would work.
>>>>
>>>> https://www.ietf.org/id/draft-richer-oauth-json-request-00.html
>>>>
>>>> The basic idea is that you take the map of form inputs and make it
>>>> into a JSON object. For some fields, like scope and
>>>> authorization_details, you can define a JSON-specific encoding to
>>>> make use of object and array structures native to JSON. You also
>>>> don’t have to url-encode values inside the JSON strings.
>>>>
>>>> Caveat, I haven’t tried implementing this yet, but I think it’s not
>>>> likely to be that difficult for either the client or server side of
>>>> things. At worst it seems like it’d be a pretty simple middleware
>>>> function. Functionality can be detected at the AS by the content
>>>> negotiation in HTTP (client sends content-type of JSON), and can be
>>>> advertised as an option in the metadata (or in an OPTIONS call to
>>>> the token endpoint, to be more HTTP-friendly).
>>>>
>>>>  — Justin
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>



--Apple-Mail=_64B3B101-CC1D-43AA-879D-8F49E4C7056A--
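
Added example (not part of the message above and not code from draft-richer-oauth-json-request-00): one way an AS-side middleware could accept the JSON request encoding discussed in this thread and reduce it to the same parameter map a form-encoded token request produces. The function names, the sample requests, and the choice to reject duplicate keys and non-string values are assumptions of this sketch.

```python
import json
import re
from urllib.parse import parse_qsl

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


class RequestError(ValueError):
    """Would be reported to the client as an OAuth invalid_request error."""


def _no_duplicate_keys(pairs):
    # json.loads silently keeps the last value of a repeated key. Rejecting
    # repeats means no two components can disagree on which value "won".
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise RequestError(f"duplicate parameter: {key}")
        seen[key] = value
    return seen


def _scope_to_string(value):
    # Form encoding: one space-delimited string. JSON encoding (assumed): array.
    if isinstance(value, str):
        tokens = value.split(" ")
    elif isinstance(value, list):
        tokens = value
    else:
        raise RequestError("scope must be a string or an array of strings")
    for token in tokens:
        if not isinstance(token, str) or not SCOPE_TOKEN.fullmatch(token):
            raise RequestError("malformed scope token")
    return " ".join(tokens)


def _authorization_details(value):
    # Form encoding carries this parameter as a JSON string; JSON carries it natively.
    if isinstance(value, str):
        try:
            value = json.loads(value, object_pairs_hook=_no_duplicate_keys)
        except json.JSONDecodeError as exc:
            raise RequestError("authorization_details is not valid JSON") from exc
    if not isinstance(value, list) or not all(isinstance(i, dict) for i in value):
        raise RequestError("authorization_details must be an array of objects")
    return value


def normalize_token_request(content_type, body):
    """Return one canonical parameter map for either request encoding."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        try:
            params = json.loads(body.decode("utf-8"),
                                object_pairs_hook=_no_duplicate_keys)
        except (UnicodeDecodeError, json.JSONDecodeError) as exc:
            raise RequestError("body is not valid JSON") from exc
        if not isinstance(params, dict):
            raise RequestError("JSON request must be an object")
    elif media_type == "application/x-www-form-urlencoded":
        try:
            pairs = parse_qsl(body.decode("ascii"), keep_blank_values=True,
                              strict_parsing=True)
        except (UnicodeDecodeError, ValueError) as exc:
            raise RequestError("malformed form body") from exc
        params = _no_duplicate_keys(pairs)
    else:
        raise RequestError("unsupported content type")

    canonical = {}
    for name, value in params.items():
        if name == "scope":
            canonical[name] = _scope_to_string(value)
        elif name == "authorization_details":
            canonical[name] = _authorization_details(value)
        elif isinstance(value, str):
            canonical[name] = value
        else:
            # Numbers, booleans, null or nested objects would reach code that
            # was written for form strings only.
            raise RequestError(f"{name} must be a string")
    return canonical


# Constructed samples: the same client_credentials request in both encodings.
FORM_BODY = b"grant_type=client_credentials&scope=accounts%3Aread+payments"
JSON_BODY = (b'{"grant_type": "client_credentials", '
             b'"scope": ["accounts:read", "payments"]}')
# Constructed malformed input: a repeated key that JSON parsers resolve differently.
DUPLICATE_BODY = (b'{"grant_type": "client_credentials", '
                  b'"scope": ["payments"], "scope": ["admin"]}')

if __name__ == "__main__":
    print(normalize_token_request("application/x-www-form-urlencoded", FORM_BODY))
    print(normalize_token_request("application/json; charset=utf-8", JSON_BODY))
```

Because the canonical scope stays the space-delimited string of RFC 6749, the token response keeps its existing shape whichever request encoding the client used, which is the request/response mismatch raised in the quoted replies.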


From ag@broadcom.com  Mon Jul 13 13:28:41 2020
From: Amarendra Godbole <ag@broadcom.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C328C8AF-3E1F-4367-A08A-EB752DED6263"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.4\))
Message-Id: <7619889F-6A75-4179-B4A8-DEAAC359E5EB@broadcom.com>
Date: Mon, 13 Jul 2020 13:28:36 -0700
To: oauth@ietf.org
X-Mailer: Apple Mail (2.3601.0.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9ACM2NK_yS2f-rn3-nrqPMP9Ul4>
Subject: [OAUTH-WG] Rotating client secret

--Apple-Mail=_C328C8AF-3E1F-4367-A08A-EB752DED6263
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

Hi All,

First post to the list, and hopefully I am articulate enough to
describe the problem I am facing — did OAuth ever consider an ability
to dynamically rotate client secret (part of the “client credentials”
authorization grant)? I stumbled across rfc7591 (OAuth 2.0 Dynamic
Client Registration Protocol), but the OAuth 2.0 implementation I am
looking at [1], does not support it. I also found some previous
reference to client secret rotation [2], but it does not discuss my use
case.

We operate a SaaS application A, which is supposed to talk with another
SaaS application B. Our customers subscribe to both, our application A
as well as application B. However, the teams administering A and B are
separate teams within the same organization, though we cannot assume
the level of trust between them. Let’s call them Tenant Admin A and
Tenant Admin B. In our use case, application A is the client for
application B, and application B provides OAuth 2.0 authorization
workflows. Now, Tenant Admin A has to provision the “client
credentials” authorization grant — in order to do that, Tenant Admin B
generates the client_id and client_secret, and sends them to Tenant
Admin B. There is the problem — as I earlier stated, we cannot assume
the level of trust between Tenant Admin A and Tenant Admin B, and
exchanging client_id and client_secret now means the circle of trust
for application B includes individuals who may or may not be trusted.

One thought that occurred to me was a provision in OAuth 2.0’s client
credentials grant flow was the ability to “bootstrap” a client
application — basically the client_secret is
one-time-use-and-timebound-only, and allows the client to exchange it
for a different client_secret. In our case, this can be handled by the
SaaS application backend, thus making sure the Tenant Admin A no longer
has access to it once they provision the client. This can be
generalized, such that the authZ server can periodically trigger
client_secret rotation, and won’t require manual intervention [3]. As I
stated earlier, rfc7591 talks about this, but in the context of dynamic
registration.

Having the client secret rotation a part of the protocol exchange
messages, maybe a bootstrap, would be the ideal solution for our use
case.

Or the bigger question: Did I misinterpret it all? Looking for guidance
from this list.

Thanks in advance.

-Amarendra

[1] Microsoft Azure https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-app-types
[2] https://mailarchive.ietf.org/arch/msg/oauth/7ICMSRI2tjfXDD1Bk_G-qNpLy-0/
[3] Auth0 rotate client secret: https://auth0.com/docs/dashboard/guides/applications/rotate-client-secret



--Apple-Mail=_C328C8AF-3E1F-4367-A08A-EB752DED6263--
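
Added example (not from the message above, and not a mechanism defined by OAuth 2.0 or RFC 7591): a sketch of the authorization-server bookkeeping the "bootstrap" idea would need, where the secret handed between tenant admins is one-time and time-bound and can only be exchanged for a working secret. The class and method names, the client identifier and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

BOOTSTRAP_TTL_SECONDS = 15 * 60  # assumed lifetime of a bootstrap secret


def _digest(secret: str) -> bytes:
    # Secrets here are random 256-bit values, so an unsalted SHA-256 is enough
    # to keep them out of the store in clear text.
    return hashlib.sha256(secret.encode("utf-8")).digest()


@dataclass
class ClientRecord:
    secret_hash: bytes
    bootstrap: bool               # True: usable only at exchange_bootstrap()
    expires_at: Optional[float]   # None: no expiry


class SecretStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._clients = {}

    def provision(self, client_id):
        """Tenant Admin B's step: returns the bootstrap secret to hand over."""
        secret = secrets.token_urlsafe(32)
        self._clients[client_id] = ClientRecord(
            _digest(secret), True, self._clock() + BOOTSTRAP_TTL_SECONDS)
        return secret

    def _check(self, client_id, presented):
        record = self._clients.get(client_id)
        if record is None:
            return None
        if record.expires_at is not None and self._clock() >= record.expires_at:
            return None
        # Constant-time comparison of the stored and presented digests.
        if not hmac.compare_digest(record.secret_hash, _digest(presented)):
            return None
        return record

    def exchange_bootstrap(self, client_id, presented):
        """Application A's backend step: swap the bootstrap secret for a working one."""
        record = self._check(client_id, presented)
        if record is None or not record.bootstrap:
            raise PermissionError("invalid_client")
        working = secrets.token_urlsafe(32)
        # Replacing the record consumes the bootstrap secret, so a second
        # exchange with the same value fails.
        self._clients[client_id] = ClientRecord(_digest(working), False, None)
        return working

    def authenticate_for_token(self, client_id, presented):
        """Token endpoint check: a bootstrap secret never obtains tokens."""
        record = self._check(client_id, presented)
        return record is not None and not record.bootstrap


if __name__ == "__main__":
    store = SecretStore()
    bootstrap = store.provision("app-a")            # constructed client id
    working = store.exchange_bootstrap("app-a", bootstrap)
    print(store.authenticate_for_token("app-a", bootstrap))  # False
    print(store.authenticate_for_token("app-a", working))    # True
```

If anyone uses the bootstrap secret before application A's backend does, the backend's own exchange fails with invalid_client, which gives the operator a signal that the hand-over was intercepted.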


From nobody Mon Jul 13 13:48:28 2020
MIME-Version: 1.0
References: <7619889F-6A75-4179-B4A8-DEAAC359E5EB@broadcom.com>
In-Reply-To: <7619889F-6A75-4179-B4A8-DEAAC359E5EB@broadcom.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Mon, 13 Jul 2020 22:48:12 +0200
Message-ID: <CAJot-L2ci3uf2TcP_6jWP5ExwBCam=pTLAOQOKnDperG7NwzCg@mail.gmail.com>
To: Amarendra Godbole <ag=40broadcom.com@dmarc.ietf.org>
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c403cb05aa58cfa5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/U_Oxuly8DjdfW9ljpD8p9h7izio>
Subject: Re: [OAUTH-WG] Rotating client secret

--000000000000c403cb05aa58cfa5
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I'm not sure if it is just me, but I'm not sure I'm totally following.

I can see a concrete analogy being that, Tenant application B could be
Google Drive, and Tenant application A being any front end app that wants
to offer a service that saves files in a user's Google Drive. If
application A wants to interact with application B offline then tenant A
needs a service client/secret along with an authorization grant initiated
through application A (currently via UI in OAuth2).

Whether application A cycles the client secret or not seems like a
different problem. But I think I'm missing something. Given the example I
provided, would you be able to provide more insight into the problem you
are seeing?


*Warren Parad*
Secure your user data and complete your authorization architecture.
Implement Authress <https://bit.ly/37SSO1p>.
<https://rhosys.ch>


On Mon, Jul 13, 2020 at 10:36 PM Amarendra Godbole
<ag=40broadcom.com@dmarc.ietf.org> wrote:

> Hi All,
>
> First post to the list, and hopefully I am articulate enough to describe
> the problem I am facing — did OAuth ever consider an ability to
> dynamically rotate client secret (part of the “client credentials”
> authorization grant)? I stumbled across rfc7591 (OAuth 2.0 Dynamic Client
> Registration Protocol), but the OAuth 2.0 implementation I am looking at
> [1], does not support it. I also found some previous reference to client
> secret rotation [2], but it does not discuss my use case.
>
> We operate a SaaS application A, which is supposed to talk with another
> SaaS application B. Our customers subscribe to both, our application A as
> well as application B. However, the teams administering A and B are
> separate teams within the same organization, though we cannot assume the
> level of trust between them. Let’s call them Tenant Admin A and Tenant
> Admin B. In our usecase, application A is the client for application B,
> and application B provides OAuth 2.0 authorization workflows. Now, Tenant
> Admin A has to provision the “client credentials” authorization grant —
> in order to do that, Tenant Admin B generates the client_id and
> client_secret, and sends them to Tenant Admin B. There is the problem —
> as I earlier stated, we cannot assume the level of trust between Tenant
> Admin A and Tenant Admin B, and exchanging client_id and client_secret
> now means the circle of trust for application B includes individuals who
> may or may not be trusted.
>
> One thought that occurred to me was a provision in OAuth 2.0’s client
> credentials grant flow was the ability to “bootstrap” a client
> application — basically the client_secret is
> one-time-use-and-timebound-only, and allows the client to exchange it for
> a different client_secret. In our case, this can be handled by the SaaS
> application backend, thus making sure the Tenant Admin A no longer have
> access to it once they provision the client. This can be generalized,
> such that the authZ server can periodically trigger client_secret
> rotation, and won’t require manual intervention [3]. As I stated earlier,
> rfc7591 talks about this, but in the context of dynamic registration.
>
> Having the client secret rotation a part of the protocol exchange
> messages, maybe a bootstrap, would be the ideal solution for our usecase.
>
> Or the bigger question: Did I misinterpret it all? Looking for guidance
> from this list.
>
> Thanks in advance.
>
> -Amarendra
>
> [1] Microsoft Azure
> https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-app-types
> [2]
> https://mailarchive.ietf.org/arch/msg/oauth/7ICMSRI2tjfXDD1Bk_G-qNpLy-0/
> [3] Auth0 rotate client secret:
> https://auth0.com/docs/dashboard/guides/applications/rotate-client-secret
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--000000000000c403cb05aa58cfa5--


From nobody Mon Jul 13 14:34:59 2020
Return-Path: <ag@broadcom.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38ACF3A07FC for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 14:34:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=broadcom.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id URL9QOVwoAbQ for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 14:34:55 -0700 (PDT)
Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F23CC3A0E67 for <oauth@ietf.org>; Mon, 13 Jul 2020 14:34:19 -0700 (PDT)
Received: by mail-pg1-x52b.google.com with SMTP id m22so6620137pgv.9 for <oauth@ietf.org>; Mon, 13 Jul 2020 14:34:19 -0700 (PDT)
X-Received: by 2002:a62:5e83:: with SMTP id s125mr1467288pfb.197.1594676059108;  Mon, 13 Jul 2020 14:34:19 -0700 (PDT)
Received: from c02w42tjhtdd.lan (c-98-248-136-122.hsd1.ca.comcast.net. [98.248.136.122]) by smtp.gmail.com with ESMTPSA id l191sm15137845pfd.149.2020.07.13.14.34.17 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Jul 2020 14:34:18 -0700 (PDT)
From: Amarendra Godbole <ag@broadcom.com>
Message-Id: <BF20EE1A-F070-4E27-B13D-97DA70676ADB@broadcom.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C151518F-6450-48D3-9BFB-FAD36D0562ED"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.4\))
Date: Mon, 13 Jul 2020 14:34:16 -0700
In-Reply-To: <CAJot-L2ci3uf2TcP_6jWP5ExwBCam=pTLAOQOKnDperG7NwzCg@mail.gmail.com>
Cc: Amarendra Godbole <ag=40broadcom.com@dmarc.ietf.org>, oauth@ietf.org
To: Warren Parad <wparad@rhosys.ch>
References: <7619889F-6A75-4179-B4A8-DEAAC359E5EB@broadcom.com> <CAJot-L2ci3uf2TcP_6jWP5ExwBCam=pTLAOQOKnDperG7NwzCg@mail.gmail.com>
X-Mailer: Apple Mail (2.3601.0.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jEtte9zIr-ARjuP1vAtHPqDMU0c>
Subject: Re: [OAUTH-WG] Rotating client secret
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 21:34:57 -0000

--Apple-Mail=_C151518F-6450-48D3-9BFB-FAD36D0562ED
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Let me see if I can provide more details on the usecase:
1. A tenant is subscribed to SaaS application A and SaaS application B,
   and both applications are separately managed by different teams in the
   same organization. No assumption can be made about the trust between
   those teams.
2. Application A backend is supposed to access Application B. App B also
   has the authorization server. Both applications expose administration
   UI for its tenants.
3. App B admin generates client_id and client_secret, and hands them over
   to App A admin.
4. App A admin enters the client_id and client_secret in the UI, so the
   backend App A can now communicate with/access App B.

#3 exposes client credentials of App B to admins of app A — this is our
problem. As stated in #1, we cannot make any assumptions about the level
of trust between the two groups.

If OAuth2 provided a client credential rotation, this exposure of
credentials can be limited to a small time window. The original
client_secret can be a one-time-use-bootstrap, that App A backend
exchanges for another secret from the authorization server. Generalizing
it, the OAuth2 spec can provide for servers to trigger a client_secret
rotation.

To your analogy, the front-end app can “leak” the credentials during
provisioning (it can be a simple copy/paste that the user has to do),
thus creating a security issue. But if the credentials are
one-time-bootstrap, then first time the front-end app connects to Google
drive, drive changes the client_secret for a different one, which then
would be used by front-end app in the future. Drive also has the ability
to periodically rotate the client_secret in a similar manner. This
assumes front-end app cannot access the client_secret once it is
provisioned.

Is this better? Thanks!

-Amarendra

--
sent via recycled electrons, from my portable command center.



> On Jul 13, 2020, at 1:48 PM, Warren Parad <wparad@rhosys.ch> wrote:
>
> I'm not sure if it is just me, but I'm not sure I'm totally following.
>
> I can see a concrete analogy being that, Tenant application B could be
> Google Drive, and Tenant application A being any front end app that wants
> to offer a service that saves files in a user's Google Drive. If
> application A wants to interact with application B offline then tenant A
> needs a service client/secret along with an authorization grant initiated
> through application A (currently via UI in OAuth2).
>
> Whether application A cycles the client secret or not seems like a
> different problem. But I think I'm missing something. Given the example I
> provided, would you be able to provide more insight into the problem you
> are seeing?
>
> Warren Parad
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
> <https://rhosys.ch/>
>
> On Mon, Jul 13, 2020 at 10:36 PM Amarendra Godbole
> <ag=40broadcom.com@dmarc.ietf.org> wrote:
> Hi All,
>
> First post to the list, and hopefully I am articulate enough to describe
> the problem I am facing — did OAuth ever consider an ability to
> dynamically rotate client secret (part of the “client credentials”
> authorization grant)? I stumbled across rfc7591 (OAuth 2.0 Dynamic Client
> Registration Protocol), but the OAuth 2.0 implementation I am looking at
> [1], does not support it. I also found some previous reference to client
> secret rotation [2], but it does not discuss my use case.
>
> We operate a SaaS application A, which is supposed to talk with another
> SaaS application B. Our customers subscribe to both, our application A as
> well as application B. However, the teams administering A and B are
> separate teams within the same organization, though we cannot assume the
> level of trust between them. Let’s call them Tenant Admin A and Tenant
> Admin B. In our usecase, application A is the client for application B,
> and application B provides OAuth 2.0 authorization workflows. Now, Tenant
> Admin A has to provision the “client credentials” authorization grant —
> in order to do that, Tenant Admin B generates the client_id and
> client_secret, and sends them to Tenant Admin B. There is the problem —
> as I earlier stated, we cannot assume the level of trust between Tenant
> Admin A and Tenant Admin B, and exchanging client_id and client_secret
> now means the circle of trust for application B includes individuals who
> may or may not be trusted.
>
> One thought that occurred to me was a provision in OAuth 2.0’s client
> credentials grant flow was the ability to “bootstrap” a client
> application — basically the client_secret is
> one-time-use-and-timebound-only, and allows the client to exchange it for
> a different client_secret. In our case, this can be handled by the SaaS
> application backend, thus making sure the Tenant Admin A no longer have
> access to it once they provision the client. This can be generalized,
> such that the authZ server can periodically trigger client_secret
> rotation, and won’t require manual intervention [3]. As I stated earlier,
> rfc7591 talks about this, but in the context of dynamic registration.
>
> Having the client secret rotation a part of the protocol exchange
> messages, maybe a bootstrap, would be the ideal solution for our usecase.
>
> Or the bigger question: Did I misinterpret it all? Looking for guidance
> from this list.
>
> Thanks in advance.
>
> -Amarendra
>
> [1] Microsoft Azure
> https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-app-types
> [2]
> https://mailarchive.ietf.org/arch/msg/oauth/7ICMSRI2tjfXDD1Bk_G-qNpLy-0/
> [3] Auth0 rotate client secret:
> https://auth0.com/docs/dashboard/guides/applications/rotate-client-secret
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_C151518F-6450-48D3-9BFB-FAD36D0562ED--


From nobody Mon Jul 13 14:42:28 2020
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
MIME-Version: 1.0
References: <7619889F-6A75-4179-B4A8-DEAAC359E5EB@broadcom.com> <CAJot-L2ci3uf2TcP_6jWP5ExwBCam=pTLAOQOKnDperG7NwzCg@mail.gmail.com> <BF20EE1A-F070-4E27-B13D-97DA70676ADB@broadcom.com>
In-Reply-To: <BF20EE1A-F070-4E27-B13D-97DA70676ADB@broadcom.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 13 Jul 2020 14:41:46 -0700
Message-ID: <CAD9ie-v+JwbsvczQB3v0zKLC+=pb_8hDp7Vq5QVJzMo4kpEjmQ@mail.gmail.com>
To: Amarendra Godbole <ag=40broadcom.com@dmarc.ietf.org>
Cc: Warren Parad <wparad@rhosys.ch>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d559c605aa599039"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Wf-Jw9c2eUhi71xiKq_x8fYf0O0>
Subject: Re: [OAUTH-WG] Rotating client secret

--000000000000d559c605aa599039
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I don't know of any discussion for client secret rotation.

Another way to solve your problem could be to raise it up a layer. Admin B
generates a one time use URL that is sent to Admin A. Admin A visits the
URI and obtains the client_id and client_secret.



On Mon, Jul 13, 2020 at 2:35 PM Amarendra Godbole <ag=40broadcom.com@dmarc.ietf.org> wrote:

> Let me see if I can provide more details on the usecase:
> 1. A tenant is subscribed to SaaS application A and SaaS application B,
> and both applications are separately managed by different teams in the same
> organization. No assumption can be made about the trust between those teams.
> 2. Application A backend is supposed to access Application B. App B also
> has the authorization server. Both applications expose administration UI
> for its tenants.
> 3. App B admin generates client_id and client_secret, and hands them over
> to App A admin.
> 4. App A admin enters the client_id and client_secret in the UI, so the
> backend App A can now communicate with/access App B.
>
> #3 exposes client credentials of App B to admins of app A — *this is our
> problem*. As stated in #1, we cannot make any assumptions about the level
> of trust between the two groups.
>
> If OAuth2 provided a client credential rotation, this exposure of
> credentials can be limited to a small time window. The original
> client_secret can be a one-time-use-bootstrap, that App A backend exchanges
> for another secret from the authorization server. Generalizing it, the
> OAuth2 spec can provide for servers to trigger a client_secret rotation.
>
> To your analogy, the front-end app can “leak” the credentials during
> provisioning (it can be a simple copy/paste that the user has to do), thus
> creating a security issue. But if the credentials are one-time-bootstrap,
> then first time the front-end app connects to Google drive, drive changes
> the client_secret for a different one, which then would be used by
> front-end app in the future. Drive also has the ability to periodically
> rotate the client_secret in a similar manner. This assumes front-end app
> cannot access the client_secret once it is provisioned.
>
> Is this better? Thanks!
>
> -Amarendra
>
> --
> sent via recycled electrons, from my portable command center.
>
>
>
> On Jul 13, 2020, at 1:48 PM, Warren Parad <wparad@rhosys.ch> wrote:
>
> I'm not sure if it is just me, but I'm not sure I'm totally following.
>
> I can see a concrete analogy being that, Tenant application B could be
> Google Drive, and Tenant application A being any front end app that wants
> to offer a service that saves files in a user's Google Drive. If
> application A wants to interact with application B offline then tenant A
> needs a service client/secret along with an authorization grant initiated
> through application A (currently via UI in OAuth2).
>
> Whether application A cycles the client secret or not seems like a
> different problem. But I think I'm missing something. Given the example I
> provided, would you be able to provide more insight into the problem you
> are seeing?
>
>
> *Warren Parad*
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
> <https://rhosys.ch/>
>
>
> On Mon, Jul 13, 2020 at 10:36 PM Amarendra Godbole <ag=40broadcom.com@dmarc.ietf.org> wrote:
>
>> Hi All,
>>
>> First post to the list, and hopefully I am articulate enough to describe
>> the problem I am facing — did OAuth ever consider an ability to dynamically
>> rotate client secret (part of the “client credentials” authorization
>> grant)? I stumbled across rfc7591 (OAuth 2.0 Dynamic Client Registration
>> Protocol), but the OAuth 2.0 implementation I am looking at [1], does not
>> support it. I also found some previous reference to client secret rotation
>> [2], but it does not discuss my use case.
>>
>> We operate a SaaS application A, which is supposed to talk with another
>> SaaS application B. Our customers subscribe to both, our application A as
>> well as application B. However, the teams administering A and B are separate
>> teams within the same organization, though we cannot assume the level of
>> trust between them. Let’s call them Tenant Admin A and Tenant Admin B. In
>> our usecase, application A is the client for application B, and application
>> B provides OAuth 2.0 authorization workflows. Now, Tenant Admin A has to
>> provision the “client credentials” authorization grant — in order to do
>> that, Tenant Admin B generates the client_id and client_secret, and sends
>> them to Tenant Admin B. There is the problem — as I earlier stated, we
>> cannot assume the level of trust between Tenant Admin A and Tenant Admin B,
>> and exchanging client_id and client_secret now means the circle of trust
>> for application B includes individuals who may or may not be trusted.
>>
>> One thought that occurred to me was a provision in OAuth 2.0’s client
>> credentials grant flow was the ability to “bootstrap” a client application
>> — basically the client_secret is one-time-use-and-timebound-only, and
>> allows the client to exchange it for a different client_secret. In our
>> case, this can be handled by the SaaS application backend, thus making sure
>> the Tenant Admin A no longer has access to it once they provision the
>> client. This can be generalized, such that the authZ server can
>> periodically trigger client_secret rotation, and won’t require manual
>> intervention [3]. As I stated earlier, rfc7591 talks about this, but in
>> the context of dynamic registration.
>>
>> Having the client secret rotation a part of the protocol exchange
>> messages, maybe a bootstrap, would be the ideal solution for our usecase.
>>
>> Or the bigger question: Did I misinterpret it all? Looking for guidance
>> from this list.
>>
>> Thanks in advance.
>>
>> -Amarendra
>>
>> [1] Microsoft Azure
>> https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-app-types
>> [2]
>> https://mailarchive.ietf.org/arch/msg/oauth/7ICMSRI2tjfXDD1Bk_G-qNpLy-0/
>> [3] Auth0 rotate client secret:
>> https://auth0.com/docs/dashboard/guides/applications/rotate-client-secret
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>


--000000000000d559c605aa599039--
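
Added example, not part of the original thread or of any OAuth specification: a sketch of the one-time-use, time-bound bootstrap client_secret exchange proposed in the message quoted above, seen from the authorization server. The AuthorizationServer class, its provision/exchange/authenticate methods and the 15-minute lifetime are hypothetical; OAuth 2.0 defines no such exchange.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

BOOTSTRAP_TTL_SECONDS = 15 * 60  # assumed policy value, not taken from the thread


class ExchangeError(Exception):
    """Raised when a bootstrap exchange is refused."""


def _digest(secret: str) -> bytes:
    # Secrets are 256-bit random values, so a plain hash is adequate at rest.
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class ClientRecord:
    secret_hash: bytes
    is_bootstrap: bool
    expires_at: Optional[float]  # None once an operational secret is set
    consumed: List[bytes] = field(default_factory=list)


class AuthorizationServer:
    """Hypothetical server side of the bootstrap exchange (App B in the thread)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._clients: Dict[str, ClientRecord] = {}
        self.audit: List[str] = []

    def provision(self, client_id: str) -> str:
        """Admin B: create a client whose first secret is bootstrap-only."""
        bootstrap = secrets.token_urlsafe(32)
        self._clients[client_id] = ClientRecord(
            _digest(bootstrap), True, self._clock() + BOOTSTRAP_TTL_SECONDS)
        return bootstrap

    def exchange(self, client_id: str, presented: str) -> str:
        """App A backend: swap the bootstrap secret for an operational one."""
        rec = self._clients.get(client_id)
        if rec is None:
            raise ExchangeError("unknown client")
        h = _digest(presented)
        # A second presentation of a consumed bootstrap secret is logged,
        # because it means the value Admin A handled has been used twice.
        if any(hmac.compare_digest(h, old) for old in rec.consumed):
            self.audit.append(f"{client_id}: replay of consumed bootstrap secret")
            raise ExchangeError("bootstrap secret already used")
        if not rec.is_bootstrap or not hmac.compare_digest(h, rec.secret_hash):
            raise ExchangeError("invalid bootstrap secret")
        if self._clock() > rec.expires_at:
            self.audit.append(f"{client_id}: bootstrap secret expired")
            raise ExchangeError("bootstrap secret expired")
        operational = secrets.token_urlsafe(32)
        rec.consumed.append(rec.secret_hash)
        rec.secret_hash = _digest(operational)
        rec.is_bootstrap, rec.expires_at = False, None
        self.audit.append(f"{client_id}: bootstrap exchanged")
        return operational

    def authenticate(self, client_id: str, presented: str) -> bool:
        """Token-endpoint client authentication: operational secrets only."""
        rec = self._clients.get(client_id)
        if rec is None or rec.is_bootstrap:
            return False
        return hmac.compare_digest(_digest(presented), rec.secret_hash)


def demo() -> dict:
    """Walk through provisioning with a fake clock (constructed scenario)."""
    now = [1_000.0]
    server = AuthorizationServer(clock=lambda: now[0])
    bootstrap = server.provision("app-a")  # the only value Admin A ever sees
    out = {"bootstrap_at_token_endpoint": server.authenticate("app-a", bootstrap)}
    operational = server.exchange("app-a", bootstrap)  # done by App A backend
    out["operational_ok"] = server.authenticate("app-a", operational)
    out["bootstrap_after_exchange"] = server.authenticate("app-a", bootstrap)
    for key, cid, secret, delay in (
        ("replay", "app-a", bootstrap, 0),
        ("expired", "app-late", server.provision("app-late"),
         BOOTSTRAP_TTL_SECONDS + 1),
    ):
        now[0] += delay
        try:
            server.exchange(cid, secret)
            out[key] = "accepted"
        except ExchangeError as err:
            out[key] = str(err)
    out["audit"] = list(server.audit)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Whoever presents the bootstrap secret first wins the exchange, so the scheme narrows the exposure window rather than closing it. A refused exchange from the App A backend is the signal that the value was used elsewhere and the client should be re-provisioned.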


From nobody Mon Jul 13 15:50:40 2020
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
MIME-Version: 1.0
References: <7619889F-6A75-4179-B4A8-DEAAC359E5EB@broadcom.com> <CAJot-L2ci3uf2TcP_6jWP5ExwBCam=pTLAOQOKnDperG7NwzCg@mail.gmail.com> <BF20EE1A-F070-4E27-B13D-97DA70676ADB@broadcom.com>
In-Reply-To: <BF20EE1A-F070-4E27-B13D-97DA70676ADB@broadcom.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Tue, 14 Jul 2020 00:50:21 +0200
Message-ID: <CAJot-L0jsX8Gzr2xMo1E7=q0H4H694UQW3eOHAoRapezofEW7w@mail.gmail.com>
To: Amarendra Godbole <ag@broadcom.com>
Cc: Amarendra Godbole <ag=40broadcom.com@dmarc.ietf.org>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009bbfae05aa5a84f2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AI_-1J3Z6w3HCj_LVRGBUBn3Fvo>
Subject: Re: [OAUTH-WG] Rotating client secret

--0000000000009bbfae05aa5a84f2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Why is #3 a problem, and why does admin A incorrectly use App A to store
the service credentials of App B in their repository? Admin A should be
using their source control/database to store the tenant B client secret.


*Warren Parad*
Secure your user data and complete your authorization architecture.
Implement Authress <https://bit.ly/37SSO1p>.
<https://rhosys.ch>



--0000000000009bbfae05aa5a84f2--


From nobody Mon Jul 13 17:40:04 2020
Return-Path: <ag@broadcom.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B64403A0C38 for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 17:40:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=broadcom.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TCO_cOO0cAgz for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 17:40:00 -0700 (PDT)
Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C2C03A07C8 for <oauth@ietf.org>; Mon, 13 Jul 2020 17:39:59 -0700 (PDT)
Received: by mail-pl1-x62a.google.com with SMTP id b9so6272664plx.6 for <oauth@ietf.org>; Mon, 13 Jul 2020 17:39:59 -0700 (PDT)
X-Received: by 2002:a17:902:c209:: with SMTP id 9mr1816341pll.133.1594687199081;  Mon, 13 Jul 2020 17:39:59 -0700 (PDT)
Received: from c02w42tjhtdd.lan (c-98-248-136-122.hsd1.ca.comcast.net. [98.248.136.122]) by smtp.gmail.com with ESMTPSA id io3sm624691pjb.22.2020.07.13.17.39.57 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Jul 2020 17:39:58 -0700 (PDT)
From: Amarendra Godbole <ag@broadcom.com>
Message-Id: <5F99C5D2-2805-4C28-BE4F-4DDB5F0F2E80@broadcom.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_35A1C054-470C-428B-A28C-9EC4B1F39ACA"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.4\))
Date: Mon, 13 Jul 2020 17:39:56 -0700
In-Reply-To: <CAJot-L0jsX8Gzr2xMo1E7=q0H4H694UQW3eOHAoRapezofEW7w@mail.gmail.com>
Cc: oauth@ietf.org
To: Warren Parad <wparad@rhosys.ch>
References: <7619889F-6A75-4179-B4A8-DEAAC359E5EB@broadcom.com> <CAJot-L2ci3uf2TcP_6jWP5ExwBCam=pTLAOQOKnDperG7NwzCg@mail.gmail.com> <BF20EE1A-F070-4E27-B13D-97DA70676ADB@broadcom.com> <CAJot-L0jsX8Gzr2xMo1E7=q0H4H694UQW3eOHAoRapezofEW7w@mail.gmail.com>
X-Mailer: Apple Mail (2.3601.0.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KhnL__M0ZDd2JP-ZM0nLmEiWraE>
Subject: Re: [OAUTH-WG] Rotating client secret
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2020 00:40:03 -0000

--Apple-Mail=_35A1C054-470C-428B-A28C-9EC4B1F39ACA
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Ah! That isn’t the issue as much as the fact that Admin B does not want
to share the client_secret with Admin A in the first place!

As Dick Hardt suggested earlier, we are already considering moving it up a
layer since this is largely a trust-between-humans-issue, though it’s still
a bummer that OAuth2 doesn’t support rotating client_secret.

Thanks everyone who responded, I have enough food for thought!

-Amarendra

--
sent via recycled electrons, from my portable command center.



> On Jul 13, 2020, at 3:50 PM, Warren Parad <wparad@rhosys.ch> wrote:
>
> Why is #3 a problem, and why does admin A incorrectly use App A to store
> the service credentials of App B in their repository? Admin A should be
> using their source control/database to store the tenant B client secret.
>
> Warren Parad
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
> <https://rhosys.ch/>
>
> On Mon, Jul 13, 2020 at 11:34 PM Amarendra Godbole <ag@broadcom.com> wrote:
> Let me see if I can provide more details on the usecase:
> 1. A tenant is subscribed to SaaS application A and SaaS application B,
>    and both applications are separately managed by different teams in the
>    same organization. No assumption can be made about the trust between
>    those teams.
> 2. Application A backend is supposed to access Application B. App B also
>    has the authorization server. Both applications expose administration
>    UI for its tenants.
> 3. App B admin generates client_id and client_secret, and hands them over
>    to App A admin.
> 4. App A admin enters the client_id and client_secret in the UI, so the
>    backend App A can now communicate with/access App B.
>
> #3 exposes client credentials of App B to admins of app A — this is our
> problem. As stated in #1, we cannot make any assumptions about the level
> of trust between the two groups.
>
> If OAuth2 provided a client credential rotation, this exposure of
> credentials can be limited to a small time window. The original
> client_secret can be a one-time-use-bootstrap, that App A backend
> exchanges for another secret from the authorization server. Generalizing
> it, the OAuth2 spec can provide for servers to trigger a client_secret
> rotation.
>
> To your analogy, the front-end app can “leak” the credentials during
> provisioning (it can be a simple copy/paste that the user has to do), thus
> creating a security issue. But if the credentials are one-time-bootstrap,
> then first time the front-end app connects to Google drive, drive changes
> the client_secret for a different one, which then would be used by
> front-end app in the future. Drive also has the ability to periodically
> rotate the client_secret in a similar manner. This assumes front-end app
> cannot access the client_secret once it is provisioned.
>
> Is this better? Thanks!
>
> -Amarendra
>
> --
> sent via recycled electrons, from my portable command center.
>
>
>
>> On Jul 13, 2020, at 1:48 PM, Warren Parad <wparad@rhosys.ch> wrote:
>>
>> I'm not sure if it is just me, but I'm not sure I'm totally following.
>>
>> I can see a concrete analogy being that, Tenant application B could be
>> Google Drive, and Tenant application A being any front end app that wants
>> to offer a service that saves files in a user's Google Drive. If
>> application A wants to interact with application B offline then tenant A
>> needs a service client/secret along with an authorization grant initiated
>> through application A (currently via UI in OAuth2).
>>
>> Whether application A cycles the client secret or not seems like a
>> different problem. But I think I'm missing something. Given the example I
>> provided, would you be able to provide more insight into the problem you
>> are seeing?
>>
>> Warren Parad
>> Secure your user data and complete your authorization architecture.
>> Implement Authress <https://bit.ly/37SSO1p>.
>> <https://rhosys.ch/>
>>
>> On Mon, Jul 13, 2020 at 10:36 PM Amarendra Godbole
>> <ag=40broadcom.com@dmarc.ietf.org> wrote:
>> Hi All,
>>
>> First post to the list, and hopefully I am articulate enough to describe
>> the problem I am facing — did OAuth ever consider an ability to dynamically
>> rotate client secret (part of the “client credentials” authorization
>> grant)? I stumbled across rfc7591 (OAuth 2.0 Dynamic Client Registration
>> Protocol), but the OAuth 2.0 implementation I am looking at [1], does not
>> support it. I also found some previous reference to client secret rotation
>> [2], but it does not discuss my use case.
>>
>> We operate a SaaS application A, which is supposed to talk with another
>> SaaS application B. Our customers subscribe to both, our application A as
>> well as application B. However, the teams administering A and B are separate
>> teams within the same organization, though we cannot assume the level of
>> trust between them. Let’s call them Tenant Admin A and Tenant Admin B. In
>> our usecase, application A is the client for application B, and application
>> B provides OAuth 2.0 authorization workflows. Now, Tenant Admin A has to
>> provision the “client credentials” authorization grant — in order to do
>> that, Tenant Admin B generates the client_id and client_secret, and sends
>> them to Tenant Admin B. There is the problem — as I earlier stated, we
>> cannot assume the level of trust between Tenant Admin A and Tenant Admin B,
>> and exchanging client_id and client_secret now means the circle of trust
>> for application B includes individuals who may or may not be trusted.
>>
>> One thought that occurred to me was a provision in OAuth 2.0’s client
>> credentials grant flow was the ability to “bootstrap” a client application
>> — basically the client_secret is one-time-use-and-timebound-only, and
>> allows the client to exchange it for a different client_secret. In our
>> case, this can be handled by the SaaS application backend, thus making sure
>> the Tenant Admin A no longer has access to it once they provision the
>> client. This can be generalized, such that the authZ server can
>> periodically trigger client_secret rotation, and won’t require manual
>> intervention [3]. As I stated earlier, rfc7591 talks about this, but in
>> the context of dynamic registration.
>>
>> Having the client secret rotation a part of the protocol exchange
>> messages, maybe a bootstrap, would be the ideal solution for our usecase.
>>
>> Or the bigger question: Did I misinterpret it all? Looking for guidance
>> from this list.
>>
>> Thanks in advance.
>>
>> -Amarendra
>>
>> [1] Microsoft Azure
>> https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-app-types
>> [2]
>> https://mailarchive.ietf.org/arch/msg/oauth/7ICMSRI2tjfXDD1Bk_G-qNpLy-0/
>> [3] Auth0 rotate client secret:
>> https://auth0.com/docs/dashboard/guides/applications/rotate-client-secret
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
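
The one-time, time-bound bootstrap exchange proposed in this thread, sketched from the authorization server's side. This is an added example, not part of any message in the thread and not an OAuth 2.0 feature; the class and method names, the 15-minute lifetime, the `app-a` client id and the audit event names are all assumptions.

```python
import hashlib
import hmac
import secrets
import time


class CredentialError(Exception):
    """Raised when a bootstrap exchange or a rotation is refused."""


class ClientRegistry:
    """Toy credential store on the authorization server (App B's side).

    Hypothetical design: OAuth 2.0 defines no such exchange, and every
    name below is an assumption made for this example.
    """

    def __init__(self, bootstrap_ttl=900, clock=time.time):
        self._ttl = bootstrap_ttl      # assumed 15-minute bootstrap window
        self._clock = clock            # injectable so expiry can be tested
        self._clients = {}             # client_id -> {"hash", "bootstrap", "expires"}
        self.audit = []                # (timestamp, client_id, event)

    @staticmethod
    def _digest(secret):
        # Secrets are 256-bit random values, so a plain hash keeps them out
        # of the store; human-chosen passwords would need a slow KDF instead.
        return hashlib.sha256(secret.encode()).hexdigest()

    def _log(self, client_id, event):
        self.audit.append((self._clock(), client_id, event))

    def _install(self, client_id, bootstrap, event):
        secret = secrets.token_urlsafe(32)
        self._clients[client_id] = {
            "hash": self._digest(secret),
            "bootstrap": bootstrap,
            "expires": self._clock() + self._ttl if bootstrap else None,
        }
        self._log(client_id, event)
        return secret

    def _matches(self, record, secret):
        return hmac.compare_digest(record["hash"], self._digest(secret))

    def provision(self, client_id):
        """Admin B's step: mint the bootstrap secret handed to Admin A."""
        return self._install(client_id, True, "bootstrap_issued")

    def exchange(self, client_id, bootstrap_secret):
        """App A backend's step: redeem the bootstrap secret exactly once."""
        record = self._clients.get(client_id)
        if record is None:
            raise CredentialError("unknown client")
        if not record["bootstrap"]:
            # Already redeemed: whoever calls now was not first to use it.
            self._log(client_id, "bootstrap_replay")
            raise CredentialError("bootstrap secret already used")
        if self._clock() > record["expires"]:
            self._log(client_id, "bootstrap_expired")
            raise CredentialError("bootstrap secret expired")
        if not self._matches(record, bootstrap_secret):
            self._log(client_id, "bootstrap_mismatch")
            raise CredentialError("bootstrap secret rejected")
        return self._install(client_id, False, "bootstrap_exchanged")

    def authenticate(self, client_id, secret):
        """Token-endpoint check: a bootstrap secret never authenticates."""
        record = self._clients.get(client_id)
        if record is None or record["bootstrap"]:
            return False
        return self._matches(record, secret)

    def rotate(self, client_id, current_secret):
        """Later rotation: the working secret buys its own replacement."""
        if not self.authenticate(client_id, current_secret):
            self._log(client_id, "rotation_denied")
            raise CredentialError("current secret rejected")
        return self._install(client_id, False, "secret_rotated")


def demo():
    """Walk the flow with a constructed clock; returns the audit event names."""
    now = [0.0]
    registry = ClientRegistry(clock=lambda: now[0])
    bootstrap = registry.provision("app-a")          # seen by both admins
    working = registry.exchange("app-a", bootstrap)  # seen only by the backend
    try:
        registry.exchange("app-a", bootstrap)        # a copied secret is useless
    except CredentialError:
        pass
    registry.rotate("app-a", working)
    return [event for _, _, event in registry.audit]


if __name__ == "__main__":
    print(demo())
```

A `bootstrap_replay` event is the one to alert on: if someone who saw the bootstrap secret redeems it before the backend does, the backend's own exchange fails and the exposure becomes visible instead of silent.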


--Apple-Mail=_35A1C054-470C-428B-A28C-9EC4B1F39ACA
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D"">Ah! =
That isn=E2=80=99t the issue as much as the fact that Admin B does not =
want to share the client_secret with Admin A in the first place!<div =
class=3D""><br class=3D""></div><div class=3D"">As Dick Hardt suggested =
earlier, we are already considering moving it up a layer since this is =
largely a trust-between-humans-issue, though its still a bummer that =
OAuth2 doesn=E2=80=99t support rotating client_secret.</div><div =
class=3D""><br class=3D""></div><div class=3D"">Thanks everyone who =
responded, I have enough food for thought!</div><div class=3D""><br =
class=3D""></div><div class=3D"">-Amarendra<br class=3D""><div class=3D"">=

<div dir=3D"auto" style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, =
0); letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: =
break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" =
class=3D""><div dir=3D"auto" style=3D"caret-color: rgb(0, 0, 0); color: =
rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: =
break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" =
class=3D""><div dir=3D"auto" style=3D"caret-color: rgb(0, 0, 0); color: =
rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: =
break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" =
class=3D""><br class=3D"">--<br class=3D"">sent via recycled electrons, =
from&nbsp;my portable command center.<br class=3D""></div><div =
dir=3D"auto" style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); =
letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: =
break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" =
class=3D""><br class=3D""></div></div></div><br =
class=3D"Apple-interchange-newline">
</div>
<div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"">On Jul 13, 2020, at 3:50 PM, Warren Parad &lt;<a =
href=3D"mailto:wparad@rhosys.ch" class=3D"">wparad@rhosys.ch</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><div class=3D""><div =
dir=3D"ltr" class=3D"">Why is #3 a problem, and why do the admin A =
incorrectly use App A to store the service&nbsp;credentials of App B in =
their repository? Admin A should be using their source control/database =
to store the tenant B client secret.<div class=3D""><br clear=3D"all" =
class=3D""><div class=3D""><div dir=3D"ltr" =
data-smartmail=3D"gmail_signature" class=3D""><div dir=3D"ltr" =
class=3D""><b class=3D"">Warren Parad<br class=3D""></b><div =
class=3D""><font size=3D"1" class=3D"">Secure your user data and =
complete your authorization architecture. Implement&nbsp;<a =
href=3D"https://bit.ly/37SSO1p" target=3D"_blank" =
class=3D"">Authress</a>.</font></div><div class=3D""><a =
href=3D"https://rhosys.ch/" target=3D"_blank" class=3D""><img width=3D"96"=
 height=3D"20" class=3D""></a></div></div></div></div><br =
class=3D""></div></div><br class=3D""><div class=3D"gmail_quote"><div =
dir=3D"ltr" class=3D"gmail_attr">On Mon, Jul 13, 2020 at 11:34 PM =
Amarendra Godbole &lt;<a href=3D"mailto:ag@broadcom.com" target=3D"_blank"=
 class=3D"">ag@broadcom.com</a>&gt; wrote:<br class=3D""></div><blockquote=
 class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex"><div class=3D"">Let me see if I =
can provide more details on the usecase:<div class=3D"">1. A tenant is =
subscribed to SaaS application A and SaaS application B, and both =
applications are separately managed by different teams in the same =
organization. No assumption can be made about the trust between those =
teams.<br class=3D""><div class=3D"">2. Application A backend is =
supposed to access Application B. App B also has the authorization =
server. Both applications expose administration UI for its =
tenants.</div><div class=3D"">3. App B admin generates client_id and =
client_secret, and hands them over to App A admin.</div><div class=3D"">4.=
 App A admin enters the client_id and clilent_secret in the UI, so the =
backend App A can now communicate with/access App B.</div><div =
class=3D""><br class=3D""></div><div class=3D"">#3 exposes client =
credentials of App B to admins of app A =E2=80=94 <u class=3D""><i =
class=3D"">this is our problem</i></u>. As stated in #1, we cannot make =
any assumptions about the level of trust between the two =
groups.</div><div class=3D""><br class=3D""></div><div class=3D"">If =
OAuth2 provided a client credential rotation, this exposure of =
credentials can be limited to a small time window. The original =
client_secret can be a one-time-use-bootstrap, that App A backend =
exchanges for another secret from the authorization server. Generalizing =
it, the OAuth2 spec can provide for servers to trigger a client_secret =
rotation.</div><div class=3D""><br class=3D""></div><div class=3D"">To =
your analogy, the front-end app can =E2=80=9Cleak=E2=80=9D the =
credentials during provisioning (it can be a simple copy/paste that the =
user has to do), thus creating a security issue. But if the credentials =
are one-time-bootstrap, then first time the front-end app connects to =
Google drive, drive changes the client_secret for a different one, which =
then would be used by front-end app in the future. Drive also has the =
ability to periodically rotate the client_secret in a similar manner. =
This assumes front-end app cannot access the client_secret once it is =
provisioned.</div><div class=3D""><br class=3D""></div><div class=3D"">Is =
this better? Thanks!</div><div class=3D""><br class=3D""></div><div =
class=3D"">-Amarendra</div><div class=3D""><div class=3D"">
<div dir=3D"auto" style=3D"letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; text-decoration: none;" class=3D""><div dir=3D"auto" =
style=3D"letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
text-decoration: none;" class=3D""><div dir=3D"auto" =
style=3D"letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
text-decoration: none;" class=3D""><br class=3D"">--<br class=3D"">sent =
via recycled electrons, from&nbsp;my portable command center.<br =
class=3D""></div><div dir=3D"auto" style=3D"letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; text-decoration: none;" class=3D""><br =
class=3D""></div></div></div><br class=3D"">
</div>
<div class=3D""><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"">On Jul 13, 2020, at 1:48 PM, Warren Parad &lt;<a =
href=3D"mailto:wparad@rhosys.ch" target=3D"_blank" =
class=3D"">wparad@rhosys.ch</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D"">I'm not sure if it is just me, =
but I'm not sure I'm totally following.<div class=3D""><br =
class=3D""></div><div class=3D"">I can see a concrete analogy being =
that, Tenant application&nbsp;B could be Google Drive, and Tenant =
application A being any front end app that wants to offer a service that =
saves files in a user's Google Drive. If application A wants to interact =
with application B offline then tenant A needs a service client/secret =
along with an authorization grant initiated through application A =
(currently via UI in OAuth2).</div><div class=3D""><br =
class=3D""></div><div class=3D"">Whether application A cycles the client =
secret or not seems like a different problem. But I think I'm missing =
something. Given the example I provided, would you be able to provide =
more insight into the problem you are seeing?</div><div class=3D""><br =
clear=3D"all" class=3D""><div class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D""><b class=3D"">Warren Parad<br class=3D""></b><div =
class=3D""><font size=3D"1" class=3D"">Secure your user data and =
complete your authorization architecture. Implement&nbsp;<a =
href=3D"https://bit.ly/37SSO1p" target=3D"_blank" =
class=3D"">Authress</a>.</font></div><div class=3D""><a =
href=3D"https://rhosys.ch/" target=3D"_blank" class=3D""><img width=3D"96"=
 height=3D"20" class=3D""></a></div></div></div></div><br =
class=3D""></div></div><br class=3D""><div class=3D"gmail_quote"><div =
dir=3D"ltr" class=3D"gmail_attr">On Mon, Jul 13, 2020 at 10:36 PM =
Amarendra Godbole &lt;ag=3D<a =
href=3D"mailto:40broadcom.com@dmarc.ietf.org" target=3D"_blank" =
class=3D"">40broadcom.com@dmarc.ietf.org</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div class=3D""><div dir=3D"auto" =
class=3D""><div class=3D"">Hi All,</div><div class=3D""><br =
class=3D""></div><div class=3D"">First post to the list, and hopefully I =
am articulate enough to describe the problem I am facing =E2=80=94 did =
OAuth ever consider an ability to dynamically rotate client secret (part =
of the =E2=80=9Cclient credentials=E2=80=9D authorization grant)? I =
stumbled across&nbsp;rfc7591 (OAuth 2.0 Dynamic Client Registration =
Protocol), but the OAuth 2.0 implementation I am looking at [1], does =
not support it. I also found some previous reference to client secret =
rotation [2], but it does not discuss my use case.</div><div =
class=3D""><br class=3D""></div><div class=3D"">We operate a SaaS =
application A, which is supposed to talk with another SaaS application =
B. Our customers subscribe to both, our application A as well as =
application B. However, the teams administering A and B are separate =
teams within the same organization, though we cannot assume the level of =
trust between them. Let=E2=80=99s call them Tenant Admin A and Tenant =
Admin B. In our usecase, application A is the client for application B, =
and application B provides OAuth 2.0 authorization workflows. Now, =
Tenant Admin A has to provision the "client credentials=E2=80=9D =
authorization grant =E2=80=94 in order to do that, Tenant Admin B =
generates the client_id and client_secret, and sends them to Tenant =
Admin B. There is the problem =E2=80=94 as I earlier stated, we cannot =
assume the level of trust between Tenant Admin A and Tenant Admin B, and =
exchanging client_id and client_secret now means the circle of trust for =
application B includes individuals who may or may not be =
trusted.</div><div class=3D""><br class=3D""></div><div class=3D"">One =
thought that occurred to me was a provision in OAuth 2.0=E2=80=99s client =
credentials grant flow was the ability to =E2=80=9Cbootstrap=E2=80=9D a =
client application =E2=80=94 basically the client_secret is =
one-time-use-and-timebound-only, and allows the client to exchange it =
for a different client_secret. In our case, this can be handled by the =
SaaS application backend, thus making sure the Tenant Admin A no longer =
have access to it once they provision the client. This can be =
generalized, such that the authZ server can periodically trigger =
client_secret rotation, and won=E2=80=99t require manual intervention =
[3]. As I stated earlier, rfc7591 talks about this, but in the =
context of dynamic registration.</div><div class=3D""><br =
class=3D""></div><div class=3D"">Having the client secret rotation a =
part of the protocol exchange messages, maybe a bootstrap, would be the =
ideal solution for our usecase.</div><div class=3D""><br =
class=3D""></div><div class=3D"">Or the bigger question: Did I =
misinterpret it all? Looking for guidance from this list.</div><div =
class=3D""><br class=3D""></div><div class=3D"">Thanks in =
advance.</div><div class=3D""><br class=3D""></div><div =
class=3D"">-Amarendra</div><div class=3D""><br class=3D""></div><div =
class=3D"">[1] Microsoft Azure&nbsp;<a =
href=3D"https://docs.microsoft.com/en-us/azure/active-directory/develop/v2=
-app-types" target=3D"_blank" =
class=3D"">https://docs.microsoft.com/en-us/azure/active-directory/develop=
/v2-app-types</a></div><div class=3D"">[2]&nbsp;<a =
href=3D"https://mailarchive.ietf.org/arch/msg/oauth/7ICMSRI2tjfXDD1Bk_G-qN=
pLy-0/" target=3D"_blank" =
class=3D"">https://mailarchive.ietf.org/arch/msg/oauth/7ICMSRI2tjfXDD1Bk_G=
-qNpLy-0/</a></div><div class=3D"">[3] Auth0 rotate client =
secret:&nbsp;<a =
href=3D"https://auth0.com/docs/dashboard/guides/applications/rotate-client=
-secret" target=3D"_blank" =
class=3D"">https://auth0.com/docs/dashboard/guides/applications/rotate-cli=
ent-secret</a></div><div class=3D""><br =
class=3D""></div></div></div>_____________________________________________=
__<br class=3D"">
OAuth mailing list<br class=3D"">
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a><br class=3D"">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer"=
 target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><br class=3D"">
</blockquote></div>
_______________________________________________<br class=3D"">OAuth =
mailing list<br class=3D""><a href=3D"mailto:OAuth@ietf.org" =
target=3D"_blank" class=3D"">OAuth@ietf.org</a><br class=3D""><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><br =
class=3D""></div></blockquote></div><br =
class=3D""></div></div></div></blockquote></div>
</div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_35A1C054-470C-428B-A28C-9EC4B1F39ACA--
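
The bootstrap idea from the original post quoted in this message (a one-time, time-bound client_secret that the client's backend exchanges for a different one, plus later rotation), as an added sketch that is not part of the thread, of OAuth 2.0, or of any product cited in it. `ClientRegistry`, its methods and the `app-a` client are hypothetical names, and the exchange step is an assumed extension, not a defined OAuth endpoint.

```python
import hashlib
import hmac
import secrets
import time


def _digest(secret: str) -> bytes:
    # Only a hash is stored, so a leaked client table does not expose secrets.
    return hashlib.sha256(secret.encode()).digest()


class BootstrapError(Exception):
    """Credential is unknown, expired, already used, or of the wrong kind."""


class ClientRegistry:
    """Hypothetical client store on application B's authorization server."""

    def __init__(self, bootstrap_ttl=900, clock=time.time):
        self._clients = {}      # client_id -> record
        self._ttl = bootstrap_ttl
        self._clock = clock     # injectable so expiry can be exercised

    def provision(self, client_id):
        """Tenant Admin B creates the client; the returned bootstrap secret
        is what gets handed to Tenant Admin A."""
        bootstrap = secrets.token_urlsafe(32)
        self._clients[client_id] = {
            "bootstrap": _digest(bootstrap),
            "bootstrap_expires": self._clock() + self._ttl,
            "operational": None,
        }
        return bootstrap

    def exchange_bootstrap(self, client_id, bootstrap):
        """Application A's backend trades the bootstrap secret for the
        operational one. Single use, time-bound."""
        rec = self._record(client_id)
        stored = rec["bootstrap"]
        if stored is None:
            raise BootstrapError("bootstrap secret already used")
        if self._clock() > rec["bootstrap_expires"]:
            rec["bootstrap"] = None
            raise BootstrapError("bootstrap secret expired")
        if not hmac.compare_digest(stored, _digest(bootstrap)):
            raise BootstrapError("bad bootstrap secret")
        rec["bootstrap"] = None     # burn it before issuing the replacement
        return self._issue(rec)

    def rotate(self, client_id, current_secret):
        """Periodic rotation: the current operational secret buys the next."""
        rec = self._record(client_id)
        self._check_operational(rec, current_secret)
        return self._issue(rec)

    def authenticate(self, client_id, client_secret):
        """Token-endpoint check for the client credentials grant. The
        bootstrap secret is never accepted here."""
        try:
            self._check_operational(self._record(client_id), client_secret)
        except BootstrapError:
            return False
        return True

    def _record(self, client_id):
        try:
            return self._clients[client_id]
        except KeyError:
            raise BootstrapError("unknown client") from None

    @staticmethod
    def _check_operational(rec, secret):
        stored = rec["operational"]
        if stored is None or not hmac.compare_digest(stored, _digest(secret)):
            raise BootstrapError("bad client secret")

    @staticmethod
    def _issue(rec):
        new_secret = secrets.token_urlsafe(32)
        rec["operational"] = _digest(new_secret)
        return new_secret


def demo():
    """Walk the lifecycle with a constructed client and a fixed clock."""
    now = [1000.0]
    registry = ClientRegistry(bootstrap_ttl=900, clock=lambda: now[0])
    bootstrap = registry.provision("app-a")     # the value Tenant Admin A sees
    results = {
        "bootstrap_at_token_endpoint": registry.authenticate("app-a", bootstrap)
    }
    operational = registry.exchange_bootstrap("app-a", bootstrap)
    results["operational_ok"] = registry.authenticate("app-a", operational)
    try:
        registry.exchange_bootstrap("app-a", bootstrap)
        results["replay"] = "accepted"
    except BootstrapError as exc:
        results["replay"] = str(exc)
    rotated = registry.rotate("app-a", operational)
    results["old_after_rotate"] = registry.authenticate("app-a", operational)
    results["new_after_rotate"] = registry.authenticate("app-a", rotated)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

After the exchange, the value Tenant Admin A handled is useless at both the exchange step and the token endpoint; only application A's backend holds the operational secret.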


From nobody Wed Jul 15 10:42:13 2020
MIME-Version: 1.0
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Wed, 15 Jul 2020 13:41:30 -0400
Message-ID: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c8915605aa7e6fa1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UQ7Y0RflhTHnatetLALBYWccQTQ>
Subject: [OAUTH-WG] Call for adoption - OAuth 2.1 document

--000000000000c8915605aa7e6fa1
Content-Type: text/plain; charset="UTF-8"

All,

This is a *call for adoption* for the following *OAuth 2.1* document as a
WG document:
https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html

Please, provide your feedback on the mailing list by *July 29th.*

Regards,
 Rifaat & Hannes


--000000000000c8915605aa7e6fa1--


From nobody Wed Jul 15 10:55:20 2020
MIME-Version: 1.0
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com>
In-Reply-To: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 15 Jul 2020 10:54:38 -0700
Message-ID: <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000419aef05aa7ea0c1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WAhbt8N2OQqfHW6pSpyAdV-90qI>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document

--000000000000419aef05aa7ea0c1
Content-Type: text/plain; charset="UTF-8"

+1

On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
wrote:

> All,
>
> This is a *call for adoption* for the following *OAuth 2.1* document as a
> WG document:
> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>
> Please, provide your feedback on the mailing list by *July 29th.*
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


--000000000000419aef05aa7ea0c1--


From nobody Wed Jul 15 11:57:36 2020
MIME-Version: 1.0
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com>
In-Reply-To: <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 15 Jul 2020 20:57:18 +0200
Message-ID: <CAJot-L0wYMMkUDjEbn3O50_A-Ly03ASdz=UhU_yZuLaayN3mpA@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="000000000000dcfb8105aa7f7eec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0x7jGjrZPRfMinrFOrf2dXVJyXk>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document

--000000000000dcfb8105aa7f7eec
Content-Type: multipart/alternative; boundary="000000000000dcfb8005aa7f7eeb"

--000000000000dcfb8005aa7f7eeb
Content-Type: text/plain; charset="UTF-8"

I only recently joined this WG DL, so maybe this was already discussed, but I
have two things I'm confused/curious about:

1. Can we avoid using (1, 2, 3) on the left side of the diagram to
describe, I'm not even sure what they are supposed to represent, not to
mention the RO in the diagram doesn't really provide value (for me)
relevant to the code grant flow. It's confusing to see these numerical
identifiers twice in the same picture. But maybe there is something hidden
in this that I'm missing, still 3a and 3b could be used to identify
different legs of the same code path.
[image: image.png]

2. It seems recently more and more common to pass the access_token to some
RS via a cookie, yet 7.2.1 says it defines two methods. I think we need
some RFC2119
<https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119> keywords
here, to suggest that either SHOULD use one of these two, or MUST. And then
optionally state whether or not we recommend or reject the use of cookies
as a place for access tokens. It's also possible that the language threw me
off, because would an access token in a cookie be a bearer token, but no
matter, if I'm having this thought, then surely others have it as well,
right?

[image: image.png]


*Warren Parad*
Secure your user data and complete your authorization architecture.
Implement Authress <https://bit.ly/37SSO1p>.
<https://rhosys.ch>


On Wed, Jul 15, 2020 at 7:55 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> +1
>
> On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <
> rifaat.s.ietf@gmail.com> wrote:
>
>> All,
>>
>> This is a *call for adoption* for the following *OAuth 2.1* document as
>> a WG document:
>> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>>
>> Please, provide your feedback on the mailing list by *July 29th.*
>>
>> Regards,
>>  Rifaat & Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


--000000000000dcfb8005aa7f7eeb--

--000000000000dcfb8105aa7f7eec--


From nobody Wed Jul 15 12:02:37 2020
MIME-Version: 1.0
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com> <CAJot-L0wYMMkUDjEbn3O50_A-Ly03ASdz=UhU_yZuLaayN3mpA@mail.gmail.com>
In-Reply-To: <CAJot-L0wYMMkUDjEbn3O50_A-Ly03ASdz=UhU_yZuLaayN3mpA@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Wed, 15 Jul 2020 12:02:02 -0700
X-Gmail-Original-Message-ID: <CAGBSGjrO1hLRU7aGFwMfKaT0991q=zr1YTnbL06s5G3k8RLOSw@mail.gmail.com>
Message-ID: <CAGBSGjrO1hLRU7aGFwMfKaT0991q=zr1YTnbL06s5G3k8RLOSw@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: Dick Hardt <dick.hardt@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="000000000000d20c7f05aa7f8f91"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/s2ucD_BCbRYA-qkiAwgcpwgfZ9o>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 19:02:34 -0000

--000000000000d20c7f05aa7f8f91
Content-Type: multipart/alternative; boundary="000000000000d20c7e05aa7f8f90"

--000000000000d20c7e05aa7f8f90
Content-Type: text/plain; charset="UTF-8"

Just to clarify, this thread is a call for adoption, not meant to discuss
the details of this particular draft.

Any issues with the draft can be raised as new threads. But right now, the
question posed to the list is whether the group thinks this document should
be adopted as a working group item.

Oh, and +1 from me :-)

Aaron Parecki
https://aaronparecki.com

On Wed, Jul 15, 2020 at 11:57 AM Warren Parad <wparad@rhosys.ch> wrote:

> I only recently joined this WG DL, so maybe this was already discussed, but
> I have two things I'm confused/curious about:
>
> 1. Can we avoid using (1, 2, 3) on the left side of the diagram to
> describe, I'm not even sure what they are supposed to represent, not to
> mention the RO in the diagram doesn't really provide value (for me)
> relevant to the code grant flow. It's confusing to see these numerical
> identifiers twice in the same picture. But maybe there is something hidden
> in this that I'm missing, still 3a and 3b could be used to identify
> different legs of the same code path.
> [image: image.png]
>
> 2. It seems recently more and more common to pass the access_token to some
> RS via a cookie, yet 7.2.1 says it defines two methods. I think we need
> some RFC2119
> <https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119> keywords
> here, to suggest that either SHOULD use one of these two, or MUST. And then
> optionally state whether or not we recommend or reject the use of cookies
> as a place for access tokens. It's also possible that the language threw me
> off, because would an access token in a cookie be a bearer token, but no
> matter, if I'm having this thought, then surely others have it as well,
> right?
>
> [image: image.png]
>
>
> *Warren Parad*
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
> <https://rhosys.ch>
>
>
> On Wed, Jul 15, 2020 at 7:55 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> +1
>>
>> On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <
>> rifaat.s.ietf@gmail.com> wrote:
>>
>>> All,
>>>
>>> This is a *call for adoption* for the following *OAuth 2.1* document as
>>> a WG document:
>>> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>>>
>>> Please, provide your feedback on the mailing list by *July 29th.*
>>>
>>> Regards,
>>>  Rifaat & Hannes
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>

--000000000000d20c7e05aa7f8f90--

--000000000000d20c7f05aa7f8f91
Content-Type: image/png; name="image.png"
Content-Disposition: inline; filename="image.png"
Content-Transfer-Encoding: base64
Content-ID: <ii_kcnpzgwk0>
X-Attachment-Id: ii_kcnpzgwk0

hbpcS5NnorQO9512axXmpLXJfHVmNOdrk/lisE46/6J1bloFSWeAasdLyd3qGzS6o3RmfHHNNo+m
tAhATKAPJJVF6zDJqOXxJfVSUoqgY0S8y21O/S6dsi3SYGLp9wKimDshVRqcHdet90jQWY11qK31
thRZ5dbJ9W8Dhe9w0FurEgFdrUM3Xr2d4W5PThq+NUw0tRDLxvv7OpU1L35LgHRWwdT12x/X2dOv
tvNqZVX1a53hGlFhVE8oMu3pfpsyn+6Xa7UO7ZOsNzd782iz8mrlUPEtgHKD9mo91WN+eSS2ShuG
aTljsfWq0wfpWofPLdMGPlZvRm4swhugmk2gh8fS9lvTnsl7NRJjrcWZPObOd/+adN5IbbpttZ8i
VvulvRWNBnk0G1l0jTWaBkkwsfat16EC7mTdlHpPavo5dANHW7nlEELCrrUgj2+DF7u6aVu3NxW7
9CPfmqxjuZ2X2V6zVVpLuwzG1jSIlxOxlby957wOdDXn1/ai3dK+vn8xmjBa7iFv56nvU6y3yZLv
h6dFKPQwgmapZJ2abv1erUMb9mod1ZTlEEPwk7UWXm3TZgu+p+/m1VKtaJOy2I1Jz0KYRUVVbZNV
DWi8jOOFM1ryuzTyVbFjn+/Q1ujtcZLRMqYnHXS8ruX22yyYeWQRQuOO1XMAtHLW9Dq2OFzr0B41
ubWdW2ayltEcuXGbZz5aSK+rs9tnrGzhGIYeb9IqpQ0kVAndKLQbWO59d8aLYN53b6wu19LkNDSt
U1W7rZU210qY1DRmzbMwOun8k9bhG5oPr4KyYi9VzUud8SJcqglxSYoxZtHDG4K5WweVqTXs9qUZ
PUK7diPVYGkVD3+kgrfO81A83UB42s4+ZhFo023KJQIzDC18oLTOYEtRVdZOVj/2FZ4a4kBrVSKg
1VfL9JpHXOidYa9vtIcJ5WOUUF2kTvtSWfPcdAFSRpO+Gaye9Tr6HNbBeelZUVi792Hy+2rUbnRN
BVstWiI85f+u1zoH0uH+pK3fOfCy60+juwCbnvUw9KFWoa9MvbeS7Bagm/XuGfhlmADNex3p63jE
eFkHp4ergCOHE+gbvQ6/+ijOvNMqdDTZI1RQLBis72MeoQBPI0s+uSfugZ5GgVHKXgJ3pXVofULP
4q3ePG/6Y7729rzagd9I6nPRbRV/08xucv5O1je5+OTPzZYj63FfdDZsgscfh4bL9kSP8GUaPUG8
J1Sdu63CEfgY3W3sRNKfkEEeoqj0NGp7KhZ/P0R+yOO+CNxe65TxaiGfvJdvVhNLf2TLfZW2ne6W
HgC3Glud9+k8hNYZyLpdPvz1ZAkcwTj0ZNmpgifr+Zqe9Ucr+gLfMXuenahOPs5v91gF+Nhxmhyl
eqYEbq91aKkDf7g+LddwtPnyhyKVzB16Gv940Xle1gNonaGsH6rqyOeeCWAcugvAWeDTu2VofRCt
A1vvrMS+i0zuN417rAJ87H5Nh9RBoEXg9lqnlQz+AAEQAAEQAAEQAIGjJACtc5RmQaFAAARAAARA
AATuiAC0zh2BRDIgAAIgAAIgAAJHSQBa5yjNgkKBAAiAAAiAAAjcEQFonTsCiWRAAARAAARAAASO
kgC0zlGaBYUCARAAARAAARC4IwLQOncEEsmAAAiAAAiAAAgcJYEH0Dp3+mD1o4SIQoEACIAACIAA
CBwtgXvROmU4GS3k+war3pc+3phHthrteU/EYHKdktwukcHUcQAEQAAEQAAEQODoCdyH1tlGvuXc
sdYpk9V8nQy/ALQfdKckt0ukP2n8CgIgAAIgAAIg8CQIHKJ18mg+oWe9mwazR9MgE4oj8hmbxk0l
04VjjoOyotfJ0VPh+cechFsR11mGi4nDTHqdxHgRF81lRbyYuHSBabmT5aY+kMxsd5Eka99lpumt
CxUcKoNxnTr/fyRe+1lslv7IsSgHy/XX6bYaKsm6zmM4a2ceBFPPtphpWs5k2fNo+zyaj3l1xMPv
ZQxrm66nI5uXYeSvU/EC4Wzp2rM4C6cjyzTd//1/2u9Ipbe4s0lIp26zcOaJqxWKMvDYJMyiuWeb
pjXbNODwBQRAAARAAARA4CACh2idMgnpJZ9lWabriWXKd1MPaJ2qqspgbLbjOobJRrMwzcsii+eu
aU1joZdIINmTdZIXRUbvDzXdZcaLncxsZjuutwg3aZqVvRNh5WZmM2+d8wu2aSRfRJqFU9uUCmi3
JFw40RX7sjYMaxJQrlWZzF3TnidtlmU4YbYfZvRSw2wTRkLVFOHEssarJC/LfLP0mHzTIS1Xsh13
NAuoKkUejLUXwm9j32KTqKyqLdVmtIhzeqHpemLJmtFLcyzHdf11nKRZftPAVrvc+AsEQAAEQAAE
TpDAIVpHw7KNJvXQfyOt06ibqirWnpQ023jKZEyDZ1EE4zp0kcxsg/mkAeRnZ4HzdjNzGqVTnyX+
38ws5vOI06DWuSbrWnJVvSKLiznbj+oAkcg1X41qiUU/xFOLR7UoImWYXtCcXIZjZssAzTb2GfMj
CkKRfFKaipQYhbOqMvAMQytOu6b4CwRAAARAAARA4DoCB2idbRYtfM+1+ccyDTkk30Tr6CJA6Q9S
B61hnEb4EQ/U0LvKaUas+XS0znYzd5i3EkEgOimPl1PPdUQZmXGd1rkma5p6kx8uYZp5L/njNl1P
bNO0velSBnVI3DB6n3PzMQ1jRNdRyWWYSVxNskbMRm0jn0kVmM6d7tU8NEZxHU0D1aXC/yAAAiAA
AiAAAgcSuFbr0IIS053HYvpkT1xn3qgTpWZ4IToyRR09XHB0wivbZO6wkaZ0+ITUNOTTTlV1QFzn
8Kx7tQ6vV5lFK1qEY43XpLniKTPH67zQPiUppk71aWKMJM5ss+VSZ7bhsiqd2+ZomWoXFwUdIK2j
zQceaFWcBgIgAAIgAAIgUBO4VuvwWItY/0vhk1WzfIUmoPj0C09qG07MOhLD1cx8aM+50jpcRo35
ulyeBp/DmvLltxTX0YIrLcWwo3T4tJjdZEgZ6HGd5oAmOw7PeljrCIQ0JcfzphPt2e5WsV2tU9Eq
HWsWR75lz+RSoDKkQmuTdtJA0DoSBP4DARAAARAAgVsSuFbrcOUwXqXFllbcjmnmRiwroUHe8kO+
DqXYzF3TMOpZpw2FghaboiyK3WXFSutUVUrrdsXa5FyuTRYSaVjrCKUjlzDLStOyF3NEGZZ5svYd
Vmudargkh2bdp3XKJOCLtbfbMoumtLKGFkjT2mTT8debrCjyLImCkG/g6tE6FUkt23UtbXaK1iab
1ngVZ3mRZ2kcBHxT2o7WKUPfYmO5IvuWRsdlIAACIAACIHBCBK7VOtU2C3zaFW4y25tHm5XnyCW0
2yyYjixmMmY540W49Oq4TlXl4dTlW6/9sNSiKZyrrnWqqtgsJ67cKj5ZNpvRh7UOXxaj7ToX8Zw8
mo3EzvXRNEiCiSXWJu8tyWFZ92qdeM43h9MKG8ebhXIXPqGaebQVnW+hHy83tOCoT+vQrivLMDqT
U3m0GDt8w75pOeM5h9GjdZo9WifkpqgqCIAACIAACNyawPVa59ZJ40IQAAEQAAEQAAEQeHQC0DqP
bgIUAARAAARAAARA4B4JQOvcI1wkDQIgAAIgAAIg8OgEoHUe3QQoAAiAAAiAAAiAwD0SgNa5R7hI
GgRAAARAAARA4NEJQOs8uglQABAAARAAARAAgXskAK1zj3CRNAiAAAiAAAiAwKMTgNZ5dBOgACAA
AiAAAiAAAvdIAFrnHuEiaRAAARAAARAAgUcnAK3z6CZAAUAABEAABEAABO6RALTOPcJF0iAAAiAA
AiAAAo9OAFrn0U2AAoAACIAACIAACNwjAWide4SLpEEABEAABEAABB6dALTOo5sABQABEAABEAAB
ELhHAtA69wgXSYMACIAACIAACDw6AWidRzcBCgACIAACIAACIHCPBKB17hEukgYBEAABEAABEHh0
AtA6j24CFAAEQAAEQAAEQOAeCUDr3CNcJA0CIAACIAACIPDoBKB1Ht0EKAAIgAAIgAAIgMA9Erhe
6/wPPiAAAiAAAiAAAiDwgATuVvgcpHWu8AEBEAABEAABEACBByHwP//zP9A6D0IamYAACIAACIAA
CDwGAWidx6COPEEABEAABEAABB6KALTOQ5FGPiAAAiAAAiAAAo9BAFrnMagjTxAAARAAARAAgYci
AK3zUKSRDwiAAAiAAAiAwGMQgNZ5DOrIEwRAAARAAARA4KEIQOs8FGnkAwIgAAIgAAIg8BgEoHUe
gzryBAEQAAEQAAEQeCgC0DoPRRr5gAAIgAAIgAAIPAYBaJ3HoI48QQAEQAAEQAAEHooAtM5DkUY+
IAACIAACIAACj0EAWucxqCNPEAABEAABEACBhyIArfNQpJEPCIAACIAACIDAYxCA1nkM6sgTBEAA
BEAABEDgoQhA6zwUaeQDAiAAAiAAAiDwGASgdR6DOvIEARAAARAAARB4KALQOg9FGvmAAAiAAAiA
AAg8BoEnoXX+fn1/9unn5WPwOaY8L75/PPvw/fyYioSygAAIgAAIgMDRE3gSWuf3p5fm2beT1zrn
X96Yrz//PXqfQgFBAARAAARA4JgIQOsckzX2lwVaZz8fHAUBEAABEACBPgJHrXX+/PfKNNof8+13
qgYd0T5NtOOJ/H7+9Uwrvfny029hm/7f6dc2BcN88wVzWX3+jN9AAARAAARAoEvgqLXO1cXfP/T5
/v6F+ea/3/z7+QlOZUkMPz+9Ml99/MEx/L3oWhJ/gwAIgAAIgAAI9BE4bq0jS4z1OhwE5rD6PBi/
gQAIgAAIgMB+AtA6+/kc01FonWOyBsoCAiAAAiDwVAg8Ca3zVGCinCAAAiAAAiAAAkdHAFrn6EyC
AoEACIAACIAACNwhAWidO4SJpEAABEAABEAABI6OALTO0ZkEBQIBEAABEAABELhDAtA6dwgTSYEA
CIAACIAACBwdAWidozMJCgQCIAACIAACIHCHBJ6E1jn/8ublx18H1Pr8yxvDMPgjiZn18s37L7+e
1SP3vr+13v04AANOAQEQAAEQAAEQaAg8O61Tvx3z8vzX5zOLvf3+jNQOtE7jt/gCAiAAAiAAAocS
eLZa5+rq6vL7W/NFHQ86//nf29cvmGlar97+97N5mdTl328fz15azDTZi9fvv/yu30Bx+efbhzd0
Op3/uQ4PtZ/m9+M9s97/lKT/fn5tvvn8/fO7V5ZpmNb7HzKlvz8+nb20TNNkL88+fm9eUn7x+8t7
Xpz2z/vNBq2znw+OggAIgAAIgEAPgWerdS7//vzvDbPe/eBxnT//vWYv3n37c3l1+ffbuxfs7KtQ
O3+/vDFffiDpc3n+89Pr+i2cFz/ev2Cv//t1fnV18efruxfszReuUvZrHcNgr959+fHr9+/fv+X7
qn7/94q9/PD9L+X74+Mr9uq/P2SEv1/PmHX25ffF1eX5jw8v2evP/Oce+7R+gtZp4cAfIAACIAAC
IHAIgWendeiF4CZ/Lbj56j2JG/r8/GCxt9/q2SwegvnK/zr/+oa9ePf1t3ij6OX5+QVdcPn9LWsC
QldXpHCESNmvdWqlpLj/+vhCy/fy97cv30nU0NvYXwv1dHV1dfH1TCavLuz/Bq3TzwW/ggAIgAAI
gMAeAs9O68j1On+/vKmDKFdXl9/OTMNklvwwZhovP8lIysWvrx9pcou9eP3247ffXAFxMfSlmee6
osmqDzRZdY3WeaNdw5l/f2e++LC7qPrHe6YVx2KmIZLfYyeRHNYmX4cIx0EABEAABECgS+C5ap2r
yx/vLeudXJnMv3/7e958Lnj85urq4u/vPyLcI+e8+Dqby2/tuM7XOq7TDsHsrtfpap12XOfq/PfP
36Sg+Hvbv/QUp2udzt+I63SA4E8QAAEQAAEQuJ7As9U6cqboM19nc/nr00v26sN3vorm4vfXTx+/
id9/vrfYm//40uPLv1/fWuzdd5rE4ut1xO9ifY9cr0MqhZ3JtTvf378wOmuTu1rn6venV+zVxx8k
cM5//feGvfr0m2zy5/Nr9vLdVx5Fuvjz/dNHtSh6n8mgdfbRwTEQAAEQAAEQ6CXwjLXO1TmtAK43
RJ3/+PT2Fe2HMq2XZ5+aDVEXv7++5/utGHuhb9C6/PNV7cPS9m1d/Pzv7IVlvXj56s2Hj29fXKd1
rq7+fv949pK2eVmvtGyvLn59fveatn+Z7MWbD/W6ol4TqR+hdRQLfAMBEAABEACBAwk8L61zYKWf
6mnQOk/Vcig3CIAACIDAIxKA1nlE+DfNGlrnpsRwPgiAAAiAAAhcQes8ISeA1nlCxkJRQQAEQAAE
joXAk9A6xwIL5QABEAABEAABEHhyBKB1npzJUGAQAAEQAAEQAIEbEHgSWufg95zfoOL1qX+/faR9
WIZpvX537K9FxxxWbTX8DwIgAAIgAAIHEzhtrXP56yN/7s6f84u/P/+j16J/U09LPpjhg50IrfNg
qJERCIAACIDA8yFw0lrn8vs7pr3Dgb/36vNfel3VS/569POvb8TzeegFWWdfL67+fn7N3v4nn7zD
XqoXoF9dDbxHnS7pff/5bVwIWuc21HANCIAACIDAiRM4aa1D72p4yx+ULLyAXunw7vslvV6ClA1J
IfPlx9/0UodX/OWffz+/NsxXH77/kS8ob97ZOfQe9SvSOj3vP7+d10Hr3I4brgIBEAABEDhpAiet
dX59eMHe/VD2p/ePn327vDr/+ubFh5+Xvz68fHP2+vXnvxff3r7gz19uvxT018cXUioNvkeda53d
95+rLG/0DVrnRrhwMgiAAAiAAAgQgZPWOt24zm8R1+FxnDeff3x6ffblx8dXb7/++PTq7Cst5Glr
nd8fZVho33vU25f8m9NB6/wbP1wNAiAAAiBwkgROWuvQMpzuep3//lxd0ezVi7O3b17/9+fyx/uX
b9+dyXd2toVLo3WuBt+j3pVH/+Zj0Dr/xg9XgwAIgAAInCSBk9Y6V80+rIuL819f3lpMhG+urmiZ
sskXKF98e2uZlnj9+VBc52roPeo7oaB/8zFonX/jh6tBAARAAAROksBpax3SIt/p+TqGYVqv3n3+
dVE7AV+m/OPySsieN1/EVvShuA6d1v8e9Y48qpO/3f/QOrfjhqtAAARAAAROmsDJa52nZH1onadk
LZQVBEAABEDgSAhA6xyJIQ4pBrTOIZRwDgiAAAiAAAi0CEDrtHAc9x/QOsdtH5QOBEAABEDgKAk8
Ca1zlORQKBAAARAAARAAgadAAFrnKVgJZQQBEAABEAABELgtgSehde7zPee3BfcY12EO6zGoI08Q
AAEQAIEnTgBa5wkZEFrnCRkLRQUBEAABEDgWAtA6x2KJA8oBrXMAJJwCAiAAAiAAAm0C0DptHkf9
F7TOUZsHhQMBEAABEDhOAtA6x2mX3lJB6/RiwY8gAAIgAAIgsI8AtM4+Okd2DFrnyAyC4oAACIAA
CDwFAtA6T8FKsozQOk/IWCgqCIAACIDAsRCA1jkWSxxQDmidAyDhFBAAARAAARBoE4DWafM46r+g
dY7aPCgcCIAACIDAcRKA1jlOu/SWClqnFwt+BAEQAAEQAIF9BKB19tE5smPQOkdmEBQHBEAABEDg
KRCA1nkKVpJlhNZ5QsZCUUEABEAABI6FwJPQOscCC+UAARAAARAAARB4cgSgdZ6cyVBgEAABEAAB
EACBGxCA1rkBLJwKAiAAAiAAAiDw5Ag8Ca3z9+v7s08/L58c3Dsu8MX3j2cfvp/fcapIDgRAAARA
AASeN4EnoXV+f3ppnn07ea1z/uWN+frz3+ftkKgdCIAACIAACNwxAWidOwZ6j8lB69wjXCQNAiAA
AiDwbAkctdb5898r02h/zLffyRZ0RPs00Y4n8vv51zOt9ObLT7+Fg/X/Tr+2KRjmmy+Yy3q2jRIV
AwEQAAEQuFMCR611ri7+/qHP9/cvzDf//ebfz09wKkti+Pnplfnq4w+O4e/FnboBEgMBEAABEACB
Z0vguLWOxI71OhwE5rCebTNExUAABEAABO6RALTOPcK946Shde4YKJIDARAAARA4CQJPQuuchCVQ
SRAAARAAARAAgfsgAK1zH1SRJgiAAAiAAAiAwLEQgNY5FkugHCAAAiAAAiAAAvdBAFrnPqgiTRAA
ARAAARAAgWMhAK1zLJZAOUAABEAABEAABO6DALTOfVBFmiAAAiAAAiAAAsdCAFpnjyV+fXzB3n7D
U/v2IMIhEAABEAABEDh2AtA6gxa6/PHOYsxq3j8xeCIOgAAIgAAIgAAIHC8BaJ0h25x/PbPOvnz7
8KJ5W9XQmfgdBEAABEAABEDgeAlA6wzY5u/n19a7H5dXvz+9evH+5wm+hGuAC34GARAAARAAgSdG
AFqn32C/Pr588fEXHfv75Y2FRTv9lPArCIAACIAACBw/AWid47cRSggCIAACIAACIHB7AtA6t2eH
K0EABEAABEAABI6fALTO8dsIJQQBEAABEAABELg9AWid27PDlSAAAiAAAiAAAsdPAFrn+G2EEoIA
CIAACIAACNyeALTO7dnhShAAARAAARAAgeMnAK1z/DZCCUEABEAABEAABG5PAFrn9uxwJQiAAAiA
AAiAwPETgNY5fhuhhCAAAiAAAiAAArcnAK2zh935lzcvxcOT95yEQyAAAiAAAiAAAsdMAFpnj3Wg
dfbAwSEQAAEQAAEQeBoEoHX22AlaZw8cHAIBEAABEACBp0EAWmePnaB19sDBIRAAARAAARB4GgSg
dfbYCVpnDxwcAgEQAAEQAIGnQQBaZ4+doHX2wMEhEAABEAABEHgaBKB19tgJWmcPHBwCARAAARAA
gadBAFpnj52gdfbAwSEQAAEQAAEQeBoEoHX22AlaZw8cHAIBEAABEACBp0EAWmePnaB19sDBIRAA
ARAAARB4GgSgdfbYCVpnDxwcAgEQAAEQAIGnQQBaZ4+doHX2wMEhEAABEAABEHgaBKB1ajtd/v1z
Xn/f9//5n7+X+47jGAiAAAiAAAiAwDERgNbh1rj49en1qw8/L643zcXPj69ff/p1wJnXp4UzQAAE
QAAEQAAE7p0AtM7V1dXFj/dzq2BgAAAgAElEQVQvX/33W4N98evzu1cWM03TevX2v5+tgM/l70+v
Xrz/AbWj8cJXEAABEAABEDhaAtA6V1d//ntlvfuuTUydfz1jL959+3N5dXXx+8uZxd5+aymbi+9v
rVf//Tlao6JgIAACIAACIAACDQFonavfH19a735oUufq56c3b7/UUuby+1vzxcdfDTH6cvn9HXv5
SQ8EtQ7jDxAAARAAARAAgaMhAK3z9/Nr882X1iyVbp3Lnx9eWO++t+I6V1fnX/ZepCeA7yAAAiAA
AiAAAo9JAFrn14cX7N2PARucf3v34sXbbztK6PL7O/PFh3awZyAJ/AwCIAACIAACIPCYBKB1fr63
rPe9Wuf8x4eX1pvPv/XprdpWP94x68PP+i/8DwIgAAIgAAIgcKwEoHV+f3ppvtVXJgtTXfz48GpI
6FxdXX57a2LBzrE6NcoFAiAAAiAAAhoBaJ2Lb29Zd1PVxc+Pr6w3//VGdDi8P/+9Ym+/9QV8NLb4
CgIgAAIgAAIg8PgEoHWuaId5e3Hy708vDcMwtQ9r7Um/Ov/yhp197axXfnxjogQgAAIgAAIgAAI7
BKB1rq4uf7x/0Y3s7IDSf/jzHx4mqPPAdxAAARAAARA4YgLQOmSc8+/vXr75TM8OvP5z+efzm5fv
vu9szbr+SpwBAiAAAiAAAiDw8ASgdQTzyz9f3n3sPkWnzxwX3z68+3KYKuq7HL+BAAiAAAiAAAg8
LAFonYfljdxAAARAAARAAAQelgC0zsPyRm73QODv59eG/Nxo3dU9FOXwJK95XvfhCR165uXvL+9e
WaZhmOzVJzwG81BsOA8EQOA5EIDW2WPF8y9vXnbehLXnbBy6fwLN++eZ9erd51/tnXAXX8/MPq3z
98sb6/Xn+v1mty3kn+//fflx2CqtH+9Yrb3E/+1tfqIE/6h1zn98/vz9b19lLr69tXrc9tfHF+ar
Tz/PL68uL84vtKVpA+f3JY3fQAAEQOBpEngSWufv1/dnn35q3fMDsT4yrXPx/ePZh1NeFP33y5vm
/fN/vr57wc6+6qP9kNa5Ov/149dhKmWPY9FbQW4ifC//fnlDz5scctt/1Dp7Xm1y8fvHz7/dbM+/
vukVgldXV73n7yHxNA49VqfxNOjceylPvrO6d8LI4IYEnoTWoUcbnz3Ck/uOTOucf3ljvv6sj+43
NPYTP527gXqq0d+v716/15eT72id4bmtyz/fPrx5aZkme/Hmw7d6qfmPd+zVhy//vX1lmaZpvf7w
TbD+8/mNZVmMz/5Y9DlsCojM1Q0znf/4dPaCmSZ7efb+7IV65+xNynP+9W27OC/kK07oYd4ynqS/
v+Ty+3t5vmEyXv43Isg1cD55yd/vn85eWcw0rVfvvvxW4bPfn16yd1++fzp7yUzDfHnMU2GP1Wk8
8UZ2V8U/9c7qrjginTsjAK2zByW0zh44D37o2vdy7GgdUcTL8+7c1sX3dxZ7zedzzn99es3qGR+a
e7LOPv86v7y6+PPljLWeIHnTuA49cLKjdeipldbZl98Xl5d/f3x6bdZa5zblGY7rXH7ve1fb8Niz
c/7lr48vzVcffvy9vLr4/eXMst7/qNUOf8qm9frD15+/f//+9XsnevTgTjGcIbTO/2fv/F0dxf7/
//1bUtmd7lRO5VS+K7eRbWQbmUK2kWlkG9lC2D4wkGLAYiDFQoohxYDFQoolzZJmsVlsxmqFD4zV
Ws2X1/G30dzkXpPozTPFvYk/Xud1HsfoM6/z4zXM5gZ7hq+3GxSOIkDgmMCktU64VMsfquX4B8nc
UiVoT+NVRTvG2p6DOtY6I9mnp2/jVWXW6t9OW8v6F//Lp+Rxg77eLclwL0xe6QGtk3W30224Qk4r
SfIiZX0roWv3rJdrnbb4qfuwnuXPsNbJWtUor4cTz57O8UL72EHZCbZ35VrzkYDQ/EmHFu930xjp
5nDtm1v/TSaj9eMb96T6G3LZdtysym8c/k+MwKS1TpZEIb22tizpy4N4H5f34BuAPNY6Nyi0p4gC
w85TJdUNBIao/KXdc/gr3fTcuM6R1jm4ykJieXdO3rtTJH9tPfTTjVHf77Mse7nWCZfUFVs2XK11
nuXP9bSO6PkreruKzq9qbDVpnanngbvzTeOVfvvOrhZuVmejwoE3JTBtrVOguFc4eipap8Bw4qf5
Ta+ZexVGg0UaWcjija07J8frFI52IzSkMrTlIa5fSS5AntA67KKxycd9WO3hwbXWeZY/QuuIGOdR
c7SqUe49cfF0jk82piQ7u5pOnFTTtuagdYoa3+umUQJ/8P8nrrcHJ4Pq34kAtM4J8NA6J+DcYVcx
D4tGiaThRszDak6v6mqa0sOj7fHG5Nz0aVxOlkbByl3thNhpPfS7cR16dqoeTXNP47OCi3S3r7vK
yBkxXseksb5pvGuM13mOPySQZIcmwdMU8rKq9L8Yf9OJfw4/e46OTwJbZvpSzOVK473vetVce2id
Jmm8HyYwfL0Nn4M9IHBFArPQOles/0nTE9M6J319jJ2N9XW0en2dxnyrYjxTPoBraDtNs17bOk2I
kpis2eVMo5NaJ4sDV5fFZCylNf3rmPzw+jpx4OkyW9A8LMdS61FXz/An2S9pStdiwWQzn3rfmFdV
YJDdQ+ldz7Nn+Pg03Lg01UqSGFfN5a5SlDPSOmXF8R8EQAAEsgxa58RVAK1zAg52gQAIgAAIgMA8
CEDrnGgnaJ0TcLALBEAABEAABOZBAFrnRDtB65yAg10gAAIgAAIgMA8C0DrzaKe7e5nG4Vkrx8Xh
A06Hv3vrwAEQAAEQAIETBKB1TsDBroJAGq4M1dpUQ1RrMEl3TtJhqalielB9zDzf1XPC5+k/vAYB
EAABECgJzELroC+pbK67/E/3nqo47dyrSRisPUvjklJP9Smci3xdNtc9umgE55NdkU9KNpadLOc9
1ncOXyzytWCZrJpef17wnhNp07HWGSdf+kBx2dl51GlGlV6nBYt9rfgYLtWqulwxnHWR52vvyu1l
t9sz4Yccmvl23DTu24Bbk1vBfV1A6SDQIACt04Ax8bd3Sh0crw1utLVLuNS4arorR+vROlm6c2S5
o43GQUur8KvuPk3DFT3gn9JTO4ez4n6bRltHkdRlNQf7SYeOtc44+dKHCj57XeZc61R1j5paRyrW
WkyjnaexViPQDHN+lVYZqtF9t0Pr3Jc/tM59+aP0LgFonS6R6X7uWSLlBs5GK625WnFeYipWqku3
Zp/WybK9IzczbY/mJWkdylcQB7bSjTT1FNLQOkUOtXLZ5f684lnWn4e8sU5PN3G5SKa13ji0WM+i
zkI/ZD85+LYmEp3zen2gC/Ood7VOJfuITlnBLF+2edVIXbUVWqcH01w3hSvTdH1KUdr3gtbpo3K7
bdA6t2ONks4hAK1zDqVpHHMXrUMZA7oP+BLHoNZ5MnVVaeHS//HW4lxRFM05pz+qoXWScGMrTFuF
VOJQXvGhPOS5l8f50rMsC2y2kGTd2+SJv/Noy5D9ZGtybqwOCS1m6JucW40UF8+O6/RpnSTcuirl
b2/ogFenddJwu7QNhTHZcFZB2Fo8Wmi9Mn/9pVcZjh+BALTOCBBhYkQC0Dojwnyxqf6UwsOpg/uP
HytlsahOO1jQruGg1qHADrPqbE2X+tkupv4UB45K6ShVTzzEo90mKMak1Mc03onxOjRgh4arcKNc
/5c0Yz1kpc5zTttrWXfch3WUayLXOsys8nnmZQ/Zp/PrcrMo8Nf7qivq/NyiZL5KxtkcVyTG65TV
ZZrbkYO31zp7R25mzq44jbW9aOr4sF05hsLL9aOrVoDWaXwZbv0WWufWxFHeaQLQOqf5TGLvPVMH
n8oKcELruHKRO3xEgNSbprj7JBLprDYRfba2jchFt6wqrkMjiLhZBlGG8ooP5SEvzQ5oHW7vyiPy
/8P21eag4vZJ42idog8rXKpM9xv9V1TW7bVOp4bX+VgqHa5apZgVBaEP6zq8z7UKrXMuKRx3GwLQ
OrfhPEYp9IM+T/Q0hrUzbRyHN+oTh7VOYPMjCVCf97x3jbBIEjgyUxSZV6GCXpOV1smjH2XMhqrU
l+d8KA95aftcrTNkv1EBMpmE+31jLaKtdWYe9WTTCg/tSVZuSPE1QnDUGye3erBeodahwVUKk7hm
LTeHOkBWNBe0Tnnd3uc/tM59uKPUIQLQOkNkprf9Llon29l8aJzxoNbpdLOMhFJkGndFSvJ456qL
xVHvUaeghtbJkq3JuB2IKNBQXvGhPOSF2XO1TjZonwJShk/dbiJPe0uqidqdlUddmDf8Q5Km8X5l
VMN+GlpHzIVjrdlz1Fivax5WtF2utjT4qfcFrdOL5WYboXVuhhoFnUUAWucsTA98EI1naYwyaZIY
0jrJxmTXCECl4bqcxaSanu9qTG6O7m26Jt43tU6W7V2lCov15xUX87B68pA35mG18qjn43X6AlhD
9pODb+XzsCi9enuFoPPzqNPIZlvjIse5Zq8PRTdeU+vkkay83bC+ztGVgQ1XJwCtc3XEKOAiAtA6
F+F6yIMPntJaqeUpCLGvc7NvkeWnTsR+EBiNAOI6o6F8liFonWdhw0lXIwCtczW0r8dwsnNULZ/6
9HSl4o2pGOvOuNinT8MRIDAqAWidUXFebAxa52JkOOGqBKB1ror31RiPNo59joBJA886I3vDq+GC
ikyVALTOfVsGWue+/FF6l8AstE7XaXwGARAAARAAARAAgTMJQOucCQqHgQAIgMAwgVOrMwyfhT0g
AAI3ITALrfPicPS2leeAMhiUa63cBPJYhSAsPBZJ2Hn1BC69aYg5/0uRQ+QMNsl+vdyUE+Dy48fW
OrT+ZbFIwhkODRzS42dx5MFTuyl9B2w8bzNuVs/jhrOuRQBa51pkr2AXt48rQIXJ10ngQq1z8BTG
2Nk/gdrz+wXBsbVOGu6Oknxd3FQ9fhY20mgfHK/AeHEBgyfgZjWIBjvuQuDRtU4abVxD4UySGK14
Uv9Si3dLU6yEwlWzufa8uKOttitL5dJCevkPr0taHbePS2jh2IcmcJnWOXiK6m08tSF22kt3BjYr
FlIKbJlzRjnWJMbpVSzeTXcGzfVdSnkvMcVcVcsniaz3tFXiamNzkcvs6GZC+WTzl2TWOeWycKnV
2cVov+zu8xZOD9W6U4rhBcUS0kN+HjylML9opFUjS9FWLEQtSbxhhlbQ1L11vofJemX/iasLN6sn
AGH3jQk8hNahNe8aN7F0Y5QfI0oD6eziLEvjnadVqRnDJa1TtwnTLI02ltxYgVasK8dUyw/2h8Ph
0Fjk//oth9vH9RmjhFdC4CKtc/AUbRlSlo36PjGkdQSfnngJ3Rkk1d2GSZZGgaOU95gksGWmLSnN
axKuLbmRqezUzSQVyT8aWqdulzRc6Yybm3xhB0r2xvQVLSCdHFYGa60m3uNnbielPS2tQ5Et1Qli
uudtHYWpywMdSlpHkq21sL/3NEl2ColVO9T3DjerPirYdj8Cj6F12gN0KKFQcUuL1zqj73Eslp5N
4zgRb2jB3TrVkgjlrIu16OnD8TLCdONovK6xaLDI3sit4H7XCkoGgfkQuETrHDxFX5FyiFZaJXae
oXUa4uFQpilLt2Yz0RlZrYrov5kUjIe0ThKQEHGrqFGWRGH1k6ubx2RQ62TRqq11xCLjVSZdWvo8
FzVti92zhq8HaJ1hNthzDwIPqXXWldbJsmS/dqmzisma6W7y7DoU+CkD1JxzxqSF4hWjFoXw8Y8y
Dd6k7XD7uAlmFPIaCFygdURieonRS5IWpRJ5odbxlDwla/eGQZ1hzi4n3N3X4t6vdSLfYLyzVmcc
LC1dlWVZVmTeuFe188G2jJOsa2kdmrDR/A1HQ7VFStmu1tEagq5jsvURN6sWDny4O4GH0DpZ8/6S
95JruVxJokOYB2zSaLfUy+yQlKbb2kRx9UryeE/+y+/ML/v4bYvbx/hMYfGVEjhf6+xdRfX2xXd9
5yqF2Gk/5OvxOoJXT7ykLVwqrZBShKQcWZNl8boT12n1IzXbokfrJDtXkRQnaOU7zfvhqe+Jepw2
hlT9LrtE62R58rgitVqWbq2BuA60TrOR8H4+BB5D64gubc3bxSl1mZtVl3m6sznT83V+02htcmaJ
KG66F33XWxEaTg5rzy36xovhhIjrzOcKh6ePSeBsrbN3FaXWItnOkQuxQwNYDF8Miom3trxoJnlN
NqbEzXWUZmlSdHwPaJ1MjNfJbzL54D89t/nED6divE4pPuhoukHpq+60eJJd6jKkA8XNbdEMz/T4
WVwOdFpTZ+X3PJfGLmZx4KpM9arxOmWo65LbH36YPeb3brq1fgytk2XlVIiFxFWrniGRVQmpGZNb
E67iwDNVTmNwaFLCtsrv1L6j3bZhcfu4LW+UNmMC52qdvdtexoYiGmVkZ7c0ZM5lRdUd15SbWidL
Q99UaDaWxLV8EG/7zlDFdTK6+awdMTuL5mEdTeo8+uFUz8Mq5ksxm0bp5enqG6MCWT7GKEv2S1Ph
jHNZNRxbZ8UPtrztjv1szMMqZnsZmzxQFG1dQ6HpYkwx3PKW1w5vtSt56vLAzeoUHey7PYFH0Tq3
J3uFEnH7uAJUmHydBM7VOq+z9vevFW5W928DeNAkAK3TpDHx97h9TLyB4N50CEDr3LctcLO6L3+U
3iUArdMlMuHPuH1MuHHg2rQIQOvctz1ws7ovf5TeJTALrdN1Gp9vTyCNw6gxTnLQgbhe62PwGOwA
ARAAARAAgRsSgNa5IezZFpWGK0O1NuesKnRYarT46myrek3HA6teWuWa5cA2CIAACIBAi8AstM5Y
4ejLUhm3OJ3xYTil8BknT/mQdO+pirNrRHWqBDytGRtFHSJfl831FdROuFSZVS+aT1OCGx+nRjDc
Lv2O5htT68TBalVOlWlXPdmYvDmJur333E/D9s+1cOfjxrppjFCN9LB2RNI9xhXdEdkWRrA6cRPo
w5p4Az2ce4+kdS5MZXzptdCzvNilJk4fn2xdw9leQUScLjZeG9xoapeEllo0fFpjOg03lix1UmLQ
akZySxudLuDcvfPSOltLaiwhJ+o4ptbZOzIbSBiSHILdWf2Np8CfsH/qtOnsm4zWSQKLM80NooSS
7i111siuNx1co3sCrTM6Uhh8EYEH0jo9qYyzLD34lsoZlxXNtHReL6HRm+c8WmnMXBaLZTRSGQ+l
FH5R0xyd3F60/mj3lTZQnY0yG5go47AyjWWV/y/Po9MufO/I1Tr47T0v+RS2AzkUpSvjOsl+ZYms
9BJX60zPxbJKCqcs9rpDqVzLV2Bz2VlvxLIni65YKw+q/9NqS2RGYrJm+4fCTr7UbHFUvfJIuNIp
switvZInwla9nBZpHWu5ssS6TVxzqgUq8+WfjvwMLKY6/jJf56k6Pl6bbfOyWH4ly2iZ/2JFlg59
sbqUWDmFFnipo02ETeWUlluuE3AP2qfl7LaeIU7gqiXEbl75PM4n+ChtzjXC8d+FK9N0/WBA1k1G
64SeIhXLtBODcG1bq+Lb03uTKdcY7OQ/j329XPeHzFDCqmrRwEvsjN8O/Rahdfq5YOu9CDyO1ulL
ZZzSr1d9JZ5dMaUmLrXOQJ7zPJWxI1IZi+PrBUUzSpIstUXByI16F61DC682a9mt08FTj3+ndpPr
dE963mexPFujD8uttA4tf234JGVo5Vhe5m1NtvSLWiyXHe89jTV6dmi9NknWvc3ucDjsD6eDZZGv
M0UMQkpFq5fPmAGtk9euP66zkE1/H6dpcljpjJlbsYjbkJ+BxRbcWO3Fct++0VokbjjuQovhtbRO
tWq40H62wvQ8SpdsTZEtm7BRAmvejMX12E/3riKpDomL5OAbnNtFsgJqGG0p4nyUIftp6fi89u+e
lYbbpW0ojMmGswqKXC/VQZPROlm40hg3vG33Khu4yeRaZ7FgquUH+8PhcMgze9JVUl55lGqCacX6
yxfaqQhd9w20znX5wvqlBB5G6/SmMm7ngKlT3tD2vjzn9W934pwnrKliBSNonXhtNNZFLXPx0dbi
93r5r1jdvf94SrrTZ+fy7ScT6tCPy8BRuO53V63PMvGkrGXJpf70X8VHWkeWzLwMKk7zisddtWg/
acPq4ZClIpRThqMCmzVauL+8amsaR2GebqhqdbHvGVqnFiG0Hm3u3aCfrT6v9vq1OeH+pPet07Is
pc92Ndwq3q/9IF8GPInCuEyt1EkF2WNfaCg7KK/3vSuXC/TSla8624NglCZxZbQi2H6zd+TmZV59
0y7dXliND9sVjYeRzXW1vHmWTUfrkMTcLi2dEgzr9qoMRA3dZIq4Tn3llvDyvmFxBYsAc7Ha8cV2
SnvX/Q+tc12+sH4pgUfROr2pjNOtKcmuyPpC3CqtM5jnvK11Dq4imSJ/lqA+gtYZaL0kCum181RJ
dQPxPv+pN3D8mJuFwNiUD7imZYoFcM3bl0/L5r6ODGzuev77jtZp5kZMo2Bp67RQvqLbK5HTJ8tE
m7O8Gynv9ambq2rrs9xJDmvH1BTKJC3LbFFKrBdpnTr2NehnS7TQRdl4/vXEXcqqtE7rZJssjxH/
03DrFdVSZCYtmumRju1TULPslSs60aoT4t3Koc4tJmuWtx3oVWqVPdqHUulw1WqmX5iU1ikqm8b7
jaNRLC2mHkdDauJkjQTl7ftMjSpcqpzUZvmf9jzHTm3xeu+gda7HFpafQ+BBtM5AKmPxk6hSK/Xz
byjPefsedDOtUzTsXfqw2lWuLrFkv9S46u76hI6QjY2hT9VJL3zTdiWtmyuNw3LxnyTc2GUnCh2v
LQ9Vsvo4Tip365OfdiqlyyQfi52RgqrDSa4s5cliyzEWjdxGlCi6kVKSimmJkFrrDPrZOf5Y69SR
s2YtWqdlImV1HU7K0mi/z/t7aKx+pVXbcI8ic/kIEUl2di2cQgOncVh0s2RJFLjq0ZjspnMjvo8D
j9I3cc1abrr9Q9OJ6ySBZ9Wpg/NosOjqHrrJ9FxLFbTI17m52XnNbKXPsVMZvN4baJ3rsYXl5xB4
DK0zlMpY5BJW3XwEwtrkZSrjoTzn7QdCR+sMpxR+TsP0nHMXrZPtbN54Ugq30sNKl4eFjnjOtHIo
91TmOZto3IxsbUIxocXTWDnZK/I1SbHzcEKyp+jXUnSrxRuTczE+JsvSKFi5q0qbXaR1aFyLJSbA
pfHO1STJzANdYnyoI2ymh6XOWoERikKpIuqVxkUHWEuE1FonG/Kzc3xL69ClKOdjiJJ2n1ExXqcO
xeXjdZYUgEujwFFZkWg7l3Ci2yfZr3TWarIe+0XCbjHHK433vuvlo5wJAzfXQkAl4Uo/0njPaesz
zom2y9WWRgn1vibTh0VXLTdWuyilYVokxfPw3NBN5pTWoSHJXJZlLb/ARcWfZacX2agboXVGxQlj
LybwEFrnRCrjfB6WJNGvQ0ujcQ0F0t485ye1Tk/q4xc3zwQM0DiXRt9JJpTMYrFojrjojE6mh19n
HvpIFaEJJyqn2L+iu5u6ryRvLZpQJFYwqSZcVWnsiwlU1YPxEq2TZdHG0WQmZutZjqmUWop22Cqn
TNia6TlaSyxkceDqspiMpdj5GOSOdjHrPql+PzvHt7QOZbc2qONpwcpxKqSeygFd+f+yg1bMw5KL
+VZ1T4/wME+QbbpWJx5zbF8MbS4zYbcydlfT4BiXNcvv7dYc6Qo428xktE5GI7lFB2s+382rl0Xq
vcmc1DoZBRml1hIQ9I0MvHyynsQVo2G/fb86G90oB0LrjIIRRkYj8BBa5zxaFJfp9jqcd+YrP+rg
KWUE5ayaxiLQfnpq01mGcBAIPJvAhLTOs+sw5xOhdebceq/R9wfXOpFv6KILK4t3NNCgOev2NTb3
8+qU7BxV8/Z1r8gpM/HGVIzmhJhTB2MfCFyJALTOlcCeaRZa50xQOOxGBB5c62TxbpkvQse4Zq/L
ReJuBH9GxUQbxz5HwKSBZ4mRITOqG1x9jQSgde7bqtA69+WP0rsEZqF1uk7jMwiAAAiAAAiAAAic
SQBa50xQOAwEQAAEQAAEQGCWBGahdRCOzq8thIVn+R2D0/cggJvGPajXZeJmVbPAuykQgNaZQiuc
6QNuH2eCwmEgAK1z32sAN6v78kfpXQLQOl0iE/6M28eEGweuTYsAtM592wM3q/vyR+ldAtA6XSIT
/ozbx4QbB65NiwC0zn3bAzer+/JH6V0C0DpdIhP+jNvHhBsHrk2LALTOfdsDN6v78kfpXQLQOl0i
E/6M28eEGweuTYsAtM592wM3q/vyR+ldAtA6XSIT/ozbx4QbB65NiwC0zn3bAzer+/JH6V0C0Dpd
IhP+jNvHhBsHrk2LALTOfdsDN6v78kfpXQLQOl0iE/6M28eEGweuTYsAtM592wM3q/vyR+ldAtA6
XSIT/ozbx4QbB65NiwC0zn3bAzer+/JH6V0C0DpdIhP+jNvHhBsHrk2LALTOfdsDN6v78kfpXQLQ
Ol0iE/6M28eEGweuTYsAtM592wM3q/vyR+ldArPQOl2n8fn2BNI4jNIzio3DKDnjMBwCAiAAAiAA
ArciAK1zK9JzLicNV4ZqbeIz6nBYaqoTnHPkGcaudEhgMe7srmT8Qcwma0NSl+GD1BbVBAEQmDmB
WWgdhKPvepWle09VnF0jqpOGG0eXmSRJTDHcbdRyL/J12VxfT+0kG5Mxc3tu9CjcLv2O9hpZ60S+
zrXVSx/7PX4WWMex32qj4kN6WNuaaEeuGF6HUt8J9bbJax3cNOrGusc79GHdgzrKHCYArTPMZmp7
kq1rONvriYiB+sZrgxtN7ZLuXZlp3j7OsjTe2oqk+y2n0p0jyy1tNGD5WZuTjckZ49a5YmdrSbK7
bxU1stbJ4n1AMF726vGzNDiK/dJY/T/ZWpwb/iHJsjTaOgq7JE4DrVODxLseAtA6PVCw6Y4EoHXu
CP/ComNfl7RVO4hyoRmUz6EAACAASURBVIlnHB6tNGasm1GU5LBZbQ5lmGdnc253OoT2jnytTqJk
Y8qm75tyQ+zsHM6soKhbtNIK8RWudM45kxYLiXF6qV6ueUjrWMuVpXJJkrjmbCqm8W5piq1M1p1N
WNYxywKby846j2YtylaIVtqieLVkwtaikFf+ov1SxS8OPFOhUpms2X7BcNDPIftZcvDzeAyZWZdN
sXdlbq18WxPVUq11w/+ehu9cTsnW0cx1TqLffpYl+6WpMPJet0210YcVbT1D5UySuGoJ8dRT3jU3
xYfN0jK85mWIuM41gT9tG1rnaUY44pYEoHVuSftlZXUeTi8zdu7ZycZsPNO6ZyXh2pSPYyzpxpQU
79A9eoTPJHWsIE22VkPsDGidvLieeElgsYVs+vs4TZPDSq96xCJfZ7IlJE688zTWCE4FNltIsu5t
dofDYX9oRnHSeHjoShLYMlO9fS6ayL4iBjOlceAobUQ9fuYVOLIfb8wyHpMcVgYv+e9decF0L4jS
LI02ltyNt3XwBz0iVRwyZJ/iQExf7uI0jfcrgy0KgZfuXUVSHSo3OfgG53bQlMadYsf9mBy2SxJ3
TDEcvxVcg9YZl/Sl1qB1LiWG469LAFrnunwvs05PzcarkAu0tYwfFP+Lx1j/8Vk21vYsy8KlWocl
mrUJbC6RW9yswyLV/r0jM2tbfbzUn+rE7ptkYyp2kGZZGthKFdl5htapw07UGZODDj2lUdVUWN0W
oZ3AZszc9D/CB7tzQl9n3ChiJRn1+EVhXMaK9q4smTWibFDrZB37JHkbYaSDp0i66GJsW3yyo247
MEJ7yH66NRtDumunUjIkGkW0FnVwWiW2bvvln/eO3LjKpYrrhdujtSlThGm5aWnPokxonX74t9oK
rXMr0ijnPALQOudxuutRSRTSa+epkuoG4v3NJnbTo9TclA/oLoY0ClyVqUchnPyxO3RW18rZn+kB
u5CYeEmLaoDyi7ROHYPqBDrqzrCM+rDYUU9d6Xb92C+30P9kR5Ebd9fUR8lh7ZiaIosXWzxP63Ra
JN2UWq2jdeyGMmk6Vr7vVLfcnA3Zb4cV60qLnrail7DoM+wM4KpMj/sm73CUNdNdB2ETsygGWmdc
2pdag9a5lBiOvy4BaJ3r8h3TevthM6blE7ZaT/z8uGS/We+qIS49B4jhLYPS4ERhT+xK1gZFkWLx
itZGo/NGqkIJXX+2Fjs5NrnWOvSQr0bWZFkem6rjOoMVqh/7tf/kHdP91uQsESnKxwJnWXY4iusc
+VmY69gXcZd62BYF3nrjOk9pncjXyoFHVFASuLpFMagh+xS/kZ1ylHftFPVyys4ubxXxN0lGV7k1
2c67NN6vXRpExDV708QNrdMhdeOP0Do3Bo7iniAArfMEoAntvovWyWjscXsxGpr0zU1f/JRO9kuN
KZ15TuJxOf5v+2RtNEdJx77O86nn5JDiiAhKeljqbNEsmxSM6u1pslFcdCC1undqrZOFK40p9pbW
TEz2S70zXud8rUOT9Jl8NGpFdAJZYiJdGu9cTWoFzHr8LK69WlbkG2LBX4w8TkIaH2PmKx9dGNfJ
GuNyaPyQyrR8vZwh+0kgxuuIYU7N8TpiUJK+3BG3NN777mWz10f5hqXRzl+umyPEoHVGAftsI9A6
z0aHE69CAFrnKlhfkdE0sHl3nHGyW1n5uiw0X+lovg9pj/EnjMVro201XKplN1a0sVXOuaxopueU
87CKRogDV5fFZCzFzieqD2mdLDsxD6unD6sxT6oYRyVqTdqEZl/VL27ns8SijaPJjJGflmMqzWE3
WXbs54B9UmK+JaY9Ma7V854u1TpZlpTr6zCumg2F0m+fyl1RCIVGaTu2Vs9RT8ONa9AELYkMLXfN
odv3+ipA69yLfF4utM59+aP0LgFonS4RfO4SOHhKY0ZSd+/xZxFwOWuR5eNzsQUExiEArTMOx+da
gdZ5Ljmcdx0C0DrX4fqqrCY7R9XKidNP1SzemEpj7tFTh2M/CFyFALTOVbCebRRa52xUOPAmBKB1
boJ59oVEG8euJ08PVycNPGtJg2PwAoG7EoDWuSv+DFrnvvxRepfALLRO12l8BgEQAAEQAAEQAIEz
CUDrnAkKh4EACIAACIAACMySwKvUOvcKX9+r3FleeXAaBEAABEAABG5DYBZaJ1rbhrc7f32ye2mO
K5d7pzznt7kQUQoIjErg0pvGqIXDGG5WuAYmRmAWWkcsaDuYp+CY6JU1x3GBxZYrl3uftQQHa4sd
IDBhApfeNCZclTm6hpvVHFvtVfsMrTNi80LrjAgTpkDgJQSgdV5C78XnQuu8GCEMjEtg0lqHUv10
E3znqaFpT+PVWaT3WHMMHT/W9rxRzi73srzfdHQXQzMLwrhXBKyBwJwJXH7TGOsmMBM7l918suyy
43GzmvOX51X7PmmtkxUJvre2LOnLg0jwXaQ0Otkox5rj5OGj7bxWuffMcz4aHBgCgZsQeOZN4ya+
PUAhuFk9QCPPsorT1joF0kvD0dfSHE+18JXLRVj4qQbAfhAoCVx60yjPw/9RCOBmNQpGGBmPALTO
eCwpvfdRyu9xzUud3roRrcMUCLwmAtA6d21NaJ274kfhxwRmoXWO3T695cqaY7Dwe5U76BB2gAAI
gAAIgAAIQOuMeA1A64wIE6ZAAARAAARAYBwC0DrjcBRWoHVGhAlTIAACIAACIDAOAWidcTgKK9A6
I8KEKRAAARAAARAYh8Cr1DrjoIEVEAABEAABEACBV0AAWucVNCKqAAIgAAIgAAIgMEjgVWqde/Ul
3avcwdbFDhAAgesQ2LsyMzfJdYzDKgiAwMgEoHVGBAqtMyJMmAKB6RJIA4szxrHc1XSbCJ6BQIsA
tE4Lx8s+QOu8jB/OBoF5EIjXBjf8jSMr3mGiHse+ztRlWHqXbEw2XWdLL/EfBK5GAFpnRLTQOiPC
hCkQmCqBaKVxK0izg6fK9i6dppvJ1uKVuonXOtP8aJqewisQuAEBaJ0RIUPrjAgTpkBgogT2riK7
e3Iu8nU+2UE76c6RZSf3c6VhcNFErya4dSMC0DojgobWGREmTIEACLyMQLhUuR2kWfn/ZdZwNgjM
mQC0zoitB60zIkyYAgEQeCGBPO6085Rr5iR+oY84HQRuQgBaZ0TM0DojwoQpEACBlxJINiaXZVmr
Bym/1CLOB4F5EoDWGbHdoHVGhAlTIAACLyaQ7hwuGev4xYZgAATmTQBaZ8T2g9YZESZMgQAIgAAI
gMA4BKB1xuEorEDrjAgTpkAABEAABEBgHALQOuNwFFagdUaECVMgAAIgAAIgMA6B+WudNArP6oyO
w2jURb/uVe447Q4rIAACIAACIPAoBGaudZK9p6nOricDXxK3NyY7V9O8fXvjs1t5uNyuyXHL7VrH
ZxAAARAAARAAgScIzFrrJIGtqMt2Qpok3PquqTLpKC1fKlZ0D0ZQO8flJgff1mQmSRJXzeWuFWga
r9wn2hK7QQAEbkVgLh3Wc/HzVu2Gch6VwJy1Dq0Gam1bHVO0ertmuUtLOdY6WZZsTd5Ih/fcNj8q
lzLPcMM/JFmWRmuTM3PbUlQjlftcf3EeCIDA2ATmoiHm4ufY7QN7INAmMGOtc3AVkYCvVaFUSJ/Y
1/u0TpZurZcn+z0uN96tV9syo3C6MaUq5V7h2yjltuqJDyAAAvckMBcNMRc/79mWKPsRCMxX60Qr
TdL9Vm9R1WBDWieL/eGTqrNPvzlVbpYl+5XBFXffijZlY5R72ivsBQEQuCWBuWiIufh5y7ZDWY9I
YL5aZ+/IzAr622xQ66RbSypS//af+fTWoXKTjcmkxWIhKc7xmKARyn3aMxwBAiBwKwJz0RBz8fNW
7YZyHpXAfLXOzubcvlTrZIHFuLN7SWufKjfLknBjK0z3o04RLy+3YxAfQQAE7khgLhpiLn7esSlR
9EMQmK/WOXiKZLZHJlctNhzX6RlMU5113puecuPderOvetMOrnzkWN8gnvOKw1EgAAITJDAXDTEX
PyfYxHDpVRGYr9ahPqOhSVWDWidcqszcdAbTXNagPeVGvi7J9pbWKkzjwKE5YOVI5cL2COVe5iWO
BgEQuCaBuWiIufh5zbaCbRDIsvlqnSxeG2xgcPKQ1ol9nRnr1nzwyy+CvnLjwDNVTuvrMMVwt90e
rFHKvdxTnAECIHAlAnPREHPx80rNBLMgUBCYsdbJ0sCWhyI7vQ0cLlXZPh443HvsiY33KveES9gF
AiBwUwJz0RBz8fOmjYfCHpDAnLVOlsVbS9FX4Vl9Umm40hVrWw2reUlj36vcl/iMc0EABMYjMBcN
MRc/x2sZWAKBPgLz1jpZloa+5bZXKe6rZpYlG8fyz1NF/QbaW+9VbtsLfAIBELgPgbloiLn4eZ9W
RKmPQ2DuWudxWgo1BQEQAAEQAAEQeA4BaJ3nUMM5IAACIAACIAACcyHwKrXOvcK29yp3Lhcb/ASB
V0NgLl/2ufj5ai4MVGSiBKB1RmwY3FZGhAlTIDBlAnP5ss/Fzym3NXx7DQSgdUZsRdxWRoQJUyAw
ZQJz+bLPxc8ptzV8ew0EoHVGbEXcVkaECVMgMGUCc/myz8XPKbc1fHsNBKB1RmxF3FZGhAlTIDBl
AnP5ss/Fzym3NXx7DQSgdUZsRdxWRoQJUyAwZQJz+bLPxc8ptzV8ew0EoHVGbEXcVkaECVMgMGUC
c/myz8XPKbc1fHsNBKB1RmxF3FZGhAlTIDBlAnP5ss/Fzym3NXx7DQSgdUZsRdxWRoQJUyAwZQJz
+bLPxc8ptzV8ew0EoHVGbEXcVkaECVMgMGUCc/myz8XPKbc1fHsNBKB1RmxF3FZGhAlTIDBlAnP5
ss/Fzym3NXx7DQSgdUZsRdxWRoQJUyAwZQJz+bLPxc8ptzV8ew0EXqXWeQ0NgzqAAAiAAAiAAAiM
QgBaZxSMMAICIAACIAACIDBRAq9S6+xdmZmbZKLI4RYIgMDsCcylb2gufs7+gkAFJk7gFWqdNLA4
Y1xbRRNnD/dAAATmSmAuGmIufs71OoDfcyHw+rROvDa44W8cWfEON2qF2NeZugzL0pKNyW5XeFkq
/oMACNyOwFw0xFz8vF3LoaTHJPDqtE600rgVpNnBU2V7l96mVZOtxSt1E691pvkIKt0GPUoBgbsQ
mIuGmIufd2lEFPpABF6b1tm7iuzuqQEjX+c3G7ST7hxZdvJyVxoGCz3QNwhVfUwCc9EQc/HzMa8i
1Pp2BF6b1rkduU5J4VLldpBm5f/ObnwEARB4TQTmoiHm4udrujZQlykSgNYZq1XyONLOU5Q8rjSW
XdgBARCYHoG5aIi5+Dm9FoZHr4sAtM5o7ZlsTC7LslYPUh7NNAyBAAhMi8BcNMRc/JxW68Kb10cA
Wme8Nk13DpeMdTyeRVgCARCYJoG5aIi5+DnNVoZXr4cAtM7raUvUBARA4FYE5qIh5uLnrdoN5Twq
AWidR2151BsEQOD5BOaiIebi5/NbAmeCwDkEoHXOoYRjQAAEQKBJYC4aYi5+NtniPQiMTwBaZ3ym
sAgCIAACIAACIDAdAtA602kLeAICIAACIAACIDA+AWid8ZnCIgiAwGsnMJe+obn4+dqvF9Tv3gRm
oXWitW14t8ptde8WybJk6xrOFlPX798S8AAEhgjMRUPMxc8hztgOAuMQmIXWOXiKZGxulMdzHK4v
sRL7uqStkDz0JQxxLghcl8BcNMRc/Lxua8E6CEDrTO8agNaZXpvAIxBoE5iLhpiLn226+AQCYxOY
tNYJl6q0aL8kc0sIaE/jVUVBZrI9XhsN7yXFO1ClaGu7tgtJ99GXNfY1D3sg8HICc9EQc/Hz5S0C
CyBwisCktU6WRCG9trYs6cuDeB+/4q6soro7T5VUNxDVjZJTrYd9IAAC9yEwFw0xFz/v04oo9XEI
TFvrFO2A8TqPc0GipiAwCwJz0RBz8XMWjQ4nZ0wAWmd6jYfxOtNrE3gEAm0Cc9EQc/GzTRefQGBs
ArPQOmNXGvZAAARA4EUE5qIh5uLnixoDJ4PAkwSgdZ5EhANAAARAoENgLhpiLn528OIjCIxMAFpn
ZKAwBwIg8AAE5qIh5uLnA1wyqOJdCUDr3BU/CgcBEJglgbloiLn4OcuLAE7PiAC0zowa6xaupnEY
nTOtPw4xHf4W7YEyQAAEQAAEXkwAWufFCF+RgTRcGaq1OWf5wsNSU53gnCPvxyewGHd29yv/NZSc
rA1JXYavoSqj1iHZGMwS65qOahbGQAAErkNgFlrn0cKwW5NbwXXa+5TVdO+pitObYzVcadJC8VqP
vMjXZXN9PbWTbEzGzO25iymG26Xf0V4ja53I17m2ajE4hXNgX4+fxZHj2O8rNj2sbU1mkiRxxfA6
lPpOqLdB69Qsmu+StcHtO3xJmz6c9f7Rbp5nQcFBD0gAWmeCjX4frROvDW70apdwpXF2pHWydOfI
cr82GgFqsjE5Y9w6V+xsLUl2962CR9Y6WbwP9i/Wdj1+lk6PYr80Vv9Pthbnhn9IsiyNto7CLonT
QOvUIJvvkrWhdC635u7pvIfWmU5bwJN7EoDWuSf9gbK7WifdOrq13Bxe/JwdKE9sjlYaM9Y9UZRw
qcmmvzSkTlwny7K9I1+rkyjZmLLp+6bcEDs7h7Mq4BWttCJbWLjSOScxtpAYp5fq5ZqHtI61XFkq
p4iG5myq3PHxbmmKrUzWnU1YD1AKbC47642jy0xalNnmo5VW5ilryYStRaGS/EUHSBW/OPBMhUpl
smb7h9z+oJ9D9rOs18+9K3Nr5duaqJZqrRv+97RwZ2nKZOto5jonkRz8PN5Dbq4LN7MsS/ZLU2Hk
vW6baqMPK9p6hsqZJHHVEuKppzxsmhQBaJ1JNQecuRsBaJ27oR8uuKt1snjvu6bGGVctb7O/Skqw
ZGM2nmm1b0LpbOJk06d10o1ZJi6tzxjlHUkdK0iTrdUQOwNaJy+wJ14SWGwhm/4+TtPksNKrHrHI
15lsCYkT7zyNNYJTgc0Wkqx7m93hcNi31GVKuVlbWqeuaRLYMlO9fS5qyL4iBjOlceAobUQ9fuZ2
ju0P+Ll35QXTvSBKszTaWPITCWIDm3O7b9RSvDHLeE9yWBm8jKFRHIjpy12cpvF+ZbBFUel07yqS
6lC5ycE3OLeDHmlcQ8G7KRCA1plCK8CH+xOA1rl/Gxx5cKR1iiPSaLf2LE3mqpePqunPl55nTC8D
DpJUP2uHji8yx1dhicqjA8V0aKxyv9ahwE5zhOaQ/aHtVTndN8nGVOwgzbI0sJUqsvMMrVOHnagz
Jk8oH3pKHYGhnjjOrG0R2glsxsxN/yN8sDsn9HXGjSJWkmVZGkdhJUj3riyZjUGsg1on69of8rNt
8cmOuu3ACG2K9zSkGyWd06kLM92ajSHdtVMpGRKNIlpr71LT1xGxbhPmYb/GVShVXPeOfM3t4VJt
mtdWRThvrO09NZ3wJmidCTcOXLshAWidG8I+t6h+rZOUSkcxWt0u51o9fRw96sxN69GVktKxtqLn
bEjriAd566zTxZy3lx6wC4mJl7SoBii/SOvUMahOoKPuDMuyLLBZfxCEenZ64zrJjiI37q6pj5LD
2jE1RRYvtnim1hnys6N17IYy6cPbMVMd0mnxVETuDlnW7vOqKy162opewqLPUPev2q1auYo3zycA
--000000000000d20c7f05aa7f8f91--


From nobody Wed Jul 15 12:14:21 2020
Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EFB03A0F97 for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 12:14:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level: 
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zUQVhnthyZ2v for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 12:14:12 -0700 (PDT)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C809A3A0F3E for <oauth@ietf.org>; Wed, 15 Jul 2020 12:14:09 -0700 (PDT)
Received: by mail-wr1-x435.google.com with SMTP id o11so3966588wrv.9 for <oauth@ietf.org>; Wed, 15 Jul 2020 12:14:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bxFNJJ3DbskcjidVI/EbgmksaF5xZynNYLQjiUP3fSY=; b=clkIWtqvVwujhvwJZeiXgo8DNvOI5JAHByRscR+FxS7Z9pChmYa+sbFwYdsZ99Gs+H /BAvQ+Dma08Qc5Gs5AgQAMSmHRkfSSymBrxCjfHXa0pJkCcgX9p2aY3IH8JBSqJyGY94 Hob6Vk5wJ9WWVKv4gzCUsC6AsUND+HnofAz9fhuQHDbjM2v13fa7uuTh8h0nPb5oyIOe 8AX/6Ctvqz7FK0/FqMAdNQWvR0XLvqsy0ao4ZeUuh9d/94cktU6fOnXg8I1t83Le5Ier sOnRg/kPhXMzTURf1jVg0PFLNG+EYvmcmPHs3Idmt0ApkZmr3XM+n4+Hbgm6vIYfQqyf 7EJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bxFNJJ3DbskcjidVI/EbgmksaF5xZynNYLQjiUP3fSY=; b=deac/3CvnoP5qRm3sBMM0iAkedL3AUowEjR7eHKRULkKJIAHwew6SNbjnH4jTPpe2U 3HLPdfm04HL0KSyp8cL3OoLhKx4MJCHAhdKYzuan7zlnIwcqRjKrUfZ/WwdF5T22Dook wQJgU3tWiwfUuXOMYs+TBsXd/XG2tEl/h2+uJvfZxC4oZZXBQA8f3X3yW9z+UB4BfUNm Z9AkfzR8+j8RwkQboW9KXsQJgBrYFbtTtWB5M5HSsdyoVlRGpXQs4lne1v6dXYJy7knm wOaUj/QcbMClmqySU7HTM4F2vb9ZVeKC048vlZIg8KTfZUU7Ark1A9guAi1Ma3evXcfy d4zw==
X-Gm-Message-State: AOAM531XK26k7UN2xXfrHM+84BYCUl9vOzEBKx5tYYKY6W/m7AM4wZEv eAgEocyYnCky2O4NylR0dEY8e2eE8e8HCEdVTlc=
X-Google-Smtp-Source: ABdhPJyR6BDwMYUAR82VxARhGg7zNemWZKyxVYAmCAlTKO9/awz2HPIGeh1+6GBXrEq3hQJqOoxnSeJggJ5N+rrQRJo=
X-Received: by 2002:adf:e7c2:: with SMTP id e2mr884231wrn.179.1594840448034; Wed, 15 Jul 2020 12:14:08 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com> <CAJot-L0wYMMkUDjEbn3O50_A-Ly03ASdz=UhU_yZuLaayN3mpA@mail.gmail.com>
In-Reply-To: <CAJot-L0wYMMkUDjEbn3O50_A-Ly03ASdz=UhU_yZuLaayN3mpA@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Wed, 15 Jul 2020 15:13:56 -0400
Message-ID: <CADNypP90sFBDL80EdzNN-HXJuS4LTC29So0nWieSHFqADEab6Q@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: Dick Hardt <dick.hardt@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="00000000000061844c05aa7fbaf3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7SyOWmc8XIUoXdP7fWFKh82PNDQ>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 19:14:20 -0000

--00000000000061844c05aa7fbaf3
Content-Type: multipart/alternative; boundary="00000000000061844a05aa7fbaf2"

--00000000000061844a05aa7fbaf2
Content-Type: text/plain; charset="UTF-8"

Warren,

Please, start a separate thread for this issue.

Regards,
 Rifaat


On Wed, Jul 15, 2020 at 2:57 PM Warren Parad <wparad@rhosys.ch> wrote:

> I only recently joined this WG DL, so maybe this was already discussed, but
> I have two things I'm confused/curious about:
>
> 1. Can we avoid using (1, 2, 3) on the left side of the diagram to
> describe, I'm not even sure what they are supposed to represent, not to
> mention the RO in the diagram doesn't really provide value (for me)
> relevant to the code grant flow. It's confusing to see these numerical
> identifiers twice in the same picture. But maybe there is something hidden
> in this that I'm missing, still 3a and 3b could be used to identify
> different legs of the same code path.
> [image: image.png]
>
> 2. It seems recently more and more common to pass the access_token to some
> RS via a cookie, yet 7.2.1 says it defines two methods. I think we need
> some RFC2119
> <https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119> keywords
> here, to suggest that either SHOULD use one of these two, or MUST. And then
> optionally state whether or not we recommend or reject the use of cookies
> as a place for access tokens. It's also possible that the language threw me
> off, because would an access token in a cookie be a bearer token, but no
> matter, if I'm having this thought, then surely others have it as well,
> right?
>
> [image: image.png]
>
>
> *Warren Parad*
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
> <https://rhosys.ch>
>
>
> On Wed, Jul 15, 2020 at 7:55 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> +1
>>
>> On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <
>> rifaat.s.ietf@gmail.com> wrote:
>>
>>> All,
>>>
>>> This is a *call for adoption* for the following *OAuth 2.1* document as
>>> a WG document:
>>> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>>>
>>> Please, provide your feedback on the mailing list by *July 29th.*
>>>
>>> Regards,
>>>  Rifaat & Hannes
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

--00000000000061844a05aa7fbaf2--

--00000000000061844c05aa7fbaf3
Content-Type: image/png; name="image.png"
Content-Disposition: inline; filename="image.png"
Content-Transfer-Encoding: base64
Content-ID: <ii_kcnpzgwk0>
X-Attachment-Id: ii_kcnpzgwk0

t/gmbVnnHhEwYBaOrBBb5wzTW2VqVq/myZcDid1uYu1NGzMVow6/6TGaIhDPZBLXyK1e7eVNWg7t
r83i6/G6XaBrtY6c/9KmJ+tNXZ24Tr2jjTLu1zpaUKxdOvwFAiAAAiDwRAhcp3WKVJMXfPpASAzT
W4RRtMm39UDeHb76BtXtRixUtfi+6kMJydv7nUfH1UMzH+ylCmD1qFhs5JYn2nNOOcnh0XBmcV4W
WZLkzfN19O3zLTVRyUXZtI8pzoqiyOKl2HEtC3OI1inkemE9pkMFypZcltCzbIqyLNJI7hSiN0Bw
NDISZY6WSVEW2SbNO9EI+fQZ050GSV4UeRJMxTYyuUusuqHWqbbJQj6hmDn+Iog3SZommyhYLab+
itbolHJfGhvNozQvimyzFhu7TCEh6oc9stEiErxWE7kbX2idrdQThj1ZRmlOwawkDhZTb6aWT2t+
sd3IB+wYzJks1tEmSbOMijTna6a6c1hKoG3FnKawNsGT5dyZwxrUOpWUZbYfZkWRp3hZhGYXfAUB
EACBp0XgOq2zU5vuep1muai+AlZtx24tgpWj9969PjsZ7ixDbs6oIzc2LViWu+JplSxj4mmDIgYl
tU6jW2RkylsXfUqlrXUqWlMjB2stotU8gKcvBRUg4MO7nMLRruZfnUXavG+jOWY5tH6n1jq0I117
eA4N7J3SlZvmMcdNGob2tJqbap2K6rvzxB6edF0oekuFykt+Y+qBPcoM9VmmZdGi4DoWpD0JuT6D
/m+viWpMPFwgumhY6zQ70lQepuOQJQ+N61S1d8kUWuEzrXz4CgIgAAIgcPQE/lnrVOnKs0zT8cNm
ZzCvdF9cR6zGNe3xWm0tuo6QDAToz9JRlzQ6iJ7OUqbBbOzwdzmZluNNV9GSdgjVWqeqis1y4tJx
k9mjeVw/S3B4vY7IqNisZ2OX1imZjKe7aWp6gNYZmATkQ2exWfouVwImc7xZmPK4Vy0rSHlEc1Ej
k9neMunEdah42yxc+CPbMql09mgy1x/rfAutw5OMltOxa4uFWabJbHc8XcbNq6fKJJhPxGHTckb+
MmpNMG2zcD6RuOzRdJ3E/OUctdYRGSz8kbAUldodz1YqeWXd+ts2j1ezCVVS6A4ygzv2Z0v5iOue
avJcghm9SoIeC2W7/nKT8UdHHqx1qqpM1v6ItomZzHKnHf+uC4f/QQAEQAAEjp7AjbXO0dcIBQQB
EAABEAABEAABRQBaR7HANxAAARAAARAAgedHAFrn+dkUNQIBEAABEAABEFAEoHUUC3wDARAAARAA
ARB4fgSgdZ6fTVEjEAABEAABEAABRQBaR7HANxAAARAAARAAgedHAFrn+dkUNQIBEAABEAABEFAE
oHUUC3wDARAAARAAARB4fgSgdZ6fTVEjEAABEAABEAABRQBaR7HANxAAARAAARAAgedHAFrn+dkU
NQIBEAABEAABEFAEoHUUC3wDARAAARAAARB4fgSgdZ6fTVEjEAABEAABEAABRQBaR7HANxAAARAA
ARAAgedHAFrn+dkUNQIBEAABEAABEFAEoHUUC3wDARAAARAAARB4fgSgdZ6fTVEjEAABEAABEAAB
RQBaR7HANxAAARAAARAAgedHAFrn+dkUNQIBEAABEAABEFAEbq91kpltTsKtSuohv2VL1/TWxUNm
edR5Rb5pzTZHXcTnXrgy8Exnkd5nNR/aynfQyh61l7hHW/B6RfeYwd0k/c8WLOK5ZzPDMO1pVP5D
me62dVBq7jL7h/Lg0tMjcI3W2YZj09j9jFZ59cC9WBlORmok+ec2TJbOViPLW+c3NXqnJLdL5KaZ
XnP+Q4+Ce4qTLtwBCVysvfvUp9t4atuPJ/gGevO2t+zhdsChPVY+jG2ycKxJePCYdZtW1qnvA/cS
B0C85pTNzJ0ecNNwIlqHqukuNnlR5MU/3dYOtI6OMTrO0zmq/oTWUSzw7VAC12idalvkGf+EvmV6
q1T8kZfVA2udbeRb2l3zbXrhHSRlspqvk5s24U5JbpfITln+8Yc9o+A/pnzTy8ky/VqnCMZsdJ+x
uDxcLKIbS9ebVnDo/P7evOMtQxcf9vuwlQ9kW8TLRXD47fAtWlm3vk9M62yTuWNB69TuWAbjO4pV
9reOOh/5f9d5OofVn9A6igW+HUrgOq3TpJPMLHOs3xLyXmwVUojTNEzLnayS5oZxm4Wz5vflpmeu
KY/mk5FtmabB7NE0yITiiHzGpnGTZ7pwzHFQVmXkW014iY+kvBdehouJQ5kzZ7yIVSZFvJi4dAGV
SuWezGx3kSRr32UmnwBruvIyGLdiVxS2qqqq2Cz9kWOJ6vnrdFsNlaQZwfuzzpauNV2H8zEl1i1t
U9uqKpOVP+I4me0tE35kmwZTgZLZ3iyUoKqqygVik9mjWbDymZrD2qbrqUjGGvnrtLGKymmbBdOR
ZfKyzKNw5rgiZLaDqCqT9dRzRJmc8XIjEisDj41X0XLiWozxEoScWLp0WUNSk6ZVlQdjqznCpv93
brfmIPP1yLTnSVVFPhstwpXv2jxhb67Ey7VOpUmBYkNlIxdgtjtZdgRttwvfTC3mC7frv7CIF2PH
Ep6mlyitMdrjebDcGRd2/baqthn5AfdaezTttU5VDRg98pk9Xa99qpnJ7LEsSoctVaTHdcn6SnkM
WVD5CAU+aaZ4EcjyWm7LmXpcvae++3oJlVd/b1BVpeb87jzmzicAcgKWOw1Fs+81kHIYZjnejLto
v31FSbabudN0M0bdCQx2JuZEzGFt0+WI2dOIl6RMVtzxzFZrrb16xL2agxQdXpmu6xZvtTsxCaef
TDKznXlAHQN1KJYzWaq+tykB/RzMR612JlLdbebVLsBtshzZDQ4KyEY+89bpZknua04iqkFvV9NX
Ka5O5sGq9l1pDuUCPV0rT7+399O1ThH6NvNW1DtT4+oZd4a73zySvk19mL++1wlorar4+igE/knr
GKblLeKsKIs0nNpisCKP28xsNlrEeVkWyXpisZ6JojIJgzjNy7JM1xPLHAe8pxjQOlVVdYanbOka
JhvNwjQviyyeu6Y1jUX3QQLJnqyTvCiyzWpiNRO7ycxmtuN6i3CTplkpu/JGpnD8JRW9Lu42jaiM
RVlmVD3Z+e2WpOlNhrKm0hrMEx3SNl15rCmtZvRsNTKZt4iSLMuSKOYapQgnFhvNozQv8jScuczy
xbQ5ZWWNV7yW8XJsmUatdegSfqQs883Sa65QOZF9TNsPEp7ofMRMQ+qSHURVlcdBlGRFWeZEmesR
soZnGOZozgXmNg+4BYUMSuZDy7ho5GziOlR+NaFVrD2ZdOSbhunOYoqYbzNKeLTigYgDnEppnc3U
ssbrtCjLIkuisCu2OyaslNbpvTBduMydRY2fy5UCNca0KIo0mo+YUWNUqLt+W8ZT23SmhL7I4oXH
2DjYiUQNGp3DcXzu2/lmNW7gcFXSsOVjRJ/rtrXOkAVV6aXfzmXVZ7yVCTMPuXoXbTKzB3oJlQ2J
/L7eoAgnjLmzgDeIOEqoixAA/fUmzbI0jjZCYvcaKF97pjOjXqjM0ziM6Dah1756SWKf6XGdoWoK
kqR1SGhaYxksy9ces/2AHC+LqLnMNrxTEoabRjn9VURNZ5IuHDZabKijzJMojHdcYYAMUTWsSUC9
WFUmqmFWZThhJnfWIk+DqWsahmpmdUV3mvmAh0vvrQOB1L4cx50soyRNKbTf39X0VorUiWk6vNMp
eL9U9/l1oXY7eZ5+b+/XaJ1yM3eZMxO3YENdxFD3S6xsP6TOrcg2YdR3V6iVDl+fOIF/0zrarXvW
DF7chegeXXzao1r9q/b/NprUY+iNtI6mF2isFCPQNp4ypi1JKIJxvWqXOggmpQLPvonr1IXZbmZO
o3TqH8X/m1l969/pzVUiw1lTY6ulCHV2vSvr0nkjp5qs89WoFUMmIcG7LvoitRedrGVAl2hH4qnV
nVLaxj4zNUTERWmdNqKmJDwXGWbjWsdk4s6ODmwjFVY6UOtU5C8juViKzOfM+V1V5JumF4jxlEYS
DiCreB8uhRbl2OtUjdahGpKIEOK3VQf+R8eESuv0XbiNp5bmahSB4rSo0jrGzcyqMWo5trMqw7ES
5bx6bsu+/MJBo1c0ZGojF7mes+AjUUtHatnTV+W6ba0zZEF1ueZW9CPVWFh92NXb9eWRJJ2K6iVU
Lu1vqjfgHIRXNKd0AfJiDRhIXC8jkSKFPvs2afMvLa0zXE2pdYp46jB3UYcNySspDi0+ZTipu56O
4ShGzlsPb8ZLHpJoF6PvL0WGcje0tbmqD+LdXX3XRxabMN1jZLKdnnDIw+s7TE3rGPasrqxonD1d
TW+luNZRnQ7VResRZbk6zjPcEITWSemu0Z6IkPKeLqLjxk33S9nZvojH9QHHb8+LwD9pHXOs9mGR
Y4o7y3Tu0NxB8zF77ne3WbTwPdfmH8s05DB2E62jj+iqkVAxtF5AjIpiTKVwuuqJ6hC9iutQCJt5
IorAjZzHy6nnOqKMzJDTHCovfpLqZ4az5iORmBejazopCIfivXh3ZW08ZTJYLE7aUvc53fAU9K5C
6zriKe2aaOAz0zD0G36pH3RE1HEordNGVBXJejYeCQY2M+VR7RJesHja3A0fqnVEKIJD4VJHrjsn
vaKvlyBd5kdVdYhTNVqHJvimLjOtkb8IeDhA4Kv/7RpAxXV6LsxXoy5QXsKuufVa1Bl1bU16VhMr
PM7QlaLVkNFpgs/Up3irGo4IUepm7nfdjtbR7lQo0xZ3XoOO31b5yhWNq1t3rj15K+ui5Y2ur5dQ
iCiA19cbdDnQFTsAhT/3Gqgqk6Vn0ZTxbBXXc7/7HaMipIrDcDWJJBtNPFb3XFQ4asKGqdqeaRrS
uB3DUS3EmrYiprAqcybz9aZPmveT0ezIMVI5hfWp9ekOpnonnXenJxzy8Np7Na3Tdr+BrqavUnt6
DFWyjvN0HaDu/ahcnumMxw71R2ISk/vGwLjTcWOVyzZdT2zTtL3pEkEdZYbn+u3ftI62CFW1Nx6g
WFJkX33ad9h0I2G681i0bu1+pat15o06UQ7KLdFpw+ro/u6pPa60EqFViUzOl/AsePh6GvIwsX5z
rPLqlGQ461ZGdQ/SmRymZHX5whMfau07J6thni4Zr3OFvijKNv1uObUK8dUVamTiYRVrUi8qUbet
e3qug7UOT5xuC+letBl2O6PCluI8QuvY5mivU3EpoBPc5vF65tkmG123XodigXK9DmFvX0i4nHnc
JrpfMnLbiX80uH1D9WY37HYHWmfIdbUxco8FVek7g0SVL2+ldXp7CZXLUG/QdX66ojuW029DBhI5
FGm4oBV6ti+X9nTtqwpC326gdQzT8WdjS3Ua/HbFD9uewtueap48N6V16M9tvqElUSZNuNUxIVGo
ITKaHfmJROCmWqdjlD4Pr3sqTevo7Ys76lBX063UQf7Wbix7GgKfQ7e8me+a9rSGNjju7O9+yyxa
0eJFa7yuKyro499nRuAetA41+dZc0Q4y6otV8JPuFmVchw86fNEbXUM6vg4z8GagAtqD7su7B20N
tQjq8k2k3YFcLL0UcZ0dpVPRbbrdZEjZ63Gd5oCWyHDWg6XVyVA3rqCII7wbVzvteVfPb5+pLtr9
G92ZyW6ILtEDzXoW4rucimi6VbKGFtfROkFSoepOjs99icDYnp6LqqGF+7Tsyc6tChLi0SoNxqyR
OnyaRjuJl40epHG9U+1oHZE1rZdVdZC/hePa4+iHYu0ZpqZ12hfSRIbpqdtHcbSe0VGr9dN5MxVY
n1LH8BpvoeldbT6MB0pU3eVlg0bvwiG3knNYLbaDrquNkXssqErPg//6jIg2h9XaqaBaWaedajny
ZNWorHIZ6g1IWXXhUPI6QEplyEAqBxn3UpFVOtTnGFzrKG8ZbtGiXtG2KmnxjSunodK50w4q10XY
q3XESXz1VyvsLGPSTam1frLTlSmqND9jyUVCDRoVupbl6Vw+DJBbU8ySVrvt64CuhlYG8kod5G8d
5xluCJQaD03TGkdLTkMNdhGHdL/tNlPbDf8/JwL3oHX42mRaOBtneZFnaRwEncWh5NNsvEqLLS2f
HVMYUazvIY+z5A1YsZnTyrq6+dMdsLvYFGVR7C4rFm1SRErSpVuvTc7l2mRxoNPCtbXJQum0n03F
R/YRZVjmydp3WK11aHXHQEmGsj6ksYni0FrvNM+zJBYLFXmHPJKLQ6M5X5vMg7Y0QFi0ArssqJZ2
e22y6fjrTVYUeZZEQaj2aAjPpQfRmM6UL8oj/lYzydhFRMJFLO+k1eejQ+awaD0LXzVZduNJtH6B
NkwUzZEi8Nho7DFtRo2v4rQnK/5ID1q8q69N3utUWl+8TcN1lORFuRUrqrsjJp9ykSsat3k0pdg3
1zr9F6YLly8apwXiWboJ1xG/AeQjoTMNqUJZvKD14TsZiVkq5bd8RFPXeKxvedig0SWcnrXJLbbD
rqvse9DYQ1rHoMWhtCw7C2cO6QyhkYdcvdM6DtE6g71BHowZc+chNYh0E/J5KGLDF3dneZ5uooj7
dr+Bcup4sqLcbos0mFi0iq/fvnp/Tu3Knka0WpjCoYPV5CT5PiyxWnrOl7HQ2mTmzkJa9Z+nSbQO
RdczpHWyaB3Swv9tWSS0jUCpFF6mQTLKjvw8pXVoOS8z3brDmNGCee2eSNa0czmJql4P71mb3Jpl
p7XJu11Nb6UO8reu8ww2hEbr0EPSPGZN+K0Ib1w9485Q91smAd8fs92WWTSlvRK53FjjLjtRd91F
8P2JErgPrUNx5Uhs0qV9385Y7NfRCG2zoNl8OI82K8+Ra5nFZmhmMkZbMMOlV8d16iUYBmmhUoum
8FR1rcM33NJmaLETftlsRt9p4U0b4Gtcmh3RhiHiOXk0G4md66NpkAQTq771F3P+vSURW1q7WTcZ
CQTt0mpYiljtlPZWorlts2DmyT3K3qzenC+2V/I9oSbtOY8WrgovN5fwXffNRnEtI9rTzOvGbE/f
LL2DqNwsxGNTaZ9sEk2ta+M6fJUE7VVlch+7ypamxx3+DNaZfK4AkTD0VZa0r7W9rbox37VORWEP
AWGbLPkWcVrGQU802F38KTbmMsYs2pIezF0RtBu6sNmpTAl603o15DZt9n97tHXf3qkyNQW+dEh6
i9Y0+DZX7TkNihPfgdZn9Mi3JutY7dttbX/X2Q65rrLvQWNPtnSdeRQ1j5UQz12QBe139W59VY78
Mm1UVvUd7A3qhzAY5MijhdjTtE0Dsa+YHikxkytL+wyUh+LJC6IV8IdSDNlXlaWixSZ8Q7vcjTlQ
TV4v+dzkcjNzTCmd6RkN/HkP3PUmchtz45kio2YOK1uLjooX0d91hiEy+6iWm2X9JI7JMl5P2AFa
p+4zaYu57uGip6qndjq1oLr0dTW9lTrI37rOo6XP9/A3vZ+mdaqKC0xprd5xZ6j7LfkzoUWd6ZkE
fE0X38wFraO1iGfz9WCt82xqjIp0CLQ6js6x+/6TuiEtqqPFZu47Z6QPAiAAAiBwMgSgdU7G1EMV
pZvEnvUoQ6ff5e/8Nr9ZkEAp99w73mWGSAsEQAAEQOAECUDrnKDRs2CxEg8ILNJo5ppM27n5QDi2
9JzJ1djqvp4JWueBDIBsQAAEQOCECEDrnIDZNNcAACAASURBVJCx66rS6yX4uy/4OgHtNRr1Cff+
fzJ3THrLwaL1qDfEde4dPDIAARAAgVMkAK1zilZHnUEABEAABEDgdAhA65yOrVFTEAABEAABEDhF
AtA6p2h11BkEQAAEQAAETocAtM7p2Bo1BQEQAAEQAIFTJACtc4pWR51BAARAAARA4HQIQOucjq1R
UxAAARAAARA4RQLQOqdoddQZBEAABEAABE6HALTO6dgaNQUBEAABEACBUyQArXOKVkedQQAEQAAE
QOB0CEDrnI6tUVMQAAEQAAEQOEUC0DqnaHXUGQRAAARAAAROhwC0zunYGjUFARAAARAAgVMkAK1z
ilZHnUEABEAABEDgdAhA65yOrVFTEAABEAABEDhFAtA6p2h11BkEQAAEQAAETocAtM7p2Bo1BQEQ
AAEQAIFTJACtc4pWR51BAARAAARA4HQIQOucjq1RUxAAARAAARA4RQLQOqdoddQZBEAABEAABE6H
ALTO6dgaNQUBEAABEACBUyQArXOKVkedQQAEQAAEQOB0CDwFrVMGnuks0idvlGRmm5Nw+2D1eEhu
g3nl4XRkmYbBnPmP//dQdsyWrumtizsjPVi7O8vhoROKfNOabR461wPyGy7YnTWfIp57NjMM055G
5QFFwinVbRrUndkL/EHgLggconWKzXLi2sw0TGbZo8ki5oNIsnCsSXhPfcVm5k6bnnh4pNnGU9s+
qMu+19IeaAit8WerkeWt8wMv3HNaC1TnvGFunRPv4M+BvLaRz5i3Sosiz4viHjVrm8NtuuZ9ELTa
He5yfQmmC/ch1W7VxqKVaFhSaCc9xtfhgmnN558KRum4i01eFHmh33gc1kU8hAVbViuCieUuH+RO
TydQhpORur88rEEVa0+7w7gre/2TsU/r4nThGGwan1alD67t9VonX3smG83DTZqlSRyuFuuE9xBF
vFwE2cEZ3eTEbTJ3rEO0TpWHi0V0iGS4x9IeXDOt8ZfJai45Hnx5z4kdUJ0zxAh9PybqZFVpakA/
lK9G5qjWdAPn6Off8nuXw2Fd8+GZ6SU/2OV6kqdyPaDW6WLRSjQsKbSTHuPrcMG05vMvBSuDcX+U
+KAu4gEs2LHaNg3mq83dxSj3sNMIbCPf0mLpBzWoIhizkYqm3pG99pQXhzoEivVDRc47GT+JP6/X
OrHPTD/Sb4BExZQrl4HHxqtoOXEtxkxmj2ahkh9lsvJHIihke8uEX7tN11PxmzXy12k7NrTdzB3T
qD+jVc7HUXcerHzXotiS7an0Vc9Ypus6H8sZy9iTMoEqbXXNmVWxWfojx6I4luX663Sn6lTfSZhF
c88265mAMllNVPGy+poiXowdmdJqPW3msLS+I/KZt043SzrPnHDQA3y2WTgfO5yB5U7DfAeUqi7/
RiO0Ow+WE36N5UyWmxp1fx0HyPBK8Gyd8Vwpy20a0PSUaTJ7PA+WOyNIGc+IiPiYk6ijh5RjkL14
stvYZ8yPJbxkbhtqJopUk7tSfqXquuswIuS+DBcTzp61/GHAUiq9qsO5qFolVy5X0Zkzjzu35U6W
9YCULV1ruua2YqbZ5J4uXVa7taGNIzznZGY7s4C7MDUhbx5lhNe2mMks1aAoTKbdt6ULxxwH3Kg7
tuvBotUx8pk9Xa/rJtWya2+ltGurStmO1Y2636MqUa+6JvZoGjZtIwtmYxkupvpK0w4XTGvCVTXg
k1opyT2FbXiPwbPdJsuRXbukocUg6Dot/RtYsN+ddhv1AJ+us+02al1nRz4bLULeoZJf6L0TmYR3
QNTO48C3OrXLV65JnSn/FMHYNJo5zG08tXizqwmUkd80XIOLc95fDTQokWQejK3Gu7mP8tRWIc0X
8q50skrq7meg4YiU+L+7APvb2o7bizSKeMG7Y+rCVcOsBpvPQJdejyi1k1cDPbNWcPLMbtYkr+25
GPsqCnUbTHT0VVWlc5s34QGXa6ojO36tB+4p8zaaNGpzgExd1EEUQ+Njb4vbNVOd/hH+f73WoUHG
9qOdG4u6YfCRwDDM0ZzPbW3zYGLVHXCVrUYm8xZRkmVZEsVc1hThxLLGqyQvy3yz9Jjl78yaxz7r
xHVM0/GDhOLOdIk5DkR5moEnXThstNjkZVnkSRTG3UFRlfa6M6ttGgVxmhdlmYVTW3UQjfWo97Ec
1/XXcZJm+baq8rXHbD9I6Zpo7pr2bEMDtgiJLWIqdrKe2KboOKpKn/+mKjiOO1lGSZrmZVUN8Cnj
qW06/nqTZlkaRxtewzaopoTiSxl4hmG6szDNyyKLFyPGam69dewnky5c5s6irCiLlHi4Sx4p2m5m
tsnrXBRpNB8xY2f8btezrRjylces8TLOCE3gO6YzT7aV6BREvD5dOJZlsXooD6m7GIzkdzhkS9cw
2aiu+dw1ramQUAOW0sj1cW6PN7W+JQRstIjJ6ZL1xGJyVpJyN5i35F37NqWaytyTeaN2tRzpazKz
DcP2Q/KmMl2MTNO0xvw2YJuvx4xNRBsZ7KH6bdfBouUZ+aZB3iSa1GpsmaNVY9e+SmnX9jXqoVaj
16sqoqk0NKVWbIJwkxUEb+k1GnewYLoWGfBJrYzUiNhoHqV5kafhzFW9jIjr9EQ7VRdBzfMwCw65
006jHuDT52xV22od3zNMZxqRlxDNpnfi6oS3dGpOU5eZXSVXke81jWnCLMtyZHtK51IxawQ60a/h
BqUxJ0HUjusYpuUt4qbrqMf7oYajpdUFOHBJv9vTLYA94b6dbVYTq+6z9mqdTpfe5+QDPbNW7Ko/
ax7eFkJzu5la9Kn7Iwp805Fhl6sGvH13GKqqdDVZ8KGHCrJ3QLxhTzJQhq6ZdBRH9/16rUManBqP
7U2XYaokj2oYBF0JVS5c5T0DidbmZkLWXbM7/RJPrd2w/m5rN9XSoG00qUebiljz9TrUkkfL3RhM
DVyV9roz6yv4/5sZ3fG0fpLaTg75/JB2e11VVRnK8lHb1+7fKcBYV7UV1zENeybmBSm1AT5lOG4G
bFWeNij1O/9GdtG48d6uc7dH5zV17CND93x1u+TqbSSqRHcnetqbmXUTrdNxjG3sW4wsrCpP9zn+
auEyHlPsFKNT0aozPPCOQys1kRf2GrCUll4v5854I1yuDCes7r3pBm3hyCgUdVvNTXNV0TIl6S1E
uH8OizSBcilyD5W0Nu4M9lB9ttvBolWTJIXmC8JVM+68/ZVS13Zspw403xqPEhpO1YuLWQ1NfQUZ
SPYTQwXT4i4dZ8jX0ifr1GQj0pqe7vqHah2tmIMWHHQnqoXeqLWi6S2u19k6ztzxPd1qycwSkWCq
k+bvPHSgWZfnrqjR/NRosfKZMIxqc6qT5IbSAHKXlsMzyaymQekVIyfqaB09iaZ9DDYcLbEOwKFL
+tx+G08Z70xkchTEksYcbD78tlDzUx5uufnINZg1j97wxa3J3LZnq5ltzyjOQw4gGA12GspuvD7K
23fKrOGruMfvGxAHUQwg7R0FaPzd4+etAj3+HwdoHV7IMovXc5oSsCdykY5qGHprpJPjqYzK8Kbc
XTocT2kLBGs+pmFoDUQQaQ/hg+lXSutURTwfMZM5k/l6w2972mxVaa87s8rj5dRzHZs+FjN6tY42
EgmHNUxVJVPGb+Ipk5NSoiwb6prEPqy21tGnJYheHx9qLd3uqzuYkeeJDz+zy416RNHEBurYwzBf
jbql4RE36iD1voF6P61jq+Fr9dTjOjuO0VxOo4cUPRSESuY278PTuaN3X3Xyzf9th+FhM62nasQC
5dtnqSYdEVPe4ayTbOR1One6aJpuqx65KeEmd9EBDWqd2jd29O42nNQxrcEeqt+rO1i0aka+2fY6
PlNN1R+oVHPtju3EkYFWo7U7fh71pB6fdSvTYD4ZiWZmW2at9IYKpmmdIZ9sisi7oFbTI4QyUizM
cW1c5xALDrtTtxZVf4s7pFF3fE+3Gl3O3ambTqvZ1VjoHowclCILzjzhq2tohUAz3OqRM81p6Xou
Y+oZsJZL16nXJ7XX64zVtlMuqfjR632Md+ztmg64ZX+X1eqa+F2IWDQ42HwIsrq5EF26JnZFJQd6
Zo1At1dssm4EC0Wrp3EZ+4ybgt9J8kDMIOFBb++WWSsHfe0ho58xiKLvwsEydPycyy8+AtGahWP7
HKp1ZLkpiicnkFQvprdGOk9pHaWoVb1JAYzXeaF9ynp5S31Wu48eTF/XOnTpNt8E87Fjms4sbqaG
RZqqtPzv4TNpsLWnYSau1+5Q67LpY7b4jff+frhTJVrp1MzL7iwIqJVLM3bKDAb48EFCdST1ye3J
vjxL+SejuTCxykSb96H+i2udfXXskKHW68xpFk59KO1uq+7aSJav1emqc6gkra6kqO/NeYh3GufB
mJHioD/teUK57QgQmQX/r+0wvGvWzm867iFLaUn1clYl11yOBpjRMlVcikLs62lVujUwUOJ3qnXU
vARVoWO7rhTWakk3CfpYQrEE04+E1OutVHPxju3oyKBHUbsba7s16W/SOkU4YcxbbgQxLU4wVLC2
1un1yaaId6J1+vyno1aH3anbqAf49Drb/riO3mwardNNp7+9UEhgtM4TCipsaIZ9ZI6DnIZbeT+q
dZJNkxFQh11ag86Ha9VFaanRSVQmcVM72HC0tDoA917Scftu19QIDmq77eVuTfPRGziVotfJB3pm
rdTDWVNgylmk2dLlMyD0p7vMkkVzCzdImNLs64Fbiwi1MuhfO2T0Q4Mo+EmdCwfL0DFTVbZHID3D
x/9+Q63DPdZZ0F2RcuWuozRaRwTS1O0Ary5xGw7vCiK0RlUtwRxOX4vrKJR8JYmcmW5+VaVtfqqq
njOp11XrQsjl++M6rRgGTXjrQQ6ZBbmvYMV/oMTqkU7z7K67DPDhrU9FkWUWbVBa1egrcdPnmYgB
9eAH1LEhQ1FZ05Oro7T0+WZyNa9IMd8bzWEtHP3GmRYly5LyXmC+mDARl6F8XPqzh69WnA4HDa8A
UUeKByylpdTLWffAxl400rHdtWatxVjt3Hl70G51tWzb/kk+oOJSWlyHwvNqowAdqNdgqLQa23Gt
o7UjdQpXbIbKgYtD7qqDlVIX08CqXUoHhj2K5uZUe+LjKx9ZKcapNBAlKQ1MsUktda0NNYiGfFIV
UXZTankXL7PYD0gG1lqluqhJ/3ALDrpT4yQi+SE+vc5GWkezWq/viWQbrSOnaepbRrpD6Ls3oDUc
k8XcldNdfOBdUMRUbj3RCHBK6j5psEEpfKRmtOXP+gDBT+I+zZXQAT7W7dgPuKRxe4qhaL5VcThi
V+9g89Eh89L2ODl3qv0j156syQW8xYJ2tdC9IkXV6M/GTIOEB719p8y6LfTvDRn9x0EU2knNhYNl
6Pi5du0Rfr1W65Sb9TKIaEEsrS5ejm2K9VGjUg2jC11pHd6H0vK0NM+zJBZLhnlsiBbZ0rrULImC
UK3Pl4TEbVBEiz5LWrHanh/R0m9YZ9E6TLKi3IqVjpZYHKyAq9LuP5OPuqPFpijLPFn7DjtE6/C1
ycydhUle5HmaROuQd7PUvOnmNS9KWjHoDK5Nbs3zDfDhyw+daZBkeZ5uoohDa4NS1eXf5NrkaZgW
rbXJQ3XsJ5MuXL68nFZ5ZukmXEdiDSv1KE6T9tgyb6J1ODHLo7XJEo1czi3GTcuyam1D2seyLDn3
RqHZ5WwedqcgOhwGO44hS2nk+jjrHti4nJDK1ngVZxxNHARiJ9a+3EemNQky4ddaplprol8HtQ71
mJYf8lVzxWbumoYhVP2Q7ShIWbcjPT+SFPX6zXzTWZts9lRKu5jq127UQx7FewnDEAtUizyhfBy+
IYVqKEjQan6vNYfVXzAd0YBPamUkK9LaZL4uNprztclireG/aR0KhmgWpLXJPQ2/O1QP8ulzNhkk
q63W73u8qo3WEWGy0Zwvk8/ETgEtLtVw2cz4uthaLYvl/+pWRnWSVUVyyaV+sCjKfeKvSZuv9TL5
w7R4r63bi05SWmew4WhpqVYmfuTD7q5bDrg9LXcTa5NzuTZZyN7B5qNDFhnuOrnYNcK3h+wZuYay
5iuMLcuqd4fkqxGzLHULN9xp0JV9PfBumTV+VT8ZdcYgiv4LB8rQNZNK/wi/HaB1FmOXNmDT2gTb
nTSPs1ENowtd0yJ8bJJb8JjtrYTLbbNg5tF2YIP2BI7VVugGEE028l3OtLVlT/oN62xNO95lir62
u1EmqUp73Zl5NOMP+jWt0TRIgonVtzZ5Z21Kmcht9ERpNFnLW8oino/llkt/Ha+8A+I6NBfRz2eb
BmKHM1GbiZ1xLVANPvGlDMbWNIiX9c5rtee8v45DZPizJPkmVNoNPa0fKLBNmy3L3jwKZ7arnj1W
l6TVgtt2bIiZlraRUkz763u6aGGo0QQz+Jrour+oc5Gz043DDM5h0QVNvm1LaWntctZL3rgcXZFH
C74ZlBzZGYudiPtyL5OlR5ueWZeV8k+e7FBch1xjOqKN6Ix26odLT8Z1Bmw36B6Rb03WsXqMQ7Pn
e6hSGp++Rt3vUVzrsMkqmPGt3iY9jkLuOd8mq9ovx8s4Xjgjsb9vuGAtRAM+qZWyaUT8KRVBs9X9
37RO1bVgvzu1nEQ4ykCvsutsYqlF48yDvicmHOspUbX33Rkvgnn/nC/tSaa9oGKCXirR+q5Cv30l
L+A7UgyS1uU+l9aRp+uJwx9IPYs7qbW0zgE+tgOwv60NuD09N0SMB3zPuXj4LRV0qPnokOsKFTGl
YfJx7/CRazBr2gNiaCvL+car5hZuP+Feb+8rc132qhoi05wxhGLowt4y9JipyeDovlyrdY6uxCjQ
KROguHuP1DllJEdddy5Qep7OddSFfvKFa91iPPnaoAIgcBcEoHXugiLSeCACFKqSj5p5oByRzT8R
aAVj/iklXHwwAb6Yrp6oOvgqnAgCz5oAtM6zNi8qBwKPSgBa52HwJ+v5mh6cWJZFSo/m7HlA68MU
BLmAwJESgNY5UsOgWCDwDAhA6zyMEbPAH9FTivjqkpG/3tnu8TDFQC4gcLQEoHWO1jQoGAiAAAiA
AAiAwB0QgNa5A4hIAgRAAARAAARA4GgJQOscrWlQMBAAARAAARAAgTsgAK1zBxCRBAiAAAiAAAiA
wNESgNY5WtOgYCAAAiAAAiAAAndA4ElonTxerdWzL++g1kjiCAjk0WotXqpwBIVBEUDgBAkUm/VK
vPPlBCt/WJW3WbgMsK3tMFhHfdYT0Dr0mjT1HPOjponC3YDANpk7eAzIDYDhVBC4UwJlPLWa99Dd
acrPKbEy9ul1fPWLVZ9T1U6rLsevdejlvI/7VgD1jJD9ryB5MM855C0kR1LUvUzoRYraO633nnuT
g49Rd+UknZLeWWG2Kb3zzTRMNlp1333ayRN/gsD1BPK1V79d/vqT7++MO2sg91ZE/n745iVirWyK
eO7Z/BVg06h+y1jrhPv5Y7C3uZ/snkeqR6J10oVbv8SuwzWdO2ys/KxYe30v8O1cNPBnthpZ9DLR
G36UYx1Js3wuWqeil+3eg9h5DDMpJ+l4110Vht6BSm/YLoo8v/de9bqWUgQTy13KF9x2KnyzP5OF
Y6mXUd7s2n86++6q8E/FuNOLNzN3ujk0Rf7i8dX+3vAhrKM1kG08te3ZwTUYrml7mPjnWqQLR75j
t5MltXp3scmLIi/uN/DTqdHMrl8j3SkR/hwkcBxah95V1691eINU8oTms0brYrA6+w+UyWq+vnkw
Ug1jWrPcn9P9Hj1c6xz7/T8Zfhzc9dD9GGbiTtL3ksu7Kkwyf8Du7bqWsk2D+epOFlsV8XIRPIab
3l0V7rexH546nxQ+WOuI971fI1cfwjp6A8nDxSLaL78O4dEZJv69FpuZxXpeMHYQw0MKfO05nRqp
IenaK3FCTeAQrZNH8wk9gNw0mD2aBlktYIvNcuww0zQt119v1mMlV7ZZOPNsZhqm5U6Wsk8sA4+N
V9Fy4lqMmcwezULu1enSZUb9cRat1reNfWbVQj8PxlZ9nsGm/3dum3qMh2ZE7HlSJTPbmQXBdGRb
PJtpWJe49frfMln5I15GZnvLhIAUm6U/cixRbn+dyooqx6qbJY07fVnXVPn/A6nJcyiJZpTPlq5h
NGuSynDMK8KLFC/GDp+4cMbzuheIfGZP12tfzGjY6oCWPxXVnQfLCb/acibLTS0pIp9561Qab0Lj
8zYL52RKg8wyXad0Zr5yVcylCMam0RhiG08t5sdbAsanVeg6d7KUMrLX+lW2dO1ZnIXTkWWarjRz
y76q9APoyLLzIJh6ZFmT6tSsGdymAU/YZPZ4HizHZseReNqimpym5U5DLpmzYDZ2azdoCEtfXUzI
G3hODb3hsrHJKpiRSwnnll5X+4woQbqeCqezRr7grGotvvXaIvSdpo00ZhDnU1EnYRbNPds05bEy
WcnpLtubNe5flSmxE2Z25zH3h0FjkYOXkc9afTx57WidV1ql9hilojbGnZRsFQe+pTcaUfxW4+rt
H/h5Pa21IpvX1dGqKWwXUrsh27mTVZLFC+p1TJM5k5X0mTutgrtIkrXvMlN2C/1Uq21Weym15nBm
y3bQHTM3vH01/rDbl1Zluq57L8sZL+Jiu5k79IoI8aFgqSoDsxxPdrYiTfo3mduMN/6qorbZms2i
8ljTzZb60qZX728pKkE6+VAOQ61V3cX1dRdFX2dYcS/TevLOMBFXrVr09nVUichno0XIxwRmMhrS
6v6/qioC0vTPosrbZDmyG+Lk2If1qyovPhKST44Xm4xaiug6vEV3H85AjVYhzZ+JQbb26op35j0O
o9npVL8eonXKJAziNC/LMl1PLFMunsnXHmOjRZwVRbZZTWzTrFvFdjOz6UhelkWynlhMzBuVgWcY
5mjOLbnNA56UGH8H71lpksPV4qzUKJu4DkUWVedJp5LUIc82DNsPc5IqRTR1TGcuRmFN62Srkcm8
RZRkWZZEMR/dq20aUUWLsszCqd2M9KrBN/3jQNYtLxpITZ5DozybxlxOEUrLYnI2hysJcSRduMyd
RVlRFimVSDa3yDcN0/HXCcVON6uxZe6u4BC03VmY5mWRxYsRa1Y9UYfiOO5kGSVpmpdVGU9t05kG
lFwWLzw6M+edYa3GynDCLMty5kKIpnMR0t1MLWu8TumFg1kShULTDlif96e2445mwSZNszriSyB3
I3oD6LhlaR6HvKZM5m4tCSlP0/aDtCiKNJqPmGHsah1RTX+9SbMsjaONuH0sNkG4yagKydJjXMHx
vs0zDDZa8HGxTFeciQgn7imbaY2XlFaeBL5NXke2bnymqopwYlnjVZKXZb5ZeqxnZfaALcTYZE6i
lofxPyh9y3Fdfx0naUZOT+7EYZRlFhGk2YY3hXDCmDsLuMvHUULV2WcsalrcS9UNbaPxtUoNGqUq
I98yuQcWeRJMXWYaqrnWFWk1rqH+oa+1Ekw2mtMLL/M0nLkNTe75bCR0cBH6lmEyd8Z7nXIzc+pG
dKdVYLbjeouQPLscpLrjpWbtpcNaZ8BAtIJktNhQD5snURgLX6YbwyauQ6txnBl1wmWexmFU3/BJ
8NtoUreeHbFDxRFTSco6dCfY11JqO5KHzuzbcVCttaV1zHZ3MdAZ9vlGa5hoaZ3h9iU61WlUDxuq
/6cqUlc3jbXK8q/CbnVU8sB+lesq0zA1nzRM0xED1jZdjuo7Fj233RoZpuXR6CuHBj707WnRemIn
+v0QraOhUS2Ebvu18YSUhhy0aGCsyVdV1cgC6lyaO4mq2kYqZDOodWgKS+8f2ybPFg6/y6QCUgHE
WEydr6bByR/l7a7SOindn2oaSqui/MqjlsK5VYNX/WN/1rvJ7KZWn0PRG1Fgik+Ol0uPiZpyJUEr
lEj0WFIOUaBlPZLEqVlqVKhazqJucTJ9KqqpLYRohim6gzENbWMBFUTLhgd0yLIq+23kW6PFypfb
4eqJfj4QjgPeOdS1qoasT1rHML2gM/9IbqRVpUlGfWkbQrdsY05yJb2um5lVjyIqnW411ZH6G7mQ
dAruq2qMp5vgvmJ2yqa1B+V1ymdqbjK/eGrtyLxuIbVWxttIv9bRYoKywTURQ7KHcH/KvRardY33
GUvUlwvviVx2SUUQdzqqUvzWQmtujVH4vbDmV2Qk3WtlGdqNq79/6GutvDpaEFhZqG27beSbptdM
k3KKIUm/O62CwXy1NHWAKjWXAS8VY6aKaDdxnYGkuD+OllrggdNsax1u7yYcWZu8/r89TFeEs7Yi
BXFlB66sU1/H/9daivY7dbyHcNjTWltap9VdqN6I59h0hn2+we+rmltiXevsaV+dTjWZWWYd9hq8
02hDPLBfFVpH6wrJJ2v2FE8fqdv5hi41q3aN9B6ORiPRiw45TJPQCX85QOtss2jhe67NP5ZpiGYQ
T5nuC1qcMJ079Lbd5mNK2a51Lhx4PG3uQlQP1DEF36mjlut0nZh7AJcsXOqIrq/bPnkvyDu7ph/m
Ll9Pjaks83g59VxHVJQZzB/WOqIk3axVUqRN+lNrzuFOvcq5OhitsmzlMtImwtfpRi1fjbogxW1b
5JtMv8mgTtTvDINd2tQs7RmPNHQup96iJTc2chCmYZKLns3UcuYJnzLm5W1miPKQ7tatkb8IeJiA
RtoB62vAGgLyhlKNRPWRAXQdyza9An1RnYXUvdo4yJPdqSb/tUyD+WQkTE7viZbJ7KG3p2xjPoiK
SjRep5KKp7Rho2kXzDQMrfvqL2RtCxFmG4rraLcWFfm2YapsTNPgkqrbYCm/vcYSPrElPSfEDs16
yG0CqlJaw+c1aIxSdYE3rU8Akv8qm2pp8mNN/9DbWrvV2ZKm40GNTjrxlOKndZ505yWEoHaaKgM/
7TZVUOJykOoeLx3UOoMGKuL5iNGU3Hy9aW42WlqnKpOlZ9EMyWwVd4I6dP8vG3cNhjpQ4fwkdWpR
rJEZaCn19SKuUweC+a8Dhd/DgW7DGXJb2gAAIABJREFUtPtS/W50oDPs9Y3uMKFq0fVJitfIG46e
XlELOFPMqtvFiqktdZfZk0Jvv8rvNnWfpFuIpusoejen7mod7RJNHw0w16x0ul+v1Tqkp013HosG
peI6/CZFW4up5Ar502hJ0wnq07mR4rybvkz24421NWt0W2TH5MLIq7zi7VOObuTZ2s4t3hmL4bTp
balv6Sx7EAEoexryCZKqat+y1yGrwGuCWbxH7GStlZw61d7U1DliK2MRyXgJ/elHBYV7RE0oB2ce
5wpjUfA5v06jqga1jpxzoizbWkev/HD7l0ozmYnNEfTnOMgp2qTpxG0er2eebdKswZY6+n7r8/6n
1fQ5CNGH8Jm8BswgOtVn8XO5BWiherf31IaxJtHe0ExB0zreciNm1FR3z2/67RY9TyjFvWVTHZZw
ae51qjA0PI/XbXO2a76jD7S+mDewjqCl2qn0RV157++HO9l0xQGdfZCxyEQkwvkCD7kjUst0yCg7
wMlKvQ7Q07iocE3/0Ntau9XZp3W02YebaR0uWLWtENdVQVhggOoeL+1qHdJn/EZrICmRzzbfBPOx
Y9JUFe8X2lqHn1Sk4YLWEdm+WJ4mrqR/edBY2/JE+/yo49G7UiVkB1uKSlCdLH8bKPweDh2to3sL
XdXTGfb6xm21jt6tUeGV1qGgpLxT1CrMO9WW1ummoNdAa8tK0lFq7awO1jqqdC2tM9D96sU+0e/X
ah3qHJS+ppi6uIkk3aDMzEPldZ8Vjk09lFmT1fpH/lPTl8mlIX1ah/yAtYyqLZilVEQ0NQ3GrJlA
oFCqNk7RCC1dsNE6IgbcnsOilNRl1Ib2xnV6s66rKg72p6bOEZPAy6kti57MbXu6UEpiS/35zqyP
nO5VNuEtWzOFyIBo6xFzGpJky2u3NB5X0uYamjksaoULh00Wc1cezpYu/eloMw11bWhtBr9VoaG2
z/r9WqfbyVNyhxiCZ0vdHw+MUE/Eh2NZmnRu6xFe8SvvFdWMIP9xM7M0WUwjm4rrGNo96pZu/4je
3rLpefId4lwRKren8mpzh7Kwrf8oBD1gi0O1DgVr6mroaee8wap5Ejp2mLGEyInndGcr1tfpAmtQ
69CgaYmlQpRXw1AvVGt+QbuRoHNU/0BV1/ydJ8DHPi12x8/hEWAFnJ/Ik7llXOemVRBVG6Da9dJE
eSldocXmirVnmFzrDCQl8hH/8lVAIqwklgDqB+V3fovY7u74+Ngaiilu6y42rVW4jXEHW4qWW3Oy
/G2g8F0OemtVXZPqq0VqQ51hn2+091W0fGy4famseYZtAULe1oIlCiW6r3r1QCeFPW25fWY7q36t
QwOv1gQ6qJuecLhFS5uc8n/Xah0+6I9XabGl9ZRj26wbJfGle2JaH5eGU1eGyuXyKNMar+IsL/Is
jYOAr1rt9EFaX8aXovA1p2VRtu90O4KaplWYt0qL5sQi8Nho7GlPVhaLJfm6rSJPaOWuXCWqD7fU
lGhtV5rnWRLT4j4+nT5abIqyzJO177DrtE61m7XypOHU1DkUR2aWbdW9HJ+StvTNjenC5Suoaf1l
lm7CtXieO00Mm/bkkLXJ05BY7a5N1gIzfIGq6TRnekwuJqcleTOLPvXKlXThWJZV669tGq6jJC/K
bZnH83r5Fu97d62vw28Q8NUgHf1xkCF4CqqF8+CjqsHYalZ9NllVYqksLcHO8jzdRFEi5guF39Eq
Xq81h2XQ8u8goZXd0cw1xcruYbMKrxsvxWrB4bXJtKZ8Qw/JyZIoCJt9ZHU5OT1VE80WB2sdvjaZ
ubMwyYs8T5NoHXKFkwdjxtx5SC6fbkI+r3GYsUjyuq5t0dY78dHa8mC3S0uxGRvNaXlskYkV47vj
hbpcS5NnorQO9512axXmpLXJfHVmNOdrk/lisE46/6J1bloFSWeAasdLyd3qGzS6o3RmfHHNNo+m
tAhATKAPJJVF6zDJqOXxJfVSUoqgY0S8y21O/S6dsi3SYGLp9wKimDshVRqcHdet90jQWY11qK31
thRZ5dbJ9W8Dhe9w0FurEgFdrUM3Xr2d4W5PThq+NUw0tRDLxvv7OpU1L35LgHRWwdT12x/X2dOv
tvNqZVX1a53hGlFhVE8oMu3pfpsyn+6Xa7UO7ZOsNzd782iz8mrlUPEtgHKD9mo91WN+eSS2ShuG
aTljsfWq0wfpWofPLdMGPlZvRm4swhugmk2gh8fS9lvTnsl7NRJjrcWZPObOd/+adN5IbbpttZ8i
VvulvRWNBnk0G1l0jTWaBkkwsfat16EC7mTdlHpPavo5dANHW7nlEELCrrUgj2+DF7u6aVu3NxW7
9CPfmqxjuZ2X2V6zVVpLuwzG1jSIlxOxlby957wOdDXn1/ai3dK+vn8xmjBa7iFv56nvU6y3yZLv
h6dFKPQwgmapZJ2abv1erUMb9mod1ZTlEEPwk7UWXm3TZgu+p+/m1VKtaJOy2I1Jz0KYRUVVbZNV
DWi8jOOFM1ryuzTyVbFjn+/Q1ujtcZLRMqYnHXS8ruX22yyYeWQRQuOO1XMAtHLW9Dq2OFzr0B41
ubWdW2ayltEcuXGbZz5aSK+rs9tnrGzhGIYeb9IqpQ0kVAndKLQbWO59d8aLYN53b6wu19LkNDSt
U1W7rZU210qY1DRmzbMwOun8k9bhG5oPr4KyYi9VzUud8SJcqglxSYoxZtHDG4K5WweVqTXs9qUZ
PUK7diPVYGkVD3+kgrfO81A83UB42s4+ZhFo023KJQIzDC18oLTOYEtRVdZOVj/2FZ4a4kBrVSKg
1VfL9JpHXOidYa9vtIcJ5WOUUF2kTvtSWfPcdAFSRpO+Gaye9Tr6HNbBeelZUVi792Hy+2rUbnRN
BVstWiI85f+u1zoH0uH+pK3fOfCy60+juwCbnvUw9KFWoa9MvbeS7Bagm/XuGfhlmADNex3p63jE
eFkHp4ergCOHE+gbvQ6/+ijOvNMqdDTZI1RQLBis72MeoQBPI0s+uSfugZ5GgVHKXgJ3pXVofULP
4q3ePG/6Y7729rzagd9I6nPRbRV/08xucv5O1je5+OTPzZYj63FfdDZsgscfh4bL9kSP8GUaPUG8
J1Sdu63CEfgY3W3sRNKfkEEeoqj0NGp7KhZ/P0R+yOO+CNxe65TxaiGfvJdvVhNLf2TLfZW2ne6W
HgC3Glud9+k8hNYZyLpdPvz1ZAkcwTj0ZNmpgifr+Zqe9Ucr+gLfMXuenahOPs5v91gF+Nhxmhyl
eqYEbq91aKkDf7g+LddwtPnyhyKVzB16Gv940Xle1gNonaGsH6rqyOeeCWAcugvAWeDTu2VofRCt
A1vvrMS+i0zuN417rAJ87H5Nh9RBoEXg9lqnlQz+AAEQAAEQAAEQAIGjJACtc5RmQaFAAARAAARA
AATuiAC0zh2BRDIgAAIgAAIgAAJHSQBa5yjNgkKBAAiAAAiAAAjcEQFonTsCiWRAAARAAARAAASO
kgC0zlGaBYUCARAAARAAARC4IwLQOncEEsmAAAiAAAiAAAgcJYEH0Dp3+mD1o4SIQoEACIAACIAA
CBwtgXvROmU4GS3k+war3pc+3phHthrteU/EYHKdktwukcHUcQAEQAAEQAAEQODoCdyH1tlGvuXc
sdYpk9V8nQy/ALQfdKckt0ukP2n8CgIgAAIgAAIg8CQIHKJ18mg+oWe9mwazR9MgE4oj8hmbxk0l
04VjjoOyotfJ0VPh+cechFsR11mGi4nDTHqdxHgRF81lRbyYuHSBabmT5aY+kMxsd5Eka99lpumt
CxUcKoNxnTr/fyRe+1lslv7IsSgHy/XX6bYaKsm6zmM4a2ceBFPPtphpWs5k2fNo+zyaj3l1xMPv
ZQxrm66nI5uXYeSvU/EC4Wzp2rM4C6cjyzTd//1/2u9Ipbe4s0lIp26zcOaJqxWKMvDYJMyiuWeb
pjXbNODwBQRAAARAAARA4CACh2idMgnpJZ9lWabriWXKd1MPaJ2qqspgbLbjOobJRrMwzcsii+eu
aU1joZdIINmTdZIXRUbvDzXdZcaLncxsZjuutwg3aZqVvRNh5WZmM2+d8wu2aSRfRJqFU9uUCmi3
JFw40RX7sjYMaxJQrlWZzF3TnidtlmU4YbYfZvRSw2wTRkLVFOHEssarJC/LfLP0mHzTIS1Xsh13
NAuoKkUejLUXwm9j32KTqKyqLdVmtIhzeqHpemLJmtFLcyzHdf11nKRZftPAVrvc+AsEQAAEQAAE
TpDAIVpHw7KNJvXQfyOt06ibqirWnpQ023jKZEyDZ1EE4zp0kcxsg/mkAeRnZ4HzdjNzGqVTnyX+
38ws5vOI06DWuSbrWnJVvSKLiznbj+oAkcg1X41qiUU/xFOLR7UoImWYXtCcXIZjZssAzTb2GfMj
CkKRfFKaipQYhbOqMvAMQytOu6b4CwRAAARAAARA4DoCB2idbRYtfM+1+ccyDTkk30Tr6CJA6Q9S
B61hnEb4EQ/U0LvKaUas+XS0znYzd5i3EkEgOimPl1PPdUQZmXGd1rkma5p6kx8uYZp5L/njNl1P
bNO0velSBnVI3DB6n3PzMQ1jRNdRyWWYSVxNskbMRm0jn0kVmM6d7tU8NEZxHU0D1aXC/yAAAiAA
AiAAAgcSuFbr0IIS053HYvpkT1xn3qgTpWZ4IToyRR09XHB0wivbZO6wkaZ0+ITUNOTTTlV1QFzn
8Kx7tQ6vV5lFK1qEY43XpLniKTPH67zQPiUppk71aWKMJM5ss+VSZ7bhsiqd2+ZomWoXFwUdIK2j
zQceaFWcBgIgAAIgAAIgUBO4VuvwWItY/0vhk1WzfIUmoPj0C09qG07MOhLD1cx8aM+50jpcRo35
ulyeBp/DmvLltxTX0YIrLcWwo3T4tJjdZEgZ6HGd5oAmOw7PeljrCIQ0JcfzphPt2e5WsV2tU9Eq
HWsWR75lz+RSoDKkQmuTdtJA0DoSBP4DARAAARAAgVsSuFbrcOUwXqXFllbcjmnmRiwroUHe8kO+
DqXYzF3TMOpZpw2FghaboiyK3WXFSutUVUrrdsXa5FyuTRYSaVjrCKUjlzDLStOyF3NEGZZ5svYd
Vmudargkh2bdp3XKJOCLtbfbMoumtLKGFkjT2mTT8debrCjyLImCkG/g6tE6FUkt23UtbXaK1iab
1ngVZ3mRZ2kcBHxT2o7WKUPfYmO5IvuWRsdlIAACIAACIHBCBK7VOtU2C3zaFW4y25tHm5XnyCW0
2yyYjixmMmY540W49Oq4TlXl4dTlW6/9sNSiKZyrrnWqqtgsJ67cKj5ZNpvRh7UOXxaj7ToX8Zw8
mo3EzvXRNEiCiSXWJu8tyWFZ92qdeM43h9MKG8ebhXIXPqGaebQVnW+hHy83tOCoT+vQrivLMDqT
U3m0GDt8w75pOeM5h9GjdZo9WifkpqgqCIAACIAACNyawPVa59ZJ40IQAAEQAAEQAAEQeHQC0DqP
bgIUAARAAARAAARA4B4JQOvcI1wkDQIgAAIgAAIg8OgEoHUe3QQoAAiAAAiAAAiAwD0SgNa5R7hI
GgRAAARAAARA4NEJQOs8uglQABAAARAAARAAgXskAK1zj3CRNAiAAAiAAAiAwKMTgNZ5dBOgACAA
AiAAAiAAAvdIAFrnHuEiaRAAARAAARAAgUcnAK3z6CZAAUAABEAABEAABO6RALTOPcJF0iAAAiAA
AiAAAo9OAFrn0U2AAoAACIAACIAACNwjAWide4SLpEEABEAABEAABB6dALTOo5sABQABEAABEAAB
ELhHAtA69wgXSYMACIAACIAACDw6AWidRzcBCgACIAACIAACIHCPBKB17hEukgYBEAABEAABEHh0
AtA6j24CFAAEQAAEQAAEQOAeCUDr3CNcJA0CIAACIAACIPDoBKB1Ht0EKAAIgAAIgAAIgMA9Erhe
6/wPPiAAAiAAAiAAAiDwgATuVvgcpHWu8AEBEAABEAABEACBByHwP//zP9A6D0IamYAACIAACIAA
CDwGAWidx6COPEEABEAABEAABB6KALTOQ5FGPiAAAiAAAiAAAo9BAFrnMagjTxAAARAAARAAgYci
AK3zUKSRDwiAAAiAAAiAwGMQgNZ5DOrIEwRAAARAAARA4KEIQOs8FGnkAwIgAAIgAAIg8BgEoHUe
gzryBAEQAAEQAAEQeCgC0DoPRRr5gAAIgAAIgAAIPAYBaJ3HoI48QQAEQAAEQAAEHooAtM5DkUY+
IAACIAACIAACj0EAWucxqCNPEAABEAABEACBhyIArfNQpJEPCIAACIAACIDAYxCA1nkM6sgTBEAA
BEAABEDgoQhA6zwUaeQDAiAAAiAAAiDwGASgdR6DOvIEARAAARAAARB4KALQOg9FGvmAAAiAAAiA
AAg8BoEnoXX+fn1/9unn5WPwOaY8L75/PPvw/fyYioSygAAIgAAIgMDRE3gSWuf3p5fm2beT1zrn
X96Yrz//PXqfQgFBAARAAARA4JgIQOsckzX2lwVaZz8fHAUBEAABEACBPgJHrXX+/PfKNNof8+13
qgYd0T5NtOOJ/H7+9Uwrvfny029hm/7f6dc2BcN88wVzWX3+jN9AAARAAARAoEvgqLXO1cXfP/T5
/v6F+ea/3/z7+QlOZUkMPz+9Ml99/MEx/L3oWhJ/gwAIgAAIgAAI9BE4bq0jS4z1OhwE5rD6PBi/
gQAIgAAIgMB+AtA6+/kc01FonWOyBsoCAiAAAiDwVAg8Ca3zVGCinCAAAiAAAiAAAkdHAFrn6EyC
AoEACIAACIAACNwhAWidO4SJpEAABEAABEAABI6OALTO0ZkEBQIBEAABEAABELhDAtA6dwgTSYEA
CIAACIAACBwdAWidozMJCgQCIAACIAACIHCHBJ6E1jn/8ublx18H1Pr8yxvDMPgjiZn18s37L7+e
1SP3vr+13v04AANOAQEQAAEQAAEQaAg8O61Tvx3z8vzX5zOLvf3+jNQOtE7jt/gCAiAAAiAAAocS
eLZa5+rq6vL7W/NFHQ86//nf29cvmGlar97+97N5mdTl328fz15azDTZi9fvv/yu30Bx+efbhzd0
Op3/uQ4PtZ/m9+M9s97/lKT/fn5tvvn8/fO7V5ZpmNb7HzKlvz8+nb20TNNkL88+fm9eUn7x+8t7
Xpz2z/vNBq2znw+OggAIgAAIgEAPgWerdS7//vzvDbPe/eBxnT//vWYv3n37c3l1+ffbuxfs7KtQ
O3+/vDFffiDpc3n+89Pr+i2cFz/ev2Cv//t1fnV18efruxfszReuUvZrHcNgr959+fHr9+/fv+X7
qn7/94q9/PD9L+X74+Mr9uq/P2SEv1/PmHX25ffF1eX5jw8v2evP/Oce+7R+gtZp4cAfIAACIAAC
IHAIgWendeiF4CZ/Lbj56j2JG/r8/GCxt9/q2SwegvnK/zr/+oa9ePf1t3ij6OX5+QVdcPn9LWsC
QldXpHCESNmvdWqlpLj/+vhCy/fy97cv30nU0NvYXwv1dHV1dfH1TCavLuz/Bq3TzwW/ggAIgAAI
gMAeAs9O68j1On+/vKmDKFdXl9/OTMNklvwwZhovP8lIysWvrx9pcou9eP3247ffXAFxMfSlmee6
osmqDzRZdY3WeaNdw5l/f2e++LC7qPrHe6YVx2KmIZLfYyeRHNYmX4cIx0EABEAABECgS+C5ap2r
yx/vLeudXJnMv3/7e958Lnj85urq4u/vPyLcI+e8+Dqby2/tuM7XOq7TDsHsrtfpap12XOfq/PfP
36Sg+Hvbv/QUp2udzt+I63SA4E8QAAEQAAEQuJ7As9U6cqboM19nc/nr00v26sN3vorm4vfXTx+/
id9/vrfYm//40uPLv1/fWuzdd5rE4ut1xO9ifY9cr0MqhZ3JtTvf378wOmuTu1rn6venV+zVxx8k
cM5//feGvfr0m2zy5/Nr9vLdVx5Fuvjz/dNHtSh6n8mgdfbRwTEQAAEQAAEQ6CXwjLXO1TmtAK43
RJ3/+PT2Fe2HMq2XZ5+aDVEXv7++5/utGHuhb9C6/PNV7cPS9m1d/Pzv7IVlvXj56s2Hj29fXKd1
rq7+fv949pK2eVmvtGyvLn59fveatn+Z7MWbD/W6ol4TqR+hdRQLfAMBEAABEACBAwk8L61zYKWf
6mnQOk/Vcig3CIAACIDAIxKA1nlE+DfNGlrnpsRwPgiAAAiAAAhcQes8ISeA1nlCxkJRQQAEQAAE
joXAk9A6xwIL5QABEAABEAABEHhyBKB1npzJUGAQAAEQAAEQAIEbEHgSWufg95zfoOL1qX+/faR9
WIZpvX537K9FxxxWbTX8DwIgAAIgAAIHEzhtrXP56yN/7s6f84u/P/+j16J/U09LPpjhg50IrfNg
qJERCIAACIDA8yFw0lrn8vs7pr3Dgb/36vNfel3VS/569POvb8TzeegFWWdfL67+fn7N3v4nn7zD
XqoXoF9dDbxHnS7pff/5bVwIWuc21HANCIAACIDAiRM4aa1D72p4yx+ULLyAXunw7vslvV6ClA1J
IfPlx9/0UodX/OWffz+/NsxXH77/kS8ob97ZOfQe9SvSOj3vP7+d10Hr3I4brgIBEAABEDhpAiet
dX59eMHe/VD2p/ePn327vDr/+ubFh5+Xvz68fHP2+vXnvxff3r7gz19uvxT018cXUioNvkeda53d
95+rLG/0DVrnRrhwMgiAAAiAAAgQgZPWOt24zm8R1+FxnDeff3x6ffblx8dXb7/++PTq7Cst5Glr
nd8fZVho33vU25f8m9NB6/wbP1wNAiAAAiBwkgROWuvQMpzuep3//lxd0ezVi7O3b17/9+fyx/uX
b9+dyXd2toVLo3WuBt+j3pVH/+Zj0Dr/xg9XgwAIgAAInCSBk9Y6V80+rIuL819f3lpMhG+urmiZ
sskXKF98e2uZlnj9+VBc52roPeo7oaB/8zFonX/jh6tBAARAAAROksBpax3SIt/p+TqGYVqv3n3+
dVE7AV+m/OPySsieN1/EVvShuA6d1v8e9Y48qpO/3f/QOrfjhqtAAARAAAROmsDJa52nZH1onadk
LZQVBEAABEDgSAhA6xyJIQ4pBrTOIZRwDgiAAAiAAAi0CEDrtHAc9x/QOsdtH5QOBEAABEDgKAk8
3XYMLomuOWH6ovzkeRFHKX8HtQ51ta0s7TgvujBEA1LFEPATnotdZF/WrTybAtfsTTmw4+J6Naad
HeUJH/LiOH/4Cc3Rq3WoT6dvHhYNobVVTnnaNdNztPp6E2XSxaM085+fKHfI+TKXeiuv+6CdPD28
yKjNn76qsiwOXE0m91XDdSlOd8j9qKa7dfKlD9q/SOtQsbqcJxw3XUuVZHdflrs0i++cbar1iP3+
ck9qHco/YVAH2YLJ5rq84LIs27uKxM2TY+lPNAZ2gQAIvC4Cc9A61yPe7sO6XjmzthyvjTMTZLe1
1KwrfbnzJAPqkc2Xn/+gZ9BXsBjB/qAEUG0QAIEbEIDWqWNCN8A9tyLShDo9nprUXNbq0bTOvfKf
l7zn+v/g6cZyT91Ooqe2CjPNtT7wGwRAYPIEoHWgdQYvUvrNLcnGsl4EbvBQsePRtA6tOHmP/Oen
W2H6e9No6+ULToolGxsdT9P3HR6CAAjMksBja51ZNhmcBgEQAAEQAAEQuIAAtM4FsHAoCIAACIAA
CIDA7AhA68yuyeAwCIAACIAACIDABQSgdS6AhUNBAARAAARAAARmRwBaZ3ZNBodBAARAAARAAAQu
IACtcwEsHAoCIAACIAACIDA7AtA6s2syOAwCIAACIAACIHABAWidC2DhUBAAARAAARAAgdkRgNaZ
XZPBYRAAARAAARAAgQsIQOtcAAuHggAIgAAIgAAIzI4AtM7smgwOgwAIgAAIgAAIXEAAWucCWDgU
BEAABEAABEBgdgTuo3X+Dy8QAAEQAAEQAAEQuBWB76O+/t+o1mAMBEAABEAABEAABKZFAFpnWu0B
b0AABEAABEAABMYlAK0zLk9YAwEQAAEQAAEQmBYBaJ1ptQe8AQEQAAEQAAEQGJcAtM64PGENBEAA
BEAABEBgWgRerHW+/fPXP99uX6dv//7777f/blTuP59/ef/p7xcWNgqo//79+++vI1f7v2ey/PfL
b+8//Pmith8F7AvbBaeDAAiAAAi8dgLna52vn35YtF7/+/DP939//1Hi7/8Y+el7Avq3vz798tNb
JkmStFhI/KePf59V9r+f3/HFm1/P1ivfvv7zb2X468cfpB8+fj3h1dO7ng2q5ck/H/4nvf3t7Fqc
duvb359/e/c/LhWNKvGfPl1Sx2+f30lvfv3rdBnV3r9/e9u6eBY/fvr3+xhgqxLwBgRAAARAAAT6
CZytdejRxt9/+fpv9RJhldajuL+IUbf+++XDb5//Ejrk21+/vl2w9388bf/bl5/fvH37Rnr3udIv
J0/69uXntz9/KY+97KE+ZPh5oNqefP/+7etIQbSvn39+w9789OHL3znLr399+fLXJTGa//54z9nP
56rcr59+kN7++mfz6vn+fRywQ8CxHQRAAARAAARyAmdrnT/fc/auev4X+L7+8fHDl39Klt/++fLx
11/ev//1w5d/vn398vGziLn89/fvHz79+W950PevXz5+/JIHEL7+8fH3v76J096X3SHf/v788df3
79//8uHzU491Cgu8/U0U/9/fn375eaBD5dsf79+8/fWP33+SKBJVvr79+enD73VQ6L9/Pudefvv7
84ef3iz4j7/89pvYQg91/v7LP3/+/uHX9+9/+a1Zl+/f//3r8weqM22voyL/iMqTqV/ev//013/f
a1D07rfq9eHjH/lZ//795dOH34Sh3//KYR158v2fLx8+/lGRPFH0t69//k7G3v9a2i+rLf7/99dv
b6U372tTrb3fv/395WN59j+l4qNDyCNqm18//vEPmfjp91IdPdFqQij/8me7mI5a+u9rTvj9L7+V
BL5++fChuFS+f6frqNFigkVNvG0an0AABEAABECgJnCu1vn7t7cSdTu0XiQ2/ld07hSBgl8+fPr4
28//e/P2LS86OEgk1UGS79QNUxgSp7/7+Ycf3pGu+PL1+7e/Pvz45s1Pv3789OnDz28l9u5zp8BG
6f/98/u7N29+/pIf8cd7tmA/fykfvY3jvv35y5s37//49p38qINAIqbwS90D89evb9i7z9++//f3
519/4os37377+PHjxy///Pedel/42x9+fP/bx0+ffnv3VpJ+KPp6/v3j1//xNz/98uHTp4+//MgX
ohgq+u/f3rIf3r374Yeff/lNaKMGqH++kOGPHz9++OVHVp7y7csvP7775cPH33+neks/ff5Gz/Ye
T0p5caroxZv//fhTw9uj3jfy5s37P5sqpgJGTcDf/Pie6vTrT2/qNvjv748/cfb2XUHhzRte9uud
0WpCKHeDanRJlWrp6+ef3/K370TLv/8fk97+9td/37//8Z5JP3/Jffv7t/9Ji7LI7//+/hMbrTOv
qjzegAAIgAAIvEoCZ2od6oNgP334XL7+pN/7jT6Ir59+ZNWj/vv3v359syg6OIRI+r3SLN9+/6kc
cUKnL/jPn8sf59++/Mz5z6W8+e/LO4n9fNxB9fXzL+9++umH/7398f2nIgBCDfPt69e+ocr//fXr
W55Lpq+1yPr+XSiffgX27fM79qZWQV8//kCP2DIg9O+nH6W3Ijz09fef2Jtf/ijlFVWs0FLilLe/
1GGTBqjyIvr3y/u3b979XpotNwudJP2Yx0uOPSmU5RNF/9j2No981SWcGPQjmqBWmP/98TPLhRfJ
N+l/QoCQIdqxyLXsOa1GcvHNzx/Li+fLX9TkpLiKUVD/fPgf+99vVZBNaDEaW/XnL7zQOl8//fjm
p/fveK5v/vvr1zf8XZ+yrWuJdyAAAiAAAiBQEDhP69DDWnrzvx+K148//fbnf98bfRB//fqmDNYI
u/Q5/8lO2qDRdUQPSf5edGaI0ymUUrzoCcd+eP+heFEEpW/o679/ffn8+XeKObA3tU4qjbT/k9KR
3v7y5S96/fnhB6nSMMMKjB6wjTgU1bw5+Lram1ex0nDfhTYTcaPuKU1QuX/f/vz1f29++lT3D/33
799/fP70kXq33r0ttWCPJzmQ84uuvG1woRYpmqCxVbwlFdRorFxsUJDpvy8/s2bYjJox17LntJoQ
ym/Ki+eHH999/LsplP/742ci/v/bO0MmV3koDP+XKhwuDofD4XA4VF0drq6/oK6urq6qDrduHa6u
DleHy533kJCUhdJvuHc+ZvatWCiQ5ORJZ/LuOSeh/yFo0ZPIwP4uo6C4aY18q+RQV6WKEAiDsH4x
c9gPficBEiABEiABj8BnWmc0WcfFIHDmL1QSgSOhk4FrAg4fCRV1gZ4+hKG1THAqK63UkePVqQHP
ZHP6tVN++Z8PtAh7BKH7BBvjpJDGvNkSU7md/l9VkKfnpAGoARFxwy6jZ0EG/9WwSOeqscEarZ/f
hzTKjr0Xo7mVCaJGh9P5crmUaS9Epiz5vOneWh8ODO08U/5VnPcaw96AkBFMcLB4slS8PNIjEU4z
oyba702yDgbSr7wTUkgNq/fIJ0cOuvgM630cbisTlByNwFnDeSQBEiABEiABR+AjrSOz7ptknds2
6PMqEJ04Z9Yl002Sdl5qv8re/yPzqJdKIlph2Iaz88cZZtkxv0//YH1MQhd7kqCJXbDd3opQudkX
gszOtiLTXAozeu5kiqeRkEriLetqqx1EHNw8gyJdsMZmNbX1MYvSg1vxhLZV79TwfV2Tlnzc9KAG
QwYBJc9x1fOCtHjNyepFlSyYd2E9DXdZ16NPRm1GKLfXPPAGQzcg0m1jAAOK0ymLcgmCQrrhq8r+
0+J4r4c8JQESIAES+I0EPtE6smB4mPWB/9at1vgu1SbeI5sUbotjhjxhWY3cIvYl3g6t2/t1G202
JqPULy7cMZ8G2bHuQhntY7hnXnuvzPpordtHdchCk4ejm+qw3Q0zX+6nNEydZkETiDIFkqMjgRcj
MJ71uVAb2e4FD8HJ4HKwB4IMGsn0+XFKAmUyo5/fpyJS+UUSjwZFXoI193MeJfuX7feAzniYnvVl
Gweb1Ai+SUveNu251zxrhbD9g6X6m2h77lbu67a5192KtwYpR6Ybz/tlG4dp535CTUFizh9VmQQm
WUf2V3o3akb7OaLGCJ+SOJr2nfxrvg6Z6jPOIW6iOLLjKPI2iuwvzfaHRxIgARIgARJ4S+ADrTMa
g9Av26s8LkUUbIJQqSjd7gubrKN1c92aGyrO98ddbENFL8XFwvZ+RiWbIMROgVGGpA7v87gUsu2d
3A7jfI81UvhIJrAXkJJryOhwya6mmt5Poe/nXKElpVRSHA825xVxHGw6iDvpofaTr6UKP/1FFixJ
iAzGljbc9kPDOVD3Y4Lt9LANonzEefGsyrgjp5LidC6TxG4VOG3Jh0371hoC3aGtL9sk7Lf2Q95T
l3fU1jIEglilu7MRnlgTdsoMsDjbn3aJsjvrzIwaAmP9xgDOiFdKTVUmIcY9DMI4P5hV+GZooaqM
X/B5zYPN28V5rgWekQAJkAAJkIAl8IHWsY/OHPGqASyFwr/snndB6+4dBDOl7e1n83hMv/zh2Yzc
bpuH2+PY1jN/bLEpoo2uvTwu70x4uTL1Rbo2WsdUibHr07W8sWS60FgTI9daoB5hPTlcADa21g3O
vJFhGWny3SWM4kTt74rxHgmQAAmQAAnMEfgLWqd9uiU0LTwmLv9krnXeJwESIAESIAESIIF/S2C5
1kEWRRineVHkWaIClR9d5u2/tZ21kwAJkAAJkAAJkMAcgeVaB/v41V+32/V6q/6XV57PdZH3SYAE
SIAESIAEfjGBv6F1fjE+dp0ESIAESIAESGDlBKh1Vj5ANI8ESIAESIAESGARAWqdRfhYmARIgARI
gARIYOUEqHVWPkA0jwRIgARIgARIYBEBap1F+FiYBEiABEiABEhg5QSodVY+QDSPBEiABEiABEhg
EQFqnUX4WJgESIAESIAESGDlBKh1Vj5ANI8ESIAESIAESGARAWqdRfhYmARIgARIgARIYOUEqHVW
PkA0jwRIgARIgARIYBEBap1F+FiYBEiABEiABEhg5QT+ABYIs1RtZekFAAAAAElFTkSuQmCC
--00000000000061844c05aa7fbaf3
Content-Type: image/png; name="image.png"
Content-Disposition: inline; filename="image.png"
Content-Transfer-Encoding: base64
Content-ID: <ii_kcnq2gjv1>
X-Attachment-Id: ii_kcnq2gjv1

75xnwDYhxzSdICl4+AQbeDoS17FOPMu0/TivOsFpTspUZNNipVzDwGoTJeeA44djSo4x3ag5VRg0
MsoStCxfTsexGsCfT6vAYqDmgZFRMVR8OiwCqOqw+fjx5h9R4+buFTMFLl2s03eZw/nu3pRxdPTY
nhAUiSL2L5dM6yaOOi86BIOdJ1YXhqdMellBADMGdddYmI+77DyC8jBYUDCNU9MSlIfa72I2DLOR
Xe/K1LEz5Vdg+S99fYmgKPR0XcGRwAH0FnE9TspnhugbxCW8rGXWSSGbh0G7Qhf6Ra/cPrHlnG0M
n3QIDqNrBMUw7CCNPdPhYXRu98PyQWRlWoNVKgQFf099nUPmjBMDM1M/e1EBEmWU3hObKyJYGCep
caUBEeQEBUC03Kxnk7uEr5DJCtACZnKrAgi2ERT7BHx5qx5ecOx1ZBuG6Yo1ORb8UUQHw/QSUMdR
LW23riiwLyq5PKoHa8qeoBxs+jqJKaTSbjUQcihT+gko9hWCknFurW+mbjiokh19APxmrE7hRniD
1jEcBcDAjf9IUOZx6PEzwILR5+5CB+/s1C/g6ve8I5bxDvkOJqyOihWVeWhukLsD66FPRiK2fhnb
Mg0c0/JZDgocPJa5VzBVkTYy9zmCcm6UThVGysB6+UsERdXbI0FR1c/N2r0BY3XDqH5qplQjPm6K
B9NEK6znB/K8tWg3SCW2rxCUc0t11PmtHfzLsTkHv75AREUQlDNj9XGXXScoWqf2SYKiMlPwg8rM
7Ez5j9D8B35/naCAau8mzRw1nNJtkULg6koERekIZDjqks+G+t7rb4fxC5QnhxoYXsWtorYwaw22
A23/cPNNWwSY4Xo1ki7KPtR4JCjssqN7gaP7G3UEBZZypKGH0gVBwQV6N+8gdCvZghALLay6cAIO
l/lVDfjbnSzCdQovyy+JqvstgOQctsyBTZa+6GWgWNRY7tLrM0dZ4tFhruQIgwDqOOUtASsTiggK
88abbuEaiQoPu0cxfFqCArUpsfKHG2EhReYrg1lmwT99M3XDQekR0BbI7RYLS5h1xFyrIjPeoFVs
tJTgUPgHl3j4vBKwik5zUD53F6ifoQQ9F5gEcvXbpytAcPqhIzBdRw2Z8pAXjgSdgol2wTS6iQXB
347KMiU50GL1AkHZNB+G8NmoOVUYKQMT8CWCglmZCkkelWVmrfoBcdUsfguMNGbKUNR9W+KBeyDD
J6r6m//I2MU6ipwhgYpxOgzrk2yfApSih0JrqY46Lxqw/y+bA0FBafrRFrj4pCuNLn3cZecE5UyZ
tU4NXY40UJJlwuBWIMegFXdVh4YfCApr/pny74H5x3+9RFC8vMM4xzjcq9QzBS2BPE3LS+tunMax
75qyBk0GvbDCWz8tkIcaQmyXJSYevAVL0sRkpGGcxqFvq4rt49l7/X1HzHVkwo6caZ4gXIP96PPk
rybDJFkMcmwEBZ48EFh2xFJaIHSAuZGQZTl0TVVjAuChRmgCU6YRhBqmeVmmvorkeq0Qan+jjqCg
yvv5fZrnsStj15IEBWIntheG54/u4EmySQ3tfUySfQRfyAX/0ZhDrtceXkx7Y6m2w83fKAo4Hw9E
nCbwfq8CxQJn7iYppPzx8agpCqf1VlDcx2keuypxtyVCtRGwzI5Zrqy/QeXsAJJk+T1bYra8SRn/
B5UDS8Yj7bh9w02qbhjH/t40oAbKjUApbR4vm+6ZZxoGc7Xo6k+bicmAz3sECIph+WkD3dlXsbNL
klXXrvSKvUJqJU+SHXmSLHcgeoKyfu4upn6YBDpPQ5N6pkyS1XTE0JR1BwNmnjpIQk/vy9xVmDK/
LPPQJK7JUuHPtWLp67LpRrh/bDO+an9S5s4jPjUC6vxFEgipLbgSq2i+ZtRgh5gHhdF7Zb3iKRYD
vJ4N6c7zBD3pyCRZrfqtfe6ZVpDjroChv9dlg1kYH5spUDxmJ4c6dTfFY5MsKwh9SyFLEh4ttkgQ
nKSBdOh5eUJQtONCGW6yPvx2bnWBoJhOdLtDRjJkne6SZE+s+tkY33XZOUGBBXAHKxrwyRqQqa11
auvBQMlGoSJJSxFYYg+IameguRtBOVV+tHh/8Lkeh675sZ+vEJRtpyful4oKsQUXNkbw3V3sDNtA
uAzVtu8ua+63wNUQFMhvavIQttAasIk2ZOn2h7DEARJY0IYNlaaTsm3GQ5UG+DRA2Ga87etVCAru
xdnUYxHXQ5VeyPbtKlYDqlMISs32JLOLt83Hm0z7G3UEBdqZ+tBME3Yid1VkY5IsFgMuz1Aybbey
mSB2UrVFxBp43Od5Ar569xm8nJ6IPAjwdjyKwtY/DfDLOD9/DSggRH2p9HsNm8q55zwtClhQm4V8
k3lctrfgJIKyQhKQY0J2NittUzlUGLHNUm22tBH7rYM8m06sDy497A6HzCfT9lLI4VRuhG0CiQ9b
x3GzbF0EWyRB38zz4aCIhtpS7HZ78miKWjW/YQPN3Ck2wIY7ccXmfDkanxGUT92Fgwh3ueNeSY36
7TpigGfZAqi4nR6f6Ti3uJcWDlmwU1/shNsayAYXjsQFHu3J7AE+oQCzbU/K3BEU3NShMwIfExSe
9iI1/9Qo4Tb6g8LsvB1bt+JZEpcICuxDTX1UbjBdt0im8OrVT25FBZsbsC0L48dmys0atqcZOwaf
cyA0k2W2nPITGNbCYB71EDKDcLszME49FGDGztzEbrgJUdj/8+Y0seUk5WZjhLfAWzYhFV1Ck3Qc
4zs5NQQF1hP5xnhQ2RgeMqtzatA41UDtBrJQJNxdL59vurtGJShnyk8EZa8b9OvHEYAxo+xm+vH6
qcKfQmBPZ3+q1s/Xw6w5PgXi84XQnRcROPiti3e94zKgUx8sHL2jmi+W8efw+aLgdPsnELgcQflE
2XTLKwjAs3EhT5Y+/zwCfydBIdX8GcX8Yw4YdvKIxyv9TFM/Vcsfw+dT0tJNX0OACMrX8HvH3cvM
MhG2xcl3FEpl/F4EiKD83r7585L9vANeFnheZe5bJ5lcfx6PowQ/j89RAvr9cwgQQfk5rDU1wf4i
XNc9S6TQ3EOH/2YEiKD8zb333bL/uAOGzTzwYo9ol5Hy3c38dPk/js+nJaUbv44AEZSvY0glEAKE
ACFACBAChMCbESCC8mZAqThCgBAgBAgBQoAQ+DoCRFC+jiGVQAgQAoQAIUAIEAJvRoAIypsBpeII
AUKAECAECAFC4OsIEEH5OoZUAiFACBAChAAhQAi8GQEiKG8GlIojBAgBQoAQIAQIga8jQATl6xhS
CYQAIUAIEAKEACHwZgSIoLwZUCqOECAECAFCgBAgBL6OABGUr2NIJRAChAAhQAgQAoTAmxEggvJm
QKk4QoAQIAQIAUKAEPg6AkRQvo4hlUAIEAKEACFACBACb0aACMqbAaXiCAFCgBAgBAgBQuDrCBBB
+TqGVAIhQAgQAoQAIUAIvBkBIihvBpSKIwQIAUKAECAECIGvI0AE5esYUgmEACFACBAChAAh8GYE
iKC8GVAqjhAgBAgBQoAQIAS+jgARlK9jSCUQAoQAIUAIEAKEwJsRIILyZkCpOEKAECAECAFCgBD4
OgJEUL6OIZVACBAChAAhQAgQAm9GgAjKmwGl4ggBQoAQIAQIAULg6wgQQfk6hlQCIUAIEAKEACFA
CLwZASIobwaUiiMECAFCgBAgBAiBryNABOXrGFIJhAAhQAgQAoQAIfBmBIigvBlQKo4QIAQIAUKA
ECAEvo4AEZSvY0glEAKEACFACBAChMCbEbhIUKY2j6PHT5zV44NAy3iviixJ4iQr6m56OL87MN9v
SRwlZb87+skfQ53GUZy38yfvh9tGLCNrHtv1hULPbh3qPEnL7iuynhV75dhQIU7NQ9/MspvjOE7S
/PZhB16pj64hBAgBQoAQIAReReAiQRlvnnH2cbI9s5i7InRM9UorLAeNUEtfRuxiM24117xyuM9c
qNkMygfP+6SYvkziVPKsLnMMw3Dzfbue3H/1FDAfhYixesyw/iRDWe5FHOftKy3dJL2ntmEYXvHQ
MePNV/sOv5te9iXGt9X6xi9Tk8dxcV/eWCQVRQgQAoQAIfC7ELhIUJbx3qifuojAx9lxu3cSYx3Z
humEedXe2zrzLcMwrOjECS9jnbgbk3kLQelSoBbw8W/X4x9IFJysE93yXQQFKZ4liRhQOS9IJDMS
Alz7v7SxZRjeCw1Vyv2AoJh+3rZt21S3BDvQUOBRSvlzX+cqNA0jrD7J7f6c4FQzIUAIEAKEwGUE
LhKUY3nMjZ85rmXo+s1xdDhVP7tsamLbMOwgS2DO/gaCsrQJUibnGByYmiyO4qSS4YK+TCJcCZr7
OgvgetMNYP0qvnUrJyhZe6+KNIlxnarfxynmvrllcCotKrmEBRGSOKsHWOASN/Kzy9AUIbInx8d6
inaGIEAUp1KsZWxhZWxbWWHMbx7a6pYfypu6MvGQ+7khiL01bupqVkRW1LIXoPOWobllKWtOVyNU
2giKGTWiv6cyAManXPpRFbCyd2uGeaiSOM5xFakv4yiKCxmHYQuGm9Trup5Duq7L2Jas9WleVO0w
w5FbjNTW9hBLtso4dTXvkwzWpcY9bxbNof+EACFACBACfw0CnyIonAwobkvTXjZVP18vmbumHZe5
Ag/4dYIyNxBRMINbw5Zo5NLTUMDqlJ3cNxkx+GD4t/8P62ZBF/xrRvXCCIpyEL7a8ZavMVYYO9ou
sIJbj94QbzRtewsLyRubeHfQMPxy4mKlTKyxjvcrYy40gIVJtqqEIOxW5TA2bulvAZCW7WNHFQ8k
Ta0SrdrOn3QfW+JRCMrCROc9+KSKuU1lQAwYnw8MilXBylAW3lg1VsLX9XSQHspkq3f/N3LerRG4
GjeU+5Ybhp3S+s+m7/SFECAECIG/EoHPEJQJI+xmUH6wkLLccdHFTp44izcRlLmOkJ9U09rnkIni
pGLRRk9QxmUaGxTRSZoRPvPCIygQ3Mnre9e1FfPt3JuPZQBcg51syxjCIqZ/g+gMZzamm1TdOE/j
PffhUrhxmccuB5pkRhXWMy2rSlAmlN6wvORWw9JKkWYssjLXsRukt7rt+q5KMMMGlq/maaygvYaX
3aG8aV54sw0nujVd1xQhBIassJrWlXeD6cS3FhrEFt4Ee9hp7ZGgzBjnMky2SMeQfVaFG5cnVTwn
KFpI2UKO6WVN1/ddWxVplDXzOk/DDcM6wa1njWfI21EJMN2bMo/j29tTiHY40Q9CgBAgBAiBb0fg
EwRlvIHn5U5LL+B8x5xV7r51172HoHDKxLISBCPh6THi52MEBfhVjwEXZRGKeTsTXTsKPZVsEQqW
PUaMxsimzw3jCZAKwm+UCTdsecSMcb2EBw1kDopCUKYKWc9HmTPKHevaJkhQthwU7qQTkRPEKwdE
WBjL3k6tPONZG0ExbC8MwzDwHYzImG7WQYzoQhUbE2VAXYmg6CGd6wgYnhtX+9Wqda4hBUXmoDDi
ZAV5Sys7unFGxwkBQoAQ+OsQeJ2gMHfwkB57aPlQsjl8gNGFw0nl51sIylhisMJ0/AA+HkQPDCtu
cOnlUwRFYSxzFWLsA3gGiwVYbhjzT8iyIWD9iPlvXJph7VNvXJ8RFJbdq1Qp8VnGe33LM8hBiSNM
O+FrVQeCwuoybD8SkgW4ZOTm/cQWstSUUn7zlV08VlDwRJrPV/E0gvIE0vmeecBEDMO0/TjfsmqO
BGWVa0SWG6blnXiK1CD6RggQAoTA34rAqwSFp5/IFZSzhk9NwlJCky114+wyOPYOgsIoiJKWwL7y
3UOfIihK2ozCM5YG5/SPNUFghBMUuT9ZuXF9SlB0mTpjHYl9SbLKc4LCk1nlZfybk3U8lhLVMm/0
o108QdF1XcuWqByRzfH5Kk4ICqx3YQ7KU0gxSfaW+CI9xw5x5euBoGCWbZVFLs/BMb3sviVq6zSP
jhMChAAhQAj8agReJCgs10Pd1fHQuqXLcd5r6x+AotzzBoLCI/xRed8+dYoZH7hO80BQeCiAraiw
Z6co0YunPIOddNJm2H3GafkKQWESiojPBg7bAmUFxX1Eb7tryCGCsmCOsOHl951gwzgvnAIoCzoL
WztRjog6dzkoC8858Rjn+nwVjKD4MmWJwciSZJ9BKsRa54FvWWfpwIclnu2ydZnuN0bqlJRceZq+
EQKEACFACPw9CLxGUFhCo6n4GtjB2hWh6/opRkvGCpd2TC+/z4v4MDjmNvNdN8h3k9tHgnJ62RNA
mYc7bNvgeTLgpliupXw2Ck/K5Ac4OZCZI6y48wgK5JvC8pEdlSItYpmHtrnDNuSnN648/iCR43QD
d/GwW00/Z8+VXaa+qbuR+XWXP6JFrHfwCIpILBFZH5w5Okkt1jeWqW8bKHBiib1Owp7qtgx8t89H
BGVdZ7Z1m6cRvVYFrs2wKngPiSSYmeVOswjKE0jnriphYzH7cO4E63accm19NDSl3Fh8eYfZE5Wi
U4QAIUAIEAJ/HoGXCAqbUh8cj0CkAAAgAElEQVSffspm+pA1u3AycFxpYHfw9ZFtdyk2/pGgnF6m
BYpTBiUEwi7lXhnCJFMVYujf9gJI/GRZDeJpbvx+w7Qcx7aCcnrOM9aphue3wMe0LMvEwmzcMfTB
jTwcYVi2Y1teMagEZWVPheGlYpmYPIK5oIZpO65jmYZhWda2X5qzBTjpWBY8uGQoWTO5ZCgjIwh8
Gw+ccBzYBm1CaWdhsF0EBYAU+4tYzvDTKnCP0VYFVs+rWDr+iF/HD8NArMNwggJ1nEPKOR0030Wx
cbs3EBbBMbHxTvp/sJ3Hlu26rs3yer2CtvFoxwydIAQIAULgr0DgBYLC/Zx1fHosPK7CMh146oYm
T4ERlAme9WG5qXxg12kOyullOiz5fFlJTRVXcq6ELnrubrGPPt603SAtc/D8YtPM3BWRh27b9tJ2
/oBngNO+35LAxeedmJbthQl7oc5HNy59GfN63Lg+PAdlXce2YDKapu34cQFxpqnNuWiWE6TVvQw3
goInQ9cygRL4Be6pXsYm5+2Eo16UVewRLVC6KMn2orytYA/QxxEUwHLAPVvwJBigBteqcKMsx6fF
iCqWsclChAzlym+wZVphqqeQLkOdRqzbeHPqQeTRjHUawB4j03LC8v+9F3Hg2si6oIOTG4a0hCbQ
f0KAECAECIG/EYEXCMrf2DyS+Q8hoM3D/UPyULWEACFACBACfxkCRFD+sg77S8QlgvKXdBSJSQgQ
AoTAb0WACMpv7Zm/Wy4iKH93/5H0hAAhQAj8cQSIoPzxLvgnBSCC8k92KzWKECAECIGfQ4AIys9h
TTURAoQAIUAIEAKEwEUEiKBcBIouIwQIAUKAECAECIGfQ4AIys9hTTURAoQAIUAIEAKEwEUEiKBc
BIouIwQIAUKAECAECIGfQ4AIys9hTTURAoQAIUAIEAKEwEUEiKBcBIouIwQIAUKAECAECIGfQ4AI
ys9hTTURAoQAIUAIEAKEwEUEiKBcBIouIwQIAUKAECAECIGfQ4AIys9hTTURAoQAIUAIEAKEwEUE
iKBcBIouIwQIAUKAECAECIGfQ4AIys9hTTURAoQAIUAIEAKEwEUEiKBcBIouIwQIAUKAECAECIGf
Q4AIys9hTTURAoQAIUAIEAKEwEUEvkpQutQxo3q5WNtffdlcBaab98/bsPRl5NmmYVr+bXh+6T9+
9hJcTzH4eglQ/E/2yFB4ZlBOT1v1nznZxKad3v8zzaWGEgJ/NQK/05VfIihLHZrG48e/jau+VcPN
t4Ny/Ik+m8pAcQtd7tpRPb+94iv+cqoC046qYZrGcf5WBPrc+23EcC/SFbie99HXS1jXddcj/397
7+8jJ7KFgf4vRJVVRmQiE5nIJBbJisQisEhWvMAiWRGsRPxWryUHLTlAbwOeNkD7JCQHSBu0NkFO
0CY8JzjC0u7iu1eX2fuDp3MKqIKmenrGM2OPp1qWh6ah6tR3TtX56tQpOF3fp//KCUpfBIZxM+45
93nnI9SwvSirP+eM4BBawTm8404Iyg3i/OnqfxAlLAfby5q8HBMuu1r9ficItId94Jg6DCuEGpYb
5eCmuStvU0+3dpdMxaWSdplnXzaPl9589MNZBGXo26bGT+brxNlX7EvTia1aF92V+ygp72IkbVOX
2nze2ha7OL2F6MU5/rKMhIDSbSIArvALIygrkc6Ba20zy++fXgJ0O1Ejy/Jv/hsnKEOTxTH2+0+u
JfcJ9dIGPnV1SEObatbuFuz7PEH7MjL1L4eg3CDO57X/oV+1GmwvgWM1Jlxytfr5DhBoUlfXqB0m
eVlVVVlk+zitwE1zgtJXabQ/XDMQ3Oe+fulCw/ntPI+gzOWVoU5cMTqBrdpnkWNQohHd8vblGLsQ
B+s8ck34HSaAfrKmZl2V+DbeT3XTjQuGTFfux8USwwmFOWNX7qerDWdXIt5TdIcGhQg0BPjrbKyb
GnaQVKNwZWiYUZoGjqFTQnTT201iz02Fg75KA1snILcbpTuXL/H0VRIwmXVoERTbZL5JJ0kguC0g
kPvUjjMUnBKqW36CNoGVbRQ1DNuYjMJVO2uuSDPj/ycyiJty2DXuwLrMJUZUwn0cNwB5y3d2qUPd
fRa7JoICuqyL2LPgGzW5ZoehLeAiWMgyR/q9EqkaBqAXVpTufbbiBUqcw2mAK7MYulSuFPDmtAmh
SGguaIQ71ruONDLiB3/6OgtHEXSTy7ZpdaesZb4BjCiN7GmJR4gfnLi9rycDAyCz0LSO5x5AUPxi
Fr3PPUL8fPy+aTxDVyaBY7IuZbq7A7cNIyzqDG2a1TSLv1BE7lMnqQ476LXEy+dZRn+ITB7OgQiq
vIsNAgJdEZrUilgfOzYesE60vXwH1kZhmJitpT3AScIme95uPeURajmB84zesNG0TQwlHbDFDgHS
6JY3mtkwQKk49oz1VLE59ch6Z21gLo5geM+mDFxqxMfL6jxyDDKtnG3rjnVOSgiBYabYO9NEBqi6
y1fj28QmM9HdLuqo0x0Ptqe0czwmQERzG0DeVLCEs1q6XbVkwO9SYfAehuEQ6FOnKkPDissy8S1K
xt7bjEKia0jYZGAbIkHuTS+2MVSO1s7b+H/8nz6lPu9lOKmycfFhu9IjG96GgsvGj4BfEnvHvQ//
iROUxcxw2zIlfa3LfQzMoBtEw5P0I17tJUc3QFA0ojtxUbddW2WBMflD7p67zKOGn9Vt17X1Icsn
kjBJVsUmteND03VtU+ZZgaNekzjU8NOq7bo6jyxihAccJuu9TagT52Vd12VeYFlABIQICgd66IrA
IGaQlk3b1kXsUOqmWHwZGpoGazEwdHclVMDc+CQU/O0PoUFQiLat8simmjZSwzbzdN3dl03XNYed
Q3U/Zz4A5+uT81gQFKIRM8gbaESbBwYZR/dhu6hNTETZxMBAX+DwiPgAbrpOJ99RBDoNin4Ymr1D
dXdXwOJTmfomMaP1UA+DoKZRm3G1NvN1jVArRL7YHUJzHs6q2KJWmM8aH4c5USTWCQkhpo/gI0rE
TZF7QpOpHeVV0zZVFlozfFLALzOhATyC4SWo58Pe02dZWQRl0ghHsEkcYoZF03VdUxVZzhZNJFYn
txYQjCAWbVOlgUU0bVxsXDrObWOb2lsiEJFNyWRgXFBwfgJB6erUM3QvYyR+23iALBdpXkKPawrB
tsEgDdOyw/RQVXXbD5L2IrcwTcvbwSwLAqXCp/CpGEGRdrGZoPTVHvpyzkSWGA/aHrEjtLa+ST19
9PCHQNfdBMaBti7z7Ghedw7OgvTHTdvGcLsDSs3sJEFZYr41gm3LIIoNPkM3LaAcZVXDMCLRHZym
Tlw00NETzyDa5QRlu6jtTrccbC/TzmpMONFP58ae29LNqqXWeJqgUMO0nDiDXtENfRmbRHf3RVXX
1SEvcGjYhmgWeoCWHXuxQW7tojY7GMA5QwHQcBSRVQo2L3bPTSgE2fghwEC90Vnx03jE/aZAUGSW
eWJIXFDBbVhWNZ/6ehMERQjo1LE5TSFn9wygzOPThiygjzWnE6Yg4Osyb5w1VHAtm7jxkpZ9RghV
QfxAR//MLm721hgDAXzn6cPAyRQvdBj63KdESGY5hProP5q9LUpRBLo4CHiTO5wRQCczeS6oAgJR
bGIqKWoLE1G25coFtNOMIDAFBNnd7RzK3GQVmSzgtcKtL3ydCk1jRYNd8n7S5z4hzhSY4RX2RaAL
oDaJPWG6XEyB0gT4YOLPciahyYLJYMkorhzwS0yoLwIqNqdN3WmWKSUoIEQ0hRZGaGVWJ7UWrIgb
WJ97dFLzynFuGRsQSwEhMFwJQdE0wj4wc3fnaJ/EeBaGMkCXHONr9c7SiMNYIlwkay94cc0Ijxgs
FrwkKPIuNhKUBri8k4xZM1LjQdvjsRowBbQWJN9uisR+2a7x2xk4L+5bN02C4VYHPGFmJwnKEvON
EUwigyg3EjjBiGS6a3bTEId3twl2Qpy7QJM2IygSM9judIvB9lLtQJ18JfoEgLytZ7Z0s2q5NUJj
xEFnGUHR6DTDHAYQcuows1QSiObf2VLy2oudsnYhzI116jNvQD1BJ5VWurLhTSgE0YRDcAiiFQk/
iX5z3g4itUzpkDgskd7qR2Kllx7fAEERrR4bxNJBuHuGfRQGIYYT7I7CJyBgW8DkkZpelBzYSASG
BgtC04eM8wA0wKPUw0WfEZd4wC2PE1oGxGGiEpwt4g+C2BwxOCkqEzo7s/EioBBxnj9E08YIDnbI
bYKyCAHP/VZW1DEmXDA4Wvb8yY5g0mPv63pvob9mzWqA4XGPjeXwtgjFCsQZzoLXhyUz9pl7S7O3
141nM+qlSLjEIw4JRTDOvGEA4K5oGHqgn5DVIAcct+LITWh9I3ZtFiOVEZShK3eODktU4Z7NkRhK
W1YndF3EgsEKAQFosmhg3Obn+MFicXd5+1rsFf4j8FAS9dJ6zEHJYlenVozkQWY8Q1smoWubBn4o
mcZb7Cic3st6GQvacNVPgrC/S4Ii72KIgONaRJwJSI1n3fbZWoYmCyxKdNuP05IFYRbyLAmK4A3R
nITA6ngXoCk2TYbhRgdc60sws5MERZzMHPVEEEsmg9BQwEcM8sp0t+5cB5gKsXUdMNYtgiIrarvT
rQbbS7SzHBNOAMibem5LtwxDbo1Lt7le4pk6CEhxJCTOkLf9EZd6y4tBUdtD5bqNEKyfGEoZGRSz
KKR6wRFBtOEtKETR+DGM4qJP47+IfpN3Rqllyh3oCumNfiRWeunxTRAUTpHFQUEYrEGKrs73sPat
u+Oa3lK0vjmkkWsSiLt3zKH6WdMKn66HleqVo8VCVn2GYye3V34NlgBGeTSWrS11oTbiJkfSTbxh
m6CIWy5BMIYa0vXNooZhickSr2XPh6GSelmb+xTND776eQuBFcxpOMINFqBF9oCF8wbiV/QRmwSF
mBGEkPkHFwFWIq1Kg1GYEZn1GColKOsSpCa01pTgOaQEBZvYVlkMS8+GD2sm6Dw2rO7uCMqkr4Wu
F0s8wOcTZ/SxEuMBOHRvyreameVRoFDaXpFdLUSBL1chKBq1gwAXVkdqAaJtGs9a17O1YP19UySh
YxBYf8RoAJfqGgRF7IlglpK+fNQBT5jZmqDwrLD1MLg1gp2SYWzpGh+Z7jAoJ6Yz8MdArAjK3BpZ
UazmdadbDbZw0QntLMeEucpJfWCb40RiOnU0sTkp3qpq+YC/cps4+xoTuzZ8wdqHn5RhlnzTYM6y
djaLwUkl8BMW25ZXKtg8r3wFBf9BPII9jTxILv4iJSjbvWMDtNGBrpFGAxGd+7LWy77dGUFhgsDg
auBixKZguCgP8WhZKAoM/miJB1ZuhJMcOwgoCKsRw2KJZ5pYgCDQc44ICoSZxYWDKpoi8HD5dgQc
O+RVCIq8qAmgGZPpBP5djTaQ9KUHu8AYWUcZGUYQB/o0FuNIwOfOEBQUFxdY0atBUEJQMAQqrBPM
Yq1EWpXGCQo0WSRHqFNICZMDPtcx+ueVCUEoVczdZisvbCvsQiNiOfwYx1wAR2p1fJSHu7i14B7m
MTsKOiJ4mjGiIgwi3CCxzvl21l6+IAxKEoEZJdwgKBpL8Ns2HlhM40ECVDVf4pnEw7Jl7b2MoPDS
YfVV0sXmQprUpXR84IDUeKTWMoIAfyADT6ia/XIGzkIRGByaOgWe38ZQvGXugCfMDKKNPIkAKPc0
KV8RFCTMwmB1pgxHbltmq1CdYEPgLaaBDrz3aAhQK6xYM0csNQOOAh+3V4Mtv2RTO8sx4QSAQjnz
+sJ47nLx5qrl1gjeXohAtYmjkW2Csjk2Xi4DbwDLXQSkz7Z2uJkxkyIy5uUmaaWCzQvV4uEMxfqH
8Tvk3hFn8xFdfJjinVHaO/jFWPA8prEgAss3WIkw96PV+dNf74CgdGWaFlXT9X1X5wHkqMy7OVC2
Ok8ySOjru7aEhFMc8DHXywozyB9sqjJPMrb3Bzog5ORWTVOXBcuohRQV6uyrtmshzCJgh5iYQQY/
sSTZsXLhGpBBwFeAC/sTv9vV5xxGSB0ipp8cIOe0LvM0GzcBLdyhMDatTIpHUDBJ9rioTUwE0QZI
/cAkX9ZmWCehuqFPfRBE13WdD5qAp+5AkmzXlGlgzlnHQqHcLvGkhKDA2qiFicqQ5FpXhyzJMc99
JdKqNE5QmKOxI5Zlm0eYJIszbCngl5nQUEH6J0uSbcYk2XGv2EIjvLFNkaYHMLq+rVJvSsiRWJ3c
WlpMkp2aEkIe9fkEBQYwyOHG/PHmsHP1OQubC8rWW7wUI1ZNU+Vw2ZSUvW2H0GSWAAxp6/ZyiUdc
kcJES7rRy1bmKkqD0SkjyCGnHXqbtIvNBGVAG58eXCgxHpm19FWW5GUDowPm+wrOl0kliCpXk9AA
4Xp2dhvD7Q4oNTNw4DqG4YahPUSQLC0hhZjvth7BtmUQpD4mKDLdwVBGnd2hwY7umzxJFrw3dVk2
ECxw0jkNYtvstzvdYrC9VDurMeFEP50bu7YElg58ZKXbVcutEdl/iElnfZMHpiYjKEMP/cfw9oca
fMyYl70N0Sz0MEgMZnuoPG4jywijlmXoPmxqwI+s0pUNb0MBe6imrSWCnD10QE13ohSyrWvYZ5yy
fSm8+wjiySyTX8wkFWb4kEdhxYe2a9tOAosgz2WHd0FQCrYJGZbjYEPn+ilTNTx7leJTY3TLn7cp
w1ZJ3MgLD5OxvXlzclvwbYfOHt0QJLnADl9ihOttxkOTTztiDZsXfgJfEbG+SuZdsrAL1Jh3gfZ1
GjqwdRo3HM47ORfu8CyCAhtej4uSYCLIBkOMQTSNjiLBnEBj5A6ugtn5IjkPt56OG6OnvcFCcXAo
2CV8lRIUGINHHYBunGDcP7wUaVWaQFCEJsPtYcotQgJ4d4kJQWAFRRr3uu/GrerrRTfe4CYbjQv2
i85b22FH14bVnbKW7rDzcAs9Nb1dkXhjerLgnkXGDAKIbHjcVq1p1HCW+9i5qOKD2jQCe6LZcwvw
ii3jGbpD7BjQH2CjaZkHusxZStorCs/lmI5gVRm3mE8zje0utiikhe2HFtvduGk8Mmvpyx1uaIfB
w7ADoeWjOMJgfUpNk/ALqcaTWxjKOqDMzNh+cUooPikh2zlTsEIYBCYZNkawzUFguh7+rvHBc1u2
CpsE54c++EkSTIvJYHk57qwHGZ0w3XtsPVhWlKTTiYPtpdrBVC9xmJL207mxZ7ZUWrXEGuExC7iH
neqGBQ8EsIRtxlOQaRSin/ZXg8fy2b7P7ZFhlno4bTDjM9GmoXKrjQOks2uaGPE/s3tuQwEbiDYI
CthSlUaeBQ8hwF5leSzpgnefhXhbvWMRBQAMxDFtzIjRgLF3Mlg4cJccXZGgXFKa+lkhoBC4LgIw
LqxXv69blrpPIQAIcK+j8FAI3EMEFEG5h0pTIn+VCIAz2Uru+Sobqxp1JwgognInMKtKbgsBRVBu
C1lVrkLgMgTqNN6zB6q1VR5ahI6PsrvsPvW7QuA8BBRBOQ8nddUXioAiKF+oYpRYDwCBJgsdeK8A
y2QSHp3+ANqumngXCCiCchcoqzpuDQFFUG4NWlWwQkAhoBBQCCgEFALXRUARlOsip+5TCCgEFAIK
AYWAQuDWEFAE5dagVQUrBBQCCgGFgEJAIXBdBBRBuS5y6j6FgEJAIaAQUAgoBG4NAUVQbg1aVbBC
QCGgEFAIKAQUAtdFQBGU6yKn7lMIKAQUAgoBhYBC4NYQUATl1qBVBSsEFAIKAYWAQkAhcF0EFEG5
LnL34L6N94DcA6lvREThFS3XLG/xQoprlvGV3PbpYF4OxNdhq19HKy7XlrpCIXA3CJxNUOqdpWna
8duHKnjDkTa9ZBQ6qJ3gq2kn+RcvusZ3bcFrigjVDduLi5bdr60+04ucpkKwdj0ouukEvj/LJeKL
y/s6i7359YKWG6UVu/y8KoSS7+9hl3l2PL7Hd8AXpy7eXnt/G3a55FVsedn0HtCtd8JdXsTiCglB
WSK8uEP25Rq3yIr65PP13tanl/wNh9AKDltFtokj2s0nEZSlXrZqw3O34Nrb1NOt3dwbpFXf4A+3
0IoblO6oKKkBHF2pTigEPgsCVyEoVDfo8mWL+LJ1w9DJeQSlSRxC7Sg7VPia532clH3fNTV+yp1N
jCBnX5p2djUIC3R8QsiCH3WpQFD6amdTYnhxVuBLpPN9YFFiRvB+7fOq+Czw33Clfe7rkyqGh0VQ
wELugKCsED5Hf9e45Zxir3dNV+6jpMTO1ZeRqW8SlDZ1qTjN+BSCstKLVOpbcO19lUb7w2K2JK3+
hn64hVbckGQbxcgNYONidUoh8DkQuBJB8aLQoH7Owxh9EehWGLlnEpTCp8TPl9RjbnSbOsSIJPOd
emfpXhxZUNF0v0hQkPqsXmTSFYExC4bVnKoi9ykNilmaKjanF6Z3VeJjYIbgq9SLccRrixhfBE+o
6UZ5M985HZShYYYp3koJNZwor6s0sA2dEqrbYTbf0Vdp4LCokuGEWT22r0sd6mU1vDudED3EmS57
ZTjEn8Qrxxo7eKX9FIlCZ43D5S6LPRNjVqYbT8IPQ52GLr5ym8k2SpP71I6zPbQXxLT8ZIZ7ahf8
bYvYs6AyolvCA9qhyVEKrdEpIbrp7crZVvo6w3e9r27hpbKqd/BKdAKYxoe63PsgIkgoSL4BQrWz
6NRyFs0DnxokgDdKafspb4gE8GGAH2ydQIVulO64WUsRHoa+ziKX4WvYQTIG7eZmbSrFCIs6w5os
DHddVRcYh0T4Kbw6HvkG9BA/SUPEnup2kFZgO/AgfaJbfjqa1eRB+0NkzsaiiYHIJnX1GUvWJU6A
eVqtx3qRGs8kGCBXJ66ue/Nr7vdoawubP2VpHPvUmfr/WdfD2+036hqGJo8829AJ0ahhBxOU+N76
uedaEYR3T/W4Wa4yNKy4LBPfooSwSJUExr6eDBLGmAzuwwEShj5hIjIcAn2OOW8XdTSIyQ1gllMd
KAQ+OwJXISjEy8rYpG46eZ0u83R7XybzOIAdVJx7wUpM5hIjKqGlzd4mhp9vz2lOsQcs18u7MjKp
vasZagJBgXupX0zUZUIVWIb4/vpTVUgJShWb1I4PTde1TZlnBXPlVWxRK8zrtmurLDAW1bDqy9DQ
NMPPmh5GstgmhOguOrC+SVxKPUb02szTqR3lVdM2VRZaVB8ZICwx6KZl+UlRVjWU0iQONfy0aruu
ziNrGU/CSlcDFyyMEWqHWdV0bV1EFuEBsPaQZoe67bq23Dl0Ai/3iUbMIIfqhjYPjMUi2ogrwGp4
Sdm0bX3Ye/rceGyy7qU1GEhXgohM8Rhpo3ZcAIpl4ul0XmaYdAWLMhqxQqRQ3SE0NUJMhh5ExyaK
JgWhjIxVBEUjhreHJmKNc0OkgPeH0CCIb9tWeWRTvnI5CzmsEGYkOEgRiyJ2KHVHvyq9BXyYYVp2
mB6qqsZI4RV1cQh0sCTQXV3mGYsRsEVQNwEi0teJSzVCHUYQ29w3Rke4WPUrfLodQQERxV6MqtkC
EyC7RK0rvQwy45kJClgdtXcjn5TYvNzSOO6DsEh31vWSusCUs7Somq7rqsTTyTgRajOPUitMy7qu
yyIvYVg71eNmycrQoIZpOXEGFgAh3m0YjwySTEvpKysUCIqkqO1BTGoAs6jqQCHweRG4IkHp53EE
HFjqUidt27MJCkw3YeXFcIJdVq14yin2wAhK1kNXNifnJhAUxkTmmMQEaZ+5wFumr8OpKqQEBUbY
ebwci4LIEff1Q5PYiwkNXgVjImdH6JZGbz0Ibg44mzgXgtrYpKpLHU0oYMChfUEOZ6c9N3A1cMFw
KYgJiuISzTcNcH6cQ4MrErIPylAn3irk1RcBpV42kVSwgkmQZZMFZ9hlHp24ysBaItTCJMl9Qpx0
MgrAgcsKKDGPCZreBGHlCKEhQlzgMDdECnif+5QI7TqE+uQPOFSC5uAkkG8B4KHZY4xPuH7MlRJU
jD6MN3R57Tm66AsfedCSjkOxRojzgLFOyoOV3BOJ/ZefXQkBF60JyhaY56h1qRe58TDBmjK2qBnO
uWYydUstTWzJiqBwcxIsU7heVpdwyTD0uTeybjSkdcT3rB4HwouBaAmMoGeJQa76OScokqIG0MJ6
EBsGqQEsmqy+KAQ+HwJXJSgwgx29WbO30VFdgaBgO7u6SCJYdTC8dAyGwPlT7GEmKMPQHUJDxznM
mqDsb4egDG0R2ZRQ04uSA0YWMBSkaYTOH6JpR3PR5XtE0cXOEvYZDHMQrS0CuqAA8AsrCoZXwamj
M9QIr5QQTQwZMGiXoV90NHOlC+faVWnk2aaBH51MTCj3yWKhaxmWwDqgJcJYz+iGnQD4yyZjwGyk
FZG5xktw2VgsRFCEqqvIIO6c89omNjM6YATbICwd4aq0AYpjGSpSwNftEs2aSQj/L10DFLtgWodA
v6JSoMyr6qJBmq/bfpzivB0EW+oacBIQhiUAtn7JeACjgVL/hGUJqe5L1XAwqzPUutTLGmRk3Wg8
UKflujq47pl6SdUttTSuKdDVHNo943ppXUNf57HvWHNfYb1ybUhY81ILK2uZZANhOMkeBgmMa6wE
g1xa4cAJiqQoWJQ9GsQUQZkUov5+uQhcmaBg3AQcFC56w1gidJzVMInNhs60lVsCofYpWgoXnklQ
hgHC6rqftwJBgXtpcKNLPOAg57WsoW8OaeSahLDZHYwdZlQ0rfCZQwqjspdjItzBJ6HnEhTBx7DZ
up8t65yHclbpauASvdHCuWJ02tkdWCoyKHCkHKt0SO7Xx0aN63RXJyg4gRPQaldZ0MNq382y5gVB
0TdBWDrCVWncp8oZ4dofCO6NN37lcq5LUERSc01d9E2RhI5BqD3noAhc6cYJypgEhUjMuoEDe1ed
VOtSL2uQFwRF0wwv9AxiRiyLd4xQbal72bkEKiyo6hoEZcu0IFpKrKhgcxMeQZESFEG5q/44CrcS
Ho1zA8Y1VoJBrsuFoH3GVhUAACAASURBVCZGik9qZDWIKYIiGos6/jIRuDpBGSCMaIb70Bz31IgE
pc89KkYvYX010IXQvYACdEAznmMoZxOUYehy3zCCPPFmn7+ZJAs5BaKLP8mBsI/PczdgECJBYWLj
ojDQFohUbzeKt285DEFjtwgKA4GnBsN4zsIRwnjECq2iZUYNr2o+woGLh52lBAVWPNx5lQbqPJ+g
4IDNb2ZLPGwzyLLJgtsAf7k0i1nk+WDJjWYniL/PBAVmm5Os8514AI3gIRc5QZECDks84tJVFRmy
JZ4ZYegK5y3xzLcghxd82PApuoCeMMZGlro+l6AIMSsBTlip4sa65o6c7Z2j1qVe5MYzyQ9bS4gZ
wu47WAyUqFtqaUIrrkhQZHXByg8HA6BhEZRmt7GcN7ViFGNNJNjplfA49djoHWuDLLlBAvBCdLVN
HI0gQTlDI/MghgRl2wBEFNWxQuAzInANgjLg4qhGzHHQFQnKgOOLjvlfkDuW71yDGOPzS7pDskvz
QwU7icdf5rnSFSIogFab+7phCimcbJux6e1gDzMUn/BtxjO8pzgQtEL3Mwx+t4fIIprGIih1nmRl
3XY9SyfVwwOELarYItSJc8htratDluQz0xqrWw5DMoLCXIwdsXTbPMIkWRTiiKBgfii1wqxs2qap
yjzJOLEZKwU2aMWHtmvbaU8BD9Xz4RKkwWRWTLd1Fks8m3PlGUI4qCDNkyXJNmOSLBNk2WSBoGAa
INHdfVEjXkWaHm3/PI+gSEGAPCDWpLbr5T4V2S1mJWN+swg4Ok8zyKoWMopjV59zEsXWLxHG0Z7f
49ApQUp+y8qHIUpX0kVfZUleNmCRDSQ+Mw6+LPYsggKu1whySFwGyPinyzxCnT0AgT8sVcMJyjlq
XelFajxc/h761jRmQOLqhs3LLY234qoERWJa0Guou6/avmsOMJxN1KBJXUqtKKsaHAEKSE/mrUA5
eI8TxFqvhLIk2Y3esTJI6KbTfAtUN7K4vskDWEBluXZokMcdTTaIiQYAUE8Z+qK46lgh8PkQuA5B
gXFJn7IWlks80JC22LFtubAb1vZ3474XSB+JXdhEqkE+gmF58WJz7in2gB1feMoF1JJ5uibmQUIG
Ln9Qm2654fSgthndk1WwLX2UUNxMnO2cMYJSJ7jzFYTWLX8/b5yd93ript+Abxseq1uOoVKCAnsu
0tAZN6o64byJ8ZigwHaCJJgfRWd7yRFBGVh6ggZcqzsxXPblft57vCuK2Bz3Rkld0YwhHrC2w95l
2GY8711eNlkkKLA0lLNt2YCj6UbzTVPJy6plERRYqdoGoSt3DuwpprgVc1ma4FMHKeCwzTjxYfc0
23nNd3VOIuLfBcJCu9DYuXmI9yxuWfmwYbiqLvpyh/vbsRfBdmIkF8tizyIomJiAzV3vqeqrxDOp
phEjhBTzU2BeptZhqRfouQe2l3xpPKL8PVBgWMUFEDfVfdLSJuiFHnTW9ZK6+joVrOKwd8wp2b0r
cUM+Dg12DBMXsRWLRdVJJvi7EgZ/2oaRG6TpxjAkTQRl3BBNKdVho3kaWXwzwFZRkkEMMlNmA1AE
RVSSOv4yEDiboHwZ4iopFAIKAYXAQ0RA4FsPsfmqzQ8SAUVQHqTaVaMVAgqB+4WAIij3S19K2ptA
QBGUm0BRlaEQUAgoBG4VAUVQbhVeVfgXiYAiKF+kWpRQCgGFgEJAREARFBENdfwwEFAE5WHoWbVS
IaAQUAgoBBQC9woBRVDulbqUsAoBhYBCQCGgEHgYCCiC8jD0rFqpEFAIKAQUAgqBe4WAIij3Sl1K
WIWAQkAhoBBQCDwMBBRBeRh6Vq1UCCgEFAIKAYXAvUJAEZR7pS4lrEJAIaAQUAgoBB4GAoqgPAw9
q1YqBBQCCgGFgELgXiGgCMq9UpcSViGgEFAIKAQUAg8DAUVQHoaeVSsVAgoBhYBCQCFwrxBQBOVe
qUsJqxBQCCgEFAIKgYeBgCIoD0PPqpUKAYWAQkAhoBC4VwgognKv1KWEVQgoBBQCCgGFwMNAQBGU
h6Fn1UqFgEJAIaAQUAjcKwQUQblX6lLCKgQUAgoBhYBC4GEgoAjKw9CzaqVCQCGgEFAIKATuFQKK
oNwrdSlhFQIKAYWAQkAh8DAQUATlYehZtVIhoBBQCCgEFAL3CgFFUO6VupSwCgGFgEJAIaAQeBgI
KIKypee+TKIwSsp+60d17l4j0OS7KNrlzR03oj3sozDK6uNqlbEdY6LOKAQUAgqBYTiToMCoHq4+
UXLoVhB2dZHu4yiK91nZrn4TvrbFPoriUz6iq9I4ipJyXYFQyGWH3SGJwnjLI2zd2VepIFGXOpqm
OemJNmwVsjzXleluf6qRy8unb0tJhvaQxPvDJwnCSq6zUYMR6CfNq0/AdpL10/6uWsoLm1y2KGGV
RmF0E0CUoaFpeljy6q50hLItegKY6eW6rneWphE/P67sRoztuFh1RiGgEFAI3HMEziQoZWRoRx87
Eaeh3SF2dOEa6iYb08WhnS7Tw8M2dn2d+iaBkpzk+o65TRwoQw8PZ4VBDoEO144S3YTP6DKXaJoR
XdUTLiVp9ramadZuC8pt+GRncx8x5RqiVnzEMGU338r5ZUuFKrrU1TTN3ovmlXvkZnD4RILCZOMo
gqDJ/3e5rhVBERSsDhUCCgGFwBkInElQ+rau+OcQ28feoi9j23CirKybusAL9GBy+JMgTerNHIbT
gelX+NsdIotqGiHgTT+BoKA/ADdC/XxmKBjd55GbDhdy0qprih1wK2J6YQgrO91IUPZlke7iKN4l
eS3O5tsy2+8iOF/M52FmDTP8tsr2cRQnhxb8L/Oyc/BinHlPoaG2KtI9q4AV1B9LknlEI142VX+i
6qZGaaNdshkdQYJihHnd1HWZxw4F4rOfiE9X5wlKkhbNjNcwDG0JIbF4lx6aFlqIy17QnmhfTOyx
LXaLWFVbZQmG0dKyncuCk4jZPoW2HrdUsIIzCErfbKqmq4sM2rEGYWrePivzVQTlWNpjVR7JZsWH
ev603cB1jZcelzmsCErfHBiwSVHubyBcJ0ioDhUCCgGFwNeBwJkEZdHYZm8TjbinFkBw4k/cdPKr
4/19vXedKC9iE2Mbi1LHL10ROF5SpjBhvj5BqaAG6jgQVndn745xIE6M2sTGn//fAJz1/HGSlhGU
+QwcGGGBjekOsSWGInQvxYk+3mI6zhhpsvYNMgKMfRTr4AUsHnWZJ1ZLzKjsC4kkbLHpZNWUYmlI
7Li0AsIojhlX46lDCJSMLTk0GeeNwNPGpvbV3uYiUssyxmWvVVEM7KCAkvt6j9RnxI7aMSTy1Il4
EiIh//dRSwVRLyMobRGwEBurxfAyVEGPbeJaMwKmsjb31/G/cYlnW9pjVV4i2zBwXUsQWBCUvtoJ
wDKBP3E9UZBQHSoEFAIKga8DgWsQFHTz1M9X5EPEgzlf7g3F34ZhQI/GicLqV/jaQ+Dg2gSFeSo9
KGpYICEzz5EQlG4YVr+MBEX3krJp2zr1wZkj0cELiRlkVdM2h70LP6BvmTiN4e2LsiqrVnRaUwsb
dNSj4+wOyT4r67brGEGg6OI3JcEaLqvaCHIIfnQHCBEItGysfMkq2AIU6oApy/DTqu2aQwyuExem
2CKZ7iZl2zZlwjgMSrIsiqmTSc+4qxXmdds1RQhUzt43GD2AJb+ua5syTxLMqVm1dMIIwmi4xKM7
QTR/Qhc4BtK9voDQlO7uy6ZrqwRUoAcFhGr6Kt2nB0C0LRAEiDwxYyAoU1vnEdJLRlC2pR2OVXlS
NkiM4QRFUqZIUBpcfdwCVqhHHSoEFAIKgYeOwJUJSpf7kweTYdfmgaFpVB5iuWWCwkTE7BPmZKcU
jpVLnCIoMoLCCdbsf1ByYcWFBe7BazOvNnpKRGa+acKpSV2AbpzXgyOuD1ma7He7CNwvcbNeQpWg
gsuqNuc8laOKuTjUDuI4jgIXIxAQtIFIDtE03Ql3+Ik8YAL2vmEUhmOA9bPEYaxg9QsSFERUM7yI
lRXiwpmb/X8ppONQO0zE9aOVNiaUZoLCQyHzESoSl1OoHbA6YsxXMiIWGeqaMkdEY88c01gqSJ/i
KmPUFwmKRNpxgU9U5UnZQKgZclmZAkHpEI0VfJ+akS1IqA4VAgoBhcDXgcBVCQqb/S3zFxdIdCUu
gRh+PqUoLH7GL7dLUJgD0Ew3jKLIx1i6yfzXyiVeRlDmyMuASy/giIoVO+sxdxOcDSMo/JZF2B9a
vaInHYsvaJpGKKWwaCSEaHh0aSw2ba9Q9SztAnn0obOr14gVsSSSZm/xs9ORGdfsPF+lY2GN0xEU
BHgqY/oLmDRZAKlF0ErDjQtckVlpQxCWVWVFxZzmUVeYqAEqYD9OhY9/AbC+nBZOCGGIAs86wm2s
thy54KogiNodq/KkbE0n6FqKAM9BQWCF5U8BWKEedagQUAgoBB46AlckKGwaL42N9BVmIEA0f86O
3ED4VgkKo1Arv8M286xcIvMZfOVmixYw6WeXj1kO/LrRWzK/uU51nGfVUEaL0RN9jp5g3ZoZFphG
eilVStvh/KpnaRfQoziYJFslEMmhXoYUsk1AcHtXtcKn6wcWC+CMi123RVAQVoygjOaRNEJRbTea
Qt8cksg1iKYRAGy9rCYIy1z2kgXPu3hYCMSMDstKBhYsM/wMk3zZVVAEBlwElY04luNKI3GPpOWk
UJBpOtySTSAoUgQ4QTkB7FSJ+qsQUAgoBBQC5z4HhSHVF5CMsYh993W2gy0rmB+J+QDU3lULdgJP
8thlImNZExShkFEl6xwUeM7ELj3n0R3M81vxPPsumTuGnBnmPaYtMWwNg8UtcB2AskwGXGNYso3Z
5bP1EGPauzzSDtiefOzVBILSYkKsLuTtoJucKmQ/XyLJ+VXP0i7sG8UZFxbGLAhGUdgaiL2bNdS3
NTh5JuJERsecXiQozMcH4wZuthMaCQrL8qUuyxuG6vumafuugSgD+4zp01k3rDCfLpiXeCQEZWD1
4fLUeE9XN5Nyx4zoDvNUMILCiMt8ObMPXOKRSLuhyktkEwiKrExhiWcNLK6ZqiUeAWN1qBBQCCgE
AIGrRFDaFB4twhfPwZXgAyA0M64HfL4EPHnEtKaPHWQt80Ma8fhu33WSrFDIpJQVQWE+6ZykWZzN
L3cYjVmSbtqOR4YbxnHomWzbC7q0kawYju+5Qdqs2QZ3+T1bwSKG4/mupUNqhYPPe1nfIjgtxj80
avvTNuNd8RsmIhDD8X3P1glsq2YERS7J2VVzaSc44a9IUIahhp1Ymo4LcYxmacSwXc91bZOyCMdQ
7SChlOi253s2RD6mh9cxskJML4rjEGMimsaSZMdyNWo6ruc6lkEgRbmKTEJNx/ODwLNgnzlGUFYt
FWTdilLMEZRh6ArIcdKIbrme59qmTnCFh3ESlNYxEFEkKEOXA63WqAlXWxT3OY27eBgKK2k/iaBM
yK7LFAnKBKwxAsu21J/aFCdgow4VAgoBhcBDQeAKBIXFH5ZPZxtgwySBvE9GKVYrKzAJhk2ehNrz
Ezc2dvHMhcyorwhKfwAXZ+GW1fmajYOexfPnSMh4CQuvg+RdufeRVhBqOEHkm/N2lzoN4AdCDT+b
shBmn7Fw+e1h79sGxWudIBnDOicICoYKFsgAyWvyyDHgkS/UdHfZzjlHkvOqXkg7o7QkKMPoJVlU
p6+zyDWBbgEAtrcbn+DWFrFrYktNN/QhVwUjKMPQHnYew1E33Shy9YmgDENXJYEDNwGFMAGgvi1i
zwLEkFV485NoFpjPgk67eGQRFLiwgRJ1YJiEGpYXYzpNd9iN0hpOlCceYQQFdvckATIsottBuvcp
f5LshrSfSFA2ERgWBGUYRGDjNLJnYAUU1KFCQCGgEHjYCFyBoDxsoB58648Z2IOHRAGgEFAIKAQU
AreHgCIot4ft11WyIihflz5VaxQCCgGFwBeOgCIoX7iCvhjxFEH5YlShBFEIKAQUAg8BAUVQHoKW
b6KNiqDcBIqqDIWAQkAhoBA4EwFFUM4ESl2mEFAIKAQUAgoBhcDdIaAIyt1hrWpSCCgEFAIKAYWA
QuBMBBRBORModZlCQCGgEFAIKAQUAneHgCIod4e1qkkhoBBQCCgEFAIKgTMRUATlTKDUZQoBhYBC
QCGgEFAI3B0CiqDcHdaqJoWAQkAhoBBQCCgEzkRAEZQzgVKXKQQUAgoBhYBCQCFwdwgognJ3WKua
FAIKAYWAQkAhoBA4EwFFUM4ESl2mEFAIKAQUAgoBhcDdIaAIyt1hrWq6RwhcqM+1ELhHKlaiKgQU
Al84AoqgfOEKUuJ9HgSu5Z3VTRefR1uqVoXAZ0OgK9NdVt9U9V3q6ZRSaoTFTRV56+W0TGb9FmRW
BOXWtacquI8IKK5xPQTuo66VzAqB6yPQ5z414xsjKG3qEGdft23XX1+mu76z79r2EJnUv3FSddME
JfeJHh7uGp9r1XcHonapQ8y4upZ49/EmaK+1u7G+egMQlKFBvOwaXf167lnddQM6u9Mi6p1FnKS9
8TqvbXiTJH2VeJZONELt/Rk9Sj6anSWJ/PZJnmEYmiywdaJp1IwO1+hSQkmLw20VnCX2opzP9OUQ
Gjfp8oCguGn3mRrzCdVW8ecjKFVkEnvfzNLXsalpYrduE5sYUTkMZxn6XM5nPRBELWNT97IbMYpD
aAUzQftqCEqbOKK6ZXq7BYJyZdUsRb32MHeDVOPNC6q//OUGC/ySi5KZxmc+v7QKQZht7yhccM3D
axveWB/4Kd1L67Ztmq7e27qT8PF3QyZhNFv9epYk8tvn0iBSQJ19BRK1Terp1u5mpl7bKjhL7Fk4
8QDKE73VMAxtAjPFemj2trbxcV/9X9vn026od9Z0B6GG7cV5vSBn9c6iXs5PdeXO0U9OS/s6C0xC
3O1504qg/B0Zv2sa/iN/GPbHuPjP2Nb6nxY7P/1v7//NfuqqPvI6g8JdRP/T9v9V9sPQ/Z0EnUl/
18gfpvtX3vyPY9Ze7P3xejP+m5/v/t45fxDzr0nP/8v9SZipUs3652iXn5OgDIdAJ+7swZu9TQkh
TjpNPLrMI3pQ9PeVoLTFLk7PmKZw1UmO+jIy9a+PoLSpS+0zppm3QFCuqpqVqNce5jgJeP/6GTmf
YHx8+9MPP/76gd9+cXHDBOXd62f601e/iTVc4/i3n394/eb91o2fVr6kY3zm0yurEKTZ9o7CBdc8
vLbhjfWVkRD668p9lICTkX/kDOMsSeS3z1U2e5vYE0vqqzTaH6bxf77mWgfbKkCxBcd/ftEnCMrQ
tTX7JC6hXsqOm7aXnR+AoBArPjRNU1eHNHKoZoRC/Aiozzx366rEM3TLNuUEpclDSzdsG/zppkI3
CIqz/7tp/l1XF2nYUfJnXCG3qP9pkT+j4t91Pf5rOzjfHf4yye+G91da/F1Vfx/yf+12F+3wvzr5
aPv/LKr/NPVF7PxBnH+NxKK7CM0/rPBfh/o/XfcfVgiUU/3LM/6w7D8FgjL07b+rav739975XQ8u
xmZ8VoLSZR6lyEBGOupEoUWnSFRfBDplEQgw9CBJA9sgmkZ020+rWQ19lQS2QQmeTyoWsKh3lh4k
WeSaOiWEmm5cHJt9e9hhuFMj1LC83dhV+zoLHVae5e2m3nKqwIbdAEw4TPc+nUJzvA93qUPdfQ7V
UYrXZXzi0uQR1Eeo4YRZsbOn28e+0x8ik0xsWwMOjw47Svc+i9XCbby0rtyPMVw4v6TlWGJXJoFj
YgOp6e4Oc4SnKWJ2J9FNL2HEqiv3PgOXGs6uxAI2AR+2wOyqZLpbX6ugSV19bhUNcJWxr9KAQY9Y
TMKLBKXNfAMmXKD+q2tqHo64amCouMRUjkXF2/cZ6k0juuXtyxnGbanGmmfX/e71M0rpo3NDIO9/
fEae/PBuvv3ixgnKxftf3/y6SS3ESi87/vkFefTdr5tXfVL5s+LgAHqTl9XQbci09Csx+7aIXROm
PbrlJ8XemRbmwFELQzmEaudFxO2imjyCkjTop7afVMOxVQhConfcZbGHtyzHn+3yhyaPPNvQCdGo
YQfpZPzD2AQwM3+fBALB2LS0LXCYYE3mm3TqcjDILF041oOLP6Yb5eOAsmAYckmElssGw63e2hUh
DGHsQ7wcR7Zx8boMDTNKYTyAEVw3vd3lXWxGFi5PI5v7+FnAMjSot09DGNTYQFz3A0ZxvHzuwkMV
m9wexntPEZS5+Nwn41g2n8KDo/Or0pq9xdYK2G197tHZHoc6CcK07nJPSlC6Ig7iQ1vtLNGqRRE2
CIqb/ne6AgIq1g4jJUBQOmFZg13yd2T+rvv9sQ+dSoC/ffEPSj7meKreddQ9vv5/dfKPMP13l38U
CYpYyND+y6UTWxoGUMVnzEEBoohrODDquLAsWsbmSErQSkYWmftEI4a3P9Rt15aJp8/BtjbzdN3d
l03XNYedQ3Uf7QwjaNRhRt1Xe4eyUIwIxSHQdTep2q5r6zLPGBXpD6FB7bhoOlYRHWOg8gLBmFGC
tq2LnasTbWIY3At2qaNpxI6QJfUQyJwXBMFSdXd/aOD22NHnIVcUtfDpKoJCiOmnZdO22GrijmGn
JnGo4afQqDqPLLKg5WOJTZHmZd12XVPAFbCENgx9yZpRVHVdHfICx8d6bxPqxHlZ13WZF0j+JIBv
gQm2ZccHgLIp86zgLIpJgp2UR1CgZGpHedW0TZWF1qRLRsggB6U7RBY1Q8aprq4pAVGuGhZsvcRU
cCwXgj1laGhEd+IC7LHKAmOCcZBJNdY9ue53r549evkj/McXaX5+Ljj3t98/Js9/+nhxcfHr9090
ncIwTqgOn2cszgERlBc/vHrxRAf/+/TlTzN9ef/LD8/xLH307OVPv0Eh7PPmW/3Ryx9/evnsEXja
p6/wjnevnk5e68kPQgTl5xfg2NkHLiDf/DhGcN6/+f75Y6iVPnr67eu3rPzfXj3TmZyjmE++Z0RF
Vv7Fxbacb17QJy9fjy2Y2iWoDgkK0U0LKEdZ1U0/DBKzh9PUiQvoJmXiGUS7nKBsFwVTKcPPoNe0
9SHL2TxoZcCCkDBcEGqHWdV0bQ39bBp/tssH2lVmaVE1XQcTZhgf0Bs0iUNwPDpqgsTSgM0vwRHE
GjCCwlwIm8VP0/QqtqgV5rM9j+5RIChySYQKpIOhRNqlECuCommwGgW0oSv5SCXtYqAjgm1omyoN
LLLMF2BSsp7r7sCTNGXqG8SMykGYC8Nl0IrVag4TdHVyWuLhABwRkfGno/NHBGVMZmDXH0LdCNl0
cC67z+QEZbwI5BZo93wrTP+XOSjASESCEpu/j0s5mwSl/MvQ/rw0C7BNu4l2/Cexf3fiPvb+NIw/
LPevrBaWfoahz2QE5X/17k8ehvnsBIUN/MDXwLqQOwPF9SEGB7G/iUUCQRGM4xDqhC3QYYCQ870i
0NkQBAPExBNG9UxlTWrrC59SN4XxjX9wIGIuG06CxlkXlhYIXV4QTbyOe0EYNYQlRWDso3QnbudS
DRsEhSe39Lk3zSPRQudUKFwiO5lbXINFw/V9EdCZM00VV8um4WkJ4JtgYtt2PNY1lTv9XY7vULKY
+gt3M+xZBKUCmml4U7Do6pqaqoW/XDVIUC4xlXF04lwKhjlBVoBxFBUc2Zb9jJWPTOHdq2ePv/v1
4/vX3zzmDEVCUPCW7QiK9uj561/ff/z44e2rZ5Q+/xkJBMRmHr1AXvL+l++fQpRmoihvvqUaefTs
+59+efv27a9vxXjJx/c/fkMWBGUU9eLi4sObbx/RJ9//yoqB8h+/hHWcj+/fvHxMHn//ll8qjaAc
ly+T880LqunfvPr1/ceLD7+9/obSFz9/XG4zRrovdmeJ2Tc7S7QocCeXEhRJUV3qEsPPVzPIpQGL
9oXDwBQbZskKTGBJ+eK9wwA9mlkR1CAYmtAEmf0fgbMoGjqVd0xQwEFPDArSVpOpK3KCIpdEqEA6
msmkPU1QBB1D9ae7WJu6MwuEGVfu0UVCIxNz1XNBr9D5+0M4Res3qciAZyciL/5d7rQ5IiIjOEfn
0XSY4+oZeTaiebUNowbrdahbIyj/rZKPOunGnOl1Dsqfcf2/LvtIyD8msxH0LR72f3OWM1yE+u/E
+BjnfzfN31nwJzH+mlsHypERlP4i0P/w8jm087kjKANSejft+sLXWZfsYS4eFD0OCdNQv9IveE62
iaIIKMws5w/RNJzoCvoHEKEwoZ+PuDZZYFFYMIrTchx6qshcl8fukxU4WfikKoEtCF4QXKxYfxGM
--00000000000061844c05aa7fbaf3--


From nobody Wed Jul 15 12:32:31 2020
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 128AD3A0F29 for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 12:32:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jgnqWEJ7kMtq for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 12:32:28 -0700 (PDT)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 096DC3A0F28 for <oauth@ietf.org>; Wed, 15 Jul 2020 12:32:27 -0700 (PDT)
Received: by mail-wr1-x42f.google.com with SMTP id q5so4037914wru.6 for <oauth@ietf.org>; Wed, 15 Jul 2020 12:32:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=/e8a8RiI5Acf321qQNMkT/E8pX6PkYHwLSxkSYF9A0k=; b=KtpkGoiGDkuJy//zk1k4XJV2d9zAQRQ9llJEkT2hNTUm4HPhWewgs/lNL404bfRRQ/ CZdfrHy98dxNfpcW2tXGfRO8UqAHJnoksMpnQrM3pB2jVqxRmwh9ajjyM2FbTxfkeonx Wm0qz8InTl7IOVljQ5ZjVN7Bg8deTCDBFN00I=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=/e8a8RiI5Acf321qQNMkT/E8pX6PkYHwLSxkSYF9A0k=; b=i+eAqxIqIQUxDuIgZ9ykfOypg3w76wMBZ4r8s6LGEDp7yw/aGZtbP4i73i8IsBrF/c 5uFNKFDmybPWuJs8lO39iBKu+WHQe3DHVK9sZmMZUUy6O4G4W5D/fjbKc1/sv2Hvcu01 GnBojZQynq30GDfwjeX8nNE9j8xdabaqJaCiIA0uwILiT39J3tizrqIR4xF3jm27CELb HT0s94yQZD7kGJ1OBIpwPVu16Hc3wqDKL53+D5Y1QoSe+bhWDvNbhgkupTi9IWL6g3Kd DH19lJE9lRosAn2EZq71IWgjr7Ncy5LNLahMo8VHbeOzki5ThDuVNjLQoFfObpuEdxuu tjrQ==
X-Gm-Message-State: AOAM531HkWlEQ0ZimRlwLk1mlSGJz4B+5KSw9NASq2wyHIgvyTEMkxmu Ne/jKAG2wYLfR/4hQsRV3Pq+dg==
X-Google-Smtp-Source: ABdhPJzY2QQ74tXaqQIJ5IZc4LjzEirgZmw6dM/ABq9iPZv15EpKbHjts2vREgXC4dBlS/sl+wlvwA==
X-Received: by 2002:adf:ec88:: with SMTP id z8mr908733wrn.395.1594841546004; Wed, 15 Jul 2020 12:32:26 -0700 (PDT)
Received: from [10.0.0.3] (77.87.75.194.dyn.plus.net. [194.75.87.77]) by smtp.gmail.com with ESMTPSA id h84sm4890012wme.22.2020.07.15.12.32.25 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 15 Jul 2020 12:32:25 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-47472CCA-1F82-4714-A73E-B257B9740982
Content-Transfer-Encoding: 7bit
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 15 Jul 2020 20:32:24 +0100
Message-Id: <C73B4107-21A0-4A99-8F35-2C154520FE51@forgerock.com>
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
In-Reply-To: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
X-Mailer: iPhone Mail (17F80)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/iLnKvD8Mls_GlEEX6ZWLD_7SZ5A>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 19:32:30 -0000

--Apple-Mail-47472CCA-1F82-4714-A73E-B257B9740982
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

I support adoption.

> On 15 Jul 2020, at 18:42, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
>
> All,
>
> This is a call for adoption for the following OAuth 2.1 document as a WG document:
> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>
> Please, provide your feedback on the mailing list by July 29th.
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--Apple-Mail-47472CCA-1F82-4714-A73E-B257B9740982--


From nobody Wed Jul 15 12:37:49 2020
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95BAB3A0F4B for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 12:37:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bLPIyDMeQ94Q for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 12:37:46 -0700 (PDT)
Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E80EB3A0F49 for <oauth@ietf.org>; Wed, 15 Jul 2020 12:37:45 -0700 (PDT)
Received: by mail-qk1-x72e.google.com with SMTP id k18so3000766qke.4 for <oauth@ietf.org>; Wed, 15 Jul 2020 12:37:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:autocrypt:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=UNDeI5b3Euq9F9KZElfyc8D5M3k7hdqHQFHQfOFfq/w=; b=kCBALeK/mXjwvUVjcw3FTROTBUo+kLewiBClTk0w6KnNnR4cQF0BrFE47+upwV9wcb tGKKPOyMFfOrWFSmOxz/KYhI4m+r3fAdCv87+mtLz6QpCA1M51oiPJjz+rX/OyBDVKO0 4hKkGE79JlEy8FTKfyoz5OB/UbrwCWWiD2pe0r6kEtUkT2yYiI35glq7O7fReE0VSZox lm/c/sD0aRb+LtBS8s/VNC/rFyKWQP5uWEHpFeCSee0ZC7/VgiJZHEHWm9FGhtdQN1pK /xdksF2pTb2X+N06zcp5sj8bRxyfnaXHGYqDAI0WB5FyvvAHmEY3diPBVCPPtwM6rYYU Tgog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:autocrypt:message-id :date:user-agent:mime-version:in-reply-to:content-language; bh=UNDeI5b3Euq9F9KZElfyc8D5M3k7hdqHQFHQfOFfq/w=; b=GQL7Qo/ZXw7Qo5QCfm/LK3lOHbDlSoFc2Hx6xEdOALKhsJHRR2PKx4lSc0z4E1Lmww CjnXfLMnJmY2QwV6dnbigXwb//BXW0b11URQmHYiERO8pNbzkzU0ViJJ1+ABkploXR6G 2aCLQy1SOgvCSz0jTRhfJDWEPOiwNiovswwI4wg2yjTqSUW5/cKXNLaXehDbBEg5W7tt is//frlk1H1BkcDE6hZn6OoIRseKrnB92NT/TocFfj40KzLMAqKGUqX9rRw9U+uGkmO4 42oy7WeZPcqEXYSnHt0Mrc8WrCKCRxnadGoa/ucK2h/SNL0Zf2Gi0CV8S0l1pguFFxGG Y/mA==
X-Gm-Message-State: AOAM531Pan937AoxtoDF8/4I1+zHa3iwKFDsYu1Ik5f/a2kJK62IwDCp b+uEWIdmaR+wS8G6yJuDdbvmci1dBCiHFuB/
X-Google-Smtp-Source: ABdhPJyJH7QkRzrHVAjg8YHFTGqad977tyMiQ+A7wkVZmpIV9oexq+oVcSJBIJa/ZmR6hsxJvZbLyQ==
X-Received: by 2002:a37:4903:: with SMTP id w3mr699257qka.178.1594841863982; Wed, 15 Jul 2020 12:37:43 -0700 (PDT)
Received: from [192.168.8.100] ([45.232.32.197]) by smtp.gmail.com with ESMTPSA id j18sm4442445qko.95.2020.07.15.12.37.41 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 15 Jul 2020 12:37:42 -0700 (PDT)
To: oauth@ietf.org
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <C73B4107-21A0-4A99-8F35-2C154520FE51@forgerock.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Message-ID: <f179475b-db3f-32c9-0eb0-d6412ddd8151@ve7jtb.com>
Date: Wed, 15 Jul 2020 15:37:39 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <C73B4107-21A0-4A99-8F35-2C154520FE51@forgerock.com>
Content-Type: multipart/alternative; boundary="------------F2C2BFEBCCFA34DB1FBBE7B5"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TDOxtsc_NnHUNYDTjgUVF_NNlpI>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 19:37:48 -0000

This is a multi-part message in MIME format.
--------------F2C2BFEBCCFA34DB1FBBE7B5
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

I support adoption

On 7/15/2020 3:32 PM, Neil Madden wrote:
> I support adoption. 
>
>> On 15 Jul 2020, at 18:42, Rifaat Shekh-Yusef
>> <rifaat.s.ietf@gmail.com> wrote:
>>
>>
>> All,
>>
>> This is a *call for adoption* for the following *OAuth 2.1* document
>> as a WG document:
>> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>>
>> Please, provide your feedback on the mailing list by *July 29th.*
>>
>> Regards,
>>  Rifaat & Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--------------F2C2BFEBCCFA34DB1FBBE7B5--


From nobody Wed Jul 15 12:40:27 2020
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 886833A0F4A for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 12:40:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f0FeEm5g-F-G for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 12:40:24 -0700 (PDT)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01F963A0F4B for <oauth@ietf.org>; Wed, 15 Jul 2020 12:40:23 -0700 (PDT)
Received: by mail-ej1-x631.google.com with SMTP id n26so3460861ejx.0 for <oauth@ietf.org>; Wed, 15 Jul 2020 12:40:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=D8/fhWStkV191i/CpcSgZl4ey/sZ9ePorCwobzCsdiM=; b=gEEVieXCRU7ZYLplAbjRDZOtRJH/qIjk0Jhx1Ze00QdV1gZde2ZVhkLpBnnthm6PrD rEgZsM+qZmbGzrAYbFFB6tPlqTitDNdiYAXT8Yo6NrjOXRHxTtX9P6OB4CdFX8/wmDvZ Y4yhpDEtqmkXMgmueUq7D+GYerFcd8pRFT68hlOqVoDRE7pEqpg5JPFg+OEqlHRcR5e9 9eS2L0U3ryOvtQU5Fm2lBBAQn/QJK1AjUp8S78TlvzV6TiLeS1hqvxsqxuerIb4BZJ5Z Tr0Yy+eiTAZI73xo3yF1y8CPBPPWd2JUz6vpDGeQ3WLfeq4swnr9JbONWmLym2JJaaJ3 p4sg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=D8/fhWStkV191i/CpcSgZl4ey/sZ9ePorCwobzCsdiM=; b=azewO3skBQsH0DNiTdylAZ12n/HzkBrakM53OpDTuL1MzBIeajjPTyztf236gFO5Iy MuMGiwxpF8Zc1bxdZCpt6yjJ/RyrVPdDWt2/WnsA9aFvrTb0H2gmWluvYFW2vb89kWKE vzWXCFbtB2FfGBiL1NKt5BjgwN7Z5+e+uaVbZzenMMAxwMP+kVrXPzgs7XAJ1Vib6hxZ dyFBtao6GyQxqsYjzVw83JAzmIAsqZlj/KLlqm8Qcohxd8ZBwwYAj9pwzcQp2QydL+9x 6pjwLUY18hFiELfRQ/aQA6zcIner7hj5EPgzfw/padWH59M3qqsuowlZQz9hXT61sU+X L2Tg==
X-Gm-Message-State: AOAM532F02CBVjcQbjzCy68U/obUSaUC+TLnWV4V/C69OE3ypRvSIf/H KVdyssXMp8WDJRrQAfrb4YvO+CAq7hI=
X-Google-Smtp-Source: ABdhPJwaH2RC5H4+PrG4xXto2g1HKRWNp9ANc/Zg9RRm+OEsqiQRZif2XrKE3ki3bBe1CijBsiVZzA==
X-Received: by 2002:a17:906:2799:: with SMTP id j25mr513399ejc.466.1594842022369;  Wed, 15 Jul 2020 12:40:22 -0700 (PDT)
Received: from p200300eb8f0138c1e044bfcf5677cdbd.dip0.t-ipconnect.de (p200300eb8f0138c1e044bfcf5677cdbd.dip0.t-ipconnect.de. [2003:eb:8f01:38c1:e044:bfcf:5677:cdbd]) by smtp.gmail.com with ESMTPSA id d26sm2935891ejw.89.2020.07.15.12.40.21 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 Jul 2020 12:40:21 -0700 (PDT)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <9D1677D6-0C25-41E1-B595-02509AE6A726@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_A6D64DFB-C8C9-4DF0-BD7F-D73EDD05F5F7"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 15 Jul 2020 21:40:18 +0200
In-Reply-To: <f179475b-db3f-32c9-0eb0-d6412ddd8151@ve7jtb.com>
Cc: oauth@ietf.org
To: John Bradley <ve7jtb@ve7jtb.com>
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <C73B4107-21A0-4A99-8F35-2C154520FE51@forgerock.com> <f179475b-db3f-32c9-0eb0-d6412ddd8151@ve7jtb.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-NJsciOrwReWHMS05GteBjb2-fc>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 19:40:26 -0000

--Apple-Mail=_A6D64DFB-C8C9-4DF0-BD7F-D73EDD05F5F7
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

+1

> On 15. Jul 2020, at 21:37, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> I support adoption
>
> On 7/15/2020 3:32 PM, Neil Madden wrote:
>> I support adoption.
>>
>>> On 15 Jul 2020, at 18:42, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
>>>
>>> All,
>>>
>>> This is a call for adoption for the following OAuth 2.1 document as a WG document:
>>> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>>>
>>> Please, provide your feedback on the mailing list by July 29th.
>>>
>>> Regards,
>>>  Rifaat & Hannes
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> _______________________________________________
>> OAuth mailing list
>>
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_A6D64DFB-C8C9-4DF0-BD7F-D73EDD05F5F7
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

--Apple-Mail=_A6D64DFB-C8C9-4DF0-BD7F-D73EDD05F5F7--


From nobody Wed Jul 15 12:41:50 2020
Return-Path: <mpeck@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B04463A0F52 for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 12:41:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UOSwJXtqShFI for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 12:41:46 -0700 (PDT)
Received: from smtpvbsrv1.mitre.org (smtpvbsrv1.mitre.org [198.49.146.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2107F3A0F51 for <oauth@ietf.org>; Wed, 15 Jul 2020 12:41:46 -0700 (PDT)
Received: from smtpvbsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 0330333204E; Wed, 15 Jul 2020 15:41:45 -0400 (EDT)
Received: from smtprhbv1.mitre.org (unknown [129.83.19.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpvbsrv1.mitre.org (Postfix) with ESMTPS id CAAEC33203C; Wed, 15 Jul 2020 15:41:44 -0400 (EDT)
Received: from mbfesmtp-mgt.mitre.org (unknown [198.49.146.235]) by smtprhbv1.mitre.org (Postfix) with ESMTP id BD7B092FE90; Wed, 15 Jul 2020 15:41:44 -0400 (EDT)
Received: by mbfesmtp-mgt.mitre.org (Postfix, from userid 600) id 4B6SSQ6NHhz3D49x; Wed, 15 Jul 2020 19:41:37 +0000 (UTC)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl2gcc02lp2100.outbound.protection.outlook.com [104.47.64.100]) by mbfesmtp-mgt.mitre.org (Postfix) with ESMTPS id 4B6SSH6TjDz3D4FB; Wed, 15 Jul 2020 19:41:35 +0000 (UTC)
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mitre.org; dmarc=pass action=none header.from=mitre.org; dkim=pass header.d=mitre.org; arc=none
Received: from BL0PR0901MB4578.namprd09.prod.outlook.com (2603:10b6:208:1c5::17) by MN2PR09MB3581.namprd09.prod.outlook.com (2603:10b6:208:39::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3174.20; Wed, 15 Jul 2020 19:41:34 +0000
Received: from BL0PR0901MB4578.namprd09.prod.outlook.com ([fe80::411e:be0a:728a:badc]) by BL0PR0901MB4578.namprd09.prod.outlook.com ([fe80::411e:be0a:728a:badc%5]) with mapi id 15.20.3195.018; Wed, 15 Jul 2020 19:41:34 +0000
From: Michael A Peck <mpeck@mitre.org>
To: oauth <oauth@ietf.org>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Thread-Topic: [OAUTH-WG] Call for adoption - OAuth 2.1 document
Thread-Index: AQHWWt/wnlJd3DBNcEqiHEGjpWtgug==
Date: Wed, 15 Jul 2020 19:41:34 +0000
Message-ID: <AF8FA691-3B77-4B00-B286-0186DA449953@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/16.38.20061401
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=mitre.org;
x-originating-ip: [192.80.55.86]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 01d6f188-f874-43bb-37d5-08d828f71504
x-ms-traffictypediagnostic: MN2PR09MB3581:
x-microsoft-antispam-prvs: <MN2PR09MB3581A98CD02846C38B08FE44B97E0@MN2PR09MB3581.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:114;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AF8FA6913B774B00B2860186DA449953mitreorg_"
MIME-Version: 1.0
X-OriginatorOrg: mitre.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL0PR0901MB4578.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 01d6f188-f874-43bb-37d5-08d828f71504
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jul 2020 19:41:34.6311 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR09MB3581
X-MITRE: 8GQsMWxq66rxk57w
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Aa5opj0Wc-fvpbEZ9LUTPxlc21s>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 19:41:48 -0000

--_000_AF8FA6913B774B00B2860186DA449953mitreorg_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

+1
I support adoption of this document by the working group.

From: OAuth <oauth-bounces@ietf.org> on behalf of Dick Hardt <dick.hardt@gmail.com>
Date: Wednesday, July 15, 2020 at 1:56 PM
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: [EXT] Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document

+1

On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com<mailto:rifaat.s.ietf@gmail.com>> wrote:
All,

This is a call for adoption for the following OAuth 2.1 document as a WG document:
https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html

Please, provide your feedback on the mailing list by July 29th.

Regards,
 Rifaat & Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

--_000_AF8FA6913B774B00B2860186DA449953mitreorg_--


From nobody Wed Jul 15 13:25:02 2020
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 402D33A0A65; Wed, 15 Jul 2020 13:25:01 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: IESG Secretary <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.8.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <159484470103.1215.1119837065310295381@ietfa.amsl.com>
Date: Wed, 15 Jul 2020 13:25:01 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cKxXbcVa8yfZg5BUS-uCHtXEObo>
Subject: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-08-03
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 20:25:01 -0000

The Web Authorization Protocol (oauth) WG will hold
a virtual interim meeting on 2020-08-03 from 12:00 to 13:00 America/Toronto (16:00 to 17:00 UTC).

Agenda:
OAuth WG - Aug 3rd Interim
Hosted by Web Authorization Protocol Working Group

Monday, Aug 3, 2020 6:00 pm | 1 hour | (UTC+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Meeting number: 161 700 3301
Password: 99N5Myuqwph
https://ietf.webex.com/ietf/j.php?MTID=m1285bd51ffb5dcd173147c531b5fabf3

Join by video system
Dial 1617003301@ietf.webex.com
You can also dial 173.243.2.68 and enter your meeting number.

Join by phone
1-650-479-3208 Call-in toll number (US/Canada)
Access code: 161 700 3301

Information about remote participation:
https://ietf.webex.com/ietf/j.php?MTID=m1285bd51ffb5dcd173147c531b5fabf3


From nobody Wed Jul 15 13:25:28 2020
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 42A983A0FE6; Wed, 15 Jul 2020 13:25:19 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: IESG Secretary <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.8.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <159484471924.28820.17804912483410782132@ietfa.amsl.com>
Date: Wed, 15 Jul 2020 13:25:19 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Sj5lLR4jhum82DREpw_cg339MlU>
Subject: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-08-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 20:25:25 -0000

The Web Authorization Protocol (oauth) WG will hold
a virtual interim meeting on 2020-08-10 from 12:00 to 13:00 America/Toronto (16:00 to 17:00 UTC).

Agenda:
OAuth WG - Aug 10th Interim
Hosted by Web Authorization Protocol Working Group

Monday, Aug 10, 2020 12:00 pm | 1 hour | (UTC+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Meeting number: 161 640 8279
Password: x2H2VwPMUu9
https://ietf.webex.com/ietf/j.php?MTID=m02cd2236222d8e7032dac03ee763d386

Join by video system
Dial 1616408279@ietf.webex.com
You can also dial 173.243.2.68 and enter your meeting number.

Join by phone
1-650-479-3208 Call-in toll number (US/Canada)
Access code: 161 640 8279

Information about remote participation:
https://ietf.webex.com/ietf/j.php?MTID=m02cd2236222d8e7032dac03ee763d386


From nobody Wed Jul 15 13:31:32 2020
Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC4173A0FA2 for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 13:31:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CDeQltEmIFtm for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 13:31:28 -0700 (PDT)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A72FC3A0FEE for <oauth@ietf.org>; Wed, 15 Jul 2020 13:31:24 -0700 (PDT)
Received: by mail-wm1-x32f.google.com with SMTP id 22so7135788wmg.1 for <oauth@ietf.org>; Wed, 15 Jul 2020 13:31:24 -0700 (PDT)
X-Received: by 2002:a1c:e908:: with SMTP id q8mr1276523wmc.59.1594845082769; Wed, 15 Jul 2020 13:31:22 -0700 (PDT)
MIME-Version: 1.0
References: <880730713.11340711594833611836.JavaMail.nobody@rva2rmd101.webex.com>
In-Reply-To: <880730713.11340711594833611836.JavaMail.nobody@rva2rmd101.webex.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Wed, 15 Jul 2020 16:31:11 -0400
Message-ID: <CADNypP9z++oCtP3KSoFSFR_HTS3XwRrnZmbWJgfm105=XGw_YA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a15d1505aa80ce4c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uholwAxALLHl3Vg5Y6-k-gBY-BY>
Subject: Re: [OAUTH-WG] (Forward to others) Webex meeting invitation: OAuth WG - Aug 3rd Interim
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 20:31:31 -0000

--000000000000a15d1505aa80ce4c
Content-Type: text/plain; charset="UTF-8"

On Wed, Jul 15, 2020 at 1:20 PM Web Authorization Protocol Working Group <
messenger@webex.com> wrote:

>
> You can forward this invitation to others.
> Web Authorization Protocol Working Group invites you to join this Webex
> meeting.
>
> Meeting number (access code): 161 700 3301
> Meeting password: 99N5Myuqwph
>
> Monday, August 3, 2020
> 12:00 pm  |  (UTC-04:00) Eastern Time (US & Canada)  |  1 hr
>
> Join meeting
> <https://ietf.webex.com/ietf/j.php?MTID=m1285bd51ffb5dcd173147c531b5fabf3>
>
> *Tap to join from a mobile device (attendees only)*
> +1-650-479-3208,,1617003301##
> <%2B1-650-479-3208,,*01*1617003301%23%23*01*> Call-in toll number
> (US/Canada)
>
> *Join by phone*
> 1-650-479-3208 Call-in toll number (US/Canada)
> Global call-in numbers
> <https://ietf.webex.com/ietf/globalcallin.php?MTID=m2d91ed8ceb631fdacdc654450f71b65f>
>
> *Join from a video system or application*
> Dial 1617003301@ietf.webex.com
> You can also dial 173.243.2.68 and enter your meeting number.
>
> *Join using Microsoft Lync or Microsoft Skype for Business*
> Dial 1617003301.ietf@lync.webex.com
>
>
> Need help? Go to http://help.webex.com
>

--000000000000a15d1505aa80ce4c--


From nobody Wed Jul 15 13:31:44 2020
Return-Path: <Andreas.Falk@novatec-gmbh.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D6DB3A0FF9 for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 13:31:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level: 
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=msnovatec.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pXlv3a9tKvpd for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 13:31:25 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20072.outbound.protection.outlook.com [40.107.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AB2C3A102A for <oauth@ietf.org>; Wed, 15 Jul 2020 13:31:20 -0700 (PDT)
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=novatec-gmbh.de; dmarc=pass action=none header.from=novatec-gmbh.de; dkim=pass header.d=novatec-gmbh.de; arc=none
Received: from DBBPR04MB6203.eurprd04.prod.outlook.com (2603:10a6:10:c8::22) by DB8PR04MB5850.eurprd04.prod.outlook.com (2603:10a6:10:ac::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3174.23; Wed, 15 Jul 2020 20:31:16 +0000
Received: from DBBPR04MB6203.eurprd04.prod.outlook.com ([fe80::e087:40e6:8128:6ca6]) by DBBPR04MB6203.eurprd04.prod.outlook.com ([fe80::e087:40e6:8128:6ca6%6]) with mapi id 15.20.3195.018; Wed, 15 Jul 2020 20:31:16 +0000
From: Falk Andreas <Andreas.Falk@novatec-gmbh.de>
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Call for adoption - OAuth 2.1 document
Thread-Index: AQHWWs9m8OTFddOHEU+tdtATcaDceKkJB7UAgAABeICAAAC9AIAADeaN
Date: Wed, 15 Jul 2020 20:31:16 +0000
Message-ID: <DBBPR04MB620360805B19F3971A4A81D2DC7E0@DBBPR04MB6203.eurprd04.prod.outlook.com>
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <C73B4107-21A0-4A99-8F35-2C154520FE51@forgerock.com> <f179475b-db3f-32c9-0eb0-d6412ddd8151@ve7jtb.com>, <9D1677D6-0C25-41E1-B595-02509AE6A726@lodderstedt.net>
In-Reply-To: <9D1677D6-0C25-41E1-B595-02509AE6A726@lodderstedt.net>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=novatec-gmbh.de;
x-originating-ip: [109.193.88.57]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d0735320-717e-47ea-09c0-08d828fe063a
x-ms-traffictypediagnostic: DB8PR04MB5850:
x-microsoft-antispam-prvs: <DB8PR04MB58505D567A2DB56040569DC0DC7E0@DB8PR04MB5850.eurprd04.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6430;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DBBPR04MB620360805B19F3971A4A81D2DC7E0DBBPR04MB6203eurp_"
MIME-Version: 1.0
X-OriginatorOrg: novatec-gmbh.de
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DBBPR04MB6203.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d0735320-717e-47ea-09c0-08d828fe063a
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jul 2020 20:31:16.2637 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0ea17416-affd-4b68-a5a5-9f2de2d9c1f9
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: w1KXBAzciszHRS2QcYqgAHfPKQ12mDFM22fY+5DK1ewx323vSoGEZ0vvvN0mhhm/+WV/bxk36PMS+w2eqyOTdQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR04MB5850
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/j8GEuV4ZTxvvSeZ73YODjoF4L7Q>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 20:31:31 -0000

--_000_DBBPR04MB620360805B19F3971A4A81D2DC7E0DBBPR04MB6203eurp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_DBBPR04MB620360805B19F3971A4A81D2DC7E0DBBPR04MB6203eurp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_DBBPR04MB620360805B19F3971A4A81D2DC7E0DBBPR04MB6203eurp_--


From nobody Wed Jul 15 13:32:11 2020
Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8458A3A0FDD for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 13:32:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NMalIZv8KkQl for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 13:32:02 -0700 (PDT)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 842B43A0FBD for <oauth@ietf.org>; Wed, 15 Jul 2020 13:31:58 -0700 (PDT)
Received: by mail-wr1-x42c.google.com with SMTP id s10so4199251wrw.12 for <oauth@ietf.org>; Wed, 15 Jul 2020 13:31:58 -0700 (PDT)
X-Received: by 2002:a5d:44c7:: with SMTP id z7mr1363411wrr.226.1594845116619;  Wed, 15 Jul 2020 13:31:56 -0700 (PDT)
MIME-Version: 1.0
References: <115462143.11346261594834086268.JavaMail.nobody@rva2rmd101.webex.com>
In-Reply-To: <115462143.11346261594834086268.JavaMail.nobody@rva2rmd101.webex.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Wed, 15 Jul 2020 16:31:45 -0400
Message-ID: <CADNypP9Hz7d776yE=kEhTmfe4D2pSDy_vdWT8t4DACsfJuBw_g@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/mixed; boundary="000000000000a5fca105aa80d03a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7Our6PF2yGUBZeLJZFi-cGMsusw>
Subject: [OAUTH-WG] Fwd: (Forward to others) Webex meeting invitation: OAuth WG - Aug 10th Interim
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 20:32:09 -0000

--000000000000a5fca105aa80d03a
Content-Type: multipart/alternative; boundary="000000000000a5fc9f05aa80d038"

--000000000000a5fc9f05aa80d038
Content-Type: text/plain; charset="UTF-8"

---------- Forwarded message ---------
From: Web Authorization Protocol Working Group <messenger@webex.com>
Date: Wed, Jul 15, 2020 at 1:28 PM
Subject: (Forward to others) Webex meeting invitation: OAuth WG - Aug 10th
Interim
To: <oauth-chairs@ietf.org>



You can forward this invitation to others.
Web Authorization Protocol Working Group invites you to join this Webex
meeting.

Meeting number (access code): 161 640 8279
Meeting password: x2H2VwPMUu9

Monday, August 10, 2020
6:00 am  |  (UTC-04:00) Eastern Time (US & Canada)  |  1 hr

Join meeting
<https://ietf.webex.com/ietf/j.php?MTID=m02cd2236222d8e7032dac03ee763d386>

*Tap to join from a mobile device (attendees only)*
+1-650-479-3208,,1616408279## <%2B1-650-479-3208,,*01*1616408279%23%23*01*>
Call-in toll number (US/Canada)

*Join by phone*
1-650-479-3208 Call-in toll number (US/Canada)
Global call-in numbers
<https://ietf.webex.com/ietf/globalcallin.php?MTID=m50db3a00ed4125cdeb4a6bf0e352cfbf>

*Join from a video system or application*
Dial 1616408279@ietf.webex.com
You can also dial 173.243.2.68 and enter your meeting number.

*Join using Microsoft Lync or Microsoft Skype for Business*
Dial 1616408279.ietf@lync.webex.com


Need help? Go to http://help.webex.com


--000000000000a5fc9f05aa80d038
Content-Type: text/calendar; charset="UTF-8"; method=REQUEST
Content-Transfer-Encoding: quoted-printable

BEGIN:VCALENDAR
PRODID:-//Microsoft Corporation//Outlook 10.0 MIMEDIR//EN
VERSION:2.0
METHOD:REQUEST
BEGIN:VTIMEZONE
TZID:America/New_York
TZURL:http://tzurl.org/zoneinfo-outlook/America/New_York
X-LIC-LOCATION:America/New_York
BEGIN:DAYLIGHT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
TZNAME:EDT
DTSTART:19700308T020000
RRULE:FREQ=3DYEARLY;BYMONTH=3D3;BYDAY=3D2SU
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
TZNAME:EST
DTSTART:19701101T020000
RRULE:FREQ=3DYEARLY;BYMONTH=3D11;BYDAY=3D1SU
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTAMP:20200715T172806Z
ATTENDEE;CN=3D"Web Authorization Protocol Working Group";ROLE=3DREQ-PARTICI=
PANT;RSVP=3DTRUE:MAILTO:oauth-chairs@ietf.org
ORGANIZER;CN=3D"Web Authorization Protocol Working Group":MAILTO:oauth-chai=
rs@ietf.org
DTSTART;TZID=3DAmerica/New_York:20200810T060000
DTEND;TZID=3DAmerica/New_York:20200810T070000
LOCATION:https://ietf.webex.com/ietf/j.php?MTID=3Dm02cd2236222d8e7032dac03e=
e763d386
TRANSP:OPAQUE
SEQUENCE:1594834086
UID:231b1bad-abc7-4707-b7e6-307147247c29
DESCRIPTION:\n\n\n\nJOIN WEBEX MEETING\nhttps://ietf.webex.com/ietf/j.php?M=
TID=3Dm02cd2236222d8e7032dac03ee763d386\nMeeting number (access code): 161 =
640 8279\n\nMeeting password: x2H2VwPMUu9\n\n\n\nTAP TO JOIN FROM A MOBILE =
DEVICE (ATTENDEES ONLY)\n+1-650-479-3208,,1616408279## tel:%2B1-650-479-320=
8,,*01*1616408279%23%23*01* Call-in toll number (US/Canada)\n\n\nJOIN BY PH=
ONE\n1-650-479-3208 Call-in toll number (US/Canada)\n\nGlobal call-in numbe=
rs\nhttps://ietf.webex.com/ietf/globalcallin.php?MTID=3Dm50db3a00ed4125cdeb=
4a6bf0e352cfbf\n\n\nJOIN FROM A VIDEO SYSTEM OR APPLICATION\nDial sip:16164=
08279@ietf.webex.com\nYou can also dial 173.243.2.68 and enter your meeting=
 number.\n\n\nJoin using Microsoft Lync or Microsoft Skype for Business\nDi=
al sip:1616408279.ietf@lync.webex.com\n\n\n\n\n\nCan't join the meeting?\nh=
ttps://collaborationhelp.cisco.com/article/WBX000029055\n\n\nIMPORTANT NOTI=
CE: Please note that this Webex service allows audio and other information =
sent during the session to be recorded, which may be discoverable in a lega=
l matter. By joining this session, you automatically consent to such record=
ings. If you do not consent to being recorded, discuss your concerns with t=
he host or do not join the session.\n
SUMMARY:OAuth WG - Aug 10th Interim
PRIORITY:5
CLASS:PUBLIC
BEGIN:VALARM
TRIGGER:-PT5M
ACTION:DISPLAY
DESCRIPTION:Reminder
END:VALARM
END:VEVENT
END:VCALENDAR

--000000000000a5fc9f05aa80d038--

--000000000000a5fca105aa80d03a
Content-Type: application/ics; name="Webex_Meeting.ics"
Content-Disposition: attachment; filename="Webex_Meeting.ics"
Content-Transfer-Encoding: base64
Content-ID: <173542ce7dfc1ce7aee1>
X-Attachment-Id: 173542ce7dfc1ce7aee1
--000000000000a5fca105aa80d03a--


From nobody Wed Jul 15 13:34:26 2020
Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1871D3A0FB5 for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 13:34:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JgNAST98JpwE for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 13:34:23 -0700 (PDT)
Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E92A3A0C70 for <oauth@ietf.org>; Wed, 15 Jul 2020 13:34:23 -0700 (PDT)
Received: by mail-wm1-x333.google.com with SMTP id g10so4159622wmc.1 for <oauth@ietf.org>; Wed, 15 Jul 2020 13:34:23 -0700 (PDT)
X-Received: by 2002:a1c:2d91:: with SMTP id t139mr1221713wmt.3.1594845261070;  Wed, 15 Jul 2020 13:34:21 -0700 (PDT)
MIME-Version: 1.0
References: <880730713.11340711594833611836.JavaMail.nobody@rva2rmd101.webex.com>
In-Reply-To: <880730713.11340711594833611836.JavaMail.nobody@rva2rmd101.webex.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Wed, 15 Jul 2020 16:34:09 -0400
Message-ID: <CADNypP_pJzqW8Yjquq16No3327nC4mTa4RmHvy=NbxQzkMNLMw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/mixed; boundary="00000000000042290f05aa80d997"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HZGDsEU-hJ9J94fNfWohf1QaQfA>
Subject: [OAUTH-WG] Fwd: (Forward to others) Webex meeting invitation: OAuth WG - Aug 3rd Interim
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 20:34:25 -0000

--00000000000042290f05aa80d997
Content-Type: multipart/alternative; boundary="00000000000042290d05aa80d995"

--00000000000042290d05aa80d995
Content-Type: text/plain; charset="UTF-8"

Forwarding this one again to include the calendar file.


---------- Forwarded message ---------
From: Web Authorization Protocol Working Group <messenger@webex.com>
Date: Wed, Jul 15, 2020 at 1:20 PM
Subject: (Forward to others) Webex meeting invitation: OAuth WG - Aug 3rd
Interim
To: <oauth-chairs@ietf.org>



You can forward this invitation to others.
Web Authorization Protocol Working Group invites you to join this Webex
meeting.

Meeting number (access code): 161 700 3301
Meeting password: 99N5Myuqwph

Monday, August 3, 2020
12:00 pm  |  (UTC-04:00) Eastern Time (US & Canada)  |  1 hr

Join meeting
<https://ietf.webex.com/ietf/j.php?MTID=m1285bd51ffb5dcd173147c531b5fabf3>

*Tap to join from a mobile device (attendees only)*
+1-650-479-3208,,1617003301## <%2B1-650-479-3208,,*01*1617003301%23%23*01*>
Call-in toll number (US/Canada)

*Join by phone*
1-650-479-3208 Call-in toll number (US/Canada)
Global call-in numbers
<https://ietf.webex.com/ietf/globalcallin.php?MTID=m2d91ed8ceb631fdacdc654450f71b65f>

*Join from a video system or application*
Dial 1617003301@ietf.webex.com
You can also dial 173.243.2.68 and enter your meeting number.

*Join using Microsoft Lync or Microsoft Skype for Business*
Dial 1617003301.ietf@lync.webex.com


Need help? Go to http://help.webex.com

--00000000000042290d05aa80d995
Content-Type: text/calendar; charset="UTF-8"; method=REQUEST
Content-Transfer-Encoding: quoted-printable

BEGIN:VCALENDAR
PRODID:-//Microsoft Corporation//Outlook 10.0 MIMEDIR//EN
VERSION:2.0
METHOD:REQUEST
BEGIN:VTIMEZONE
TZID:America/New_York
TZURL:http://tzurl.org/zoneinfo-outlook/America/New_York
X-LIC-LOCATION:America/New_York
BEGIN:DAYLIGHT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
TZNAME:EDT
DTSTART:19700308T020000
RRULE:FREQ=3DYEARLY;BYMONTH=3D3;BYDAY=3D2SU
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
TZNAME:EST
DTSTART:19701101T020000
RRULE:FREQ=3DYEARLY;BYMONTH=3D11;BYDAY=3D1SU
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTAMP:20200715T172011Z
ATTENDEE;CN=3D"Web Authorization Protocol Working Group";ROLE=3DREQ-PARTICI=
PANT;RSVP=3DTRUE:MAILTO:oauth-chairs@ietf.org
ORGANIZER;CN=3D"Web Authorization Protocol Working Group":MAILTO:oauth-chai=
rs@ietf.org
DTSTART;TZID=3DAmerica/New_York:20200803T120000
DTEND;TZID=3DAmerica/New_York:20200803T130000
LOCATION:https://ietf.webex.com/ietf/j.php?MTID=3Dm1285bd51ffb5dcd173147c53=
1b5fabf3
TRANSP:OPAQUE
SEQUENCE:1594833611
UID:2f650555-8e74-4f50-b9eb-e9391e18fd91
DESCRIPTION:\n\n\n\nJOIN WEBEX MEETING\nhttps://ietf.webex.com/ietf/j.php?M=
TID=3Dm1285bd51ffb5dcd173147c531b5fabf3\nMeeting number (access code): 161 =
700 3301\n\nMeeting password: 99N5Myuqwph\n\n\n\nTAP TO JOIN FROM A MOBILE =
DEVICE (ATTENDEES ONLY)\n+1-650-479-3208,,1617003301## tel:%2B1-650-479-320=
8,,*01*1617003301%23%23*01* Call-in toll number (US/Canada)\n\n\nJOIN BY PH=
ONE\n1-650-479-3208 Call-in toll number (US/Canada)\n\nGlobal call-in numbe=
rs\nhttps://ietf.webex.com/ietf/globalcallin.php?MTID=3Dm2d91ed8ceb631fdacd=
c654450f71b65f\n\n\nJOIN FROM A VIDEO SYSTEM OR APPLICATION\nDial sip:16170=
03301@ietf.webex.com\nYou can also dial 173.243.2.68 and enter your meeting=
 number.\n\n\nJoin using Microsoft Lync or Microsoft Skype for Business\nDi=
al sip:1617003301.ietf@lync.webex.com\n\n\n\n\n\nCan't join the meeting?\nh=
ttps://collaborationhelp.cisco.com/article/WBX000029055\n\n\nIMPORTANT NOTI=
CE: Please note that this Webex service allows audio and other information =
sent during the session to be recorded, which may be discoverable in a lega=
l matter. By joining this session, you automatically consent to such record=
ings. If you do not consent to being recorded, discuss your concerns with t=
he host or do not join the session.\n
SUMMARY:OAuth WG - Aug 3rd Interim
PRIORITY:5
CLASS:PUBLIC
BEGIN:VALARM
TRIGGER:-PT5M
ACTION:DISPLAY
DESCRIPTION:Reminder
END:VALARM
END:VEVENT
END:VCALENDAR

--00000000000042290d05aa80d995--

--00000000000042290f05aa80d997
Content-Type: application/ics; name="Webex_Meeting.ics"
Content-Disposition: attachment; filename="Webex_Meeting.ics"
Content-Transfer-Encoding: base64
Content-ID: <173542e363bc1ce7aee1>
X-Attachment-Id: 173542e363bc1ce7aee1

--00000000000042290f05aa80d997--


From nobody Wed Jul 15 13:39:53 2020
Return-Path: <hans.zandbelt@zmartzone.eu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A9373A0FBF for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 13:39:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zmartzone-eu.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BdFS-sFo1v2i for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 13:39:49 -0700 (PDT)
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9AE63A0FBE for <oauth@ietf.org>; Wed, 15 Jul 2020 13:39:49 -0700 (PDT)
Received: by mail-vs1-xe35.google.com with SMTP id m6so1813596vsl.12 for <oauth@ietf.org>; Wed, 15 Jul 2020 13:39:49 -0700 (PDT)
X-Received: by 2002:a05:6102:1e:: with SMTP id j30mr882077vsp.205.1594845588377;  Wed, 15 Jul 2020 13:39:48 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com>
In-Reply-To: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com>
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Wed, 15 Jul 2020 22:39:37 +0200
Message-ID: <CA+iA6uj2yzSZBt6VpBRrgNPNhZVb_58QMsSybudraZDQ92=8tg@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c468a105aa80ecd8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DkED1M_dzefVKQ_kFmlWX8CO_6A>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 20:39:51 -0000

--000000000000c468a105aa80ecd8
Content-Type: text/plain; charset="UTF-8"

+1

Hans.

On Wed, Jul 15, 2020 at 7:43 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
wrote:

> All,
>
> This is a *call for adoption* for the following *OAuth 2.1* document as a
> WG document:
> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>
> Please, provide your feedback on the mailing list by *July 29th.*
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
hans.zandbelt@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu

--000000000000c468a105aa80ecd8--


From nobody Wed Jul 15 14:12:04 2020
Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 103C73A091D for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 14:12:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BWlah_g4x3Jh for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 14:11:58 -0700 (PDT)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBF603A084D for <oauth@ietf.org>; Wed, 15 Jul 2020 14:11:57 -0700 (PDT)
Received: by mail-wr1-x42c.google.com with SMTP id q5so4387354wru.6 for <oauth@ietf.org>; Wed, 15 Jul 2020 14:11:57 -0700 (PDT)
X-Received: by 2002:a5d:4d8b:: with SMTP id b11mr1442187wru.341.1594847515802;  Wed, 15 Jul 2020 14:11:55 -0700 (PDT)
MIME-Version: 1.0
References: <1747511884.5933621594847392645.JavaMail.nobody@rva2rmd102.webex.com>
In-Reply-To: <1747511884.5933621594847392645.JavaMail.nobody@rva2rmd102.webex.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Wed, 15 Jul 2020 17:11:44 -0400
Message-ID: <CADNypP9pBhnWbvdLH_xNDT_0YSdmmASQ1zM3Pdbgvh+8wc3C2Q@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/mixed; boundary="000000000000a695d505aa815feb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/y5OrjUXOAW4a4wSy1Pqr5xxHy2Q>
Subject: [OAUTH-WG] Fwd: Webex meeting changed: OAuth WG - Aug 10th Interim
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 21:12:02 -0000

--000000000000a695d505aa815feb
Content-Type: multipart/alternative; boundary="000000000000a695d405aa815fe9"

--000000000000a695d405aa815fe9
Content-Type: text/plain; charset="UTF-8"

---------- Forwarded message ---------
From: Web Authorization Protocol Working Group <messenger@webex.com>
Date: Wed, Jul 15, 2020 at 5:09 PM
Subject: Webex meeting changed: OAuth WG - Aug 10th Interim
To: <oauth-chairs@ietf.org>

Brian noticed that the time was incorrect for this meeting, so I have
updated the meeting with the proper time.

Regards,
 Rifaat



You changed the Webex meeting information.


When it's time, start your Webex meeting here.

Meeting number (access code): 161 640 8279
Meeting password: x2H2VwPMUu9

Monday, August 10, 2020
12:00 pm  |  (UTC-04:00) Eastern Time (US & Canada)  |  1 hr

Start meeting
<https://ietf.webex.com/ietf/j.php?MTID=m02cd2236222d8e7032dac03ee763d386>

*Tap to join from a mobile device (attendees only)*
+1-650-479-3208,,1616408279## <%2B1-650-479-3208,,*01*1616408279%23%23*01*>
Call-in toll number (US/Canada)

*Join by phone*
1-650-479-3208 Call-in toll number (US/Canada)
Global call-in numbers
<https://ietf.webex.com/ietf/globalcallin.php?MTID=m50db3a00ed4125cdeb4a6bf0e352cfbf>

*Join from a video system or application*
Dial 1616408279@ietf.webex.com
You can also dial 173.243.2.68 and enter your meeting number.

*Join using Microsoft Lync or Microsoft Skype for Business*
Dial 1616408279.ietf@lync.webex.com

If you are a host, click here
<https://ietf.webex.com/ietf/j.php?MTID=m709ff88efe24df1bfddd547cb96ab5e6>
to view host information.

Need help? Go to http://help.webex.com

--000000000000a695d405aa815fe9
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=
=3D"gmail_attr">---------- Forwarded message ---------<br>From: <strong cla=
ss=3D"gmail_sendername" dir=3D"auto">Web Authorization Protocol Working Gro=
up</strong> <span dir=3D"auto">&lt;<a href=3D"mailto:messenger@webex.com">m=
essenger@webex.com</a>&gt;</span><br>Date: Wed, Jul 15, 2020 at 5:09 PM<br>=
Subject: Webex meeting changed: OAuth WG - Aug 10th Interim<br>To:  &lt;<a =
href=3D"mailto:oauth-chairs@ietf.org">oauth-chairs@ietf.org</a>&gt;<br></di=
v><br>Brian noticed that the time was incorrect for this meeting, so I have=
 updated the meeting with the proper time.</div><div class=3D"gmail_quote">=
<br></div><div class=3D"gmail_quote">Regards,</div><div class=3D"gmail_quot=
e">=C2=A0Rifaat</div><div class=3D"gmail_quote"><br>


<table bgcolor=3D"#FFFFFF" style=3D"padding:0;margin:0;border:0;width:100%"=
 align=3D"left">
	<tbody><tr style=3D"height:28px"><td>=C2=A0</td></tr>
	<tr>
		<td align=3D"left" style=3D"padding:0 20px;margin:0">
		=09


<table>
        <tbody><tr>
            <td>
				<p style=3D"font-size:16px;font-family:arial;color:#000000;font-weight:=
bold;line-height:22px">
                    You changed the Webex meeting information.
                </p>
            </td>
        </tr>
        <tr style=3D"line-height:20px">
			<td style=3D"height:20px">=C2=A0</td>
		</tr>
        <tr>
            <td>
				<p style=3D"font-size:16px;font-family:arial;color:#000000;line-height:=
22px">
                    When it&#39;s time, start your Webex meeting here.
                </p>
            </td>
        </tr>
        <tr style=3D"line-height:20px">
			<td style=3D"height:20px">=C2=A0</td>
		</tr>
</tbody></table>

						<table style=3D"width:auto;width:auto!important">
							<tbody><tr>
								<td style=3D"font-family:arial;color:#000000;font-size:16px;line-he=
ight:22px">
									Meeting number (access code): 161 640 8279
								</td>
							</tr>
						</tbody></table>
						<table style=3D"width:auto;width:auto!important">
							<tbody><tr>
								<td style=3D"font-family:arial;color:#000000;font-size:16px;line-he=
ight:22px">Meeting password: x2H2VwPMUu9</td>
							</tr>
						</tbody></table>


						<table width=3D"100%">
							<tbody><tr style=3D"line-height:16px">
								<td style=3D"height:16px">=C2=A0</td>
							</tr>
							<tr>
								<td style=3D"font-size:16px;color:#666666;font-family:arial;line-he=
ight:22px;margin:0">Monday, August 10, 2020
								</td>
							</tr>
							<tr>
								<td style=3D"font-size:16px;color:#666666;font-family:arial;line-he=
ight:22px;margin:0">
									12:00 pm=C2=A0=C2=A0|=C2=A0=C2=A0(UTC-04:00) Eastern Time (US &amp=
; Canada)=C2=A0=C2=A0|=C2=A0=C2=A01 hr
								</td>
							</tr>
						</tbody></table>

 <font size=3D"2" color=3D"#FF0000" style=3D"font-family:Arial"></font>

   =20

			<table style=3D"padding-bottom:4px;font-family:Arial"><tbody><tr style=
=3D"line-height:20px"><td style=3D"height:20px">=C2=A0</td></tr></tbody></t=
able>
			<table style=3D"width:auto;width:auto!important"><tbody><tr><td style=3D=
"width:auto!important"><table border=3D"0" cellpadding=3D"0" cellspacing=3D=
"0" style=3D"width:auto;width:auto!important;background-color:#43a942;borde=
r:0px solid #43a942;border-radius:20px;min-width:160px!important"><tbody><t=
r><td align=3D"center" style=3D"padding:10px 36px;font-family:Arial"><a hre=
f=3D"https://ietf.webex.com/ietf/j.php?MTID=3Dm02cd2236222d8e7032dac03ee763=
d386" style=3D"color:#ffffff;font-size:20px;text-decoration:none" target=3D=
"_blank">Start meeting</a></td></tr></tbody></table></td></tr></tbody></tab=
le>
			<table><tbody><tr style=3D"line-height:48px"><td style=3D"height:48px">=
=C2=A0</td></tr></tbody></table>


	<table><tbody><tr><td style=3D"color:#000000;font-family:Arial;font-size:1=
2px;font-weight:bold;line-height:24px"><b>Tap to join from a mobile device =
(attendees only)</b></td></tr><tr style=3D"margin:0px"><td style=3D"font-fa=
mily:Arial;font-size:14px;line-height:24px"><a href=3D"tel:%2B1-650-479-320=
8,,*01*1616408279%23%23*01*" style=3D"color:#00aff9;text-decoration:none;fo=
nt-family:Arial;font-size:14px;line-height:24px" target=3D"_blank">+1-650-4=
79-3208,,1616408279##</a> Call-in toll number (US/Canada)</td></tr><tr styl=
e=3D"line-height:24px"><td style=3D"height:24px">=C2=A0</td></tr></tbody></=
table><table><tbody><tr><td style=3D"color:#000000;font-family:Arial;font-s=
ize:12px;font-weight:bold;line-height:24px"><b>Join by phone</b></td></tr><=
tr style=3D"margin:0px"><td style=3D"color:#333333;font-family:Arial;font-s=
ize:14px;line-height:24px">1-650-479-3208=C2=A0<span style=3D"color:#333333=
">Call-in toll number (US/Canada)</span></td></tr><tr style=3D"margin:0px">=
<td style=3D"font-family:Arial;font-size:14px;line-height:24px"><a href=3D"=
https://ietf.webex.com/ietf/globalcallin.php?MTID=3Dm50db3a00ed4125cdeb4a6b=
f0e352cfbf" style=3D"text-decoration:none;font-size:14px;color:#00aff9" tar=
get=3D"_blank">Global call-in numbers</a></td></tr></tbody></table><table c=
ellpadding=3D"0" cellspacing=3D"0"><tbody><tr style=3D"line-height:28px"><t=
d style=3D"height:28px">=C2=A0</td></tr></tbody></table>
	<table><tbody><tr><td style=3D"color:#000000;font-family:Arial;font-size:1=
2px;font-weight:bold;line-height:24px"><b>Join from a video system or appli=
cation</b></td></tr><tr style=3D"margin:0px"><td style=3D"color:#333333;fon=
t-family:Arial;font-size:14px;line-height:24px">Dial <a style=3D"text-decor=
ation:none;color:#00aff9">1616408279@ietf.webex.com</a></td></tr><tr style=
=3D"margin:0px"><td style=3D"color:#333333;font-family:Arial;font-size:14px=
;line-height:24px">You can also dial 173.243.2.68 and enter your meeting nu=
mber.</td></tr></tbody></table><table><tbody><tr style=3D"line-height:20px"=
><td style=3D"height:20px">=C2=A0</td></tr></tbody></table>
    <table cellpadding=3D"0" cellspacing=3D"0"><tbody><tr><td style=3D"colo=
r:#000000;font-family:Arial;font-size:12px;font-weight:bold;line-height:24p=
x"><b>Join using Microsoft Lync or Microsoft Skype for Business</b></td></t=
r><tr style=3D"margin:0px"><td style=3D"color:#333333;font-family:Arial;fon=
t-size:14px;line-height:24px">Dial <a style=3D"text-decoration:none;color:#=
00aff9">1616408279.ietf@lync.webex.com</a></td></tr></tbody></table>

	<table><tbody><tr style=3D"line-height:20px"><td style=3D"height:20px">=C2=
=A0</td></tr></tbody></table>
	<table><tbody><tr style=3D"margin:0px"><td style=3D"color:#333333;font-fam=
ily:Arial;font-size:14px;line-height:24px">If you are a host, <a href=3D"ht=
tps://ietf.webex.com/ietf/j.php?MTID=3Dm709ff88efe24df1bfddd547cb96ab5e6" s=
tyle=3D"text-decoration:none;color:#049fd9" target=3D"_blank">click here</a=
> to view host information.</td></tr></tbody></table>

			<table style=3D"width:100%" align=3D"left">
                <tbody><tr style=3D"height:72px"><td>=C2=A0</td></tr>
				<tr>
					<td style=3D"height:24px;color:#000000;font-family:Arial;font-size:14p=
x;line-height:24px">Need help? Go to <a href=3D"http://help.webex.com" styl=
e=3D"color:#049fd9;text-decoration:none" target=3D"_blank">http://help.webe=
x.com</a>
					</td>
				</tr>
                <tr style=3D"height:44px"><td>=C2=A0</td></tr>
			</tbody></table>
		</td>
	</tr>
</tbody></table>
</div></div>

--000000000000a695d405aa815fe9--

--000000000000a695d505aa815feb
Content-Type: application/ics; name="invite.ics"
Content-Disposition: attachment; filename="invite.ics"
Content-Transfer-Encoding: base64
Content-ID: <17354508ffa475802341>
X-Attachment-Id: 17354508ffa475802341

--000000000000a695d505aa815feb
Content-Type: application/ics; name="Webex_Meeting.ics"
Content-Disposition: attachment; filename="Webex_Meeting.ics"
Content-Transfer-Encoding: base64
Content-ID: <17354508ffac1ce7aee2>
X-Attachment-Id: 17354508ffac1ce7aee2

--000000000000a695d505aa815feb--


From nobody Wed Jul 15 15:05:08 2020
Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D95F3A05E2 for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 15:05:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V435WLwH1hMw for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 15:05:05 -0700 (PDT)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 355A63A079B for <oauth@ietf.org>; Wed, 15 Jul 2020 15:05:05 -0700 (PDT)
Received: by mail-wr1-x434.google.com with SMTP id z2so4592569wrp.2 for <oauth@ietf.org>; Wed, 15 Jul 2020 15:05:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:from:date:message-id:subject:to; bh=bIugLUJL0jWmqWYSWHEv/iLgHDeAgDvAil+40Aw5m98=; b=VVgIsGZF/k25Mm6uSiGwnVCXRy4CETiAjxsEKPD/QuOhWEhzy1jqMQpu0KzvEMOtBF PXZA3ODYdHNd3+K6CqEAT9xADfbMcojEk1k4dcNM1dss42uhHRrnAltMosqRDCabJntC pty0XP/kYIJGfKtwiANJkBUKcmZQQj9AIibakd+y7Rf116wbe3Rp2S+KIlrss+2rPTTJ c6lk5RuI7JXCk3G0knCbuyOeFHjgg3XPwKeok39OM1faGaV0jmAbw4KjnDcYDgnyHuq/ 4bHtJURHmWAaMWkNL02Bb4+IXDRdU2LWmFDMB2cKHQsWdOt8rhti2Snnja2O3vvJlDsZ 3BpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=bIugLUJL0jWmqWYSWHEv/iLgHDeAgDvAil+40Aw5m98=; b=bI/gpn//te0Mu0FpOlcGhc9IxJih/J5JA9cKYTWKJwPJCtf6ONzzl1DS9ng4WQnubD P2JcQoLLV7vXDJNayF7qlCUV3g4YywA6CKDekkw3n1FWrELN+D4dI5rGds4oHMj4hFJG scjdGesvUL6L4lbDJBLZQUDv7PKXXqSwLRJytKtS+2Vd++l2xJcaXTfyP4fFp8LhnmQe k6s5ExiwCZFyFfH25lhyhrn04rcSkhY8DeIlbcNTaubMiyMUgZ/2sq6HzsmCmA9WNZNk 677Chh0raPlkq/V5d6lbBbnE4h/0A3hEdtPYYjB+xpXMATcpUJLAeX3DDD+5l7RFMzXS UoaA==
X-Gm-Message-State: AOAM533Slnqc+fdmIXFedf1BkN8oIIkSHnqkUvCxWh9tuKRjF8/9Td1V Lf+mAHrB/jyoKm5+dlt20lQ3dTzoKtqIY+80AOEkpw==
X-Google-Smtp-Source: ABdhPJyqnjVfPu0MVd72TnTiXZYQMiyoq2T9kVxGxJP1Rcr4aDNd46rH+2z8e4mBIrq6KrUWFnZtLLCge80UwEfwb3M=
X-Received: by 2002:a5d:4d8b:: with SMTP id b11mr1685351wru.341.1594850702900;  Wed, 15 Jul 2020 15:05:02 -0700 (PDT)
MIME-Version: 1.0
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Wed, 15 Jul 2020 18:04:52 -0400
Message-ID: <CADNypP-W5Fd27hzTn+DU66ER1=4sOGJm3zsnJijmW3gi9+nCOg@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009dc05705aa821dc8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2NXyIz7fhtZ7h-3Ix9_vqjVIaIo>
Subject: [OAUTH-WG] OAuth WG Interims - Aug/Sep 2020
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 22:05:07 -0000

--0000000000009dc05705aa821dc8
Content-Type: text/plain; charset="UTF-8"

All,

As you might have noticed, we are starting a series of interim meetings in
August and September.
We have scheduled the following two meetings with specific topics:
1. *Aug 3rd* @ 12:00pm EDT to discuss *OAuth 2.1* document.
2. *Aug 10th* @ 12:00pm EDT to discuss the *PAR* document

More to follow.

If you are interested in presenting your document during one of these
upcoming interims, and have not contacted us already, please do so as soon
as possible.

Regards,
 Rifaat & Hannes

--0000000000009dc05705aa821dc8--


From nobody Wed Jul 15 15:55:21 2020
Return-Path: <saschapreibisch@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B478A3A0B14 for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 15:55:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T9_nCEn-6Q80 for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 15:55:18 -0700 (PDT)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39E0E3A0B0B for <oauth@ietf.org>; Wed, 15 Jul 2020 15:55:18 -0700 (PDT)
Received: by mail-wr1-x42c.google.com with SMTP id o11so4705673wrv.9 for <oauth@ietf.org>; Wed, 15 Jul 2020 15:55:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to;  bh=CNgDaex4qViL/eV6Nh7k3zV2f93L2meDAwM09/ByYUM=; b=GvjuZAwG3pw1a4Uh2yPZyz/WVR1VV92T5BZ7r4gwMnpkCNeFy8UemUeHnHUTV/ahSr +0gLtA1n+joghC53jO5towppUdA/rgSiW9F4S3Ketl8oC1xwsxbnoaMA36VdgVQW15Li gR0g35MbofxjU7IopyUAU6Mkxug0qP1CGGfpJPbqFlFFT8/JtlzCg+U4J3mpXQ0HwEGy yi11z6YgFEqD42cCJrR322wpsp01o+9hJ3p0m4l2fvRuWRdiVXbm5WEbZITNMmyNGDn2 n4YT5t2QR2jwCQPq0NKTG0rUXdFV8jCN6aF+26s/kZ81oZXW0SfTrOt2ochRfzOSOUfg qAZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=CNgDaex4qViL/eV6Nh7k3zV2f93L2meDAwM09/ByYUM=; b=dcw6L7CS7V0tYV/KLAHLOUGYhLTjrFfx596TCN1Sezw8w2kD3p48KvnMt856P13FxL geAHACbL0C32BB9KV4bVOuFwPayDa2t1wyJJbXwkxhI2YQauyn181E9zu3jcYy2hPkj7 DZllo+D08VPkUMmNl9XPgL6NUczDCG9mAYewiO7mNSG9KmF/z8SUJC9xgw8ohMSy0qoB 9AtMF54tzdf8RMPSeVRQLQD05pbedSV7knG+4vG1v+qiAbeJCLNC8+Zj7HdUd42z0NCc 96ZKBhP53smSWFPuFkpUODUqbiCMf5cIvGgZ0d9a8E3z1dg2sK1yi1OKFW2s8t5js+Tj oIyQ==
X-Gm-Message-State: AOAM53005xfRcp78LLaigoqcNE5siBd4sbRFIPdNOSwiGqAxOZs/q1HH D6/InWGSQMqvfAGnBwRQAXfYEbhXlI0hGoD0bfsh72aE
X-Google-Smtp-Source: ABdhPJyIXymsr0CVsJ7/nYJS1NNKaBcPVPZYOR8DVPXDLJAycXQ8qxfUTzvqHSwumDvOsrwSf5uY0SfQbYMHAMsG8IM=
X-Received: by 2002:a05:6000:1143:: with SMTP id d3mr1773179wrx.235.1594853716569;  Wed, 15 Jul 2020 15:55:16 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <CA+iA6uj2yzSZBt6VpBRrgNPNhZVb_58QMsSybudraZDQ92=8tg@mail.gmail.com>
In-Reply-To: <CA+iA6uj2yzSZBt6VpBRrgNPNhZVb_58QMsSybudraZDQ92=8tg@mail.gmail.com>
From: Sascha Preibisch <saschapreibisch@gmail.com>
Date: Wed, 15 Jul 2020 15:53:58 -0700
Message-ID: <CAP=vD9vSDGBiak4eCVKbCUSPO1F5+_UK00q2CZ3_wK1iAjK4JQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aPD1wG6pSovGrGNgGjpi5khN9qg>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 22:55:20 -0000

+1

On Wed, 15 Jul 2020 at 13:40, Hans Zandbelt <hans.zandbelt@zmartzone.eu> wrote:
>
> +1
>
> Hans.
>
> On Wed, Jul 15, 2020 at 7:43 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
>>
>> All,
>>
>> This is a call for adoption for the following OAuth 2.1 document as a WG document:
>> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>>
>> Please, provide your feedback on the mailing list by July 29th.
>>
>> Regards,
>>  Rifaat & Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> --
> hans.zandbelt@zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From nobody Wed Jul 15 16:37:01 2020
Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FCC23A0B65 for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 16:37:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IZISH-YJ_pXq for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 16:36:58 -0700 (PDT)
Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF5063A0B64 for <oauth@ietf.org>; Wed, 15 Jul 2020 16:36:58 -0700 (PDT)
Received: by mail-pj1-x1035.google.com with SMTP id cv18so2384518pjb.1 for <oauth@ietf.org>; Wed, 15 Jul 2020 16:36:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=KI554EivqUwEv6wGxVS0+At4nokkP+RKUFL580dYUyY=; b=PgOJH7zKqO3Hap0ZPB7EMMrauqp/D04xQIwXex3FqQfo8MJoiTDkHWtp2uVssgkKyA xlh8NhQFO5cMNkDm6HUQp4piJFi5LEnaJDJ/NVWpC+AlANSH22QoysB0VRsttSSVsQCE ZG36MsHz0JVmUPGqHAjchxmvIWUaFpApz0/aiy1wzlEArWmFI+uPKsdTbmtkd5AbvELo BMtEvOCr58P8hQ/4cLCWiOfFuDX+XtlMjeo6zmVgxxq7qFr16B8Ufw0NXp8ArtnUPx3Q HoS6EGWL8DJQt83mHQHYJV6BBDNoUhCmMT3yPCnP24xpxYfzGXGPOlbTymIjkL1zeTjp LUOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=KI554EivqUwEv6wGxVS0+At4nokkP+RKUFL580dYUyY=; b=ipIV/ZKeb4A4Uef5UMFZCn4MiXyRjLr6wGbrtBMo2dpthctg9EC4rhDCTDfRv0gIbE Gv8TKwVoMuXEh1uiQ7xhWZsDuvqb1C2QBvbRWqMbsx1hAdWokywBdMS+O1ejdmiTFHA2 9yikrj8lfDBkJaRP/kz84P5jVLYKAMVdO4OgG1B03fkMBNRJDkg5qz+zgHi6ll4Z6v+B GoVNe/HlscZ/zJ7NSRBr7lz8dkJ480pVX54S2cHums7RCEzSoyOo4AHtlxdQ3WnDoC1c s3Nffl5LodW2rj9CY4OvdUFnmPsTvDGyfcQ+EM7am7IXZV1CgLpJtClTMxLJAzZWKzRE E3zQ==
X-Gm-Message-State: AOAM531Oqfkc+5bN8tMrBuvNLg9w9betNAvtg1yLIaCWJgZ+P4Hji3wZ dgshw8IfUks2NFhS9cVFOi9Pnw==
X-Google-Smtp-Source: ABdhPJxKzXnsGVig6SIQIko0DMvG2PiJ+ixKDdIFqVU6D0yZJVPWLvui8NhZxU0vKbUVUf1bsdbLAA==
X-Received: by 2002:a17:902:904c:: with SMTP id w12mr1505974plz.147.1594856217479;  Wed, 15 Jul 2020 16:36:57 -0700 (PDT)
Received: from vibrosurface7 (c-67-171-8-60.hsd1.wa.comcast.net. [67.171.8.60]) by smtp.gmail.com with ESMTPSA id j10sm3121373pgh.28.2020.07.15.16.36.56 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 Jul 2020 16:36:56 -0700 (PDT)
From: <vittorio.bertocci@auth0.com>
To: "'Dick Hardt'" <dick.hardt@gmail.com>, "'Rifaat Shekh-Yusef'" <rifaat.s.ietf@gmail.com>
Cc: "'oauth'" <oauth@ietf.org>
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com>
In-Reply-To: <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com>
Date: Wed, 15 Jul 2020 16:36:59 -0700
Message-ID: <0b6b01d65b00$d61de7a0$8259b6e0$@auth0.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0B6C_01D65AC6.29C06F30"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJG4+iBhh7q/Dge1phdOFKsCo3aPQLfOkCqqBFAAaA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yk8E-stSuJt-jEcXrkrG51mDzyQ>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 23:37:00 -0000

This is a multipart message in MIME format.

------=_NextPart_000_0B6C_01D65AC6.29C06F30
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable

+1

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
Sent: Wednesday, July 15, 2020 10:55 AM
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document

+1

On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com <mailto:rifaat.s.ietf@gmail.com> > wrote:

All,

This is a call for adoption for the following OAuth 2.1 document as a WG document:

https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html

Please, provide your feedback on the mailing list by July 29th.

Regards,

 Rifaat & Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


------=_NextPart_000_0B6C_01D65AC6.29C06F30--


From nobody Wed Jul 15 16:53:59 2020
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F25B83A0B84 for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 16:53:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level: 
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jUoHAD0kcDUX for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 16:53:57 -0700 (PDT)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A11683A0B83 for <oauth@ietf.org>; Wed, 15 Jul 2020 16:53:57 -0700 (PDT)
Received: by mail-wr1-x435.google.com with SMTP id j4so4864877wrp.10 for <oauth@ietf.org>; Wed, 15 Jul 2020 16:53:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gm5Hj4LchFLQ0sZtf8WCCyasjsdiLxaFUDZR9b70bAI=; b=H8fifIRujZ2iCf85oJ42kDxFprWCYC7h1LeZ5dKbzDU2dJoy1ZY4yYnpKPD9gvPq7e +xCGRYqhmXUw9NwMe6UkaaZhQUurPNczCXz/RNzmDahXKzsDNn3rH0LgmjO7FN7UNqY9 rp5IqbLJeeQckzLMmiYf/GlpruQwqQyCmTD1HwwxYRFTmZJAZaBo/KMmWwrD4Gt6dBQP g8XAxI03tMilkorgUvqJwcTm3QUZk4E5QY1zBvS7Un+uTie0iYXwsPFJt6e+zPhZPhXr f5WxaItTg5nAdaTgCwau+wuNHu6Eoej1zmuJb9puiiuXuRtEFg7DOW+piXNVvVCQhxDQ 2IlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gm5Hj4LchFLQ0sZtf8WCCyasjsdiLxaFUDZR9b70bAI=; b=hJoyiWbTfW/WGR5da13uTT0TaFCLeXvmt3PaLcRtyCantqMp8vHEfhPKDs7jhEE0K7 FRZvxf/UB4E6QJcKXK4vnpT20yRySvTsWWHDgJL8m37SDtMNB1ccrIyrdQsfg1Cmmfl7 Jw5CK58fHDv8JNPUUwq3aV+KamCp6VhPkQ+WBRaGyXZbCmRpsfzjV/mVfWWltiTtzwEx nPtE10mdd3PNcI93hJv+A4mqtrYf5Lmr66sfjT1wrFX63upktOmZoNJ48SvKw8AXJsO/ RE5ooEYgYtRLoT0ijiCA0+NU9SOX2M5shhiMk7vq5FDXZPhjlpzirT/5tXQekag1OHwG 8Ljg==
X-Gm-Message-State: AOAM531Z7T4KrsNpVDKsM0jaJAEi1nJ5homrVgWHAZdqwUHLEpeJH+Zi F37iHAl7Js/kazc/hsA2f4Ky+XPo8KN7ROlRGbXf+A==
X-Google-Smtp-Source: ABdhPJyk6R+ZFguW2GXjLJWw4NymYkX/QwvKyr439oVRE2hTqUwU/ZFqf320cxuxrwi/6It+mdPyPv6mpEJq87uuSao=
X-Received: by 2002:adf:ee0f:: with SMTP id y15mr2037008wrn.76.1594857235816;  Wed, 15 Jul 2020 16:53:55 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com> <0b6b01d65b00$d61de7a0$8259b6e0$@auth0.com>
In-Reply-To: <0b6b01d65b00$d61de7a0$8259b6e0$@auth0.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 15 Jul 2020 16:53:37 -0700
Message-ID: <CAAP42hBk=C+ax8cqB1iohxF5fFnP6sY-dmj4q5kELs9K6MsrUA@mail.gmail.com>
To: vittorio.bertocci=40auth0.com@dmarc.ietf.org
Cc: Dick Hardt <dick.hardt@gmail.com>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000028f0105aa83a379"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zRCzGz6TUSTkwSNeFyMMIbKzb1w>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 23:53:59 -0000

--000000000000028f0105aa83a379
Content-Type: text/plain; charset="UTF-8"

I support adoption.

On Wed, Jul 15, 2020 at 4:37 PM <vittorio.bertocci=
40auth0.com@dmarc.ietf.org> wrote:

> +1
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Dick Hardt
> *Sent:* Wednesday, July 15, 2020 10:55 AM
> *To:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> *Cc:* oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
>
>
>
> +1
>
>
>
> On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <
> rifaat.s.ietf@gmail.com> wrote:
>
> All,
>
>
>
> This is a *call for adoption* for the following *OAuth 2.1* document as a
> WG document:
>
> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>
>
>
> Please, provide your feedback on the mailing list by *July 29th.*
>
>
>
> Regards,
>
>  Rifaat & Hannes
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--000000000000028f0105aa83a379--


From nobody Wed Jul 15 23:08:56 2020
Return-Path: <dbaier@leastprivilege.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 010333A0F20 for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 23:08:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level: 
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=leastprivilege-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DNj8aD9YkeVd for <oauth@ietfa.amsl.com>; Wed, 15 Jul 2020 23:08:51 -0700 (PDT)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 716803A0F1F for <oauth@ietf.org>; Wed, 15 Jul 2020 23:08:51 -0700 (PDT)
Received: by mail-il1-x12b.google.com with SMTP id p15so4042581ilh.13 for <oauth@ietf.org>; Wed, 15 Jul 2020 23:08:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=leastprivilege-com.20150623.gappssmtp.com; s=20150623; h=from:in-reply-to:references:mime-version:date:message-id:subject:to; bh=AkkBikK1oyso669lywX6bdAhtR9jq74OqniNieNm91k=; b=TO+JZsvsyvvMKVOshDMGDgaVMjwKvTGtGUsLr37WsEzw8r8unHMc4yKt7V9IJtLvki 8jfoXrIBtYKo6hzKKxAtfZ0l1OEvNuBEue/UUKFfV++aTJ9AnRwJYEV9c4ZmBaDmCCYV JJt4XtGUC+mxMXup6MuqCF3jKlDJX53gZsqj21dI6v/xQL/Oyrmbm74MBxxZ9xV3Yl5O Rib/O+eMWBkVgZj4Iz4FFolC80DeK5Lf4k6Ltv3o9o9+Mjs7gGHv/CPu5THjQGuRmEBx h7UC5n67PCdfz+6Z7Pr5c2WsVmKb7sZe329SbeKHLb12Lv2f0XEWGNJNZ9nF8MW7naDa 3ziQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to; bh=AkkBikK1oyso669lywX6bdAhtR9jq74OqniNieNm91k=; b=mgD/gNiNNOIQ3X79zNqC195UrSAuRXfqqqKEhIJQUVtis3DYbzd+Fsz7S+zos0dL4w mf6T4BnTxPzSF+4pGhNydbpJW1R+y7X95OQLj3HcMyCjobjV22AcFPbZskwkXP7ADmO+ +JYgS7KyKeM/wcqK1apDOqg5XmuWrBDw3lOkyCwtedGrNOL959ALvXSdbk9ylSkLNyGx BgZSfQC2rlF0QzSOhJtYlohmbmLwrBpbeOoin7gNarQzjzGublVJX78Ol6JBzlPa4EEs FIwzc8hGVzGE5PReXMR0Jp8HFNtFPx63uxkzPj9mev5EY4ab5g3ho+hVMwfQvBX0EUBL SaYw==
X-Gm-Message-State: AOAM531HZUoYsmn7kI2c2bQMkFtV4WMyBn/weqAA0DivDIGeN3PxkLuz OfSmSYJYDCanR5wM2/OJmvVuslVdKGpahY6RpfWczm4=
X-Google-Smtp-Source: ABdhPJx8u6XlyKythqWCB6t1VWPs90kUwLyU1U9b+CKC1jRNeptN9k5t6dLJ1fyO7Tj+oi/MP59c5D8CKfVzKp0jvh0=
X-Received: by 2002:a92:a1cf:: with SMTP id b76mr2986990ill.128.1594879730057;  Wed, 15 Jul 2020 23:08:50 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Wed, 15 Jul 2020 23:08:49 -0700
From: Dominick Baier <dbaier@leastprivilege.com>
In-Reply-To: <CAAP42hBk=C+ax8cqB1iohxF5fFnP6sY-dmj4q5kELs9K6MsrUA@mail.gmail.com>
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com> <0b6b01d65b00$d61de7a0$8259b6e0$@auth0.com> <CAAP42hBk=C+ax8cqB1iohxF5fFnP6sY-dmj4q5kELs9K6MsrUA@mail.gmail.com>
MIME-Version: 1.0
Date: Wed, 15 Jul 2020 23:08:49 -0700
Message-ID: <CAO7Ng+vg8k_1vrxD9ovTC8Bxmsfy4SL0p0TDjOShn=H-qQa1tQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c51cf905aa88dfda"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_CNlClKYeijyp9N1Oqy9cFa53Fk>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jul 2020 06:08:53 -0000

--000000000000c51cf905aa88dfda
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I support adoption

———
Dominick Baier

On 16. July 2020 at 01:54:08, William Denniss (
wdenniss=40google.com@dmarc.ietf.org) wrote:

I support adoption.

On Wed, Jul 15, 2020 at 4:37 PM
<vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:

> +1
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Dick Hardt
> *Sent:* Wednesday, July 15, 2020 10:55 AM
> *To:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> *Cc:* oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
>
>
>
> +1
>
>
>
> On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <
> rifaat.s.ietf@gmail.com> wrote:
>
> All,
>
>
>
> This is a *call for adoption* for the following *OAuth 2.1* document as a
> WG document:
>
> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>
>
>
> Please, provide your feedback on the mailing list by *July 29th.*
>
>
>
> Regards,
>
>  Rifaat & Hannes
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--000000000000c51cf905aa88dfda--


From nobody Thu Jul 16 00:33:20 2020
MIME-Version: 1.0
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com> <0b6b01d65b00$d61de7a0$8259b6e0$@auth0.com> <CAAP42hBk=C+ax8cqB1iohxF5fFnP6sY-dmj4q5kELs9K6MsrUA@mail.gmail.com> <CAO7Ng+vg8k_1vrxD9ovTC8Bxmsfy4SL0p0TDjOShn=H-qQa1tQ@mail.gmail.com>
In-Reply-To: <CAO7Ng+vg8k_1vrxD9ovTC8Bxmsfy4SL0p0TDjOShn=H-qQa1tQ@mail.gmail.com>
From: Jim Willeke <jim@willeke.com>
Date: Thu, 16 Jul 2020 03:32:36 -0400
Message-ID: <CAB3ntOu-QRtJVQU0X9T6a6mx3+1GcBqQ-d6j7mQwh_ZuuQfAzQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009359e505aa8a0d20"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/j_5zzAjGJyQ_vX30sWI3798eMoI>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document

--0000000000009359e505aa8a0d20
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I support adoption
--
-jim
Jim Willeke


On Thu, Jul 16, 2020 at 2:09 AM Dominick Baier <dbaier@leastprivilege.com>
wrote:

> I support adoption
>
> ———
> Dominick Baier
>
> On 16. July 2020 at 01:54:08, William Denniss (
> wdenniss=40google.com@dmarc.ietf.org) wrote:
>
> I support adoption.
>
> On Wed, Jul 15, 2020 at 4:37 PM <vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:
>
>> +1
>>
>>
>>
>> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Dick Hardt
>> *Sent:* Wednesday, July 15, 2020 10:55 AM
>> *To:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
>> *Cc:* oauth <oauth@ietf.org>
>> *Subject:* Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
>>
>>
>>
>> +1
>>
>>
>>
>> On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <
>> rifaat.s.ietf@gmail.com> wrote:
>>
>> All,
>>
>>
>>
>> This is a *call for adoption* for the following *OAuth 2.1* document as
>> a WG document:
>>
>> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>>
>>
>>
>> Please, provide your feedback on the mailing list by *July 29th.*
>>
>>
>>
>> Regards,
>>
>>  Rifaat & Hannes

--0000000000009359e505aa8a0d20--


From nobody Thu Jul 16 00:42:24 2020
To: oauth@ietf.org
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com>
From: Daniel Fett <fett@danielfett.de>
Message-ID: <2ddb6572-d55c-43fc-f141-23c3ada5d535@danielfett.de>
Date: Thu, 16 Jul 2020 09:42:16 +0200
MIME-Version: 1.0
In-Reply-To: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------96368E53168CFB0905F43CDB"
Content-Language: de-DE
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lDVS9UwTGwwCcWSbwYEttctHkFE>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document

This is a multi-part message in MIME format.
--------------96368E53168CFB0905F43CDB
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

+1

On 15.07.20 at 19:41, Rifaat Shekh-Yusef wrote:
> All,
>
> This is a *call for adoption* for the following *OAuth 2.1* document
> as a WG document:
> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>
> Please, provide your feedback on the mailing list by *July 29th.*
>
> Regards,
>  Rifaat & Hannes


-- 
https://danielfett.de


--------------96368E53168CFB0905F43CDB--


From nobody Thu Jul 16 01:09:07 2020
MIME-Version: 1.0
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com>
In-Reply-To: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com>
From: Dave Tonge <dave.tonge@momentumft.co.uk>
Date: Thu, 16 Jul 2020 10:08:51 +0200
Message-ID: <CAP-T6TSi_1S8pchPB4_gn-C6MtJsg8Ghfq9P-p53ku9kiA65AQ@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aeb89c05aa8a8d96"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EkBMUcO2eGAxl_oQYDnmzjswWok>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document

--000000000000aeb89c05aa8a8d96
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

+1

On Wed, 15 Jul 2020 at 19:43, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
wrote:

> All,
>
> This is a *call for adoption* for the following *OAuth 2.1* document as a
> WG document:
> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>
> Please, provide your feedback on the mailing list by *July 29th.*
>
> Regards,
>  Rifaat & Hannes


-- 
Dave Tonge
CTO

--000000000000aeb89c05aa8a8d96
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_default" style=3D"font-family:trebuche=
t ms,sans-serif">+1<br></div></div><br><div class=3D"gmail_quote"><div dir=
=3D"ltr" class=3D"gmail_attr">On Wed, 15 Jul 2020 at 19:43, Rifaat Shekh-Yu=
sef &lt;<a href=3D"mailto:rifaat.s.ietf@gmail.com">rifaat.s.ietf@gmail.com<=
/a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><=
div dir=3D"ltr">All,<div><br></div><div>This is a <b>call for adoption</b> =
for the following <b>OAuth 2.1</b> document as a WG document:</div><div><a =
href=3D"https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html" target=3D=
"_blank">https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html</a><br></=
div><div><br></div><div>Please, provide your feedback on the mailing=C2=A0l=
ist by <b>July 29th.</b></div><div><br></div><div>Regards,</div><div>=C2=A0=
Rifaat &amp; Hannes</div><div><br></div></div>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"=
 class=3D"gmail_signature"><div dir=3D"ltr"><div><div dir=3D"ltr"><div dir=
=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div style=3D"f=
ont-size:1em;font-weight:bold;line-height:1.4"><div style=3D"color:rgb(97,9=
7,97);font-family:&quot;Open Sans&quot;;font-size:14px;font-weight:normal;l=
ine-height:21px"><div style=3D"font-family:Arial,Helvetica,sans-serif;font-=
size:0.925em;line-height:1.4;color:rgb(220,41,30);font-weight:bold"><div st=
yle=3D"font-size:14px;font-weight:normal;color:rgb(51,51,51);font-family:la=
to,&quot;open sans&quot;,arial,sans-serif;line-height:normal"><div style=3D=
"color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4"><div =
style=3D"font-weight:400;color:rgb(51,51,51);line-height:normal"><div style=
=3D"color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4">Da=
ve Tonge</div><div style=3D"font-size:0.8125em;line-height:1.4">CTO</div><d=
iv style=3D"font-size:0.8125em;line-height:1.4;margin:0px"><a href=3D"http:=
//www.google.com/url?q=3Dhttp%3A%2F%2Fmoneyhubenterprise.com%2F&amp;sa=3DD&=
amp;sntz=3D1&amp;usg=3DAFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A" style=3D"color:r=
gb(131,94,165)" target=3D"_blank"><img alt=3D"Moneyhub Enterprise" height=
=3D"50" src=3D"http://content.moneyhub.co.uk/images/teal_Moneyhub-Ent_logo_=
200x50.png" title=3D"Moneyhub Enterprise" width=3D"200" style=3D"border: no=
ne; padding: 0px; border-radius: 2px; margin: 7px;"></a></div><div style=3D=
"padding:8px 0px"><div style=3D"padding:8px 0px"><div style=3D"letter-spaci=
ng:normal;line-height:normal"><div style=3D"padding:8px 0px"><span style=3D=
"color:rgb(0,164,183);font-size:11px">Moneyhub Financial Technology, 5th Fl=
oor, 10 Temple Back, Bristol, BS1 6FL</span></div><span style=3D"font-size:=
11px;line-height:15.925px;color:rgb(0,164,183);font-weight:bold">t:=C2=A0</=
span><span style=3D"font-size:11px;line-height:15.925px">+44 (0)117 280 512=
0</span><br style=3D"color:rgb(0,164,183);font-size:11px;line-height:15.925=
px"></div><div style=3D"letter-spacing:normal;line-height:normal"><span sty=
le=3D"font-size:11px;line-height:15.925px"><br></span></div><div style=3D"c=
olor:rgb(97,97,97);font-family:&quot;Open Sans&quot;;letter-spacing:normal"=
><div style=3D"line-height:1.4"><span style=3D"color:rgb(51,51,51);font-fam=
ily:lato,&quot;open sans&quot;,arial,sans-serif;font-size:0.75em">Moneyhub =
Enterprise is a trading style of Moneyhub Financial Technology Limited whic=
h is authorised and regulated by the Financial Conduct Authority (&quot;FCA=
&quot;).=C2=A0Moneyhub Financial Technology is entered on the Financial Ser=
vices Register=C2=A0</span><span style=3D"color:rgb(51,51,51);font-family:l=
ato,&quot;open sans&quot;,arial,sans-serif;font-size:0.75em;background-colo=
r:transparent">(FRN=C2=A0</span><span style=3D"color:rgb(0,164,183);font-fa=
mily:lato,&quot;open sans&quot;,arial,sans-serif;font-size:10.5px;font-weig=
ht:700">809360</span><span style=3D"color:rgb(51,51,51);font-family:lato,&q=
uot;open sans&quot;,arial,sans-serif;background-color:transparent;font-size=
:0.75em">) at <a href=3D"http://fca.org.uk/register" target=3D"_blank">fca.=
org.uk/register</a>. M</span><span style=3D"color:rgb(51,51,51);font-family=
:lato,&quot;open sans&quot;,arial,sans-serif;background-color:transparent;f=
ont-size:10.5px">oneyhub</span><span style=3D"color:rgb(51,51,51);font-fami=
ly:lato,&quot;open sans&quot;,arial,sans-serif;background-color:transparent=
;font-size:0.75em">=C2=A0Financial Technology is registered in England &amp=
; Wales, company registration number=C2=A0</span><span style=3D"color:rgb(5=
1,51,51);font-family:lato,&quot;open sans&quot;,arial,sans-serif;background=
-color:transparent;font-size:0.75em">=C2=A0</span><span style=3D"font-weigh=
t:bold;color:rgb(0,164,183);font-family:lato,&quot;open sans&quot;,arial,sa=
ns-serif;background-color:transparent;font-size:0.75em">06909772</span><spa=
n style=3D"background-color:transparent"><font color=3D"#333333" face=3D"la=
to, open sans, arial, sans-serif"><span style=3D"font-size:0.75em">=C2=A0.<=
/span></font></span></div><div style=3D"font-family:lato,&quot;open sans&qu=
ot;,arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style=3D"ba=
ckground-color:transparent;font-size:10.5px">Moneyhub</span><span style=3D"=
background-color:transparent;font-size:0.75em">=C2=A0Financial Technology L=
imited 2018=C2=A0</span><span style=3D"background-color:transparent;color:r=
gb(34,34,34);font-family:arial,sans-serif;font-size:x-small">=C2=A9</span><=
/div><div style=3D"font-family:lato,&quot;open sans&quot;,arial,sans-serif;=
color:rgb(51,51,51);line-height:1.4"><span style=3D"background-color:transp=
arent;font-size:0.75em"><br></span></div><div style=3D"font-family:lato,&qu=
ot;open sans&quot;,arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><s=
pan style=3D"background-color:transparent;font-size:0.75em;color:rgb(136,13=
6,136)">DISCLAIMER: This email (including any attachments) is subject to co=
pyright, and the information in it is confidential. Use of this email or of=
 any information in it other than by the addressee is unauthorised and unla=
wful. Whilst reasonable efforts are made to ensure that any attachments are=
 virus-free, it is the recipient&#39;s sole responsibility to scan all atta=
chments for viruses. All calls and emails to and from this company may be m=
onitored and recorded for legitimate purposes relating to this company&#39;=
s business. Any opinions expressed in this email (or in any attachments) ar=
e those of the author and do not necessarily represent the opinions of Mone=
yhub Financial Technology Limited or of any other group company.</span></di=
v></div></div></div></div></div></div></div></div></div></div></div></div><=
/div></div></div></div></div>

--000000000000aeb89c05aa8a8d96--


From nobody Thu Jul 16 23:57:30 2020
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D9E33A12E5 for <oauth@ietfa.amsl.com>; Thu, 16 Jul 2020 23:57:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Level: 
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pppwdZGeC2kK for <oauth@ietfa.amsl.com>; Thu, 16 Jul 2020 23:57:27 -0700 (PDT)
Received: from p3plsmtpa06-09.prod.phx3.secureserver.net (p3plsmtpa06-09.prod.phx3.secureserver.net [173.201.192.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 496453A1272 for <oauth@ietf.org>; Thu, 16 Jul 2020 23:57:27 -0700 (PDT)
Received: from [192.168.1.196] ([188.14.55.76]) by :SMTPAUTH: with ESMTPSA id wKJAjuQtvxIzhwKJBjOdP9; Thu, 16 Jul 2020 23:57:26 -0700
X-SECURESERVER-ACCT: vladimir@connect2id.com
To: oauth@ietf.org
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <546988a3-2740-98e7-a37b-8c11c0a41b8f@connect2id.com>
Date: Fri, 17 Jul 2020 09:57:24 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms010304080006050403070102"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OGxZ22vDCX3ENGWH7EWU51JrUcE>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2020 06:57:29 -0000

This is a cryptographically signed message in MIME format.

--------------ms010304080006050403070102
Content-Type: multipart/alternative;
 boundary="------------83CADEE9A497DC63D3314288"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------83CADEE9A497DC63D3314288
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

+1

Vladimir

On 15/07/2020 20:54, Dick Hardt wrote:
> +1
>
> On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef
> <rifaat.s.ietf@gmail.com <mailto:rifaat.s.ietf@gmail.com>> wrote:
>
>     All,
>
>     This is a *call for adoption* for the following *OAuth 2.1*
>     document as a WG document:
>     https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>
>     Please, provide your feedback on the mailing list by *July 29th.*
>
>     Regards,
>      Rifaat & Hannes
>


--------------83CADEE9A497DC63D3314288--

--------------ms010304080006050403070102--


From nobody Fri Jul 17 06:29:28 2020
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B1483A08A2 for <oauth@ietfa.amsl.com>; Fri, 17 Jul 2020 06:29:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.96
X-Spam-Level: 
X-Spam-Status: No, score=-0.96 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MALFORMED_FREEMAIL=0.116, MISSING_HEADERS=1.021, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iGRRBizWTza8 for <oauth@ietfa.amsl.com>; Fri, 17 Jul 2020 06:29:25 -0700 (PDT)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABBC13A0854 for <oauth@ietf.org>; Fri, 17 Jul 2020 06:29:25 -0700 (PDT)
Received: by mail-wr1-x433.google.com with SMTP id f2so11099082wrp.7 for <oauth@ietf.org>; Fri, 17 Jul 2020 06:29:25 -0700 (PDT)
X-Received: by 2002:a5d:5187:: with SMTP id k7mr11174388wrv.39.1594992563428;  Fri, 17 Jul 2020 06:29:23 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com> <546988a3-2740-98e7-a37b-8c11c0a41b8f@connect2id.com>
In-Reply-To: <546988a3-2740-98e7-a37b-8c11c0a41b8f@connect2id.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Fri, 17 Jul 2020 22:29:11 +0900
Message-ID: <CABzCy2ASW4QfnjSR+su-6m43WHc2fucvfZBXD3stYk_zahho3w@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000029a32c05aaa325f4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qeuZKTtd4X3DukR-NXxaUuUK5-4>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2020 13:29:27 -0000

--00000000000029a32c05aaa325f4
Content-Type: text/plain; charset="UTF-8"

+1

On Fri, Jul 17, 2020 at 3:57 PM Vladimir Dzhuvinov <vladimir@connect2id.com>
wrote:

> +1
>
> Vladimir
> On 15/07/2020 20:54, Dick Hardt wrote:
>
> +1
>
> On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <
> rifaat.s.ietf@gmail.com> wrote:
>
>> All,
>>
>> This is a *call for adoption* for the following *OAuth 2.1* document as
>> a WG document:
>> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>>
>> Please, provide your feedback on the mailing list by *July 29th.*
>>
>> Regards,
>>  Rifaat & Hannes
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

--00000000000029a32c05aaa325f4--


From nobody Fri Jul 17 08:38:57 2020
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E81773A0788 for <oauth@ietfa.amsl.com>; Fri, 17 Jul 2020 08:38:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level: 
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2bXCJ5c0APYC for <oauth@ietfa.amsl.com>; Fri, 17 Jul 2020 08:38:54 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A3E43A0772 for <oauth@ietf.org>; Fri, 17 Jul 2020 08:38:53 -0700 (PDT)
Received: from [192.168.1.7] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 06HFcqlc024111 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <oauth@ietf.org>; Fri, 17 Jul 2020 11:38:52 -0400
From: Justin Richer <jricher@mit.edu>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Message-Id: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu>
Date: Fri, 17 Jul 2020 11:38:52 -0400
To: oauth <oauth@ietf.org>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lYP8VhnMjDga1YZOCh1C7ssUNCo>
Subject: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2020 15:38:57 -0000

The “type” field in the RAR spec serves an important purpose: it defines
what goes in the rest of the object, including what other fields are
available and what values are allowed for those fields. It provides an
API-level definition for requesting access based on multiple dimensions,
and that’s really powerful and flexible. Each type can use any of the
general-purpose fields like “actions” and/or add its own fields as
necessary, and the “type” parameter keeps everything well-defined.

The question, then, is what defines what’s allowed to go into the “type”
field itself? And what defines how that value maps to the requirements for
the rest of the object? The draft doesn’t say anything about it at the
moment, but we should choose the direction we want to go. On the surface,
there are three main options:

1) Require all values to be registered.
2) Require all values to be collision-resistant (eg, URIs).
3) Require all values to be defined by the AS (and/or the RS’s that it
protects).

Are there any other options?

Here are my thoughts on each approach:

1) While it usually makes sense to register things for interoperability,
this is a case where I think that a registry would actually hurt
interoperability and adoption. Like a “scope” value, the RAR “type” is
ultimately up to the AS and RS to interpret in their own context. We :want:
people to define rich objects for their APIs and enable fine-grained access
for their systems, and if they have to register something every time they
come up with a new API to protect, it’s going to be an unmaintainable mess.
I genuinely don’t think this would scale, and that most developers would
just ignore the registry and do what they want anyway. And since many of
these systems are inside domains, it’s completely unenforceable in practice.

2) This seems reasonable, but it’s a bit of a nuisance to require
everything to be a URI here. It’s long and ugly, and a lot of APIs are
going to be internal to a given group, deployment, or ecosystem anyway.
This makes sense when you’ve got something reusable across many
deployments, like OIDC, but it’s overhead when what you’re doing is tied to
your environment.

3) This allows the AS and RS to define the request parameters for their
APIs just like they do today with scopes. Since it’s always the combination
of “this type :AT: this AS/RS”, name spacing is less of an issue across
systems. We haven’t seen huge problems in scope value overlap in the wild,
though it does occur from time to time it’s more than manageable. A client
isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it
can access something in particular.

And all that brings me to my proposal:

4) Require all values to be defined by the AS, and encourage specification
developers to use URIs for collision resistance.

So officially in RAR, the AS would decide what “type” means, and nobody
else. But we can also guide people who are developing general-purpose
interoperable APIs to use URIs for their RAR “type” definitions. This would
keep those interoperable APIs from stepping on each other, and from
stepping on any locally-defined special “type” structure. But at the end of
the day, the URI carries no more weight than just any other string, and the
AS decides what it means and how it applies.

My argument is that this seems to have worked very, very well for scopes,
and the RAR “type” is cut from similar descriptive cloth.

What does the rest of the group think? How should we manage the RAR “type”
values and what they mean?

 — Justin
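
An added example, not part of the original thread or of the RAR draft: the kind of AS-side check the message above implies, where each "type" string selects the fields and values the AS accepts and the lookup is an exact string match, so a URI-valued type carries no more weight than any other string. The type names, type-specific fields and allowed values are constructed for illustration.

```python
"""AS-side validation of RAR authorization_details objects, keyed on "type".

Added illustration: the type names, type-specific fields and allowed values
are constructed for this example; they are not taken from the RAR draft.
"""
import json


def _is_subset(value, allowed):
    """True for a non-empty list of strings drawn only from `allowed`."""
    return (isinstance(value, list) and len(value) > 0
            and all(isinstance(item, str) for item in value)
            and set(value) <= allowed)


# Each AS-defined type fixes which fields may appear and what they may hold.
# A bare string (local API) and a URI (meant for reuse across deployments)
# sit side by side; both are looked up as opaque strings.
TYPE_DEFINITIONS = {
    "payroll": {
        "required": {"actions"},
        "fields": {
            "actions": lambda v: _is_subset(v, {"read", "export"}),
            "department": lambda v: isinstance(v, str) and v != "",
        },
    },
    "https://schemas.example.org/rar/payment": {
        "required": {"actions", "currency"},
        "fields": {
            "actions": lambda v: _is_subset(v, {"initiate", "status"}),
            "currency": lambda v: v in {"EUR", "USD"},
            "max_amount": lambda v: (isinstance(v, int)
                                     and not isinstance(v, bool)
                                     and 0 < v <= 10_000),
        },
    },
}


def validate_detail(detail):
    """Return a list of error strings for one object; empty means accepted."""
    if not isinstance(detail, dict):
        return ["authorization detail must be a JSON object"]
    type_name = detail.get("type")
    if not isinstance(type_name, str):
        return ["missing or non-string 'type'"]
    # Exact match only: no case folding, no URI normalisation.
    definition = TYPE_DEFINITIONS.get(type_name)
    if definition is None:
        return [f"unknown type {type_name!r}"]
    errors = []
    present = set(detail) - {"type"}
    for name in sorted(definition["required"] - present):
        errors.append(f"{type_name}: missing required field {name!r}")
    for name in sorted(present):
        check = definition["fields"].get(name)
        if check is None:
            errors.append(f"{type_name}: field {name!r} is not defined for this type")
        elif not check(detail[name]):
            errors.append(f"{type_name}: value of {name!r} is not allowed")
    return errors


def validate_authorization_details(raw_json):
    """Validate a whole authorization_details array; fail closed on any error."""
    try:
        details = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return False, [f"invalid JSON: {exc.msg}"]
    if not isinstance(details, list) or not details:
        return False, ["authorization_details must be a non-empty array"]
    errors = []
    for index, detail in enumerate(details):
        errors += [f"[{index}] {err}" for err in validate_detail(detail)]
    return not errors, errors


# Constructed sample requests.
SAMPLE_ACCEPTED = json.dumps([
    {"type": "payroll", "actions": ["read"], "department": "emea"},
    {"type": "https://schemas.example.org/rar/payment",
     "actions": ["initiate"], "currency": "EUR", "max_amount": 250},
])
SAMPLE_REJECTED = json.dumps([
    # "currency" belongs to the payment type, not to "payroll".
    {"type": "payroll", "actions": ["read"], "currency": "EUR"},
    # Differs from the defined URI in case and trailing slash: unknown type.
    {"type": "HTTPS://schemas.example.org/rar/payment/",
     "actions": ["initiate"], "currency": "EUR"},
    # "delete" is not an action this type allows.
    {"type": "payroll", "actions": ["delete"]},
])

if __name__ == "__main__":
    for label, sample in (("accepted", SAMPLE_ACCEPTED), ("rejected", SAMPLE_REJECTED)):
        ok, errs = validate_authorization_details(sample)
        print(label, ok)
        for err in errs:
            print("  ", err)
```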


From nobody Fri Jul 17 10:26:01 2020
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3CB93A092E for <oauth@ietfa.amsl.com>; Fri, 17 Jul 2020 10:25:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eBC0BCd9g6M5 for <oauth@ietfa.amsl.com>; Fri, 17 Jul 2020 10:25:58 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B01AB3A08EB for <oauth@ietf.org>; Fri, 17 Jul 2020 10:25:57 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id k15so6501078lfc.4 for <oauth@ietf.org>; Fri, 17 Jul 2020 10:25:57 -0700 (PDT)
X-Received: by 2002:a19:64c:: with SMTP id 73mr5213780lfg.0.1595006755568; Fri, 17 Jul 2020 10:25:55 -0700 (PDT)
MIME-Version: 1.0
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu>
In-Reply-To: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 17 Jul 2020 10:25:19 -0700
Message-ID: <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000147fce05aaa67332"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vJNZVIkc5QW6wlknNb5Zl1iyCoY>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2020 17:26:00 -0000

--000000000000147fce05aaa67332
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hey Justin, glad to see that you have aligned with the latest XAuth draft
on a type property being required.

I like the idea that the value of the type property is fully defined by the
AS, which could delegate it to a common URI for reuse. This gets GNAP out
of specifying access requests, and enables other parties to define access
without any required coordination with IETF or IANA.

A complication in mixing plain strings and URIs is the canonicalization. A
plain string can be a fixed byte representation, but a URI requires
canonicalization for comparison. Mixing the two requires URI detection at
the AS before canonicalization, and an AS MUST do canonicalization of URIs.

The URI is retrievable, it can provide machine and/or human readable
documentation in JSON schema or some such, or any other content type. Once
again, the details are out of scope of GNAP, but we can provide examples to
guide implementers.

Are you still thinking that bare strings are allowed in GNAP, and are
defined by the AS?



On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:

> The “type” field in the RAR spec serves an important purpose: it defines
> what goes in the rest of the object, including what other fields are
> available and what values are allowed for those fields. It provides an
> API-level definition for requesting access based on multiple dimensions,
> and that’s really powerful and flexible. Each type can use any of the
> general-purpose fields like “actions” and/or add its own fields as
> necessary, and the “type” parameter keeps everything well-defined.
>
> The question, then, is what defines what’s allowed to go into the “type”
> field itself? And what defines how that value maps to the requirements for
> the rest of the object? The draft doesn’t say anything about it at the
> moment, but we should choose the direction we want to go. On the surface,
> there are three main options:
>
> 1) Require all values to be registered.
> 2) Require all values to be collision-resistant (eg, URIs).
> 3) Require all values to be defined by the AS (and/or the RS’s that it
> protects).
>
> Are there any other options?
>
> Here are my thoughts on each approach:
>
> 1) While it usually makes sense to register things for interoperability,
> this is a case where I think that a registry would actually hurt
> interoperability and adoption. Like a “scope” value, the RAR “type” is
> ultimately up to the AS and RS to interpret in their own context. We :want:
> people to define rich objects for their APIs and enable fine-grained access
> for their systems, and if they have to register something every time they
> come up with a new API to protect, it’s going to be an unmaintainable mess.
> I genuinely don’t think this would scale, and that most developers would
> just ignore the registry and do what they want anyway. And since many of
> these systems are inside domains, it’s completely unenforceable in practice.
>
> 2) This seems reasonable, but it’s a bit of a nuisance to require
> everything to be a URI here. It’s long and ugly, and a lot of APIs are
> going to be internal to a given group, deployment, or ecosystem anyway.
> This makes sense when you’ve got something reusable across many
> deployments, like OIDC, but it’s overhead when what you’re doing is tied to
> your environment.
>
> 3) This allows the AS and RS to define the request parameters for their
> APIs just like they do today with scopes. Since it’s always the combination
> of “this type :AT: this AS/RS”, name spacing is less of an issue across
> systems. We haven’t seen huge problems in scope value overlap in the wild,
> though it does occur from time to time it’s more than manageable. A client
> isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it
> can access something in particular.
>
> And all that brings me to my proposal:
>
> 4) Require all values to be defined by the AS, and encourage specification
> developers to use URIs for collision resistance.
>
> So officially in RAR, the AS would decide what “type” means, and nobody
> else. But we can also guide people who are developing general-purpose
> interoperable APIs to use URIs for their RAR “type” definitions. This would
> keep those interoperable APIs from stepping on each other, and from
> stepping on any locally-defined special “type” structure. But at the end of
> the day, the URI carries no more weight than just any other string, and the
> AS decides what it means and how it applies.
>
> My argument is that this seems to have worked very, very well for scopes,
> and the RAR “type” is cut from similar descriptive cloth.
>
> What does the rest of the group think? How should we manage the RAR “type”
> values and what they mean?
>
>  — Justin

--000000000000147fce05aaa67332--
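
The complication raised in the message above, that mixing bare strings and URIs means detecting URIs and canonicalizing them before comparison, shows up when both comparison rules are run over the same request. This is an added example, not code from the thread or from any draft; the registry contents, the `api.example.com` URI and every function name are assumptions, and the canonicalization is only a subset of RFC 3986 section 6.2.2.

```python
"""Exact-match versus canonicalizing lookup of a RAR "type" value."""
import json
import re
from urllib.parse import urlsplit

# Constructed registry for a hypothetical AS: each defined type string maps
# to the fields that type allows besides "type" itself.
TYPE_FIELDS = {
    "payment": {"actions", "amount"},
    "caf\u00e9-orders": {"actions"},  # precomposed U+00E9
    "https://api.example.com/rar/photo-api": {"actions", "locations"},
}

_DEFAULT_PORT = {"http": 80, "https": 443}
_UNRESERVED = re.compile(r"[A-Za-z0-9._~-]")


def canonicalize_if_uri(value):
    """URI detection, then a subset of RFC 3986 section 6.2.2 normalization:
    scheme/host case, default port, percent-encoded unreserved characters.
    Userinfo and fragment are dropped. Bare strings come back unchanged."""
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:
        return value
    if not parts.scheme or not parts.netloc:
        return value  # not URI-shaped: treat as an opaque string
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if port is not None and port != _DEFAULT_PORT.get(scheme):
        host = f"{host}:{port}"

    def decode(match):
        ch = chr(int(match.group(1), 16))
        return ch if _UNRESERVED.fullmatch(ch) else match.group(0).upper()

    path = re.sub(r"%([0-9A-Fa-f]{2})", decode, parts.path or "/")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{path}{query}"


def resolve_type(value, canonicalize):
    """Return the registered type string that `value` selects, or None."""
    if not isinstance(value, str):
        return None
    if not canonicalize:
        # Code point for code point, which is byte for byte in UTF-8.
        return value if value in TYPE_FIELDS else None
    wanted = canonicalize_if_uri(value)
    for registered in TYPE_FIELDS:
        if canonicalize_if_uri(registered) == wanted:
            return registered
    return None


def check_details(raw_json, canonicalize=False):
    """Validate a JSON authorization_details array; return (type, verdict) pairs."""
    results = []
    for obj in json.loads(raw_json):
        type_value = obj.get("type") if isinstance(obj, dict) else None
        registered = resolve_type(type_value, canonicalize)
        if registered is None:
            results.append((type_value, "reject: unknown type"))
            continue
        # The matched type decides which other fields the object may carry.
        extra = set(obj) - {"type"} - TYPE_FIELDS[registered]
        verdict = f"reject: fields {sorted(extra)}" if extra else "accept"
        results.append((type_value, verdict))
    return results


def disagreements(raw_json):
    """Type values that an exact-match party and a canonicalizing party judge differently."""
    exact = check_details(raw_json, canonicalize=False)
    canon = check_details(raw_json, canonicalize=True)
    return [t for (t, a), (_, b) in zip(exact, canon) if a != b]


# Constructed request: the registered definitions spelled several ways.
SAMPLE = json.dumps([
    {"type": "payment", "actions": ["initiate"], "amount": "10.00"},
    {"type": "Payment", "actions": ["initiate"]},
    {"type": "https://api.example.com/rar/photo-api", "actions": ["read"]},
    {"type": "HTTPS://API.EXAMPLE.COM:443/rar/photo%2Dapi", "actions": ["read"]},
    {"type": "https://api.example.com/rar/photo-api", "scope": "admin"},
    {"type": "cafe\u0301-orders", "actions": ["read"]},  # decomposed e + U+0301
])

if __name__ == "__main__":
    for mode in (False, True):
        print("canonicalize =", mode)
        for type_value, verdict in check_details(SAMPLE, canonicalize=mode):
            print("  ", repr(type_value), "->", verdict)
    print("parties disagree on:", disagreements(SAMPLE))
```

Any value returned by `disagreements` is one that an AS and an RS would treat differently if only one of them canonicalizes, so whichever rule is chosen has to be applied identically at every party that interprets the type.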


From nobody Fri Jul 17 11:13:55 2020
To: oauth@ietf.org
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <4ea6f9af-d67f-97df-6bae-752cf34f920c@connect2id.com>
Date: Fri, 17 Jul 2020 20:13:48 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms000705010307040309010109"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0xuYXJkTmbcGEi1v7m-LWtMLpBY>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-List-Received-Date: Fri, 17 Jul 2020 18:13:54 -0000

This is a cryptographically signed message in MIME format.

--------------ms000705010307040309010109
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US


On 17/07/2020 17:38, Justin Richer wrote:
> And all that brings me to my proposal:
>
> 4) Require all values to be defined by the AS, and encourage specification
> developers to use URIs for collision resistance.
>
> So officially in RAR, the AS would decide what “type” means, and nobody
> else. But we can also guide people who are developing general-purpose
> interoperable APIs to use URIs for their RAR “type” definitions. This would
> keep those interoperable APIs from stepping on each other, and from
> stepping on any locally-defined special “type” structure. But at the end of
> the day, the URI carries no more weight than just any other string, and the
> AS decides what it means and how it applies.

Define, but not publish in AS metadata?


> My argument is that this seems to have worked very, very well for scopes,
> and the RAR “type” is cut from similar descriptive cloth.

I would argue that it didn't work so well for scopes - the OAuth
Resource Indicators spec is a testament to that.

But one could also argue that scopes were not defined along the lines of
your proposal for "type" in RAR. In fact, RFC 6749 has no mention of
collision resistance or name spacing for scope values.


Vladimir



--------------ms000705010307040309010109--


From nobody Sat Jul 18 08:10:24 2020
From: Justin Richer <jricher@mit.edu>
Message-Id: <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_23944AA7-2478-411B-A994-4663083F68C7"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Sat, 18 Jul 2020 11:10:18 -0400
In-Reply-To: <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Dick Hardt <dick.hardt@gmail.com>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BVqgs_Ustx67IjnH7tQmCosC5eM>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-List-Received-Date: Sat, 18 Jul 2020 15:10:24 -0000

--Apple-Mail=_23944AA7-2478-411B-A994-4663083F68C7
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi Dick,

This is a discussion about the RAR specification on the OAuth list, and
therefore doesn’t have anything to do with alignment with XAuth. In fact,
I believe the alignment is the other way around, as doesn’t Xauth
normatively reference RAR at this point? Even though, last I saw, it uses
a different top-level structure for conveying things, I believe it does
say to use the internal object structures. I am also a co-author on RAR
and we had already defined a “type” field in RAR quite some time ago. You
did notice that XYZ’s latest draft added this field to keep the two in
alignment with each other, which has always been the goal since the
initial proposal of the RAR work, but that’s a time lag and not a display
of new intent.

In any event, even though I think the decision has bearing in both
places, this isn’t about GNAP. Working on RAR’s requirements has brought
up this interesting issue of what should be in the type field for RAR in
OAuth 2.

I think that it should be defined as a string, and therefore compared as
a byte value in all cases, regardless of what the content of the string
is. I don’t think the AS should be expected to fetch a URI for anything.
I don’t think the AS should normalize any of the inputs. I think that any
JSON-friendly character set should be allowed (including spaces and
unicodes), and since RAR already requires the JSON objects to be
form-encoded, this shouldn’t cause additional trouble when adding them in
to OAuth 2’s request structures.

The idea of using a URI would be to get people out of each other’s
namespaces. It’s similar to the concept of “public” vs “private” claims
in JWT:

https://tools.ietf.org/html/rfc7519#section-4.2

What I’m proposing is that if you think it’s going to be a
general-purpose type name, then we recommend you use a URI as your
string. And beyond that, that’s it. It’s up to the AS to figure out what
to do with it, and RAR stays out of it.

 — Justin

> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> Hey Justin, glad to see that you have aligned with the latest XAuth
> draft on a type property being required.
>
> I like the idea that the value of the type property is fully defined by
> the AS, which could delegate it to a common URI for reuse. This gets
> GNAP out of specifying access requests, and enables other parties to
> define access without any required coordination with IETF or IANA.
>
> A complication in mixing plain strings and URIs is the
> canonicalization. A plain string can be a fixed byte representation, but
> a URI requires canonicalization for comparison. Mixing the two requires
> URI detection at the AS before canonicalization, and an AS MUST do
> canonicalization of URIs.
>
> The URI is retrievable, it can provide machine and/or human readable
> documentation in JSON schema or some such, or any other content type.
> Once again, the details are out of scope of GNAP, but we can provide
> examples to guide implementers.
>
> Are you still thinking that bare strings are allowed in GNAP, and are
> defined by the AS?
>
>
>
> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
> The “type” field in the RAR spec serves an important purpose: it defines
> what goes in the rest of the object, including what other fields are
> available and what values are allowed for those fields. It provides an
> API-level definition for requesting access based on multiple dimensions,
> and that’s really powerful and flexible. Each type can use any of the
> general-purpose fields like “actions” and/or add its own fields as
> necessary, and the “type” parameter keeps everything well-defined.
>
> The question, then, is what defines what’s allowed to go into the “type”
> field itself? And what defines how that value maps to the requirements
> for the rest of the object? The draft doesn’t say anything about it at
> the moment, but we should choose the direction we want to go. On the
> surface, there are three main options:
>
> 1) Require all values to be registered.
> 2) Require all values to be collision-resistant (eg, URIs).
> 3) Require all values to be defined by the AS (and/or the RS’s that it
> protects).
>
> Are there any other options?
>
> Here are my thoughts on each approach:
>
> 1) While it usually makes sense to register things for interoperability,
> this is a case where I think that a registry would actually hurt
> interoperability and adoption. Like a “scope” value, the RAR “type” is
> ultimately up to the AS and RS to interpret in their own context. We
> :want: people to define rich objects for their APIs and enable
> fine-grained access for their systems, and if they have to register
> something every time they come up with a new API to protect, it’s going
> to be an unmaintainable mess. I genuinely don’t think this would scale,
> and that most developers would just ignore the registry and do what they
> want anyway. And since many of these systems are inside domains, it’s
> completely unenforceable in practice.
>
> 2) This seems reasonable, but it’s a bit of a nuisance to require
> everything to be a URI here. It’s long and ugly, and a lot of APIs are
> going to be internal to a given group, deployment, or ecosystem anyway.
> This makes sense when you’ve got something reusable across many
> deployments, like OIDC, but it’s overhead when what you’re doing is tied
> to your environment.
>
> 3) This allows the AS and RS to define the request parameters for their
> APIs just like they do today with scopes. Since it’s always the
> combination of “this type :AT: this AS/RS”, name spacing is less of an
> issue across systems. We haven’t seen huge problems in scope value
> overlap in the wild, though it does occur from time to time it’s more
> than manageable. A client isn’t going to just “speak RAR”, it’s going to
> be speaking RAR so that it can access something in particular.
>
> And all that brings me to my proposal:
>
> 4) Require all values to be defined by the AS, and encourage
> specification developers to use URIs for collision resistance.
>
> So officially in RAR, the AS would decide what “type” means, and nobody
> else. But we can also guide people who are developing general-purpose
> interoperable APIs to use URIs for their RAR “type” definitions. This
> would keep those interoperable APIs from stepping on each other, and
> from stepping on any locally-defined special “type” structure. But at
> the end of the day, the URI carries no more weight than just any other
> string, and the AS decides what it means and how it applies.
>
> My argument is that this seems to have worked very, very well for
> scopes, and the RAR “type” is cut from similar descriptive cloth.
>
> What does the rest of the group think? How should we manage the RAR
> “type” values and what they mean?
>
>  — Justin


--Apple-Mail=_23944AA7-2478-411B-A994-4663083F68C7
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D"">Hi =
Dick,<div class=3D""><br class=3D""></div><div class=3D"">This is a =
discussion about the RAR specification on the OAuth list, and therefore =
doesn=E2=80=99t have anything to do with alignment with XAuth. In fact, =
I believe the alignment is the other way around, as doesn=E2=80=99t =
Xauth normatively reference RAR at this point? Even though, last I saw, =
it uses a different top-level structure for conveying things, I believe =
it does say to use the internal object structures. I am also a co-author =
on RAR and we had already defined a =E2=80=9Ctype=E2=80=9D field in RAR =
quite some time ago. You did notice that XYZ=E2=80=99s latest draft =
added this field to keep the two in alignment with each other, which has =
always been the goal since the initial proposal of the RAR work, but =
that=E2=80=99s a time lag and not a display of new =
intent.&nbsp;</div><div class=3D""><br class=3D""></div><div class=3D"">In=
 any event, even though I think the decision has bearing in both places, =
this isn=E2=80=99t about GNAP. Working on RAR=E2=80=99s requirements has =
brought up this interesting issue of what should be in the type field =
for RAR in OAuth 2.</div><div class=3D""><br class=3D""></div><div =
class=3D"">I think that it should be defined as a string, and therefore =
compared as a byte value in all cases, regardless of what the content of =
the string is. I don=E2=80=99t think the AS should be expected to fetch =
a URI for anything. I don=E2=80=99t think the AS should normalize any of =
the inputs. I think that any JSON-friendly character set should be =
allowed (including spaces and unicodes), and since RAR already requires =
the JSON objects to be form-encoded, this shouldn=E2=80=99t cause =
additional trouble when adding them in to OAuth 2=E2=80=99s request =
structures.</div><div class=3D""><br class=3D""></div><div class=3D"">The =
idea of using a URI would be to get people out of each other=E2=80=99s =
namespaces. It=E2=80=99s similar to the concept of =E2=80=9Cpublic=E2=80=9D=
 vs =E2=80=9Cprivate=E2=80=9D claims in JWT:</div><div class=3D""><br =
class=3D""></div><div class=3D""><a =
href=3D"https://tools.ietf.org/html/rfc7519#section-4.2" =
class=3D"">https://tools.ietf.org/html/rfc7519#section-4.2</a></div><div =
class=3D""><br class=3D""></div><div class=3D"">What I=E2=80=99m =
proposing is that if you think it=E2=80=99s going to be a =
general-purpose type name, then we recommend you use a URI as your =
string. And beyond that, that=E2=80=99s it. It=E2=80=99s up to the AS to =
figure out what to do with it, and RAR stays out of it.</div><div =
class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 =
Justin<br class=3D""><div><br class=3D""><blockquote type=3D"cite" =
class=3D""><div class=3D"">On Jul 17, 2020, at 1:25 PM, Dick Hardt =
&lt;<a href=3D"mailto:dick.hardt@gmail.com" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><meta =
http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8" =
class=3D""><div dir=3D"ltr" class=3D"">Hey Justin, glad to see that you =
have aligned with the latest XAuth draft on a type property being =
required.<br class=3D""><div class=3D""><br class=3D""></div><div =
class=3D"">I like the idea that the value of the type property is fully =
defined by the AS, which could delegate it to a common URI for reuse. =
This gets GNAP out of specifying access requests, and enables other =
parties to define access without any required coordination with IETF or =
IANA.</div><div class=3D""><br class=3D""></div><div class=3D"">A =
complication in mixing plain strings and URIs is the canonicalization. A =
plain string can be a fixed byte&nbsp;representation, but a URI requires =
canonicalization for comparison. Mixing the two requires&nbsp;URI =
detection at the AS before canonicalization, and an AS MUST do =
canonicalization of URIs.</div><div class=3D""><br class=3D""></div><div =
class=3D"">The URI is retrievable, it can provide machine and/or human =
readable documentation in JSON schema or some such, or any other content =
type. Once again, the details are out of scope&nbsp;of GNAP, but we can =
provide examples to guide implementers.</div><div class=3D""><br =
class=3D""></div><div class=3D"">Are you still thinking that bare =
strings are allowed in GNAP, and&nbsp;are defined by the AS?</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div><br class=3D""><div class=3D"gmail_quote"><div =
dir=3D"ltr" class=3D"gmail_attr">On Fri, Jul 17, 2020 at 8:39 AM Justin =
Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">The =E2=80=9Ctype=E2=80=9D =
field in the RAR spec serves an important purpose: it defines what goes =
in the rest of the object, including what other fields are available and =
what values are allowed for those fields. It provides an API-level =
definition for requesting access based on multiple dimensions, and =
that=E2=80=99s really powerful and flexible. Each type can use any of =
the general-purpose fields like =E2=80=9Cactions=E2=80=9D and/or add its =
own fields as necessary, and the “type” parameter keeps everything
well-defined.<br class="">
<br class="">
The question, then, is what defines what’s allowed to go into the “type”
field itself? And what defines how that value maps to the requirements for
the rest of the object? The draft doesn’t say anything about it at the
moment, but we should choose the direction we want to go. On the surface,
there are three main options:<br class="">
<br class="">
1) Require all values to be registered. <br class="">
2) Require all values to be collision-resistant (eg, URIs).<br class="">
3) Require all values to be defined by the AS (and/or the RS’s that it
protects).<br class="">
<br class="">
Are there any other options?<br class="">
<br class="">
Here are my thoughts on each approach:<br class="">
<br class="">
1) While it usually makes sense to register things for interoperability,
this is a case where I think that a registry would actually hurt
interoperability and adoption. Like a “scope” value, the RAR “type” is
ultimately up to the AS and RS to interpret in their own context. We :want:
people to define rich objects for their APIs and enable fine-grained access
for their systems, and if they have to register something every time they
come up with a new API to protect, it’s going to be an unmaintainable mess.
I genuinely don’t think this would scale, and that most developers would
just ignore the registry and do what they want anyway. And since many of
these systems are inside domains, it’s completely unenforceable in
practice.<br class="">
<br class="">
2) This seems reasonable, but it’s a bit of a nuisance to require
everything to be a URI here. It’s long and ugly, and a lot of APIs are
going to be internal to a given group, deployment, or ecosystem anyway.
This makes sense when you’ve got something reusable across many
deployments, like OIDC, but it’s overhead when what you’re doing is tied to
your environment.<br class="">
<br class="">
3) This allows the AS and RS to define the request parameters for their
APIs just like they do today with scopes. Since it’s always the combination
of “this type :AT: this AS/RS”, name spacing is less of an issue across
systems. We haven’t seen huge problems in scope value overlap in the wild,
though it does occur from time to time it’s more than manageable. A client
isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it
can access something in particular.<br class="">
<br class="">
And all that brings me to my proposal: <br class="">
<br class="">
4) Require all values to be defined by the AS, and encourage specification
developers to use URIs for collision resistance.<br class="">
<br class="">
So officially in RAR, the AS would decide what “type” means, and nobody
else. But we can also guide people who are developing general-purpose
interoperable APIs to use URIs for their RAR “type” definitions. This would
keep those interoperable APIs from stepping on each other, and from
stepping on any locally-defined special “type” structure. But at the end of
the day, the URI carries no more weight than just any other string, and the
AS decides what it means and how it applies.<br class="">
<br class="">
My argument is that this seems to have worked very, very well for scopes,
and the RAR “type” is cut from similar descriptive cloth.<br class="">
<br class="">
What does the rest of the group think? How should we manage the RAR “type”
values and what they mean?<br class="">
<br class="">
&nbsp;— Justin<br class="">
</blockquote></div>
</div></blockquote></div><br class=""></div></body></html>

--Apple-Mail=_23944AA7-2478-411B-A994-4663083F68C7--


From nobody Sat Jul 18 08:13:04 2020
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <4ea6f9af-d67f-97df-6bae-752cf34f920c@connect2id.com>
Date: Sat, 18 Jul 2020 11:12:57 -0400
Cc: oauth@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <4ea6f9af-d67f-97df-6bae-752cf34f920c@connect2id.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xFUVqAyjwe2bwNEx7r0i9_MOXyM>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

I think publishing supported “type” parameters isn’t a bad idea, and it
aligns with publishing supported scopes and claims in discovery.

I have always seen the resource indicators work as providing a more
specific dimension to the requests that scopes didn’t allow to be
described very well, pointing at a specific RS instead of just “some kind
of access”, so I’m not sure how they’re a testament to name spacing issues
with scopes. Can you help me understand here?

I do think that if nothing else we can give better guidance in RAR as to
what the “type” field is. I do think it should still just be a string, but
we can help people make better decisions about what to put in that string.

 — Justin

> On Jul 17, 2020, at 2:13 PM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>
>
> On 17/07/2020 17:38, Justin Richer wrote:
>> And all that brings me to my proposal:
>>
>> 4) Require all values to be defined by the AS, and encourage
>> specification developers to use URIs for collision resistance.
>>
>> So officially in RAR, the AS would decide what “type” means, and nobody
>> else. But we can also guide people who are developing general-purpose
>> interoperable APIs to use URIs for their RAR “type” definitions. This
>> would keep those interoperable APIs from stepping on each other, and from
>> stepping on any locally-defined special “type” structure. But at the end
>> of the day, the URI carries no more weight than just any other string,
>> and the AS decides what it means and how it applies.
>
> Define, but not publish in AS metadata?
>
>
>> My argument is that this seems to have worked very, very well for
>> scopes, and the RAR “type” is cut from similar descriptive cloth.
>
> I would argue that it didn't work so well for scopes - the OAuth
> Resource Indicators spec is a testament to that.
>
> But one could also argue that scopes were not defined along the lines of
> your proposal for "type" in RAR. In fact, RFC 6749 has no mention of
> collision resistance or name spacing for scope values.
>
>
> Vladimir


From nobody Sat Jul 18 17:59:08 2020
MIME-Version: 1.0
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu>
In-Reply-To: <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Sat, 18 Jul 2020 17:58:23 -0700
Message-ID: <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002d6d1205aac0e556"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3EivoyO1qQ0khTXdOPMk8aoz2Go>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

--0000000000002d6d1205aac0e556
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Justin: thanks for kindly pointing out which mail list this is.

To clarify, public JWT claims are not just URIs, but any
collision-resistant namespace:
"Examples of collision-resistant namespaces include: Domain Names, Object
Identifiers (OIDs) as defined in the ITU-T X.660 and X.670
Recommendation series, and Universally Unique IDentifiers (UUIDs)
[RFC4122]."

I think letting the "type" be any JSON string and doing a byte-wise
comparison will be problematic. A client developer will be reading
documentation to learn what the types are, and typing it in. Given the wide
set of whitespace characters, and Unicode equivalence, different byte
streams will all look the same, and a byte-wise comparison will fail.

Similarly for URIs. If it is a valid URI, then a byte-wise comparison is
not sufficient. Canonicalization is required.

These are not showstopper issues, but the specification should call out how
type strings are compared, and provide caveats to an AS developer.

I have no idea why you would think the AS would retrieve a URL.

Since the type represents a much more complex object than a JWT claim, a
client developer's tooling could pull down the JSON Schema (or some such)
for a type used in their source code, and provide autocompletion and
validation which would improve productivity and reduce errors. An AS that
is using a defined type could use the schema for input validation. Neither
of these would be at run time. JSON Schema allows comments and examples.

What is the harm in non-normative language around a retrievable URI?

BTW: the example in
https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has not
been updated with the "type" field.



On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:

> Hi Dick,
>
> This is a discussion about the RAR specification on the OAuth list, and
> therefore doesn’t have anything to do with alignment with XAuth. In fact, I
> believe the alignment is the other way around, as doesn’t Xauth normatively
> reference RAR at this point? Even though, last I saw, it uses a different
> top-level structure for conveying things, I believe it does say to use the
> internal object structures. I am also a co-author on RAR and we had already
> defined a “type” field in RAR quite some time ago. You did notice that
> XYZ’s latest draft added this field to keep the two in alignment with each
> other, which has always been the goal since the initial proposal of the RAR
> work, but that’s a time lag and not a display of new intent.
>
> In any event, even though I think the decision has bearing in both places,
> this isn’t about GNAP. Working on RAR’s requirements has brought up this
> interesting issue of what should be in the type field for RAR in OAuth 2.
>
> I think that it should be defined as a string, and therefore compared as a
> byte value in all cases, regardless of what the content of the string is. I
> don’t think the AS should be expected to fetch a URI for anything. I don’t
> think the AS should normalize any of the inputs. I think that any
> JSON-friendly character set should be allowed (including spaces and
> unicodes), and since RAR already requires the JSON objects to be
> form-encoded, this shouldn’t cause additional trouble when adding them in
> to OAuth 2’s request structures.
>
> The idea of using a URI would be to get people out of each other’s
> namespaces. It’s similar to the concept of “public” vs “private” claims in
> JWT:
>
> https://tools.ietf.org/html/rfc7519#section-4.2
>
> What I’m proposing is that if you think it’s going to be a general-purpose
> type name, then we recommend you use a URI as your string. And beyond that,
> that’s it. It’s up to the AS to figure out what to do with it, and RAR
> stays out of it.
>
>  — Justin
>
> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> Hey Justin, glad to see that you have aligned with the latest XAuth draft
> on a type property being required.
>
> I like the idea that the value of the type property is fully defined by
> the AS, which could delegate it to a common URI for reuse. This gets GNAP
> out of specifying access requests, and enables other parties to define
> access without any required coordination with IETF or IANA.
>
> A complication in mixing plain strings and URIs is the canonicalization. A
> plain string can be a fixed byte representation, but a URI requires
> canonicalization for comparison. Mixing the two requires URI detection at
> the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>
> The URI is retrievable, it can provide machine and/or human readable
> documentation in JSON schema or some such, or any other content type. Once
> again, the details are out of scope of GNAP, but we can provide examples to
> guide implementers.
>
> Are you still thinking that bare strings are allowed in GNAP, and are
> defined by the AS?
>
>
>
> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>
>> The “type” field in the RAR spec serves an important purpose: it defines
>> what goes in the rest of the object, including what other fields are
>> available and what values are allowed for those fields. It provides an
>> API-level definition for requesting access based on multiple dimensions,
>> and that’s really powerful and flexible. Each type can use any of the
>> general-purpose fields like “actions” and/or add its own fields as
>> necessary, and the “type” parameter keeps everything well-defined.
>>
>> The question, then, is what defines what’s allowed to go into the “type”
>> field itself? And what defines how that value maps to the requirements for
>> the rest of the object? The draft doesn’t say anything about it at the
>> moment, but we should choose the direction we want to go. On the surface,
>> there are three main options:
>>
>> 1) Require all values to be registered.
>> 2) Require all values to be collision-resistant (eg, URIs).
>> 3) Require all values to be defined by the AS (and/or the RS’s that it
>> protects).
>>
>> Are there any other options?
>>
>> Here are my thoughts on each approach:
>>
>> 1) While it usually makes sense to register things for interoperability,
>> this is a case where I think that a registry would actually hurt
>> interoperability and adoption. Like a “scope” value, the RAR “type” is
>> ultimately up to the AS and RS to interpret in their own context. We :want:
>> people to define rich objects for their APIs and enable fine-grained access
>> for their systems, and if they have to register something every time they
>> come up with a new API to protect, it’s going to be an unmaintainable mess.
>> I genuinely don’t think this would scale, and that most developers would
>> just ignore the registry and do what they want anyway. And since many of
>> these systems are inside domains, it’s completely unenforceable in practice.
>>
>> 2) This seems reasonable, but it’s a bit of a nuisance to require
>> everything to be a URI here. It’s long and ugly, and a lot of APIs are
>> going to be internal to a given group, deployment, or ecosystem anyway.
>> This makes sense when you’ve got something reusable across many
>> deployments, like OIDC, but it’s overhead when what you’re doing is tied to
>> your environment.
>>
>> 3) This allows the AS and RS to define the request parameters for their
>> APIs just like they do today with scopes. Since it’s always the combination
>> of “this type :AT: this AS/RS”, name spacing is less of an issue across
>> systems. We haven’t seen huge problems in scope value overlap in the wild,
>> though it does occur from time to time it’s more than manageable. A client
>> isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it
>> can access something in particular.
>>
>> And all that brings me to my proposal:
>>
>> 4) Require all values to be defined by the AS, and encourage
>> specification developers to use URIs for collision resistance.
>>
>> So officially in RAR, the AS would decide what “type” means, and nobody
>> else. But we can also guide people who are developing general-purpose
>> interoperable APIs to use URIs for their RAR “type” definitions. This would
>> keep those interoperable APIs from stepping on each other, and from
>> stepping on any locally-defined special “type” structure. But at the end of
>> the day, the URI carries no more weight than just any other string, and the
>> AS decides what it means and how it applies.
>>
>> My argument is that this seems to have worked very, very well for scopes,
>> and the RAR “type” is cut from similar descriptive cloth.
>>
>> What does the rest of the group think? How should we manage the RAR
>> “type” values and what they mean?
>>
>>  — Justin


--0000000000002d6d1205aac0e556--


From nobody Sun Jul 19 10:04:55 2020
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 986743A0B6E for <oauth@ietfa.amsl.com>; Sun, 19 Jul 2020 10:04:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Level: 
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MFSzHjYwIFrC for <oauth@ietfa.amsl.com>; Sun, 19 Jul 2020 10:04:52 -0700 (PDT)
Received: from p3plsmtpa12-01.prod.phx3.secureserver.net (p3plsmtpa12-01.prod.phx3.secureserver.net [68.178.252.230]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C16D3A0B6D for <oauth@ietf.org>; Sun, 19 Jul 2020 10:04:51 -0700 (PDT)
Received: from [192.168.10.64] ([81.174.4.8]) by :SMTPAUTH: with ESMTPSA id xCk5jEhgvDaCExCk6jgxL3; Sun, 19 Jul 2020 10:04:51 -0700
X-SECURESERVER-ACCT: vladimir@connect2id.com
To: Justin Richer <jricher@mit.edu>
Cc: oauth@ietf.org
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <4ea6f9af-d67f-97df-6bae-752cf34f920c@connect2id.com> <B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
X-Enigmail-Draft-Status: N11100
Organization: Connect2id Ltd.
Message-ID: <c84ca5ce-5fa0-dc8e-afaa-88f48dc6eaa8@connect2id.com>
Date: Sun, 19 Jul 2020 19:04:48 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms060504070901020404060908"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GRJcBzG5q_pwckz2Z2-7fq4mFAo>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jul 2020 17:04:54 -0000

This is a cryptographically signed message in MIME format.

--------------ms060504070901020404060908
Content-Type: multipart/alternative;
 boundary="------------2205E87AC313CB978EFA3955"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------2205E87AC313CB978EFA3955
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 18/07/2020 17:12, Justin Richer wrote:
> I think publishing supported “type” parameters isn’t a bad idea, and it aligns with publishing supported scopes and claims in discovery.

If you are a developer, would you like to be able to find out if the
authorization_details for a given "type" has a JSON schema and what it
looks like?


> I have always seen the resource indicators work as providing a more specific dimension to the requests that scopes didn’t allow to be described very well, pointing at a specific RS instead of just “some kind of access”, so I’m not sure how they’re a testament to name spacing issues with scopes. Can you help me understand here?

Putting the scopes for each RS in a unique name space, for example by
giving them a URI prefix which identifies the RS, can make the resource
indication redundant.

RS: https://some-rs.example.com/

RS scopes: read, update, delete

->

https://some-rs.example.com/read

https://some-rs.example.com/update

https://some-rs.example.com/delete

This will not work if the chosen name spacing pattern can produce
ambiguities, e.g. if https://rs.example.com/accounts and
https://rs.example.com/accounts/v1 are two different RSes.


I have witnessed situations when an AS is given some application to deal
with, with hard-wired scope values that have no name spacing, and to
prevent potential collisions with other applications, Resource
Indicators had to come to the rescue.

I also remember one case with an application having a scope name which
is also used for the OIDC userinfo endpoint.


> I do think that if nothing else we can give better guidance in RAR as to what the “type” field is.

+1


> I do think it should still just be a string, but we can help people make better decisions about what to put in that string.

I'm still on the fence with that but I do see your argument.


Vladimir


>
>  — Justin
>
>> On Jul 17, 2020, at 2:13 PM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>
>>
>> On 17/07/2020 17:38, Justin Richer wrote:
>>> And all that brings me to my proposal:
>>>
>>> 4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.
>>>
>>> So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.
>> Define, but not publish in AS metadata?
>>
>>
>>> My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.
>> I would argue that it didn't work so well for scopes - the OAuth
>> Resource Indicators spec is a testament to that.
>>
>> But one could also argue that scopes were not defined along the lines of
>> your proposal for "type" in RAR. In fact, RFC 6749 has no mention of
>> collision resistance or name spacing for scope values.
>>
>>
>> Vladimir
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

-- 
Vladimir Dzhuvinov

--------------2205E87AC313CB978EFA3955--

--------------ms060504070901020404060908--
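The message above proposes giving each RS's scopes a URI prefix and warns that this fails when one RS identifier is nested under another. The following Python is an added example, not part of the original message or of any OAuth specification: the function names and the prefix-matching rule are assumptions made for illustration, and the RS identifiers are the ones quoted in the message.

```python
"""URI-prefixed scope values and the ambiguity check the scheme needs.

Assumption (not from any spec): an RS's scope namespace is its identifier
with one trailing slash, and a scope value belongs to an RS when it starts
with that namespace.
"""

# RS identifiers taken from the message; treating them as the resource
# servers registered at a single AS is a constructed scenario.
RS_LIST = [
    "https://some-rs.example.com/",
    "https://rs.example.com/accounts",
    "https://rs.example.com/accounts/v1",
]


def rs_prefix(rs_uri):
    """Namespace prefix for an RS: its identifier with exactly one trailing '/'."""
    return rs_uri.rstrip("/") + "/"


def namespaced_scope(rs_uri, local_scope):
    """Turn an RS-local scope such as 'read' into a globally unique value."""
    return rs_prefix(rs_uri) + local_scope


def candidates(scope_value, rs_uris):
    """Every (RS, local scope) reading that prefix matching allows."""
    found = []
    for rs in rs_uris:
        prefix = rs_prefix(rs)
        if scope_value.startswith(prefix) and len(scope_value) > len(prefix):
            found.append((rs, scope_value[len(prefix):]))
    return found


def overlapping_rs(rs_uris):
    """Pairs of namespaces where one is nested inside the other.

    An AS can run this when an RS is registered and either refuse the
    registration or require an explicit resource indicator for that pair.
    """
    prefixes = sorted(rs_prefix(rs) for rs in rs_uris)
    pairs = []
    for i, outer in enumerate(prefixes):
        for inner in prefixes[i + 1:]:
            if inner.startswith(outer):
                pairs.append((outer, inner))
    return pairs


def resolve(scope_value, rs_uris):
    """Return the single (RS, local scope) for a value, or fail closed."""
    found = candidates(scope_value, rs_uris)
    if len(found) != 1:
        raise ValueError(
            "%r matches %d resource servers" % (scope_value, len(found))
        )
    return found[0]


if __name__ == "__main__":
    # The unambiguous case from the message: read, update, delete.
    for local in ("read", "update", "delete"):
        value = namespaced_scope(RS_LIST[0], local)
        print(value, "->", resolve(value, RS_LIST))

    # The nested case: one value, two possible owners.
    ambiguous = namespaced_scope("https://rs.example.com/accounts/v1", "read")
    print(ambiguous, "->", candidates(ambiguous, RS_LIST))
    print("nested namespaces:", overlapping_rs(RS_LIST))
```
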


From nobody Sun Jul 19 11:54:56 2020
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F420F3A0943 for <oauth@ietfa.amsl.com>; Sun, 19 Jul 2020 11:54:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bNgT6S5QWS10 for <oauth@ietfa.amsl.com>; Sun, 19 Jul 2020 11:54:53 -0700 (PDT)
Received: from p3plsmtpa12-05.prod.phx3.secureserver.net (p3plsmtpa12-05.prod.phx3.secureserver.net [68.178.252.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 292CB3A093C for <oauth@ietf.org>; Sun, 19 Jul 2020 11:54:53 -0700 (PDT)
Received: from [192.168.10.64] ([81.174.4.8]) by :SMTPAUTH: with ESMTPSA id xESYjj4lV1H41xESZjwHjz; Sun, 19 Jul 2020 11:54:51 -0700
X-SECURESERVER-ACCT: vladimir@connect2id.com
To: oauth@ietf.org
References: <159440889543.18992.875170114115905147@ietfa.amsl.com> <CA+k3eCQzkFo_NPsRp+vb05YyDsuPzQNH-0Ldm26uvwtCRfgvSA@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
X-Enigmail-Draft-Status: N11100
Organization: Connect2id Ltd.
Message-ID: <67e8c6aa-4077-cdae-f6a2-0fc3f3aa82ac@connect2id.com>
Date: Sun, 19 Jul 2020 20:54:49 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CA+k3eCQzkFo_NPsRp+vb05YyDsuPzQNH-0Ldm26uvwtCRfgvSA@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms000504090603080909030002"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Vz0LvDWlVJ3Z_md8fTdJ9SBE8aA>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-par-02.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jul 2020 18:54:55 -0000

This is a cryptographically signed message in MIME format.

--------------ms000504090603080909030002
Content-Type: multipart/alternative;
 boundary="------------930C4CD511590D5937392620"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------930C4CD511590D5937392620
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Thanks for the update. With the "require PAR" AS and client metadata the
spec is now "policy complete". I can't think of what else there is to add.


I have two comments about -02:


https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2

I didn't see a mention of https / TLS being required for the PAR
endpoint. The reader could assume http is fine.


https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2.2

>    Since the request URI can be replayed, its lifetime SHOULD be short
>    and preferably limited to one-time use.
The SHOULD is ambiguous here - does it apply to the lifetime only, or to
the lifetime and the single use?


Vladimir


On 10/07/2020 21:36, Brian Campbell wrote:
> WG,
>
> A new -02 draft of "OAuth 2.0 Pushed Authorization Requests" has been
> published. A summary of the changes, taken from the document history,
> is included below for ease of reference.
>
>    -02
>
>    *  Update Resource Indicators reference to the somewhat recently
>       published RFC 8707 <https://datatracker.ietf.org/doc/html/rfc8707>
>
>    *  Added metadata in support of pushed authorization requests only
>       feature
>
>    *  Update to comply with draft-ietf-oauth-jwsreq-21 <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-21>, which requires
>       "client_id" in the authorization request in addition to the
>       "request_uri"
>
>    *  Clarified timing of request validation
>
>    *  Add some guidance/options on the request URI structure
>
>    *  Add the key used in the request object example so that a reader
>       could validate or recreate the request object signature
>
>    *  Update to draft-ietf-oauth-jwsreq-25 <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-25> and added note regarding
>       "require_signed_request_object"
>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>>
> Date: Fri, Jul 10, 2020 at 1:21 PM
> Subject: New Version Notification for draft-ietf-oauth-par-02.txt
> To: Filip Skokan <panva.ip@gmail.com <mailto:panva.ip@gmail.com>>,
> Torsten Lodderstedt <torsten@lodderstedt.net
> <mailto:torsten@lodderstedt.net>>, Brian Campbell
> <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>>, Dave
> Tonge <dave@tonge.org <mailto:dave@tonge.org>>, Nat Sakimura
> <nat@sakimura.org <mailto:nat@sakimura.org>>
>
>
>
> A new version of I-D, draft-ietf-oauth-par-02.txt
> has been successfully submitted by Brian Campbell and posted to the
> IETF repository.
>
> Name:           draft-ietf-oauth-par
> Revision:       02
> Title:          OAuth 2.0 Pushed Authorization Requests
> Document date:  2020-07-10
> Group:          oauth
> Pages:          18
> URL:
> https://www.ietf.org/internet-drafts/draft-ietf-oauth-par-02.txt
> Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-par/
> Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-par-02
> <https://tools.ietf.org/html/draft-ietf-oauth-par-02>
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-02
>
> Abstract:
>    This document defines the pushed authorization request endpoint,
>    which allows clients to push the payload of an OAuth 2.0
>    authorization request to the authorization server via a direct
>    request and provides them with a request URI that is used as
>    reference to the data in a subsequent authorization request.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org
> <http://tools.ietf.org>.
>
> The IETF Secretariat
>
>
>
> /CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly
> prohibited.  If you have received this communication in error, please
> notify the sender immediately by e-mail and delete the message and any
> file attachments from your computer. Thank you./
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Vladimir Dzhuvinov


--------------930C4CD511590D5937392620
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <blockquote type="cite"
cite="mid:CA+k3eCQzkFo_NPsRp+vb05YyDsuPzQNH-0Ldm26uvwtCRfgvSA@mail.gmail.com">
      <br>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Vladimir Dzhuvinov</pre>
  </body>
</html>

--------------930C4CD511590D5937392620--

--------------ms000504090603080909030002
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--------------ms000504090603080909030002--


From nobody Mon Jul 20 04:42:34 2020
From: Justin Richer <jricher@mit.edu>
Message-Id: <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7EFE2FA9-8D95-428A-B2AA-3A5EC0E241B5"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Mon, 20 Jul 2020 07:42:27 -0400
In-Reply-To: <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Dick Hardt <dick.hardt@gmail.com>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8MSJPzzZt74BuJwa5sh5txS8UHY>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

--Apple-Mail=_7EFE2FA9-8D95-428A-B2AA-3A5EC0E241B5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Since this is a recommendation for namespace, we could also just say collision-resistant like JWT, and any of those examples are fine. But that said, I think there’s something particularly compelling about URIs since they have somewhat-human-readable portions. But again, I’m saying it should be a recommendation to API developers and not a requirement in the spec. In the spec, I argue that “type” should be a string, full stop.

If documentation is so confusing that developers are typing in the wrong strings, then that’s bad documentation. And likely a bad choice for the “type” string on the part of the AS. You’d have the same problem with any other value the developer’s supposed to copy over.  :)

I agree that we should call out explicitly how they should be compared, and I propose we use one of the handful of existing string-comparison RFC’s here instead of defining our own rules.

While the type could be a dereferenceable URI, requiring action on the AS is really getting into distributed authorization policies. We tried doing that with UMA1’s scope structures and it didn’t work very well in practice (in my memory and experience). Someone could profile “type” on top of this if they wanted to do so, with support at the AS for that, but I don’t see a compelling reason for that to be a requirement as that’s a lot of complexity and a lot more error states (the fetch fails, or it doesn’t have a policy, or the policy’s in a format the AS doesn’t understand, or the AS doesn’t like the policy, etc).

An AS is always free to implement its types in such a fashion, and that could make plenty of sense in a smaller ecosystem. And this is yet another reason that we define “type” as being a string to be interpreted and understood by the AS — so that an AS that wants to work this way can do so.

 — Justin

PS: thanks for pointing out the error in the example in XYZ, I’ll fix that prior to publication.

> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> Justin: thanks for kindly pointing out which mail list this is.
>
> To clarify, public JWT claims are not just URIs, but any collision-resistant namespace:
> "Examples of collision-resistant namespaces include: Domain Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) [RFC4122]."
>
> I think letting the "type" be any JSON string and doing a byte-wise comparison will be problematic. A client developer will be reading documentation to learn what the types are, and typing it in. Given the wide set of whitespace characters, and unicode equivalence, different byte streams will all look the same, and a byte-wise comparison will fail.
>
> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is not sufficient. Canonicalization is required.
>
> These are not showstopper issues, but the specification should call out how type strings are compared, and provide caveats to an AS developer.
>
> I have no idea why you would think the AS would retrieve a URL.
>
> Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.
>
> What is the harm in non-normative language around a retrievable URI?
>
> BTW: the example in https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has not been updated with the "type" field.
>
> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
> Hi Dick,
>
> This is a discussion about the RAR specification on the OAuth list, and therefore doesn’t have anything to do with alignment with XAuth. In fact, I believe the alignment is the other way around, as doesn’t XAuth normatively reference RAR at this point? Even though, last I saw, it uses a different top-level structure for conveying things, I believe it does say to use the internal object structures. I am also a co-author on RAR and we had already defined a “type” field in RAR quite some time ago. You did notice that XYZ’s latest draft added this field to keep the two in alignment with each other, which has always been the goal since the initial proposal of the RAR work, but that’s a time lag and not a display of new intent.
>
> In any event, even though I think the decision has bearing in both places, this isn’t about GNAP. Working on RAR’s requirements has brought up this interesting issue of what should be in the type field for RAR in OAuth 2.
>
> I think that it should be defined as a string, and therefore compared as a byte value in all cases, regardless of what the content of the string is. I don’t think the AS should be expected to fetch a URI for anything. I don’t think the AS should normalize any of the inputs. I think that any JSON-friendly character set should be allowed (including spaces and unicodes), and since RAR already requires the JSON objects to be form-encoded, this shouldn’t cause additional trouble when adding them in to OAuth 2’s request structures.
>
> The idea of using a URI would be to get people out of each other’s namespaces. It’s similar to the concept of “public” vs “private” claims in JWT:
>
> https://tools.ietf.org/html/rfc7519#section-4.2
>
> What I’m proposing is that if you think it’s going to be a general-purpose type name, then we recommend you use a URI as your string. And beyond that, that’s it. It’s up to the AS to figure out what to do with it, and RAR stays out of it.
>
>  — Justin
>
>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> Hey Justin, glad to see that you have aligned with the latest XAuth draft on a type property being required.
>>
>> I like the idea that the value of the type property is fully defined by the AS, which could delegate it to a common URI for reuse. This gets GNAP out of specifying access requests, and enables other parties to define access without any required coordination with IETF or IANA.
>>
>> A complication in mixing plain strings and URIs is the canonicalization. A plain string can be a fixed byte representation, but a URI requires canonicalization for comparison. Mixing the two requires URI detection at the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>>
>> The URI is retrievable, it can provide machine and/or human readable documentation in JSON schema or some such, or any other content type. Once again, the details are out of scope of GNAP, but we can provide examples to guide implementers.
>>
>> Are you still thinking that bare strings are allowed in GNAP, and are defined by the AS?
>>
>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>> The “type” field in the RAR spec serves an important purpose: it defines what goes in the rest of the object, including what other fields are available and what values are allowed for those fields. It provides an API-level definition for requesting access based on multiple dimensions, and that’s really powerful and flexible. Each type can use any of the general-purpose fields like “actions” and/or add its own fields as necessary, and the “type” parameter keeps everything well-defined.
>>
>> The question, then, is what defines what’s allowed to go into the “type” field itself? And what defines how that value maps to the requirements for the rest of the object? The draft doesn’t say anything about it at the moment, but we should choose the direction we want to go. On the surface, there are three main options:
>>
>> 1) Require all values to be registered.
>> 2) Require all values to be collision-resistant (eg, URIs).
>> 3) Require all values to be defined by the AS (and/or the RS’s that it protects).
>>
>> Are there any other options?
>>
>> Here are my thoughts on each approach:
>>
>> 1) While it usually makes sense to register things for interoperability, this is a case where I think that a registry would actually hurt interoperability and adoption. Like a “scope” value, the RAR “type” is ultimately up to the AS and RS to interpret in their own context. We :want: people to define rich objects for their APIs and enable fine-grained access for their systems, and if they have to register something every time they come up with a new API to protect, it’s going to be an unmaintainable mess. I genuinely don’t think this would scale, and that most developers would just ignore the registry and do what they want anyway. And since many of these systems are inside domains, it’s completely unenforceable in practice.
>>
>> 2) This seems reasonable, but it’s a bit of a nuisance to require everything to be a URI here. It’s long and ugly, and a lot of APIs are going to be internal to a given group, deployment, or ecosystem anyway. This makes sense when you’ve got something reusable across many deployments, like OIDC, but it’s overhead when what you’re doing is tied to your environment.
>>
>> 3) This allows the AS and RS to define the request parameters for their APIs just like they do today with scopes. Since it’s always the combination of “this type :AT: this AS/RS”, name spacing is less of an issue across systems. We haven’t seen huge problems in scope value overlap in the wild, though it does occur from time to time it’s more than manageable. A client isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it can access something in particular.
>>
>> And all that brings me to my proposal:
>>
>> 4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.
>>
>> So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.
>>
>> My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.
>>
>> What does the rest of the group think? How should we manage the RAR “type” values and what they mean?
>>
>>  — Justin
>
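
The comparison question debated in this thread, as an added example that is not part of any message here: byte-wise matching of RAR "type" strings accepts only the exact registered value, and rejects inputs that differ by Unicode normalization form, whitespace variant, or URI case and default port. The type values, function names and the near-miss diagnostic are assumptions for illustration, and the URI folding is only a subset of RFC 3986 section 6.2.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit

# Constructed "type" values for a hypothetical AS; not taken from any spec.
REGISTERED_TYPES = (
    "payment_initiation",
    "https://schema.example.org/caf\u00e9-orders",  # precomposed e-acute (NFC)
)
DEFAULT_PORTS = {"http": 80, "https": 443}


def bytes_equal(a: str, b: str) -> bool:
    """Byte-wise comparison of the UTF-8 encodings, with no normalization."""
    return a.encode("utf-8") == b.encode("utf-8")


def fold(value: str) -> str:
    """Lossy folding used only for diagnostics, never to accept a request.

    NFKC unifies equivalent code point sequences and maps NO-BREAK SPACE to
    SPACE; str.split() then collapses every run of Unicode whitespace.
    Absolute URIs additionally get a lowercase scheme and host and lose a
    default port (a subset of RFC 3986 section 6.2 normalization).
    """
    text = " ".join(unicodedata.normalize("NFKC", value).split())
    try:
        parts = urlsplit(text)
        port = parts.port
    except ValueError:
        return text
    netloc = parts.netloc
    if not (parts.scheme and netloc) or "@" in netloc or "[" in netloc:
        return text  # not an absolute URI, or a form this sketch skips
    host = (parts.hostname or "").lower()
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        host = f"{host}:{port}"
    return urlunsplit(
        (parts.scheme, host, parts.path, parts.query, parts.fragment)
    )


def match_type(requested: str, registered=REGISTERED_TYPES):
    """Return (verdict, registered_value) for a requested "type" string.

    "match"     - byte-identical to a registered type; the only accepted case
    "near_miss" - different bytes that fold to a registered type; rejected,
                  but the intended value can be named in the error or log
    "unknown"   - nothing similar is registered
    """
    for known in registered:
        if bytes_equal(requested, known):
            return ("match", known)
    folded = fold(requested)
    for known in registered:
        if fold(known) == folded:
            return ("near_miss", known)
    return ("unknown", None)


def describe(value: str) -> list[str]:
    """Code points outside printable ASCII, for error messages and logs."""
    return [
        f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"
        for ch in value
        if not 0x21 <= ord(ch) <= 0x7E
    ]


# Constructed client inputs: each looks like a registered type on screen.
SAMPLES = (
    "payment_initiation",                               # exact
    "payment_initiation\u00a0",                         # trailing NBSP
    "https://schema.example.org/cafe\u0301-orders",     # decomposed (NFD)
    "HTTPS://Schema.Example.ORG:443/caf\u00e9-orders",  # case, default port
    "account_information",                              # not registered
)

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, intended = match_type(sample)
        print(f"{sample!r:58} {verdict:10} {intended!r} {describe(sample)}")
```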


--Apple-Mail=_7EFE2FA9-8D95-428A-B2AA-3A5EC0E241B5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""><div =
class=3D"">Since this is a recommendation for namespace, we could also =
just say collision-resistant like JWT, and any of those examples are =
fine. But that said, I think there=E2=80=99s something particularly =
compelling about URIs since they have somewhat-human-readable portions. =
But again, I=E2=80=99m saying it should be a recommendation to API =
developers and not a requirement in the spec. In the spec, I argue that =
=E2=80=9Ctype=E2=80=9D should be a string, full stop.</div><div =
class=3D""><br class=3D""></div>If documentation is so confusing that =
developers are typing in the wrong strings, then that=E2=80=99s bad =
documentation. And likely a bad choice for the =E2=80=9Ctype=E2=80=9D =
string on the part of the AS. You=E2=80=99d have the same problem with =
any other value the developer=E2=80=99s supposed to copy over. =
&nbsp;:)<div class=3D""><br class=3D""></div><div class=3D"">I agree =
that we should call out explicitly how they should be compared, and I =
propose we use one of the handful of existing string-comparison RFC=E2=80=99=
s here instead of defining our own rules.</div><div class=3D""><br =
class=3D""></div><div class=3D"">While the type could be a =
dereferenceable URI, requiring action on the AS is really getting into =
distributed authorization policies. We tried doing that with UMA1=E2=80=99=
s scope structures and it didn=E2=80=99t work very well in practice (in =
my memory and experience). Someone could profile =E2=80=9Ctype" on top =
of this if they wanted to do so, with support at the AS for that, but I =
don=E2=80=99t see a compelling reason for that to be a requirement as =
that=E2=80=99s a lot of complexity and a lot more error states (the =
fetch fails, or it doesn=E2=80=99t have a policy, or the policy=E2=80=99s =
in a format the AS doesn=E2=80=99t understand, or the AS doesn=E2=80=99t =
like the policy, etc).&nbsp;</div><div class=3D""><br =
class=3D""></div><div class=3D"">And AS is always free to implement its =
types in such a fashion, and that could make plenty of sense in a =
smaller ecosystem. And this is yet another reason that we define =
=E2=80=9Ctype=E2=80=9D as being a string to be interpreted and =
understood by the AS =E2=80=94 so that an AS that wants to work this way =
can do so.</div><div class=3D""><br class=3D""></div><div =
class=3D"">&nbsp;=E2=80=94 Justin</div><div class=3D""><br =
class=3D""></div><div class=3D"">PS: thanks for pointing out the error =
in the example in XYZ, I=E2=80=99ll fix that prior to publication.<br =
class=3D""><div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"">On Jul 18, 2020, at 8:58 PM, Dick Hardt &lt;<a =
href=3D"mailto:dick.hardt@gmail.com" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><meta =
http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8" =
class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D"">Justin: thanks for =
kindly pointing out which mail list this is.</div><div dir=3D"ltr" =
class=3D""><br class=3D""><div class=3D"">To clarify, public JWT claims =
are not just URIs, but any =
collision-resistant&nbsp;namespace:&nbsp;</div><div class=3D"">"Examples =
of collision-resistant namespaces include: Domain Names, Object =
Identifiers (OIDs) as defined in the ITU-T X.660 and&nbsp; &nbsp; &nbsp; =
X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) =
[RFC4122]."</div><div class=3D""><br class=3D""></div><div class=3D"">I =
think letting the "type" be any JSON string and doing a byte-wise =
comparison will be problematic. A client developer will be reading =
documentation to learn what the types are,&nbsp;and typing it in. Given =
the wide set of whitespace characters, and unicode equivalence, =
different byte streams will all look the same, and a byte-wise =
comparison will fail.</div><div class=3D""><br class=3D""></div><div =
class=3D"">Similarly&nbsp;for URIs. If it is a valid URI, then a =
byte-wise comparison is not sufficient. Canonicalization is =
required.&nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">These are not showstopper&nbsp;issues, but the specification =
should call out how type strings are compared, and provide&nbsp;caveats =
to an AS developer.</div><div class=3D""><br class=3D""></div><div =
class=3D"">I have no idea why you would think the AS would retrieve a =
URL.</div><div class=3D""><br class=3D""></div><div class=3D"">Since the =
type represents a much more complex object then a JWT claim, a client =
developer's tooling could pull down the JSON Schema (or some such) for a =
type used in their source code, and provide autocompletion and =
validation which would improve productivity and reduce errors. An AS =
that is using a defined type could use the schema for input validation. =
Neither of these would be at run time. JSON Schema allows comments and =
examples.</div><div class=3D""><br class=3D""></div><div class=3D"">What =
is the harm in non-normative language around a retrievable =
URI?</div><div class=3D""><br class=3D""></div><div class=3D"">BTW: the =
example in&nbsp;<a =
href=3D"https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2" =
target=3D"_blank" =
class=3D"">https://oauth.xyz/draft-richer-transactional-authz#rfc.section.=
2</a>&nbsp;has not been updated with the "type" field.</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div></div></div></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Sat, Jul =
18, 2020 at 8:10 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div class=3D"">Hi Dick,<div =
class=3D""><br class=3D""></div><div class=3D"">This is a discussion =
about the RAR specification on the OAuth list, and therefore doesn=E2=80=99=
t have anything to do with alignment with XAuth. In fact, I believe the =
alignment is the other way around, as doesn=E2=80=99t Xauth normatively =
reference RAR at this point? Even though, last I saw, it uses a =
different top-level structure for conveying things, I believe it does =
say to use the internal object structures. I am also a co-author on RAR =
and we had already defined a =E2=80=9Ctype=E2=80=9D field in RAR quite =
some time ago. You did notice that XYZ=E2=80=99s latest draft added this =
field to keep the two in alignment with each other, which has always =
been the goal since the initial proposal of the RAR work, but that=E2=80=99=
s a time lag and not a display of new intent.&nbsp;</div><div =
class=3D""><br class=3D""></div><div class=3D"">In any event, even =
though I think the decision has bearing in both places, this isn=E2=80=99t=
 about GNAP. Working on RAR=E2=80=99s requirements has brought up this =
interesting issue of what should be in the type field for RAR in OAuth =
2.</div><div class=3D""><br class=3D""></div><div class=3D"">I think =
that it should be defined as a string, and therefore compared as a byte =
value in all cases, regardless of what the content of the string is. I =
don=E2=80=99t think the AS should be expected to fetch a URI for =
anything. I don=E2=80=99t think the AS should normalize any of the =
inputs. I think that any JSON-friendly character set should be allowed =
(including spaces and unicodes), and since RAR already requires the JSON =
objects to be form-encoded, this shouldn=E2=80=99t cause additional =
trouble when adding them in to OAuth 2=E2=80=99s request =
structures.</div><div class=3D""><br class=3D""></div><div class=3D"">The =
idea of using a URI would be to get people out of each other=E2=80=99s =
namespaces. It=E2=80=99s similar to the concept of =E2=80=9Cpublic=E2=80=9D=
 vs =E2=80=9Cprivate=E2=80=9D claims in JWT:</div><div class=3D""><br =
class=3D""></div><div class=3D""><a =
href=3D"https://tools.ietf.org/html/rfc7519#section-4.2" target=3D"_blank"=
 class=3D"">https://tools.ietf.org/html/rfc7519#section-4.2</a></div><div =
class=3D""><br class=3D""></div><div class=3D"">What I=E2=80=99m =
proposing is that if you think it=E2=80=99s going to be a =
general-purpose type name, then we recommend you use a URI as your =
string. And beyond that, that=E2=80=99s it. It=E2=80=99s up to the AS to =
figure out what to do with it, and RAR stays out of it.</div><div =
class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 =
Justin<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 17, 2020, at 1:25 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D"">Hey Justin, glad to see that you =
have aligned with the latest XAuth draft on a type property being =
required.<br class=3D""><div class=3D""><br class=3D""></div><div =
class=3D"">I like the idea that the value of the type property is fully =
defined by the AS, which could delegate it to a common URI for reuse. =
This gets GNAP out of specifying access requests, and enables other =
parties to define access without any required coordination with IETF or =
IANA.</div><div class=3D""><br class=3D""></div><div class=3D"">A =
complication in mixing plain strings and URIs is the canonicalization. A =
plain string can be a fixed byte&nbsp;representation, but a URI requires =
canonicalization for comparison. Mixing the two requires&nbsp;URI =
detection at the AS before canonicalization, and an AS MUST do =
canonicalization of URIs.</div><div class=3D""><br class=3D""></div><div =
class=3D"">The URI is retrievable, it can provide machine and/or human =
readable documentation in JSON schema or some such, or any other content =
type. Once again, the details are out of scope&nbsp;of GNAP, but we can =
provide examples to guide implementers.</div><div class=3D""><br =
class=3D""></div><div class=3D"">Are you still thinking that bare =
strings are allowed in GNAP, and&nbsp;are defined by the AS?</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div><br class=3D""><div class=3D"gmail_quote"><div =
dir=3D"ltr" class=3D"gmail_attr">On Fri, Jul 17, 2020 at 8:39 AM Justin =
Richer &lt;<a href=3D"mailto:jricher@mit.edu" target=3D"_blank" =
class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">The =E2=80=9Ctype=E2=80=9D =
field in the RAR spec serves an important purpose: it defines what goes =
in the rest of the object, including what other fields are available and =
what values are allowed for those fields. It provides an API-level =
definition for requesting access based on multiple dimensions, and =
that=E2=80=99s really powerful and flexible. Each type can use any of =
the general-purpose fields like =E2=80=9Cactions=E2=80=9D and/or add its =
own fields as necessary, and the =E2=80=9Ctype=E2=80=9D parameter keeps =
everything well-defined.<br class=3D"">
<br class=3D"">
The question, then, is what defines what=E2=80=99s allowed to go into =
the =E2=80=9Ctype=E2=80=9D field itself? And what defines how that value =
maps to the requirements for the rest of the object? The draft doesn=E2=80=
=99t say anything about it at the moment, but we should choose the =
direction we want to go. On the surface, there are three main =
options:<br class=3D"">
<br class=3D"">
1) Require all values to be registered. <br class=3D"">
2) Require all values to be collision-resistant (eg, URIs).<br class=3D"">=

3) Require all values to be defined by the AS (and/or the RS=E2=80=99s =
that it protects).<br class=3D"">
<br class=3D"">
Are there any other options?<br class=3D"">
<br class=3D"">
Here are my thoughts on each approach:<br class=3D"">
<br class=3D"">
1) While it usually makes sense to register things for interoperability, =
this is a case where I think that a registry would actually hurt =
interoperability and adoption. Like a =E2=80=9Cscope=E2=80=9D value, the =
RAR =E2=80=9Ctype=E2=80=9D is ultimately up to the AS and RS to =
interpret in their own context. We :want: people to define rich objects =
for their APIs and enable fine-grained access for their systems, and if =
they have to register something every time they come up with a new API =
to protect, it=E2=80=99s going to be an unmaintainable mess. I genuinely =
don=E2=80=99t think this would scale, and that most developers would =
just ignore the registry and do what they want anyway. And since many of =
these systems are inside domains, it=E2=80=99s completely unenforceable =
in practice.<br class=3D"">
<br class=3D"">
2) This seems reasonable, but it=E2=80=99s a bit of a nuisance to =
require everything to be a URI here. It=E2=80=99s long and ugly, and a =
lot of APIs are going to be internal to a given group, deployment, or =
ecosystem anyway. This makes sense when you=E2=80=99ve got something =
reusable across many deployments, like OIDC, but it=E2=80=99s overhead =
when what you=E2=80=99re doing is tied to your environment.<br class=3D"">=

<br class=3D"">
3) This allows the AS and RS to define the request parameters for their =
APIs just like they do today with scopes. Since it=E2=80=99s always the =
combination of =E2=80=9Cthis type :AT: this AS/RS=E2=80=9D, name spacing =
is less of an issue across systems. We haven=E2=80=99t seen huge =
problems in scope value overlap in the wild, though it does occur from =
time to time it=E2=80=99s more than manageable. A client isn=E2=80=99t =
going to just =E2=80=9Cspeak RAR=E2=80=9D, it=E2=80=99s going to be =
speaking RAR so that it can access something in particular.<br class=3D"">=

<br class=3D"">
And all that brings me to my proposal: <br class=3D"">
<br class=3D"">
4) Require all values to be defined by the AS, and encourage =
specification developers to use URIs for collision resistance.<br =
class=3D"">
<br class=3D"">
So officially in RAR, the AS would decide what =E2=80=9Ctype=E2=80=9D =
means, and nobody else. But we can also guide people who are developing =
general-purpose interoperable APIs to use URIs for their RAR =E2=80=9Ctype=
=E2=80=9D definitions. This would keep those interoperable APIs from =
stepping on each other, and from stepping on any locally-defined special =
=E2=80=9Ctype=E2=80=9D structure. But at the end of the day, the URI =
carries no more weight than just any other string, and the AS decides =
what it means and how it applies.<br class=3D"">
<br class=3D"">
My argument is that this seems to have worked very, very well for =
scopes, and the RAR =E2=80=9Ctype=E2=80=9D is cut from similar =
descriptive cloth.<br class=3D"">
<br class=3D"">
What does the rest of the group think? How should we manage the RAR =
=E2=80=9Ctype=E2=80=9D values and what they mean?<br class=3D"">
<br class=3D"">
&nbsp;=E2=80=94 Justin<br class=3D"">
_______________________________________________<br class=3D"">
OAuth mailing list<br class=3D"">
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a><br class=3D"">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer"=
 target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><br class=3D"">
</blockquote></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_7EFE2FA9-8D95-428A-B2AA-3A5EC0E241B5--


From nobody Mon Jul 20 09:00:28 2020
Return-Path: <jricher@mit.edu>
From: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2CBC7B43-8469-464A-ADD1-AF91000CE961"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Mon, 20 Jul 2020 12:00:20 -0400
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com> <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu>
To: oauth <oauth@ietf.org>
In-Reply-To: <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu>
Message-Id: <1DEE264E-8E35-4AF0-974E-3C2C4966BC78@mit.edu>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Eit8b2PwmN6o-EzU7TqoZwccdd0>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

--Apple-Mail=_2CBC7B43-8469-464A-ADD1-AF91000CE961
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I created a pull request with some proposed language here:

https://github.com/oauthstuff/draft-oauth-rar/pull/52

 — Justin

> On Jul 20, 2020, at 7:42 AM, Justin Richer <jricher@mit.edu> wrote:
>
> Since this is a recommendation for namespace, we could also just say collision-resistant like JWT, and any of those examples are fine. But that said, I think there’s something particularly compelling about URIs since they have somewhat-human-readable portions. But again, I’m saying it should be a recommendation to API developers and not a requirement in the spec. In the spec, I argue that “type” should be a string, full stop.
>
> If documentation is so confusing that developers are typing in the wrong strings, then that’s bad documentation. And likely a bad choice for the “type” string on the part of the AS. You’d have the same problem with any other value the developer’s supposed to copy over.  :)
>
> I agree that we should call out explicitly how they should be compared, and I propose we use one of the handful of existing string-comparison RFC’s here instead of defining our own rules.
>
> While the type could be a dereferenceable URI, requiring action on the AS is really getting into distributed authorization policies. We tried doing that with UMA1’s scope structures and it didn’t work very well in practice (in my memory and experience). Someone could profile “type” on top of this if they wanted to do so, with support at the AS for that, but I don’t see a compelling reason for that to be a requirement as that’s a lot of complexity and a lot more error states (the fetch fails, or it doesn’t have a policy, or the policy’s in a format the AS doesn’t understand, or the AS doesn’t like the policy, etc).
>
> An AS is always free to implement its types in such a fashion, and that could make plenty of sense in a smaller ecosystem. And this is yet another reason that we define “type” as being a string to be interpreted and understood by the AS — so that an AS that wants to work this way can do so.
>
>  — Justin
>
> PS: thanks for pointing out the error in the example in XYZ, I’ll fix that prior to publication.
>
>> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> Justin: thanks for kindly pointing out which mail list this is.
>>
>> To clarify, public JWT claims are not just URIs, but any collision-resistant namespace:
>> "Examples of collision-resistant namespaces include: Domain Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) [RFC4122]."
>>
>> I think letting the "type" be any JSON string and doing a byte-wise comparison will be problematic. A client developer will be reading documentation to learn what the types are, and typing it in. Given the wide set of whitespace characters, and unicode equivalence, different byte streams will all look the same, and a byte-wise comparison will fail.
>>
>> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is not sufficient. Canonicalization is required.
>>
>> These are not showstopper issues, but the specification should call out how type strings are compared, and provide caveats to an AS developer.
>>
>> I have no idea why you would think the AS would retrieve a URL.
>>
>> Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.
>>
>> What is the harm in non-normative language around a retrievable URI?
>>
>> BTW: the example in https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has not been updated with the "type" field.
>>
>> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>> Hi Dick,
>>
>> This is a discussion about the RAR specification on the OAuth list, and therefore doesn’t have anything to do with alignment with XAuth. In fact, I believe the alignment is the other way around, as doesn’t Xauth normatively reference RAR at this point? Even though, last I saw, it uses a different top-level structure for conveying things, I believe it does say to use the internal object structures. I am also a co-author on RAR and we had already defined a “type” field in RAR quite some time ago. You did notice that XYZ’s latest draft added this field to keep the two in alignment with each other, which has always been the goal since the initial proposal of the RAR work, but that’s a time lag and not a display of new intent.
>>
>> In any event, even though I think the decision has bearing in both places, this isn’t about GNAP. Working on RAR’s requirements has brought up this interesting issue of what should be in the type field for RAR in OAuth 2.
>>
>> I think that it should be defined as a string, and therefore compared as a byte value in all cases, regardless of what the content of the string is. I don’t think the AS should be expected to fetch a URI for anything. I don’t think the AS should normalize any of the inputs. I think that any JSON-friendly character set should be allowed (including spaces and unicodes), and since RAR already requires the JSON objects to be form-encoded, this shouldn’t cause additional trouble when adding them in to OAuth 2’s request structures.
>>
>> The idea of using a URI would be to get people out of each other’s namespaces. It’s similar to the concept of “public” vs “private” claims in JWT:
>>
>> https://tools.ietf.org/html/rfc7519#section-4.2
>>
>> What I’m proposing is that if you think it’s going to be a general-purpose type name, then we recommend you use a URI as your string. And beyond that, that’s it. It’s up to the AS to figure out what to do with it, and RAR stays out of it.
>>
>>  — Justin
>>
>>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>> Hey Justin, glad to see that you have aligned with the latest XAuth draft on a type property being required.
>>>
>>> I like the idea that the value of the type property is fully defined by the AS, which could delegate it to a common URI for reuse. This gets GNAP out of specifying access requests, and enables other parties to define access without any required coordination with IETF or IANA.
>>>
>>> A complication in mixing plain strings and URIs is the canonicalization. A plain string can be a fixed byte representation, but a URI requires canonicalization for comparison. Mixing the two requires URI detection at the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>>>
>>> The URI is retrievable, it can provide machine and/or human readable documentation in JSON schema or some such, or any other content type. Once again, the details are out of scope of GNAP, but we can provide examples to guide implementers.
>>>
>>> Are you still thinking that bare strings are allowed in GNAP, and are defined by the AS?
>>>
>>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>> The “type” field in the RAR spec serves an important purpose: it defines what goes in the rest of the object, including what other fields are available and what values are allowed for those fields. It provides an API-level definition for requesting access based on multiple dimensions, and that’s really powerful and flexible. Each type can use any of the general-purpose fields like “actions” and/or add its own fields as necessary, and the “type” parameter keeps everything well-defined.
>>>
>>> The question, then, is what defines what’s allowed to go into the “type” field itself? And what defines how that value maps to the requirements for the rest of the object? The draft doesn’t say anything about it at the moment, but we should choose the direction we want to go. On the surface, there are three main options:
>>>
>>> 1) Require all values to be registered.
>>> 2) Require all values to be collision-resistant (eg, URIs).
>>> 3) Require all values to be defined by the AS (and/or the RS’s that it protects).
>>>
>>> Are there any other options?
>>>
>>> Here are my thoughts on each approach:
>>>
>>> 1) While it usually makes sense to register things for interoperability, this is a case where I think that a registry would actually hurt interoperability and adoption. Like a “scope” value, the RAR “type” is ultimately up to the AS and RS to interpret in their own context. We :want: people to define rich objects for their APIs and enable fine-grained access for their systems, and if they have to register something every time they come up with a new API to protect, it’s going to be an unmaintainable mess. I genuinely don’t think this would scale, and that most developers would just ignore the registry and do what they want anyway. And since many of these systems are inside domains, it’s completely unenforceable in practice.
>>>
>>> 2) This seems reasonable, but it’s a bit of a nuisance to require everything to be a URI here. It’s long and ugly, and a lot of APIs are going to be internal to a given group, deployment, or ecosystem anyway. This makes sense when you’ve got something reusable across many deployments, like OIDC, but it’s overhead when what you’re doing is tied to your environment.
>>>
>>> 3) This allows the AS and RS to define the request parameters for their APIs just like they do today with scopes. Since it’s always the combination of “this type :AT: this AS/RS”, name spacing is less of an issue across systems. We haven’t seen huge problems in scope value overlap in the wild, though it does occur from time to time it’s more than manageable. A client isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it can access something in particular.
>>>
>>> And all that brings me to my proposal:
>>>
>>> 4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.
>>>
>>> So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.
>>>
>>> My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>
>>> What does the rest of the group think? How should we manage the RAR “type” values and what they mean?
>>>
>>>  — Justin
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
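
The comparison question argued in this thread (byte-wise matching of the RAR "type" string versus Unicode and URI canonicalization), as an added example that is not part of any message in the thread or of the RAR draft. The type values are constructed samples and the names classify, check_type and the near-miss labels are hypothetical; the AS sketched here keeps the strict byte-wise rule and uses normalization only to explain a rejection.

```python
"""Added illustration: comparing RAR "type" strings at an AS (constructed data)."""
import re
import string
import unicodedata
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def fold_unicode(value):
    """NFC-normalise and map every Unicode whitespace character to U+0020."""
    nfc = unicodedata.normalize("NFC", value)
    return "".join(" " if ch.isspace() else ch for ch in nfc)


def _normalise_pct(text):
    """Decode %XX escapes of unreserved characters, upper-case the others."""
    def fix(match):
        ch = chr(int(match.group(1), 16))
        return ch if ch in _UNRESERVED else "%" + match.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, text)


def _remove_dot_segments(path):
    """Resolve "." and ".." in an absolute path (RFC 3986 section 5.2.4)."""
    segments = path.split("/")
    out = []
    for seg in segments:
        if seg == "..":
            if len(out) > 1:
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segments[-1] in (".", ".."):
        out.append("")  # "/a/b/.." normalises to "/a/", not "/a"
    return "/".join(out)


def normalise_uri(value):
    """Syntax- and scheme-based normalisation (RFC 3986 sections 6.2.2, 6.2.3).

    Returns None when the value is not an absolute URI with an authority.
    Userinfo is dropped; a type identifier is assumed not to carry one.
    """
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    netloc = parts.hostname.lower()
    if ":" in netloc:                      # IPv6 literal needs its brackets back
        netloc = "[" + netloc + "]"
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        netloc += ":%d" % port
    path = _remove_dot_segments(_normalise_pct(parts.path)) or "/"
    return urlunsplit((scheme, netloc, path,
                       _normalise_pct(parts.query), parts.fragment))


def classify(registered, presented):
    """Say how two type strings relate, from strictest to loosest match."""
    if registered == presented:            # same code points, same UTF-8 bytes
        return "exact"
    if fold_unicode(registered) == fold_unicode(presented):
        return "unicode-equivalent"
    reg_uri = normalise_uri(registered)
    if reg_uri is not None and reg_uri == normalise_uri(presented):
        return "uri-equivalent"
    return "different"


def check_type(registered_types, presented):
    """Strict policy: accept only an exact match, but return the near miss
    (verdict, registered value) so the rejection can be logged and explained."""
    near = ("different", None)
    for reg in registered_types:
        verdict = classify(reg, presented)
        if verdict == "exact":
            return True, "exact", reg
        if verdict != "different" and near[1] is None:
            near = (verdict, reg)
    return False, near[0], near[1]


# Constructed sample values, not taken from the RAR draft or any deployment.
REGISTERED = [
    "customer_information",
    "caf\u00e9 account",                                    # precomposed U+00E9
    "https://schema.example.org/v1/payment_initiation",
]
PRESENTED = [
    "customer_information",
    "cafe\u0301 account",                                   # e + combining acute
    "caf\u00e9\u00a0account",                               # no-break space
    "HTTPS://Schema.Example.org:443/v1/./payment_initiation",
    "customer-information",
]

if __name__ == "__main__":
    for value in PRESENTED:
        accepted, verdict, match = check_type(REGISTERED, value)
        print("%-60r accepted=%-5s %s -> %r" % (value, accepted, verdict, match))
```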


--Apple-Mail=_2CBC7B43-8469-464A-ADD1-AF91000CE961
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D"">I =
created a pull request with some proposed language here:<div =
class=3D""><br class=3D""></div><div class=3D""><a =
href=3D"https://github.com/oauthstuff/draft-oauth-rar/pull/52" =
class=3D"">https://github.com/oauthstuff/draft-oauth-rar/pull/52</a></div>=
<div class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 =
Justin<br class=3D""><div><br class=3D""><blockquote type=3D"cite" =
class=3D""><div class=3D"">On Jul 20, 2020, at 7:42 AM, Justin Richer =
&lt;<a href=3D"mailto:jricher@mit.edu" class=3D"">jricher@mit.edu</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><div class=3D"">
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8" =
class=3D""><div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space; line-break: after-white-space;" class=3D""><div class=3D"">Since =
this is a recommendation for namespace, we could also just say =
collision-resistant like JWT, and any of those examples are fine. But =
that said, I think there=E2=80=99s something particularly compelling =
about URIs since they have somewhat-human-readable portions. But again, =
I=E2=80=99m saying it should be a recommendation to API developers and =
not a requirement in the spec. In the spec, I argue that =E2=80=9Ctype=E2=80=
=9D should be a string, full stop.</div><div class=3D""><br =
class=3D""></div>If documentation is so confusing that developers are =
typing in the wrong strings, then that=E2=80=99s bad documentation. And =
likely a bad choice for the =E2=80=9Ctype=E2=80=9D string on the part of =
the AS. You=E2=80=99d have the same problem with any other value the =
developer=E2=80=99s supposed to copy over. &nbsp;:)<div class=3D""><br =
class=3D""></div><div class=3D"">I agree that we should call out =
explicitly how they should be compared, and I propose we use one of the =
handful of existing string-comparison RFC=E2=80=99s here instead of =
defining our own rules.</div><div class=3D""><br class=3D""></div><div =
class=3D"">While the type could be a dereferenceable URI, requiring =
action on the AS is really getting into distributed authorization =
policies. We tried doing that with UMA1=E2=80=99s scope structures and =
it didn=E2=80=99t work very well in practice (in my memory and =
experience). Someone could profile =E2=80=9Ctype" on top of this if they =
wanted to do so, with support at the AS for that, but I don=E2=80=99t =
see a compelling reason for that to be a requirement as that=E2=80=99s a =
lot of complexity and a lot more error states (the fetch fails, or it =
doesn=E2=80=99t have a policy, or the policy=E2=80=99s in a format the =
AS doesn=E2=80=99t understand, or the AS doesn=E2=80=99t like the =
policy, etc).&nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">And AS is always free to implement its types in such a =
fashion, and that could make plenty of sense in a smaller ecosystem. And =
this is yet another reason that we define =E2=80=9Ctype=E2=80=9D as =
being a string to be interpreted and understood by the AS =E2=80=94 so =
that an AS that wants to work this way can do so.</div><div class=3D""><br=
 class=3D""></div><div class=3D"">&nbsp;=E2=80=94 Justin</div><div =
class=3D""><br class=3D""></div><div class=3D"">PS: thanks for pointing =
out the error in the example in XYZ, I=E2=80=99ll fix that prior to =
publication.<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 18, 2020, at 8:58 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><div dir=3D"ltr" =
class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D"">Justin: thanks for kindly pointing out which mail =
list this is.</div><div dir=3D"ltr" class=3D""><br class=3D""><div =
class=3D"">To clarify, public JWT claims are not just URIs, but any =
collision-resistant&nbsp;namespace:&nbsp;</div><div class=3D"">"Examples =
of collision-resistant namespaces include: Domain Names, Object =
Identifiers (OIDs) as defined in the ITU-T X.660 and&nbsp; &nbsp; &nbsp; =
X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) =
[RFC4122]."</div><div class=3D""><br class=3D""></div><div class=3D"">I =
think letting the "type" be any JSON string and doing a byte-wise =
comparison will be problematic. A client developer will be reading =
documentation to learn what the types are,&nbsp;and typing it in. Given =
the wide set of whitespace characters, and unicode equivalence, =
different byte streams will all look the same, and a byte-wise =
comparison will fail.</div><div class=3D""><br class=3D""></div><div =
class=3D"">Similarly&nbsp;for URIs. If it is a valid URI, then a =
byte-wise comparison is not sufficient. Canonicalization is =
required.&nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">These are not showstopper&nbsp;issues, but the specification =
should call out how type strings are compared, and provide&nbsp;caveats =
to an AS developer.</div><div class=3D""><br class=3D""></div><div =
class=3D"">I have no idea why you would think the AS would retrieve a =
URL.</div><div class=3D""><br class=3D""></div><div class=3D"">Since the =
type represents a much more complex object then a JWT claim, a client =
developer's tooling could pull down the JSON Schema (or some such) for a =
type used in their source code, and provide autocompletion and =
validation which would improve productivity and reduce errors. An AS =
that is using a defined type could use the schema for input validation. =
Neither of these would be at run time. JSON Schema allows comments and =
examples.</div><div class=3D""><br class=3D""></div><div class=3D"">What =
is the harm in non-normative language around a retrievable =
URI?</div><div class=3D""><br class=3D""></div><div class=3D"">BTW: the =
example in&nbsp;<a =
href=3D"https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2" =
target=3D"_blank" =
class=3D"">https://oauth.xyz/draft-richer-transactional-authz#rfc.section.=
2</a>&nbsp;has not been updated with the "type" field.</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div></div></div></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Sat, Jul =
18, 2020 at 8:10 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div class=3D"">Hi Dick,<div =
class=3D""><br class=3D""></div><div class=3D"">This is a discussion =
about the RAR specification on the OAuth list, and therefore doesn=E2=80=99=
t have anything to do with alignment with XAuth. In fact, I believe the =
alignment is the other way around, as doesn=E2=80=99t Xauth normatively =
reference RAR at this point? Even though, last I saw, it uses a =
different top-level structure for conveying things, I believe it does =
say to use the internal object structures. I am also a co-author on RAR =
and we had already defined a =E2=80=9Ctype=E2=80=9D field in RAR quite =
some time ago. You did notice that XYZ=E2=80=99s latest draft added this =
field to keep the two in alignment with each other, which has always =
been the goal since the initial proposal of the RAR work, but that=E2=80=99=
s a time lag and not a display of new intent.&nbsp;</div><div =
class=3D""><br class=3D""></div><div class=3D"">In any event, even =
though I think the decision has bearing in both places, this isn=E2=80=99t=
 about GNAP. Working on RAR=E2=80=99s requirements has brought up this =
interesting issue of what should be in the type field for RAR in OAuth =
2.</div><div class=3D""><br class=3D""></div><div class=3D"">I think =
that it should be defined as a string, and therefore compared as a byte =
value in all cases, regardless of what the content of the string is. I =
don=E2=80=99t think the AS should be expected to fetch a URI for =
anything. I don=E2=80=99t think the AS should normalize any of the =
inputs. I think that any JSON-friendly character set should be allowed =
(including spaces and unicodes), and since RAR already requires the JSON =
objects to be form-encoded, this shouldn=E2=80=99t cause additional =
trouble when adding them in to OAuth 2=E2=80=99s request =
structures.</div><div class=3D""><br class=3D""></div><div class=3D"">The =
idea of using a URI would be to get people out of each other=E2=80=99s =
namespaces. It=E2=80=99s similar to the concept of =E2=80=9Cpublic=E2=80=9D=
 vs =E2=80=9Cprivate=E2=80=9D claims in JWT:</div><div class=3D""><br =
class=3D""></div><div class=3D""><a =
href=3D"https://tools.ietf.org/html/rfc7519#section-4.2" target=3D"_blank"=
 class=3D"">https://tools.ietf.org/html/rfc7519#section-4.2</a></div><div =
class=3D""><br class=3D""></div><div class=3D"">What I=E2=80=99m =
proposing is that if you think it=E2=80=99s going to be a =
general-purpose type name, then we recommend you use a URI as your =
string. And beyond that, that=E2=80=99s it. It=E2=80=99s up to the AS to =
figure out what to do with it, and RAR stays out of it.</div><div =
class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 =
Justin<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 17, 2020, at 1:25 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D"">Hey Justin, glad to see that you =
have aligned with the latest XAuth draft on a type property being =
required.<br class=3D""><div class=3D""><br class=3D""></div><div =
class=3D"">I like the idea that the value of the type property is fully =
defined by the AS, which could delegate it to a common URI for reuse. =
This gets GNAP out of specifying access requests, and enables other =
parties to define access without any required coordination with IETF or =
IANA.</div><div class=3D""><br class=3D""></div><div class=3D"">A =
complication in mixing plain strings and URIs is the canonicalization. A =
plain string can be a fixed byte&nbsp;representation, but a URI requires =
canonicalization for comparison. Mixing the two requires&nbsp;URI =
detection at the AS before canonicalization, and an AS MUST do =
canonicalization of URIs.</div><div class=3D""><br class=3D""></div><div =
class=3D"">The URI is retrievable, it can provide machine and/or human =
readable documentation in JSON schema or some such, or any other content =
type. Once again, the details are out of scope&nbsp;of GNAP, but we can =
provide examples to guide implementers.</div><div class=3D""><br =
class=3D""></div><div class=3D"">Are you still thinking that bare =
strings are allowed in GNAP, and&nbsp;are defined by the AS?</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div><br class=3D""><div class=3D"gmail_quote"><div =
dir=3D"ltr" class=3D"gmail_attr">On Fri, Jul 17, 2020 at 8:39 AM Justin =
Richer &lt;<a href=3D"mailto:jricher@mit.edu" target=3D"_blank" =
class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">The =E2=80=9Ctype=E2=80=9D =
field in the RAR spec serves an important purpose: it defines what goes =
in the rest of the object, including what other fields are available and =
what values are allowed for those fields. It provides an API-level =
definition for requesting access based on multiple dimensions, and =
that=E2=80=99s really powerful and flexible. Each type can use any of =
the general-purpose fields like =E2=80=9Cactions=E2=80=9D and/or add its =
own fields as necessary, and the =E2=80=9Ctype=E2=80=9D parameter keeps =
everything well-defined.<br class=3D"">
<br class=3D"">
The question, then, is what defines what=E2=80=99s allowed to go into =
the =E2=80=9Ctype=E2=80=9D field itself? And what defines how that value =
maps to the requirements for the rest of the object? The draft doesn=E2=80=
=99t say anything about it at the moment, but we should choose the =
direction we want to go. On the surface, there are three main =
options:<br class=3D"">
<br class=3D"">
1) Require all values to be registered. <br class=3D"">
2) Require all values to be collision-resistant (eg, URIs).<br class=3D"">=

3) Require all values to be defined by the AS (and/or the RS=E2=80=99s =
that it protects).<br class=3D"">
<br class=3D"">
Are there any other options?<br class=3D"">
<br class=3D"">
Here are my thoughts on each approach:<br class=3D"">
<br class=3D"">
1) While it usually makes sense to register things for interoperability, =
this is a case where I think that a registry would actually hurt =
interoperability and adoption. Like a =E2=80=9Cscope=E2=80=9D value, the =
RAR =E2=80=9Ctype=E2=80=9D is ultimately up to the AS and RS to =
interpret in their own context. We :want: people to define rich objects =
for their APIs and enable fine-grained access for their systems, and if =
they have to register something every time they come up with a new API =
to protect, it=E2=80=99s going to be an unmaintainable mess. I genuinely =
don=E2=80=99t think this would scale, and that most developers would =
just ignore the registry and do what they want anyway. And since many of =
these systems are inside domains, it=E2=80=99s completely unenforceable =
in practice.<br class=3D"">
<br class=3D"">
2) This seems reasonable, but it=E2=80=99s a bit of a nuisance to =
require everything to be a URI here. It=E2=80=99s long and ugly, and a =
lot of APIs are going to be internal to a given group, deployment, or =
ecosystem anyway. This makes sense when you=E2=80=99ve got something =
reusable across many deployments, like OIDC, but it=E2=80=99s overhead =
when what you=E2=80=99re doing is tied to your environment.<br class=3D"">=

<br class=3D"">
3) This allows the AS and RS to define the request parameters for their =
APIs just like they do today with scopes. Since it=E2=80=99s always the =
combination of =E2=80=9Cthis type :AT: this AS/RS=E2=80=9D, name spacing =
is less of an issue across systems. We haven=E2=80=99t seen huge =
problems in scope value overlap in the wild, though it does occur from =
time to time it=E2=80=99s more than manageable. A client isn=E2=80=99t =
going to just =E2=80=9Cspeak RAR=E2=80=9D, it=E2=80=99s going to be =
speaking RAR so that it can access something in particular.<br class=3D"">=

<br class=3D"">
And all that brings me to my proposal: <br class=3D"">
<br class=3D"">
4) Require all values to be defined by the AS, and encourage =
specification developers to use URIs for collision resistance.<br =
class=3D"">
<br class=3D"">
So officially in RAR, the AS would decide what =E2=80=9Ctype=E2=80=9D =
means, and nobody else. But we can also guide people who are developing =
general-purpose interoperable APIs to use URIs for their RAR =E2=80=9Ctype=
=E2=80=9D definitions. This would keep those interoperable APIs from =
stepping on each other, and from stepping on any locally-defined special =
=E2=80=9Ctype=E2=80=9D structure. But at the end of the day, the URI =
carries no more weight than just any other string, and the AS decides =
what it means and how it applies.<br class=3D"">
<br class=3D"">
My argument is that this seems to have worked very, very well for =
scopes, and the RAR =E2=80=9Ctype=E2=80=9D is cut from similar =
descriptive cloth.<br class=3D"">
<br class=3D"">
What does the rest of the group think? How should we manage the RAR =
=E2=80=9Ctype=E2=80=9D values and what they mean?<br class=3D"">
<br class=3D"">
&nbsp;=E2=80=94 Justin<br class=3D"">
_______________________________________________<br class=3D"">
OAuth mailing list<br class=3D"">
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a><br class=3D"">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer"=
 target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><br class=3D"">
</blockquote></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br =
class=3D""></div></div>_______________________________________________<br =
class=3D"">OAuth mailing list<br class=3D""><a =
href=3D"mailto:OAuth@ietf.org" class=3D"">OAuth@ietf.org</a><br =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth<br =
class=3D""></div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_2CBC7B43-8469-464A-ADD1-AF91000CE961--
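Added example, not part of any message in this thread: the comparison question debated above (byte-wise comparison of the RAR "type" string versus Unicode and URI canonicalization), worked through in Python. The type values, the registered set and the helper names are constructed for illustration; URI handling follows the syntax-based normalization of RFC 3986 section 6.2.2, and using canonical matches only as diagnostics is an assumption of this sketch, not something the drafts specify.

```python
import re
import unicodedata
from urllib.parse import urlsplit, urlunsplit

UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
DEFAULT_PORTS = {"http": 80, "https": 443}
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")

# Constructed sample: the "type" values a hypothetical AS has defined.
REGISTERED = {"payment initiation", "caf\u00e9-orders",
              "https://example.com/rar/~orders/v1"}


def bytes_equal(a, b):
    """Compare the UTF-8 encodings byte for byte, with no normalization."""
    return a.encode("utf-8") == b.encode("utf-8")


def looks_like_uri(value):
    """RFC 3986 scheme syntax only; a bare string such as 'photo-api:read'
    also passes, which is the URI-detection complication raised in the thread."""
    return SCHEME_RE.match(value) is not None


def _normalize_pct(text):
    """Decode %XX for unreserved characters, upper-case the hex otherwise."""
    def repl(match):
        char = chr(int(match.group(1), 16))
        return char if char in UNRESERVED else "%" + match.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", repl, text)


def _remove_dot_segments(path):
    """Resolve '.' and '..' segments of a path."""
    segments, out = path.split("/"), []
    for index, segment in enumerate(segments):
        if segment in (".", ".."):
            if segment == ".." and len(out) > 1:
                out.pop()
            if index == len(segments) - 1:
                out.append("")  # keep the trailing slash
        else:
            out.append(segment)
    return "/".join(out)


def normalize_uri(uri):
    """Syntax-based normalization: case, percent-encoding, dot segments,
    default port. Userinfo is dropped (not expected in a type name)."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    netloc = (parts.hostname or "").lower()
    if parts.port is not None and DEFAULT_PORTS.get(scheme) != parts.port:
        netloc += ":%d" % parts.port
    path = _remove_dot_segments(_normalize_pct(parts.path))
    if netloc and not path:
        path = "/"
    return urlunsplit((scheme, netloc, path, _normalize_pct(parts.query),
                       _normalize_pct(parts.fragment)))


def canonical(value):
    """NFC-normalize, then URI-normalize values that look like URIs."""
    value = unicodedata.normalize("NFC", value)
    return normalize_uri(value) if looks_like_uri(value) else value


def check_type(requested, registered=REGISTERED):
    """Accept only exact byte matches; report canonical look-alikes as hints
    for the error response or log, never as a match."""
    if any(bytes_equal(requested, known) for known in registered):
        return True, []
    wanted = canonical(requested)
    return False, sorted(k for k in registered if canonical(k) == wanted)


if __name__ == "__main__":
    samples = [  # constructed inputs
        "payment initiation",                          # exact match
        "cafe\u0301-orders",                           # decomposed (NFD) spelling
        "payment\u00a0initiation",                     # no-break space, NFC keeps it
        "HTTPS://Example.COM:443/rar/%7Eorders/./v1",  # same URI, other spelling
    ]
    for sample in samples:
        print(repr(sample), check_type(sample))
```

The no-break-space input produces no hint because NFC does not fold compatibility characters; only a compatibility form such as NFKC would map it to an ordinary space.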


From nobody Mon Jul 20 11:59:58 2020
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 306BE3A0DEE for <oauth@ietfa.amsl.com>; Mon, 20 Jul 2020 11:59:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.097
X-Spam-Level: 
X-Spam-Status: No, score=-0.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.999, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IAcnBYss0GiG for <oauth@ietfa.amsl.com>; Mon, 20 Jul 2020 11:59:54 -0700 (PDT)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30BD83A0DD3 for <oauth@ietf.org>; Mon, 20 Jul 2020 11:59:54 -0700 (PDT)
Received: by mail-lj1-x22b.google.com with SMTP id x9so21395962ljc.5 for <oauth@ietf.org>; Mon, 20 Jul 2020 11:59:54 -0700 (PDT)
X-Received: by 2002:a2e:80c9:: with SMTP id r9mr11387032ljg.69.1595271592098;  Mon, 20 Jul 2020 11:59:52 -0700 (PDT)
MIME-Version: 1.0
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com> <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu>
In-Reply-To: <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 20 Jul 2020 11:59:16 -0700
Message-ID: <CAD9ie-tX+C1BvRRMH5E9-05X8YG02r3m1EpMn91Vruv+zsMyeg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000091453b05aae41cff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hVd4eOEEVSge6nTD5h9Bm2WtI08>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2020 18:59:57 -0000

--00000000000091453b05aae41cff
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Canonicalization of URIs and unicode is fairly well specified. I was not
suggesting we invent anything there.

A byte comparison, as you suggested earlier, will be problematic, as I have
pointed out.

I'm confused why you are still talking about the AS retrieving a URI.

On Mon, Jul 20, 2020 at 4:42 AM Justin Richer <jricher@mit.edu> wrote:

> Since this is a recommendation for namespace, we could also just say
> collision-resistant like JWT, and any of those examples are fine. But that
> said, I think there’s something particularly compelling about URIs since
> they have somewhat-human-readable portions. But again, I’m saying it should
> be a recommendation to API developers and not a requirement in the spec. In
> the spec, I argue that “type” should be a string, full stop.
>
> If documentation is so confusing that developers are typing in the wrong
> strings, then that’s bad documentation. And likely a bad choice for the
> “type” string on the part of the AS. You’d have the same problem with any
> other value the developer’s supposed to copy over.  :)
>
> I agree that we should call out explicitly how they should be compared,
> and I propose we use one of the handful of existing string-comparison RFC’s
> here instead of defining our own rules.
>
> While the type could be a dereferenceable URI, requiring action on the AS
> is really getting into distributed authorization policies. We tried doing
> that with UMA1’s scope structures and it didn’t work very well in practice
> (in my memory and experience). Someone could profile “type” on top of this
> if they wanted to do so, with support at the AS for that, but I don’t see a
> compelling reason for that to be a requirement as that’s a lot of
> complexity and a lot more error states (the fetch fails, or it doesn’t have
> a policy, or the policy’s in a format the AS doesn’t understand, or the AS
> doesn’t like the policy, etc).
>
> An AS is always free to implement its types in such a fashion, and that
> could make plenty of sense in a smaller ecosystem. And this is yet another
> reason that we define “type” as being a string to be interpreted and
> understood by the AS — so that an AS that wants to work this way can do so.
>
>  — Justin
>
> PS: thanks for pointing out the error in the example in XYZ, I’ll fix that
> prior to publication.
>
> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> Justin: thanks for kindly pointing out which mail list this is.
>
> To clarify, public JWT claims are not just URIs, but any
> collision-resistant namespace:
> "Examples of collision-resistant namespaces include: Domain Names, Object
> Identifiers (OIDs) as defined in the ITU-T X.660 and X.670
> Recommendation series, and Universally Unique IDentifiers (UUIDs)
> [RFC4122]."
>
> I think letting the "type" be any JSON string and doing a byte-wise
> comparison will be problematic. A client developer will be reading
> documentation to learn what the types are, and typing it in. Given the wide
> set of whitespace characters, and unicode equivalence, different byte
> streams will all look the same, and a byte-wise comparison will fail.
>
> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is
> not sufficient. Canonicalization is required.
>
> These are not showstopper issues, but the specification should call out
> how type strings are compared, and provide caveats to an AS developer.
>
> I have no idea why you would think the AS would retrieve a URL.
>
> Since the type represents a much more complex object than a JWT claim, a
> client developer's tooling could pull down the JSON Schema (or some such)
> for a type used in their source code, and provide autocompletion and
> validation which would improve productivity and reduce errors. An AS that
> is using a defined type could use the schema for input validation. Neither
> of these would be at run time. JSON Schema allows comments and examples.
>
> What is the harm in non-normative language around a retrievable URI?
>
> BTW: the example in
> https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has not
> been updated with the "type" field.
>
>
>
> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>
>> Hi Dick,
>>
>> This is a discussion about the RAR specification on the OAuth list, and
>> therefore doesn’t have anything to do with alignment with XAuth. In fact, I
>> believe the alignment is the other way around, as doesn’t Xauth normatively
>> reference RAR at this point? Even though, last I saw, it uses a different
>> top-level structure for conveying things, I believe it does say to use the
>> internal object structures. I am also a co-author on RAR and we had already
>> defined a “type” field in RAR quite some time ago. You did notice that
>> XYZ’s latest draft added this field to keep the two in alignment with each
>> other, which has always been the goal since the initial proposal of the RAR
>> work, but that’s a time lag and not a display of new intent.
>>
>> In any event, even though I think the decision has bearing in both
>> places, this isn’t about GNAP. Working on RAR’s requirements has brought up
>> this interesting issue of what should be in the type field for RAR in OAuth
>> 2.
>>
>> I think that it should be defined as a string, and therefore compared as
>> a byte value in all cases, regardless of what the content of the string is.
>> I don’t think the AS should be expected to fetch a URI for anything. I
>> don’t think the AS should normalize any of the inputs. I think that any
>> JSON-friendly character set should be allowed (including spaces and
>> unicodes), and since RAR already requires the JSON objects to be
>> form-encoded, this shouldn’t cause additional trouble when adding them in
>> to OAuth 2’s request structures.
>>
>> The idea of using a URI would be to get people out of each other’s
>> namespaces. It’s similar to the concept of “public” vs “private” claims in
>> JWT:
>>
>> https://tools.ietf.org/html/rfc7519#section-4.2
>>
>> What I’m proposing is that if you think it’s going to be a
>> general-purpose type name, then we recommend you use a URI as your string.
>> And beyond that, that’s it. It’s up to the AS to figure out what to do with
>> it, and RAR stays out of it.
>>
>>  — Justin
>>
>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> Hey Justin, glad to see that you have aligned with the latest XAuth draft
>> on a type property being required.
>>
>> I like the idea that the value of the type property is fully defined by
>> the AS, which could delegate it to a common URI for reuse. This gets GNAP
>> out of specifying access requests, and enables other parties to define
>> access without any required coordination with IETF or IANA.
>>
>> A complication in mixing plain strings and URIs is the canonicalization.
>> A plain string can be a fixed byte representation, but a URI requires
>> canonicalization for comparison. Mixing the two requires URI detection at
>> the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>>
>> The URI is retrievable, it can provide machine and/or human readable
>> documentation in JSON schema or some such, or any other content type. Once
>> again, the details are out of scope of GNAP, but we can provide examples to
>> guide implementers.
>>
>> Are you still thinking that bare strings are allowed in GNAP, and are
>> defined by the AS?
>>
>>
>>
>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>
>>> The “type” field in the RAR spec serves an important purpose: it defines
>>> what goes in the rest of the object, including what other fields are
>>> available and what values are allowed for those fields. It provides an
>>> API-level definition for requesting access based on multiple dimensions,
>>> and that’s really powerful and flexible. Each type can use any of the
>>> general-purpose fields like “actions” and/or add its own fields as
>>> necessary, and the “type” parameter keeps everything well-defined.
>>>
>>> The question, then, is what defines what’s allowed to go into the “type”
>>> field itself? And what defines how that value maps to the requirements for
>>> the rest of the object? The draft doesn’t say anything about it at the
>>> moment, but we should choose the direction we want to go. On the surface,
>>> there are three main options:
>>>
>>> 1) Require all values to be registered.
>>> 2) Require all values to be collision-resistant (eg, URIs).
>>> 3) Require all values to be defined by the AS (and/or the RS’s that it
>>> protects).
>>>
>>> Are there any other options?
>>>
>>> Here are my thoughts on each approach:
>>>
>>> 1) While it usually makes sense to register things for interoperability,
>>> this is a case where I think that a registry would actually hurt
>>> interoperability and adoption. Like a “scope” value, the RAR “type” is
>>> ultimately up to the AS and RS to interpret in their own context. We :want:
>>> people to define rich objects for their APIs and enable fine-grained access
>>> for their systems, and if they have to register something every time they
>>> come up with a new API to protect, it’s going to be an unmaintainable mess.
>>> I genuinely don’t think this would scale, and that most developers would
>>> just ignore the registry and do what they want anyway. And since many of
>>> these systems are inside domains, it’s completely unenforceable in practice.
>>>
>>> 2) This seems reasonable, but it’s a bit of a nuisance to require
>>> everything to be a URI here. It’s long and ugly, and a lot of APIs are
>>> going to be internal to a given group, deployment, or ecosystem anyway.
>>> This makes sense when you’ve got something reusable across many
>>> deployments, like OIDC, but it’s overhead when what you’re doing is tied to
>>> your environment.
>>>
>>> 3) This allows the AS and RS to define the request parameters for their
>>> APIs just like they do today with scopes. Since it’s always the combination
>>> of “this type :AT: this AS/RS”, name spacing is less of an issue across
>>> systems. We haven’t seen huge problems in scope value overlap in the wild,
>>> though it does occur from time to time it’s more than manageable. A client
>>> isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it
>>> can access something in particular.
>>>
>>> And all that brings me to my proposal:
>>>
>>> 4) Require all values to be defined by the AS, and encourage
>>> specification developers to use URIs for collision resistance.
>>>
>>> So officially in RAR, the AS would decide what “type” means, and nobody
>>> else. But we can also guide people who are developing general-purpose
>>> interoperable APIs to use URIs for their RAR “type” definitions. This would
>>> keep those interoperable APIs from stepping on each other, and from
>>> stepping on any locally-defined special “type” structure. But at the end of
>>> the day, the URI carries no more weight than just any other string, and the
>>> AS decides what it means and how it applies.
>>>
>>> My argument is that this seems to have worked very, very well for
>>> scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>
>>> What does the rest of the group think? How should we manage the RAR
>>> “type” values and what they mean?
>>>
>>>  — Justin
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>>
>

--00000000000091453b05aae41cff
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Canonicalization of URIs and unicode is fairly well specif=
ied. I was not suggesting we invent anything there.<div><br></div><div>A by=
te comparison, as you suggested earlier, will be problematic, as I have poi=
nted out.</div><div><br></div><div>I&#39;m confused why you are still talki=
ng about the AS retrieving a URI.</div><div><br></div></div><div hspace=3D"=
streak-pt-mark" style=3D"max-height:1px"><img alt=3D"" style=3D"width:0px;m=
ax-height:0px;overflow:hidden" src=3D"https://mailfoogae.appspot.com/t?send=
er=3DaZGljay5oYXJkdEBnbWFpbC5jb20%3D&amp;type=3Dzerocontent&amp;guid=3Da791=
2ea7-05ae-46e5-b67f-3c52fd4d91d7"><font color=3D"#ffffff" size=3D"1">=E1=90=
=A7</font></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gm=
ail_attr">On Mon, Jul 20, 2020 at 4:42 AM Justin Richer &lt;<a href=3D"mail=
to:jricher@mit.edu">jricher@mit.edu</a>&gt; wrote:<br></div><blockquote cla=
ss=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div style=3D"overflow-wrap: break-word;=
"><div>Since this is a recommendation for namespace, we could also just say=
 collision-resistant like JWT, and any of those examples are fine. But that=
 said, I think there=E2=80=99s something particularly compelling about URIs=
 since they have somewhat-human-readable portions. But again, I=E2=80=99m s=
aying it should be a recommendation to API developers and not a requirement=
 in the spec. In the spec, I argue that =E2=80=9Ctype=E2=80=9D should be a =
string, full stop.</div><div><br></div>If documentation is so confusing tha=
t developers are typing in the wrong strings, then that=E2=80=99s bad docum=
entation. And likely a bad choice for the =E2=80=9Ctype=E2=80=9D string on =
the part of the AS. You=E2=80=99d have the same problem with any other valu=
e the developer=E2=80=99s supposed to copy over. =C2=A0:)<div><br></div><di=
v>I agree that we should call out explicitly how they should be compared, a=
nd I propose we use one of the handful of existing string-comparison RFC=E2=
=80=99s here instead of defining our own rules.</div><div><br></div><div>Wh=
ile the type could be a dereferenceable URI, requiring action on the AS is =
really getting into distributed authorization policies. We tried doing that=
 with UMA1=E2=80=99s scope structures and it didn=E2=80=99t work very well =
in practice (in my memory and experience). Someone could profile =E2=80=9Ct=
ype&quot; on top of this if they wanted to do so, with support at the AS fo=
r that, but I don=E2=80=99t see a compelling reason for that to be a requir=
ement as that=E2=80=99s a lot of complexity and a lot more error states (th=
e fetch fails, or it doesn=E2=80=99t have a policy, or the policy=E2=80=99s=
 in a format the AS doesn=E2=80=99t understand, or the AS doesn=E2=80=99t l=
ike the policy, etc).=C2=A0</div><div><br></div><div>And AS is always free =
to implement its types in such a fashion, and that could make plenty of sen=
se in a smaller ecosystem. And this is yet another reason that we define =
=E2=80=9Ctype=E2=80=9D as being a string to be interpreted and understood b=
y the AS =E2=80=94 so that an AS that wants to work this way can do so.</di=
v><div><br></div><div>=C2=A0=E2=80=94 Justin</div><div><br></div><div>PS: t=
hanks for pointing out the error in the example in XYZ, I=E2=80=99ll fix th=
at prior to publication.<br><div><br><blockquote type=3D"cite"><div>On Jul =
18, 2020, at 8:58 PM, Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com=
" target=3D"_blank">dick.hardt@gmail.com</a>&gt; wrote:</div><br><div><div =
dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr">Justin: than=
ks for kindly pointing out which mail list this is.</div><div dir=3D"ltr"><=
br><div>To clarify, public JWT claims are not just URIs, but any collision-=
resistant namespace: </div><div>"Examples of collision-resistant namespaces include: Domain Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) [RFC4122]."</div><div><br></div>
<div>I think letting the "type" be any JSON string and doing a byte-wise comparison will be problematic. A client developer will be reading documentation to learn what the types are, and typing it in. Given the wide set of whitespace characters, and unicode equivalence, different byte streams will all look the same, and a byte-wise comparison will fail.</div><div><br></div>
<div>Similarly for URIs. If it is a valid URI, then a byte-wise comparison is not sufficient. Canonicalization is required. </div><div><br></div>
<div>These are not showstopper issues, but the specification should call out how type strings are compared, and provide caveats to an AS developer.</div><div><br></div>
<div>I have no idea why you would think the AS would retrieve a URL.</div><div><br></div>
<div>Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.</div><div><br></div>
<div>What is the harm in non-normative language around a retrievable URI?</div><div><br></div>
<div>BTW: the example in <a href="https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2" target="_blank">https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2</a> has not been updated with the "type" field.</div><div><br></div><div><br></div></div></div></div></div><br>
<div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jul 18, 2020 at 8:10 AM Justin Richer &lt;<a href="mailto:jricher@mit.edu" target="_blank">jricher@mit.edu</a>&gt; wrote:<br></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Hi Dick,<div><br></div>
<div>This is a discussion about the RAR specification on the OAuth list, and therefore doesn’t have anything to do with alignment with XAuth. In fact, I believe the alignment is the other way around, as doesn’t Xauth normatively reference RAR at this point? Even though, last I saw, it uses a different top-level structure for conveying things, I believe it does say to use the internal object structures. I am also a co-author on RAR and we had already defined a “type” field in RAR quite some time ago. You did notice that XYZ’s latest draft added this field to keep the two in alignment with each other, which has always been the goal since the initial proposal of the RAR work, but that’s a time lag and not a display of new intent. </div><div><br></div>
<div>In any event, even though I think the decision has bearing in both places, this isn’t about GNAP. Working on RAR’s requirements has brought up this interesting issue of what should be in the type field for RAR in OAuth 2.</div><div><br></div>
<div>I think that it should be defined as a string, and therefore compared as a byte value in all cases, regardless of what the content of the string is. I don’t think the AS should be expected to fetch a URI for anything. I don’t think the AS should normalize any of the inputs. I think that any JSON-friendly character set should be allowed (including spaces and unicodes), and since RAR already requires the JSON objects to be form-encoded, this shouldn’t cause additional trouble when adding them in to OAuth 2’s request structures.</div><div><br></div>
<div>The idea of using a URI would be to get people out of each other’s namespaces. It’s similar to the concept of “public” vs “private” claims in JWT:</div><div><br></div>
<div><a href="https://tools.ietf.org/html/rfc7519#section-4.2" target="_blank">https://tools.ietf.org/html/rfc7519#section-4.2</a></div><div><br></div>
<div>What I’m proposing is that if you think it’s going to be a general-purpose type name, then we recommend you use a URI as your string. And beyond that, that’s it. It’s up to the AS to figure out what to do with it, and RAR stays out of it.</div><div><br></div>
<div> — Justin<br><div><br><blockquote type="cite"><div>On Jul 17, 2020, at 1:25 PM, Dick Hardt &lt;<a href="mailto:dick.hardt@gmail.com" target="_blank">dick.hardt@gmail.com</a>&gt; wrote:</div><br>
<div><div dir="ltr">Hey Justin, glad to see that you have aligned with the latest XAuth draft on a type property being required.<br><div><br></div>
<div>I like the idea that the value of the type property is fully defined by the AS, which could delegate it to a common URI for reuse. This gets GNAP out of specifying access requests, and enables other parties to define access without any required coordination with IETF or IANA.</div><div><br></div>
<div>A complication in mixing plain strings and URIs is the canonicalization. A plain string can be a fixed byte representation, but a URI requires canonicalization for comparison. Mixing the two requires URI detection at the AS before canonicalization, and an AS MUST do canonicalization of URIs.</div><div><br></div>
<div>The URI is retrievable, it can provide machine and/or human readable documentation in JSON schema or some such, or any other content type. Once again, the details are out of scope of GNAP, but we can provide examples to guide implementers.</div><div><br></div>
<div>Are you still thinking that bare strings are allowed in GNAP, and are defined by the AS?</div><div><br></div><div><br></div></div><br>
<div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jul 17, 2020 at 8:39 AM Justin Richer &lt;<a href="mailto:jricher@mit.edu" target="_blank">jricher@mit.edu</a>&gt; wrote:<br></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">The “type” field in the RAR spec serves an important purpose: it defines what goes in the rest of the object, including what other fields are available and what values are allowed for those fields. It provides an API-level definition for requesting access based on multiple dimensions, and that’s really powerful and flexible. Each type can use any of the general-purpose fields like “actions” and/or add its own fields as necessary, and the “type” parameter keeps everything well-defined.<br>
<br>
The question, then, is what defines what’s allowed to go into the “type” field itself? And what defines how that value maps to the requirements for the rest of the object? The draft doesn’t say anything about it at the moment, but we should choose the direction we want to go. On the surface, there are three main options:<br>
<br>
1) Require all values to be registered. <br>
2) Require all values to be collision-resistant (eg, URIs).<br>
3) Require all values to be defined by the AS (and/or the RS’s that it protects).<br>
<br>
Are there any other options?<br>
<br>
Here are my thoughts on each approach:<br>
<br>
1) While it usually makes sense to register things for interoperability, this is a case where I think that a registry would actually hurt interoperability and adoption. Like a “scope” value, the RAR “type” is ultimately up to the AS and RS to interpret in their own context. We :want: people to define rich objects for their APIs and enable fine-grained access for their systems, and if they have to register something every time they come up with a new API to protect, it’s going to be an unmaintainable mess. I genuinely don’t think this would scale, and that most developers would just ignore the registry and do what they want anyway. And since many of these systems are inside domains, it’s completely unenforceable in practice.<br>
<br>
2) This seems reasonable, but it’s a bit of a nuisance to require everything to be a URI here. It’s long and ugly, and a lot of APIs are going to be internal to a given group, deployment, or ecosystem anyway. This makes sense when you’ve got something reusable across many deployments, like OIDC, but it’s overhead when what you’re doing is tied to your environment.<br>
<br>
3) This allows the AS and RS to define the request parameters for their APIs just like they do today with scopes. Since it’s always the combination of “this type :AT: this AS/RS”, name spacing is less of an issue across systems. We haven’t seen huge problems in scope value overlap in the wild, though it does occur from time to time it’s more than manageable. A client isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it can access something in particular.<br>
<br>
And all that brings me to my proposal: <br>
<br>
4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.<br>
<br>
So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.<br>
<br>
My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.<br>
<br>
What does the rest of the group think? How should we manage the RAR “type” values and what they mean?<br>
<br>
 — Justin<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href="mailto:OAuth@ietf.org" target="_blank">OAuth@ietf.org</a><br>
<a href="https://www.ietf.org/mailman/listinfo/oauth" rel="noreferrer" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div>
</div></blockquote></div><br></div></div></blockquote></div>
</div></blockquote></div><br></div></div></blockquote></div>

--00000000000091453b05aae41cff--
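The comparison question debated in the message above, worked through as an added example that is not part of any message in this thread or of the RAR draft: an AS-side check that lists "type" strings which differ byte-wise but collapse to the same value under Unicode NFC, whitespace folding, or syntax-based URI normalization. All function names and the sample type values are hypothetical and constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")
URI_PREFIX = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def bytewise_equal(a, b):
    """Compare the two strings as UTF-8 octets, with no normalization."""
    return a.encode("utf-8") == b.encode("utf-8")


def _normalize_pct(match):
    # Decode escapes of unreserved characters, upper-case the hex of the rest
    # (RFC 3986 section 6.2.2).
    ch = chr(int(match.group(1), 16))
    return ch if ch in UNRESERVED else "%" + match.group(1).upper()


def remove_dot_segments(path):
    """Resolve "." and ".." segments of an absolute path (RFC 3986 5.2.4)."""
    segments = path.split("/")
    out = []
    for seg in segments:
        if seg == "..":
            if len(out) > 1:
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segments[-1] in (".", ".."):
        out.append("")  # "/a/b/.." resolves to "/a/", not "/a"
    return "/".join(out)


def canonicalize_uri(uri):
    """Syntax-based normalization only; nothing is fetched or resolved.

    Userinfo is dropped, which is acceptable for an identifier check.
    """
    try:
        parts = urlsplit(uri)
        port = parts.port
    except ValueError:
        return uri  # unparsable authority: treat as an opaque string
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if ":" in host:
        host = f"[{host}]"  # restore brackets around an IPv6 literal
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"
    path = remove_dot_segments(PCT.sub(_normalize_pct, parts.path)) or "/"
    query = PCT.sub(_normalize_pct, parts.query)
    return urlunsplit((scheme, host, path, query, parts.fragment))


def comparison_key(type_value):
    """Key under which lookalike type strings collapse to one value."""
    value = unicodedata.normalize("NFC", type_value)
    if URI_PREFIX.match(value):
        return canonicalize_uri(value)
    return " ".join(value.split())  # fold every run of Unicode whitespace


def find_confusable_types(type_values):
    """Return groups of distinct strings that share a comparison key."""
    groups = {}
    for value in type_values:
        members = groups.setdefault(comparison_key(value), [])
        if value not in members:
            members.append(value)
    return [members for members in groups.values() if len(members) > 1]


# Constructed sample: type values an AS might have documented or received.
SAMPLE_TYPES = [
    "caf\u00e9_order",            # precomposed e-acute (U+00E9)
    "cafe\u0301_order",           # "e" followed by combining acute (U+0301)
    "account information",        # ASCII space
    "account\u00a0information",   # no-break space (U+00A0)
    "https://example.com/rar/~payment/v1",
    "HTTPS://Example.COM:443/rar/%7epayment/./v1",
    "photo-api",
]

if __name__ == "__main__":
    for group in find_confusable_types(SAMPLE_TYPES):
        print([value.encode("utf-8") for value in group])
```

Run against the type values an AS defines, this reports which of them a byte-wise comparison would treat as different although they render or resolve identically.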


From nobody Mon Jul 20 13:23:51 2020
Return-Path: <tangui.lepense@mail.ru>
To: oauth@ietf.org
References: <158801203979.26415.5550810597232016504@ietfa.amsl.com>
From: Tangui Le Pense <tangui.lepense@mail.ru>
Message-ID: <03b759e7-ddff-8904-09c5-0d420270233f@mail.ru>
Date: Mon, 20 Jul 2020 23:23:45 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <158801203979.26415.5550810597232016504@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/67fMcXgm5weWjzFvbNCWjMFfOnk>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-07.txt

Hello,

A few late remarks and questions about this version of the draft. Sorry 
if it was already answered, but I haven't found answers in the previous 
emails.

Section 2.1: in case the JWT is signed then encrypted, which jwt should 
include the "typ" parameter with the "at+jwt" value? The outer encrypted 
JWT (JWE), the inner signed JWT (JWS) or both?

Section 3: the example is missing the "iat" and "jti" fields that are 
mandatory per section 2.2:

    {"typ":"at+JWT","alg":"RS256","kid":"RjEwOwOA"}
    {
      "iss": "https://authorization-server.example.com/",
      "sub": " 5ba552d67",
      "aud":   "https://rs.example.com/",
      "exp": 1544645174,
      "client_id": "s6BhdRkqt3_",
      "scope": "openid profile reademail"
    }

Section 4 "Validating JWT Access Tokens":

    o  If the JWT access token is encrypted, decrypt it using the keys
       and algorithms that the resource server specified during
       registration.  If encryption was negotiated with the authorization
       server at registration time and the incoming JWT access token is
       not encrypted, the resource server SHOULD reject it.

The registration details are not documented. As an RS seems to be a 
special case of an OAuth2 client (without any grant type granted, 
except, possibly, "client_credentials") I was expecting registration of 
dynamic client registration metadata similar to those for ID tokens 
(something like "access_token_signed_response_alg", 
"access_token_encrypted_response_alg" and 
"access_token_encrypted_response_enc"), and same for discovery metadata.

Is the rationale for the absence of the registration of these fields 
that RSes are not considered as OAuth2 clients?

Also, in the same section, nothing is said about the validation of "iat" 
and "jti".

Regards,

-- 

Tangui


27.04.2020 21:27, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>          Title           : JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
>          Author          : Vittorio Bertocci
> 	Filename        : draft-ietf-oauth-access-token-jwt-07.txt
> 	Pages           : 19
> 	Date            : 2020-04-27
>
> Abstract:
>     This specification defines a profile for issuing OAuth 2.0 access
>     tokens in JSON web token (JWT) format.  Authorization servers and
>     resource servers from different vendors can leverage this profile to
>     issue and consume access tokens in interoperable manner.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt-07
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-access-token-jwt-07
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
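The claim checks raised in the message above, as an added example that is not part of the message or of the draft: a structural lint for a JWT access token that reports the missing "iat" and "jti" in the quoted Section 3 example. The required-claim set (the claims in the quoted example plus "iat" and "jti"), the "iat"/"jti" sanity checks, the function names and the added claim values are assumptions of this example; signature verification and JWE decryption are out of scope.

```python
import base64
import json

# Assumption of this example: the required set is the claims present in the
# quoted Section 3 example (minus "scope") plus "iat" and "jti".
REQUIRED_CLAIMS = ("iss", "exp", "aud", "sub", "client_id", "iat", "jti")
# Media type names are case-insensitive, so the quoted "at+JWT" matches.
ACCEPTED_TYP = {"at+jwt", "application/at+jwt"}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def to_compact(header, claims):
    """Serialize with a placeholder third segment (constructed, not a signature)."""
    parts = [json.dumps(header).encode(), json.dumps(claims).encode(),
             b"constructed-not-a-signature"]
    return ".".join(b64url_encode(part) for part in parts)


def split_compact(token):
    """Return (header, claims) of a JWS compact serialization, unverified."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError(
            f"expected 3 segments (JWS), got {len(segments)}; "
            "a JWE has 5 and must be decrypted first"
        )
    return (json.loads(b64url_decode(segments[0])),
            json.loads(b64url_decode(segments[1])))


def _is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def lint_access_token(token, expected_iss, expected_aud, now, skew=60):
    """List structural problems; an empty list does not mean the token is valid,
    because the signature is not checked here."""
    header, claims = split_compact(token)
    findings = []
    if str(header.get("typ", "")).lower() not in ACCEPTED_TYP:
        findings.append("header typ is not at+jwt")
    findings += [f"missing claim: {name}"
                 for name in REQUIRED_CLAIMS if name not in claims]
    if "iss" in claims and claims["iss"] != expected_iss:
        findings.append("iss does not match the expected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if "aud" in claims and expected_aud not in audiences:
        findings.append("aud does not include this resource server")
    exp = claims.get("exp")
    if "exp" in claims and (not _is_number(exp) or exp <= now):
        findings.append("exp is not a future NumericDate")
    if "iat" in claims:
        iat = claims["iat"]
        if not _is_number(iat):
            findings.append("iat is not a NumericDate")
        elif iat > now + skew:
            findings.append("iat is in the future")
        elif _is_number(exp) and iat > exp:
            findings.append("iat is later than exp")
    jti = claims.get("jti")
    if "jti" in claims and not (isinstance(jti, str) and jti.strip()):
        findings.append("jti is not a non-empty string")
    return findings


# Header and payload exactly as quoted from Section 3 in the message above.
EXAMPLE_HEADER = {"typ": "at+JWT", "alg": "RS256", "kid": "RjEwOwOA"}
EXAMPLE_CLAIMS = {
    "iss": "https://authorization-server.example.com/",
    "sub": " 5ba552d67",
    "aud": "https://rs.example.com/",
    "exp": 1544645174,
    "client_id": "s6BhdRkqt3_",
    "scope": "openid profile reademail",
}
# Constructed values: a clock reading before "exp", and the two added claims.
NOW = 1544645000
COMPLETED_CLAIMS = dict(EXAMPLE_CLAIMS, iat=1544641574, jti="constructed-jti-0001")
ISS, AUD = EXAMPLE_CLAIMS["iss"], EXAMPLE_CLAIMS["aud"]

if __name__ == "__main__":
    for claims in (EXAMPLE_CLAIMS, COMPLETED_CLAIMS):
        token = to_compact(EXAMPLE_HEADER, claims)
        print(lint_access_token(token, ISS, AUD, NOW))
```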


From nobody Tue Jul 21 06:15:24 2020
Return-Path: <Tim.Cappalli@microsoft.com>
From: Tim Cappalli <Tim.Cappalli@microsoft.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] OAuth WG Interims - Aug/Sep 2020
Thread-Index: AQHWWvQV0BERNnQFrkWqR5x0k9CRyKkSC9X+
Date: Tue, 21 Jul 2020 13:15:15 +0000
Message-ID: <MN2PR00MB066947BA784609DE8726FDE395780@MN2PR00MB0669.namprd00.prod.outlook.com>
References: <CADNypP-W5Fd27hzTn+DU66ER1=4sOGJm3zsnJijmW3gi9+nCOg@mail.gmail.com>
In-Reply-To: <CADNypP-W5Fd27hzTn+DU66ER1=4sOGJm3zsnJijmW3gi9+nCOg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_MN2PR00MB066947BA784609DE8726FDE395780MN2PR00MB0669namp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hB0_7d_4grhHQdPNgshjiFnQ3P8>
Subject: Re: [OAUTH-WG] OAuth WG Interims - Aug/Sep 2020

--_000_MN2PR00MB066947BA784609DE8726FDE395780MN2PR00MB0669namp_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

The original message (and calendar invite) said the 8/10 meeting was at
6am EDT. Is it 6 or 12?

tim

From: OAuth <oauth-bounces@ietf.org>
Date: Wednesday, July 15, 2020 at 18:05
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] OAuth WG Interims - Aug/Sep 2020
All,

As you might have noticed, we are starting a series of interim meetings in
August and September.
We have scheduled the following two meetings with specific topics:
1. Aug 3rd @ 12:00pm EDT to discuss OAuth 2.1 document.
2. Aug 10th @ 12:00pm EDT to discuss the PAR document

More to follow.

If you are interested in presenting your document during one of these
upcoming interims, and have not contacted us already, please do so as soon
as possible.

Regards,
 Rifaat & Hannes


--_000_MN2PR00MB066947BA784609DE8726FDE395780MN2PR00MB0669namp_--


From nobody Tue Jul 21 06:24:01 2020
Return-Path: <rifaat.s.ietf@gmail.com>
MIME-Version: 1.0
References: <CADNypP-W5Fd27hzTn+DU66ER1=4sOGJm3zsnJijmW3gi9+nCOg@mail.gmail.com> <MN2PR00MB066947BA784609DE8726FDE395780@MN2PR00MB0669.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB066947BA784609DE8726FDE395780@MN2PR00MB0669.namprd00.prod.outlook.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Tue, 21 Jul 2020 09:23:46 -0400
Message-ID: <CADNypP8v2mXqEuM=996gP_vdbqUiaZBwo6jvbMkVnfzR9JxT5A@mail.gmail.com>
To: Tim Cappalli <Tim.Cappalli@microsoft.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000016f71d05aaf38967"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/se0OZ_TIilKPtZKH5VK4jRbtVag>
Subject: Re: [OAUTH-WG] OAuth WG Interims - Aug/Sep 2020
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 13:24:00 -0000

--00000000000016f71d05aaf38967
Content-Type: text/plain; charset="UTF-8"

It is 12:00pm EDT. I sent an updated message with the correct calendar
invite.

Regards,
 Rifaat


On Tue, Jul 21, 2020 at 9:15 AM Tim Cappalli <Tim.Cappalli@microsoft.com>
wrote:

> The original message (and calendar invite) said the 8/10 meeting was at
> 6am EDT. Is it 6 or 12?
>
>
>
> tim
>
>
>
> *From: *OAuth <oauth-bounces@ietf.org>
> *Date: *Wednesday, July 15, 2020 at 18:05
> *To: *oauth <oauth@ietf.org>
> *Subject: *[OAUTH-WG] OAuth WG Interims - Aug/Sep 2020
>
> All,
>
>
>
> As you might have noticed, we are starting a series of interim meetings in
> August and September.
>
> We have scheduled the following two meetings with specific topics:
>
> 1. *Aug 3rd* @ 12:00pm EDT to discuss *OAuth 2.1* document.
>
> 2. *Aug 10th* @ 12:00pm EDT to discuss the *PAR* document
>
>
>
> More to follow.
>
>
>
> If you are interested in presenting your document during one of these
> upcoming interims, and have not contacted us already, please do so as soon
> as possible.
>
>
>
> Regards,
>
>  Rifaat & Hannes
>
>
>

--00000000000016f71d05aaf38967--


From nobody Tue Jul 21 07:35:57 2020
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD6783A0933 for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2020 07:35:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.082
X-Spam-Level: 
X-Spam-Status: No, score=0.082 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.999, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zE5oa1QXMNLU for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2020 07:35:52 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63C433A0925 for <oauth@ietf.org>; Tue, 21 Jul 2020 07:35:52 -0700 (PDT)
Received: from [192.168.1.3] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 06LEZlUh012274 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 21 Jul 2020 10:35:48 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <CC8861CE-E535-4290-9E31-E037849ED509@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EE8F2919-60FE-47A3-B299-2FAE5098045B"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 21 Jul 2020 10:35:47 -0400
In-Reply-To: <CAD9ie-tX+C1BvRRMH5E9-05X8YG02r3m1EpMn91Vruv+zsMyeg@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Dick Hardt <dick.hardt@gmail.com>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com> <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu> <CAD9ie-tX+C1BvRRMH5E9-05X8YG02r3m1EpMn91Vruv+zsMyeg@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6rflmWdZAExWfMQwwaAlqM-_hhY>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 14:35:56 -0000

--Apple-Mail=_EE8F2919-60FE-47A3-B299-2FAE5098045B
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

If we treat all the strings as just strings, without any special internal format to be specified or detected, then comparing the strings is a well-understood and well-documented process. I also think that we shouldn’t invent anything here, so if there’s a better way to say “compare two strings so that they’re exact” then that’s what I mean. Sorry if that was unclear.

I’m saying the AS should not retrieve the URI passed in the “type” value. You brought that up and then described the process that the AS would take to do so. I have said from the start that the use of a URI is for name spacing and not for addressing content to be fetched, so I’m confused why you think I intend otherwise.

 — Justin

> On Jul 20, 2020, at 2:59 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> Canonicalization of URIs and unicode is fairly well specified. I was not suggesting we invent anything there.
>
> A byte comparison, as you suggested earlier, will be problematic, as I have pointed out.
>
> I'm confused why you are still talking about the AS retrieving a URI.
>
> On Mon, Jul 20, 2020 at 4:42 AM Justin Richer <jricher@mit.edu> wrote:
> Since this is a recommendation for namespace, we could also just say collision-resistant like JWT, and any of those examples are fine. But that said, I think there’s something particularly compelling about URIs since they have somewhat-human-readable portions. But again, I’m saying it should be a recommendation to API developers and not a requirement in the spec. In the spec, I argue that “type” should be a string, full stop.
>
> If documentation is so confusing that developers are typing in the wrong strings, then that’s bad documentation. And likely a bad choice for the “type” string on the part of the AS. You’d have the same problem with any other value the developer’s supposed to copy over.  :)
>
> I agree that we should call out explicitly how they should be compared, and I propose we use one of the handful of existing string-comparison RFCs here instead of defining our own rules.
>
> While the type could be a dereferenceable URI, requiring action on the AS is really getting into distributed authorization policies. We tried doing that with UMA1’s scope structures and it didn’t work very well in practice (in my memory and experience). Someone could profile “type” on top of this if they wanted to do so, with support at the AS for that, but I don’t see a compelling reason for that to be a requirement as that’s a lot of complexity and a lot more error states (the fetch fails, or it doesn’t have a policy, or the policy’s in a format the AS doesn’t understand, or the AS doesn’t like the policy, etc).
>
> An AS is always free to implement its types in such a fashion, and that could make plenty of sense in a smaller ecosystem. And this is yet another reason that we define “type” as being a string to be interpreted and understood by the AS — so that an AS that wants to work this way can do so.
>
>  — Justin
>
> PS: thanks for pointing out the error in the example in XYZ, I’ll fix that prior to publication.
>
>> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> Justin: thanks for kindly pointing out which mail list this is.
>>
>> To clarify, public JWT claims are not just URIs, but any collision-resistant namespace:
>> "Examples of collision-resistant namespaces include: Domain Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) [RFC4122]."
>>
>> I think letting the "type" be any JSON string and doing a byte-wise comparison will be problematic. A client developer will be reading documentation to learn what the types are, and typing it in. Given the wide set of whitespace characters, and unicode equivalence, different byte streams will all look the same, and a byte-wise comparison will fail.
>>
>> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is not sufficient. Canonicalization is required.
>>
>> These are not showstopper issues, but the specification should call out how type strings are compared, and provide caveats to an AS developer.
>>
>> I have no idea why you would think the AS would retrieve a URL.
>>
>> Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.
>>
>> What is the harm in non-normative language around a retrievable URI?
>>
>> BTW: the example in https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has not been updated with the "type" field.
>>
>> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>> Hi Dick,
>>
>> This is a discussion about the RAR specification on the OAuth list, and therefore doesn’t have anything to do with alignment with XAuth. In fact, I believe the alignment is the other way around, as doesn’t Xauth normatively reference RAR at this point? Even though, last I saw, it uses a different top-level structure for conveying things, I believe it does say to use the internal object structures. I am also a co-author on RAR and we had already defined a “type” field in RAR quite some time ago. You did notice that XYZ’s latest draft added this field to keep the two in alignment with each other, which has always been the goal since the initial proposal of the RAR work, but that’s a time lag and not a display of new intent.
>>
>> In any event, even though I think the decision has bearing in both places, this isn’t about GNAP. Working on RAR’s requirements has brought up this interesting issue of what should be in the type field for RAR in OAuth 2.
>>
>> I think that it should be defined as a string, and therefore compared as a byte value in all cases, regardless of what the content of the string is. I don’t think the AS should be expected to fetch a URI for anything. I don’t think the AS should normalize any of the inputs. I think that any JSON-friendly character set should be allowed (including spaces and unicodes), and since RAR already requires the JSON objects to be form-encoded, this shouldn’t cause additional trouble when adding them in to OAuth 2’s request structures.
>>
>> The idea of using a URI would be to get people out of each other’s namespaces. It’s similar to the concept of “public” vs “private” claims in JWT:
>>
>> https://tools.ietf.org/html/rfc7519#section-4.2
>>
>> What I’m proposing is that if you think it’s going to be a general-purpose type name, then we recommend you use a URI as your string. And beyond that, that’s it. It’s up to the AS to figure out what to do with it, and RAR stays out of it.
>>
>>  — Justin
>>
>>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>> Hey Justin, glad to see that you have aligned with the latest XAuth draft on a type property being required.
>>>
>>> I like the idea that the value of the type property is fully defined by the AS, which could delegate it to a common URI for reuse. This gets GNAP out of specifying access requests, and enables other parties to define access without any required coordination with IETF or IANA.
>>>
>>> A complication in mixing plain strings and URIs is the canonicalization. A plain string can be a fixed byte representation, but a URI requires canonicalization for comparison. Mixing the two requires URI detection at the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>>>
>>> The URI is retrievable, it can provide machine and/or human readable documentation in JSON schema or some such, or any other content type. Once again, the details are out of scope of GNAP, but we can provide examples to guide implementers.
>>>
>>> Are you still thinking that bare strings are allowed in GNAP, and are defined by the AS?
>>>
>>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>> The “type” field in the RAR spec serves an important purpose: it defines what goes in the rest of the object, including what other fields are available and what values are allowed for those fields. It provides an API-level definition for requesting access based on multiple dimensions, and that’s really powerful and flexible. Each type can use any of the general-purpose fields like “actions” and/or add its own fields as necessary, and the “type” parameter keeps everything well-defined.
>>>
>>> The question, then, is what defines what’s allowed to go into the “type” field itself? And what defines how that value maps to the requirements for the rest of the object? The draft doesn’t say anything about it at the moment, but we should choose the direction we want to go. On the surface, there are three main options:
>>>
>>> 1) Require all values to be registered.
>>> 2) Require all values to be collision-resistant (eg, URIs).
>>> 3) Require all values to be defined by the AS (and/or the RS’s that it protects).
>>>
>>> Are there any other options?
>>>
>>> Here are my thoughts on each approach:
>>>
>>> 1) While it usually makes sense to register things for interoperability, this is a case where I think that a registry would actually hurt interoperability and adoption. Like a “scope” value, the RAR “type” is ultimately up to the AS and RS to interpret in their own context. We :want: people to define rich objects for their APIs and enable fine-grained access for their systems, and if they have to register something every time they come up with a new API to protect, it’s going to be an unmaintainable mess. I genuinely don’t think this would scale, and that most developers would just ignore the registry and do what they want anyway. And since many of these systems are inside domains, it’s completely unenforceable in practice.
>>>
>>> 2) This seems reasonable, but it’s a bit of a nuisance to require everything to be a URI here. It’s long and ugly, and a lot of APIs are going to be internal to a given group, deployment, or ecosystem anyway. This makes sense when you’ve got something reusable across many deployments, like OIDC, but it’s overhead when what you’re doing is tied to your environment.
>>>
>>> 3) This allows the AS and RS to define the request parameters for their APIs just like they do today with scopes. Since it’s always the combination of “this type :AT: this AS/RS”, name spacing is less of an issue across systems. We haven’t seen huge problems in scope value overlap in the wild, though it does occur from time to time it’s more than manageable. A client isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it can access something in particular.
>>>
>>> And all that brings me to my proposal:
>>>
>>> 4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.
>>>
>>> So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.
>>>
>>> My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>
>>> What does the rest of the group think? How should we manage the RAR “type” values and what they mean?
>>>
>>>  — Justin
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
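
Added example (not part of the thread, and not code from the RAR draft or from any participant): the messages above weigh exact byte-wise comparison of "type" values against Unicode and URI canonicalization. The sketch below runs both over constructed inputs; `REGISTERED_TYPES`, `check_type` and the sample values are hypothetical, and a URI is only parsed as a name, never fetched.

```python
import re
import unicodedata
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values: "type" strings a hypothetical AS has defined.
REGISTERED_TYPES = {
    "payment_initiation",
    "caf\u00e9_orders",                  # precomposed U+00E9
    "https://example.com/rar/payment",   # URI used only as a namespaced name
}

_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize_pct(text):
    """Decode %XX for unreserved characters, uppercase the hex of the rest."""
    def fix(match):
        char = chr(int(match.group(1), 16))
        return char if char in _UNRESERVED else "%" + match.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, text)


def _remove_dot_segments(path):
    """Resolve "." and ".." path segments (RFC 3986 section 5.2.4)."""
    segments = path.split("/")
    out = []
    for index, segment in enumerate(segments):
        last = index == len(segments) - 1
        if segment == ".":
            if last:
                out.append("")
        elif segment == "..":
            if len(out) > 1:
                out.pop()
            if last:
                out.append("")
        else:
            out.append(segment)
    return "/".join(out)


def normalize_uri(value):
    """Syntax-based normalization (RFC 3986 section 6.2.2) plus default-port
    removal. Returns None when the value is not an absolute URI with an
    authority. The value is parsed only; nothing is dereferenced."""
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname or "@" in parts.netloc:
        return None  # simplified: values with userinfo stay opaque strings
    netloc = parts.hostname  # urlsplit lowercases scheme and hostname
    if port is not None and port != _DEFAULT_PORTS.get(parts.scheme):
        netloc += f":{port}"
    path = _remove_dot_segments(_normalize_pct(parts.path)) or "/"
    return urlunsplit((parts.scheme, netloc, path,
                       _normalize_pct(parts.query),
                       _normalize_pct(parts.fragment)))


def canonical(value):
    """Comparison key under the 'canonicalize before comparing' approach."""
    text = unicodedata.normalize("NFC", value).strip()
    return normalize_uri(text) or text


def check_type(presented, registered=REGISTERED_TYPES):
    """Return (verdict, registered_value).

    "exact"     : code-point-identical, i.e. byte-identical as UTF-8
    "near-miss" : fails the exact comparison but is equal after canonicalization
    "unknown"   : matches no registered type under either comparison
    """
    if presented in registered:
        return ("exact", presented)
    by_key = {canonical(item): item for item in registered}
    match = by_key.get(canonical(presented))
    return ("near-miss", match) if match is not None else ("unknown", None)


if __name__ == "__main__":
    samples = [
        "payment_initiation",
        "payment_initiation\u00a0",                  # trailing no-break space
        "cafe\u0301_orders",                         # e + combining acute
        "HTTPS://Example.COM:443/rar/./%70ayment",   # equivalent URI spelling
        "account_information",
    ]
    for sample in samples:
        print(repr(sample), "->", check_type(sample))
```

An AS that compares exactly would accept only the "exact" rows; logging the "near-miss" rows shows which rejections come from whitespace, Unicode equivalence or URI spelling rather than from an undefined type.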


--Apple-Mail=_EE8F2919-60FE-47A3-B299-2FAE5098045B
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""><div =
class=3D"">If we treat all the strings as just strings, without any =
special internal format to be specified or detected, then comparing the =
strings is a well-understood and well-documented process. I also think =
that we shouldn=E2=80=99t invent anything here, so if there=E2=80=99s a =
better way to say =E2=80=9Ccompare two strings so that they=E2=80=99re =
exact=E2=80=9D then that=E2=80=99s what I mean. Sorry if that was =
unclear.</div><div class=3D""><br class=3D""></div>I=E2=80=99m saying =
the AS should <b class=3D"">not</b> retrieve the URI passed in the =
=E2=80=9Ctype=E2=80=9D value. You brought that up and then described the =
process that the AS would take to do so. I have said from the start that =
the use of a URI is for name spacing and not for addressing content to =
be fetched, so I=E2=80=99m confused why you think I intend =
otherwise.<div class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=
=94 Justin<br class=3D""><div><br class=3D""><blockquote type=3D"cite" =
class=3D""><div class=3D"">On Jul 20, 2020, at 2:59 PM, Dick Hardt =
&lt;<a href=3D"mailto:dick.hardt@gmail.com" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><meta =
http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8" =
class=3D""><div dir=3D"ltr" class=3D"">Canonicalization of URIs and =
unicode is fairly well specified. I was not suggesting we invent =
anything there.<div class=3D""><br class=3D""></div><div class=3D"">A =
byte comparison, as you suggested earlier, will be problematic, as I =
have pointed out.</div><div class=3D""><br class=3D""></div><div =
class=3D"">I'm confused why you are still talking about the AS =
retrieving a URI.</div><div class=3D""><br class=3D""></div></div><div =
hspace=3D"streak-pt-mark" style=3D"max-height:1px" class=3D""><img =
alt=3D"" style=3D"width:0px;max-height:0px;overflow:hidden" =
src=3D"https://mailfoogae.appspot.com/t?sender=3DaZGljay5oYXJkdEBnbWFpbC5j=
b20%3D&amp;type=3Dzerocontent&amp;guid=3Da7912ea7-05ae-46e5-b67f-3c52fd4d9=
1d7" class=3D""><font color=3D"#ffffff" size=3D"1" =
class=3D"">=E1=90=A7</font></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jul =
20, 2020 at 4:42 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex"><div style=3D"overflow-wrap: =
break-word;" class=3D""><div class=3D"">Since this is a recommendation =
for namespace, we could also just say collision-resistant like JWT, and =
any of those examples are fine. But that said, I think there=E2=80=99s =
something particularly compelling about URIs since they have =
somewhat-human-readable portions. But again, I=E2=80=99m saying it =
should be a recommendation to API developers and not a requirement in =
the spec. In the spec, I argue that =E2=80=9Ctype=E2=80=9D should be a =
string, full stop.</div><div class=3D""><br class=3D""></div>If =
documentation is so confusing that developers are typing in the wrong =
strings, then that=E2=80=99s bad documentation. And likely a bad choice =
for the =E2=80=9Ctype=E2=80=9D string on the part of the AS. You=E2=80=99d=
 have the same problem with any other value the developer=E2=80=99s =
supposed to copy over. &nbsp;:)<div class=3D""><br class=3D""></div><div =
class=3D"">I agree that we should call out explicitly how they should be =
compared, and I propose we use one of the handful of existing =
string-comparison RFC=E2=80=99s here instead of defining our own =
rules.</div><div class=3D""><br class=3D""></div><div class=3D"">While =
the type could be a dereferenceable URI, requiring action on the AS is =
really getting into distributed authorization policies. We tried doing =
that with UMA1=E2=80=99s scope structures and it didn=E2=80=99t work =
very well in practice (in my memory and experience). Someone could =
profile =E2=80=9Ctype" on top of this if they wanted to do so, with =
support at the AS for that, but I don=E2=80=99t see a compelling reason =
for that to be a requirement as that=E2=80=99s a lot of complexity and a =
lot more error states (the fetch fails, or it doesn=E2=80=99t have a =
policy, or the policy=E2=80=99s in a format the AS doesn=E2=80=99t =
understand, or the AS doesn=E2=80=99t like the policy, =
etc).&nbsp;</div><div class=3D""><br class=3D""></div><div class=3D"">And =
AS is always free to implement its types in such a fashion, and that =
could make plenty of sense in a smaller ecosystem. And this is yet =
another reason that we define =E2=80=9Ctype=E2=80=9D as being a string =
to be interpreted and understood by the AS =E2=80=94 so that an AS that =
wants to work this way can do so.</div><div class=3D""><br =
class=3D""></div><div class=3D"">&nbsp;=E2=80=94 Justin</div><div =
class=3D""><br class=3D""></div><div class=3D"">PS: thanks for pointing =
out the error in the example in XYZ, I=E2=80=99ll fix that prior to =
publication.<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 18, 2020, at 8:58 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D"">Justin: thanks for =
kindly pointing out which mail list this is.</div><div dir=3D"ltr" =
class=3D""><br class=3D""><div class=3D"">To clarify, public JWT claims =
are not just URIs, but any =
collision-resistant&nbsp;namespace:&nbsp;</div><div class=3D"">"Examples =
of collision-resistant namespaces include: Domain Names, Object =
Identifiers (OIDs) as defined in the ITU-T X.660 and&nbsp; &nbsp; &nbsp; =
X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) =
[RFC4122]."</div><div class=3D""><br class=3D""></div><div class=3D"">I =
think letting the "type" be any JSON string and doing a byte-wise =
comparison will be problematic. A client developer will be reading =
documentation to learn what the types are,&nbsp;and typing it in. Given =
the wide set of whitespace characters, and unicode equivalence, =
different byte streams will all look the same, and a byte-wise =
comparison will fail.</div><div class=3D""><br class=3D""></div><div =
class=3D"">Similarly&nbsp;for URIs. If it is a valid URI, then a =
byte-wise comparison is not sufficient. Canonicalization is =
required.&nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">These are not showstopper&nbsp;issues, but the specification =
should call out how type strings are compared, and provide&nbsp;caveats =
to an AS developer.</div><div class=3D""><br class=3D""></div><div =
class=3D"">I have no idea why you would think the AS would retrieve a =
URL.</div><div class=3D""><br class=3D""></div><div class=3D"">Since the =
type represents a much more complex object then a JWT claim, a client =
developer's tooling could pull down the JSON Schema (or some such) for a =
type used in their source code, and provide autocompletion and =
validation which would improve productivity and reduce errors. An AS =
that is using a defined type could use the schema for input validation. =
Neither of these would be at run time. JSON Schema allows comments and =
examples.</div><div class=3D""><br class=3D""></div><div class=3D"">What =
is the harm in non-normative language around a retrievable =
URI?</div><div class=3D""><br class=3D""></div><div class=3D"">BTW: the =
example in&nbsp;<a =
href=3D"https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2" =
target=3D"_blank" =
class=3D"">https://oauth.xyz/draft-richer-transactional-authz#rfc.section.=
2</a>&nbsp;has not been updated with the "type" field.</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div></div></div></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Sat, Jul =
18, 2020 at 8:10 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div class=3D"">Hi Dick,<div =
class=3D""><br class=3D""></div><div class=3D"">This is a discussion =
about the RAR specification on the OAuth list, and therefore doesn=E2=80=99=
t have anything to do with alignment with XAuth. In fact, I believe the =
alignment is the other way around, as doesn=E2=80=99t Xauth normatively =
reference RAR at this point? Even though, last I saw, it uses a =
different top-level structure for conveying things, I believe it does =
say to use the internal object structures. I am also a co-author on RAR =
and we had already defined a =E2=80=9Ctype=E2=80=9D field in RAR quite =
some time ago. You did notice that XYZ=E2=80=99s latest draft added this =
field to keep the two in alignment with each other, which has always =
been the goal since the initial proposal of the RAR work, but that=E2=80=99=
s a time lag and not a display of new intent.&nbsp;</div><div =
class=3D""><br class=3D""></div><div class=3D"">In any event, even =
though I think the decision has bearing in both places, this isn=E2=80=99t=
 about GNAP. Working on RAR=E2=80=99s requirements has brought up this =
interesting issue of what should be in the type field for RAR in OAuth =
2.</div><div class=3D""><br class=3D""></div><div class=3D"">I think =
that it should be defined as a string, and therefore compared as a byte =
value in all cases, regardless of what the content of the string is. I =
don=E2=80=99t think the AS should be expected to fetch a URI for =
anything. I don=E2=80=99t think the AS should normalize any of the =
inputs. I think that any JSON-friendly character set should be allowed =
(including spaces and unicodes), and since RAR already requires the JSON =
objects to be form-encoded, this shouldn=E2=80=99t cause additional =
trouble when adding them in to OAuth 2=E2=80=99s request =
structures.</div><div class=3D""><br class=3D""></div><div class=3D"">The =
idea of using a URI would be to get people out of each other=E2=80=99s =
namespaces. It=E2=80=99s similar to the concept of =E2=80=9Cpublic=E2=80=9D=
 vs =E2=80=9Cprivate=E2=80=9D claims in JWT:</div><div class=3D""><br =
class=3D""></div><div class=3D""><a =
href=3D"https://tools.ietf.org/html/rfc7519#section-4.2" target=3D"_blank"=
 class=3D"">https://tools.ietf.org/html/rfc7519#section-4.2</a></div><div =
class=3D""><br class=3D""></div><div class=3D"">What I=E2=80=99m =
proposing is that if you think it=E2=80=99s going to be a =
general-purpose type name, then we recommend you use a URI as your =
string. And beyond that, that=E2=80=99s it. It=E2=80=99s up to the AS to =
figure out what to do with it, and RAR stays out of it.</div><div =
class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 =
Justin<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 17, 2020, at 1:25 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D"">Hey Justin, glad to see that you =
have aligned with the latest XAuth draft on a type property being =
required.<br class=3D""><div class=3D""><br class=3D""></div><div =
class=3D"">I like the idea that the value of the type property is fully =
defined by the AS, which could delegate it to a common URI for reuse. =
This gets GNAP out of specifying access requests, and enables other =
parties to define access without any required coordination with IETF or =
IANA.</div><div class=3D""><br class=3D""></div><div class=3D"">A =
complication in mixing plain strings and URIs is the canonicalization. A =
plain string can be a fixed byte&nbsp;representation, but a URI requires =
canonicalization for comparison. Mixing the two requires&nbsp;URI =
detection at the AS before canonicalization, and an AS MUST do =
canonicalization of URIs.</div><div class=3D""><br class=3D""></div><div =
class=3D"">The URI is retrievable, it can provide machine and/or human =
readable documentation in JSON schema or some such, or any other content =
type. Once again, the details are out of scope&nbsp;of GNAP, but we can =
provide examples to guide implementers.</div><div class=3D""><br =
class=3D""></div><div class=3D"">Are you still thinking that bare =
strings are allowed in GNAP, and&nbsp;are defined by the AS?</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div><br class=3D""><div class=3D"gmail_quote"><div =
dir=3D"ltr" class=3D"gmail_attr">On Fri, Jul 17, 2020 at 8:39 AM Justin =
Richer &lt;<a href=3D"mailto:jricher@mit.edu" target=3D"_blank" =
class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">The =E2=80=9Ctype=E2=80=9D =
field in the RAR spec serves an important purpose: it defines what goes =
in the rest of the object, including what other fields are available and =
what values are allowed for those fields. It provides an API-level =
definition for requesting access based on multiple dimensions, and =
that=E2=80=99s really powerful and flexible. Each type can use any of =
the general-purpose fields like =E2=80=9Cactions=E2=80=9D and/or add its =
own fields as necessary, and the =E2=80=9Ctype=E2=80=9D parameter keeps =
everything well-defined.<br class=3D"">
<br class=3D"">
The question, then, is what defines what=E2=80=99s allowed to go into =
the =E2=80=9Ctype=E2=80=9D field itself? And what defines how that value =
maps to the requirements for the rest of the object? The draft doesn=E2=80=
=99t say anything about it at the moment, but we should choose the =
direction we want to go. On the surface, there are three main =
options:<br class=3D"">
<br class=3D"">
1) Require all values to be registered. <br class=3D"">
2) Require all values to be collision-resistant (eg, URIs).<br class=3D"">=

3) Require all values to be defined by the AS (and/or the RS=E2=80=99s =
that it protects).<br class=3D"">
<br class=3D"">
Are there any other options?<br class=3D"">
<br class=3D"">
Here are my thoughts on each approach:<br class=3D"">
<br class=3D"">
1) While it usually makes sense to register things for interoperability, =
this is a case where I think that a registry would actually hurt =
interoperability and adoption. Like a =E2=80=9Cscope=E2=80=9D value, the =
RAR =E2=80=9Ctype=E2=80=9D is ultimately up to the AS and RS to =
interpret in their own context. We :want: people to define rich objects =
for their APIs and enable fine-grained access for their systems, and if =
they have to register something every time they come up with a new API =
to protect, it=E2=80=99s going to be an unmaintainable mess. I genuinely =
don=E2=80=99t think this would scale, and that most developers would =
just ignore the registry and do what they want anyway. And since many of =
these systems are inside domains, it=E2=80=99s completely unenforceable =
in practice.<br class=3D"">
<br class=3D"">
2) This seems reasonable, but it=E2=80=99s a bit of a nuisance to =
require everything to be a URI here. It=E2=80=99s long and ugly, and a =
lot of APIs are going to be internal to a given group, deployment, or =
ecosystem anyway. This makes sense when you=E2=80=99ve got something =
reusable across many deployments, like OIDC, but it=E2=80=99s overhead =
when what you=E2=80=99re doing is tied to your environment.<br class=3D"">=

<br class=3D"">
3) This allows the AS and RS to define the request parameters for their =
APIs just like they do today with scopes. Since it=E2=80=99s always the =
combination of =E2=80=9Cthis type :AT: this AS/RS=E2=80=9D, name spacing =
is less of an issue across systems. We haven=E2=80=99t seen huge =
problems in scope value overlap in the wild, though it does occur from =
time to time it=E2=80=99s more than manageable. A client isn=E2=80=99t =
going to just =E2=80=9Cspeak RAR=E2=80=9D, it=E2=80=99s going to be =
speaking RAR so that it can access something in particular.<br class=3D"">=

<br class=3D"">
And all that brings me to my proposal: <br class=3D"">
<br class=3D"">
4) Require all values to be defined by the AS, and encourage =
specification developers to use URIs for collision resistance.<br =
class=3D"">
<br class=3D"">
So officially in RAR, the AS would decide what =E2=80=9Ctype=E2=80=9D =
means, and nobody else. But we can also guide people who are developing =
general-purpose interoperable APIs to use URIs for their RAR =E2=80=9Ctype=
=E2=80=9D definitions. This would keep those interoperable APIs from =
stepping on each other, and from stepping on any locally-defined special =
=E2=80=9Ctype=E2=80=9D structure. But at the end of the day, the URI =
carries no more weight than just any other string, and the AS decides =
what it means and how it applies.<br class=3D"">
<br class=3D"">
My argument is that this seems to have worked very, very well for =
scopes, and the RAR =E2=80=9Ctype=E2=80=9D is cut from similar =
descriptive cloth.<br class=3D"">
<br class=3D"">
What does the rest of the group think? How should we manage the RAR =
=E2=80=9Ctype=E2=80=9D values and what they mean?<br class=3D"">
<br class=3D"">
&nbsp;=E2=80=94 Justin<br class=3D"">
_______________________________________________<br class=3D"">
OAuth mailing list<br class=3D"">
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a><br class=3D"">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer"=
 target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><br class=3D"">
</blockquote></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_EE8F2919-60FE-47A3-B299-2FAE5098045B--
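
The comparison rule argued for in the message above (the RAR "type" is a plain string the AS matches byte for byte, with no fetching and no normalization), shown next to the URI canonicalization step it avoids. This is an added example, not part of the thread or of any RAR implementation; the registry contents, the sample request and all function names are hypothetical, and it assumes authorization_details arrives as a JSON array of objects.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed registry for a hypothetical AS: every "type" string it has
# defined, mapped to the other fields that type allows in the object.
AS_DEFINED_TYPES = {
    "timecard": {"actions", "datatype"},
    "https://rs.example.com/accounts": {"actions", "locations", "datatype"},
}
# Lookup is keyed on the UTF-8 bytes of the string and on nothing else.
_BY_BYTES = {k.encode("utf-8"): v for k, v in AS_DEFINED_TYPES.items()}
DEFAULT_PORTS = {"http": 80, "https": 443}


def allowed_fields(type_value):
    """Byte-for-byte match: no case folding, URI or Unicode normalization."""
    if not isinstance(type_value, str):
        return None
    try:
        return _BY_BYTES.get(type_value.encode("utf-8"))
    except UnicodeEncodeError:  # lone surrogate smuggled in via a JSON escape
        return None


def canonicalized(value):
    """For contrast only: what a canonicalizing AS would have to compare.

    It must first detect that the string is URI-shaped, then lower-case the
    scheme and host and drop the default port. Bare strings pass through.
    """
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return value
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return value
    host = parts.hostname or ""
    default = DEFAULT_PORTS.get(parts.scheme)
    netloc = host if port in (None, default) else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def compare(candidate, registered="https://rs.example.com/accounts"):
    """Return (exact_match, match_after_canonicalization) for one candidate."""
    exact = candidate.encode("utf-8") == registered.encode("utf-8")
    return exact, canonicalized(candidate) == canonicalized(registered)


def check_authorization_details(raw_json):
    """Validate a request against the registry using exact matching only.

    Returns a list of (index, verdict); verdict is "ok" or the reject reason.
    """
    try:
        details = json.loads(raw_json)
    except ValueError:
        return [(None, "not valid JSON")]
    if not isinstance(details, list):
        return [(None, "authorization_details must be a JSON array")]
    results = []
    for index, obj in enumerate(details):
        if not isinstance(obj, dict) or "type" not in obj:
            results.append((index, "missing type"))
            continue
        fields = allowed_fields(obj["type"])
        if fields is None:
            results.append((index, "unknown type"))
            continue
        extra = sorted(set(obj) - fields - {"type"})
        verdict = "ok" if not extra else "unexpected fields: " + ", ".join(extra)
        results.append((index, verdict))
    return results


# Constructed request: two defined types, one prefix-extended URI, and one
# object that uses a field its type does not allow.
SAMPLE_REQUEST = json.dumps([
    {"type": "timecard", "actions": ["read"], "datatype": ["email"]},
    {"type": "https://rs.example.com/accounts",
     "locations": ["https://some-rs.example.com/"], "actions": ["read", "update"]},
    {"type": "https://rs.example.com/accounts/v1", "actions": ["read"]},
    {"type": "timecard", "locations": ["https://some-rs.example.com/"]},
])

if __name__ == "__main__":
    for row in check_authorization_details(SAMPLE_REQUEST):
        print(row)
    for variant in ("https://rs.example.com/accounts/",
                    "HTTPS://RS.example.com:443/accounts"):
        print(variant, compare(variant))
```

Under exact matching the upper-case, explicit-port variant is simply an unknown type, while a canonicalizing AS would treat it as the registered one; the trailing-slash variant is distinct either way.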


From nobody Tue Jul 21 07:47:35 2020
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48DB23A09C7 for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2020 07:47:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Level: 
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pfAvfe4Kzda2 for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2020 07:47:32 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C26F83A09B3 for <oauth@ietf.org>; Tue, 21 Jul 2020 07:47:31 -0700 (PDT)
Received: from [192.168.1.3] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 06LElQM7016608 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 21 Jul 2020 10:47:27 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <5EFFFABC-2A9B-4353-A826-2D33D4E82600@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5640FBE3-F8C3-4D84-B1CC-1F8AADB7C28C"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 21 Jul 2020 10:47:26 -0400
In-Reply-To: <c84ca5ce-5fa0-dc8e-afaa-88f48dc6eaa8@connect2id.com>
Cc: oauth@ietf.org
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <4ea6f9af-d67f-97df-6bae-752cf34f920c@connect2id.com> <B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu> <c84ca5ce-5fa0-dc8e-afaa-88f48dc6eaa8@connect2id.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gWE9EKJ2u_9dC1DCWD3EZTCAcP0>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 14:47:34 -0000

--Apple-Mail=_5640FBE3-F8C3-4D84-B1CC-1F8AADB7C28C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8


> On Jul 19, 2020, at 1:04 PM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>
> On 18/07/2020 17:12, Justin Richer wrote:
>> I think publishing supported “type” parameters isn’t a bad idea, and it aligns with publishing supported scopes and claims in discovery.
> If you are a developer, would you like to be able to find out if the authorization_details for a given "type" has a JSON schema and what it looks like?
>
I think that would be a nice thing for an AS/API to offer, but I don’t think it should be expected or required here. That might be a good note in the guidance, say that if you use a URI for your “type” field then it would be nice if it resolved to something either human or machine readable. What I don’t want is for us to require every AS to have to resolve these URIs in order to process and understand them. That’s why I’m taking the position of it being a string, and the URI can provide disambiguation in the way you’re talking about below.

>> I have always seen the resource indicators work as providing a more specific dimension to the requests that scopes didn’t allow to be described very well, pointing at a specific RS instead of just “some kind of access”, so I’m not sure how they’re a testament to name spacing issues with scopes. Can you help me understand here?
> Putting the scopes for each RS in a unique name space, for example by giving them a URI prefix which identifies the RS, can make the resource indication redundant.
>
> RS: https://some-rs.example.com/
>
> RS scopes: read, update, delete
>
> ->
>
> https://some-rs.example.com/read
> https://some-rs.example.com/update
> https://some-rs.example.com/delete
>
> This will not work if the chosen name spacing pattern can produce ambiguities, e.g. if https://rs.example.com/accounts and https://rs.example.com/accounts/v1 are two different RSes.
>
> I have witnessed situations when an AS is given some application to deal with, with hard-wired scope values that have no name spacing, and to prevent potential collisions with other applications, Resource Indicators had to come to the rescue.
>
That only really works if you are asking for multiple tokens for different resources. With RAR we can at least group things together, and so things like the read/update/delete can now be under the “actions” field with “https://some-rs.example.com/” being the “type” field. Or even better, “https://some-rs-example.com/” is the “locations” value and the “type” is something like “https://rs.example.com/accounts”. Since things get combined inside an object with distinct fields, and not as substrings and prefixes, we don’t have the ambiguity with “https://rs.example.com/accounts/v1” anymore. As a note we would also treat “https://rs.example.com/accounts/” (with a trailing slash) as a distinct “type” value under this logic.
> I also remember one case with an application having a scope name which is also used for the OIDC userinfo endpoint.
>
This is exactly the kind of thing that I think we can do better to avoid here. So I would expect a protocol like OIDC to use something like “https://openid.net/specs/connect/userinfo” as its “type” field, since it’s coming from a standards body and is meant to be used by many different systems. But if I’ve also got some custom internal timecard API I would just use “timecard” as the “type” there, since it’s internal to just that one AS. And if both of these have an “email” value for, say, “datatype”, then they don’t overlap with each other.
>> I do think that if nothing else we can give better guidance in RAR as to what the “type” field is.
> +1
>
>> I do think it should still just be a string, but we can help people make better decisions about what to put in that string.
> I'm still on the fence with that but I do see your argument.
>

Thanks for the feedback!

 — Justin

> Vladimir
>
>>  — Justin
>>
>>> On Jul 17, 2020, at 2:13 PM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>>
>>> On 17/07/2020 17:38, Justin Richer wrote:
>>>> And all that brings me to my proposal:
>>>>
>>>> 4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.
>>>>
>>>> So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.
>>> Define, but not publish in AS metadata?
>>>
>>>> My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.
>>> I would argue that it didn't work so well for scopes - the OAuth
>>> Resource Indicators spec is a testament to that.
>>>
>>> But one could also argue that scopes were not defined along the lines of
>>> your proposal for "type" in RAR. In fact, RFC 6749 has no mention of
>>> collision resistance or name spacing for scope values.
>>>
>>> Vladimir
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
> --
> Vladimir Dzhuvinov


--Apple-Mail=_5640FBE3-F8C3-4D84-B1CC-1F8AADB7C28C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""><br =
class=3D""><div><blockquote type=3D"cite" class=3D""><div class=3D"">On =
Jul 19, 2020, at 1:04 PM, Vladimir Dzhuvinov &lt;<a =
href=3D"mailto:vladimir@connect2id.com" =
class=3D"">vladimir@connect2id.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><div =
class=3D"moz-cite-prefix" style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;">On 18/07/2020 17:12, Justin Richer wrote:<br =
class=3D""></div><blockquote type=3D"cite" =
cite=3D"mid:B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu" =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><pre class=3D"moz-quote-pre" =
wrap=3D"">I think publishing supported =E2=80=9Ctype=E2=80=9D parameters =
isn=E2=80=99t a bad idea, and it aligns with publishing supported scopes =
and claims in discovery.</pre></blockquote><p style=3D"caret-color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: =
normal; font-variant-caps: normal; font-weight: normal; letter-spacing: =
normal; text-align: start; text-indent: 0px; text-transform: none; =
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">If you are a developer, would you =
like to be able to find out if the authorization_details for a given =
"type" has a JSON schema and what it looks like?<br class=3D""></p><p =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
class=3D""></p></div></blockquote><div>I think that would be a nice =
thing for an AS/API to offer, but I don=E2=80=99t think it should be =
expected or required here. That might be a good note in the guidance, =
say that if you use a URI for your =E2=80=9Ctype=E2=80=9D field then it =
would be nice if it resolved to something either human or machine =
readable. What I don=E2=80=99t want is for us to require every AS to =
have to resolve these URIs in order to process and understand them. =
That=E2=80=99s why I=E2=80=99m taking the position of it being a string, =
and the URI can provide disambiguation in the way you=E2=80=99re talking =
about below.</div><br class=3D""><blockquote type=3D"cite" class=3D""><div=
 class=3D""><blockquote type=3D"cite" =
cite=3D"mid:B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu" =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><pre class=3D"moz-quote-pre" =
wrap=3D"">I have always seen the resource indicators work as providing a =
more specific dimension to the requests that scopes didn=E2=80=99t allow =
to be described very well, pointing at a specific RS instead of just =
=E2=80=9Csome kind of access=E2=80=9D, so I=E2=80=99m not sure how =
they=E2=80=99re a testament to name spacing issues with scopes. Can you =
help me understand here?</pre></blockquote><p style=3D"caret-color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: =
normal; font-variant-caps: normal; font-weight: normal; letter-spacing: =
normal; text-align: start; text-indent: 0px; text-transform: none; =
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">Putting the scopes for each RS in a =
unique name space, for example by giving them a URI prefix which =
identifies the RS, can make the resource indication redundant.</p><pre =
style=3D"caret-color: rgb(0, 0, 0); font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; word-spacing: =
0px; -webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D"">RS: <a class=3D"moz-txt-link-freetext" =
href=3D"https://some-rs.example.com/">https://some-rs.example.com/</a>

RS scopes: read, update, delete

-&gt;

<a class=3D"moz-txt-link-freetext" =
href=3D"https://some-rs.example.com/read">https://some-rs.example.com/read=
</a></pre><pre style=3D"caret-color: rgb(0, 0, 0); font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><a class=3D"moz-txt-link-freetext" =
href=3D"https://some-rs.example.com/update">https://some-rs.example.com/up=
date</a></pre><pre style=3D"caret-color: rgb(0, 0, 0); font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><a class=3D"moz-txt-link-freetext" =
href=3D"https://some-rs.example.com/delete">https://some-rs.example.com/de=
lete</a></pre><pre style=3D"caret-color: rgb(0, 0, 0); font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""></pre><p style=3D"caret-color: rgb(0, =
0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">This will not work if the chosen name =
spacing pattern can produce ambiguities, e.g. if<span =
class=3D"Apple-converted-space">&nbsp;</span><a =
class=3D"moz-txt-link-freetext" =
href=3D"https://rs.example.com/accounts">https://rs.example.com/accounts</=
a><span class=3D"Apple-converted-space">&nbsp;</span>and<span =
class=3D"Apple-converted-space">&nbsp;</span><a =
class=3D"moz-txt-link-freetext" =
href=3D"https://rs.example.com/accounts/v1">https://rs.example.com/account=
s/v1</a><span class=3D"Apple-converted-space">&nbsp;</span>are two =
different RSes.<br class=3D""></p><p style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br class=3D""></p><p =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D"">I =
have witnessed situations when an AS is given some application to deal =
with, with hard-wired scope values that have no name spacing, and to =
prevent potential collisions with other applications, Resource =
Indicators had to come to the rescue.</p></div></blockquote>That only =
really works if you are asking for multiple tokens for different =
resources. With RAR we can at least group things together, and so things =
like the read/update/delete can now be under the =E2=80=9Cactions=E2=80=9D=
 field with =E2=80=9C<a href=3D"https://some-rs.example.com/" =
class=3D"">https://some-rs.example.com/</a>=E2=80=9C be the =E2=80=9Ctype=E2=
=80=9D field. Or even better, =E2=80=9C<a =
href=3D"https://some-rs-example.com/" =
class=3D"">https://some-rs-example.com/</a>=E2=80=9C is the =
=E2=80=9Clocations=E2=80=9D value and the =E2=80=9Ctype=E2=80=9D is =
something like =E2=80=9C<a href=3D"https://rs.example.com/accounts" =
class=3D"">https://rs.example.com/accounts</a>=E2=80=9D. Since things =
get combined inside an object with distinct fields, and not as =
substrings and prefixes, we don=E2=80=99t have the ambiguity with =E2=80=9C=
<a href=3D"https://rs.example.com/accounts/v1" =
class=3D"">https://rs.example.com/accounts/v1</a>=E2=80=9D anymore. As a =
note we would also treat =E2=80=9C<a =
href=3D"https://rs.example.com/accounts/" =
class=3D"">https://rs.example.com/accounts/</a>=E2=80=9C (with a =
trailing slash) as a distinct =E2=80=9Ctype=E2=80=9D value under this =
logic.<br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D""><p style=3D"caret-color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;" class=3D"">I also remember one case with an application having a =
scope name which is also used for the OIDC userinfo endpoint.<br =
class=3D""></p><p style=3D"caret-color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;" class=3D""><br class=3D""></p></div></blockquote><div>This is =
exactly the kind of thing that I think we can do better to avoid here. =
So I would expect a protocol like OIDC to use something like =E2=80=9C<a =
href=3D"https://openid.net/specs/connect/" =
class=3D"">https://openid.net/specs/connect/</a>userinfo=E2=80=9C as its =
=E2=80=9Ctype=E2=80=9D field, since it=E2=80=99s coming from a standards =
body and is meant to be used by many different systems. But if I=E2=80=99v=
e also got some custom internal timecard API I would just use =
=E2=80=9Ctimecard=E2=80=9D as the =E2=80=9Ctype=E2=80=9D there, since =
it=E2=80=99s internal to just that one AS. And if both of these have an =
=E2=80=9Cemail=E2=80=9D value for, say, =E2=80=9Cdatatype=E2=80=9D, then =
they don=E2=80=99t overlap with each other.</div><blockquote type=3D"cite"=
 class=3D""><div class=3D""><blockquote type=3D"cite" =
cite=3D"mid:B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu" =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><pre class=3D"moz-quote-pre" =
wrap=3D"">I do think that if nothing else we can give better guidance in =
RAR as to what the =E2=80=9Ctype=E2=80=9D field is. =
</pre></blockquote><p style=3D"caret-color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;" class=3D"">+1<br class=3D""></p><p style=3D"caret-color: rgb(0, =
0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br class=3D""></p><blockquote =
type=3D"cite" cite=3D"mid:B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu" =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><pre class=3D"moz-quote-pre" =
wrap=3D"">I do think it should still just be a string, but we can help =
people make better decisions about what to put in that =
string.</pre></blockquote><p style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">I'm still on the fence with that but =
I do see your argument.</p><p style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br =
class=3D""></p></div></blockquote><div><br class=3D""></div><div>Thanks =
for the feedback!</div><div><br class=3D""></div><div>&nbsp;=E2=80=94 =
Justin</div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D""><p style=3D"caret-color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;" class=3D"">Vladimir<br class=3D""></p><p style=3D"caret-color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: =
normal; font-variant-caps: normal; font-weight: normal; letter-spacing: =
normal; text-align: start; text-indent: 0px; text-transform: none; =
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br class=3D""></p><blockquote =
type=3D"cite" cite=3D"mid:B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu" =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><pre class=3D"moz-quote-pre" wrap=3D"">=
 =E2=80=94 Justin

</pre><blockquote type=3D"cite" class=3D""><pre class=3D"moz-quote-pre" =
wrap=3D"">On Jul 17, 2020, at 2:13 PM, Vladimir Dzhuvinov <a =
class=3D"moz-txt-link-rfc2396E" =
href=3D"mailto:vladimir@connect2id.com">&lt;vladimir@connect2id.com&gt;</a=
> wrote:


On 17/07/2020 17:38, Justin Richer wrote:
</pre><blockquote type=3D"cite" class=3D""><pre class=3D"moz-quote-pre" =
wrap=3D"">And all that brings me to my proposal:=20

4) Require all values to be defined by the AS, and encourage =
specification developers to use URIs for collision resistance.

So officially in RAR, the AS would decide what =E2=80=9Ctype=E2=80=9D =
means, and nobody else. But we can also guide people who are developing =
general-purpose interoperable APIs to use URIs for their RAR =E2=80=9Ctype=
=E2=80=9D definitions. This would keep those interoperable APIs from =
stepping on each other, and from stepping on any locally-defined special =
=E2=80=9Ctype=E2=80=9D structure. But at the end of the day, the URI =
carries no more weight than just any other string, and the AS decides =
what it means and how it applies.
</pre></blockquote><pre class=3D"moz-quote-pre" wrap=3D"">Define, but =
not publish in AS metadata?


</pre><blockquote type=3D"cite" class=3D""><pre class=3D"moz-quote-pre" =
wrap=3D"">My argument is that this seems to have worked very, very well =
for scopes, and the RAR =E2=80=9Ctype=E2=80=9D is cut from similar =
descriptive cloth.
</pre></blockquote><pre class=3D"moz-quote-pre" wrap=3D"">I would argue =
that it didn't work so well for scopes - the OAuth
Resource Indicators spec is a testament to that.

But one could also argue that scopes were not defined along the lines of
your proposal for "type" in RAR. In fact, RFC 6749 has no mention of
collision resistance or name spacing for scope values.


Vladimir


_______________________________________________
OAuth mailing list
<a class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a>
</pre></blockquote><pre class=3D"moz-quote-pre" =
wrap=3D""></pre></blockquote><pre class=3D"moz-signature" cols=3D"72" =
style=3D"caret-color: rgb(0, 0, 0); font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; word-spacing: =
0px; -webkit-text-stroke-width: 0px; text-decoration: none;">--=20
Vladimir Dzhuvinov</pre></div></blockquote></div><br =
class=3D""></body></html>=

--Apple-Mail=_5640FBE3-F8C3-4D84-B1CC-1F8AADB7C28C--


From nobody Tue Jul 21 08:40:16 2020
Return-Path: <vladimir@connect2id.com>
Cc: oauth@ietf.org
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <4ea6f9af-d67f-97df-6bae-752cf34f920c@connect2id.com> <B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu> <c84ca5ce-5fa0-dc8e-afaa-88f48dc6eaa8@connect2id.com> <5EFFFABC-2A9B-4353-A826-2D33D4E82600@mit.edu>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <9ee8ed17-141c-1aeb-901a-4d91d6aa90b0@connect2id.com>
Date: Tue, 21 Jul 2020 18:40:07 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <5EFFFABC-2A9B-4353-A826-2D33D4E82600@mit.edu>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms050201070107080109050901"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/v_smUTEz2wOS8XuqrPVXcEJ31mg>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

This is a cryptographically signed message in MIME format.

--------------ms050201070107080109050901
Content-Type: multipart/alternative;
 boundary="------------770E8762C21029F2A9BBBDAC"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------770E8762C21029F2A9BBBDAC
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


On 21/07/2020 17:47, Justin Richer wrote:
>> On Jul 19, 2020, at 1:04 PM, Vladimir Dzhuvinov
>> <vladimir@connect2id.com <mailto:vladimir@connect2id.com>> wrote:
>>
>> On 18/07/2020 17:12, Justin Richer wrote:
>>> I think publishing supported “type” parameters isn’t a bad idea, and it aligns with publishing supported scopes and claims in discovery.
>>
>> If you are a developer, would you like to be able to find out if the
>> authorization_details for a given "type" has a JSON schema and what
>> it looks like?
>>
>>
> I think that would be a nice thing for an AS/API to offer, but I don’t
> think it should be expected or required here. That might be a good
> note in the guidance, say that if you use a URI for your “type” field
> then it would be nice if it resolved to something either human or
> machine readable. What I don’t want is for us to require every AS to
> have to resolve these URIs in order to process and understand them.
> That’s why I’m taking the position of it being a string, and the URI
> can provide disambiguation in the way you’re talking about below.

We've been thinking about giving developers the possibility to discover
the authorization_details JSON schema (if one is supplied) for a given
type via a separate AS metadata parameter. Not by making the type a
dereferenceable URL, which will overload things too much.

authorization_details_json_schemas : {
    "<type-a>" : "<type-a-json-schema-url>",
    "<type-b>" : "<type-b-json-schema-url>",
    ...
}

The rationale -- to minimise the number of potential support calls for
providers arising from "Oh dear, why do I get this invalid_request
now..." with complex RAR JSON objects.


Vladimir



--------------770E8762C21029F2A9BBBDAC--

--------------ms050201070107080109050901--


From nobody Tue Jul 21 08:43:17 2020
Return-Path: <torsten@lodderstedt.net>
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <89302FD9-4FBF-4363-8B7E-545AB4A778AD@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_A4F37BB5-FE3A-4584-BAE0-D5DA206A5F73"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 21 Jul 2020 17:43:06 +0200
In-Reply-To: <9ee8ed17-141c-1aeb-901a-4d91d6aa90b0@connect2id.com>
Cc: oauth@ietf.org
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <4ea6f9af-d67f-97df-6bae-752cf34f920c@connect2id.com> <B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu> <c84ca5ce-5fa0-dc8e-afaa-88f48dc6eaa8@connect2id.com> <5EFFFABC-2A9B-4353-A826-2D33D4E82600@mit.edu> <9ee8ed17-141c-1aeb-901a-4d91d6aa90b0@connect2id.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Rf0m01r1omRRsaPeYss1sbfB6i0>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

--Apple-Mail=_A4F37BB5-FE3A-4584-BAE0-D5DA206A5F73
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On 21. Jul 2020, at 17:40, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>
>
>
> On 21/07/2020 17:47, Justin Richer wrote:
>>> On Jul 19, 2020, at 1:04 PM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>>
>>> On 18/07/2020 17:12, Justin Richer wrote:
>>>> I think publishing supported “type” parameters isn’t a bad idea, and it aligns with publishing supported scopes and claims in discovery.
>>> If you are a developer, would you like to be able to find out if the authorization_details for a given "type" has a JSON schema and what it looks like?
>>>
>>>
>>>
>> I think that would be a nice thing for an AS/API to offer, but I don’t think it should be expected or required here. That might be a good note in the guidance, say that if you use a URI for your “type” field then it would be nice if it resolved to something either human or machine readable. What I don’t want is for us to require every AS to have to resolve these URIs in order to process and understand them. That’s why I’m taking the position of it being a string, and the URI can provide disambiguation in the way you’re talking about below.
> We've been thinking about giving developers the possibility to discover the authorization_details JSON schema (if one is supplied) for a given type via a separate AS metadata parameter. Not by making the type a dereferenceable URL, which will overload things too much.
>
> authorization_details_json_schemas : {
>     "<type-a>" : "<type-a-json-schema-url>",
>     "<type-b>" : "<type-b-json-schema-url>",
>    ...
>
> }
> The rationale -- to minimise the number of potential support calls for providers arising from "Oh dear, why do I get this invalid_request now..." with complex RAR JSON objects.

We could borrow the "$schema" element.

However, I’m on the fence regarding introducing a separate parameter for the schema simply because it also introduces a new error cause if type and schema are inconsistent.

best regards,
Torsten.

>
>
>
> Vladimir
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_A4F37BB5-FE3A-4584-BAE0-D5DA206A5F73--
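
The metadata lookup proposed in Vladimir's message and the type/schema inconsistency raised in Torsten's reply, as an added example that is not part of either message or of any draft: a client-side pre-flight check that finds the schema for each authorization_details object by exact match on "type" and validates against it before the request is sent. Assumptions: the metadata contents, the type value and schema URLs are constructed, the schema documents are embedded instead of downloaded, the validator covers only a small JSON Schema subset, and a "$schema" member on the object is one assumed reading of Torsten's suggestion.

```python
# Constructed AS metadata. "authorization_details_json_schemas" is the
# parameter name proposed in the thread, not a registered metadata field.
PAYMENT = "https://api.example.com/types/payment"  # hypothetical "type" value
AS_METADATA = {
    "issuer": "https://as.example.com",
    "authorization_details_json_schemas": {
        PAYMENT: "https://as.example.com/schemas/payment.json",
    },
}

# Stand-in for schema documents a developer tool would download ahead of
# time; embedded so the example runs offline. Contents are constructed.
SCHEMA_DOCUMENTS = {
    "https://as.example.com/schemas/payment.json": {
        "type": "object",
        "required": ["type", "amount", "currency"],
        "properties": {
            "type": {"type": "string"},
            "amount": {"type": "string"},
            "currency": {"type": "string", "enum": ["EUR", "USD"]},
            "actions": {"type": "array", "items": {"type": "string"}},
        },
    },
}

_JSON_TYPES = {"object": dict, "array": list, "string": str,
               "boolean": bool, "number": (int, float)}


def validate(instance, schema, path):
    """Check instance against a small JSON Schema subset
    (type, enum, required, properties, items). Returns error strings."""
    expected = schema.get("type")
    if expected is not None:
        matches = isinstance(instance, _JSON_TYPES[expected])
        if expected == "number" and isinstance(instance, bool):
            matches = False  # bool is an int subclass in Python
        if not matches:
            return [f"{path}: expected {expected}"]
    errors = []
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} is not an allowed value")
    if isinstance(instance, dict):
        for name in schema.get("required", []):
            if name not in instance:
                errors.append(f"{path}: missing required member '{name}'")
        for name, sub in schema.get("properties", {}).items():
            if name in instance:
                errors.extend(validate(instance[name], sub, f"{path}.{name}"))
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


def preflight(authorization_details, metadata=AS_METADATA,
              documents=SCHEMA_DOCUMENTS):
    """Client-side check run before sending the authorization request.
    Returns (errors, unchecked): problems found, and the indexes of objects
    whose type has no published schema (allowed: schemas are optional)."""
    schema_urls = metadata.get("authorization_details_json_schemas", {})
    errors, unchecked = [], []
    for index, detail in enumerate(authorization_details):
        path = f"authorization_details[{index}]"
        type_value = detail.get("type") if isinstance(detail, dict) else None
        if not isinstance(type_value, str):
            errors.append(f"{path}: missing string member 'type'")
            continue
        # The type is only a lookup key here; it is never dereferenced.
        schema_url = schema_urls.get(type_value)
        if schema_url is None:
            unchecked.append(index)
            continue
        # Assumed reading of the "$schema" suggestion: an object may name its
        # schema itself, which can then disagree with the metadata mapping.
        declared = detail.get("$schema")
        if declared is not None and declared != schema_url:
            errors.append(f"{path}: '$schema' does not match the schema "
                          f"published for type '{type_value}'")
            continue
        errors.extend(validate(detail, documents[schema_url], path))
    return errors, unchecked


if __name__ == "__main__":
    request = [
        {"type": PAYMENT, "currency": "GBP", "actions": ["initiate", 7]},
        {"type": "local_type", "anything": True},
    ]
    found, skipped = preflight(request)
    for line in found:
        print(line)
    print("no schema published for objects at indexes:", skipped)
```
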


From nobody Tue Jul 21 09:35:58 2020
Return-Path: <dick.hardt@gmail.com>
MIME-Version: 1.0
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com> <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu> <CAD9ie-tX+C1BvRRMH5E9-05X8YG02r3m1EpMn91Vruv+zsMyeg@mail.gmail.com> <CC8861CE-E535-4290-9E31-E037849ED509@mit.edu>
In-Reply-To: <CC8861CE-E535-4290-9E31-E037849ED509@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 21 Jul 2020 09:35:14 -0700
Message-ID: <CAD9ie-tZkKtwVwLUSf2FJ9Xm-80dBupYKvbdmywSgA3M64B_7g@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005dd24f05aaf637c9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Q-hstoNm7AhCYNWFnIOnnxXyJKg>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

--0000000000005dd24f05aaf637c9
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

This statement:

“compare two strings so that they’re exact”

does not work for either Unicode or URIs. A string, and a canonicalized
Unicode string are not the same thing. Similar for a URI. I have assumed
you understand the canonicalization requirement, but it does not sound like
you do. Would you like examples?


wrt. the AS and URI, *you* keep saying that *I* said the AS would retrieve
the URI. I HAVE NOT SAID THAT!

I am suggesting that the URI MAY be retrievable, and I gave examples on how
that would be useful for tooling for client developers, and for an AS in
doing input validation. The URI would NOT be retrieved at run time.


On Tue, Jul 21, 2020 at 7:35 AM Justin Richer <jricher@mit.edu> wrote:

> If we treat all the strings as just strings, without any special internal
> format to be specified or detected, then comparing the strings is a
> well-understood and well-documented process. I also think that we shouldn’t
> invent anything here, so if there’s a better way to say “compare two
> strings so that they’re exact” then that’s what I mean. Sorry if that was
> unclear.
>
> I’m saying the AS should *not* retrieve the URI passed in the “type”
> value. You brought that up and then described the process that the AS would
> take to do so. I have said from the start that the use of a URI is for name
> spacing and not for addressing content to be fetched, so I’m confused why
> you think I intend otherwise.
>
>  — Justin
>
> On Jul 20, 2020, at 2:59 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> Canonicalization of URIs and unicode is fairly well specified. I was not
> suggesting we invent anything there.
>
> A byte comparison, as you suggested earlier, will be problematic, as I
> have pointed out.
>
> I'm confused why you are still talking about the AS retrieving a URI.
>
> On Mon, Jul 20, 2020 at 4:42 AM Justin Richer <jricher@mit.edu> wrote:
>
>> Since this is a recommendation for namespace, we could also just say
>> collision-resistant like JWT, and any of those examples are fine. But that
>> said, I think there’s something particularly compelling about URIs since
>> they have somewhat-human-readable portions. But again, I’m saying it should
>> be a recommendation to API developers and not a requirement in the spec. In
>> the spec, I argue that “type” should be a string, full stop.
>>
>> If documentation is so confusing that developers are typing in the wrong
>> strings, then that’s bad documentation. And likely a bad choice for the
>> “type” string on the part of the AS. You’d have the same problem with any
>> other value the developer’s supposed to copy over.  :)
>>
>> I agree that we should call out explicitly how they should be compared,
>> and I propose we use one of the handful of existing string-comparison RFC’s
>> here instead of defining our own rules.
>>
>> While the type could be a dereferenceable URI, requiring action on the AS
>> is really getting into distributed authorization policies. We tried doing
>> that with UMA1’s scope structures and it didn’t work very well in practice
>> (in my memory and experience). Someone could profile “type” on top of this
>> if they wanted to do so, with support at the AS for that, but I don’t see a
>> compelling reason for that to be a requirement as that’s a lot of
>> complexity and a lot more error states (the fetch fails, or it doesn’t have
>> a policy, or the policy’s in a format the AS doesn’t understand, or the AS
>> doesn’t like the policy, etc).
>>
>> And AS is always free to implement its types in such a fashion, and that
>> could make plenty of sense in a smaller ecosystem. And this is yet another
>> reason that we define “type” as being a string to be interpreted and
>> understood by the AS — so that an AS that wants to work this way can do so.
>>
>>  — Justin
>>
>> PS: thanks for pointing out the error in the example in XYZ, I’ll fix
>> that prior to publication.
>>
>> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> Justin: thanks for kindly pointing out which mail list this is.
>>
>> To clarify, public JWT claims are not just URIs, but any
>> collision-resistant namespace:
>> "Examples of collision-resistant namespaces include: Domain Names, Object
>> Identifiers (OIDs) as defined in the ITU-T X.660 and X.670
>> Recommendation series, and Universally Unique IDentifiers (UUIDs)
>> [RFC4122]."
>>
>> I think letting the "type" be any JSON string and doing a byte-wise
>> comparison will be problematic. A client developer will be reading
>> documentation to learn what the types are, and typing it in. Given the wide
>> set of whitespace characters, and unicode equivalence, different byte
>> streams will all look the same, and a byte-wise comparison will fail.
>>
>> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is
>> not sufficient. Canonicalization is required.
>>
>> These are not showstopper issues, but the specification should call out
>> how type strings are compared, and provide caveats to an AS developer.
>>
>> I have no idea why you would think the AS would retrieve a URL.
>>
>> Since the type represents a much more complex object than a JWT claim, a
>> client developer's tooling could pull down the JSON Schema (or some such)
>> for a type used in their source code, and provide autocompletion and
>> validation which would improve productivity and reduce errors. An AS that
>> is using a defined type could use the schema for input validation. Neither
>> of these would be at run time. JSON Schema allows comments and examples.
>>
>> What is the harm in non-normative language around a retrievable URI?
>>
>> BTW: the example in
>> https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has not
>> been updated with the "type" field.
>>
>>
>>
>> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>>
>>> Hi Dick,
>>>
>>> This is a discussion about the RAR specification on the OAuth list, and
>>> therefore doesn’t have anything to do with alignment with XAuth. In fact, I
>>> believe the alignment is the other way around, as doesn’t Xauth normatively
>>> reference RAR at this point? Even though, last I saw, it uses a different
>>> top-level structure for conveying things, I believe it does say to use the
>>> internal object structures. I am also a co-author on RAR and we had already
>>> defined a “type” field in RAR quite some time ago. You did notice that
>>> XYZ’s latest draft added this field to keep the two in alignment with each
>>> other, which has always been the goal since the initial proposal of the RAR
>>> work, but that’s a time lag and not a display of new intent.
>>>
>>> In any event, even though I think the decision has bearing in both
>>> places, this isn’t about GNAP. Working on RAR’s requirements has brought up
>>> this interesting issue of what should be in the type field for RAR in OAuth
>>> 2.
>>>
>>> I think that it should be defined as a string, and therefore compared as
>>> a byte value in all cases, regardless of what the content of the string is.
>>> I don’t think the AS should be expected to fetch a URI for anything. I
>>> don’t think the AS should normalize any of the inputs. I think that any
>>> JSON-friendly character set should be allowed (including spaces and
>>> unicodes), and since RAR already requires the JSON objects to be
>>> form-encoded, this shouldn’t cause additional trouble when adding them in
>>> to OAuth 2’s request structures.
>>>
>>> The idea of using a URI would be to get people out of each other’s
>>> namespaces. It’s similar to the concept of “public” vs “private” claims in
>>> JWT:
>>>
>>> https://tools.ietf.org/html/rfc7519#section-4.2
>>>
>>> What I’m proposing is that if you think it’s going to be a
>>> general-purpose type name, then we recommend you use a URI as your string.
>>> And beyond that, that’s it. It’s up to the AS to figure out what to do with
>>> it, and RAR stays out of it.
>>>
>>>  — Justin
>>>
>>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>> Hey Justin, glad to see that you have aligned with the latest XAuth
>>> draft on a type property being required.
>>>
>>> I like the idea that the value of the type property is fully defined by
>>> the AS, which could delegate it to a common URI for reuse. This gets GNAP
>>> out of specifying access requests, and enables other parties to define
>>> access without any required coordination with IETF or IANA.
>>>
>>> A complication in mixing plain strings and URIs is the canonicalization.
>>> A plain string can be a fixed byte representation, but a URI requires
>>> canonicalization for comparison. Mixing the two requires URI detection at
>>> the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>>>
>>> The URI is retrievable, it can provide machine and/or human readable
>>> documentation in JSON schema or some such, or any other content type. Once
>>> again, the details are out of scope of GNAP, but we can provide examples to
>>> guide implementers.
>>>
>>> Are you still thinking that bare strings are allowed in GNAP, and are
>>> defined by the AS?
>>>
>>>
>>>
>>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>>
>>>> The “type” field in the RAR spec serves an important purpose: it
>>>> defines what goes in the rest of the object, including what other fields
>>>> are available and what values are allowed for those fields. It provides an
>>>> API-level definition for requesting access based on multiple dimensions,
>>>> and that’s really powerful and flexible. Each type can use any of the
>>>> general-purpose fields like “actions” and/or add its own fields as
>>>> necessary, and the “type” parameter keeps everything well-defined.
>>>>
>>>> The question, then, is what defines what’s allowed to go into the
>>>> “type” field itself? And what defines how that value maps to the
>>>> requirements for the rest of the object? The draft doesn’t say anything
>>>> about it at the moment, but we should choose the direction we want to go.
>>>> On the surface, there are three main options:
>>>>
>>>> 1) Require all values to be registered.
>>>> 2) Require all values to be collision-resistant (eg, URIs).
>>>> 3) Require all values to be defined by the AS (and/or the RS’s that it
>>>> protects).
>>>>
>>>> Are there any other options?
>>>>
>>>> Here are my thoughts on each approach:
>>>>
>>>> 1) While it usually makes sense to register things for
>>>> interoperability, this is a case where I think that a registry would
>>>> actually hurt interoperability and adoption. Like a “scope” value, the RAR
>>>> “type” is ultimately up to the AS and RS to interpret in their own context.
>>>> We :want: people to define rich objects for their APIs and enable
>>>> fine-grained access for their systems, and if they have to register
>>>> something every time they come up with a new API to protect, it’s going to
>>>> be an unmaintainable mess. I genuinely don’t think this would scale, and
>>>> that most developers would just ignore the registry and do what they want
>>>> anyway. And since many of these systems are inside domains, it’s completely
>>>> unenforceable in practice.
>>>>
>>>> 2) This seems reasonable, but it’s a bit of a nuisance to require
>>>> everything to be a URI here. It’s long and ugly, and a lot of APIs are
>>>> going to be internal to a given group, deployment, or ecosystem anyway.
>>>> This makes sense when you’ve got something reusable across many
>>>> deployments, like OIDC, but it’s overhead when what you’re doing is tied to
>>>> your environment.
>>>>
>>>> 3) This allows the AS and RS to define the request parameters for their
>>>> APIs just like they do today with scopes. Since it’s always the combination
>>>> of “this type :AT: this AS/RS”, name spacing is less of an issue across
>>>> systems. We haven’t seen huge problems in scope value overlap in the wild,
>>>> though it does occur from time to time it’s more than manageable. A client
>>>> isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it
>>>> can access something in particular.
>>>>
>>>> And all that brings me to my proposal:
>>>>
>>>> 4) Require all values to be defined by the AS, and encourage
>>>> specification developers to use URIs for collision resistance.
>>>>
>>>> So officially in RAR, the AS would decide what “type” means, and nobody
>>>> else. But we can also guide people who are developing general-purpose
>>>> interoperable APIs to use URIs for their RAR “type” definitions. This would
>>>> keep those interoperable APIs from stepping on each other, and from
>>>> stepping on any locally-defined special “type” structure. But at the end of
>>>> the day, the URI carries no more weight than just any other string, and the
>>>> AS decides what it means and how it applies.
>>>>
>>>> My argument is that this seems to have worked very, very well for
>>>> scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>>
>>>> What does the rest of the group think? How should we manage the RAR
>>>> “type” values and what they mean?
>>>>
>>>>  — Justin

--0000000000005dd24f05aaf637c9--
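
The two comparison policies debated in this thread, side by side, as an added example that is not part of any message or of the RAR draft: exact code-point comparison of "type" values versus comparison after Unicode NFC and RFC 3986-style URI normalization. The function names are hypothetical, and every sample value except the three schema.example.org URIs quoted in the thread is constructed.

```python
import re
import unicodedata
from urllib.parse import urlsplit, urlunsplit

# Default ports removed by scheme-based normalization (RFC 3986, section 6.2.3).
DEFAULT_PORTS = {"http": 80, "https": 443}
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT_TRIPLET = re.compile(r"%([0-9A-Fa-f]{2})")


def exact_equal(a: str, b: str) -> bool:
    """Policy A: code-point-for-code-point comparison, no interpretation."""
    return a == b


def _normalize_pct(component: str) -> str:
    """Decode escapes of unreserved characters, uppercase the remaining ones."""
    def fix(match):
        char = chr(int(match.group(1), 16))
        return char if char in UNRESERVED else "%" + match.group(1).upper()
    return PCT_TRIPLET.sub(fix, component)


def normalize_uri(value: str) -> str:
    """Normalize an absolute URI with an authority; return anything else unchanged.

    Covers case, default-port, empty-path and percent-encoding normalization.
    Dot-segment removal is left out to keep the example short. Never fetches.
    """
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:
        return value  # malformed authority: treat as an opaque string
    if not parts.scheme or not parts.hostname:
        return value  # bare string or URN-style name: nothing to normalize
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    if ":" in host:  # IPv6 literal; urlsplit strips the brackets
        host = "[" + host + "]"
    userinfo, at, _ = parts.netloc.rpartition("@")
    netloc = userinfo + at + host
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        netloc += ":" + str(port)
    path = _normalize_pct(parts.path) or "/"
    return urlunsplit((scheme, netloc, path, _normalize_pct(parts.query),
                       _normalize_pct(parts.fragment)))


def canonical_form(value: str) -> str:
    """Policy B: Unicode NFC first, then URI normalization where it applies."""
    return normalize_uri(unicodedata.normalize("NFC", value))


def canonical_equal(a: str, b: str) -> bool:
    return canonical_form(a) == canonical_form(b)


def compare(a: str, b: str) -> dict:
    """Outcome of both policies for one pair of "type" values."""
    return {"exact": exact_equal(a, b), "canonical": canonical_equal(a, b)}


SAMPLES = [
    # Quoted in the thread: distinct under both policies. The third URI still
    # differs after port removal because "/v1" and "/v1/" are different paths.
    ("https://schema.example.org/v1", "https://schema.example.org/v2"),
    ("https://schema.example.org/v1", "https://schema.example.org:443/v1/"),
    # Constructed: same URI after normalization, different strings.
    ("https://schema.example.org/v1", "HTTPS://Schema.Example.org:443/v1"),
    # Constructed: precomposed vs combining accent, identical when rendered.
    ("caf\u00e9-payments", "cafe\u0301-payments"),
    # Constructed: space vs no-break space. NFC does not fold these, so the
    # values stay distinct under both policies.
    ("payment initiation", "payment\u00a0initiation"),
]

if __name__ == "__main__":
    for left, right in SAMPLES:
        print(ascii(left), ascii(right), compare(left, right))
```

Whichever policy an AS adopts, the same function has to be used everywhere a "type" value is matched, otherwise two components can reach different decisions about the same request.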


From nobody Tue Jul 21 09:58:16 2020
From: Justin Richer <jricher@mit.edu>
Message-Id: <847FC552-84CA-4227-9768-8BA488B7FEFE@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6379A745-C141-4984-B45F-1916E310B891"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 21 Jul 2020 12:58:08 -0400
In-Reply-To: <CAD9ie-tZkKtwVwLUSf2FJ9Xm-80dBupYKvbdmywSgA3M64B_7g@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Dick Hardt <dick.hardt@gmail.com>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com> <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu> <CAD9ie-tX+C1BvRRMH5E9-05X8YG02r3m1EpMn91Vruv+zsMyeg@mail.gmail.com> <CC8861CE-E535-4290-9E31-E037849ED509@mit.edu> <CAD9ie-tZkKtwVwLUSf2FJ9Xm-80dBupYKvbdmywSgA3M64B_7g@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/w0SyZWKeG-_qOBSwNaHHKQL9OWs>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

String comparison works just fine when the strings happen to be URIs, and you aren’t treating them as URIs:

	“https://schema.example.org/v1”

Is different from

	“https://schema.example.org/v2”

And both are different from

	“https://schema.example.org:443/v1/”

All of these are strings, and the strings happen to be URIs but that’s irrelevant to the comparison process. Can you please help me understand why doing a string comparison on these values does not work in exactly the same way it would for “foo”, “bar”, and “baz” values? Why would these need to be canonicalized to be compared? The definition of a JSON string is an ordered set of unicode code points, and this can be compared byte-wise. (Or code-point-wise, whatever’s most correct here.) Can you give me counter-examples as to where string comparison doesn’t work? And can you help me understand how this same worry doesn’t apply to all of the rest of the values in the RAR specification, which are also strings and will need to be compared?

I’m still very confused as to the URI retrieval issue here, if there even is one. It sounds like we’re both saying that it could be useful if type values are retrievable when they’re URIs, but that would be something to augment a process and not required for the RAR spec. I’m against requiring the value to be a URI and against requiring the AS to process that URI as a URI at runtime. Anything that an AS wants to do with the “type” value, including providing additional tooling and validation, is up to the AS and outside of the spec.

 — Justin

> On Jul 21, 2020, at 12:35 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> This statement:
>
> “compare two strings so that they’re exact”
>
> does not work for either Unicode or URIs. A string, and a canonicalized Unicode string are not the same thing. Similar for a URI. I have assumed you understand the canonicalization requirement, but it does not sound like you do. Would you like examples?
>
> wrt. the AS and URI, *you* keep saying that *I* said the AS would retrieve the URI. I HAVE NOT SAID THAT!
>
> I am suggesting that the URI MAY be retrievable, and I gave examples on how that would be useful for tooling for client developers, and for an AS in doing input validation. The URI would NOT be retrieved at run time.
>
> On Tue, Jul 21, 2020 at 7:35 AM Justin Richer <jricher@mit.edu> wrote:
> If we treat all the strings as just strings, without any special internal format to be specified or detected, then comparing the strings is a well-understood and well-documented process. I also think that we shouldn’t invent anything here, so if there’s a better way to say “compare two strings so that they’re exact” then that’s what I mean. Sorry if that was unclear.
>
> I’m saying the AS should not retrieve the URI passed in the “type” value. You brought that up and then described the process that the AS would take to do so. I have said from the start that the use of a URI is for name spacing and not for addressing content to be fetched, so I’m confused why you think I intend otherwise.
>
>  — Justin
>
>> On Jul 20, 2020, at 2:59 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> Canonicalization of URIs and unicode is fairly well specified. I was not suggesting we invent anything there.
>>
>> A byte comparison, as you suggested earlier, will be problematic, as I have pointed out.
>>
>> I'm confused why you are still talking about the AS retrieving a URI.
>>
>> On Mon, Jul 20, 2020 at 4:42 AM Justin Richer <jricher@mit.edu> wrote:
>> Since this is a recommendation for namespace, we could also just say collision-resistant like JWT, and any of those examples are fine. But that said, I think there’s something particularly compelling about URIs since they have somewhat-human-readable portions. But again, I’m saying it should be a recommendation to API developers and not a requirement in the spec. In the spec, I argue that “type” should be a string, full stop.
>>
>> If documentation is so confusing that developers are typing in the wrong strings, then that’s bad documentation. And likely a bad choice for the “type” string on the part of the AS. You’d have the same problem with any other value the developer’s supposed to copy over.  :)
>>
>> I agree that we should call out explicitly how they should be compared, and I propose we use one of the handful of existing string-comparison RFCs here instead of defining our own rules.
>>
>> While the type could be a dereferenceable URI, requiring action on the AS is really getting into distributed authorization policies. We tried doing that with UMA1’s scope structures and it didn’t work very well in practice (in my memory and experience). Someone could profile “type” on top of this if they wanted to do so, with support at the AS for that, but I don’t see a compelling reason for that to be a requirement as that’s a lot of complexity and a lot more error states (the fetch fails, or it doesn’t have a policy, or the policy’s in a format the AS doesn’t understand, or the AS doesn’t like the policy, etc).
>>
>> An AS is always free to implement its types in such a fashion, and that could make plenty of sense in a smaller ecosystem. And this is yet another reason that we define “type” as being a string to be interpreted and understood by the AS — so that an AS that wants to work this way can do so.
>>
>>  — Justin
>>
>> PS: thanks for pointing out the error in the example in XYZ, I’ll fix that prior to publication.
>>
>>> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>> Justin: thanks for kindly pointing out which mail list this is.
>>>
>>> To clarify, public JWT claims are not just URIs, but any collision-resistant namespace:
>>> "Examples of collision-resistant namespaces include: Domain Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) [RFC4122]."
>>>
>>> I think letting the "type" be any JSON string and doing a byte-wise comparison will be problematic. A client developer will be reading documentation to learn what the types are, and typing it in. Given the wide set of whitespace characters, and unicode equivalence, different byte streams will all look the same, and a byte-wise comparison will fail.
>>>
>>> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is not sufficient. Canonicalization is required.
>>>
>>> These are not showstopper issues, but the specification should call out how type strings are compared, and provide caveats to an AS developer.
>>>
>>> I have no idea why you would think the AS would retrieve a URL.
>>>
>>> Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.
>>>
>>> What is the harm in non-normative language around a retrievable URI?
>>>
>>> BTW: the example in https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has not been updated with the "type" field.
>>>
>>> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>>> Hi Dick,
>>>
>>> This is a discussion about the RAR specification on the OAuth list, and therefore doesn’t have anything to do with alignment with XAuth. In fact, I believe the alignment is the other way around, as doesn’t XAuth normatively reference RAR at this point? Even though, last I saw, it uses a different top-level structure for conveying things, I believe it does say to use the internal object structures. I am also a co-author on RAR and we had already defined a “type” field in RAR quite some time ago. You did notice that XYZ’s latest draft added this field to keep the two in alignment with each other, which has always been the goal since the initial proposal of the RAR work, but that’s a time lag and not a display of new intent.
>>>
>>> In any event, even though I think the decision has bearing in both places, this isn’t about GNAP. Working on RAR’s requirements has brought up this interesting issue of what should be in the type field for RAR in OAuth 2.
>>>
>>> I think that it should be defined as a string, and therefore compared as a byte value in all cases, regardless of what the content of the string is. I don’t think the AS should be expected to fetch a URI for anything. I don’t think the AS should normalize any of the inputs. I think that any JSON-friendly character set should be allowed (including spaces and unicodes), and since RAR already requires the JSON objects to be form-encoded, this shouldn’t cause additional trouble when adding them in to OAuth 2’s request structures.
>>>
>>> The idea of using a URI would be to get people out of each other’s namespaces. It’s similar to the concept of “public” vs “private” claims in JWT:
>>>
>>> https://tools.ietf.org/html/rfc7519#section-4.2
>>>
>>> What I’m proposing is that if you think it’s going to be a general-purpose type name, then we recommend you use a URI as your string. And beyond that, that’s it. It’s up to the AS to figure out what to do with it, and RAR stays out of it.
>>>
>>>  — Justin
>>>
>>>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>
>>>> Hey Justin, glad to see that you have aligned with the latest XAuth draft on a type property being required.
>>>>
>>>> I like the idea that the value of the type property is fully defined by the AS, which could delegate it to a common URI for reuse. This gets GNAP out of specifying access requests, and enables other parties to define access without any required coordination with IETF or IANA.
>>>>
>>>> A complication in mixing plain strings and URIs is the canonicalization. A plain string can be a fixed byte representation, but a URI requires canonicalization for comparison. Mixing the two requires URI detection at the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>>>>
>>>> The URI is retrievable, it can provide machine and/or human readable documentation in JSON schema or some such, or any other content type. Once again, the details are out of scope of GNAP, but we can provide examples to guide implementers.
>>>>
>>>> Are you still thinking that bare strings are allowed in GNAP, and are defined by the AS?
>>>>
>>>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>>> The “type” field in the RAR spec serves an important purpose: it defines what goes in the rest of the object, including what other fields are available and what values are allowed for those fields. It provides an API-level definition for requesting access based on multiple dimensions, and that’s really powerful and flexible. Each type can use any of the general-purpose fields like “actions” and/or add its own fields as necessary, and the “type” parameter keeps everything well-defined.
>>>>
>>>> The question, then, is what defines what’s allowed to go into the “type” field itself? And what defines how that value maps to the requirements for the rest of the object? The draft doesn’t say anything about it at the moment, but we should choose the direction we want to go. On the surface, there are three main options:
>>>>
>>>> 1) Require all values to be registered.
>>>> 2) Require all values to be collision-resistant (eg, URIs).
>>>> 3) Require all values to be defined by the AS (and/or the RS’s that it protects).
>>>>
>>>> Are there any other options?
>>>>
>>>> Here are my thoughts on each approach:
>>>>
>>>> 1) While it usually makes sense to register things for interoperability, this is a case where I think that a registry would actually hurt interoperability and adoption. Like a “scope” value, the RAR “type” is ultimately up to the AS and RS to interpret in their own context. We :want: people to define rich objects for their APIs and enable fine-grained access for their systems, and if they have to register something every time they come up with a new API to protect, it’s going to be an unmaintainable mess. I genuinely don’t think this would scale, and that most developers would just ignore the registry and do what they want anyway. And since many of these systems are inside domains, it’s completely unenforceable in practice.
>>>>
>>>> 2) This seems reasonable, but it’s a bit of a nuisance to require everything to be a URI here. It’s long and ugly, and a lot of APIs are going to be internal to a given group, deployment, or ecosystem anyway. This makes sense when you’ve got something reusable across many deployments, like OIDC, but it’s overhead when what you’re doing is tied to your environment.
>>>>
>>>> 3) This allows the AS and RS to define the request parameters for their APIs just like they do today with scopes. Since it’s always the combination of “this type :AT: this AS/RS”, name spacing is less of an issue across systems. We haven’t seen huge problems in scope value overlap in the wild; though it does occur from time to time, it’s more than manageable. A client isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it can access something in particular.
>>>>
>>>> And all that brings me to my proposal:
>>>>
>>>> 4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.
>>>>
>>>> So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.
>>>>
>>>> My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>>
>>>> What does the rest of the group think? How should we manage the RAR “type” values and what they mean?
>>>>
>>>>  — Justin

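The comparison policies argued over in this thread, run side by side on the URIs quoted in the message above; this is an added Python example, not part of any message in the thread or of the RAR draft. The policy names, the helper functions and the last three sample pairs are constructed for illustration, and the URI step is an assumed subset of RFC 3986 section 6 normalization (scheme and host case, default port, empty path) for http(s) URIs without userinfo or IPv6 literals.

```python
"""Comparison policies for a RAR "type" value (added example, constructed data)."""
import unicodedata
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def looks_like_uri(value):
    """URI detection step: an http(s) URI with a host and a well-formed port."""
    try:
        parts = urlsplit(value)
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return parts.scheme in DEFAULT_PORTS and bool(parts.hostname)


def normalize_uri(value):
    """Lowercase scheme and host, drop the default port, map an empty path
    to "/". Path segments are left alone, so "/v1" and "/v1/" stay distinct."""
    parts = urlsplit(value)
    netloc = parts.hostname  # urlsplit already lowercases scheme and hostname
    if parts.port is not None and parts.port != DEFAULT_PORTS[parts.scheme]:
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/",
                       parts.query, parts.fragment))


def equal_under(a, b, unicode_form=None, uri=False):
    """Compare two type values under a chosen policy.

    unicode_form: None (raw code points), "NFC" or "NFKC".
    uri: also apply normalize_uri when both values are detected as URIs.
    """
    if unicode_form:
        a = unicodedata.normalize(unicode_form, a)
        b = unicodedata.normalize(unicode_form, b)
    if uri and looks_like_uri(a) and looks_like_uri(b):
        return normalize_uri(a) == normalize_uri(b)
    return a == b  # code-point comparison, same verdict as comparing UTF-8 bytes


# Hypothetical policy names; "exact" is the "type is just a string" position.
POLICIES = {
    "exact": {},
    "nfc": {"unicode_form": "NFC"},
    "nfkc": {"unicode_form": "NFKC"},
    "nfc+uri": {"unicode_form": "NFC", "uri": True},
}

# The first two pairs use the URIs quoted in the message; the rest are constructed.
SAMPLES = [
    ("https://schema.example.org/v1", "https://schema.example.org/v2"),
    ("https://schema.example.org/v1", "https://schema.example.org:443/v1/"),
    ("https://schema.example.org/v1", "HTTPS://Schema.Example.ORG:443/v1"),
    ("caf\u00e9", "cafe\u0301"),                        # precomposed vs combining accent
    ("payment initiation", "payment\u00a0initiation"),  # space vs no-break space
]


def report(samples=SAMPLES):
    """Return {(a, b): {policy_name: bool}} for every sample pair."""
    return {
        (a, b): {name: equal_under(a, b, **kw) for name, kw in POLICIES.items()}
        for a, b in samples
    }


if __name__ == "__main__":
    for (a, b), verdicts in report().items():
        print(f"{a!r} vs {b!r}")
        for name, same in verdicts.items():
            print(f"    {name:8} -> {'equal' if same else 'different'}")
```

Under every policy shown, the quoted `:443/v1/` value stays distinct from `/v1` because of the trailing slash; only the constructed case-and-port variant collapses under URI normalization, and only NFKC merges the no-break space with the ordinary space.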

strings are allowed in GNAP, and&nbsp;are defined by the AS?</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div><br class=3D""><div class=3D"gmail_quote"><div =
dir=3D"ltr" class=3D"gmail_attr">On Fri, Jul 17, 2020 at 8:39 AM Justin =
Richer &lt;<a href=3D"mailto:jricher@mit.edu" target=3D"_blank" =
class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">The =E2=80=9Ctype=E2=80=9D =
field in the RAR spec serves an important purpose: it defines what goes =
in the rest of the object, including what other fields are available and =
what values are allowed for those fields. It provides an API-level =
definition for requesting access based on multiple dimensions, and =
that=E2=80=99s really powerful and flexible. Each type can use any of =
the general-purpose fields like =E2=80=9Cactions=E2=80=9D and/or add its =
own fields as necessary, and the =E2=80=9Ctype=E2=80=9D parameter keeps =
everything well-defined.<br class=3D"">
<br class=3D"">
The question, then, is what defines what=E2=80=99s allowed to go into =
the =E2=80=9Ctype=E2=80=9D field itself? And what defines how that value =
maps to the requirements for the rest of the object? The draft doesn=E2=80=
=99t say anything about it at the moment, but we should choose the =
direction we want to go. On the surface, there are three main =
options:<br class=3D"">
<br class=3D"">
1) Require all values to be registered. <br class=3D"">
2) Require all values to be collision-resistant (eg, URIs).<br class=3D"">=

3) Require all values to be defined by the AS (and/or the RS=E2=80=99s =
that it protects).<br class=3D"">
<br class=3D"">
Are there any other options?<br class=3D"">
<br class=3D"">
Here are my thoughts on each approach:<br class=3D"">
<br class=3D"">
1) While it usually makes sense to register things for interoperability, =
this is a case where I think that a registry would actually hurt =
interoperability and adoption. Like a =E2=80=9Cscope=E2=80=9D value, the =
RAR =E2=80=9Ctype=E2=80=9D is ultimately up to the AS and RS to =
interpret in their own context. We :want: people to define rich objects =
for their APIs and enable fine-grained access for their systems, and if =
they have to register something every time they come up with a new API =
to protect, it=E2=80=99s going to be an unmaintainable mess. I genuinely =
don=E2=80=99t think this would scale, and that most developers would =
just ignore the registry and do what they want anyway. And since many of =
these systems are inside domains, it=E2=80=99s completely unenforceable =
in practice.<br class=3D"">
<br class=3D"">
2) This seems reasonable, but it=E2=80=99s a bit of a nuisance to =
require everything to be a URI here. It=E2=80=99s long and ugly, and a =
lot of APIs are going to be internal to a given group, deployment, or =
ecosystem anyway. This makes sense when you=E2=80=99ve got something =
reusable across many deployments, like OIDC, but it=E2=80=99s overhead =
when what you=E2=80=99re doing is tied to your environment.<br class=3D"">=

<br class=3D"">
3) This allows the AS and RS to define the request parameters for their =
APIs just like they do today with scopes. Since it=E2=80=99s always the =
combination of =E2=80=9Cthis type :AT: this AS/RS=E2=80=9D, name spacing =
is less of an issue across systems. We haven=E2=80=99t seen huge =
problems in scope value overlap in the wild, though it does occur from =
time to time it=E2=80=99s more than manageable. A client isn=E2=80=99t =
going to just =E2=80=9Cspeak RAR=E2=80=9D, it=E2=80=99s going to be =
speaking RAR so that it can access something in particular.<br class=3D"">=

<br class=3D"">
And all that brings me to my proposal: <br class=3D"">
<br class=3D"">
4) Require all values to be defined by the AS, and encourage =
specification developers to use URIs for collision resistance.<br =
class=3D"">
<br class=3D"">
So officially in RAR, the AS would decide what =E2=80=9Ctype=E2=80=9D =
means, and nobody else. But we can also guide people who are developing =
general-purpose interoperable APIs to use URIs for their RAR =E2=80=9Ctype=
=E2=80=9D definitions. This would keep those interoperable APIs from =
stepping on each other, and from stepping on any locally-defined special =
=E2=80=9Ctype=E2=80=9D structure. But at the end of the day, the URI =
carries no more weight than just any other string, and the AS decides =
what it means and how it applies.<br class=3D"">
<br class=3D"">
My argument is that this seems to have worked very, very well for =
scopes, and the RAR =E2=80=9Ctype=E2=80=9D is cut from similar =
descriptive cloth.<br class=3D"">
<br class=3D"">
What does the rest of the group think? How should we manage the RAR =
=E2=80=9Ctype=E2=80=9D values and what they mean?<br class=3D"">
<br class=3D"">
&nbsp;=E2=80=94 Justin<br class=3D"">
_______________________________________________<br class=3D"">
OAuth mailing list<br class=3D"">
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a><br class=3D"">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer"=
 target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><br class=3D"">
</blockquote></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br =
class=3D""></div></div></blockquote></div></div></div>
</div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_6379A745-C141-4984-B45F-1916E310B891--


From nobody Tue Jul 21 10:04:29 2020
MIME-Version: 1.0
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com> <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu> <CAD9ie-tX+C1BvRRMH5E9-05X8YG02r3m1EpMn91Vruv+zsMyeg@mail.gmail.com> <CC8861CE-E535-4290-9E31-E037849ED509@mit.edu> <CAD9ie-tZkKtwVwLUSf2FJ9Xm-80dBupYKvbdmywSgA3M64B_7g@mail.gmail.com> <847FC552-84CA-4227-9768-8BA488B7FEFE@mit.edu>
In-Reply-To: <847FC552-84CA-4227-9768-8BA488B7FEFE@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 21 Jul 2020 10:03:45 -0700
Message-ID: <CAD9ie-s7aZxt5wGjQgdDXSB3AsK1Ovr=cReiC9phnhYpYF-WGQ@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005b15af05aaf69df3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZLwRfIaxXJGArDooLguhe2SC26I>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

--0000000000005b15af05aaf69df3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

The following are the same URI, but are different strings:

“https://schema.example.org/v1”
“HTTPS://schema.example.org/v1”
“https://SCHEMA.EXAMPLE.ORG/v1”

Before comparing them to each other, they must be canonicalized so that
they become the same string.

From earlier in this thread, I am NOT suggesting that it must be a URI, nor
that it is required:

Since the type represents a much more complex object than a JWT claim, a
client developer's tooling could pull down the JSON Schema (or some such)
for a type used in their source code, and provide autocompletion and
validation which would improve productivity and reduce errors. An AS that
is using a defined type could use the schema for input validation. Neither
of these would be at run time. JSON Schema allows comments and examples.

What is the harm in non-normative language around a retrievable URI?


On Tue, Jul 21, 2020 at 9:58 AM Justin Richer <jricher@mit.edu> wrote:

> String comparison works just fine when the strings happen to be URIs, and
> you aren’t treating them as URIs:
>
> “https://schema.example.org/v1”
>
> Is different from
>
> “https://schema.example.org/v2”
>
> And both are different from
>
> “https://schema.example.org:443/v1/”
>
> All of these are strings, and the strings happen to be URIs but that’s
> irrelevant to the comparison process. Can you please help me understand why
> doing a string comparison on these values does not work in exactly the same
> way it would for “foo”, “bar”, and “baz” values? Why would these need to be
> canonicalized to be compared? The definition of a JSON string is an ordered
> set of unicode code points, and this can be compared byte-wise. (Or
> code-point-wise, whatever’s most correct here.) Can you give me
> counter-examples as to where string comparison doesn’t work? And can you
> help me understand how this same worry doesn’t apply to all of the rest of
> the values in the RAR specification, which are also strings and will need
> to be compared?
>
> I’m still very confused as to the URI retrieval issue here, if there even
> is one. It sounds like we’re both saying that it could be useful if type
> values are retrievable when they’re URIs, but that would be something to
> augment a process and not required for the RAR spec. I’m against requiring
> the value to be a URI and against requiring the AS to process that URI *as
> a URI* at runtime. Anything that an AS wants to do with the “type” value,
> including providing additional tooling and validation, is up to the AS and
> outside of the spec.
>
>  — Justin
>
> On Jul 21, 2020, at 12:35 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> This statement:
>
> “compare two strings so that they’re exact”
>
> does not work for either Unicode or URIs. A string, and a canonicalized
> Unicode string are not the same thing. Similar for a URI. I have assumed
> you understand the canonicalization requirement, but it does not sound like
> you do. Would you like examples?
>
>
> wrt. the AS and URI, *you* keep saying that *I* said the AS would retrieve
> the URI. I HAVE NOT SAID THAT!
>
> I am suggesting that the URI MAY be retrievable, and I gave examples on
> how that would be useful for tooling for client developers, and for an AS
> in doing input validation. The URI would NOT be retrieved at run time.
>
>
> On Tue, Jul 21, 2020 at 7:35 AM Justin Richer <jricher@mit.edu> wrote:
>
>> If we treat all the strings as just strings, without any special internal
>> format to be specified or detected, then comparing the strings is a
>> well-understood and well-documented process. I also think that we shouldn’t
>> invent anything here, so if there’s a better way to say “compare two
>> strings so that they’re exact” then that’s what I mean. Sorry if that was
>> unclear.
>>
>> I’m saying the AS should *not* retrieve the URI passed in the “type”
>> value. You brought that up and then described the process that the AS would
>> take to do so. I have said from the start that the use of a URI is for name
>> spacing and not for addressing content to be fetched, so I’m confused why
>> you think I intend otherwise.
>>
>>  — Justin
>>
>> On Jul 20, 2020, at 2:59 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> Canonicalization of URIs and unicode is fairly well specified. I was not
>> suggesting we invent anything there.
>>
>> A byte comparison, as you suggested earlier, will be problematic, as I
>> have pointed out.
>>
>> I'm confused why you are still talking about the AS retrieving a URI.
>>
>> On Mon, Jul 20, 2020 at 4:42 AM Justin Richer <jricher@mit.edu> wrote:
>>
>>> Since this is a recommendation for namespace, we could also just say
>>> collision-resistant like JWT, and any of those examples are fine. But that
>>> said, I think there’s something particularly compelling about URIs since
>>> they have somewhat-human-readable portions. But again, I’m saying it should
>>> be a recommendation to API developers and not a requirement in the spec. In
>>> the spec, I argue that “type” should be a string, full stop.
>>>
>>> If documentation is so confusing that developers are typing in the wrong
>>> strings, then that’s bad documentation. And likely a bad choice for the
>>> “type” string on the part of the AS. You’d have the same problem with any
>>> other value the developer’s supposed to copy over.  :)
>>>
>>> I agree that we should call out explicitly how they should be compared,
>>> and I propose we use one of the handful of existing string-comparison RFC’s
>>> here instead of defining our own rules.
>>>
>>> While the type could be a dereferenceable URI, requiring action on the
>>> AS is really getting into distributed authorization policies. We tried
>>> doing that with UMA1’s scope structures and it didn’t work very well in
>>> practice (in my memory and experience). Someone could profile “type” on top
>>> of this if they wanted to do so, with support at the AS for that, but I
>>> don’t see a compelling reason for that to be a requirement as that’s a lot
>>> of complexity and a lot more error states (the fetch fails, or it doesn’t
>>> have a policy, or the policy’s in a format the AS doesn’t understand, or
>>> the AS doesn’t like the policy, etc).
>>>
>>> An AS is always free to implement its types in such a fashion, and that
>>> could make plenty of sense in a smaller ecosystem. And this is yet another
>>> reason that we define “type” as being a string to be interpreted and
>>> understood by the AS — so that an AS that wants to work this way can do so.
>>>
>>>  — Justin
>>>
>>> PS: thanks for pointing out the error in the example in XYZ, I’ll fix
>>> that prior to publication.
>>>
>>> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>> Justin: thanks for kindly pointing out which mail list this is.
>>>
>>> To clarify, public JWT claims are not just URIs, but any
>>> collision-resistant namespace:
>>> "Examples of collision-resistant namespaces include: Domain Names,
>>> Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670
>>> Recommendation series, and Universally Unique IDentifiers (UUIDs)
>>> [RFC4122]."
>>>
>>> I think letting the "type" be any JSON string and doing a byte-wise
>>> comparison will be problematic. A client developer will be reading
>>> documentation to learn what the types are, and typing it in. Given the wide
>>> set of whitespace characters, and unicode equivalence, different byte
>>> streams will all look the same, and a byte-wise comparison will fail.
>>>
>>> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is
>>> not sufficient. Canonicalization is required.
>>>
>>> These are not showstopper issues, but the specification should call out
>>> how type strings are compared, and provide caveats to an AS developer.
>>>
>>> I have no idea why you would think the AS would retrieve a URL.
>>>
>>> Since the type represents a much more complex object than a JWT claim, a
>>> client developer's tooling could pull down the JSON Schema (or some such)
>>> for a type used in their source code, and provide autocompletion and
>>> validation which would improve productivity and reduce errors. An AS that
>>> is using a defined type could use the schema for input validation. Neither
>>> of these would be at run time. JSON Schema allows comments and examples.
>>>
>>> What is the harm in non-normative language around a retrievable URI?
>>>
>>> BTW: the example in
>>> https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has
>>> not been updated with the "type" field.
>>>
>>>
>>>
>>> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>>>
>>>> Hi Dick,
>>>>
>>>> This is a discussion about the RAR specification on the OAuth list, and
>>>> therefore doesn’t have anything to do with alignment with XAuth. In fact, I
>>>> believe the alignment is the other way around, as doesn’t Xauth normatively
>>>> reference RAR at this point? Even though, last I saw, it uses a different
>>>> top-level structure for conveying things, I believe it does say to use the
>>>> internal object structures. I am also a co-author on RAR and we had already
>>>> defined a “type” field in RAR quite some time ago. You did notice that
>>>> XYZ’s latest draft added this field to keep the two in alignment with each
>>>> other, which has always been the goal since the initial proposal of the RAR
>>>> work, but that’s a time lag and not a display of new intent.
>>>>
>>>> In any event, even though I think the decision has bearing in both
>>>> places, this isn’t about GNAP. Working on RAR’s requirements has brought up
>>>> this interesting issue of what should be in the type field for RAR in OAuth
>>>> 2.
>>>>
>>>> I think that it should be defined as a string, and therefore compared
>>>> as a byte value in all cases, regardless of what the content of the string
>>>> is. I don’t think the AS should be expected to fetch a URI for anything. I
>>>> don’t think the AS should normalize any of the inputs. I think that any
>>>> JSON-friendly character set should be allowed (including spaces and
>>>> unicodes), and since RAR already requires the JSON objects to be
>>>> form-encoded, this shouldn’t cause additional trouble when adding them in
>>>> to OAuth 2’s request structures.
>>>>
>>>> The idea of using a URI would be to get people out of each other’s
>>>> namespaces. It’s similar to the concept of “public” vs “private” claims in
>>>> JWT:
>>>>
>>>> https://tools.ietf.org/html/rfc7519#section-4.2
>>>>
>>>> What I’m proposing is that if you think it’s going to be a
>>>> general-purpose type name, then we recommend you use a URI as your string.
>>>> And beyond that, that’s it. It’s up to the AS to figure out what to do with
>>>> it, and RAR stays out of it.
>>>>
>>>>  — Justin
>>>>
>>>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>
>>>> Hey Justin, glad to see that you have aligned with the latest XAuth
>>>> draft on a type property being required.
>>>>
>>>> I like the idea that the value of the type property is fully defined by
>>>> the AS, which could delegate it to a common URI for reuse. This gets GNAP
>>>> out of specifying access requests, and enables other parties to define
>>>> access without any required coordination with IETF or IANA.
>>>>
>>>> A complication in mixing plain strings and URIs is the
>>>> canonicalization. A plain string can be a fixed byte representation, but a
>>>> URI requires canonicalization for comparison. Mixing the two requires URI
>>>> detection at the AS before canonicalization, and an AS MUST do
>>>> canonicalization of URIs.
>>>>
>>>> The URI is retrievable, it can provide machine and/or human readable
>>>> documentation in JSON schema or some such, or any other content type. Once
>>>> again, the details are out of scope of GNAP, but we can provide examples to
>>>> guide implementers.
>>>>
>>>> Are you still thinking that bare strings are allowed in GNAP, and are
>>>> defined by the AS?
>>>>
>>>>
>>>>
>>>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>>>
>>>>> The “type” field in the RAR spec serves an important purpose: it
>>>>> defines what goes in the rest of the object, including what other fields
>>>>> are available and what values are allowed for those fields. It provides an
>>>>> API-level definition for requesting access based on multiple dimensions,
>>>>> and that’s really powerful and flexible. Each type can use any of the
>>>>> general-purpose fields like “actions” and/or add its own fields as
>>>>> necessary, and the “type” parameter keeps everything well-defined.
>>>>>
>>>>> The question, then, is what defines what’s allowed to go into the
>>>>> “type” field itself? And what defines how that value maps to the
>>>>> requirements for the rest of the object? The draft doesn’t say anything
>>>>> about it at the moment, but we should choose the direction we want to go.
>>>>> On the surface, there are three main options:
>>>>>
>>>>> 1) Require all values to be registered.
>>>>> 2) Require all values to be collision-resistant (eg, URIs).
>>>>> 3) Require all values to be defined by the AS (and/or the RS’s that it
>>>>> protects).
>>>>>
>>>>> Are there any other options?
>>>>>
>>>>> Here are my thoughts on each approach:
>>>>>
>>>>> 1) While it usually makes sense to register things for
>>>>> interoperability, this is a case where I think that a registry would
>>>>> actually hurt interoperability and adoption. Like a “scope” value, the RAR
>>>>> “type” is ultimately up to the AS and RS to interpret in their own context.
>>>>> We :want: people to define rich objects for their APIs and enable
>>>>> fine-grained access for their systems, and if they have to register
>>>>> something every time they come up with a new API to protect, it’s going to
>>>>> be an unmaintainable mess. I genuinely don’t think this would scale, and
>>>>> that most developers would just ignore the registry and do what they want
>>>>> anyway. And since many of these systems are inside domains, it’s completely
>>>>> unenforceable in practice.
>>>>>
>>>>> 2) This seems reasonable, but it’s a bit of a nuisance to require
>>>>> everything to be a URI here. It’s long and ugly, and a lot of APIs are
>>>>> going to be internal to a given group, deployment, or ecosystem anyway.
>>>>> This makes sense when you’ve got something reusable across many
>>>>> deployments, like OIDC, but it’s overhead when what you’re doing is tied to
>>>>> your environment.
>>>>>
>>>>> 3) This allows the AS and RS to define the request parameters for
>>>>> their APIs just like they do today with scopes. Since it’s always the
>>>>> combination of “this type :AT: this AS/RS”, name spacing is less of an
>>>>> issue across systems. We haven’t seen huge problems in scope value overlap
>>>>> in the wild, though it does occur from time to time it’s more than
>>>>> manageable. A client isn’t going to just “speak RAR”, it’s going to be
>>>>> speaking RAR so that it can access something in particular.
>>>>>
>>>>> And all that brings me to my proposal:
>>>>>
>>>>> 4) Require all values to be defined by the AS, and encourage
>>>>> specification developers to use URIs for collision resistance.
>>>>>
>>>>> So officially in RAR, the AS would decide what “type” means, and
>>>>> nobody else. But we can also guide people who are developing
>>>>> general-purpose interoperable APIs to use URIs for their RAR “type”
>>>>> definitions. This would keep those interoperable APIs from stepping on each
>>>>> other, and from stepping on any locally-defined special “type” structure.
>>>>> But at the end of the day, the URI carries no more weight than just any
>>>>> other string, and the AS decides what it means and how it applies.
>>>>>
>>>>> My argument is that this seems to have worked very, very well for
>>>>> scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>>>
>>>>> What does the rest of the group think? How should we manage the RAR
>>>>> “type” values and what they mean?
>>>>>
>>>>>  — Justin
>>>>>
>>>>
>>>>
>>>
>>
>
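
Added example, not part of any participant's message: the three comparison policies argued over in this thread (opaque string, Unicode NFC, URI normalization after URI detection), run over the URI strings quoted above. The function names, the registry, the non-URI sample values and the chosen subset of RFC 3986 normalization are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# The five URI strings quoted in the thread.
THREAD_URIS = [
    "https://schema.example.org/v1",
    "HTTPS://schema.example.org/v1",
    "https://SCHEMA.EXAMPLE.ORG/v1",
    "https://schema.example.org/v2",
    "https://schema.example.org:443/v1/",
]

# Constructed samples (not from the thread): strings that render alike.
COMPOSED = "caf\u00e9-orders"      # precomposed U+00E9
DECOMPOSED = "cafe\u0301-orders"   # "e" followed by U+0301 combining acute
NBSP_VALUE = "read\u00a0files"     # no-break space
SPACE_VALUE = "read files"         # ordinary space


def key_exact(value):
    """Policy A: the type is an opaque string, compared code point by code point."""
    return value


def key_nfc(value):
    """Policy B: apply Unicode NFC first (canonical equivalence only)."""
    return unicodedata.normalize("NFC", value)


def key_uri(value):
    """Policy C: detect URI-shaped values and normalize them; others stay opaque.

    Assumed subset of RFC 3986 section 6.2: lowercase scheme and host, drop the
    scheme's default port, turn an empty path into "/". Values with userinfo,
    IPv6 literals or an unparsable port are left untouched.
    """
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:
        return value
    if not parts.scheme or not parts.hostname:
        return value                      # plain string, not URI-shaped
    if "@" in parts.netloc or "[" in parts.netloc:
        return value
    scheme = parts.scheme.lower()
    host = parts.hostname                 # urlsplit already lowercases the host
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path or "/", parts.query, parts.fragment))


def equivalence_classes(values, key):
    """Group the values that the given policy treats as the same type."""
    groups = {}
    for value in values:
        groups.setdefault(key(value), []).append(value)
    return list(groups.values())


def lookup(registry, requested_type, key):
    """Resolve a requested type against the AS's definitions under one policy.

    Returns the definition name, or None when the type is unknown.
    """
    wanted = key(requested_type)
    for registered, definition in registry.items():
        if key(registered) == wanted:
            return definition
    return None


# Hypothetical AS registry: one URI-named type and one locally named type.
REGISTRY = {
    "https://schema.example.org/v1": "schema-v1",
    COMPOSED: "cafe-orders",
}

if __name__ == "__main__":
    for name, key in (("exact", key_exact), ("nfc", key_nfc), ("uri", key_uri)):
        count = len(equivalence_classes(THREAD_URIS, key))
        print(f"{name}: {count} distinct types among the thread's URIs")
    for key in (key_exact, key_uri):
        print(key.__name__, lookup(REGISTRY, "HTTPS://schema.example.org/v1", key))
    for key in (key_exact, key_nfc):
        print(key.__name__, lookup(REGISTRY, DECOMPOSED, key))
    # NFC does not fold a no-break space into a space; that needs a stronger rule.
    print(key_nfc(NBSP_VALUE) == key_nfc(SPACE_VALUE))
```

Whichever policy an AS picks, the RS and any policy engine behind it need the same key function, or a type that one component resolves will be unknown to another.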

--0000000000005b15af05aaf69df3

--0000000000005b15af05aaf69df3--
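
The two comparison rules argued over in the message above, run on the thread's own example strings. This is an added sketch, not code from any participant or from the RAR draft. The function names and the composed/decomposed "café" pair are constructed for illustration, and `normalize_uri` applies the syntax-based and scheme-based normalization of RFC 3986 section 6.2 to hierarchical URIs only.

```python
import re
import unicodedata
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)

# Example strings quoted in the thread.
THREAD_STRINGS = [
    "https://schema.example.org/v1",
    "HTTPS://schema.example.org/v1",
    "https://SCHEMA.EXAMPLE.ORG/v1",
    "https://schema.example.org/v2",
    "https://schema.example.org:443/v1/",
]
# Constructed sample: the same visible text as composed and decomposed Unicode.
COMPOSED, DECOMPOSED = "caf\u00e9", "cafe\u0301"


def exact_equal(a, b):
    """Byte-wise rule: equal only if the UTF-8 encodings are identical."""
    return a.encode("utf-8") == b.encode("utf-8")


def nfc_equal(a, b):
    """Unicode rule: equal if both strings have the same NFC form."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


def _normalize_percent(text):
    """Upper-case %XX escapes and decode those that encode unreserved chars."""
    def fix(match):
        char = chr(int(match.group(1), 16))
        return char if char in UNRESERVED else "%" + match.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, text)


def _remove_dot_segments(path):
    """Resolve '.' and '..' in an absolute (or empty) path."""
    out = []
    segments = path.split("/")
    for index, segment in enumerate(segments):
        if segment in (".", ".."):
            if segment == ".." and len(out) > 1:
                out.pop()
            if index == len(segments) - 1:
                out.append("")  # a trailing dot segment leaves a trailing "/"
        else:
            out.append(segment)
    return "/".join(out)


def normalize_uri(value):
    """Return the normalized form of a hierarchical URI.

    Strings without both a scheme and an authority are returned unchanged,
    so plain type names pass through untouched.
    """
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:
        return value
    if not parts.scheme or not parts.netloc:
        return value
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if ":" in host:  # IPv6 literal: hostname drops the brackets
        host = "[" + host + "]"
    userinfo = parts.netloc.rpartition("@")[0]
    netloc = (userinfo + "@" if userinfo else "") + host
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        netloc += ":" + str(port)
    path = _remove_dot_segments(_normalize_percent(parts.path)) or "/"
    return urlunsplit((scheme, netloc, path,
                       _normalize_percent(parts.query),
                       _normalize_percent(parts.fragment)))


def compare(a, b):
    """Report the verdict of each rule for one pair of type values."""
    return {
        "exact": exact_equal(a, b),
        "nfc": nfc_equal(a, b),
        "uri": normalize_uri(a) == normalize_uri(b),
    }


if __name__ == "__main__":
    reference = THREAD_STRINGS[0]
    for other in THREAD_STRINGS[1:] + [DECOMPOSED]:
        left = COMPOSED if other == DECOMPOSED else reference
        print(repr(left), "vs", repr(other), "->", compare(left, other))
```

The port-443 string from the thread still differs from the first one after normalization, because its path ends in a slash.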


From nobody Tue Jul 21 10:10:41 2020
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB8753A0C26 for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2020 10:10:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.097
X-Spam-Level: 
X-Spam-Status: No, score=-0.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.999, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pSPxT6Xz0SOz for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2020 10:10:35 -0700 (PDT)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C19B3A0C25 for <oauth@ietf.org>; Tue, 21 Jul 2020 10:10:35 -0700 (PDT)
Received: by mail-lf1-x12e.google.com with SMTP id u25so12091169lfm.1 for <oauth@ietf.org>; Tue, 21 Jul 2020 10:10:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=48U9M5/cA/OEyxpKYwzQ14If3tyZ/iPbh4xLHj4v3RM=; b=u4POegYt88y+ffI0XtSluUG1z4H3sjW35udj9OrcC0jsulZxEXNbm0/z4Be8bhaZs8 rwUMOmVAcaskoUoHz0bpdwySgFQyqX/T/66O6dV2nKbRzaJdJ4c+molX7Jjjv29gR3Bf pzy71/ngulJLTX1Zs6rL0FKWoNY/AdazTdq2O08UFS0ouAZ3vi8VhRiZFfVlyK9LI/Mq Vb56uhFplySX9jR/uXLFZiiRPcKM/79p4T3jCnB6IsANVsYXhFvGcSBduxgvRhetk/Gh dg0P8Twu0MYVVWAHTuzHHN1T67WLrIBht4gcWBrfzkkkwLXxoMbrqSqBQLCUIvNXmTEy ViNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=48U9M5/cA/OEyxpKYwzQ14If3tyZ/iPbh4xLHj4v3RM=; b=qgzZ6SKbRJY+H5pAmXZjILQSHNGUvAxOh5onSrjtY4V3cS2iDVsCCUMVpRPdxEwWTQ p9ZxWbVVFdUyfR0mYg6JkAecIv7YStqaDmNLTg4SOtC+JXeH/7EsKJacVlz67cU2Tv8v pXWZO8wgnS9mik+H3ws7+r7KEwKR9XniEIXn8IQoRxmy8g+PBqK4engy5Jac7cA0wZWp jugXZf+CeWkaM4+pwSHFy+yyMep3MR34FvIMF2SHfVxt/8pz4q8XGb10O1MXBgIXo+14 BJBo1e4IBycMjHJ2e812hlLIQn1AyrXaAE5wiMbwwMy6MkXGyJBPMPmzJJXO+yCfyhFr Qt0w==
X-Gm-Message-State: AOAM533uNNsHsQ8Zpt8dhU24I7TzbnF9jJ+U8C0pmfkbK9wQ2IuKEqa/ 2VL2SQyyTpg9Rubvo1G9y/3KqbAWWMilroxQLh4=
X-Google-Smtp-Source: ABdhPJxog7g4rMuQ8caM8B91IjHGuVb7FgT0aakFKEZSpN5AGgf0hkMqnkFTdB+3gdNZhAj3K3p6A1UnxhhCTMDzdV8=
X-Received: by 2002:ac2:4a9d:: with SMTP id l29mr5597525lfp.23.1595351433215;  Tue, 21 Jul 2020 10:10:33 -0700 (PDT)
MIME-Version: 1.0
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com> <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu> <CAD9ie-tX+C1BvRRMH5E9-05X8YG02r3m1EpMn91Vruv+zsMyeg@mail.gmail.com> <CC8861CE-E535-4290-9E31-E037849ED509@mit.edu> <CAD9ie-tZkKtwVwLUSf2FJ9Xm-80dBupYKvbdmywSgA3M64B_7g@mail.gmail.com> <847FC552-84CA-4227-9768-8BA488B7FEFE@mit.edu> <CAD9ie-s7aZxt5wGjQgdDXSB3AsK1Ovr=cReiC9phnhYpYF-WGQ@mail.gmail.com>
In-Reply-To: <CAD9ie-s7aZxt5wGjQgdDXSB3AsK1Ovr=cReiC9phnhYpYF-WGQ@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 21 Jul 2020 10:09:57 -0700
Message-ID: <CAD9ie-syeKtktYpi4Seboz1S0ugBZPhP+3hntod5f_3WynCXzw@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000078050905aaf6b314"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/g4sUnhMap_mvPz7ButFySd5Eo4o>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 17:10:40 -0000

--00000000000078050905aaf6b314
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

An explanation of the issues in Unicode can be found here:

https://en.wikipedia.org/wiki/Unicode_equivalence#Character_duplication



On Tue, Jul 21, 2020 at 10:03 AM Dick Hardt <dick.hardt@gmail.com> wrote:

>
> The following are the same URI, but are different strings:
>
> “https://schema.example.org/v1”
> “HTTPS://schema.example.org/v1”
> “https://SCHEMA.EXAMPLE.ORG/v1”
>
> Before comparing them to each other, they must be canonicalized so that
> they become the same string.
>
> From earlier in this thread, I am NOT suggesting that it must be a URI,
> nor that it is required:
>
> Since the type represents a much more complex object than a JWT claim, a
> client developer's tooling could pull down the JSON Schema (or some such)
> for a type used in their source code, and provide autocompletion and
> validation which would improve productivity and reduce errors. An AS that
> is using a defined type could use the schema for input validation. Neither
> of these would be at run time. JSON Schema allows comments and examples.
>
> What is the harm in non-normative language around a retrievable URI?
>
>
> On Tue, Jul 21, 2020 at 9:58 AM Justin Richer <jricher@mit.edu> wrote:
>
>> String comparison works just fine when the strings happen to be URIs, and
>> you aren’t treating them as URIs:
>>
>> “https://schema.example.org/v1”
>>
>> Is different from
>>
>> “https://schema.example.org/v2”
>>
>> And both are different from
>>
>> “https://schema.example.org:443/v1/”
>>
>> All of these are strings, and the strings happen to be URIs but that’s
>> irrelevant to the comparison process. Can you please help me understand why
>> doing a string comparison on these values does not work in exactly the same
>> way it would for “foo”, “bar”, and “baz” values? Why would these need to be
>> canonicalized to be compared? The definition of a JSON string is an ordered
>> set of unicode code points, and this can be compared byte-wise. (Or
>> code-point-wise, whatever’s most correct here.) Can you give me
>> counter-examples as to where string comparison doesn’t work? And can you
>> help me understand how this same worry doesn’t apply to all of the rest of
>> the values in the RAR specification, which are also strings and will need
>> to be compared?
>>
>> I’m still very confused as to the URI retrieval issue here, if there even
>> is one. It sounds like we’re both saying that it could be useful if type
>> values are retrievable when they’re URIs, but that would be something to
>> augment a process and not required for the RAR spec. I’m against requiring
>> the value to be a URI and against requiring the AS to process that URI *as
>> a URI* at runtime. Anything that an AS wants to do with the “type”
>> value, including providing additional tooling and validation, is up to the
>> AS and outside of the spec.
>>
>>  — Justin
>>
>> On Jul 21, 2020, at 12:35 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> This statement:
>>
>> “compare two strings so that they’re exact”
>>
>> does not work for either Unicode or URIs. A string, and a canonicalized
>> Unicode string are not the same thing. Similar for a URI. I have assumed
>> you understand the canonicalization requirement, but it does not sound like
>> you do. Would you like examples?
>>
>>
>> wrt. the AS and URI, *you* keep saying that *I* said the AS would
>> retrieve the URI. I HAVE NOT SAID THAT!
>>
>> I am suggesting that the URI MAY be retrievable, and I gave examples on
>> how that would be useful for tooling for client developers, and for an AS
>> in doing input validation. The URI would NOT be retrieved at run time.
>>
>>
>> On Tue, Jul 21, 2020 at 7:35 AM Justin Richer <jricher@mit.edu> wrote:
>>
>>> If we treat all the strings as just strings, without any special
>>> internal format to be specified or detected, then comparing the strings is
>>> a well-understood and well-documented process. I also think that we
>>> shouldn’t invent anything here, so if there’s a better way to say “compare
>>> two strings so that they’re exact” then that’s what I mean. Sorry if that
>>> was unclear.
>>>
>>> I’m saying the AS should *not* retrieve the URI passed in the “type”
>>> value. You brought that up and then described the process that the AS would
>>> take to do so. I have said from the start that the use of a URI is for name
>>> spacing and not for addressing content to be fetched, so I’m confused why
>>> you think I intend otherwise.
>>>
>>>  — Justin
>>>
>>> On Jul 20, 2020, at 2:59 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>> Canonicalization of URIs and unicode is fairly well specified. I was not
>>> suggesting we invent anything there.
>>>
>>> A byte comparison, as you suggested earlier, will be problematic, as I
>>> have pointed out.
>>>
>>> I'm confused why you are still talking about the AS retrieving a URI.
>>>
>>> On Mon, Jul 20, 2020 at 4:42 AM Justin Richer <jricher@mit.edu> wrote:
>>>
>>>> Since this is a recommendation for namespace, we could also just say
>>>> collision-resistant like JWT, and any of those examples are fine. But that
>>>> said, I think there’s something particularly compelling about URIs since
>>>> they have somewhat-human-readable portions. But again, I’m saying it should
>>>> be a recommendation to API developers and not a requirement in the spec. In
>>>> the spec, I argue that “type” should be a string, full stop.
>>>>
>>>> If documentation is so confusing that developers are typing in the
>>>> wrong strings, then that’s bad documentation. And likely a bad choice for
>>>> the “type” string on the part of the AS. You’d have the same problem with
>>>> any other value the developer’s supposed to copy over.  :)
>>>>
>>>> I agree that we should call out explicitly how they should be compared,
>>>> and I propose we use one of the handful of existing string-comparison RFCs
>>>> here instead of defining our own rules.
>>>>
>>>> While the type could be a dereferenceable URI, requiring action on the
>>>> AS is really getting into distributed authorization policies. We tried
>>>> doing that with UMA1’s scope structures and it didn’t work very well in
>>>> practice (in my memory and experience). Someone could profile “type” on top
>>>> of this if they wanted to do so, with support at the AS for that, but I
>>>> don’t see a compelling reason for that to be a requirement as that’s a lot
>>>> of complexity and a lot more error states (the fetch fails, or it doesn’t
>>>> have a policy, or the policy’s in a format the AS doesn’t understand, or
>>>> the AS doesn’t like the policy, etc).
>>>>
>>>> An AS is always free to implement its types in such a fashion, and
>>>> that could make plenty of sense in a smaller ecosystem. And this is yet
>>>> another reason that we define “type” as being a string to be interpreted
>>>> and understood by the AS — so that an AS that wants to work this way can do
>>>> so.
>>>>
>>>>  — Justin
>>>>
>>>> PS: thanks for pointing out the error in the example in XYZ, I’ll fix
>>>> that prior to publication.
>>>>
>>>> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>
>>>> Justin: thanks for kindly pointing out which mail list this is.
>>>>
>>>> To clarify, public JWT claims are not just URIs, but any
>>>> collision-resistant namespace:
>>>> "Examples of collision-resistant namespaces include: Domain Names,
>>>> Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670
>>>> Recommendation series, and Universally Unique IDentifiers (UUIDs)
>>>> [RFC4122]."
>>>>
>>>> I think letting the "type" be any JSON string and doing a byte-wise
>>>> comparison will be problematic. A client developer will be reading
>>>> documentation to learn what the types are, and typing it in. Given the wide
>>>> set of whitespace characters, and unicode equivalence, different byte
>>>> streams will all look the same, and a byte-wise comparison will fail.
>>>>
>>>> Similarly for URIs. If it is a valid URI, then a byte-wise comparison
>>>> is not sufficient. Canonicalization is required.
>>>>
>>>> These are not showstopper issues, but the specification should call out
>>>> how type strings are compared, and provide caveats to an AS developer.
>>>>
>>>> I have no idea why you would think the AS would retrieve a URL.
>>>>
>>>> Since the type represents a much more complex object than a JWT claim,
>>>> a client developer's tooling could pull down the JSON Schema (or some such)
>>>> for a type used in their source code, and provide autocompletion and
>>>> validation which would improve productivity and reduce errors. An AS that
>>>> is using a defined type could use the schema for input validation. Neither
>>>> of these would be at run time. JSON Schema allows comments and examples.
>>>>
>>>> What is the harm in non-normative language around a retrievable URI?
>>>>
>>>> BTW: the example in
>>>> https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has
>>>> not been updated with the "type" field.
>>>>
>>>>
>>>>
>>>> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>>>>
>>>>> Hi Dick,
>>>>>
>>>>> This is a discussion about the RAR specification on the OAuth list,
>>>>> and therefore doesn’t have anything to do with alignment with XAuth. In
>>>>> fact, I believe the alignment is the other way around, as doesn’t Xauth
>>>>> normatively reference RAR at this point? Even though, last I saw, it uses a
>>>>> different top-level structure for conveying things, I believe it does say
>>>>> to use the internal object structures. I am also a co-author on RAR and we
>>>>> had already defined a “type” field in RAR quite some time ago. You did
>>>>> notice that XYZ’s latest draft added this field to keep the two in
>>>>> alignment with each other, which has always been the goal since the initial
>>>>> proposal of the RAR work, but that’s a time lag and not a display of new
>>>>> intent.
>>>>>
>>>>> In any event, even though I think the decision has bearing in both
>>>>> places, this isn’t about GNAP. Working on RAR’s requirements has brought up
>>>>> this interesting issue of what should be in the type field for RAR in OAuth
>>>>> 2.
>>>>>
>>>>> I think that it should be defined as a string, and therefore compared
>>>>> as a byte value in all cases, regardless of what the content of the string
>>>>> is. I don’t think the AS should be expected to fetch a URI for anything. I
>>>>> don’t think the AS should normalize any of the inputs. I think that any
>>>>> JSON-friendly character set should be allowed (including spaces and
>>>>> unicodes), and since RAR already requires the JSON objects to be
>>>>> form-encoded, this shouldn’t cause additional trouble when adding them in
>>>>> to OAuth 2’s request structures.
>>>>>
>>>>> The idea of using a URI would be to get people out of each other’s
>>>>> namespaces. It’s similar to the concept of “public” vs “private” claims in
>>>>> JWT:
>>>>>
>>>>> https://tools.ietf.org/html/rfc7519#section-4.2
>>>>>
>>>>> What I’m proposing is that if you think it’s going to be a
>>>>> general-purpose type name, then we recommend you use a URI as your string.
>>>>> And beyond that, that’s it. It’s up to the AS to figure out what to do with
>>>>> it, and RAR stays out of it.
>>>>>
>>>>>  — Justin
>>>>>
>>>>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>
>>>>> Hey Justin, glad to see that you have aligned with the latest XAuth
>>>>> draft on a type property being required.
>>>>>
>>>>> I like the idea that the value of the type property is fully defined
>>>>> by the AS, which could delegate it to a common URI for reuse. This gets
>>>>> GNAP out of specifying access requests, and enables other parties to define
>>>>> access without any required coordination with IETF or IANA.
>>>>>
>>>>> A complication in mixing plain strings and URIs is the
>>>>> canonicalization. A plain string can be a fixed byte representation, but a
>>>>> URI requires canonicalization for comparison. Mixing the two requires URI
>>>>> detection at the AS before canonicalization, and an AS MUST do
>>>>> canonicalization of URIs.
>>>>>
>>>>> The URI is retrievable, it can provide machine and/or human readable
>>>>> documentation in JSON schema or some such, or any other content type. Once
>>>>> again, the details are out of scope of GNAP, but we can provide examples to
>>>>> guide implementers.
>>>>>
>>>>> Are you still thinking that bare strings are allowed in GNAP, and are
>>>>> defined by the AS?
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>>>>
>>>>>> The “type” field in the RAR spec serves an important purpose: it
>>>>>> defines what goes in the rest of the object, including what other fields
>>>>>> are available and what values are allowed for those fields. It provides an
>>>>>> API-level definition for requesting access based on multiple dimensions,
>>>>>> and that’s really powerful and flexible. Each type can use any of the
>>>>>> general-purpose fields like “actions” and/or add its own fields as
>>>>>> necessary, and the “type” parameter keeps everything well-defined.
>>>>>>
>>>>>> The question, then, is what defines what’s allowed to go into the
>>>>>> “type” field itself? And what defines how that value maps to the
>>>>>> requirements for the rest of the object? The draft doesn’t say anything
>>>>>> about it at the moment, but we should choose the direction we want to go.
>>>>>> On the surface, there are three main options:
>>>>>>
>>>>>> 1) Require all values to be registered.
>>>>>> 2) Require all values to be collision-resistant (eg, URIs).
>>>>>> 3) Require all values to be defined by the AS (and/or the RS’s that
>>>>>> it protects).
>>>>>>
>>>>>> Are there any other options?
>>>>>>
>>>>>> Here are my thoughts on each approach:
>>>>>>
>>>>>> 1) While it usually makes sense to register things for
>>>>>> interoperability, this is a case where I think that a registry would
>>>>>> actually hurt interoperability and adoption. Like a “scope” value, the RAR
>>>>>> “type” is ultimately up to the AS and RS to interpret in their own context.
>>>>>> We :want: people to define rich objects for their APIs and enable
>>>>>> fine-grained access for their systems, and if they have to register
>>>>>> something every time they come up with a new API to protect, it’s going to
>>>>>> be an unmaintainable mess. I genuinely don’t think this would scale, and
>>>>>> that most developers would just ignore the registry and do what they want
>>>>>> anyway. And since many of these systems are inside domains, it’s completely
>>>>>> unenforceable in practice.
>>>>>>
>>>>>> 2) This seems reasonable, but it’s a bit of a nuisance to require
>>>>>> everything to be a URI here. It’s long and ugly, and a lot of APIs are
>>>>>> going to be internal to a given group, deployment, or ecosystem anyway.
>>>>>> This makes sense when you’ve got something reusable across many
>>>>>> deployments, like OIDC, but it’s overhead when what you’re doing is tied to
>>>>>> your environment.
>>>>>>
>>>>>> 3) This allows the AS and RS to define the request parameters for
>>>>>> their APIs just like they do today with scopes. Since it’s always the
>>>>>> combination of “this type :AT: this AS/RS”, name spacing is less of an
>>>>>> issue across systems. We haven’t seen huge problems in scope value overlap
>>>>>> in the wild, though it does occur from time to time it’s more than
>>>>>> manageable. A client isn’t going to just “speak RAR”, it’s going to be
>>>>>> speaking RAR so that it can access something in particular.
>>>>>>
>>>>>> And all that brings me to my proposal:
>>>>>>
>>>>>> 4) Require all values to be defined by the AS, and encourage
>>>>>> specification developers to use URIs for collision resistance.
>>>>>>
>>>>>> So officially in RAR, the AS would decide what “type” means, and
>>>>>> nobody else. But we can also guide people who are developing
>>>>>> general-purpose interoperable APIs to use URIs for their RAR “type”
>>>>>> definitions. This would keep those interoperable APIs from stepping on each
>>>>>> other, and from stepping on any locally-defined special “type” structure.
>>>>>> But at the end of the day, the URI carries no more weight than just any
>>>>>> other string, and the AS decides what it means and how it applies.
>>>>>>
>>>>>> My argument is that this seems to have worked very, very well for
>>>>>> scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>>>>
>>>>>> What does the rest of the group think? How should we manage the RAR
>>>>>> “type” values and what they mean?
>>>>>>
>>>>>>  — Justin
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
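
The three comparison policies argued over in this thread (exact string match, Unicode-normalized match, and URI-canonicalized match), run against the URI strings quoted in the messages, as an added example that is not part of any message and not code from the RAR draft. `TypeRegistry`, `canonical_key`, the policy names and the `café-payments` values are hypothetical and constructed; the URI normalization is a subset of RFC 3986 section 6.2 (case, default port, empty path).

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def looks_like_uri(value):
    """True for hierarchical URIs (scheme plus authority) that urlsplit accepts."""
    # urlsplit silently strips some whitespace/control characters, so a value
    # containing any is treated as a plain string instead of being "repaired".
    if any(ch.isspace() or unicodedata.category(ch) == "Cc" for ch in value):
        return False
    try:
        parts = urlsplit(value)
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False
    return bool(parts.scheme and parts.hostname)


def normalize_uri(value):
    """Subset of RFC 3986 section 6.2: case, default port and empty path only."""
    parts = urlsplit(value)  # already lowercases the scheme
    host = parts.hostname    # already lowercased; brackets stripped from IPv6
    netloc = "[" + host + "]" if ":" in host else host
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        netloc += ":" + str(parts.port)
    if "@" in parts.netloc:  # keep userinfo untouched, it is case-sensitive
        netloc = parts.netloc.rpartition("@")[0] + "@" + netloc
    return urlunsplit((parts.scheme, netloc, parts.path or "/",
                       parts.query, parts.fragment))


def canonical_key(value, policy):
    """Map a "type" string to the key the AS stores and compares."""
    if policy == "exact":   # string compared as-is, no normalization
        return value
    nfc = unicodedata.normalize("NFC", value)
    if policy == "nfc":     # Unicode canonical equivalence only
        return nfc
    if policy == "uri":     # URI detection first, then canonicalization
        return normalize_uri(nfc) if looks_like_uri(nfc) else nfc
    raise ValueError("unknown policy: " + policy)


class TypeRegistry:
    """Hypothetical AS-side table of known "type" values under one policy."""

    def __init__(self, policy):
        self.policy = policy
        self._definitions = {}

    def register(self, type_value, definition):
        # The same canonicalization runs at registration and at lookup, so two
        # values that would compare equal can never be registered separately.
        key = canonical_key(type_value, self.policy)
        if key in self._definitions:
            raise ValueError("type collides with an existing one: %r" % type_value)
        self._definitions[key] = definition

    def lookup(self, requested):
        return self._definitions.get(canonical_key(requested, self.policy))


# Constructed sample data: the URIs are the ones quoted in the thread.
REGISTERED = {"https://schema.example.org/v1": "schema-v1",
              "caf\u00e9-payments": "cafe"}
REQUESTS = [
    "https://schema.example.org/v1",
    "HTTPS://schema.example.org/v1",
    "https://SCHEMA.EXAMPLE.ORG/v1",
    "https://schema.example.org:443/v1/",  # trailing slash: a different path
    "https://schema.example.org/v2",
    "cafe\u0301-payments",                 # decomposed e + combining acute
    "caf\u00e9\u2010payments",             # U+2010 HYPHEN look-alike
]


def match_table():
    """Return {policy: {requested type: matched definition or None}}."""
    table = {}
    for policy in ("exact", "nfc", "uri"):
        registry = TypeRegistry(policy)
        for type_value, definition in REGISTERED.items():
            registry.register(type_value, definition)
        table[policy] = {req: registry.lookup(req) for req in REQUESTS}
    return table


if __name__ == "__main__":
    for policy, row in match_table().items():
        for req, hit in row.items():
            print(policy.ljust(5), ascii(req).ljust(42), "->", hit)
```

Under every policy the look-alike hyphen and the trailing-slash URI stay distinct from the registered values, and under the exact policy an AS can register visually identical strings as separate types.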

</blockquote></div>

--00000000000078050905aaf6b314--


From nobody Tue Jul 21 10:34:34 2020
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEF993A0C82 for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2020 10:34:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.082
X-Spam-Level: 
X-Spam-Status: No, score=0.082 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.999, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nn3jp7N56ME5 for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2020 10:34:29 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DC863A0C80 for <oauth@ietf.org>; Tue, 21 Jul 2020 10:34:28 -0700 (PDT)
Received: from [192.168.1.3] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 06LHYQWO016258 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 21 Jul 2020 13:34:26 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <0E6A3DE4-4EDC-4AB0-A491-D7DC960592AA@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5FF50CAD-77B7-4F37-80EC-4B07A5C0AEB5"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 21 Jul 2020 13:34:25 -0400
In-Reply-To: <CAD9ie-s7aZxt5wGjQgdDXSB3AsK1Ovr=cReiC9phnhYpYF-WGQ@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Dick Hardt <dick.hardt@gmail.com>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com> <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu> <CAD9ie-tX+C1BvRRMH5E9-05X8YG02r3m1EpMn91Vruv+zsMyeg@mail.gmail.com> <CC8861CE-E535-4290-9E31-E037849ED509@mit.edu> <CAD9ie-tZkKtwVwLUSf2FJ9Xm-80dBupYKvbdmywSgA3M64B_7g@mail.gmail.com> <847FC552-84CA-4227-9768-8BA488B7FEFE@mit.edu> <CAD9ie-s7aZxt5wGjQgdDXSB3AsK1Ovr=cReiC9phnhYpYF-WGQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6RRQ8G6h_VRWBdT29hM91AcBJ8I>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 17:34:33 -0000

--Apple-Mail=_5FF50CAD-77B7-4F37-80EC-4B07A5C0AEB5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Right, and I’m saying that all three of those would be DIFFERENT “type” values, because they’re different strings. The fact that when treated as URIs they would be equivalent is irrelevant. Just like “foo”, “Foo”, and “FOO” would be different “type” values, per the spec. Nothing is stopping an AS from treating them as equivalent internally, but that seems a bit dangerous to me. I’d love to see a formal breakdown of that, though.

As for the unicode example, if we define things as using byte comparisons, then that becomes an issue for proper documentation and configuration — and again, probably a good place to have recommendations for picking type value strings so as to avoid such problems.

In short, I don’t think we should have any requirements on canonicalization for these values.

 — Justin

> On Jul 21, 2020, at 1:03 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
>
> The following are the same URI, but are different strings:
>
> 	“https://schema.example.org/v1 <https://schema.example.org/v1>”
> 	“HTTPS://schema.example.org/v1 <https://schema.example.org/v1>”
> 	“https://SCHEMA.EXAMPLE.ORG/v1 <https://schema.example.org/v1>”
>
> Before comparing them to each other, they must be canonicalized so that they become the same string.
>
> From earlier in this thread, I am NOT suggesting that it must be a URI, nor that it is required:
>
> Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.
>
> What is the harm in non-normative language around a retrievable URI?
>
> On Tue, Jul 21, 2020 at 9:58 AM Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
> String comparison works just fine when the strings happen to be URIs, and you aren’t treating them as URIs:
>
> 	“https://schema.example.org/v1 <https://schema.example.org/v1>”
>
> Is different from
>
> 	“https://schema.example.org/v2 <https://schema.example.org/v2>”
>
> And both are different from
>
> 	“https://schema.example.org:443/v1 <https://schema.example.org/v1>/“
>
> All of these are strings, and the strings happen to be URIs but that’s irrelevant to the comparison process. Can you please help me understand why doing a string comparison on these values does not work in exactly the same way it would for “foo”, “bar”, and “baz” values? Why would these need to be canonicalized to be compared? The definition of a JSON string is an ordered set of unicode code points, and this can be compared byte-wise. (Or code-point-wise, whatever’s most correct here.) Can you give me counter-examples as to where string comparison doesn’t work? And can you help me understand how this same worry doesn’t apply to all of the rest of the values in the RAR specification, which are also strings and will need to be compared?
>
> I’m still very confused as to the URI retrieval issue here, if there even is one. It sounds like we’re both saying that it could be useful if type values are retrievable when they’re URIs, but that would be something to augment a process and not required for the RAR spec. I’m against requiring the value to be a URI and against requiring the AS to process that URI as a URI at runtime. Anything that an AS wants to do with the “type” value, including providing additional tooling and validation, is up to the AS and outside of the spec.
>
>  — Justin
>
>> On Jul 21, 2020, at 12:35 PM, Dick Hardt <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
>>
>> This statement:
>>
>> “compare two strings so that they’re exact”
>>
>> does not work for either Unicode or URIs. A string, and a canonicalized Unicode string are not the same thing. Similar for a URI. I have assumed you understand the canonicalization requirement, but it does not sound like you do. Would you like examples?
>>
>>
>> wrt. the AS and URI, *you* keep saying that *I* said the AS would retrieve the URI. I HAVE NOT SAID THAT!
>>
>> I am suggesting that the URI MAY be retrievable, and I gave examples on how that would be useful for tooling for client developers, and for an AS in doing input validation. The URI would NOT be retrieved at run time.
>>
>>
>> On Tue, Jul 21, 2020 at 7:35 AM Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>> If we treat all the strings as just strings, without any special internal format to be specified or detected, then comparing the strings is a well-understood and well-documented process. I also think that we shouldn’t invent anything here, so if there’s a better way to say “compare two strings so that they’re exact” then that’s what I mean. Sorry if that was unclear.
>>
>> I’m saying the AS should not retrieve the URI passed in the “type” value. You brought that up and then described the process that the AS would take to do so. I have said from the start that the use of a URI is for name spacing and not for addressing content to be fetched, so I’m confused why you think I intend otherwise.
>>
>>  — Justin
>>
>>> On Jul 20, 2020, at 2:59 PM, Dick Hardt <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
>>>
>>> Canonicalization of URIs and unicode is fairly well specified. I was not suggesting we invent anything there.
>>>
>>> A byte comparison, as you suggested earlier, will be problematic, as I have pointed out.
>>>
>>> I'm confused why you are still talking about the AS retrieving a URI.
>>>
>>> ᐧ
>>>
>>> On Mon, Jul 20, 2020 at 4:42 AM Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>>> Since this is a recommendation for namespace, we could also just say collision-resistant like JWT, and any of those examples are fine. But that said, I think there’s something particularly compelling about URIs since they have somewhat-human-readable portions. But again, I’m saying it should be a recommendation to API developers and not a requirement in the spec. In the spec, I argue that “type” should be a string, full stop.
>>>
>>> If documentation is so confusing that developers are typing in the wrong strings, then that’s bad documentation. And likely a bad choice for the “type” string on the part of the AS. You’d have the same problem with any other value the developer’s supposed to copy over.  :)
>>>
>>> I agree that we should call out explicitly how they should be compared, and I propose we use one of the handful of existing string-comparison RFC’s here instead of defining our own rules.
>>>
>>> While the type could be a dereferenceable URI, requiring action on the AS is really getting into distributed authorization policies. We tried doing that with UMA1’s scope structures and it didn’t work very well in practice (in my memory and experience). Someone could profile “type" on top of this if they wanted to do so, with support at the AS for that, but I don’t see a compelling reason for that to be a requirement as that’s a lot of complexity and a lot more error states (the fetch fails, or it doesn’t have a policy, or the policy’s in a format the AS doesn’t understand, or the AS doesn’t like the policy, etc).
>>>
>>> An AS is always free to implement its types in such a fashion, and that could make plenty of sense in a smaller ecosystem. And this is yet another reason that we define “type” as being a string to be interpreted and understood by the AS — so that an AS that wants to work this way can do so.
>>>
>>>  — Justin
>>>
>>> PS: thanks for pointing out the error in the example in XYZ, I’ll fix that prior to publication.
>>>
>>>> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
>>>>
>>>> Justin: thanks for kindly pointing out which mail list this is.
>>>>
>>>> To clarify, public JWT claims are not just URIs, but any collision-resistant namespace:
>>>> "Examples of collision-resistant namespaces include: Domain Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) [RFC4122]."
>>>>
>>>> I think letting the "type" be any JSON string and doing a byte-wise comparison will be problematic. A client developer will be reading documentation to learn what the types are, and typing it in. Given the wide set of whitespace characters, and unicode equivalence, different byte streams will all look the same, and a byte-wise comparison will fail.
>>>>
>>>> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is not sufficient. Canonicalization is required.
>>>>
>>>> These are not showstopper issues, but the specification should call out how type strings are compared, and provide caveats to an AS developer.
>>>>
>>>> I have no idea why you would think the AS would retrieve a URL.
>>>>
>>>> Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.
>>>>
>>>> What is the harm in non-normative language around a retrievable URI?
>>>>
>>>> BTW: the example in https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 <https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2> has not been updated with the "type" field.
>>>>
>>>>
>>>>
>>>> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>>>> Hi Dick,
>>>>
>>>> This is a discussion about the RAR specification on the OAuth list, and therefore doesn’t have anything to do with alignment with XAuth. In fact, I believe the alignment is the other way around, as doesn’t Xauth normatively reference RAR at this point? Even though, last I saw, it uses a different top-level structure for conveying things, I believe it does say to use the internal object structures. I am also a co-author on RAR and we had already defined a “type” field in RAR quite some time ago. You did notice that XYZ’s latest draft added this field to keep the two in alignment with each other, which has always been the goal since the initial proposal of the RAR work, but that’s a time lag and not a display of new intent.
>>>>
>>>> In any event, even though I think the decision has bearing in both places, this isn’t about GNAP. Working on RAR’s requirements has brought up this interesting issue of what should be in the type field for RAR in OAuth 2.
>>>>
>>>> I think that it should be defined as a string, and therefore compared as a byte value in all cases, regardless of what the content of the string is. I don’t think the AS should be expected to fetch a URI for anything. I don’t think the AS should normalize any of the inputs. I think that any JSON-friendly character set should be allowed (including spaces and unicodes), and since RAR already requires the JSON objects to be form-encoded, this shouldn’t cause additional trouble when adding them in to OAuth 2’s request structures.
>>>>
>>>> The idea of using a URI would be to get people out of each other’s namespaces. It’s similar to the concept of “public” vs “private” claims in JWT:
>>>>
>>>> https://tools.ietf.org/html/rfc7519#section-4.2 <https://tools.ietf.org/html/rfc7519#section-4.2>
>>>>
>>>> What I’m proposing is that if you think it’s going to be a general-purpose type name, then we recommend you use a URI as your string. And beyond that, that’s it. It’s up to the AS to figure out what to do with it, and RAR stays out of it.
>>>>
>>>>  — Justin
>>>>
>>>>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
>>>>>
>>>>> Hey Justin, glad to see that you have aligned with the latest XAuth draft on a type property being required.
>>>>>
>>>>> I like the idea that the value of the type property is fully defined by the AS, which could delegate it to a common URI for reuse. This gets GNAP out of specifying access requests, and enables other parties to define access without any required coordination with IETF or IANA.
>>>>>
>>>>> A complication in mixing plain strings and URIs is the canonicalization. A plain string can be a fixed byte representation, but a URI requires canonicalization for comparison. Mixing the two requires URI detection at the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>>>>>
>>>>> The URI is retrievable, it can provide machine and/or human readable documentation in JSON schema or some such, or any other content type. Once again, the details are out of scope of GNAP, but we can provide examples to guide implementers.
>>>>>
>>>>> Are you still thinking that bare strings are allowed in GNAP, and are defined by the AS?
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>>>>> The “type” field in the RAR spec serves an important purpose: it defines what goes in the rest of the object, including what other fields are available and what values are allowed for those fields. It provides an API-level definition for requesting access based on multiple dimensions, and that’s really powerful and flexible. Each type can use any of the general-purpose fields like “actions” and/or add its own fields as necessary, and the “type” parameter keeps everything well-defined.
>>>>>
>>>>> The question, then, is what defines what’s allowed to go into the “type” field itself? And what defines how that value maps to the requirements for the rest of the object? The draft doesn’t say anything about it at the moment, but we should choose the direction we want to go. On the surface, there are three main options:
>>>>>
>>>>> 1) Require all values to be registered.
>>>>> 2) Require all values to be collision-resistant (eg, URIs).
>>>>> 3) Require all values to be defined by the AS (and/or the RS’s that it protects).
>>>>>
>>>>> Are there any other options?
>>>>>
>>>>> Here are my thoughts on each approach:
>>>>>
>>>>> 1) While it usually makes sense to register things for interoperability, this is a case where I think that a registry would actually hurt interoperability and adoption. Like a “scope” value, the RAR “type” is ultimately up to the AS and RS to interpret in their own context. We :want: people to define rich objects for their APIs and enable fine-grained access for their systems, and if they have to register something every time they come up with a new API to protect, it’s going to be an unmaintainable mess. I genuinely don’t think this would scale, and that most developers would just ignore the registry and do what they want anyway. And since many of these systems are inside domains, it’s completely unenforceable in practice.
>>>>>
>>>>> 2) This seems reasonable, but it’s a bit of a nuisance to require everything to be a URI here. It’s long and ugly, and a lot of APIs are going to be internal to a given group, deployment, or ecosystem anyway. This makes sense when you’ve got something reusable across many deployments, like OIDC, but it’s overhead when what you’re doing is tied to your environment.
>>>>>
>>>>> 3) This allows the AS and RS to define the request parameters for their APIs just like they do today with scopes. Since it’s always the combination of “this type :AT: this AS/RS”, name spacing is less of an issue across systems. We haven’t seen huge problems in scope value overlap in the wild, though it does occur from time to time it’s more than manageable. A client isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it can access something in particular.
>>>>>
>>>>> And all that brings me to my proposal:
>>>>>
>>>>> 4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.
>>>>>
>>>>> So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.
>>>>>
>>>>> My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>>>
>>>>> What does the rest of the group think? How should we manage the RAR “type” values and what they mean?
>>>>>
>>>>>  — Justin
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>>
>>>
>>
>
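
The three comparison rules argued over in this thread (exact code-point comparison, Unicode NFC, URI normalization), run over the thread's own example strings. This is an added example, not part of any message in the thread or of the RAR draft. The registry contents, the function names and the non-URI sample strings are constructed, and the URI rule implements only the case and default-port parts of RFC 3986 section 6.2.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def nfc(value: str) -> str:
    """Unicode Normalization Form C (canonical composition)."""
    return unicodedata.normalize("NFC", value)


def uri_normalize(value: str) -> str:
    """Subset of RFC 3986 section 6.2 normalization: lower-case the scheme and
    host and drop the scheme's default port. Non-URI strings pass through."""
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:              # malformed authority or port: treat as opaque
        return value
    if not parts.scheme or not parts.netloc:
        return value
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if ":" in host:                 # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    userinfo, at, _ = parts.netloc.rpartition("@")
    netloc = f"{userinfo}{at}{host}"
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        netloc = f"{netloc}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def compare(a: str, b: str) -> dict:
    """Outcome of each comparison rule discussed in the thread."""
    return {
        "exact": a == b,                               # code-point-wise
        "nfc": nfc(a) == nfc(b),                       # Unicode canonical equivalence
        "uri": uri_normalize(a) == uri_normalize(b),   # URI equivalence
    }


def lint_type_value(value: str) -> list:
    """Flag a proposed "type" string that exact comparison would make fragile."""
    findings = []
    if nfc(value) != value:
        findings.append("not-nfc")
    if any(ch != " " and unicodedata.category(ch) in ("Zs", "Zl", "Zp", "Cc", "Cf")
           for ch in value):
        findings.append("unusual-whitespace-or-control")
    if uri_normalize(value) != value:
        findings.append("uri-not-normalized")
    return findings


# Constructed registry: the exact strings one AS has documented for its APIs.
REGISTERED = {"https://schema.example.org/v1", "caf\u00e9-orders"}


def lookup_exact(value: str) -> bool:
    return value in REGISTERED


def lookup_canonical(value: str) -> bool:
    canon = {uri_normalize(nfc(r)) for r in REGISTERED}
    return uri_normalize(nfc(value)) in canon


def split_decisions(values: list) -> list:
    """Values a canonicalizing component accepts while an exact-matching
    component (for example an RS reading the same "type") rejects them."""
    return [v for v in values if lookup_canonical(v) and not lookup_exact(v)]


# The URI strings quoted in the thread, plus constructed non-URI samples.
SAMPLES = [
    "https://schema.example.org/v1",
    "HTTPS://schema.example.org/v1",
    "https://SCHEMA.EXAMPLE.ORG/v1",
    "https://schema.example.org:443/v1",
    "https://schema.example.org/v2",
    "cafe\u0301-orders",            # decomposed form of the registered string
    "foo",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), compare(SAMPLES[0], s), lint_type_value(s))
    print("split decisions:", split_decisions(SAMPLES))
```

Running the lint over type strings before documenting them is one way to act on the "recommendations for picking type value strings" mentioned above; any value listed by split_decisions is one on which two components using different rules would disagree.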


--Apple-Mail=_5FF50CAD-77B7-4F37-80EC-4B07A5C0AEB5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" =
class=3D"">Right, and I=E2=80=99m saying that all three of those would =
be DIFFERENT =E2=80=9Ctype=E2=80=9D values, because they=E2=80=99re =
different strings. The fact that when treated as URIs they would be =
equivalent is irrelevant. Just like =E2=80=9Cfoo=E2=80=9D, =E2=80=9CFoo=E2=
=80=9D, and =E2=80=9CFOO=E2=80=9D would be different =E2=80=9Ctype=E2=80=9D=
 values, per the spec. Nothing is stopping an AS from treating them as =
equivalent internally, but that seems a bit dangerous to me. I=E2=80=99d =
love to see a formal breakdown of that, though.<div class=3D""><br =
class=3D""></div><div class=3D"">As for the unicode example, if we =
define things as using byte comparisons, then that becomes an issue for =
proper documentation and configuration =E2=80=94 and again, probably a =
good place to have recommendations for picking type value strings so as =
to avoid such problems.</div><div class=3D""><br class=3D""></div><div =
class=3D"">In short, I don=E2=80=99t think we should have any =
requirements on canonicalization for these values.<br class=3D""><div =
class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 =
Justin<br class=3D""><div><br class=3D""><blockquote type=3D"cite" =
class=3D""><div class=3D"">On Jul 21, 2020, at 1:03 PM, Dick Hardt =
&lt;<a href=3D"mailto:dick.hardt@gmail.com" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><meta =
http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8" =
class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" =
class=3D""><div dir=3D"ltr" class=3D""><div class=3D""><br =
class=3D""></div><div class=3D"">The following are the same URI, but are =
different strings:</div><div class=3D""><br class=3D""></div><div =
class=3D""><div dir=3D"ltr" class=3D""><span =
style=3D"white-space:pre-wrap" class=3D"">	</span>=E2=80=9C<a =
href=3D"https://schema.example.org/v1" target=3D"_blank" =
class=3D"">https://schema.example.org/v1</a>=E2=80=9D</div><div =
dir=3D"ltr" class=3D""><span style=3D"white-space:pre-wrap" class=3D"">	=
</span>=E2=80=9C<a href=3D"https://schema.example.org/v1" =
target=3D"_blank" =
class=3D"">HTTPS://schema.example.org/v1</a>=E2=80=9D</div><div =
dir=3D"ltr" class=3D""><span style=3D"white-space:pre-wrap" class=3D"">	=
</span>=E2=80=9C<a href=3D"https://schema.example.org/v1" =
target=3D"_blank" class=3D"">https://SCHEMA.EXAMPLE.ORG/v1</a>=E2=80=9D<br=
 class=3D""><div class=3D""></div></div></div><div class=3D""><br =
class=3D""></div><div class=3D"">Before comparing them to each other, =
they must be canonicalized so that they become the same =
string.</div><div class=3D""><br class=3D""></div><div class=3D"">=46rom =
earlier in this thread, I am NOT suggesting that it must be a URI, nor =
that it is required:</div><div class=3D""><br =
class=3D""></div></div><blockquote style=3D"margin:0px 0px 0px =
40px;border:none;padding:0px" class=3D""><div class=3D""><div =
class=3D""><div class=3D"">Since the type represents a much more complex =
object then a JWT claim, a client developer's tooling could pull down =
the JSON Schema (or some such) for a type used in their source code, and =
provide autocompletion and validation which would improve productivity =
and reduce errors. An AS that is using a defined type could use the =
schema for input validation. Neither of these would be at run time. JSON =
Schema allows comments and examples.</div></div></div><div class=3D""><div=
 class=3D""><br class=3D""></div></div><div class=3D""><div =
class=3D"">What is the harm in non-normative language around a =
retrievable =
URI?</div></div></blockquote></div></div></div></div></div><br =
class=3D""><div class=3D"gmail_quote"><div dir=3D"ltr" =
class=3D"gmail_attr">On Tue, Jul 21, 2020 at 9:58 AM Justin Richer =
&lt;<a href=3D"mailto:jricher@mit.edu" class=3D"">jricher@mit.edu</a>&gt; =
wrote:<br class=3D""></div><blockquote class=3D"gmail_quote" =
style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div style=3D"overflow-wrap: =
break-word;" class=3D"">String comparison works just fine when the =
strings happen to be URIs, and you aren=E2=80=99t treating them as =
URIs:<div class=3D""><br class=3D""></div><div class=3D""><span =
style=3D"white-space:pre-wrap" class=3D"">	</span>=E2=80=9C<a =
href=3D"https://schema.example.org/v1" target=3D"_blank" =
class=3D"">https://schema.example.org/v1</a>=E2=80=9D</div><div =
class=3D""><br class=3D""></div><div class=3D"">Is different =
from&nbsp;</div><div class=3D""><br class=3D""></div><div class=3D""><span=
 style=3D"white-space:pre-wrap" class=3D"">	</span>=E2=80=9C<a =
href=3D"https://schema.example.org/v2" target=3D"_blank" =
class=3D"">https://schema.example.org/v2</a>=E2=80=9D</div><div =
class=3D""><br class=3D""></div><div class=3D"">And both are different =
from</div><div class=3D""><br class=3D""></div><div class=3D""><span =
style=3D"white-space:pre-wrap" class=3D"">	</span>=E2=80=9C<a =
href=3D"https://schema.example.org/v1" target=3D"_blank" =
class=3D"">https://schema.example.org:443/v1</a>/=E2=80=9C</div><div =
class=3D""><br class=3D""></div><div class=3D"">All of these are =
strings, and the strings happen to be URIs but that=E2=80=99s irrelevant =
to the comparison process. Can you please help me understand why doing a =
string comparison on these values does not work in exactly the same way =
it would for =E2=80=9Cfoo=E2=80=9D, =E2=80=9Cbar=E2=80=9D, and =E2=80=9Cba=
z=E2=80=9D values? Why would these need to be canonicalized to be =
compared? The definition of a JSON string is an ordered set of unicode =
code points, and this can be compared byte-wise. (Or code-point-wise, =
whatever=E2=80=99s most correct here.) Can you give me counter-examples =
as to where string comparison doesn=E2=80=99t work? And can you help me =
understand how this same worry doesn=E2=80=99t apply to all of the rest =
of the values in the RAR specification, which are also strings and will =
need to be compared?</div><div class=3D""><br class=3D""></div><div =
class=3D"">I=E2=80=99m still very confused as to the URI retrieval issue =
here, if there even is one. It sounds like we=E2=80=99re both saying =
that it could be useful if type values are retrievable when they=E2=80=99r=
e URIs, but that would be something to augment a process and not =
required for the RAR spec. I=E2=80=99m against requiring the value to be =
a URI and against requiring the AS to process that URI <b class=3D"">as =
a URI</b> at runtime. Anything that an AS wants to do with the =
=E2=80=9Ctype=E2=80=9D value, including providing additional tooling and =
validation, is up to the AS and outside of the spec.</div><div =
class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 =
Justin</div><div class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 21, 2020, at 12:35 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D"">This statement:<br class=3D""></div><div =
dir=3D"ltr" class=3D""><br class=3D""></div><div dir=3D"ltr" =
class=3D"">=E2=80=9Ccompare two strings so that they=E2=80=99re =
exact=E2=80=9D<br class=3D""></div><div dir=3D"ltr" class=3D""><br =
class=3D""></div><div class=3D"">does not work for either Unicode or =
URIs. A string, and a canonicalized Unicode string are not the same =
thing. Similar for a URI. I have assumed you understand the =
canonicalization requirement, but it does not sound like you do. Would =
you like examples?</div><div class=3D""><br class=3D""></div><div =
class=3D""><br class=3D""></div><div class=3D"">wrt. the AS and URI, =
*you* keep saying that *I* said the AS would retrieve the URI. I HAVE =
NOT SAID THAT!</div><div class=3D""><br class=3D""></div><div class=3D"">I=
 am suggesting that the URI MAY be retrievable, and I gave examples on =
how that would be useful for tooling for client developers, and for an =
AS in doing input validation. The URI would NOT be retrieved at run =
time.</div><div class=3D""><br class=3D""></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Jul =
21, 2020 at 7:35 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div class=3D""><div class=3D"">If we =
treat all the strings as just strings, without any special internal =
format to be specified or detected, then comparing the strings is a =
well-understood and well-documented process. I also think that we =
shouldn=E2=80=99t invent anything here, so if there=E2=80=99s a better =
way to say =E2=80=9Ccompare two strings so that they=E2=80=99re exact=E2=80=
=9D then that=E2=80=99s what I mean. Sorry if that was =
unclear.</div><div class=3D""><br class=3D""></div>I=E2=80=99m saying =
the AS should <b class=3D"">not</b> retrieve the URI passed in the =
=E2=80=9Ctype=E2=80=9D value. You brought that up and then described the =
process that the AS would take to do so. I have said from the start that =
the use of a URI is for name spacing and not for addressing content to =
be fetched, so I=E2=80=99m confused why you think I intend =
otherwise.<div class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=
=94 Justin<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 20, 2020, at 2:59 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D"">Canonicalization of URIs and =
unicode is fairly well specified. I was not suggesting we invent =
anything there.<div class=3D""><br class=3D""></div><div class=3D"">A =
byte comparison, as you suggested earlier, will be problematic, as I =
have pointed out.</div><div class=3D""><br class=3D""></div><div =
class=3D"">I'm confused why you are still talking about the AS =
retrieving a URI.</div><div class=3D""><br class=3D""></div></div><br =
class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jul =
20, 2020 at 4:42 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div class=3D""><div class=3D"">Since =
this is a recommendation for namespace, we could also just say =
collision-resistant like JWT, and any of those examples are fine. But =
that said, I think there=E2=80=99s something particularly compelling =
about URIs since they have somewhat-human-readable portions. But again, =
I=E2=80=99m saying it should be a recommendation to API developers and =
not a requirement in the spec. In the spec, I argue that =E2=80=9Ctype=E2=80=
=9D should be a string, full stop.</div><div class=3D""><br =
class=3D""></div>If documentation is so confusing that developers are =
typing in the wrong strings, then that=E2=80=99s bad documentation. And =
likely a bad choice for the =E2=80=9Ctype=E2=80=9D string on the part of =
the AS. You=E2=80=99d have the same problem with any other value the =
developer=E2=80=99s supposed to copy over. &nbsp;:)<div class=3D""><br =
class=3D""></div><div class=3D"">I agree that we should call out =
explicitly how they should be compared, and I propose we use one of the =
handful of existing string-comparison RFC=E2=80=99s here instead of =
defining our own rules.</div><div class=3D""><br class=3D""></div><div =
class=3D"">While the type could be a dereferenceable URI, requiring =
action on the AS is really getting into distributed authorization =
policies. We tried doing that with UMA1=E2=80=99s scope structures and =
it didn=E2=80=99t work very well in practice (in my memory and =
experience). Someone could profile =E2=80=9Ctype" on top of this if they =
wanted to do so, with support at the AS for that, but I don=E2=80=99t =
see a compelling reason for that to be a requirement as that=E2=80=99s a =
lot of complexity and a lot more error states (the fetch fails, or it =
doesn=E2=80=99t have a policy, or the policy=E2=80=99s in a format the =
AS doesn=E2=80=99t understand, or the AS doesn=E2=80=99t like the =
policy, etc).&nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">And AS is always free to implement its types in such a =
fashion, and that could make plenty of sense in a smaller ecosystem. And =
this is yet another reason that we define =E2=80=9Ctype=E2=80=9D as =
being a string to be interpreted and understood by the AS =E2=80=94 so =
that an AS that wants to work this way can do so.</div><div class=3D""><br=
 class=3D""></div><div class=3D"">&nbsp;=E2=80=94 Justin</div><div =
class=3D""><br class=3D""></div><div class=3D"">PS: thanks for pointing =
out the error in the example in XYZ, I=E2=80=99ll fix that prior to =
publication.<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 18, 2020, at 8:58 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D"">Justin: thanks for =
kindly pointing out which mail list this is.</div><div dir=3D"ltr" =
class=3D""><br class=3D""><div class=3D"">To clarify, public JWT claims =
are not just URIs, but any =
collision-resistant&nbsp;namespace:&nbsp;</div><div class=3D"">"Examples =
of collision-resistant namespaces include: Domain Names, Object =
Identifiers (OIDs) as defined in the ITU-T X.660 and&nbsp; &nbsp; &nbsp; =
X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) =
[RFC4122]."</div><div class=3D""><br class=3D""></div><div class=3D"">I =
think letting the "type" be any JSON string and doing a byte-wise =
comparison will be problematic. A client developer will be reading =
documentation to learn what the types are,&nbsp;and typing it in. Given =
the wide set of whitespace characters, and unicode equivalence, =
different byte streams will all look the same, and a byte-wise =
comparison will fail.</div><div class=3D""><br class=3D""></div><div =
class=3D"">Similarly&nbsp;for URIs. If it is a valid URI, then a =
byte-wise comparison is not sufficient. Canonicalization is =
required.&nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">These are not showstopper&nbsp;issues, but the specification =
should call out how type strings are compared, and provide&nbsp;caveats =
to an AS developer.</div><div class=3D""><br class=3D""></div><div =
class=3D"">I have no idea why you would think the AS would retrieve a =
URL.</div><div class=3D""><br class=3D""></div><div class=3D"">Since the =
type represents a much more complex object then a JWT claim, a client =
developer's tooling could pull down the JSON Schema (or some such) for a =
type used in their source code, and provide autocompletion and =
validation which would improve productivity and reduce errors. An AS =
that is using a defined type could use the schema for input validation. =
Neither of these would be at run time. JSON Schema allows comments and =
examples.</div><div class=3D""><br class=3D""></div><div class=3D"">What =
is the harm in non-normative language around a retrievable =
URI?</div><div class=3D""><br class=3D""></div><div class=3D"">BTW: the =
example in&nbsp;<a =
href=3D"https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2" =
target=3D"_blank" =
class=3D"">https://oauth.xyz/draft-richer-transactional-authz#rfc.section.=
2</a>&nbsp;has not been updated with the "type" field.</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div></div></div></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Sat, Jul =
18, 2020 at 8:10 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div class=3D"">Hi Dick,<div =
class=3D""><br class=3D""></div><div class=3D"">This is a discussion =
about the RAR specification on the OAuth list, and therefore doesn=E2=80=99=
t have anything to do with alignment with XAuth. In fact, I believe the =
alignment is the other way around, as doesn=E2=80=99t Xauth normatively =
reference RAR at this point? Even though, last I saw, it uses a =
different top-level structure for conveying things, I believe it does =
say to use the internal object structures. I am also a co-author on RAR =
and we had already defined a =E2=80=9Ctype=E2=80=9D field in RAR quite =
some time ago. You did notice that XYZ=E2=80=99s latest draft added this =
field to keep the two in alignment with each other, which has always =
been the goal since the initial proposal of the RAR work, but that=E2=80=99=
s a time lag and not a display of new intent.&nbsp;</div><div =
class=3D""><br class=3D""></div><div class=3D"">In any event, even =
though I think the decision has bearing in both places, this isn=E2=80=99t=
 about GNAP. Working on RAR=E2=80=99s requirements has brought up this =
interesting issue of what should be in the type field for RAR in OAuth =
2.</div><div class=3D""><br class=3D""></div><div class=3D"">I think =
that it should be defined as a string, and therefore compared as a byte =
value in all cases, regardless of what the content of the string is. I =
don=E2=80=99t think the AS should be expected to fetch a URI for =
anything. I don=E2=80=99t think the AS should normalize any of the =
inputs. I think that any JSON-friendly character set should be allowed =
(including spaces and unicodes), and since RAR already requires the JSON =
objects to be form-encoded, this shouldn=E2=80=99t cause additional =
trouble when adding them in to OAuth 2=E2=80=99s request =
structures.</div><div class=3D""><br class=3D""></div><div class=3D"">The =
idea of using a URI would be to get people out of each other=E2=80=99s =
namespaces. It=E2=80=99s similar to the concept of =E2=80=9Cpublic=E2=80=9D=
 vs =E2=80=9Cprivate=E2=80=9D claims in JWT:</div><div class=3D""><br =
class=3D""></div><div class=3D""><a =
href=3D"https://tools.ietf.org/html/rfc7519#section-4.2" target=3D"_blank"=
 class=3D"">https://tools.ietf.org/html/rfc7519#section-4.2</a></div><div =
class=3D""><br class=3D""></div><div class=3D"">What I=E2=80=99m =
proposing is that if you think it=E2=80=99s going to be a =
general-purpose type name, then we recommend you use a URI as your =
string. And beyond that, that=E2=80=99s it. It=E2=80=99s up to the AS to =
figure out what to do with it, and RAR stays out of it.</div><div =
class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 =
Justin<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 17, 2020, at 1:25 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D"">Hey Justin, glad to see that you =
have aligned with the latest XAuth draft on a type property being =
required.<br class=3D""><div class=3D""><br class=3D""></div><div =
class=3D"">I like the idea that the value of the type property is fully =
defined by the AS, which could delegate it to a common URI for reuse. =
This gets GNAP out of specifying access requests, and enables other =
parties to define access without any required coordination with IETF or =
IANA.</div><div class=3D""><br class=3D""></div><div class=3D"">A =
complication in mixing plain strings and URIs is the canonicalization. A =
plain string can be a fixed byte&nbsp;representation, but a URI requires =
canonicalization for comparison. Mixing the two requires&nbsp;URI =
detection at the AS before canonicalization, and an AS MUST do =
canonicalization of URIs.</div><div class=3D""><br class=3D""></div><div =
class=3D"">The URI is retrievable, it can provide machine and/or human =
readable documentation in JSON schema or some such, or any other content =
type. Once again, the details are out of scope&nbsp;of GNAP, but we can =
provide examples to guide implementers.</div><div class=3D""><br =
class=3D""></div><div class=3D"">Are you still thinking that bare =
strings are allowed in GNAP, and&nbsp;are defined by the AS?</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div><br class=3D""><div class=3D"gmail_quote"><div =
dir=3D"ltr" class=3D"gmail_attr">On Fri, Jul 17, 2020 at 8:39 AM Justin =
Richer &lt;<a href=3D"mailto:jricher@mit.edu" target=3D"_blank" =
class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">The =E2=80=9Ctype=E2=80=9D =
field in the RAR spec serves an important purpose: it defines what goes =
in the rest of the object, including what other fields are available and =
what values are allowed for those fields. It provides an API-level =
definition for requesting access based on multiple dimensions, and =
that=E2=80=99s really powerful and flexible. Each type can use any of =
the general-purpose fields like =E2=80=9Cactions=E2=80=9D and/or add its =
own fields as necessary, and the =E2=80=9Ctype=E2=80=9D parameter keeps =
everything well-defined.<br class=3D"">
<br class=3D"">
The question, then, is what defines what=E2=80=99s allowed to go into =
the =E2=80=9Ctype=E2=80=9D field itself? And what defines how that value =
maps to the requirements for the rest of the object? The draft doesn=E2=80=
=99t say anything about it at the moment, but we should choose the =
direction we want to go. On the surface, there are three main =
options:<br class=3D"">
<br class=3D"">
1) Require all values to be registered. <br class=3D"">
2) Require all values to be collision-resistant (eg, URIs).<br class=3D"">=

3) Require all values to be defined by the AS (and/or the RS=E2=80=99s =
that it protects).<br class=3D"">
<br class=3D"">
Are there any other options?<br class=3D"">
<br class=3D"">
Here are my thoughts on each approach:<br class=3D"">
<br class=3D"">
1) While it usually makes sense to register things for interoperability, =
this is a case where I think that a registry would actually hurt =
interoperability and adoption. Like a =E2=80=9Cscope=E2=80=9D value, the =
RAR =E2=80=9Ctype=E2=80=9D is ultimately up to the AS and RS to =
interpret in their own context. We :want: people to define rich objects =
for their APIs and enable fine-grained access for their systems, and if =
they have to register something every time they come up with a new API =
to protect, it=E2=80=99s going to be an unmaintainable mess. I genuinely =
don=E2=80=99t think this would scale, and that most developers would =
just ignore the registry and do what they want anyway. And since many of =
these systems are inside domains, it=E2=80=99s completely unenforceable =
in practice.<br class=3D"">
<br class=3D"">
2) This seems reasonable, but it=E2=80=99s a bit of a nuisance to =
require everything to be a URI here. It=E2=80=99s long and ugly, and a =
lot of APIs are going to be internal to a given group, deployment, or =
ecosystem anyway. This makes sense when you=E2=80=99ve got something =
reusable across many deployments, like OIDC, but it=E2=80=99s overhead =
when what you=E2=80=99re doing is tied to your environment.<br class=3D"">=

<br class=3D"">
3) This allows the AS and RS to define the request parameters for their =
APIs just like they do today with scopes. Since it=E2=80=99s always the =
combination of =E2=80=9Cthis type :AT: this AS/RS=E2=80=9D, name spacing =
is less of an issue across systems. We haven=E2=80=99t seen huge =
problems in scope value overlap in the wild, though it does occur from =
time to time it=E2=80=99s more than manageable. A client isn=E2=80=99t =
going to just =E2=80=9Cspeak RAR=E2=80=9D, it=E2=80=99s going to be =
speaking RAR so that it can access something in particular.<br class=3D"">=

<br class=3D"">
And all that brings me to my proposal: <br class=3D"">
<br class=3D"">
4) Require all values to be defined by the AS, and encourage =
specification developers to use URIs for collision resistance.<br =
class=3D"">
<br class=3D"">
So officially in RAR, the AS would decide what =E2=80=9Ctype=E2=80=9D =
means, and nobody else. But we can also guide people who are developing =
general-purpose interoperable APIs to use URIs for their RAR =E2=80=9Ctype=
=E2=80=9D definitions. This would keep those interoperable APIs from =
stepping on each other, and from stepping on any locally-defined special =
=E2=80=9Ctype=E2=80=9D structure. But at the end of the day, the URI =
carries no more weight than just any other string, and the AS decides =
what it means and how it applies.<br class=3D"">
<br class=3D"">
My argument is that this seems to have worked very, very well for =
scopes, and the RAR =E2=80=9Ctype=E2=80=9D is cut from similar =
descriptive cloth.<br class=3D"">
<br class=3D"">
What does the rest of the group think? How should we manage the RAR =
=E2=80=9Ctype=E2=80=9D values and what they mean?<br class=3D"">
<br class=3D"">
&nbsp;=E2=80=94 Justin<br class=3D"">
_______________________________________________<br class=3D"">
OAuth mailing list<br class=3D"">
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a><br class=3D"">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer"=
 target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><br class=3D"">
</blockquote></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br =
class=3D""></div></div></blockquote></div></div></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br class=3D""></div></div></body></html>=

--Apple-Mail=_5FF50CAD-77B7-4F37-80EC-4B07A5C0AEB5--
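
The three comparison rules argued over in this thread (exact string match, Unicode normalization, URI normalization), run side by side on the thread's own example strings. This is an added example, not code from either poster or from the RAR draft; `match_type`, `canonical`, the `REGISTERED` list and the `café-orders` value are constructed for illustration, and the URI step covers only the scheme/host case and default-port rules of RFC 3986.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed registry of "type" values an AS might accept (an assumption,
# not taken from the draft). The second entry uses precomposed U+00E9.
REGISTERED = ["https://schema.example.org/v1", "caf\u00e9-orders"]


def normalize_uri(value):
    """Lower-case scheme and host (RFC 3986 section 6.2.2.1) and drop a
    default port (section 6.2.3). Percent-encoding and dot-segment
    normalization are left out to keep the example short."""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return value                      # not an absolute URI with authority
    try:
        port = parts.port
    except ValueError:
        return value                      # malformed port: treat as opaque
    scheme = parts.scheme.lower()
    host = parts.hostname or ""           # urlsplit already lower-cases this
    if ":" in host:                       # IPv6 literal: restore the brackets
        host = "[" + host + "]"
    netloc = host
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        netloc += ":" + str(port)
    userinfo, at, _ = parts.netloc.rpartition("@")
    if at:                                # keep userinfo exactly as given
        netloc = userinfo + "@" + netloc
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def canonical(value):
    """Unicode NFC first, then URI normalization if the value is a URI."""
    return normalize_uri(unicodedata.normalize("NFC", value))


def match_type(requested, registered):
    """Classify a requested "type" value against the registered ones.

    'exact'      : code-point-for-code-point equal to a registered value
    'equivalent' : a different string that becomes equal after NFC and
                   URI normalization
    'unknown'    : matches nothing under either rule
    """
    if requested in registered:
        return ("exact", requested)
    wanted = canonical(requested)
    for known in registered:
        if canonical(known) == wanted:
            return ("equivalent", known)
    return ("unknown", None)


if __name__ == "__main__":
    samples = [
        "https://schema.example.org/v1",       # from the thread
        "HTTPS://schema.example.org/v1",       # from the thread
        "https://SCHEMA.EXAMPLE.ORG/v1",       # from the thread
        "https://schema.example.org:443/v1/",  # from the thread (trailing slash)
        "https://schema.example.org/v2",       # from the thread
        "cafe\u0301-orders",                   # constructed: e + combining acute
    ]
    for s in samples:
        status, known = match_type(s, REGISTERED)
        print(f"{s!a:45} {status:10} {known!a}")
```

An AS that follows the exact-match position grants only on `exact`; the `equivalent` result shows which rejected values differ from a registered type only in representation.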


From nobody Tue Jul 21 10:56:37 2020
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C92D93A0D35 for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2020 10:56:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.097
X-Spam-Level: 
X-Spam-Status: No, score=-0.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.999, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AnnNKrmRmvxZ for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2020 10:56:31 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A27F13A0D31 for <oauth@ietf.org>; Tue, 21 Jul 2020 10:56:30 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id j11so25018602ljo.7 for <oauth@ietf.org>; Tue, 21 Jul 2020 10:56:30 -0700 (PDT)
X-Received: by 2002:a2e:80c9:: with SMTP id r9mr13740867ljg.69.1595354188674;  Tue, 21 Jul 2020 10:56:28 -0700 (PDT)
MIME-Version: 1.0
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com> <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu> <CAD9ie-tX+C1BvRRMH5E9-05X8YG02r3m1EpMn91Vruv+zsMyeg@mail.gmail.com> <CC8861CE-E535-4290-9E31-E037849ED509@mit.edu> <CAD9ie-tZkKtwVwLUSf2FJ9Xm-80dBupYKvbdmywSgA3M64B_7g@mail.gmail.com> <847FC552-84CA-4227-9768-8BA488B7FEFE@mit.edu> <CAD9ie-s7aZxt5wGjQgdDXSB3AsK1Ovr=cReiC9phnhYpYF-WGQ@mail.gmail.com> <0E6A3DE4-4EDC-4AB0-A491-D7DC960592AA@mit.edu>
In-Reply-To: <0E6A3DE4-4EDC-4AB0-A491-D7DC960592AA@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 21 Jul 2020 10:55:52 -0700
Message-ID: <CAD9ie-ttTq9pypdQEjvc2zxMC_UUyGu+hzZe4qgEfHzuA_LDLQ@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b4fb7e05aaf757e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2aim6SkpiKa18w9eDRDhnhImeYA>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 17:56:35 -0000

--000000000000b4fb7e05aaf757e7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

In Unicode, a glyph can be represented by more than one code point. When
reading the docs and entering a value, the developer will not know which
code point the AS intended.

Are you suggesting that AS documentation would have the bytes rather than
glyphs? Or not use glyphs that have multiple code points? Or that they only
use English?



On Tue, Jul 21, 2020 at 10:34 AM Justin Richer <jricher@mit.edu> wrote:

> Right, and I’m saying that all three of those would be DIFFERENT “type”
> values, because they’re different strings. The fact that when treated as
> URIs they would be equivalent is irrelevant. Just like “foo”, “Foo”, and
> “FOO” would be different “type” values, per the spec. Nothing is stopping
> an AS from treating them as equivalent internally, but that seems a bit
> dangerous to me. I’d love to see a formal breakdown of that, though.
>
> As for the unicode example, if we define things as using byte comparisons,
> then that becomes an issue for proper documentation and configuration — and
> again, probably a good place to have recommendations for picking type value
> strings so as to avoid such problems.
>
> In short, I don’t think we should have any requirements on
> canonicalization for these values.
>
>  — Justin
>
> On Jul 21, 2020, at 1:03 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
>
> The following are the same URI, but are different strings:
>
> “https://schema.example.org/v1”
> “HTTPS://schema.example.org/v1”
> “https://SCHEMA.EXAMPLE.ORG/v1”
>
> Before comparing them to each other, they must be canonicalized so that
> they become the same string.
>
> From earlier in this thread, I am NOT suggesting that it must be a URI,
> nor that it is required:
>
> Since the type represents a much more complex object than a JWT claim, a
> client developer's tooling could pull down the JSON Schema (or some such)
> for a type used in their source code, and provide autocompletion and
> validation which would improve productivity and reduce errors. An AS that
> is using a defined type could use the schema for input validation. Neither
> of these would be at run time. JSON Schema allows comments and examples.
>
> What is the harm in non-normative language around a retrievable URI?
>
>
> On Tue, Jul 21, 2020 at 9:58 AM Justin Richer <jricher@mit.edu> wrote:
>
>> String comparison works just fine when the strings happen to be URIs, and
>> you aren’t treating them as URIs:
>>
>> “https://schema.example.org/v1”
>>
>> Is different from
>>
>> “https://schema.example.org/v2”
>>
>> And both are different from
>>
>> “https://schema.example.org:443/v1/”
>>
>> All of these are strings, and the strings happen to be URIs but that’s
>> irrelevant to the comparison process. Can you please help me understand why
>> doing a string comparison on these values does not work in exactly the same
>> way it would for “foo”, “bar”, and “baz” values? Why would these need to be
>> canonicalized to be compared? The definition of a JSON string is an ordered
>> set of unicode code points, and this can be compared byte-wise. (Or
>> code-point-wise, whatever’s most correct here.) Can you give me
>> counter-examples as to where string comparison doesn’t work? And can you
>> help me understand how this same worry doesn’t apply to all of the rest of
>> the values in the RAR specification, which are also strings and will need
>> to be compared?
>>
>> I’m still very confused as to the URI retrieval issue here, if there even
>> is one. It sounds like we’re both saying that it could be useful if type
>> values are retrievable when they’re URIs, but that would be something to
>> augment a process and not required for the RAR spec. I’m against requiring
>> the value to be a URI and against requiring the AS to process that URI *as
>> a URI* at runtime. Anything that an AS wants to do with the “type”
>> value, including providing additional tooling and validation, is up to the
>> AS and outside of the spec.
>>
>>  — Justin
>>
>> On Jul 21, 2020, at 12:35 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> This statement:
>>
>> “compare two strings so that they’re exact”
>>
>> does not work for either Unicode or URIs. A string, and a canonicalized
>> Unicode string are not the same thing. Similar for a URI. I have assumed
>> you understand the canonicalization requirement, but it does not sound like
>> you do. Would you like examples?
>>
>>
>> wrt. the AS and URI, *you* keep saying that *I* said the AS would
>> retrieve the URI. I HAVE NOT SAID THAT!
>>
>> I am suggesting that the URI MAY be retrievable, and I gave examples on
>> how that would be useful for tooling for client developers, and for an AS
>> in doing input validation. The URI would NOT be retrieved at run time.
>>
>>
>> On Tue, Jul 21, 2020 at 7:35 AM Justin Richer <jricher@mit.edu> wrote:
>>
>>> If we treat all the strings as just strings, without any special
>>> internal format to be specified or detected, then comparing the strings is
>>> a well-understood and well-documented process. I also think that we
>>> shouldn’t invent anything here, so if there’s a better way to say “compare
>>> two strings so that they’re exact” then that’s what I mean. Sorry if that
>>> was unclear.
>>>
>>> I’m saying the AS should *not* retrieve the URI passed in the “type”
>>> value. You brought that up and then described the process that the AS would
>>> take to do so. I have said from the start that the use of a URI is for name
>>> spacing and not for addressing content to be fetched, so I’m confused why
>>> you think I intend otherwise.
>>>
>>>  — Justin
>>>
>>> On Jul 20, 2020, at 2:59 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>> Canonicalization of URIs and unicode is fairly well specified. I was not
>>> suggesting we invent anything there.
>>>
>>> A byte comparison, as you suggested earlier, will be problematic, as I
>>> have pointed out.
>>>
>>> I'm confused why you are still talking about the AS retrieving a URI.
>>>
>>> On Mon, Jul 20, 2020 at 4:42 AM Justin Richer <jricher@mit.edu> wrote:
>>>
>>>> Since this is a recommendation for namespace, we could also just say
>>>> collision-resistant like JWT, and any of those examples are fine. But that
>>>> said, I think there’s something particularly compelling about URIs since
>>>> they have somewhat-human-readable portions. But again, I’m saying it should
>>>> be a recommendation to API developers and not a requirement in the spec. In
>>>> the spec, I argue that “type” should be a string, full stop.
>>>>
>>>> If documentation is so confusing that developers are typing in the
>>>> wrong strings, then that’s bad documentation. And likely a bad choice for
>>>> the “type” string on the part of the AS. You’d have the same problem with
>>>> any other value the developer’s supposed to copy over.  :)
>>>>
>>>> I agree that we should call out explicitly how they should be compared,
>>>> and I propose we use one of the handful of existing string-comparison RFC’s
>>>> here instead of defining our own rules.
>>>>
>>>> While the type could be a dereferenceable URI, requiring action on the
>>>> AS is really getting into distributed authorization policies. We tried
>>>> doing that with UMA1’s scope structures and it didn’t work very well in
>>>> practice (in my memory and experience). Someone could profile “type” on top
>>>> of this if they wanted to do so, with support at the AS for that, but I
>>>> don’t see a compelling reason for that to be a requirement as that’s a lot
>>>> of complexity and a lot more error states (the fetch fails, or it doesn’t
>>>> have a policy, or the policy’s in a format the AS doesn’t understand, or
>>>> the AS doesn’t like the policy, etc).
>>>>
>>>> An AS is always free to implement its types in such a fashion, and
>>>> that could make plenty of sense in a smaller ecosystem. And this is yet
>>>> another reason that we define “type” as being a string to be interpreted
>>>> and understood by the AS — so that an AS that wants to work this way can do
>>>> so.
>>>>
>>>>  — Justin
>>>>
>>>> PS: thanks for pointing out the error in the example in XYZ, I’ll fix
>>>> that prior to publication.
>>>>
>>>> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>
>>>> Justin: thanks for kindly pointing out which mail list this is.
>>>>
>>>> To clarify, public JWT claims are not just URIs, but any
>>>> collision-resistant namespace:
>>>> "Examples of collision-resistant namespaces include: Domain Names,
>>>> Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670
>>>> Recommendation series, and Universally Unique IDentifiers (UUIDs)
>>>> [RFC4122]."
>>>>
>>>> I think letting the "type" be any JSON string and doing a byte-wise
>>>> comparison will be problematic. A client developer will be reading
>>>> documentation to learn what the types are, and typing it in. Given the wide
>>>> set of whitespace characters, and unicode equivalence, different byte
>>>> streams will all look the same, and a byte-wise comparison will fail.
>>>>
>>>> Similarly for URIs. If it is a valid URI, then a byte-wise comparison
>>>> is not sufficient. Canonicalization is required.
>>>>
>>>> These are not showstopper issues, but the specification should call out
>>>> how type strings are compared, and provide caveats to an AS developer.
>>>>
>>>> I have no idea why you would think the AS would retrieve a URL.
>>>>
>>>> Since the type represents a much more complex object than a JWT claim,
>>>> a client developer's tooling could pull down the JSON Schema (or some such)
>>>> for a type used in their source code, and provide autocompletion and
>>>> validation which would improve productivity and reduce errors. An AS that
>>>> is using a defined type could use the schema for input validation. Neither
>>>> of these would be at run time. JSON Schema allows comments and examples.
>>>>
>>>> What is the harm in non-normative language around a retrievable URI?
>>>>
>>>> BTW: the example in
>>>> https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has
>>>> not been updated with the "type" field.
>>>>
>>>>
>>>>
>>>> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>>>>
>>>>> Hi Dick,
>>>>>
>>>>> This is a discussion about the RAR specification on the OAuth list,
>>>>> and therefore doesn’t have anything to do with alignment with XAuth. In
>>>>> fact, I believe the alignment is the other way around, as doesn’t XAuth
>>>>> normatively reference RAR at this point? Even though, last I saw, it uses a
>>>>> different top-level structure for conveying things, I believe it does say
>>>>> to use the internal object structures. I am also a co-author on RAR and we
>>>>> had already defined a “type” field in RAR quite some time ago. You did
>>>>> notice that XYZ’s latest draft added this field to keep the two in
>>>>> alignment with each other, which has always been the goal since the initial
>>>>> proposal of the RAR work, but that’s a time lag and not a display of new
>>>>> intent.
>>>>>
>>>>> In any event, even though I think the decision has bearing in both
>>>>> places, this isn’t about GNAP. Working on RAR’s requirements has brought up
>>>>> this interesting issue of what should be in the type field for RAR in OAuth
>>>>> 2.
>>>>>
>>>>> I think that it should be defined as a string, and therefore compared
>>>>> as a byte value in all cases, regardless of what the content of the string
>>>>> is. I don’t think the AS should be expected to fetch a URI for anything. I
>>>>> don’t think the AS should normalize any of the inputs. I think that any
>>>>> JSON-friendly character set should be allowed (including spaces and
>>>>> unicodes), and since RAR already requires the JSON objects to be
>>>>> form-encoded, this shouldn’t cause additional trouble when adding them in
>>>>> to OAuth 2’s request structures.
>>>>>
>>>>> The idea of using a URI would be to get people out of each other’s
>>>>> namespaces. It’s similar to the concept of “public” vs “private” claims in
>>>>> JWT:
>>>>>
>>>>> https://tools.ietf.org/html/rfc7519#section-4.2
>>>>>
>>>>> What I’m proposing is that if you think it’s going to be a
>>>>> general-purpose type name, then we recommend you use a URI as your string.
>>>>> And beyond that, that’s it. It’s up to the AS to figure out what to do with
>>>>> it, and RAR stays out of it.
>>>>>
>>>>>  — Justin
>>>>>
>>>>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>
>>>>> Hey Justin, glad to see that you have aligned with the latest XAuth
>>>>> draft on a type property being required.
>>>>>
>>>>> I like the idea that the value of the type property is fully defined
>>>>> by the AS, which could delegate it to a common URI for reuse. This gets
>>>>> GNAP out of specifying access requests, and enables other parties to define
>>>>> access without any required coordination with IETF or IANA.
>>>>>
>>>>> A complication in mixing plain strings and URIs is the
>>>>> canonicalization. A plain string can be a fixed byte representation, but a
>>>>> URI requires canonicalization for comparison. Mixing the two requires URI
>>>>> detection at the AS before canonicalization, and an AS MUST do
>>>>> canonicalization of URIs.
>>>>>
>>>>> The URI is retrievable, it can provide machine and/or human readable
>>>>> documentation in JSON schema or some such, or any other content type. Once
>>>>> again, the details are out of scope of GNAP, but we can provide examples to
>>>>> guide implementers.
>>>>>
>>>>> Are you still thinking that bare strings are allowed in GNAP, and are
>>>>> defined by the AS?
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>>>>
>>>>>> The “type” field in the RAR spec serves an important purpose: it
>>>>>> defines what goes in the rest of the object, including what other fields
>>>>>> are available and what values are allowed for those fields. It provides an
>>>>>> API-level definition for requesting access based on multiple dimensions,
>>>>>> and that’s really powerful and flexible. Each type can use any of the
>>>>>> general-purpose fields like “actions” and/or add its own fields as
>>>>>> necessary, and the “type” parameter keeps everything well-defined.
>>>>>>
>>>>>> The question, then, is what defines what’s allowed to go into the
>>>>>> “type” field itself? And what defines how that value maps to the
>>>>>> requirements for the rest of the object? The draft doesn’t say anything
>>>>>> about it at the moment, but we should choose the direction we want to go.
>>>>>> On the surface, there are three main options:
>>>>>>
>>>>>> 1) Require all values to be registered.
>>>>>> 2) Require all values to be collision-resistant (eg, URIs).
>>>>>> 3) Require all values to be defined by the AS (and/or the RS’s that
>>>>>> it protects).
>>>>>>
>>>>>> Are there any other options?
>>>>>>
>>>>>> Here are my thoughts on each approach:
>>>>>>
>>>>>> 1) While it usually makes sense to register things for
>>>>>> interoperability, this is a case where I think that a registry would
>>>>>> actually hurt interoperability and adoption. Like a “scope” value, the RAR
>>>>>> “type” is ultimately up to the AS and RS to interpret in their own context.
>>>>>> We :want: people to define rich objects for their APIs and enable
>>>>>> fine-grained access for their systems, and if they have to register
>>>>>> something every time they come up with a new API to protect, it’s going to
>>>>>> be an unmaintainable mess. I genuinely don’t think this would scale, and
>>>>>> that most developers would just ignore the registry and do what they want
>>>>>> anyway. And since many of these systems are inside domains, it’s completely
>>>>>> unenforceable in practice.
>>>>>>
>>>>>> 2) This seems reasonable, but it’s a bit of a nuisance to require
>>>>>> everything to be a URI here. It’s long and ugly, and a lot of APIs are
>>>>>> going to be internal to a given group, deployment, or ecosystem anyway.
>>>>>> This makes sense when you’ve got something reusable across many
>>>>>> deployments, like OIDC, but it’s overhead when what you’re doing is tied to
>>>>>> your environment.
>>>>>>
>>>>>> 3) This allows the AS and RS to define the request parameters for
>>>>>> their APIs just like they do today with scopes. Since it’s always the
>>>>>> combination of “this type :AT: this AS/RS”, name spacing is less of an
>>>>>> issue across systems. We haven’t seen huge problems in scope value overlap
>>>>>> in the wild, though it does occur from time to time it’s more than
>>>>>> manageable. A client isn’t going to just “speak RAR”, it’s going to be
>>>>>> speaking RAR so that it can access something in particular.
>>>>>>
>>>>>> And all that brings me to my proposal:
>>>>>>
>>>>>> 4) Require all values to be defined by the AS, and encourage
>>>>>> specification developers to use URIs for collision resistance.
>>>>>>
>>>>>> So officially in RAR, the AS would decide what “type” means, and
>>>>>> nobody else. But we can also guide people who are developing
>>>>>> general-purpose interoperable APIs to use URIs for their RAR “type”
>>>>>> definitions. This would keep those interoperable APIs from stepping on each
>>>>>> other, and from stepping on any locally-defined special “type” structure.
>>>>>> But at the end of the day, the URI carries no more weight than just any
>>>>>> other string, and the AS decides what it means and how it applies.
>>>>>>
>>>>>> My argument is that this seems to have worked very, very well for
>>>>>> scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>>>>
>>>>>> What does the rest of the group think? How should we manage the RAR
>>>>>> “type” values and what they mean?
>>>>>>
>>>>>>  — Justin
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
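
The comparison rules debated in this thread, as an added example that is not part of any message here or of the RAR draft: it applies exact-string matching and a canonicalizing match to the URI strings quoted in the thread and reports which values collapse into one key. The function names, the `café-payments` type name and the choice of normalization steps (Unicode NFC, plus the scheme/host case, default-port and empty-path rules of RFC 3986 section 6.2) are assumptions made for illustration.

```python
import unicodedata
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# The URI strings are the ones quoted in the thread; the rest is constructed.
URI_CASE_VARIANTS = [
    "https://schema.example.org/v1",
    "HTTPS://schema.example.org/v1",
    "https://SCHEMA.EXAMPLE.ORG/v1",
]
NFC_NAME = "caf\u00e9-payments"    # hypothetical type name, precomposed U+00E9
NFD_NAME = "cafe\u0301-payments"   # same glyphs: "e" followed by combining U+0301
SAMPLE_TYPES = URI_CASE_VARIANTS + [
    "https://schema.example.org/v2",
    "https://schema.example.org:443/v1/",
    NFC_NAME, NFD_NAME,
    "foo", "Foo", "FOO",
]


def exact(value):
    """Opaque-string rule: the value is its own comparison key."""
    return value


def unicode_nfc(value):
    """Unicode canonical composition, so NFC and NFD spellings share a key."""
    return unicodedata.normalize("NFC", value)


def uri_normalized(value):
    """Partial RFC 3986 section 6.2 normalization (an assumption of this example):
    lowercase scheme and host, drop the scheme's default port, empty path -> "/".
    Values that are not absolute URIs with a host are returned unchanged."""
    try:
        parts = urlsplit(value)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return value
    if not parts.scheme or not parts.hostname:
        return value
    host = parts.hostname            # urlsplit already lowercases scheme and host
    if ":" in host:                  # IPv6 literal: restore the brackets
        host = f"[{host}]"
    userinfo, at, _ = parts.netloc.rpartition("@")
    netloc = userinfo + at + host
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        netloc += f":{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/",
                       parts.query, parts.fragment))


def canonical(value):
    """Canonicalizing rule: NFC first, then URI normalization where it applies."""
    return uri_normalized(unicode_nfc(value))


def ambiguous_groups(values, key):
    """Return lists of values that are distinct strings but share one key."""
    groups = defaultdict(list)
    for value in values:
        groups[key(value)].append(value)
    return [group for group in groups.values() if len(set(group)) > 1]


def lookup(registered, requested, key=exact):
    """Find the registered type a request refers to under the given rule."""
    index = {key(name): name for name in registered}
    return index.get(key(requested))


if __name__ == "__main__":
    print("exact rule, ambiguous groups:", ambiguous_groups(SAMPLE_TYPES, exact))
    for group in ambiguous_groups(SAMPLE_TYPES, canonical):
        print("collapse under canonicalization:", [s.encode("utf-8") for s in group])
    registered = ["https://schema.example.org/v1"]
    variant = "HTTPS://schema.example.org/v1"
    print("exact lookup:", lookup(registered, variant))
    print("canonical lookup:", lookup(registered, variant, key=canonical))
```

Running `ambiguous_groups` over an AS's configured type values with the strictest canonicalization any component in the deployment applies shows which values one layer would treat as distinct and another would merge.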

This makes sense when you=E2=80=99ve got something reusable across many dep=
loyments, like OIDC, but it=E2=80=99s overhead when what you=E2=80=99re doi=
ng is tied to your environment.<br>
<br>
3) This allows the AS and RS to define the request parameters for their API=
s just like they do today with scopes. Since it=E2=80=99s always the combin=
ation of =E2=80=9Cthis type :AT: this AS/RS=E2=80=9D, name spacing is less =
of an issue across systems. We haven=E2=80=99t seen huge problems in scope =
value overlap in the wild, though it does occur from time to time it=E2=80=
=99s more than manageable. A client isn=E2=80=99t going to just =E2=80=9Csp=
eak RAR=E2=80=9D, it=E2=80=99s going to be speaking RAR so that it can acce=
ss something in particular.<br>
<br>
And all that brings me to my proposal: <br>
<br>
4) Require all values to be defined by the AS, and encourage specification =
developers to use URIs for collision resistance.<br>
<br>
So officially in RAR, the AS would decide what =E2=80=9Ctype=E2=80=9D means=
, and nobody else. But we can also guide people who are developing general-=
purpose interoperable APIs to use URIs for their RAR =E2=80=9Ctype=E2=80=9D=
 definitions. This would keep those interoperable APIs from stepping on eac=
h other, and from stepping on any locally-defined special =E2=80=9Ctype=E2=
=80=9D structure. But at the end of the day, the URI carries no more weight=
 than just any other string, and the AS decides what it means and how it ap=
plies.<br>
<br>
My argument is that this seems to have worked very, very well for scopes, a=
nd the RAR =E2=80=9Ctype=E2=80=9D is cut from similar descriptive cloth.<br=
>
<br>
What does the rest of the group think? How should we manage the RAR =E2=80=
=9Ctype=E2=80=9D values and what they mean?<br>
<br>
=C2=A0=E2=80=94 Justin<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div>
</div></blockquote></div><br></div></div></blockquote></div>
</div></blockquote></div><br></div></div></blockquote></div>
</div></blockquote></div><br></div></div></blockquote></div></div></div>
</div></blockquote></div><br></div></div></blockquote></div>
</div></blockquote></div><br></div></div></div></blockquote></div>

--000000000000b4fb7e05aaf757e7--


From nobody Tue Jul 21 11:05:20 2020
From: Justin Richer <jricher@mit.edu>
Message-Id: <D36A4760-9503-48A9-AF79-2976D7B9D611@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C6199E83-2C98-4A2D-9303-DD02D60C7AA9"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 21 Jul 2020 14:05:10 -0400
In-Reply-To: <CAD9ie-ttTq9pypdQEjvc2zxMC_UUyGu+hzZe4qgEfHzuA_LDLQ@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Dick Hardt <dick.hardt@gmail.com>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com> <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu> <CAD9ie-tX+C1BvRRMH5E9-05X8YG02r3m1EpMn91Vruv+zsMyeg@mail.gmail.com> <CC8861CE-E535-4290-9E31-E037849ED509@mit.edu> <CAD9ie-tZkKtwVwLUSf2FJ9Xm-80dBupYKvbdmywSgA3M64B_7g@mail.gmail.com> <847FC552-84CA-4227-9768-8BA488B7FEFE@mit.edu> <CAD9ie-s7aZxt5wGjQgdDXSB3AsK1Ovr=cReiC9phnhYpYF-WGQ@mail.gmail.com> <0E6A3DE4-4EDC-4AB0-A491-D7DC960592AA@mit.edu> <CAD9ie-ttTq9pypdQEjvc2zxMC_UUyGu+hzZe4qgEfHzuA_LDLQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/he2CGKh0KIbrL1EBDYbra_1exNM>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

--Apple-Mail=_C6199E83-2C98-4A2D-9303-DD02D60C7AA9
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I’m suggesting that API designers avoid using such glyphs in their “type” values if they want to avoid such human-copy errors, like they would need to do for most other strings in their system. If that means they stick to ASCII or put a note on the developer page that says “hey copy and paste this value, don’t try to re-type it” or whatever, that’s up to the AS.

You’d have the same kind of issue around “similar-looking” characters, like the semicolon vs. the Greek question mark. Should the AS look for those and try to “fix” the inputs? I would argue not: the AS should be strict in matching these values because it could have security implications.

This isn’t a problem unique to RAR, or OAuth for that matter. We can, and I think should, add guidance to the RAR document for all of these points.

 — Justin

> On Jul 21, 2020, at 1:55 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> In Unicode, a glyph can be represented by more than one code point. When reading the docs and entering a value, the developer will not know which code point the AS intended.
>
> Are you suggesting that AS documentation would have the bytes rather than glyphs? Or not use glyphs that have multiple code points? Or that they only use English?
>
> On Tue, Jul 21, 2020 at 10:34 AM Justin Richer <jricher@mit.edu> wrote:
> Right, and I’m saying that all three of those would be DIFFERENT “type” values, because they’re different strings. The fact that when treated as URIs they would be equivalent is irrelevant. Just like “foo”, “Foo”, and “FOO” would be different “type” values, per the spec. Nothing is stopping an AS from treating them as equivalent internally, but that seems a bit dangerous to me. I’d love to see a formal breakdown of that, though.
>
> As for the Unicode example, if we define things as using byte comparisons, then that becomes an issue for proper documentation and configuration — and again, probably a good place to have recommendations for picking type value strings so as to avoid such problems.
>
> In short, I don’t think we should have any requirements on canonicalization for these values.
>
>  — Justin
>
>> On Jul 21, 2020, at 1:03 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> The following are the same URI, but are different strings:
>>
>> 	“https://schema.example.org/v1”
>> 	“HTTPS://schema.example.org/v1”
>> 	“https://SCHEMA.EXAMPLE.ORG/v1”
>>
>> Before comparing them to each other, they must be canonicalized so that they become the same string.
>>
>> From earlier in this thread, I am NOT suggesting that it must be a URI, nor that it is required:
>>
>> Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.
>>
>> What is the harm in non-normative language around a retrievable URI?
>>
>> On Tue, Jul 21, 2020 at 9:58 AM Justin Richer <jricher@mit.edu> wrote:
>> String comparison works just fine when the strings happen to be URIs, and you aren’t treating them as URIs:
>>
>> 	“https://schema.example.org/v1”
>>
>> Is different from
>>
>> 	“https://schema.example.org/v2”
>>
>> And both are different from
>>
>> 	“https://schema.example.org:443/v1/”
>>
>> All of these are strings, and the strings happen to be URIs but that’s irrelevant to the comparison process. Can you please help me understand why doing a string comparison on these values does not work in exactly the same way it would for “foo”, “bar”, and “baz” values? Why would these need to be canonicalized to be compared? The definition of a JSON string is an ordered set of Unicode code points, and this can be compared byte-wise. (Or code-point-wise, whatever’s most correct here.) Can you give me counter-examples as to where string comparison doesn’t work? And can you help me understand how this same worry doesn’t apply to all of the rest of the values in the RAR specification, which are also strings and will need to be compared?
>>
>> I’m still very confused as to the URI retrieval issue here, if there even is one. It sounds like we’re both saying that it could be useful if type values are retrievable when they’re URIs, but that would be something to augment a process and not required for the RAR spec. I’m against requiring the value to be a URI and against requiring the AS to process that URI as a URI at runtime. Anything that an AS wants to do with the “type” value, including providing additional tooling and validation, is up to the AS and outside of the spec.
>>
>>  — Justin
>>
>>> On Jul 21, 2020, at 12:35 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>> This statement:
>>>
>>> “compare two strings so that they’re exact”
>>>
>>> does not work for either Unicode or URIs. A string, and a canonicalized Unicode string are not the same thing. Similar for a URI. I have assumed you understand the canonicalization requirement, but it does not sound like you do. Would you like examples?
>>>
>>> wrt. the AS and URI, *you* keep saying that *I* said the AS would retrieve the URI. I HAVE NOT SAID THAT!
>>>
>>> I am suggesting that the URI MAY be retrievable, and I gave examples on how that would be useful for tooling for client developers, and for an AS in doing input validation. The URI would NOT be retrieved at run time.
>>>
>>> On Tue, Jul 21, 2020 at 7:35 AM Justin Richer <jricher@mit.edu> wrote:
>>> If we treat all the strings as just strings, without any special internal format to be specified or detected, then comparing the strings is a well-understood and well-documented process. I also think that we shouldn’t invent anything here, so if there’s a better way to say “compare two strings so that they’re exact” then that’s what I mean. Sorry if that was unclear.
>>>
>>> I’m saying the AS should not retrieve the URI passed in the “type” value. You brought that up and then described the process that the AS would take to do so. I have said from the start that the use of a URI is for name spacing and not for addressing content to be fetched, so I’m confused why you think I intend otherwise.
>>>
>>>  — Justin
>>>
>>>> On Jul 20, 2020, at 2:59 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>
>>>> Canonicalization of URIs and Unicode is fairly well specified. I was not suggesting we invent anything there.
>>>>
>>>> A byte comparison, as you suggested earlier, will be problematic, as I have pointed out.
>>>>
>>>> I'm confused why you are still talking about the AS retrieving a URI.
>>>>
>>>> On Mon, Jul 20, 2020 at 4:42 AM Justin Richer <jricher@mit.edu> wrote:
>>>> Since this is a recommendation for namespace, we could also just say collision-resistant like JWT, and any of those examples are fine. But that said, I think there’s something particularly compelling about URIs since they have somewhat-human-readable portions. But again, I’m saying it should be a recommendation to API developers and not a requirement in the spec. In the spec, I argue that “type” should be a string, full stop.
>>>>
>>>> If documentation is so confusing that developers are typing in the wrong strings, then that’s bad documentation. And likely a bad choice for the “type” string on the part of the AS. You’d have the same problem with any other value the developer’s supposed to copy over.  :)
>>>>
>>>> I agree that we should call out explicitly how they should be compared, and I propose we use one of the handful of existing string-comparison RFCs here instead of defining our own rules.
>>>>
>>>> While the type could be a dereferenceable URI, requiring action on the AS is really getting into distributed authorization policies. We tried doing that with UMA1’s scope structures and it didn’t work very well in practice (in my memory and experience). Someone could profile “type” on top of this if they wanted to do so, with support at the AS for that, but I don’t see a compelling reason for that to be a requirement as that’s a lot of complexity and a lot more error states (the fetch fails, or it doesn’t have a policy, or the policy’s in a format the AS doesn’t understand, or the AS doesn’t like the policy, etc).
>>>>
>>>> An AS is always free to implement its types in such a fashion, and that could make plenty of sense in a smaller ecosystem. And this is yet another reason that we define “type” as being a string to be interpreted and understood by the AS — so that an AS that wants to work this way can do so.
>>>>
>>>>  — Justin
>>>>
>>>> PS: thanks for pointing out the error in the example in XYZ, I’ll fix that prior to publication.
>>>>
>>>>> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>
>>>>> Justin: thanks for kindly pointing out which mail list this is.
>>>>>
>>>>> To clarify, public JWT claims are not just URIs, but any collision-resistant namespace:
>>>>> "Examples of collision-resistant namespaces include: Domain Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) [RFC4122]."
>>>>>
>>>>> I think letting the "type" be any JSON string and doing a byte-wise comparison will be problematic. A client developer will be reading documentation to learn what the types are, and typing it in. Given the wide set of whitespace characters, and Unicode equivalence, different byte streams will all look the same, and a byte-wise comparison will fail.
>>>>>
>>>>> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is not sufficient. Canonicalization is required.
>>>>>
>>>>> These are not showstopper issues, but the specification should call out how type strings are compared, and provide caveats to an AS developer.
>>>>>
>>>>> I have no idea why you would think the AS would retrieve a URL.
>>>>>
>>>>> Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.
>>>>>
>>>>> What is the harm in non-normative language around a retrievable URI?
>>>>>
>>>>> BTW: the example in https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has not been updated with the "type" field.
>>>>>
>>>>> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>>>>> Hi Dick,
>>>>>
>>>>> This is a discussion about the RAR specification on the OAuth list, and therefore doesn’t have anything to do with alignment with XAuth. In fact, I believe the alignment is the other way around, as doesn’t XAuth normatively reference RAR at this point? Even though, last I saw, it uses a different top-level structure for conveying things, I believe it does say to use the internal object structures. I am also a co-author on RAR and we had already defined a “type” field in RAR quite some time ago. You did notice that XYZ’s latest draft added this field to keep the two in alignment with each other, which has always been the goal since the initial proposal of the RAR work, but that’s a time lag and not a display of new intent.
>>>>>
>>>>> In any event, even though I think the decision has bearing in both places, this isn’t about GNAP. Working on RAR’s requirements has brought up this interesting issue of what should be in the type field for RAR in OAuth 2.
>>>>>
>>>>> I think that it should be defined as a string, and therefore compared as a byte value in all cases, regardless of what the content of the string is. I don’t think the AS should be expected to fetch a URI for anything. I don’t think the AS should normalize any of the inputs. I think that any JSON-friendly character set should be allowed (including spaces and unicodes), and since RAR already requires the JSON objects to be form-encoded, this shouldn’t cause additional trouble when adding them in to OAuth 2’s request structures.
>>>>>
>>>>> The idea of using a URI would be to get people out of each other’s namespaces. It’s similar to the concept of “public” vs “private” claims in JWT:
>>>>>
>>>>> https://tools.ietf.org/html/rfc7519#section-4.2
>>>>>
>>>>> What I’m proposing is that if you think it’s going to be a general-purpose type name, then we recommend you use a URI as your string. And beyond that, that’s it. It’s up to the AS to figure out what to do with it, and RAR stays out of it.
>>>>>
>>>>>  — Justin
>>>>>
>>>>>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>>
>>>>>> Hey Justin, glad to see that you have aligned with the latest XAuth draft on a type property being required.
>>>>>>
>>>>>> I like the idea that the value of the type property is fully defined by the AS, which could delegate it to a common URI for reuse. This gets GNAP out of specifying access requests, and enables other parties to define access without any required coordination with IETF or IANA.
>>>>>>
>>>>>> A complication in mixing plain strings and URIs is the canonicalization. A plain string can be a fixed byte representation, but a URI requires canonicalization for comparison. Mixing the two requires URI detection at the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>>>>>>
>>>>>> The URI is retrievable, it can provide machine and/or human readable documentation in JSON schema or some such, or any other content type. Once again, the details are out of scope of GNAP, but we can provide examples to guide implementers.
>>>>>>
>>>>>> Are you still thinking that bare strings are allowed in GNAP, and are defined by the AS?
>>>>>>
>>>>>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>>>>> The “type” field in the RAR spec serves an important purpose: it defines what goes in the rest of the object, including what other fields are available and what values are allowed for those fields. It provides an API-level definition for requesting access based on multiple dimensions, and that’s really powerful and flexible. Each type can use any of the general-purpose fields like “actions” and/or add its own fields as necessary, and the “type” parameter keeps everything well-defined.
>>>>>>
>>>>>> The question, then, is what defines what’s allowed to go into the “type” field itself? And what defines how that value maps to the requirements for the rest of the object? The draft doesn’t say anything about it at the moment, but we should choose the direction we want to go. On the surface, there are three main options:
>>>>>>
>>>>>> 1) Require all values to be registered.
>>>>>> 2) Require all values to be collision-resistant (e.g., URIs).
>>>>>> 3) Require all values to be defined by the AS (and/or the RS’s that it protects).
>>>>>>
>>>>>> Are there any other options?
>>>>>>
>>>>>> Here are my thoughts on each approach:
>>>>>>
>>>>>> 1) While it usually makes sense to register things for interoperability, this is a case where I think that a registry would actually hurt interoperability and adoption. Like a “scope” value, the RAR “type” is ultimately up to the AS and RS to interpret in their own context. We :want: people to define rich objects for their APIs and enable fine-grained access for their systems, and if they have to register something every time they come up with a new API to protect, it’s going to be an unmaintainable mess. I genuinely don’t think this would scale, and that most developers would just ignore the registry and do what they want anyway. And since many of these systems are inside domains, it’s completely unenforceable in practice.
>>>>>>
>>>>>> 2) This seems reasonable, but it’s a bit of a nuisance to require everything to be a URI here. It’s long and ugly, and a lot of APIs are going to be internal to a given group, deployment, or ecosystem anyway. This makes sense when you’ve got something reusable across many deployments, like OIDC, but it’s overhead when what you’re doing is tied to your environment.
>>>>>>
>>>>>> 3) This allows the AS and RS to define the request parameters for their APIs just like they do today with scopes. Since it’s always the combination of “this type :AT: this AS/RS”, name spacing is less of an issue across systems. We haven’t seen huge problems in scope value overlap in the wild, though it does occur from time to time it’s more than manageable. A client isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it can access something in particular.
>>>>>>
>>>>>> And all that brings me to my proposal:
>>>>>>
>>>>>> 4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.
>>>>>>
>>>>>> So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.
>>>>>>
>>>>>> My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>>>>
>>>>>> What does the rest of the group think? How should we manage the RAR “type” values and what they mean?
>>>>>>
>>>>>>  — Justin
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
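
The two comparison rules debated in this thread, as an added example that is not part of any message above and not code from the RAR draft. It compares "type" values exactly, and then after partial RFC 3986 syntax-based normalization plus Unicode NFC, to list which separately defined values an AS would conflate if it canonicalized. All function names and the Unicode sample values are constructed for illustration; the three URIs are the ones quoted in the thread.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def exact(value):
    """Identity: compare the code points as received (strict matching)."""
    return value


def nfc(value):
    """Unicode canonical composition (NFC)."""
    return unicodedata.normalize("NFC", value)


def uri_normalize(value):
    """Partial RFC 3986 syntax-based normalization: lowercase the scheme and
    host and drop a default port. Strings that do not parse as a URI with an
    authority component are returned unchanged."""
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:
        return value
    if not parts.scheme or not parts.hostname:
        return value
    netloc = parts.hostname  # urlsplit lowercases scheme and hostname
    if ":" in netloc:  # IPv6 literal, restore the brackets
        netloc = "[%s]" % netloc
    userinfo, at, _ = parts.netloc.rpartition("@")
    if at:
        netloc = userinfo + "@" + netloc
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        netloc = "%s:%d" % (netloc, port)
    return urlunsplit(
        (parts.scheme, netloc, parts.path, parts.query, parts.fragment)
    )


def lenient(value):
    """Canonicalize as a URI where possible, then apply NFC."""
    return nfc(uri_normalize(value))


def find_collisions(type_values, canonicalize):
    """Group distinct type strings that become equal under `canonicalize`."""
    groups = {}
    for value in type_values:
        groups.setdefault(canonicalize(value), []).append(value)
    return [g for g in groups.values() if len(set(g)) > 1]


def resolve_type(registry, requested, canonicalize=exact):
    """Return the policy the AS defined for `requested`, or None."""
    table = {canonicalize(name): policy for name, policy in registry.items()}
    return table.get(canonicalize(requested))


# The three URI strings quoted in the thread.
THREAD_URIS = [
    "https://schema.example.org/v1",
    "HTTPS://schema.example.org/v1",
    "https://SCHEMA.EXAMPLE.ORG/v1",
]

# Constructed sample values (not from the thread).
CONSTRUCTED = [
    "caf\u00e9",         # precomposed e-acute
    "cafe\u0301",        # e followed by combining acute accent
    "read;write",        # U+003B SEMICOLON
    "read\u037ewrite",   # U+037E GREEK QUESTION MARK
    "foo", "Foo", "FOO",
]

if __name__ == "__main__":
    values = THREAD_URIS + CONSTRUCTED
    print("collisions, exact comparison:", find_collisions(values, exact))
    for group in find_collisions(values, lenient):
        print("conflated after canonicalization:",
              [v.encode("unicode_escape").decode() for v in group])
    registry = {"read;write": "policy-A"}  # constructed AS configuration
    request = "read\u037ewrite"
    print("strict lookup :", resolve_type(registry, request))
    print("lenient lookup:", resolve_type(registry, request, lenient))
```

NFC maps the Greek question mark to the semicolon, so the lenient lookup resolves a string the AS never defined, while "foo", "Foo" and "FOO" stay distinct under both rules.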


--Apple-Mail=_C6199E83-2C98-4A2D-9303-DD02D60C7AA9
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D"">I=E2=80=
=99m suggesting that API designers avoid using such glyphs in their =
=E2=80=9Ctype=E2=80=9D values if they want to avoid such human-copy =
errors, like they would need to do for most other strings in their =
system. If that means they stick to ASCII or put a note on the developer =
page that says =E2=80=9Chey copy and paste this value, don=E2=80=99t try =
to re-type it=E2=80=9D or whatever, that=E2=80=99s up to the =
AS.&nbsp;<div class=3D""><br class=3D""></div><div class=3D"">You=E2=80=99=
d have the same kind of issue around =E2=80=9Csimilar-looking=E2=80=9D =
characters, like the semicolon vs. the greek question mark. Should the =
AS look for those and try to =E2=80=9Cfix=E2=80=9D the inputs? I would =
argue not: the AS should be strict in matching these values because it =
could have security implications.&nbsp;</div><div class=3D""><br =
class=3D""></div><div class=3D"">This isn=E2=80=99t a problem unique to =
RAR, or OAuth for that matter. We can, and I think should, add guidance =
to the RAR document for all of these points.&nbsp;<div class=3D""><br =
class=3D""></div><div class=3D"">&nbsp;=E2=80=94 Justin<br =
class=3D""><div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"">On Jul 21, 2020, at 1:55 PM, Dick Hardt &lt;<a =
href=3D"mailto:dick.hardt@gmail.com" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><meta =
http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8" =
class=3D""><div dir=3D"ltr" class=3D"">In unicode, a glyph can be =
represented by more than one code point. When reading the docs and =
entering a value, the developer will not know which code point the AS =
intended.&nbsp;<div class=3D""><br class=3D""></div><div class=3D"">Are =
you suggesting that AS documentation would have the bytes rather than =
glyphs? Or&nbsp;not use glyphs that&nbsp;have multiple code&nbsp;points? =
Or that they only use english?<div class=3D""><br class=3D""></div><div =
class=3D""><br class=3D""></div></div></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Jul =
21, 2020 at 10:34 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex"><div style=3D"overflow-wrap: =
break-word;" class=3D"">Right, and I=E2=80=99m saying that all three of =
those would be DIFFERENT =E2=80=9Ctype=E2=80=9D values, because =
they=E2=80=99re different strings. The fact that when treated as URIs =
they would be equivalent is irrelevant. Just like =E2=80=9Cfoo=E2=80=9D, =
=E2=80=9CFoo=E2=80=9D, and =E2=80=9CFOO=E2=80=9D would be different =
=E2=80=9Ctype=E2=80=9D values, per the spec. Nothing is stopping an AS =
from treating them as equivalent internally, but that seems a bit =
dangerous to me. I=E2=80=99d love to see a formal breakdown of that, =
though.<div class=3D""><br class=3D""></div><div class=3D"">As for the =
unicode example, if we define things as using byte comparisons, then =
that becomes an issue for proper documentation and configuration =E2=80=94=
 and again, probably a good place to have recommendations for picking =
type value strings so as to avoid such problems.</div><div class=3D""><br =
class=3D""></div><div class=3D"">In short, I don=E2=80=99t think we =
should have any requirements on canonicalization for these values.<br =
class=3D""><div class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=
=94 Justin<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 21, 2020, at 1:03 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" =
class=3D""><div dir=3D"ltr" class=3D""><div class=3D""><br =
class=3D""></div><div class=3D"">The following are the same URI, but are =
different strings:</div><div class=3D""><br class=3D""></div><div =
class=3D""><div dir=3D"ltr" class=3D""><span =
style=3D"white-space:pre-wrap" class=3D"">	</span>=E2=80=9C<a =
href=3D"https://schema.example.org/v1" target=3D"_blank" =
class=3D"">https://schema.example.org/v1</a>=E2=80=9D</div><div =
dir=3D"ltr" class=3D""><span style=3D"white-space:pre-wrap" class=3D"">	=
</span>=E2=80=9C<a href=3D"https://schema.example.org/v1" =
target=3D"_blank" =
class=3D"">HTTPS://schema.example.org/v1</a>=E2=80=9D</div><div =
dir=3D"ltr" class=3D""><span style=3D"white-space:pre-wrap" class=3D"">	=
</span>=E2=80=9C<a href=3D"https://schema.example.org/v1" =
target=3D"_blank" class=3D"">https://SCHEMA.EXAMPLE.ORG/v1</a>=E2=80=9D<br=
 class=3D""><div class=3D""></div></div></div><div class=3D""><br =
class=3D""></div><div class=3D"">Before comparing them to each other, =
they must be canonicalized so that they become the same =
string.</div><div class=3D""><br class=3D""></div><div class=3D"">=46rom =
earlier in this thread, I am NOT suggesting that it must be a URI, nor =
that it is required:</div><div class=3D""><br =
class=3D""></div></div><blockquote style=3D"margin:0px 0px 0px =
40px;border:none;padding:0px" class=3D""><div class=3D""><div =
class=3D""><div class=3D"">Since the type represents a much more complex =
object than a JWT claim, a client developer's tooling could pull down =
the JSON Schema (or some such) for a type used in their source code, and =
provide autocompletion and validation which would improve productivity =
and reduce errors. An AS that is using a defined type could use the =
schema for input validation. Neither of these would be at run time. JSON =
Schema allows comments and examples.</div></div></div><div class=3D""><div=
 class=3D""><br class=3D""></div></div><div class=3D""><div =
class=3D"">What is the harm in non-normative language around a =
retrievable =
URI?</div></div></blockquote></div></div></div></div></div><br =
class=3D""><div class=3D"gmail_quote"><div dir=3D"ltr" =
class=3D"gmail_attr">On Tue, Jul 21, 2020 at 9:58 AM Justin Richer =
&lt;<a href=3D"mailto:jricher@mit.edu" target=3D"_blank" =
class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex"><div class=3D"">String =
comparison works just fine when the strings happen to be URIs, and you =
aren=E2=80=99t treating them as URIs:<div class=3D""><br =
class=3D""></div><div class=3D""><span style=3D"white-space:pre-wrap" =
class=3D"">	</span>=E2=80=9C<a href=3D"https://schema.example.org/v1" =
target=3D"_blank" =
class=3D"">https://schema.example.org/v1</a>=E2=80=9D</div><div =
class=3D""><br class=3D""></div><div class=3D"">Is different =
from&nbsp;</div><div class=3D""><br class=3D""></div><div class=3D""><span=
 style=3D"white-space:pre-wrap" class=3D"">	</span>=E2=80=9C<a =
href=3D"https://schema.example.org/v2" target=3D"_blank" =
class=3D"">https://schema.example.org/v2</a>=E2=80=9D</div><div =
class=3D""><br class=3D""></div><div class=3D"">And both are different =
from</div><div class=3D""><br class=3D""></div><div class=3D""><span =
style=3D"white-space:pre-wrap" class=3D"">	</span>=E2=80=9C<a =
href=3D"https://schema.example.org/v1" target=3D"_blank" =
class=3D"">https://schema.example.org:443/v1</a>/=E2=80=9C</div><div =
class=3D""><br class=3D""></div><div class=3D"">All of these are =
strings, and the strings happen to be URIs but that=E2=80=99s irrelevant =
to the comparison process. Can you please help me understand why doing a =
string comparison on these values does not work in exactly the same way =
it would for =E2=80=9Cfoo=E2=80=9D, =E2=80=9Cbar=E2=80=9D, and =E2=80=9Cba=
z=E2=80=9D values? Why would these need to be canonicalized to be =
compared? The definition of a JSON string is an ordered set of unicode =
code points, and this can be compared byte-wise. (Or code-point-wise, =
whatever=E2=80=99s most correct here.) Can you give me counter-examples =
as to where string comparison doesn=E2=80=99t work? And can you help me =
understand how this same worry doesn=E2=80=99t apply to all of the rest =
of the values in the RAR specification, which are also strings and will =
need to be compared?</div><div class=3D""><br class=3D""></div><div =
class=3D"">I=E2=80=99m still very confused as to the URI retrieval issue =
here, if there even is one. It sounds like we=E2=80=99re both saying =
that it could be useful if type values are retrievable when they=E2=80=99r=
e URIs, but that would be something to augment a process and not =
required for the RAR spec. I=E2=80=99m against requiring the value to be =
a URI and against requiring the AS to process that URI <b class=3D"">as =
a URI</b> at runtime. Anything that an AS wants to do with the =
=E2=80=9Ctype=E2=80=9D value, including providing additional tooling and =
validation, is up to the AS and outside of the spec.</div><div =
class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 =
Justin</div><div class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 21, 2020, at 12:35 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D"">This statement:<br class=3D""></div><div =
dir=3D"ltr" class=3D""><br class=3D""></div><div dir=3D"ltr" =
class=3D"">=E2=80=9Ccompare two strings so that they=E2=80=99re =
exact=E2=80=9D<br class=3D""></div><div dir=3D"ltr" class=3D""><br =
class=3D""></div><div class=3D"">does not work for either Unicode or =
URIs. A string, and a canonicalized Unicode string are not the same =
thing. Similar for a URI. I have assumed you understand the =
canonicalization requirement, but it does not sound like you do. Would =
you like examples?</div><div class=3D""><br class=3D""></div><div =
class=3D""><br class=3D""></div><div class=3D"">wrt. the AS and URI, =
*you* keep saying that *I* said the AS would retrieve the URI. I HAVE =
NOT SAID THAT!</div><div class=3D""><br class=3D""></div><div class=3D"">I=
 am suggesting that the URI MAY be retrievable, and I gave examples on =
how that would be useful for tooling for client developers, and for an =
AS in doing input validation. The URI would NOT be retrieved at run =
time.</div><div class=3D""><br class=3D""></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Jul =
21, 2020 at 7:35 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div class=3D""><div class=3D"">If we =
treat all the strings as just strings, without any special internal =
format to be specified or detected, then comparing the strings is a =
well-understood and well-documented process. I also think that we =
shouldn=E2=80=99t invent anything here, so if there=E2=80=99s a better =
way to say =E2=80=9Ccompare two strings so that they=E2=80=99re exact=E2=80=
=9D then that=E2=80=99s what I mean. Sorry if that was =
unclear.</div><div class=3D""><br class=3D""></div>I=E2=80=99m saying =
the AS should <b class=3D"">not</b> retrieve the URI passed in the =
=E2=80=9Ctype=E2=80=9D value. You brought that up and then described the =
process that the AS would take to do so. I have said from the start that =
the use of a URI is for name spacing and not for addressing content to =
be fetched, so I=E2=80=99m confused why you think I intend =
otherwise.<div class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=
=94 Justin<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 20, 2020, at 2:59 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D"">Canonicalization of URIs and =
unicode is fairly well specified. I was not suggesting we invent =
anything there.<div class=3D""><br class=3D""></div><div class=3D"">A =
byte comparison, as you suggested earlier, will be problematic, as I =
have pointed out.</div><div class=3D""><br class=3D""></div><div =
class=3D"">I'm confused why you are still talking about the AS =
retrieving a URI.</div><div class=3D""><br class=3D""></div></div><br =
class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jul =
20, 2020 at 4:42 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div class=3D""><div class=3D"">Since =
this is a recommendation for namespace, we could also just say =
collision-resistant like JWT, and any of those examples are fine. But =
that said, I think there=E2=80=99s something particularly compelling =
about URIs since they have somewhat-human-readable portions. But again, =
I=E2=80=99m saying it should be a recommendation to API developers and =
not a requirement in the spec. In the spec, I argue that =E2=80=9Ctype=E2=80=
=9D should be a string, full stop.</div><div class=3D""><br =
class=3D""></div>If documentation is so confusing that developers are =
typing in the wrong strings, then that=E2=80=99s bad documentation. And =
likely a bad choice for the =E2=80=9Ctype=E2=80=9D string on the part of =
the AS. You=E2=80=99d have the same problem with any other value the =
developer=E2=80=99s supposed to copy over. &nbsp;:)<div class=3D""><br =
class=3D""></div><div class=3D"">I agree that we should call out =
explicitly how they should be compared, and I propose we use one of the =
handful of existing string-comparison RFC=E2=80=99s here instead of =
defining our own rules.</div><div class=3D""><br class=3D""></div><div =
class=3D"">While the type could be a dereferenceable URI, requiring =
action on the AS is really getting into distributed authorization =
policies. We tried doing that with UMA1=E2=80=99s scope structures and =
it didn=E2=80=99t work very well in practice (in my memory and =
experience). Someone could profile =E2=80=9Ctype" on top of this if they =
wanted to do so, with support at the AS for that, but I don=E2=80=99t =
see a compelling reason for that to be a requirement as that=E2=80=99s a =
lot of complexity and a lot more error states (the fetch fails, or it =
doesn=E2=80=99t have a policy, or the policy=E2=80=99s in a format the =
AS doesn=E2=80=99t understand, or the AS doesn=E2=80=99t like the =
policy, etc).&nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">An AS is always free to implement its types in such a =
fashion, and that could make plenty of sense in a smaller ecosystem. And =
this is yet another reason that we define =E2=80=9Ctype=E2=80=9D as =
being a string to be interpreted and understood by the AS =E2=80=94 so =
that an AS that wants to work this way can do so.</div><div class=3D""><br=
 class=3D""></div><div class=3D"">&nbsp;=E2=80=94 Justin</div><div =
class=3D""><br class=3D""></div><div class=3D"">PS: thanks for pointing =
out the error in the example in XYZ, I=E2=80=99ll fix that prior to =
publication.<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 18, 2020, at 8:58 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D"">Justin: thanks for =
kindly pointing out which mail list this is.</div><div dir=3D"ltr" =
class=3D""><br class=3D""><div class=3D"">To clarify, public JWT claims =
are not just URIs, but any =
collision-resistant&nbsp;namespace:&nbsp;</div><div class=3D"">"Examples =
of collision-resistant namespaces include: Domain Names, Object =
Identifiers (OIDs) as defined in the ITU-T X.660 and&nbsp; &nbsp; &nbsp; =
X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) =
[RFC4122]."</div><div class=3D""><br class=3D""></div><div class=3D"">I =
think letting the "type" be any JSON string and doing a byte-wise =
comparison will be problematic. A client developer will be reading =
documentation to learn what the types are,&nbsp;and typing it in. Given =
the wide set of whitespace characters, and unicode equivalence, =
different byte streams will all look the same, and a byte-wise =
comparison will fail.</div><div class=3D""><br class=3D""></div><div =
class=3D"">Similarly&nbsp;for URIs. If it is a valid URI, then a =
byte-wise comparison is not sufficient. Canonicalization is =
required.&nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">These are not showstopper&nbsp;issues, but the specification =
should call out how type strings are compared, and provide&nbsp;caveats =
to an AS developer.</div><div class=3D""><br class=3D""></div><div =
class=3D"">I have no idea why you would think the AS would retrieve a =
URL.</div><div class=3D""><br class=3D""></div><div class=3D"">Since the =
type represents a much more complex object than a JWT claim, a client =
developer's tooling could pull down the JSON Schema (or some such) for a =
type used in their source code, and provide autocompletion and =
validation which would improve productivity and reduce errors. An AS =
that is using a defined type could use the schema for input validation. =
Neither of these would be at run time. JSON Schema allows comments and =
examples.</div><div class=3D""><br class=3D""></div><div class=3D"">What =
is the harm in non-normative language around a retrievable =
URI?</div><div class=3D""><br class=3D""></div><div class=3D"">BTW: the =
example in&nbsp;<a =
href=3D"https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2" =
target=3D"_blank" =
class=3D"">https://oauth.xyz/draft-richer-transactional-authz#rfc.section.=
2</a>&nbsp;has not been updated with the "type" field.</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div></div></div></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Sat, Jul =
18, 2020 at 8:10 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div class=3D"">Hi Dick,<div =
class=3D""><br class=3D""></div><div class=3D"">This is a discussion =
about the RAR specification on the OAuth list, and therefore doesn=E2=80=99=
t have anything to do with alignment with XAuth. In fact, I believe the =
alignment is the other way around, as doesn=E2=80=99t Xauth normatively =
reference RAR at this point? Even though, last I saw, it uses a =
different top-level structure for conveying things, I believe it does =
say to use the internal object structures. I am also a co-author on RAR =
and we had already defined a =E2=80=9Ctype=E2=80=9D field in RAR quite =
some time ago. You did notice that XYZ=E2=80=99s latest draft added this =
field to keep the two in alignment with each other, which has always =
been the goal since the initial proposal of the RAR work, but that=E2=80=99=
s a time lag and not a display of new intent.&nbsp;</div><div =
class=3D""><br class=3D""></div><div class=3D"">In any event, even =
though I think the decision has bearing in both places, this isn=E2=80=99t=
 about GNAP. Working on RAR=E2=80=99s requirements has brought up this =
interesting issue of what should be in the type field for RAR in OAuth =
2.</div><div class=3D""><br class=3D""></div><div class=3D"">I think =
that it should be defined as a string, and therefore compared as a byte =
value in all cases, regardless of what the content of the string is. I =
don=E2=80=99t think the AS should be expected to fetch a URI for =
anything. I don=E2=80=99t think the AS should normalize any of the =
inputs. I think that any JSON-friendly character set should be allowed =
(including spaces and unicodes), and since RAR already requires the JSON =
objects to be form-encoded, this shouldn=E2=80=99t cause additional =
trouble when adding them in to OAuth 2=E2=80=99s request =
structures.</div><div class=3D""><br class=3D""></div><div class=3D"">The =
idea of using a URI would be to get people out of each other=E2=80=99s =
namespaces. It=E2=80=99s similar to the concept of =E2=80=9Cpublic=E2=80=9D=
 vs =E2=80=9Cprivate=E2=80=9D claims in JWT:</div><div class=3D""><br =
class=3D""></div><div class=3D""><a =
href=3D"https://tools.ietf.org/html/rfc7519#section-4.2" target=3D"_blank"=
 class=3D"">https://tools.ietf.org/html/rfc7519#section-4.2</a></div><div =
class=3D""><br class=3D""></div><div class=3D"">What I=E2=80=99m =
proposing is that if you think it=E2=80=99s going to be a =
general-purpose type name, then we recommend you use a URI as your =
string. And beyond that, that=E2=80=99s it. It=E2=80=99s up to the AS to =
figure out what to do with it, and RAR stays out of it.</div><div =
class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 =
Justin<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 17, 2020, at 1:25 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D"">Hey Justin, glad to see that you =
have aligned with the latest XAuth draft on a type property being =
required.<br class=3D""><div class=3D""><br class=3D""></div><div =
class=3D"">I like the idea that the value of the type property is fully =
defined by the AS, which could delegate it to a common URI for reuse. =
This gets GNAP out of specifying access requests, and enables other =
parties to define access without any required coordination with IETF or =
IANA.</div><div class=3D""><br class=3D""></div><div class=3D"">A =
complication in mixing plain strings and URIs is the canonicalization. A =
plain string can be a fixed byte&nbsp;representation, but a URI requires =
canonicalization for comparison. Mixing the two requires&nbsp;URI =
detection at the AS before canonicalization, and an AS MUST do =
canonicalization of URIs.</div><div class=3D""><br class=3D""></div><div =
class=3D"">The URI is retrievable, it can provide machine and/or human =
readable documentation in JSON schema or some such, or any other content =
type. Once again, the details are out of scope&nbsp;of GNAP, but we can =
provide examples to guide implementers.</div><div class=3D""><br =
class=3D""></div><div class=3D"">Are you still thinking that bare =
strings are allowed in GNAP, and&nbsp;are defined by the AS?</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div><br class=3D""><div class=3D"gmail_quote"><div =
dir=3D"ltr" class=3D"gmail_attr">On Fri, Jul 17, 2020 at 8:39 AM Justin =
Richer &lt;<a href=3D"mailto:jricher@mit.edu" target=3D"_blank" =
class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">The =E2=80=9Ctype=E2=80=9D =
field in the RAR spec serves an important purpose: it defines what goes =
in the rest of the object, including what other fields are available and =
what values are allowed for those fields. It provides an API-level =
definition for requesting access based on multiple dimensions, and =
that=E2=80=99s really powerful and flexible. Each type can use any of =
the general-purpose fields like =E2=80=9Cactions=E2=80=9D and/or add its =
own fields as necessary, and the =E2=80=9Ctype=E2=80=9D parameter keeps =
everything well-defined.<br class=3D"">
<br class=3D"">
The question, then, is what defines what=E2=80=99s allowed to go into =
the =E2=80=9Ctype=E2=80=9D field itself? And what defines how that value =
maps to the requirements for the rest of the object? The draft doesn=E2=80=
=99t say anything about it at the moment, but we should choose the =
direction we want to go. On the surface, there are three main =
options:<br class=3D"">
<br class=3D"">
1) Require all values to be registered. <br class=3D"">
2) Require all values to be collision-resistant (eg, URIs).<br class=3D"">=

3) Require all values to be defined by the AS (and/or the RS=E2=80=99s =
that it protects).<br class=3D"">
<br class=3D"">
Are there any other options?<br class=3D"">
<br class=3D"">
Here are my thoughts on each approach:<br class=3D"">
<br class=3D"">
1) While it usually makes sense to register things for interoperability, =
this is a case where I think that a registry would actually hurt =
interoperability and adoption. Like a =E2=80=9Cscope=E2=80=9D value, the =
RAR =E2=80=9Ctype=E2=80=9D is ultimately up to the AS and RS to =
interpret in their own context. We :want: people to define rich objects =
for their APIs and enable fine-grained access for their systems, and if =
they have to register something every time they come up with a new API =
to protect, it=E2=80=99s going to be an unmaintainable mess. I genuinely =
don=E2=80=99t think this would scale, and that most developers would =
just ignore the registry and do what they want anyway. And since many of =
these systems are inside domains, it=E2=80=99s completely unenforceable =
in practice.<br class=3D"">
<br class=3D"">
2) This seems reasonable, but it=E2=80=99s a bit of a nuisance to =
require everything to be a URI here. It=E2=80=99s long and ugly, and a =
lot of APIs are going to be internal to a given group, deployment, or =
ecosystem anyway. This makes sense when you=E2=80=99ve got something =
reusable across many deployments, like OIDC, but it=E2=80=99s overhead =
when what you=E2=80=99re doing is tied to your environment.<br class=3D"">=

<br class=3D"">
3) This allows the AS and RS to define the request parameters for their =
APIs just like they do today with scopes. Since it=E2=80=99s always the =
combination of =E2=80=9Cthis type :AT: this AS/RS=E2=80=9D, name spacing =
is less of an issue across systems. We haven=E2=80=99t seen huge =
problems in scope value overlap in the wild, though it does occur from =
time to time it=E2=80=99s more than manageable. A client isn=E2=80=99t =
going to just =E2=80=9Cspeak RAR=E2=80=9D, it=E2=80=99s going to be =
speaking RAR so that it can access something in particular.<br class=3D"">=

<br class=3D"">
And all that brings me to my proposal: <br class=3D"">
<br class=3D"">
4) Require all values to be defined by the AS, and encourage =
specification developers to use URIs for collision resistance.<br =
class=3D"">
<br class=3D"">
So officially in RAR, the AS would decide what =E2=80=9Ctype=E2=80=9D =
means, and nobody else. But we can also guide people who are developing =
general-purpose interoperable APIs to use URIs for their RAR =E2=80=9Ctype=
=E2=80=9D definitions. This would keep those interoperable APIs from =
stepping on each other, and from stepping on any locally-defined special =
=E2=80=9Ctype=E2=80=9D structure. But at the end of the day, the URI =
carries no more weight than just any other string, and the AS decides =
what it means and how it applies.<br class=3D"">
<br class=3D"">
My argument is that this seems to have worked very, very well for =
scopes, and the RAR =E2=80=9Ctype=E2=80=9D is cut from similar =
descriptive cloth.<br class=3D"">
<br class=3D"">
What does the rest of the group think? How should we manage the RAR =
=E2=80=9Ctype=E2=80=9D values and what they mean?<br class=3D"">
<br class=3D"">
&nbsp;=E2=80=94 Justin<br class=3D"">
</blockquote></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br =
class=3D""></div></div></blockquote></div></div></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br =
class=3D""></div></div></div></blockquote></div>
</div></blockquote></div><br class=3D""></div></div></body></html>=

--Apple-Mail=_C6199E83-2C98-4A2D-9303-DD02D60C7AA9--
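
The comparison question argued in the message above, as an added example (not code from the RAR draft or from either participant): runtime matching of a RAR "type" stays an exact code-point comparison, while a registration-time lint flags values that a developer copying from documentation could confuse. The function names, the confusability key (NFKC, case folding, URI scheme/host/default-port/trailing-slash folding) and every sample value other than the URIs quoted in the thread are assumptions of this example.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ODD_SPACE_CATEGORIES = {"Zs", "Zl", "Zp", "Cc", "Cf"}


def types_match(requested: str, registered: str) -> bool:
    """Runtime rule from the thread: exact code-point equality, nothing else."""
    return requested == registered


def confusion_key(value: str) -> str:
    """Collapse a type string to what a reader or a URI parser would call 'the same'.

    Assumption of this example: NFKC plus case folding for plain strings;
    lowercase scheme and host, dropped default port and trailing slash for
    URI-shaped strings (userinfo is ignored). The trailing-slash rule is a
    lint heuristic, stricter than URI equivalence. Lint use only: this key
    never decides whether a request matches.
    """
    text = unicodedata.normalize("NFKC", value).strip()
    try:
        parts = urlsplit(text)
        port = parts.port
    except ValueError:  # malformed authority or port: treat as a plain string
        return text.casefold()
    if not (parts.scheme and parts.hostname):
        return text.casefold()
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((scheme, host, path, parts.query, parts.fragment))


def has_odd_whitespace(value: str) -> bool:
    """True for leading/trailing whitespace or any space-like char except U+0020."""
    if value != value.strip():
        return True
    return any(
        ch != " " and unicodedata.category(ch) in ODD_SPACE_CATEGORIES
        for ch in value
    )


def lint_registry(type_values):
    """Return findings for type strings an AS is about to document and accept."""
    findings = []
    seen = {}
    for value in type_values:
        if not unicodedata.is_normalized("NFC", value):
            findings.append(("not-nfc", value))
        if has_odd_whitespace(value):
            findings.append(("odd-whitespace", value))
        first = seen.setdefault(confusion_key(value), value)
        if first != value:
            findings.append(("confusable", first, value))
    return findings


# Constructed registry: the four URIs come from the thread, the rest are made up.
REGISTERED = [
    "https://schema.example.org/v1",
    "HTTPS://schema.example.org/v1",
    "https://SCHEMA.EXAMPLE.ORG/v1",
    "https://schema.example.org:443/v1/",
    "https://schema.example.org/v2",
    "caf\u00e9-orders",           # precomposed e-acute (NFC)
    "cafe\u0301-orders",          # e + combining acute (NFD), renders identically
    "payment initiation",
    "payment\u00a0initiation",    # no-break space instead of U+0020
]

if __name__ == "__main__":
    for finding in lint_registry(REGISTERED):
        print(finding)
    # Exact comparison treats every one of these as a different type value.
    print(types_match("HTTPS://schema.example.org/v1", REGISTERED[0]))
```

Run against the constructed registry, the lint reports five confusable pairs, one value that is not in NFC and one with a no-break space, while `types_match` still distinguishes all nine strings.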


From nobody Tue Jul 21 13:45:47 2020
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B724D3A0A83; Tue, 21 Jul 2020 13:45:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level: 
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V3TyMvL60ErU; Tue, 21 Jul 2020 13:45:36 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8575B3A0A6A; Tue, 21 Jul 2020 13:45:36 -0700 (PDT)
Received: from [192.168.1.3] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 06LKjYVP022831 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 21 Jul 2020 16:45:35 -0400
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <03b759e7-ddff-8904-09c5-0d420270233f@mail.ru>
Date: Tue, 21 Jul 2020 16:45:34 -0400
Cc: oauth@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <F6F451EA-A683-4957-90C5-C041F8AD83AB@mit.edu>
References: <158801203979.26415.5550810597232016504@ietfa.amsl.com> <03b759e7-ddff-8904-09c5-0d420270233f@mail.ru>
To: Tangui Le Pense <tangui.lepense=40mail.ru@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/T0NZklRdwI9IJ16OMlLOmkx7u0Y>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-07.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 20:45:45 -0000

An RS is not considered an OAuth 2 client, though there’s enough overlap in the structure that I know several implementations that store RS records in the same table as the client records with a special flag set on them to differentiate.

The RS <-> AS communication channel has never really gotten a formal definition in OAuth 2. The closest we’ve come is Token Introspection, which is RFC7662, and even there we didn’t define a set of authentication and discovery mechanisms. Instead, we piggybacked off of the token endpoint. This has proven to be problematic in practice and has led to an explosion of the kind of additional metadata fields like you list below.

 — Justin

> On Jul 20, 2020, at 4:23 PM, Tangui Le Pense <tangui.lepense=40mail.ru@dmarc.ietf.org> wrote:
>
> Hello,
>
> A few late remarks and questions about this version of the draft. Sorry if it was already answered, but I haven't found answers in the previous emails.
>
> Section 2.1: in case the JWT is signed then encrypted, which JWT should include the "typ" parameter with the "at+jwt" value? The outer encrypted JWT (JWE), the inner signed JWT (JWS) or both?
>
> Section 3: the example is missing the "iat" and "jti" fields that are mandatory per section 2.2:
>
>   {"typ":"at+JWT","alg":"RS256","kid":"RjEwOwOA"}
>   {
>     "iss": "https://authorization-server.example.com/",
>     "sub": " 5ba552d67",
>     "aud":   "https://rs.example.com/",
>     "exp": 1544645174,
>     "client_id": "s6BhdRkqt3_",
>     "scope": "openid profile reademail"
>   }
>
> Section 4 "Validating JWT Access Tokens":
>
>   o  If the JWT access token is encrypted, decrypt it using the keys
>      and algorithms that the resource server specified during
>      registration.  If encryption was negotiated with the authorization
>      server at registration time and the incoming JWT access token is
>      not encrypted, the resource server SHOULD reject it.
>
> The registration details are not documented. As an RS seems to be a special case of an OAuth2 client (without any grant type granted, except, possibly, "client_credentials") I was expecting registration of dynamic client registration metadata similar to those for ID tokens (something like "access_token_signed_response_alg", "access_token_encrypted_response_alg" and "access_token_encrypted_response_enc"), and same for discovery metadata.
>
> Is the rationale for the absence of the registration of these fields that RSes are not considered as OAuth2 clients?
>
> Also, in the same section, nothing is said about the validation of "iat" and "jti".
>
> Regards,
>
> --
>
> Tangui
>
>
> 27.04.2020 21:27, internet-drafts@ietf.org =D0=BF=D0=B8=D1=88=D0=B5=D1=82=
:
>> A New Internet-Draft is available from the on-line Internet-Drafts =
directories.
>> This draft is a work item of the Web Authorization Protocol WG of the =
IETF.
>>=20
>>         Title           : JSON Web Token (JWT) Profile for OAuth 2.0 =
Access Tokens
>>         Author          : Vittorio Bertocci
>> 	Filename        : draft-ietf-oauth-access-token-jwt-07.txt
>> 	Pages           : 19
>> 	Date            : 2020-04-27
>>=20
>> Abstract:
>>    This specification defines a profile for issuing OAuth 2.0 access
>>    tokens in JSON web token (JWT) format.  Authorization servers and
>>    resource servers from different vendors can leverage this profile =
to
>>    issue and consume access tokens in interoperable manner.
>>=20
>>=20
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/
>>=20
>> There are also htmlized versions available at:
>> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07
>> =
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt-07=

>>=20
>> A diff from the previous version is available at:
>> =
https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-access-token-jwt-07
>>=20
>>=20
>> Please note that it may take a couple of minutes from the time of =
submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>=20
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>=20
>>=20
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>=20
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From nobody Tue Jul 21 13:56:52 2020
Return-Path: <joseph@authlete.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
From: Joseph Heenan <joseph@authlete.com>
Message-Id: <4A368AA7-B16C-490E-AF34-C66F0BF55366@authlete.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7994F0CF-ABCB-4041-8A90-27FFDEBB5F4E"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 21 Jul 2020 21:56:43 +0100
In-Reply-To: <D36A4760-9503-48A9-AF79-2976D7B9D611@mit.edu>
Cc: Dick Hardt <dick.hardt@gmail.com>, oauth <oauth@ietf.org>
To: Justin Richer <jricher@mit.edu>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com> <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu> <CAD9ie-tX+C1BvRRMH5E9-05X8YG02r3m1EpMn91Vruv+zsMyeg@mail.gmail.com> <CC8861CE-E535-4290-9E31-E037849ED509@mit.edu> <CAD9ie-tZkKtwVwLUSf2FJ9Xm-80dBupYKvbdmywSgA3M64B_7g@mail.gmail.com> <847FC552-84CA-4227-9768-8BA488B7FEFE@mit.edu> <CAD9ie-s7aZxt5wGjQgdDXSB3AsK1Ovr=cReiC9phnhYpYF-WGQ@mail.gmail.com> <0E6A3DE4-4EDC-4AB0-A491-D7DC960592AA@mit.edu> <CAD9ie-ttTq9pypdQEjvc2zxMC_UUyGu+hzZe4qgEfHzuA_LDLQ@mail.gmail.com> <D36A4760-9503-48A9-AF79-2976D7B9D611@mit.edu>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BBZ3ldgslReBv50VIW3NYYoxD_c>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

--Apple-Mail=_7994F0CF-ABCB-4041-8A90-27FFDEBB5F4E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I’d agree with this. I’d probably go even further and suggest the specification simply disallow non-ASCII values - it just seems like a minefield that so many people have unsuccessfully attempted to negotiate, and it is not necessary to force or allow AS implementors (or the rest of the ecosystem) to venture in there.

There’s really no strong reason to use/allow full Unicode for items that are only exposed to developers, and there are significant reasons for applying the KISS principle - it makes life easy for AS, for clients, and closes an entire possible attack vector.

Joseph


> On 21 Jul 2020, at 19:05, Justin Richer <jricher@mit.edu> wrote:
>
> I’m suggesting that API designers avoid using such glyphs in their “type” values if they want to avoid such human-copy errors, like they would need to do for most other strings in their system. If that means they stick to ASCII or put a note on the developer page that says “hey copy and paste this value, don’t try to re-type it” or whatever, that’s up to the AS.
>
> You’d have the same kind of issue around “similar-looking” characters, like the semicolon vs. the greek question mark. Should the AS look for those and try to “fix” the inputs? I would argue not: the AS should be strict in matching these values because it could have security implications.
>
> This isn’t a problem unique to RAR, or OAuth for that matter. We can, and I think should, add guidance to the RAR document for all of these points.
>
>  — Justin
>
>> On Jul 21, 2020, at 1:55 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> In unicode, a glyph can be represented by more than one code point. When reading the docs and entering a value, the developer will not know which code point the AS intended.
>>
>> Are you suggesting that AS documentation would have the bytes rather than glyphs? Or not use glyphs that have multiple code points? Or that they only use english?
>>
>>
>>
>> On Tue, Jul 21, 2020 at 10:34 AM Justin Richer <jricher@mit.edu> wrote:
>> Right, and I’m saying that all three of those would be DIFFERENT “type” values, because they’re different strings. The fact that when treated as URIs they would be equivalent is irrelevant. Just like “foo”, “Foo”, and “FOO” would be different “type” values, per the spec. Nothing is stopping an AS from treating them as equivalent internally, but that seems a bit dangerous to me. I’d love to see a formal breakdown of that, though.
>>
>> As for the unicode example, if we define things as using byte comparisons, then that becomes an issue for proper documentation and configuration — and again, probably a good place to have recommendations for picking type value strings so as to avoid such problems.
>>
>> In short, I don’t think we should have any requirements on canonicalization for these values.
>>
>>  — Justin
>>
>>> On Jul 21, 2020, at 1:03 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>>
>>> The following are the same URI, but are different strings:
>>>
>>> 	“https://schema.example.org/v1”
>>> 	“HTTPS://schema.example.org/v1”
>>> 	“https://SCHEMA.EXAMPLE.ORG/v1”
>>>
>>> Before comparing them to each other, they must be canonicalized so that they become the same string.
>>>
>>> From earlier in this thread, I am NOT suggesting that it must be a URI, nor that it is required:
>>>
>>> Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.
>>>
>>> What is the harm in non-normative language around a retrievable URI?
>>>
>>> On Tue, Jul 21, 2020 at 9:58 AM Justin Richer <jricher@mit.edu> wrote:
>>> String comparison works just fine when the strings happen to be URIs, and you aren’t treating them as URIs:
>>>
>>> 	“https://schema.example.org/v1”
>>>
>>> Is different from
>>>
>>> 	“https://schema.example.org/v2”
>>>
>>> And both are different from
>>>
>>> 	“https://schema.example.org:443/v1/”
>>>
>>> All of these are strings, and the strings happen to be URIs but that’s irrelevant to the comparison process. Can you please help me understand why doing a string comparison on these values does not work in exactly the same way it would for “foo”, “bar”, and “baz” values? Why would these need to be canonicalized to be compared? The definition of a JSON string is an ordered set of unicode code points, and this can be compared byte-wise. (Or code-point-wise, whatever’s most correct here.) Can you give me counter-examples as to where string comparison doesn’t work? And can you help me understand how this same worry doesn’t apply to all of the rest of the values in the RAR specification, which are also strings and will need to be compared?
>>>
>>> I’m still very confused as to the URI retrieval issue here, if there even is one. It sounds like we’re both saying that it could be useful if type values are retrievable when they’re URIs, but that would be something to augment a process and not required for the RAR spec. I’m against requiring the value to be a URI and against requiring the AS to process that URI as a URI at runtime. Anything that an AS wants to do with the “type” value, including providing additional tooling and validation, is up to the AS and outside of the spec.
>>>
>>>  — Justin
>>>
>>>> On Jul 21, 2020, at 12:35 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>
>>>> This statement:
>>>>
>>>> “compare two strings so that they’re exact”
>>>>
>>>> does not work for either Unicode or URIs. A string, and a canonicalized Unicode string are not the same thing. Similar for a URI. I have assumed you understand the canonicalization requirement, but it does not sound like you do. Would you like examples?
>>>>
>>>>
>>>> wrt. the AS and URI, *you* keep saying that *I* said the AS would retrieve the URI. I HAVE NOT SAID THAT!
>>>>
>>>> I am suggesting that the URI MAY be retrievable, and I gave examples on how that would be useful for tooling for client developers, and for an AS in doing input validation. The URI would NOT be retrieved at run time.
>>>>
>>>>
>>>> On Tue, Jul 21, 2020 at 7:35 AM Justin Richer <jricher@mit.edu> wrote:
>>>> If we treat all the strings as just strings, without any special internal format to be specified or detected, then comparing the strings is a well-understood and well-documented process. I also think that we shouldn’t invent anything here, so if there’s a better way to say “compare two strings so that they’re exact” then that’s what I mean. Sorry if that was unclear.
>>>>
>>>> I’m saying the AS should not retrieve the URI passed in the “type” value. You brought that up and then described the process that the AS would take to do so. I have said from the start that the use of a URI is for name spacing and not for addressing content to be fetched, so I’m confused why you think I intend otherwise.
>>>>
>>>>  — Justin
>>>>
>>>>> On Jul 20, 2020, at 2:59 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>
>>>>> Canonicalization of URIs and unicode is fairly well specified. I was not suggesting we invent anything there.
>>>>>
>>>>> A byte comparison, as you suggested earlier, will be problematic, as I have pointed out.
>>>>>
>>>>> I'm confused why you are still talking about the AS retrieving a URI.
>>>>>
>>>>> On Mon, Jul 20, 2020 at 4:42 AM Justin Richer <jricher@mit.edu> wrote:
>>>>> Since this is a recommendation for namespace, we could also just say collision-resistant like JWT, and any of those examples are fine. But that said, I think there’s something particularly compelling about URIs since they have somewhat-human-readable portions. But again, I’m saying it should be a recommendation to API developers and not a requirement in the spec. In the spec, I argue that “type” should be a string, full stop.
>>>>>
>>>>> If documentation is so confusing that developers are typing in the wrong strings, then that’s bad documentation. And likely a bad choice for the “type” string on the part of the AS. You’d have the same problem with any other value the developer’s supposed to copy over.  :)
>>>>>
>>>>> I agree that we should call out explicitly how they should be compared, and I propose we use one of the handful of existing string-comparison RFC’s here instead of defining our own rules.
>>>>>
>>>>> While the type could be a dereferenceable URI, requiring action on the AS is really getting into distributed authorization policies. We tried doing that with UMA1’s scope structures and it didn’t work very well in practice (in my memory and experience). Someone could profile “type” on top of this if they wanted to do so, with support at the AS for that, but I don’t see a compelling reason for that to be a requirement as that’s a lot of complexity and a lot more error states (the fetch fails, or it doesn’t have a policy, or the policy’s in a format the AS doesn’t understand, or the AS doesn’t like the policy, etc).
>>>>>
>>>>> An AS is always free to implement its types in such a fashion, and that could make plenty of sense in a smaller ecosystem. And this is yet another reason that we define “type” as being a string to be interpreted and understood by the AS — so that an AS that wants to work this way can do so.
>>>>>
>>>>>  — Justin
>>>>>
>>>>> PS: thanks for pointing out the error in the example in XYZ, I’ll fix that prior to publication.
>>>>>
>>>>>> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>>
>>>>>> Justin: thanks for kindly pointing out which mail list this is.
>>>>>>
>>>>>> To clarify, public JWT claims are not just URIs, but any collision-resistant namespace:
>>>>>> "Examples of collision-resistant namespaces include: Domain Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) [RFC4122]."
>>>>>>
>>>>>> I think letting the "type" be any JSON string and doing a byte-wise comparison will be problematic. A client developer will be reading documentation to learn what the types are, and typing it in. Given the wide set of whitespace characters, and unicode equivalence, different byte streams will all look the same, and a byte-wise comparison will fail.
>>>>>>
>>>>>> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is not sufficient. Canonicalization is required.
>>>>>>
>>>>>> These are not showstopper issues, but the specification should call out how type strings are compared, and provide caveats to an AS developer.
>>>>>>
>>>>>> I have no idea why you would think the AS would retrieve a URL.
>>>>>>
>>>>>> Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.
>>>>>>
>>>>>> What is the harm in non-normative language around a retrievable URI?
>>>>>>
>>>>>> BTW: the example in https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has not been updated with the "type" field.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>>>>>> Hi Dick,
>>>>>>
>>>>>> This is a discussion about the RAR specification on the OAuth list, and therefore doesn’t have anything to do with alignment with XAuth. In fact, I believe the alignment is the other way around, as doesn’t Xauth normatively reference RAR at this point? Even though, last I saw, it uses a different top-level structure for conveying things, I believe it does say to use the internal object structures. I am also a co-author on RAR and we had already defined a “type” field in RAR quite some time ago. You did notice that XYZ’s latest draft added this field to keep the two in alignment with each other, which has always been the goal since the initial proposal of the RAR work, but that’s a time lag and not a display of new intent.
>>>>>>
>>>>>> In any event, even though I think the decision has bearing in both places, this isn’t about GNAP. Working on RAR’s requirements has brought up this interesting issue of what should be in the type field for RAR in OAuth 2.
>>>>>>
>>>>>> I think that it should be defined as a string, and therefore compared as a byte value in all cases, regardless of what the content of the string is. I don’t think the AS should be expected to fetch a URI for anything. I don’t think the AS should normalize any of the inputs. I think that any JSON-friendly character set should be allowed (including spaces and unicodes), and since RAR already requires the JSON objects to be form-encoded, this shouldn’t cause additional trouble when adding them in to OAuth 2’s request structures.
>>>>>>
>>>>>> The idea of using a URI would be to get people out of each other’s namespaces. It’s similar to the concept of “public” vs “private” claims in JWT:
>>>>>>
>>>>>> https://tools.ietf.org/html/rfc7519#section-4.2
>>>>>>
>>>>>> What I’m proposing is that if you think it’s going to be a general-purpose type name, then we recommend you use a URI as your string. And beyond that, that’s it. It’s up to the AS to figure out what to do with it, and RAR stays out of it.
>>>>>>
>>>>>>  — Justin
>>>>>>
>>>>>>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>>>
>>>>>>> Hey Justin, glad to see that you have aligned with the latest XAuth draft on a type property being required.
>>>>>>>
>>>>>>> I like the idea that the value of the type property is fully defined by the AS, which could delegate it to a common URI for reuse. This gets GNAP out of specifying access requests, and enables other parties to define access without any required coordination with IETF or IANA.
>>>>>>>
>>>>>>> A complication in mixing plain strings and URIs is the canonicalization. A plain string can be a fixed byte representation, but a URI requires canonicalization for comparison. Mixing the two requires URI detection at the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>>>>>>>
>>>>>>> The URI is retrievable, it can provide machine and/or human readable documentation in JSON schema or some such, or any other content type. Once again, the details are out of scope of GNAP, but we can provide examples to guide implementers.
>>>>>>>
>>>>>>> Are you still thinking that bare strings are allowed in GNAP, and are defined by the AS?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>>>>>> The “type” field in the RAR spec serves an important purpose: it defines what goes in the rest of the object, including what other fields are available and what values are allowed for those fields. It provides an API-level definition for requesting access based on multiple dimensions, and that’s really powerful and flexible. Each type can use any of the general-purpose fields like “actions” and/or add its own fields as necessary, and the “type” parameter keeps everything well-defined.
>>>>>>>
>>>>>>> The question, then, is what defines what’s allowed to go into the “type” field itself? And what defines how that value maps to the requirements for the rest of the object? The draft doesn’t say anything about it at the moment, but we should choose the direction we want to go. On the surface, there are three main options:
>>>>>>>
>>>>>>> 1) Require all values to be registered.
>>>>>>> 2) Require all values to be collision-resistant (eg, URIs).
>>>>>>> 3) Require all values to be defined by the AS (and/or the RS’s that it protects).
>>>>>>>
>>>>>>> Are there any other options?
>>>>>>>
>>>>>>> Here are my thoughts on each approach:
>>>>>>>
>>>>>>> 1) While it usually makes sense to register things for interoperability, this is a case where I think that a registry would actually hurt interoperability and adoption. Like a “scope” value, the RAR “type” is ultimately up to the AS and RS to interpret in their own context. We :want: people to define rich objects for their APIs and enable fine-grained access for their systems, and if they have to register something every time they come up with a new API to protect, it’s going to be an unmaintainable mess. I genuinely don’t think this would scale, and that most developers would just ignore the registry and do what they want anyway. And since many of these systems are inside domains, it’s completely unenforceable in practice.
>>>>>>>
>>>>>>> 2) This seems reasonable, but it’s a bit of a nuisance to require everything to be a URI here. It’s long and ugly, and a lot of APIs are going to be internal to a given group, deployment, or ecosystem anyway. This makes sense when you’ve got something reusable across many deployments, like OIDC, but it’s overhead when what you’re doing is tied to your environment.
>>>>>>>
>>>>>>> 3) This allows the AS and RS to define the request parameters for their APIs just like they do today with scopes. Since it’s always the combination of “this type :AT: this AS/RS”, name spacing is less of an issue across systems. We haven’t seen huge problems in scope value overlap in the wild, though it does occur from time to time it’s more than manageable. A client isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it can access something in particular.
>>>>>>>
>>>>>>> And all that brings me to my proposal:
>>>>>>>
>>>>>>> 4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.
>>>>>>>
>>>>>>> So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.
>>>>>>>
>>>>>>> My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>>>>>
>>>>>>> What does the rest of the group think? How should we manage the RAR “type” values and what they mean?
>>>>>>>
>>>>>>>  — Justin
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>
>>>>
>>>
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
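
Added example, not part of the original thread or of the RAR draft: a Python illustration of the comparison behaviours debated above, with exact code-point matching for the access decision, a printable-ASCII rule at registration time, and a diagnostic that labels near-misses for logging. The registry contents other than the schema.example.org URI, the default-port variant without a trailing slash, all function names, and the simplified URI normalization are assumptions made for this example.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit

# Constructed registry of RAR "type" values for one AS (assumption for this example).
REGISTERED_TYPES = frozenset({
    "https://schema.example.org/v1",  # URI-style type taken from the thread
    "payment_initiation",             # constructed plain-string type
    "caf\u00e9_orders",               # constructed: precomposed e-acute (NFC form)
    "read;write",                     # constructed: contains an ASCII semicolon
})

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_uri(value):
    """Simplified scheme/host/default-port normalization (a subset of RFC 3986
    section 6.2). Strings that are not http(s) URIs are returned unchanged."""
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:
        return value
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return value
    host = parts.hostname  # urlsplit lower-cases scheme and hostname
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        host = f"{host}:{port}"
    return urlunsplit((parts.scheme, host, parts.path or "/",
                       parts.query, parts.fragment))


def is_allowed_type_literal(value):
    """Registration-time rule in the spirit of 'disallow non-ASCII values':
    non-empty, ASCII only, no control characters."""
    return bool(value) and value.isascii() and value.isprintable()


def classify(requested, registered=REGISTERED_TYPES):
    """Label a requested type. Only 'match' is an exact code-point match; the
    other labels explain a rejection and are meant for logs, not for access."""
    if requested in registered:
        return "match"
    nfc = unicodedata.normalize("NFC", requested)
    if any(unicodedata.normalize("NFC", r) == nfc for r in registered):
        return "unicode-equivalent"
    uri = normalize_uri(requested)
    if any(normalize_uri(r) == uri for r in registered):
        return "uri-equivalent"
    return "unknown"


def accepts(requested, registered=REGISTERED_TYPES):
    """Access decision: strict, exact match only, with no input 'fixing'."""
    return classify(requested, registered) == "match"


if __name__ == "__main__":
    samples = [
        "https://schema.example.org/v1",
        "HTTPS://schema.example.org/v1",      # from the thread
        "https://SCHEMA.EXAMPLE.ORG/v1",      # from the thread
        "https://schema.example.org:443/v1",  # constructed default-port variant
        "https://schema.example.org/v2",
        "cafe\u0301_orders",                  # constructed: e + combining acute
        "read\u037ewrite",                    # constructed: Greek question mark
    ]
    for s in samples:
        print(f"{s!r:45} accepted={accepts(s)!s:5} reason={classify(s)}")
    for t in sorted(REGISTERED_TYPES):
        print(f"{t!r:45} ascii_ok={is_allowed_type_literal(t)}")
```

NFC maps U+037E (Greek question mark) to U+003B (semicolon), so an AS that normalized before comparing would treat the two as the same type; the strict comparison rejects the look-alike and the label records why.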


--Apple-Mail=_7994F0CF-ABCB-4041-8A90-27FFDEBB5F4E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D"">I=E2=80=
=99d agree with this. I=E2=80=99d probably go even further and suggest =
the specification simply disallow non-ASCII values - it just seems like =
a minefield that so many people have unsuccessfully attempted to =
negotiate, and it is not necessary to force or allow AS implementors (or =
the rest of the ecosystem) venture in there.<div class=3D""><br =
class=3D""></div><div class=3D"">There=E2=80=99s really no strong reason =
to use/allow full Unicode for items that are only exposed to developers, =
and there are significant reasons for applying the KISS principle - it =
makes life easy for AS, for clients, and closes an entire possible =
attack vector.<div class=3D""><br class=3D""></div><div =
class=3D"">Joseph</div><div class=3D""><br class=3D""><div><br =
class=3D""><blockquote type=3D"cite" class=3D""><div class=3D"">On 21 =
Jul 2020, at 19:05, Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
class=3D"">jricher@mit.edu</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><meta =
http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8" =
class=3D""><div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space; line-break: after-white-space;" class=3D"">I=E2=80=99m suggesting =
that API designers avoid using such glyphs in their =E2=80=9Ctype=E2=80=9D=
 values if they want to avoid such human-copy errors, like they would =
need to do for most other strings in their system. If that means they =
stick to ASCII or put a note on the developer page that says =E2=80=9Chey =
copy and paste this value, don=E2=80=99t try to re-type it=E2=80=9D or =
whatever, that=E2=80=99s up to the AS.&nbsp;<div class=3D""><br =
class=3D""></div><div class=3D"">You=E2=80=99d have the same kind of =
issue around =E2=80=9Csimilar-looking=E2=80=9D characters, like the =
semicolon vs. the greek question mark. Should the AS look for those and =
try to =E2=80=9Cfix=E2=80=9D the inputs? I would argue not: the AS =
should be strict in matching these values because it could have security =
implications.&nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">This isn=E2=80=99t a problem unique to RAR, or OAuth for that =
matter. We can, and I think should, add guidance to the RAR document for =
all of these points.&nbsp;<div class=3D""><br class=3D""></div><div =
class=3D"">&nbsp;=E2=80=94 Justin<br class=3D""><div class=3D""><br =
class=3D""><blockquote type=3D"cite" class=3D""><div class=3D"">On Jul =
21, 2020, at 1:55 PM, Dick Hardt &lt;<a =
href=3D"mailto:dick.hardt@gmail.com" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><meta =
http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8" =
class=3D""><div dir=3D"ltr" class=3D"">In unicode, a glyph can be =
represented by more than one code point. When reading the docs and =
entering a value, the developer will not know which code point the AS =
intended.&nbsp;<div class=3D""><br class=3D""></div><div class=3D"">Are =
you suggesting that AS documentation would have the bytes rather than =
glyphs? Or&nbsp;not use glyphs that&nbsp;have multiple code&nbsp;points? =
Or that they only use english?<div class=3D""><br class=3D""></div><div =
class=3D""><br class=3D""></div></div></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Jul =
21, 2020 at 10:34 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex"><div style=3D"overflow-wrap: =
break-word;" class=3D"">Right, and I=E2=80=99m saying that all three of =
those would be DIFFERENT =E2=80=9Ctype=E2=80=9D values, because =
they=E2=80=99re different strings. The fact that when treated as URIs =
they would be equivalent is irrelevant. Just like =E2=80=9Cfoo=E2=80=9D, =
=E2=80=9CFoo=E2=80=9D, and =E2=80=9CFOO=E2=80=9D would be different =
=E2=80=9Ctype=E2=80=9D values, per the spec. Nothing is stopping an AS =
from treating them as equivalent internally, but that seems a bit =
dangerous to me. I=E2=80=99d love to see a formal breakdown of that, =
though.<div class=3D""><br class=3D""></div><div class=3D"">As for the =
unicode example, if we define things as using byte comparisons, then =
that becomes an issue for proper documentation and configuration =E2=80=94=
 and again, probably a good place to have recommendations for picking =
type value strings so as to avoid such problems.</div><div class=3D""><br =
class=3D""></div><div class=3D"">In short, I don=E2=80=99t think we =
should have any requirements on canonicalization for these values.<br =
class=3D""><div class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=
=94 Justin<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 21, 2020, at 1:03 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" =
class=3D""><div dir=3D"ltr" class=3D""><div class=3D""><br =
class=3D""></div><div class=3D"">The following are the same URI, but are =
different strings:</div><div class=3D""><br class=3D""></div><div =
class=3D""><div dir=3D"ltr" class=3D""><span =
style=3D"white-space:pre-wrap" class=3D"">	</span>=E2=80=9C<a =
href=3D"https://schema.example.org/v1" target=3D"_blank" =
class=3D"">https://schema.example.org/v1</a>=E2=80=9D</div><div =
dir=3D"ltr" class=3D""><span style=3D"white-space:pre-wrap" class=3D"">	=
</span>=E2=80=9C<a href=3D"https://schema.example.org/v1" =
target=3D"_blank" =
class=3D"">HTTPS://schema.example.org/v1</a>=E2=80=9D</div><div =
dir=3D"ltr" class=3D""><span style=3D"white-space:pre-wrap" class=3D"">	=
</span>=E2=80=9C<a href=3D"https://schema.example.org/v1" =
target=3D"_blank" class=3D"">https://SCHEMA.EXAMPLE.ORG/v1</a>=E2=80=9D<br=
 class=3D""><div class=3D""></div></div></div><div class=3D""><br =
class=3D""></div><div class=3D"">Before comparing them to each other, =
they must be canonicalized so that they become the same =
string.</div><div class=3D""><br class=3D""></div><div class=3D"">=46rom =
earlier in this thread, I am NOT suggesting that it must be a URI, nor =
that it is required:</div><div class=3D""><br =
class=3D""></div></div><blockquote style=3D"margin:0px 0px 0px =
40px;border:none;padding:0px" class=3D""><div class=3D""><div =
class=3D""><div class=3D"">Since the type represents a much more complex =
object than a JWT claim, a client developer's tooling could pull down =
the JSON Schema (or some such) for a type used in their source code, and =
provide autocompletion and validation which would improve productivity =
and reduce errors. An AS that is using a defined type could use the =
schema for input validation. Neither of these would be at run time. JSON =
Schema allows comments and examples.</div></div></div><div class=3D""><div=
 class=3D""><br class=3D""></div></div><div class=3D""><div =
class=3D"">What is the harm in non-normative language around a =
retrievable =
URI?</div></div></blockquote></div></div></div></div></div><br =
class=3D""><div class=3D"gmail_quote"><div dir=3D"ltr" =
class=3D"gmail_attr">On Tue, Jul 21, 2020 at 9:58 AM Justin Richer =
&lt;<a href=3D"mailto:jricher@mit.edu" target=3D"_blank" =
class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex"><div class=3D"">String =
comparison works just fine when the strings happen to be URIs, and you =
aren=E2=80=99t treating them as URIs:<div class=3D""><br =
class=3D""></div><div class=3D""><span style=3D"white-space:pre-wrap" =
class=3D"">	</span>=E2=80=9C<a href=3D"https://schema.example.org/v1" =
target=3D"_blank" =
class=3D"">https://schema.example.org/v1</a>=E2=80=9D</div><div =
class=3D""><br class=3D""></div><div class=3D"">Is different =
from&nbsp;</div><div class=3D""><br class=3D""></div><div class=3D""><span=
 style=3D"white-space:pre-wrap" class=3D"">	</span>=E2=80=9C<a =
href=3D"https://schema.example.org/v2" target=3D"_blank" =
class=3D"">https://schema.example.org/v2</a>=E2=80=9D</div><div =
class=3D""><br class=3D""></div><div class=3D"">And both are different =
from</div><div class=3D""><br class=3D""></div><div class=3D""><span =
style=3D"white-space:pre-wrap" class=3D"">	</span>=E2=80=9C<a =
href=3D"https://schema.example.org/v1" target=3D"_blank" =
class=3D"">https://schema.example.org:443/v1</a>/=E2=80=9C</div><div =
class=3D""><br class=3D""></div><div class=3D"">All of these are =
strings, and the strings happen to be URIs but that=E2=80=99s irrelevant =
to the comparison process. Can you please help me understand why doing a =
string comparison on these values does not work in exactly the same way =
it would for =E2=80=9Cfoo=E2=80=9D, =E2=80=9Cbar=E2=80=9D, and =E2=80=9Cba=
z=E2=80=9D values? Why would these need to be canonicalized to be =
compared? The definition of a JSON string is an ordered set of unicode =
code points, and this can be compared byte-wise. (Or code-point-wise, =
whatever=E2=80=99s most correct here.) Can you give me counter-examples =
as to where string comparison doesn=E2=80=99t work? And can you help me =
understand how this same worry doesn=E2=80=99t apply to all of the rest =
of the values in the RAR specification, which are also strings and will =
need to be compared?</div><div class=3D""><br class=3D""></div><div =
class=3D"">I=E2=80=99m still very confused as to the URI retrieval issue =
here, if there even is one. It sounds like we=E2=80=99re both saying =
that it could be useful if type values are retrievable when they=E2=80=99r=
e URIs, but that would be something to augment a process and not =
required for the RAR spec. I=E2=80=99m against requiring the value to be =
a URI and against requiring the AS to process that URI <b class=3D"">as =
a URI</b> at runtime. Anything that an AS wants to do with the =
=E2=80=9Ctype=E2=80=9D value, including providing additional tooling and =
validation, is up to the AS and outside of the spec.</div><div =
class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 =
Justin</div><div class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 21, 2020, at 12:35 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D"">This statement:<br class=3D""></div><div =
dir=3D"ltr" class=3D""><br class=3D""></div><div dir=3D"ltr" =
class=3D"">=E2=80=9Ccompare two strings so that they=E2=80=99re =
exact=E2=80=9D<br class=3D""></div><div dir=3D"ltr" class=3D""><br =
class=3D""></div><div class=3D"">does not work for either Unicode or =
URIs. A string, and a canonicalized Unicode string are not the same =
thing. Similar for a URI. I have assumed you understand the =
canonicalization requirement, but it does not sound like you do. Would =
you like examples?</div><div class=3D""><br class=3D""></div><div =
class=3D""><br class=3D""></div><div class=3D"">wrt. the AS and URI, =
*you* keep saying that *I* said the AS would retrieve the URI. I HAVE =
NOT SAID THAT!</div><div class=3D""><br class=3D""></div><div class=3D"">I=
 am suggesting that the URI MAY be retrievable, and I gave examples on =
how that would be useful for tooling for client developers, and for an =
AS in doing input validation. The URI would NOT be retrieved at run =
time.</div><div class=3D""><br class=3D""></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Jul =
21, 2020 at 7:35 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div class=3D""><div class=3D"">If we =
treat all the strings as just strings, without any special internal =
format to be specified or detected, then comparing the strings is a =
well-understood and well-documented process. I also think that we =
shouldn=E2=80=99t invent anything here, so if there=E2=80=99s a better =
way to say =E2=80=9Ccompare two strings so that they=E2=80=99re exact=E2=80=
=9D then that=E2=80=99s what I mean. Sorry if that was =
unclear.</div><div class=3D""><br class=3D""></div>I=E2=80=99m saying =
the AS should <b class=3D"">not</b> retrieve the URI passed in the =
=E2=80=9Ctype=E2=80=9D value. You brought that up and then described the =
process that the AS would take to do so. I have said from the start that =
the use of a URI is for name spacing and not for addressing content to =
be fetched, so I=E2=80=99m confused why you think I intend =
otherwise.<div class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=
=94 Justin<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 20, 2020, at 2:59 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D"">Canonicalization of URIs and =
unicode is fairly well specified. I was not suggesting we invent =
anything there.<div class=3D""><br class=3D""></div><div class=3D"">A =
byte comparison, as you suggested earlier, will be problematic, as I =
have pointed out.</div><div class=3D""><br class=3D""></div><div =
class=3D"">I'm confused why you are still talking about the AS =
retrieving a URI.</div><div class=3D""><br class=3D""></div></div><br =
class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jul =
20, 2020 at 4:42 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div class=3D""><div class=3D"">Since =
this is a recommendation for namespace, we could also just say =
collision-resistant like JWT, and any of those examples are fine. But =
that said, I think there=E2=80=99s something particularly compelling =
about URIs since they have somewhat-human-readable portions. But again, =
I=E2=80=99m saying it should be a recommendation to API developers and =
not a requirement in the spec. In the spec, I argue that =E2=80=9Ctype=E2=80=
=9D should be a string, full stop.</div><div class=3D""><br =
class=3D""></div>If documentation is so confusing that developers are =
typing in the wrong strings, then that=E2=80=99s bad documentation. And =
likely a bad choice for the =E2=80=9Ctype=E2=80=9D string on the part of =
the AS. You=E2=80=99d have the same problem with any other value the =
developer=E2=80=99s supposed to copy over. &nbsp;:)<div class=3D""><br =
class=3D""></div><div class=3D"">I agree that we should call out =
explicitly how they should be compared, and I propose we use one of the =
handful of existing string-comparison RFC=E2=80=99s here instead of =
defining our own rules.</div><div class=3D""><br class=3D""></div><div =
class=3D"">While the type could be a dereferenceable URI, requiring =
action on the AS is really getting into distributed authorization =
policies. We tried doing that with UMA1=E2=80=99s scope structures and =
it didn=E2=80=99t work very well in practice (in my memory and =
experience). Someone could profile =E2=80=9Ctype" on top of this if they =
wanted to do so, with support at the AS for that, but I don=E2=80=99t =
see a compelling reason for that to be a requirement as that=E2=80=99s a =
lot of complexity and a lot more error states (the fetch fails, or it =
doesn=E2=80=99t have a policy, or the policy=E2=80=99s in a format the =
AS doesn=E2=80=99t understand, or the AS doesn=E2=80=99t like the =
policy, etc).&nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">An AS is always free to implement its types in such a =
fashion, and that could make plenty of sense in a smaller ecosystem. And =
this is yet another reason that we define =E2=80=9Ctype=E2=80=9D as =
being a string to be interpreted and understood by the AS =E2=80=94 so =
that an AS that wants to work this way can do so.</div><div class=3D""><br=
 class=3D""></div><div class=3D"">&nbsp;=E2=80=94 Justin</div><div =
class=3D""><br class=3D""></div><div class=3D"">PS: thanks for pointing =
out the error in the example in XYZ, I=E2=80=99ll fix that prior to =
publication.<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 18, 2020, at 8:58 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D"">Justin: thanks for =
kindly pointing out which mail list this is.</div><div dir=3D"ltr" =
class=3D""><br class=3D""><div class=3D"">To clarify, public JWT claims =
are not just URIs, but any =
collision-resistant&nbsp;namespace:&nbsp;</div><div class=3D"">"Examples =
of collision-resistant namespaces include: Domain Names, Object =
Identifiers (OIDs) as defined in the ITU-T X.660 and&nbsp; &nbsp; &nbsp; =
X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) =
[RFC4122]."</div><div class=3D""><br class=3D""></div><div class=3D"">I =
think letting the "type" be any JSON string and doing a byte-wise =
comparison will be problematic. A client developer will be reading =
documentation to learn what the types are,&nbsp;and typing it in. Given =
the wide set of whitespace characters, and unicode equivalence, =
different byte streams will all look the same, and a byte-wise =
comparison will fail.</div><div class=3D""><br class=3D""></div><div =
class=3D"">Similarly&nbsp;for URIs. If it is a valid URI, then a =
byte-wise comparison is not sufficient. Canonicalization is =
required.&nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">These are not showstopper&nbsp;issues, but the specification =
should call out how type strings are compared, and provide&nbsp;caveats =
to an AS developer.</div><div class=3D""><br class=3D""></div><div =
class=3D"">I have no idea why you would think the AS would retrieve a =
URL.</div><div class=3D""><br class=3D""></div><div class=3D"">Since the =
type represents a much more complex object than a JWT claim, a client =
developer's tooling could pull down the JSON Schema (or some such) for a =
type used in their source code, and provide autocompletion and =
validation which would improve productivity and reduce errors. An AS =
that is using a defined type could use the schema for input validation. =
Neither of these would be at run time. JSON Schema allows comments and =
examples.</div><div class=3D""><br class=3D""></div><div class=3D"">What =
is the harm in non-normative language around a retrievable =
URI?</div><div class=3D""><br class=3D""></div><div class=3D"">BTW: the =
example in&nbsp;<a =
href=3D"https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2" =
target=3D"_blank" =
class=3D"">https://oauth.xyz/draft-richer-transactional-authz#rfc.section.=
2</a>&nbsp;has not been updated with the "type" field.</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div></div></div></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Sat, Jul =
18, 2020 at 8:10 AM Justin Richer &lt;<a href=3D"mailto:jricher@mit.edu" =
target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div class=3D"">Hi Dick,<div =
class=3D""><br class=3D""></div><div class=3D"">This is a discussion =
about the RAR specification on the OAuth list, and therefore doesn=E2=80=99=
t have anything to do with alignment with XAuth. In fact, I believe the =
alignment is the other way around, as doesn=E2=80=99t Xauth normatively =
reference RAR at this point? Even though, last I saw, it uses a =
different top-level structure for conveying things, I believe it does =
say to use the internal object structures. I am also a co-author on RAR =
and we had already defined a =E2=80=9Ctype=E2=80=9D field in RAR quite =
some time ago. You did notice that XYZ=E2=80=99s latest draft added this =
field to keep the two in alignment with each other, which has always =
been the goal since the initial proposal of the RAR work, but that=E2=80=99=
s a time lag and not a display of new intent.&nbsp;</div><div =
class=3D""><br class=3D""></div><div class=3D"">In any event, even =
though I think the decision has bearing in both places, this isn=E2=80=99t=
 about GNAP. Working on RAR=E2=80=99s requirements has brought up this =
interesting issue of what should be in the type field for RAR in OAuth =
2.</div><div class=3D""><br class=3D""></div><div class=3D"">I think =
that it should be defined as a string, and therefore compared as a byte =
value in all cases, regardless of what the content of the string is. I =
don=E2=80=99t think the AS should be expected to fetch a URI for =
anything. I don=E2=80=99t think the AS should normalize any of the =
inputs. I think that any JSON-friendly character set should be allowed =
(including spaces and unicodes), and since RAR already requires the JSON =
objects to be form-encoded, this shouldn=E2=80=99t cause additional =
trouble when adding them in to OAuth 2=E2=80=99s request =
structures.</div><div class=3D""><br class=3D""></div><div class=3D"">The =
idea of using a URI would be to get people out of each other=E2=80=99s =
namespaces. It=E2=80=99s similar to the concept of =E2=80=9Cpublic=E2=80=9D=
 vs =E2=80=9Cprivate=E2=80=9D claims in JWT:</div><div class=3D""><br =
class=3D""></div><div class=3D""><a =
href=3D"https://tools.ietf.org/html/rfc7519#section-4.2" target=3D"_blank"=
 class=3D"">https://tools.ietf.org/html/rfc7519#section-4.2</a></div><div =
class=3D""><br class=3D""></div><div class=3D"">What I=E2=80=99m =
proposing is that if you think it=E2=80=99s going to be a =
general-purpose type name, then we recommend you use a URI as your =
string. And beyond that, that=E2=80=99s it. It=E2=80=99s up to the AS to =
figure out what to do with it, and RAR stays out of it.</div><div =
class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 =
Justin<br class=3D""><div class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Jul 17, 2020, at 1:25 PM, =
Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_blank" =
class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D"">Hey Justin, glad to see that you =
have aligned with the latest XAuth draft on a type property being =
required.<br class=3D""><div class=3D""><br class=3D""></div><div =
class=3D"">I like the idea that the value of the type property is fully =
defined by the AS, which could delegate it to a common URI for reuse. =
This gets GNAP out of specifying access requests, and enables other =
parties to define access without any required coordination with IETF or =
IANA.</div><div class=3D""><br class=3D""></div><div class=3D"">A =
complication in mixing plain strings and URIs is the canonicalization. A =
plain string can be a fixed byte&nbsp;representation, but a URI requires =
canonicalization for comparison. Mixing the two requires&nbsp;URI =
detection at the AS before canonicalization, and an AS MUST do =
canonicalization of URIs.</div><div class=3D""><br class=3D""></div><div =
class=3D"">The URI is retrievable, it can provide machine and/or human =
readable documentation in JSON schema or some such, or any other content =
type. Once again, the details are out of scope&nbsp;of GNAP, but we can =
provide examples to guide implementers.</div><div class=3D""><br =
class=3D""></div><div class=3D"">Are you still thinking that bare =
strings are allowed in GNAP, and&nbsp;are defined by the AS?</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div></div><br class=3D""><div class=3D"gmail_quote"><div =
dir=3D"ltr" class=3D"gmail_attr">On Fri, Jul 17, 2020 at 8:39 AM Justin =
Richer &lt;<a href=3D"mailto:jricher@mit.edu" target=3D"_blank" =
class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">The =E2=80=9Ctype=E2=80=9D =
field in the RAR spec serves an important purpose: it defines what goes =
in the rest of the object, including what other fields are available and =
what values are allowed for those fields. It provides an API-level =
definition for requesting access based on multiple dimensions, and =
that=E2=80=99s really powerful and flexible. Each type can use any of =
the general-purpose fields like =E2=80=9Cactions=E2=80=9D and/or add its =
own fields as necessary, and the =E2=80=9Ctype=E2=80=9D parameter keeps =
everything well-defined.<br class=3D"">
<br class=3D"">
The question, then, is what defines what=E2=80=99s allowed to go into =
the =E2=80=9Ctype=E2=80=9D field itself? And what defines how that value =
maps to the requirements for the rest of the object? The draft doesn=E2=80=
=99t say anything about it at the moment, but we should choose the =
direction we want to go. On the surface, there are three main =
options:<br class=3D"">
<br class=3D"">
1) Require all values to be registered. <br class=3D"">
2) Require all values to be collision-resistant (eg, URIs).<br class=3D"">=

3) Require all values to be defined by the AS (and/or the RS=E2=80=99s =
that it protects).<br class=3D"">
<br class=3D"">
Are there any other options?<br class=3D"">
<br class=3D"">
Here are my thoughts on each approach:<br class=3D"">
<br class=3D"">
1) While it usually makes sense to register things for interoperability, =
this is a case where I think that a registry would actually hurt =
interoperability and adoption. Like a =E2=80=9Cscope=E2=80=9D value, the =
RAR =E2=80=9Ctype=E2=80=9D is ultimately up to the AS and RS to =
interpret in their own context. We :want: people to define rich objects =
for their APIs and enable fine-grained access for their systems, and if =
they have to register something every time they come up with a new API =
to protect, it=E2=80=99s going to be an unmaintainable mess. I genuinely =
don=E2=80=99t think this would scale, and that most developers would =
just ignore the registry and do what they want anyway. And since many of =
these systems are inside domains, it=E2=80=99s completely unenforceable =
in practice.<br class=3D"">
<br class=3D"">
2) This seems reasonable, but it=E2=80=99s a bit of a nuisance to =
require everything to be a URI here. It=E2=80=99s long and ugly, and a =
lot of APIs are going to be internal to a given group, deployment, or =
ecosystem anyway. This makes sense when you=E2=80=99ve got something =
reusable across many deployments, like OIDC, but it=E2=80=99s overhead =
when what you=E2=80=99re doing is tied to your environment.<br class=3D"">=

<br class=3D"">
3) This allows the AS and RS to define the request parameters for their =
APIs just like they do today with scopes. Since it=E2=80=99s always the =
combination of =E2=80=9Cthis type :AT: this AS/RS=E2=80=9D, name spacing =
is less of an issue across systems. We haven=E2=80=99t seen huge =
problems in scope value overlap in the wild, though it does occur from =
time to time it=E2=80=99s more than manageable. A client isn=E2=80=99t =
going to just =E2=80=9Cspeak RAR=E2=80=9D, it=E2=80=99s going to be =
speaking RAR so that it can access something in particular.<br class=3D"">=

<br class=3D"">
And all that brings me to my proposal: <br class=3D"">
<br class=3D"">
4) Require all values to be defined by the AS, and encourage =
specification developers to use URIs for collision resistance.<br =
class=3D"">
<br class=3D"">
So officially in RAR, the AS would decide what =E2=80=9Ctype=E2=80=9D =
means, and nobody else. But we can also guide people who are developing =
general-purpose interoperable APIs to use URIs for their RAR =E2=80=9Ctype=
=E2=80=9D definitions. This would keep those interoperable APIs from =
stepping on each other, and from stepping on any locally-defined special =
=E2=80=9Ctype=E2=80=9D structure. But at the end of the day, the URI =
carries no more weight than just any other string, and the AS decides =
what it means and how it applies.<br class=3D"">
<br class=3D"">
My argument is that this seems to have worked very, very well for =
scopes, and the RAR =E2=80=9Ctype=E2=80=9D is cut from similar =
descriptive cloth.<br class=3D"">
<br class=3D"">
What does the rest of the group think? How should we manage the RAR =
=E2=80=9Ctype=E2=80=9D values and what they mean?<br class=3D"">
<br class=3D"">
&nbsp;=E2=80=94 Justin<br class=3D"">
</blockquote></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br =
class=3D""></div></div></blockquote></div></div></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br =
class=3D""></div></div></div></blockquote></div>
</div></blockquote></div><br =
class=3D""></div></div></div></div></blockquote></div><br =
class=3D""></div></div></body></html>=

--Apple-Mail=_7994F0CF-ABCB-4041-8A90-27FFDEBB5F4E--
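Added example, not part of the thread above: a sketch of the strict matching argued for in the thread, where the AS compares "type" values code point by code point and uses Unicode and URI folding only to lint registered values and to log near misses. The registry, the function names and the `payment;v1` and `café-orders` values are constructed assumptions; the URIs are the ones quoted in the thread.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed registry of "type" values this AS understands (assumption).
REGISTERED_TYPES = frozenset({
    "https://schema.example.org/v1",
    "payment;v1",
    "caf\u00e9-orders",  # e-acute as one precomposed code point (NFC)
})

DEFAULT_PORTS = {"http": 80, "https": 443}


def loose_key(value):
    """Fold a value the way a lenient matcher would. Diagnostics only."""
    text = unicodedata.normalize("NFKC", value).strip()
    try:
        parts = urlsplit(text)
        port = parts.port
    except ValueError:  # malformed authority or port: treat as a plain string
        return text.casefold()
    if parts.scheme in DEFAULT_PORTS and parts.hostname:
        # urlsplit already lower-cases the scheme and the hostname.
        suffix = "" if port in (None, DEFAULT_PORTS[parts.scheme]) else ":%d" % port
        query = "?" + parts.query if parts.query else ""
        return "%s://%s%s%s%s" % (
            parts.scheme, parts.hostname, suffix, parts.path.rstrip("/"), query)
    return text.casefold()


def lint_type_value(value):
    """Registration-time check: reasons a value is easy to mistype or mis-copy."""
    issues = []
    if not value.isascii():
        issues.append("non-ascii")
    if unicodedata.normalize("NFC", value) != value:
        issues.append("not-nfc")
    if any(ch.isspace() or unicodedata.category(ch) in ("Cc", "Cf") for ch in value):
        issues.append("whitespace-or-invisible")
    if loose_key(value) != value:
        issues.append("changes-under-folding")
    return issues


def check_type(requested, registered=REGISTERED_TYPES):
    """Run-time decision: only exact code-point equality is accepted."""
    if requested in registered:
        return ("accept", requested)
    wanted = loose_key(requested)
    for candidate in sorted(registered):
        if loose_key(candidate) == wanted:
            # Still a rejection; the candidate is returned for the error log only.
            return ("reject-near-miss", candidate)
    return ("reject", None)


if __name__ == "__main__":
    samples = [
        "https://schema.example.org/v1",
        "HTTPS://schema.example.org/v1",
        "https://SCHEMA.EXAMPLE.ORG/v1",
        "https://schema.example.org:443/v1/",
        "https://schema.example.org/v2",
        "payment\u037ev1",        # Greek question mark instead of semicolon
        "cafe\u0301-orders",      # e + combining acute (NFD form)
    ]
    for sample in samples:
        print(ascii(sample), check_type(sample), lint_type_value(sample))
```

The near-miss result is for operator logs and developer-facing error messages; the authorization decision stays a rejection.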


From nobody Wed Jul 22 08:37:32 2020
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
MIME-Version: 1.0
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 22 Jul 2020 09:36:59 -0600
Message-ID: <CA+k3eCRa9gMimtJ3917GaJPdTQGdCBskLEim0kVeh-qeB8EszQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000043fd6205ab098497"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KIB4aMt5ecDCqMfDQHax2ZsFhVs>
Subject: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT
Precedence: list
X-List-Received-Date: Wed, 22 Jul 2020 15:37:30 -0000

--00000000000043fd6205ab098497
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

The TL;DR here is a somewhat tentative suggestion that a brief security
consideration be added to
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ that prohibits
the inclusion of a 'sub' claim containing the client id value in the
request object JWT so as to prevent the request object JWT (which is
exposed to the user agent) from being erroneously accepted as a valid JWT
for client authentication.

Some more details and the discussion that led to this here email can be
found at https://github.com/oauthstuff/draft-oauth-par/issues/41

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited.  If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you._

--00000000000043fd6205ab098497--


From nobody Wed Jul 22 09:32:26 2020
Return-Path: <dbaier@leastprivilege.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 286563A0B00 for <oauth@ietfa.amsl.com>; Wed, 22 Jul 2020 09:32:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level: 
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=leastprivilege-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mjIPAEnFacnP for <oauth@ietfa.amsl.com>; Wed, 22 Jul 2020 09:32:22 -0700 (PDT)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D54C3A0AC8 for <oauth@ietf.org>; Wed, 22 Jul 2020 09:32:21 -0700 (PDT)
Received: by mail-io1-xd2f.google.com with SMTP id v6so3218313iob.4 for <oauth@ietf.org>; Wed, 22 Jul 2020 09:32:21 -0700 (PDT)
X-Received: by 2002:a6b:6413:: with SMTP id t19mr537855iog.167.1595435541161;  Wed, 22 Jul 2020 09:32:21 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Wed, 22 Jul 2020 12:32:20 -0400
From: Dominick Baier <dbaier@leastprivilege.com>
In-Reply-To: <CA+k3eCRa9gMimtJ3917GaJPdTQGdCBskLEim0kVeh-qeB8EszQ@mail.gmail.com>
References: <CA+k3eCRa9gMimtJ3917GaJPdTQGdCBskLEim0kVeh-qeB8EszQ@mail.gmail.com>
MIME-Version: 1.0
Date: Wed, 22 Jul 2020 12:32:20 -0400
Message-ID: <CAO7Ng+u16x7G0JTZg=oZnOWj6n3H39w_jk2fKXh2jc70n71KLw@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b1826905ab0a4840"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ezIPcziErwqJ9rAkinM1wtKRWIY>
Subject: Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2020 16:32:24 -0000

--000000000000b1826905ab0a4840
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Why not use a typ header as suggested by the JWT BCP?

———
Dominick Baier

On 22. July 2020 at 17:37:41, Brian Campbell (
bcampbell=40pingidentity.com@dmarc.ietf.org) wrote:

The TL;DR here is a somewhat tentative suggestion that a brief security
consideration be added to
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ that prohibits
the inclusion of a 'sub' claim containing the client id value in the
request object JWT so as to prevent the request object JWT (which is
exposed to the user agent) from being erroneously accepted as a valid JWT
for client authentication.

Some more details and the discussion that led to this here email can be
found at https://github.com/oauthstuff/draft-oauth-par/issues/41

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--000000000000b1826905ab0a4840--
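
The JWT swap raised in this thread, and the two mitigations mentioned in it (no 'sub' = client id in the request object, and an explicit 'typ' header), as an added example that is not part of either message. The client id, issuer, key, the use of HS256, both 'typ' values and an AS that accepts its issuer identifier as audience for both JWT kinds are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (assumptions for this example, not from the thread).
CLIENT_ID = "s6BhdRkqt3"
AS_ISSUER = "https://as.example.com"
CLIENT_KEY = b"constructed-demo-secret"
NOW = 1595432245  # fixed clock so the run is deterministic
# Both "typ" values are assumptions; the thread names no specific value.
REQUEST_OBJECT_TYP = "oauth-authz-req+jwt"
CLIENT_AUTH_TYP = "client-authentication+jwt"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims, typ=None):
    """Build a compact HS256 JWS; the typ header is set only when given."""
    header = {"alg": "HS256"}
    if typ:
        header["typ"] = typ
    parts = [_b64(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(CLIENT_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_jwt(token):
    """Check structure, algorithm and signature; return (header, claims)."""
    try:
        h, c, s = token.split(".")
        header, claims, sig = json.loads(_unb64(h)), json.loads(_unb64(c)), _unb64(s)
    except ValueError:
        raise ValueError("malformed JWT") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed JWT")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_KEY, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return header, claims

def _check_common(claims):
    """Checks shared by both JWT kinds: issuer, audience, expiry."""
    if claims.get("iss") != CLIENT_ID:
        raise ValueError("iss is not the client id")
    if claims.get("aud") != AS_ISSUER:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= NOW:
        raise ValueError("expired or missing exp")

def client_assertion_naive(token):
    """Claims-only check: any validly signed JWT with iss = sub = client id passes."""
    _, claims = verify_jwt(token)
    _check_common(claims)
    if claims.get("sub") != CLIENT_ID:
        raise ValueError("sub is not the client id")
    return claims["sub"]

def client_assertion_typed(token):
    """Same check plus explicit typing, the 'typ' idea raised in the reply."""
    header, _ = verify_jwt(token)
    if header.get("typ") != CLIENT_AUTH_TYP:
        raise ValueError("not a client authentication JWT")
    return client_assertion_naive(token)

def request_object(token):
    """Request-object check with the rule proposed in the first message."""
    _, claims = verify_jwt(token)
    _check_common(claims)
    if claims.get("sub") == CLIENT_ID:
        raise ValueError("request object must not carry sub = client id")
    return claims

def outcome(check, token):
    """Run one check and describe the result as a string."""
    try:
        check(token)
        return "accepted"
    except ValueError as err:
        return "rejected: " + str(err)

base = {"iss": CLIENT_ID, "aud": AS_ISSUER, "exp": NOW + 300}
params = {"response_type": "code", "client_id": CLIENT_ID, "scope": "payments"}
# Request object that also carries sub = client id (the case the thread warns about).
RO_WITH_SUB = sign_jwt({**base, **params, "sub": CLIENT_ID}, REQUEST_OBJECT_TYP)
RO_CLEAN = sign_jwt({**base, **params}, REQUEST_OBJECT_TYP)
ASSERTION = sign_jwt({**base, "sub": CLIENT_ID, "jti": "constructed-jti-1"}, CLIENT_AUTH_TYP)

if __name__ == "__main__":
    for name, tok in (("RO with sub", RO_WITH_SUB), ("RO clean", RO_CLEAN), ("assertion", ASSERTION)):
        for check in (client_assertion_naive, client_assertion_typed, request_object):
            print(f"{name:12} {check.__name__:24} {outcome(check, tok)}")
```

The claims-only check accepts the request object that carries 'sub'; either mitigation alone turns that case into a rejection.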


From nobody Wed Jul 22 13:16:42 2020
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0833A3A0858 for <oauth@ietfa.amsl.com>; Wed, 22 Jul 2020 13:16:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.897
X-Spam-Level: 
X-Spam-Status: No, score=-0.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MISSING_HEADERS=1.021, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j_gB0XWuoGNn for <oauth@ietfa.amsl.com>; Wed, 22 Jul 2020 13:16:39 -0700 (PDT)
Received: from p3plsmtpa07-09.prod.phx3.secureserver.net (p3plsmtpa07-09.prod.phx3.secureserver.net [173.201.192.238]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D03683A0859 for <oauth@ietf.org>; Wed, 22 Jul 2020 13:16:39 -0700 (PDT)
Received: from [192.168.10.64] ([81.174.4.8]) by :SMTPAUTH: with ESMTPSA id yLALjmSL1kGZCyLAMji3hj; Wed, 22 Jul 2020 13:16:39 -0700
X-SECURESERVER-ACCT: vladimir@connect2id.com
Cc: oauth@ietf.org
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <4ea6f9af-d67f-97df-6bae-752cf34f920c@connect2id.com> <B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu> <c84ca5ce-5fa0-dc8e-afaa-88f48dc6eaa8@connect2id.com> <5EFFFABC-2A9B-4353-A826-2D33D4E82600@mit.edu> <9ee8ed17-141c-1aeb-901a-4d91d6aa90b0@connect2id.com> <89302FD9-4FBF-4363-8B7E-545AB4A778AD@lodderstedt.net>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <9c6b4565-7042-62cc-6346-4e668bcb0a77@connect2id.com>
Date: Wed, 22 Jul 2020 23:16:37 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <89302FD9-4FBF-4363-8B7E-545AB4A778AD@lodderstedt.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms080405030509060804060704"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/d12H-yXFjRO0BeB7Xef-G3K_aGY>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2020 20:16:41 -0000

This is a cryptographically signed message in MIME format.

--------------ms080405030509060804060704
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US


On 21/07/2020 18:43, Torsten Lodderstedt wrote:
>
>> On 21. Jul 2020, at 17:40, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>
>>
>>
>> On 21/07/2020 17:47, Justin Richer wrote:
>>>> On Jul 19, 2020, at 1:04 PM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>>>
>>>> On 18/07/2020 17:12, Justin Richer wrote:
>>>>> I think publishing supported “type” parameters isn’t a bad idea, and it aligns with publishing supported scopes and claims in discovery.
>>>> If you are a developer, would you like to be able to find out if the authorization_details for a given "type" has a JSON schema and what it looks like?
>>>>
>>>>
>>>>
>>> I think that would be a nice thing for an AS/API to offer, but I don’t think it should be expected or required here. That might be a good note in the guidance, say that if you use a URI for your “type” field then it would be nice if it resolved to something either human or machine readable. What I don’t want is for us to require every AS to have to resolve these URIs in order to process and understand them. That’s why I’m taking the position of it being a string, and the URI can provide disambiguation in the way you’re talking about below.
>> We've been thinking about giving developers the possibility to discover the authorization_details JSON schema (if one is supplied) for a given type via a separate AS metadata parameter. Not by making the type a dereferenceable URL, which will overload things too much.
>>
>> authorization_details_json_schemas : {
>>     "<type-a>" : "<type-a-json-schema-url>",
>>     "<type-b>" : "<type-b-json-schema-url>",
>>    ...
>>
>> }
>> The rationale -- to minimise the number of potential support calls for providers arising from "Oh dear, why do I get this invalid_request now..." with complex RAR JSON objects.
> We could borrow the "$schema” element.

Could you elaborate?

> However, I’m on the fence regarding introducing a separate parameter for the schema simply because it also introduces a new error cause if type and schema are inconsistent.

Another idea was to still let the AS be configured with optional JSON
schemas for each type, and if the schema check of the
authorization_details fails, to include a meaningful message in the
invalid_request error_description and the schema URL in the error_uri.

The downside of that is the schema cannot be discovered or retrieved
upfront.

We really want to make it easy for developers to debug their requests
when facing complex RARs, on their own, without having to rely on a
support desk.

IMO the std invalid_request is ok for communicating the condition of an
authorization_details object failing the schema check (if the additional
error code was your concern).

Vladimir



--------------ms080405030509060804060704
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--------------ms080405030509060804060704--
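
The per-type schema check described in this message, with the failure reported through invalid_request, a message in error_description and the schema URL in error_uri, as an added example that is not part of the thread. The type name, schema, URLs and sample request are constructed, and the small validator handles only the 'type', 'required' and 'properties' keywords of JSON Schema.

```python
# Constructed AS configuration: an optional schema per authorization_details
# "type". Type name, schema content and URL are assumptions for this example.
SCHEMAS = {
    "payment_initiation": {
        "url": "https://as.example.com/schemas/payment_initiation.json",
        "schema": {
            "type": "object",
            "required": ["type", "instructedAmount", "creditorAccount"],
            "properties": {
                "type": {"type": "string"},
                "instructedAmount": {
                    "type": "object",
                    "required": ["currency", "amount"],
                    "properties": {"currency": {"type": "string"},
                                   "amount": {"type": "string"}},
                },
                "creditorAccount": {
                    "type": "object",
                    "required": ["iban"],
                    "properties": {"iban": {"type": "string"}},
                },
            },
        },
    }
}

# Only the JSON types used by the constructed schema above are supported.
JSON_TYPES = {"object": dict, "string": str, "array": list}


def first_violation(value, schema, path="$"):
    """Return a message for the first schema violation, or None if there is none."""
    expected = schema.get("type")
    if expected and not isinstance(value, JSON_TYPES[expected]):
        return f"{path}: expected {expected}"
    if isinstance(value, dict):
        for name in schema.get("required", []):
            if name not in value:
                return f"{path}: missing required member '{name}'"
        for name, sub in schema.get("properties", {}).items():
            if name in value:
                problem = first_violation(value[name], sub, f"{path}.{name}")
                if problem:
                    return problem
    return None


def _error(description, schema_url=None):
    # error_description avoids double quotes and backslashes, which the
    # RFC 6749 character set for this field does not allow.
    body = {"error": "invalid_request", "error_description": description}
    if schema_url:
        body["error_uri"] = schema_url
    return body


def as_metadata():
    """Metadata fragment using the parameter name proposed in the thread."""
    return {"authorization_details_json_schemas":
            {kind: entry["url"] for kind, entry in SCHEMAS.items()}}


def check_authorization_details(details):
    """Return None when every object passes, else an OAuth error response body."""
    if not isinstance(details, list):
        return _error("authorization_details must be a JSON array")
    for index, item in enumerate(details):
        if not isinstance(item, dict) or not isinstance(item.get("type"), str):
            return _error(f"authorization_details[{index}]: missing string member 'type'")
        entry = SCHEMAS.get(item["type"])
        if entry is None:
            continue  # schemas are optional: no schema configured for this type
        problem = first_violation(item, entry["schema"])
        if problem:
            return _error(f"authorization_details[{index}] {problem}", entry["url"])
    return None


# Constructed requests: one complete, one missing the currency member.
GOOD = [{"type": "payment_initiation",
         "instructedAmount": {"currency": "EUR", "amount": "123.50"},
         "creditorAccount": {"iban": "DE00CONSTRUCTED0000"}}]
BAD = [{"type": "payment_initiation",
        "instructedAmount": {"amount": "123.50"},
        "creditorAccount": {"iban": "DE00CONSTRUCTED0000"}}]

if __name__ == "__main__":
    print(as_metadata())
    print(check_authorization_details(GOOD))
    print(check_authorization_details(BAD))
```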


From nobody Wed Jul 22 14:03:02 2020
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB5293A0998 for <oauth@ietfa.amsl.com>; Wed, 22 Jul 2020 14:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id idyaqzxntLXu for <oauth@ietfa.amsl.com>; Wed, 22 Jul 2020 14:02:59 -0700 (PDT)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF2A23A0996 for <oauth@ietf.org>; Wed, 22 Jul 2020 14:02:58 -0700 (PDT)
Received: by mail-ej1-x633.google.com with SMTP id w9so3784409ejc.8 for <oauth@ietf.org>; Wed, 22 Jul 2020 14:02:58 -0700 (PDT)
X-Received: by 2002:a17:906:35cd:: with SMTP id p13mr1405550ejb.172.1595451777099;  Wed, 22 Jul 2020 14:02:57 -0700 (PDT)
Received: from p200300eb8f0138564448aa37b13c8450.dip0.t-ipconnect.de (p200300eb8f0138564448aa37b13c8450.dip0.t-ipconnect.de. [2003:eb:8f01:3856:4448:aa37:b13c:8450]) by smtp.gmail.com with ESMTPSA id m14sm501188ejx.80.2020.07.22.14.02.55 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Jul 2020 14:02:56 -0700 (PDT)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <0F86826A-14B0-4047-80C2-4D503C97763E@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_129B1EF8-D935-4E0D-9797-ED501BF9754F"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 22 Jul 2020 23:02:54 +0200
In-Reply-To: <9c6b4565-7042-62cc-6346-4e668bcb0a77@connect2id.com>
Cc: oauth@ietf.org
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <4ea6f9af-d67f-97df-6bae-752cf34f920c@connect2id.com> <B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu> <c84ca5ce-5fa0-dc8e-afaa-88f48dc6eaa8@connect2id.com> <5EFFFABC-2A9B-4353-A826-2D33D4E82600@mit.edu> <9ee8ed17-141c-1aeb-901a-4d91d6aa90b0@connect2id.com> <89302FD9-4FBF-4363-8B7E-545AB4A778AD@lodderstedt.net> <9c6b4565-7042-62cc-6346-4e668bcb0a77@connect2id.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ycaIzxZQFqYQS_AySrjnJO40oMc>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2020 21:03:01 -0000

--Apple-Mail=_129B1EF8-D935-4E0D-9797-ED501BF9754F
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On 22. Jul 2020, at 22:16, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>
> On 21/07/2020 18:43, Torsten Lodderstedt wrote:
>>
>>> On 21. Jul 2020, at 17:40, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>>
>>> On 21/07/2020 17:47, Justin Richer wrote:
>>>>> On Jul 19, 2020, at 1:04 PM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>>>>
>>>>> On 18/07/2020 17:12, Justin Richer wrote:
>>>>>> I think publishing supported “type” parameters isn’t a bad idea,
>>>>>> and it aligns with publishing supported scopes and claims in
>>>>>> discovery.
>>>>> If you are a developer, would you like to be able to find out if the
>>>>> authorization_details for a given "type" has a JSON schema and what
>>>>> it looks like?
>>>>>
>>>> I think that would be a nice thing for an AS/API to offer, but I
>>>> don’t think it should be expected or required here. That might be a
>>>> good note in the guidance, say that if you use a URI for your “type”
>>>> field then it would be nice if it resolved to something either human
>>>> or machine readable. What I don’t want is for us to require every AS
>>>> to have to resolve these URIs in order to process and understand
>>>> them. That’s why I’m taking the position of it being a string, and
>>>> the URI can provide disambiguation in the way you’re talking about
>>>> below.
>>> We've been thinking about giving developers the possibility to
>>> discover the authorization_details JSON schema (if one is supplied)
>>> for a given type via a separate AS metadata parameter. Not by making
>>> the type a dereferenceable URL, which will overload things too much.
>>>
>>> authorization_details_json_schemas : {
>>>    "<type-a>" : "<type-a-json-schema-url>",
>>>    "<type-b>" : "<type-b-json-schema-url>",
>>>   ...
>>> }
>>> The rationale -- to minimise the number of potential support calls
>>> for providers arising from "Oh dear, why do I get this invalid_request
>>> now..." with complex RAR JSON objects.
>> We could borrow the "$schema" element.
>
> Could you elaborate?

I mean we could use this element in addition to the “type” element to
specify the corresponding schema in each authorization details object.

>
>> However, I’m on the fence regarding introducing a separate parameter
>> for the schema simply because it also introduces a new error cause if
>> type and schema are inconsistent.
>
> Another idea was to still let the AS be configured with optional JSON
> schemas for each type, and if the schema check of the
> authorization_details fails, to include a meaningful message in the
> invalid_request error_description and the schema URL in the error_uri.
>
> The downside of that is the schema cannot be discovered or retrieved
> upfront.
>
> We really want to make it easy for developers to debug their requests
> when facing complex RARs, on their own, without having to rely on a
> support desk.
>
> IMO the std invalid_request is ok for communicating the condition of an
> authorization_details object failing the schema check (if the additional
> error code was your concern).
>
> Vladimir


--Apple-Mail=_129B1EF8-D935-4E0D-9797-ED501BF9754F--
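
Added example (not part of the message above, nor code from any draft or product mentioned in it): a sketch of the idea quoted in the thread, where the AS holds an optional JSON schema per authorization_details "type" and reports a failed check as invalid_request with a descriptive error_description and the schema URL in error_uri. The type name, URL, schema and function names are constructed for illustration, and the checker implements only a small JSON Schema subset as a stand-in for a full validator.

```python
import json

# Constructed AS configuration: an optional JSON schema per authorization_details
# "type". The type name, URL and schema are hypothetical sample data.
TYPE_SCHEMAS = {
    "payment_initiation": {
        "url": "https://as.example.com/schemas/payment_initiation.json",
        "schema": {
            "type": "object",
            "required": ["type", "instructedAmount", "creditorAccount"],
            "properties": {
                "type": {"type": "string"},
                "actions": {
                    "type": "array",
                    "items": {"type": "string",
                              "enum": ["initiate", "status", "cancel"]},
                },
                "instructedAmount": {
                    "type": "object",
                    "required": ["currency", "amount"],
                    "properties": {"currency": {"type": "string"},
                                   "amount": {"type": "string"}},
                },
                "creditorAccount": {
                    "type": "object",
                    "required": ["iban"],
                    "properties": {"iban": {"type": "string"}},
                },
            },
        },
    }
}

_PY_TYPES = {"object": dict, "array": list, "string": str,
             "number": (int, float), "boolean": bool}


def schema_errors(value, schema, path):
    """Check value against a JSON Schema subset (type, enum, required,
    properties, items) and return a list of violation messages."""
    expected = schema.get("type")
    if expected is not None:
        ok = isinstance(value, _PY_TYPES[expected])
        if expected == "number" and isinstance(value, bool):
            ok = False  # bool is an int subclass in Python, not a JSON number
        if not ok:
            return [f"{path}: expected {expected}"]
    errors = []
    # Messages name the location only; request values are never echoed back.
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: value not in allowed set")
    if isinstance(value, dict):
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}: missing required member '{name}'")
        for name, sub in schema.get("properties", {}).items():
            if name in value:
                errors.extend(schema_errors(value[name], sub, f"{path}.{name}"))
    if isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            errors.extend(schema_errors(item, schema["items"], f"{path}[{i}]"))
    return errors


def invalid_request(description, error_uri=None):
    """Build the OAuth error parameters for a rejected request."""
    response = {"error": "invalid_request", "error_description": description}
    if error_uri:
        response["error_uri"] = error_uri
    return response


def check_authorization_details(raw):
    """Return None when the parameter passes, otherwise an error response."""
    try:
        details = json.loads(raw)
    except ValueError:
        return invalid_request("authorization_details is not valid JSON")
    if not isinstance(details, list):
        return invalid_request("authorization_details must be a JSON array")
    for i, obj in enumerate(details):
        path = f"authorization_details[{i}]"
        if not isinstance(obj, dict) or not isinstance(obj.get("type"), str):
            return invalid_request(f"{path}: missing string member 'type'")
        entry = TYPE_SCHEMAS.get(obj["type"])
        if entry is None:
            continue  # schemas are optional; type policy is decided elsewhere
        errors = schema_errors(obj, entry["schema"], path)
        if errors:
            return invalid_request("; ".join(errors), entry["url"])
    return None
```

The error_description deliberately reports paths and schema-side names rather than submitted values, so request content is not reflected into the error response.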


From nobody Wed Jul 22 14:55:24 2020
MIME-Version: 1.0
References: <CA+k3eCRa9gMimtJ3917GaJPdTQGdCBskLEim0kVeh-qeB8EszQ@mail.gmail.com> <CAO7Ng+u16x7G0JTZg=oZnOWj6n3H39w_jk2fKXh2jc70n71KLw@mail.gmail.com>
In-Reply-To: <CAO7Ng+u16x7G0JTZg=oZnOWj6n3H39w_jk2fKXh2jc70n71KLw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 22 Jul 2020 15:54:52 -0600
Message-ID: <CA+k3eCSQTkp1gBnuXJv-1i_-9gLkVBGzeSx_XYyhnnF_=bg68g@mail.gmail.com>
To: Dominick Baier <dbaier@leastprivilege.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bb78c505ab0ecb4e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VXB_cJnvLvzU9_b8dckp-mmWgas>
Subject: Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

--000000000000bb78c505ab0ecb4e
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Because it wouldn't actually prevent it in this case due to JWT assertion
client authentication (a.k.a. private_key_jwt) having come about well
before the JWT BCP and the established concept of using the 'typ' header to
prevent cross-JWT confusion. Thus there's no validation rule regarding the
'typ' header defined in RFC 7523 for JWT client authentication. Explicitly
typing the request object JWT doesn't do anything to prevent it from being
used in the context of previously existing JWT applications like client
auth.

On Wed, Jul 22, 2020 at 10:32 AM Dominick Baier <dbaier@leastprivilege.com>
wrote:

> Why not use a typ header as suggested by the JWT BCP?
>
> ———
> Dominick Baier
>
> On 22. July 2020 at 17:37:41, Brian Campbell (
> bcampbell=40pingidentity.com@dmarc.ietf.org) wrote:
>
> The TL;DR here is a somewhat tentative suggestion that a brief security
> consideration be added to
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ that
> prohibits the inclusion of a 'sub' claim containing the client id value in
> the request object JWT so as to prevent the request object JWT (which is
> exposed to the user agent) from being erroneously accepted as a valid JWT
> for client authentication.
>
> Some more details and the discussion that led to this here email can be
> found at https://github.com/oauthstuff/draft-oauth-par/issues/41

--000000000000bb78c505ab0ecb4e--
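
Added example (not part of the messages above and not code from RFC 7523 or the jwsreq draft): a claim-level sketch of the confusion discussed in this thread. It shows that a validator applying RFC 7523-style checks for JWT client authentication never looks at 'typ', so an explicitly typed request object that carries sub=client_id still passes, while a request object without that 'sub' does not. The issuer, client id, clock value and function names are constructed; signature verification is replaced by a placeholder because both JWTs are signed with the same client key and would both verify.

```python
import base64
import json

# Constructed values for this example.
AS_ISSUER = "https://as.example.com"
TOKEN_ENDPOINT = AS_ISSUER + "/token"
CLIENT_ID = "client-123"
REGISTERED_CLIENTS = {CLIENT_ID}
NOW = 1595454892                      # fixed clock keeps the example deterministic
REQUEST_OBJECT_TYP = "oauth-authz-req+jwt"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(header, claims):
    """Build a compact JWS with a placeholder signature (assumption: a real
    signature by the client's registered key would verify in both contexts)."""
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    return ".".join(parts + [_b64url(b"placeholder-signature")])


def parse_jwt(token):
    head, body, _signature = token.split(".")
    decode = lambda s: json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))
    return decode(head), decode(body)


def _audiences(claims):
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def validate_client_assertion(token, now=NOW):
    """RFC 7523-style claim checks for JWT client authentication.
    Returns the authenticated client_id or raises ValueError."""
    _header, claims = parse_jwt(token)    # header, and so 'typ', is never consulted
    for name in ("iss", "sub", "aud", "exp"):
        if name not in claims:
            raise ValueError(f"client assertion missing '{name}'")
    if claims["iss"] != claims["sub"] or claims["sub"] not in REGISTERED_CLIENTS:
        raise ValueError("iss and sub must both be a registered client_id")
    if not {AS_ISSUER, TOKEN_ENDPOINT} & set(_audiences(claims)):
        raise ValueError("assertion is not addressed to this AS")
    if claims["exp"] <= now:
        raise ValueError("assertion expired")
    return claims["sub"]


def validate_request_object(token, client_id, now=NOW, forbid_client_sub=True):
    """Request object claim checks, plus AS-side enforcement of the
    prohibition suggested in the thread (no 'sub' equal to the client id)."""
    _header, claims = parse_jwt(token)
    if claims.get("iss") != client_id:
        raise ValueError("request object iss must be the client_id")
    if AS_ISSUER not in _audiences(claims):
        raise ValueError("request object is not addressed to this AS")
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("request object expired")
    if forbid_client_sub and claims.get("sub") == client_id:
        raise ValueError("request object must not carry sub equal to client_id")
    return claims


def request_object(include_sub):
    """Constructed request object; include_sub=True is the confusable shape."""
    claims = {"iss": CLIENT_ID, "aud": AS_ISSUER, "exp": NOW + 300,
              "client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": "https://client.example.org/cb", "scope": "read"}
    if include_sub:
        claims["sub"] = CLIENT_ID
    return make_jwt({"alg": "RS256", "typ": REQUEST_OBJECT_TYP}, claims)


def rejects(check, *args, **kwargs):
    """True when the given validator raises ValueError for the arguments."""
    try:
        check(*args, **kwargs)
    except ValueError:
        return True
    return False
```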


From nobody Wed Jul 22 15:14:12 2020
MIME-Version: 1.0
References: <159440889543.18992.875170114115905147@ietfa.amsl.com> <CA+k3eCQzkFo_NPsRp+vb05YyDsuPzQNH-0Ldm26uvwtCRfgvSA@mail.gmail.com> <67e8c6aa-4077-cdae-f6a2-0fc3f3aa82ac@connect2id.com>
In-Reply-To: <67e8c6aa-4077-cdae-f6a2-0fc3f3aa82ac@connect2id.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 22 Jul 2020 16:13:35 -0600
Message-ID: <CA+k3eCRWSFGHPb9Yo1POR_YqZLELyhEuYuUsObcXMebxtnySBg@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a87bce05ab0f0e3b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Qu4eCm0vsHeP0TBBSustJVINBIM>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-par-02.txt

--000000000000a87bce05ab0f0e3b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Thanks Vladimir, both comments should be easy to address in -03 (HTTPS/TLS
required and SHOULD on short lifetime *and* single use).

On Sun, Jul 19, 2020 at 12:55 PM Vladimir Dzhuvinov <vladimir@connect2id.com>
wrote:

> Thanks for the update. With the "require PAR" AS and client metadata the
> spec is now "policy complete". I can't think of what else there is to add.
>
>
> I have two comments about -02:
>
>
> https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2
>
> I didn't see a mention of https / TLS being required for the PAR endpoint.
> The reader could assume http is fine.
>
>
> https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2.2
>
>    Since the request URI can be replayed, its lifetime SHOULD be short
>    and preferably limited to one-time use.
>
> The SHOULD is ambiguous here - does it apply to the lifetime only, or to
> the lifetime and the single use?
>
>
> Vladimir
>
>
> On 10/07/2020 21:36, Brian Campbell wrote:
>
> WG,
>
> A new -02 draft of "OAuth 2.0 Pushed Authorization Requests" has been
> published. A summary of the changes, taken from the document history, is
> included below for ease of reference.
>
>    -02
>
>    *  Update Resource Indicators reference to the somewhat recently
>       published RFC 8707 <https://datatracker.ietf.org/doc/html/rfc8707>
>
>    *  Added metadata in support of pushed authorization requests only
>       feature
>
>    *  Update to comply with draft-ietf-oauth-jwsreq-21
>       <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-21>,
>       which requires "client_id" in the authorization request in
>       addition to the "request_uri"
>
>    *  Clarified timing of request validation
>
>    *  Add some guidance/options on the request URI structure
>
>    *  Add the key used in the request object example so that a reader
>       could validate or recreate the request object signature
>
>    *  Update to draft-ietf-oauth-jwsreq-25
>       <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-25>
>       and added note regarding "require_signed_request_object"
>
>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Fri, Jul 10, 2020 at 1:21 PM
> Subject: New Version Notification for draft-ietf-oauth-par-02.txt
> To: Filip Skokan <panva.ip@gmail.com>, Torsten Lodderstedt <
> torsten@lodderstedt.net>, Brian Campbell <bcampbell@pingidentity.com>,
> Dave Tonge <dave@tonge.org>, Nat Sakimura <nat@sakimura.org>
>
>
>
> A new version of I-D, draft-ietf-oauth-par-02.txt
> has been successfully submitted by Brian Campbell and posted to the
> IETF repository.
>
> Name:           draft-ietf-oauth-par
> Revision:       02
> Title:          OAuth 2.0 Pushed Authorization Requests
> Document date:  2020-07-10
> Group:          oauth
> Pages:          18
> URL:            https://www.ietf.org/internet-drafts/draft-ietf-oauth-par-02.txt
> Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-par/
> Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-par-02
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-02
>
> Abstract:
>    This document defines the pushed authorization request endpoint,
>    which allows clients to push the payload of an OAuth 2.0
>    authorization request to the authorization server via a direct
>    request and provides them with a request URI that is used as
>    reference to the data in a subsequent authorization request.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
> --
> Vladimir Dzhuvinov

--000000000000a87bce05ab0f0e3b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Thanks Vladimir, both comments should be easy to address i=
n -03 (HTTPS/TLS required and SHOULD on short lifetime *and* single use). <=
br></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_att=
r">On Sun, Jul 19, 2020 at 12:55 PM Vladimir Dzhuvinov &lt;<a href=3D"mailt=
o:vladimir@connect2id.com" target=3D"_blank">vladimir@connect2id.com</a>&gt=
; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px=
 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
 =20
   =20
 =20
  <div>
    <p>Thanks for the update. With the &quot;require PAR&quot; AS and clien=
t
      metadata the spec is now &quot;policy complete&quot;. I can&#39;t thi=
nk of what
      else there is to add.<br>
    </p>
    <p><br>
    </p>
    <p>I have two comments about -02:</p>
    <p><br>
    </p>
    <p><a href=3D"https://tools.ietf.org/html/draft-ietf-oauth-par-02#secti=
on-2" target=3D"_blank">https://tools.ietf.org/html/draft-ietf-oauth-par-02=
#section-2</a></p>
    <p>I didn&#39;t see a mention of https / TLS being required for the PAR
      endpoint. The reader could assume http is fine.<br>
    </p>
    <p><br>
    </p>
    <p><a href=3D"https://tools.ietf.org/html/draft-ietf-oauth-par-02#secti=
on-2.2" target=3D"_blank">https://tools.ietf.org/html/draft-ietf-oauth-par-=
02#section-2.2</a></p>
    <p>
      </p><blockquote type=3D"cite">
        <pre>   Since the request URI can be replayed, its lifetime SHOULD =
be short
   and preferably limited to one-time use.</pre>
      </blockquote>
      The SHOULD is ambiguous here - does it apply to the lifetime only,
      or to the lifetime and the single use.<p></p>
    <p><br>
    </p>
    <p>Vladimir<br>
    </p>
    <p><br>
    </p>
    <div>On 10/07/2020 21:36, Brian Campbell
      wrote:<br>
    </div>
    <blockquote type=3D"cite">
     =20
      <div dir=3D"ltr">
        <div>WG,</div>
        <div><br>
        </div>
        <div>A new -02 draft of &quot;OAuth 2.0 Pushed Authorization
          Requests&quot; has been published. A summary of the changes, take=
n
          from the document history, is included below for ease of
          reference.=C2=A0 <br>
        </div>
        <div><br>
        </div>
        <div>
          <pre>   -02

   *  Update Resource Indicators reference to the somewhat recently
      published <a href=3D"https://datatracker.ietf.org/doc/html/rfc8707" t=
arget=3D"_blank">RFC 8707</a>

   *  Added metadata in support of pushed authorization requests only
      feature

   *  Update to comply with <a href=3D"https://datatracker.ietf.org/doc/htm=
l/draft-ietf-oauth-jwsreq-21" target=3D"_blank">draft-ietf-oauth-jwsreq-21<=
/a>, which requires
      &quot;client_id&quot; in the authorization request in addition to the
      &quot;request_uri&quot;

   *  Clarified timing of request validation

   *  Add some guidance/options on the request URI structure

   *  Add the key used in the request object example so that a reader
      could validate or recreate the request object signature

   *  Update to <a href=3D"https://datatracker.ietf.org/doc/html/draft-ietf=
-oauth-jwsreq-25" target=3D"_blank">draft-ietf-oauth-jwsreq-25</a> and adde=
d note regarding
      &quot;require_signed_request_object&quot;</pre>
        </div>
        <br>
        <div class=3D"gmail_quote">
          <div dir=3D"ltr" class=3D"gmail_attr">---------- Forwarded message
            ---------<br>
            From: <span dir=3D"auto">&lt;<a href=3D"mailto:internet-drafts@ietf.org" target=3D"_blank">internet-drafts@ietf.org</a>&gt;</span><br>
            Date: Fri, Jul 10, 2020 at 1:21 PM<br>
            Subject: New Version Notification for
            draft-ietf-oauth-par-02.txt<br>
            To: Filip Skokan &lt;<a href=3D"mailto:panva.ip@gmail.com" target=3D"_blank">panva.ip@gmail.com</a>&gt;,
            Torsten Lodderstedt &lt;<a href=3D"mailto:torsten@lodderstedt.net" target=3D"_blank">torsten@lodderstedt.net</a>&gt;,
            Brian Campbell &lt;<a href=3D"mailto:bcampbell@pingidentity.com" target=3D"_blank">bcampbell@pingidentity.com</a>&gt;,
            Dave Tonge &lt;<a href=3D"mailto:dave@tonge.org" target=3D"_blank">dave@tonge.org</a>&gt;,
            Nat Sakimura &lt;<a href=3D"mailto:nat@sakimura.org" target=3D"_blank">nat@sakimura.org</a>&gt;<br>
          </div>
          <br>
          <br>
          <br>
          A new version of I-D, draft-ietf-oauth-par-02.txt<br>
          has been successfully submitted by Brian Campbell and posted
          to the<br>
          IETF repository.<br>
          <br>
          Name: draft-ietf-oauth-par<br>
          Revision: 02<br>
          Title: OAuth 2.0 Pushed Authorization Requests<br>
          Document date: 2020-07-10<br>
          Group: oauth<br>
          Pages: 18<br>
          URL: <a href=3D"https://www.ietf.org/internet-drafts/draft-ietf-oauth-par-02.txt" rel=3D"noreferrer" target=3D"_blank">https://www.ietf.org/internet-drafts/draft-ietf-oauth-par-02.txt</a><br>
          Status: <a href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-par/" rel=3D"noreferrer" target=3D"_blank">https://datatracker.ietf.org/doc/draft-ietf-oauth-par/</a><br>
          Htmlized: <a href=3D"https://tools.ietf.org/html/draft-ietf-oauth-par-02" rel=3D"noreferrer" target=3D"_blank">https://tools.ietf.org/html/draft-ietf-oauth-par-02</a><br>
          Htmlized: <a href=3D"https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par" rel=3D"noreferrer" target=3D"_blank">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par</a><br>
          Diff: <a href=3D"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-par-02" rel=3D"noreferrer" target=3D"_blank">https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-par-02</a><br>
          <br>
          Abstract:<br>
          This document defines the pushed authorization request endpoint,<br>
          which allows clients to push the payload of an OAuth 2.0<br>
          authorization request to the authorization server via a direct<br>
          request and provides them with a request URI that is used as<br>
          reference to the data in a subsequent authorization request.<br>
          <br>
          <br>
          <br>
          <br>
          Please note that it may take a couple of minutes from the time
          of submission<br>
          until the htmlized version and diff are available at <a href=3D"http://tools.ietf.org" rel=3D"noreferrer" target=3D"_blank">tools.ietf.org</a>.<br>
          <br>
          The IETF Secretariat<br>
          <br>
          <br>
        </div>
      </div>
      <br>
    </blockquote>
    <pre cols=3D"72">--=20
Vladimir Dzhuvinov</pre>
  </div>

</blockquote></div>

--000000000000a87bce05ab0f0e3b--


From nobody Wed Jul 22 22:38:10 2020
Return-Path: <dbaier@leastprivilege.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A5673A0807 for <oauth@ietfa.amsl.com>; Wed, 22 Jul 2020 22:38:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level: 
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=leastprivilege-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EnHdSscXH9x0 for <oauth@ietfa.amsl.com>; Wed, 22 Jul 2020 22:38:06 -0700 (PDT)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AECAC3A0805 for <oauth@ietf.org>; Wed, 22 Jul 2020 22:38:06 -0700 (PDT)
Received: by mail-io1-xd29.google.com with SMTP id v8so5037475iox.2 for <oauth@ietf.org>; Wed, 22 Jul 2020 22:38:06 -0700 (PDT)
X-Received: by 2002:a6b:6413:: with SMTP id t19mr3233979iog.167.1595482685485;  Wed, 22 Jul 2020 22:38:05 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Thu, 23 Jul 2020 01:38:04 -0400
From: Dominick Baier <dbaier@leastprivilege.com>
In-Reply-To: <CA+k3eCSQTkp1gBnuXJv-1i_-9gLkVBGzeSx_XYyhnnF_=bg68g@mail.gmail.com>
References: <CA+k3eCRa9gMimtJ3917GaJPdTQGdCBskLEim0kVeh-qeB8EszQ@mail.gmail.com> <CAO7Ng+u16x7G0JTZg=oZnOWj6n3H39w_jk2fKXh2jc70n71KLw@mail.gmail.com> <CA+k3eCSQTkp1gBnuXJv-1i_-9gLkVBGzeSx_XYyhnnF_=bg68g@mail.gmail.com>
MIME-Version: 1.0
Date: Thu, 23 Jul 2020 01:38:04 -0400
Message-ID: <CAO7Ng+vgaPsAo7aQ7uXbcf-M9p2uqQDaxtxoJe1_Av=khbdULg@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b6cbba05ab15421d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DVs5bcFpGuD29ksCY8nwOTlt--k>
Subject: Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 05:38:08 -0000

--000000000000b6cbba05ab15421d
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Good point. Thanks, Brian.

We should retrofit typs everywhere..in hindsight.

=E2=80=94=E2=80=94=E2=80=94
Dominick Baier

On 22. July 2020 at 23:55:20, Brian Campbell (bcampbell@pingidentity.com)
wrote:

Because it wouldn't actually prevent it in this case due to JWT assertion
client authentication (a.k.a. private_key_jwt) having come about well
before the JWT BCP and the established concept of using the 'typ' header to
prevent cross-JWT confusion. Thus there's no validation rule regarding the
'typ' header defined in RFC 7523 for JWT client authentication. Explicitly
typing the request object JWT doesn't do anything to prevent it from being
used in the context of previously existing JWT applications like client
auth.

On Wed, Jul 22, 2020 at 10:32 AM Dominick Baier <dbaier@leastprivilege.com>
wrote:

> Why not use a typ header as suggested by the JWT BCP?
>
> =E2=80=94=E2=80=94=E2=80=94
> Dominick Baier
>
> On 22. July 2020 at 17:37:41, Brian Campbell (
> bcampbell=3D40pingidentity.com@dmarc.ietf.org) wrote:
>
> The TL;DR here is a somewhat tentative suggestion that a brief security
> consideration be added to
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
> <https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/> that
> prohibits the inclusion of a 'sub' claim containing the client id value in
> the request object JWT so as to prevent the request object JWT (which is
> exposed to the user agent) from being erroneously accepted as a valid JWT
> for client authentication.
>
> Some more details and the discussion that led to this here email can be
> found at https://github.com/oauthstuff/draft-oauth-par/issues/41
>

--000000000000b6cbba05ab15421d--


From nobody Wed Jul 22 22:38:51 2020
Return-Path: <dbaier@leastprivilege.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F0A83A0808 for <oauth@ietfa.amsl.com>; Wed, 22 Jul 2020 22:38:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level: 
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=leastprivilege-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YvcWhKbnjXMh for <oauth@ietfa.amsl.com>; Wed, 22 Jul 2020 22:38:48 -0700 (PDT)
Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DED7E3A0807 for <oauth@ietf.org>; Wed, 22 Jul 2020 22:38:47 -0700 (PDT)
Received: by mail-io1-xd2a.google.com with SMTP id v6so5033184iob.4 for <oauth@ietf.org>; Wed, 22 Jul 2020 22:38:47 -0700 (PDT)
X-Received: by 2002:a05:6638:d10:: with SMTP id q16mr3225046jaj.26.1595482727119;  Wed, 22 Jul 2020 22:38:47 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Thu, 23 Jul 2020 01:38:46 -0400
From: Dominick Baier <dbaier@leastprivilege.com>
In-Reply-To: <CAO7Ng+vgaPsAo7aQ7uXbcf-M9p2uqQDaxtxoJe1_Av=khbdULg@mail.gmail.com>
References: <CA+k3eCRa9gMimtJ3917GaJPdTQGdCBskLEim0kVeh-qeB8EszQ@mail.gmail.com> <CAO7Ng+u16x7G0JTZg=oZnOWj6n3H39w_jk2fKXh2jc70n71KLw@mail.gmail.com> <CA+k3eCSQTkp1gBnuXJv-1i_-9gLkVBGzeSx_XYyhnnF_=bg68g@mail.gmail.com> <CAO7Ng+vgaPsAo7aQ7uXbcf-M9p2uqQDaxtxoJe1_Av=khbdULg@mail.gmail.com>
MIME-Version: 1.0
Date: Thu, 23 Jul 2020 01:38:46 -0400
Message-ID: <CAO7Ng+vUAHtCwnPOh6LMjk4hdmt0T0nhW7b8SywdBttTNatNCA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000032181805ab15454d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3JRozU2JPGgHB09a9ElNyeR4kJY>
Subject: Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 05:38:50 -0000

--00000000000032181805ab15454d
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Even more. Jwsreq should have it. But the authors decided against it.

=E2=80=94=E2=80=94=E2=80=94
Dominick Baier

On 23. July 2020 at 07:38:04, Dominick Baier (dbaier@leastprivilege.com)
wrote:

Good point. Thanks, Brian.

We should retrofit typs everywhere..in hindsight.

=E2=80=94=E2=80=94=E2=80=94
Dominick Baier

On 22. July 2020 at 23:55:20, Brian Campbell (bcampbell@pingidentity.com)
wrote:

Because it wouldn't actually prevent it in this case due to JWT assertion
client authentication (a.k.a. private_key_jwt) having come about well
before the JWT BCP and the established concept of using the 'typ' header to
prevent cross-JWT confusion. Thus there's no validation rule regarding the
'typ' header defined in RFC 7523 for JWT client authentication. Explicitly
typing the request object JWT doesn't do anything to prevent it from being
used in the context of previously existing JWT applications like client
auth.

On Wed, Jul 22, 2020 at 10:32 AM Dominick Baier <dbaier@leastprivilege.com>
wrote:

> Why not use a typ header as suggested by the JWT BCP?
>
> =E2=80=94=E2=80=94=E2=80=94
> Dominick Baier
>
> On 22. July 2020 at 17:37:41, Brian Campbell (
> bcampbell=3D40pingidentity.com@dmarc.ietf.org) wrote:
>
> The TL;DR here is a somewhat tentative suggestion that a brief security
> consideration be added to
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
> <https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/> that
> prohibits the inclusion of a 'sub' claim containing the client id value in
> the request object JWT so as to prevent the request object JWT (which is
> exposed to the user agent) from being erroneously accepted as a valid JWT
> for client authentication.
>
> Some more details and the discussion that led to this here email can be
> found at https://github.com/oauthstuff/draft-oauth-par/issues/41
>

--00000000000032181805ab15454d--


From nobody Thu Jul 23 00:53:58 2020
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E95C3A09E4 for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2020 00:53:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K9z71uhSKWKh for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2020 00:53:54 -0700 (PDT)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32A0E3A09E0 for <oauth@ietf.org>; Thu, 23 Jul 2020 00:53:53 -0700 (PDT)
Received: by mail-wm1-x32c.google.com with SMTP id x5so3514813wmi.2 for <oauth@ietf.org>; Thu, 23 Jul 2020 00:53:53 -0700 (PDT)
X-Received: by 2002:a7b:c841:: with SMTP id c1mr3187222wml.25.1595490832075; Thu, 23 Jul 2020 00:53:52 -0700 (PDT)
Received: from [10.0.0.3] (38.227.143.150.dyn.plus.net. [150.143.227.38]) by smtp.gmail.com with ESMTPSA id s19sm2889105wrb.54.2020.07.23.00.53.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 23 Jul 2020 00:53:51 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-823CB155-155F-4208-B152-054C3A044A97
Content-Transfer-Encoding: 7bit
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 23 Jul 2020 08:53:50 +0100
Message-Id: <2ABDD1A0-0455-4CD7-94B9-121F7D61A287@forgerock.com>
References: <CA+k3eCRWSFGHPb9Yo1POR_YqZLELyhEuYuUsObcXMebxtnySBg@mail.gmail.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth <oauth@ietf.org>
In-Reply-To: <CA+k3eCRWSFGHPb9Yo1POR_YqZLELyhEuYuUsObcXMebxtnySBg@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (17F80)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xR4hpMCNAMQPqOw8vsDgaDngoAc>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-par-02.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 07:53:57 -0000

--Apple-Mail-823CB155-155F-4208-B152-054C3A044A97
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

Can you expand on the risks of replay? It seems like if the request can be
replayed an attacker can also block the original request and inject the URI
into a different request - i.e. no replay.

(Shouldn’t state and/or PKCE and/or nonce prevent replay already?)

In general the draft could do with some discussion of why an attacker being
able to modify an authorization request is a risk. I might just be lacking
enough coffee this morning to understand the risk here.

— Neil

> On 22 Jul 2020, at 23:14, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>
> Thanks Vladimir, both comments should be easy to address in -03 (HTTPS/TLS
> required and SHOULD on short lifetime *and* single use).
>
>> On Sun, Jul 19, 2020 at 12:55 PM Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>> Thanks for the update. With the "require PAR" AS and client metadata the
>> spec is now "policy complete". I can't think of what else there is to add.
>>
>> I have two comments about -02:
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2
>>
>> I didn't see a mention of https / TLS being required for the PAR endpoint.
>> The reader could assume http is fine.
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2.2
>>
>>>    Since the request URI can be replayed, its lifetime SHOULD be short
>>>    and preferably limited to one-time use.
>> The SHOULD is ambiguous here - does it apply to the lifetime only, or to
>> the lifetime and the single use?
>>
>> Vladimir
>>
>> On 10/07/2020 21:36, Brian Campbell wrote:
>>> WG,
>>>
>>> A new -02 draft of "OAuth 2.0 Pushed Authorization Requests" has been
>>> published. A summary of the changes, taken from the document history, is
>>> included below for ease of reference.
>>>
>>>    -02
>>>
>>>    *  Update Resource Indicators reference to the somewhat recently
>>>       published RFC 8707
>>>
>>>    *  Added metadata in support of pushed authorization requests only
>>>       feature
>>>
>>>    *  Update to comply with draft-ietf-oauth-jwsreq-21, which requires
>>>       "client_id" in the authorization request in addition to the
>>>       "request_uri"
>>>
>>>    *  Clarified timing of request validation
>>>
>>>    *  Add some guidance/options on the request URI structure
>>>
>>>    *  Add the key used in the request object example so that a reader
>>>       could validate or recreate the request object signature
>>>
>>>    *  Update to draft-ietf-oauth-jwsreq-25 and added note regarding
>>>       "require_signed_request_object"
>>>
>>> ---------- Forwarded message ---------
>>> From: <internet-drafts@ietf.org>
>>> Date: Fri, Jul 10, 2020 at 1:21 PM
>>> Subject: New Version Notification for draft-ietf-oauth-par-02.txt
>>> To: Filip Skokan <panva.ip@gmail.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, Brian Campbell <bcampbell@pingidentity.com>, Dave Tonge <dave@tonge.org>, Nat Sakimura <nat@sakimura.org>
>>>
>>> A new version of I-D, draft-ietf-oauth-par-02.txt
>>> has been successfully submitted by Brian Campbell and posted to the
>>> IETF repository.
>>>
>>> Name:           draft-ietf-oauth-par
>>> Revision:       02
>>> Title:          OAuth 2.0 Pushed Authorization Requests
>>> Document date:  2020-07-10
>>> Group:          oauth
>>> Pages:          18
>>> URL:            https://www.ietf.org/internet-drafts/draft-ietf-oauth-par-02.txt
>>> Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-par/
>>> Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-par-02
>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par
>>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-02
>>>
>>> Abstract:
>>>    This document defines the pushed authorization request endpoint,
>>>    which allows clients to push the payload of an OAuth 2.0
>>>    authorization request to the authorization server via a direct
>>>    request and provides them with a request URI that is used as
>>>    reference to the data in a subsequent authorization request.
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> The IETF Secretariat
>> --
>> Vladimir Dzhuvinov

--Apple-Mail-823CB155-155F-4208-B152-054C3A044A97--
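
Added example (not part of any message in this thread, and not code from the PAR draft): server-side handling of a request_uri with the short lifetime and one-time use quoted above, bound to the client_id that -02 requires alongside the request_uri. The class and function names, the `urn:example:par:` prefix, the 60-second lifetime and the sample parameters are assumptions made for illustration.

```python
import secrets
import time


class RequestUriError(Exception):
    """The presented request_uri must not be honoured."""


class PushedRequestStore:
    """Authorization-server state for pushed authorization requests."""

    def __init__(self, lifetime_seconds=60, clock=time.monotonic):
        self.lifetime = lifetime_seconds
        self._clock = clock    # injectable so expiry can be exercised in tests
        self._pending = {}     # request_uri -> (client_id, params, expires_at)

    def push(self, client_id, params):
        """PAR endpoint: keep the payload and hand back a fresh request_uri."""
        now = self._clock()
        # Drop expired entries so abandoned requests do not accumulate.
        self._pending = {u: e for u, e in self._pending.items() if e[2] > now}
        # 256 bits of randomness; "urn:example:par:" is a constructed prefix.
        request_uri = "urn:example:par:" + secrets.token_urlsafe(32)
        self._pending[request_uri] = (client_id, dict(params), now + self.lifetime)
        return request_uri, self.lifetime

    def redeem(self, client_id, request_uri):
        """Authorization endpoint: return the stored parameters at most once."""
        # pop() makes the reference single use: whatever happens below, a
        # second presentation of the same request_uri finds nothing.
        entry = self._pending.pop(request_uri, None)
        if entry is None:
            raise RequestUriError("unknown or already used")
        owner, params, expires_at = entry
        if self._clock() >= expires_at:
            raise RequestUriError("expired")
        if client_id != owner:
            raise RequestUriError("issued to a different client")
        return params


def replay_demo():
    """Run four cases on constructed data and report each outcome."""
    now = [0.0]
    store = PushedRequestStore(lifetime_seconds=60, clock=lambda: now[0])
    params = {"response_type": "code", "state": "constructed-state",
              "redirect_uri": "https://client.example.org/cb"}

    def attempt(client_id, uri):
        try:
            store.redeem(client_id, uri)
            return "accepted"
        except RequestUriError as exc:
            return str(exc)

    outcomes = {}
    uri, _ = store.push("client-a", params)
    outcomes["first use"] = attempt("client-a", uri)
    outcomes["replay"] = attempt("client-a", uri)

    uri, _ = store.push("client-a", params)
    outcomes["other client"] = attempt("client-b", uri)

    uri, _ = store.push("client-a", params)
    now[0] += 61           # one second past the 60 s lifetime
    outcomes["late use"] = attempt("client-a", uri)
    return outcomes


if __name__ == "__main__":
    for case, outcome in replay_demo().items():
        print(f"{case}: {outcome}")
```

Consuming the entry before the expiry and client checks means a failed presentation also invalidates the reference, so the client has to push again.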


From nobody Thu Jul 23 13:30:14 2020
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D6603A0B54 for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2020 13:30:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id punKiRY9w10g for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2020 13:30:11 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA2093A07EC for <oauth@ietf.org>; Thu, 23 Jul 2020 13:30:10 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id 140so4007632lfi.5 for <oauth@ietf.org>; Thu, 23 Jul 2020 13:30:10 -0700 (PDT)
X-Received: by 2002:a19:4857:: with SMTP id v84mr3048371lfa.195.1595536208591;  Thu, 23 Jul 2020 13:30:08 -0700 (PDT)
MIME-Version: 1.0
References: <CA+k3eCRa9gMimtJ3917GaJPdTQGdCBskLEim0kVeh-qeB8EszQ@mail.gmail.com> <CAO7Ng+u16x7G0JTZg=oZnOWj6n3H39w_jk2fKXh2jc70n71KLw@mail.gmail.com> <CA+k3eCSQTkp1gBnuXJv-1i_-9gLkVBGzeSx_XYyhnnF_=bg68g@mail.gmail.com> <CAO7Ng+vgaPsAo7aQ7uXbcf-M9p2uqQDaxtxoJe1_Av=khbdULg@mail.gmail.com> <CAO7Ng+vUAHtCwnPOh6LMjk4hdmt0T0nhW7b8SywdBttTNatNCA@mail.gmail.com>
In-Reply-To: <CAO7Ng+vUAHtCwnPOh6LMjk4hdmt0T0nhW7b8SywdBttTNatNCA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 23 Jul 2020 14:29:42 -0600
Message-ID: <CA+k3eCS8umKx=od2dHd47yfb51D4MQrEGpgNPH_iqXR9O7sioQ@mail.gmail.com>
To: Dominick Baier <dbaier@leastprivilege.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f0975305ab21b8ee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/S8NZjBQaiL1Vt9VNvzaypGApq1o>
Subject: Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 20:30:13 -0000

--000000000000f0975305ab21b8ee
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

In hindsight, yeah, having explicit JWT typing everywhere would be nice.
But retrofitting would be a very major undertaking, which I don't think
could reasonably be justified considering cost–benefit.

I can't speak directly for the Jwsreq authors but I suspect considerations
around backward/forward compatibility with OIDC's JWT request and even
existing implementations of the Jwsreq draft that has been in draft forever
came into play.

On Wed, Jul 22, 2020 at 11:38 PM Dominick Baier <dbaier@leastprivilege.com>
wrote:

> Even more. Jwsreq should have it. But the authors decided against it.
>
> ———
> Dominick Baier
>
> On 23. July 2020 at 07:38:04, Dominick Baier (dbaier@leastprivilege.com)
> wrote:
>
> Good point. Thanks, Brian.
>
> We should retrofit typs everywhere..in hindsight.
>
> ———
> Dominick Baier
>
> On 22. July 2020 at 23:55:20, Brian Campbell (bcampbell@pingidentity.com)
> wrote:
>
> Because it wouldn't actually prevent it in this case due to JWT assertion
> client authentication (a.k.a. private_key_jwt) having come about well
> before the JWT BCP and the established concept of using the 'typ' header to
> prevent cross-JWT confusion. Thus there's no validation rule regarding the
> 'typ' header defined in RFC 7523 for JWT client authentication. Explicitly
> typing the request object JWT doesn't do anything to prevent it from being
> used in the context of previously existing JWT applications like client
> auth.
>
> On Wed, Jul 22, 2020 at 10:32 AM Dominick Baier <dbaier@leastprivilege.com>
> wrote:
>
>> Why not use a typ header as suggested by the JWT BCP?
>>
>> ———
>> Dominick Baier
>>
>> On 22. July 2020 at 17:37:41, Brian Campbell (
>> bcampbell=40pingidentity.com@dmarc.ietf.org) wrote:
>>
>> The TL;DR here is a somewhat tentative suggestion that a brief security
>> consideration be added to
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ that
>> prohibits the inclusion of a 'sub' claim containing the client id value in
>> the request object JWT so as to prevent the request object JWT (which is
>> exposed to the user agent) from being erroneously accepted as a valid JWT
>> for client authentication.
>>
>> Some more details and the discussion that led to this here email can be
>> found at https://github.com/oauthstuff/draft-oauth-par/issues/41

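
Added example (not part of this thread and not code from any of the drafts): the cross-JWT confusion discussed above, run on constructed tokens, showing that a request object carrying 'sub' equal to the client id passes RFC 7523 style client-authentication checks whether or not it is typed. HS256 with a shared demo key stands in for the client's private_key_jwt key; the identifiers, audience values, 'typ' value and the server-side rejection of 'sub' in request objects are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not taken from the thread).
CLIENT_ID = "s6BhdRkqt3"
AS_ISSUER = "https://as.example.com"
TOKEN_ENDPOINT = "https://as.example.com/token"
CLIENT_KEY = b"constructed-demo-key-registered-for-this-client"
NOW = 1_595_500_000  # fixed clock so the outcome is deterministic


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(header, claims, key=CLIENT_KEY):
    """Client side: compact JWS. HS256 stands in for the client's real key."""
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def verify_jwt(token, key=CLIENT_KEY):
    """Return (header, claims) if the signature is valid, else raise ValueError."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{head_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return header, json.loads(_b64url_decode(body_b64))


def accepts_as_client_assertion(token, client_id=CLIENT_ID, now=NOW):
    """Token endpoint: RFC 7523 style claim checks. They define no 'typ' rule."""
    try:
        _header, claims = verify_jwt(token)
    except ValueError:
        return False
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    exp = claims.get("exp")
    return (
        claims.get("iss") == client_id
        and claims.get("sub") == client_id
        # Assumption: this AS accepts its issuer identifier or token endpoint.
        and any(a in (AS_ISSUER, TOKEN_ENDPOINT) for a in audiences)
        and isinstance(exp, (int, float))
        and exp > now
    )


def accepts_as_request_object(token, client_id=CLIENT_ID):
    """Authorization endpoint, enforcing the rule proposed in the thread."""
    try:
        _header, claims = verify_jwt(token)
    except ValueError:
        return False
    if claims.get("sub") == client_id:
        return False  # this JWT would also satisfy accepts_as_client_assertion()
    return claims.get("iss") == client_id and claims.get("client_id") == client_id


def confusion_demo():
    """Map each constructed request object to (client-auth ok, request ok)."""
    request = {"iss": CLIENT_ID, "aud": AS_ISSUER, "exp": NOW + 300,
               "client_id": CLIENT_ID, "response_type": "code",
               "redirect_uri": "https://client.example.org/cb"}
    tokens = {
        "no sub": sign_jwt({"alg": "HS256"}, request),
        "sub = client id": sign_jwt({"alg": "HS256"},
                                    {**request, "sub": CLIENT_ID}),
        # Constructed 'typ' value: typing the request object changes nothing
        # for a client-authentication validator that never looks at 'typ'.
        "typed, sub = client id": sign_jwt(
            {"alg": "HS256", "typ": "example-request-object+jwt"},
            {**request, "sub": CLIENT_ID}),
    }
    return {name: (accepts_as_client_assertion(tok), accepts_as_request_object(tok))
            for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, (as_client_auth, as_request) in confusion_demo().items():
        print(f"{name}: client auth={as_client_auth}, request object={as_request}")
```

The signature check cannot tell the two uses apart because the same client key signs both kinds of JWT; only the claim rules do.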

--000000000000f0975305ab21b8ee
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

In hindsight, yeah, having explicit JWT typing everywhere would be nice.. But retrofitting would be a very major undertaking, which I don't think could reasonably be justified considering cost–benefit.

I can't speak directly for the Jwsreq authors but I suspect considerations around backward/forward compatibility with OIDC's JWT request and even existing implementations of the Jwsreq draft that has been in draft forever came into play.

On Wed, Jul 22, 2020 at 11:38 PM Dominick Baier <dbaier@leastprivilege.com> wrote:

> Even more. Jwsreq should have it. But the authors decided against it.
>
> ———
> Dominick Baier
>
> On 23. July 2020 at 07:38:04, Dominick Baier (dbaier@leastprivilege.com) wrote:
>
>> Good point. Thanks, Brian.
>>
>> We should retrofit typs everywhere..in hindsight.
>>
>> ———
>> Dominick Baier
>>
>> On 22. July 2020 at 23:55:20, Brian Campbell (bcampbell@pingidentity.com) wrote:
>>
>>> Because it wouldn't actually prevent it in this case due to JWT assertion client authentication (a.k.a. private_key_jwt) having come about well before the JWT BCP and the established concept of using the 'typ' header to prevent cross-JWT confusion. Thus there's no validation rule regarding the 'typ' header defined in RFC 7523 for JWT client authentication. Explicitly typing the request object JWT doesn't do anything to prevent it from being used in the context of previously existing JWT applications like client auth.
>>>
>>> On Wed, Jul 22, 2020 at 10:32 AM Dominick Baier <dbaier@leastprivilege.com> wrote:
>>>
>>>> Why not use a typ header as suggested by the JWT BCP?
>>>>
>>>> ———
>>>> Dominick Baier
>>>>
>>>> On 22. July 2020 at 17:37:41, Brian Campbell (bcampbell=40pingidentity.com@dmarc.ietf.org) wrote:
>>>>
>>>>> The TL;DR here is a somewhat tentative suggestion that a brief security consideration be added to https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ that prohibits the inclusion of a 'sub' claim containing the client id value in the request object JWT so as to prevent the request object JWT (which is exposed to the user agent) from being erroneously accepted as a valid JWT for client authentication.
>>>>>
>>>>> Some more details and the discussion that led to this here email can be found at https://github.com/oauthstuff/draft-oauth-par/issues/41
>>>>>
>>>>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
--000000000000f0975305ab21b8ee--
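
The cross-JWT confusion discussed in the thread above, as an added example that is not part of any message or of the drafts: two authorization-server validators showing that a 'typ' header on the request object does not stop an RFC 7523-style client-authentication check from accepting it, while the suggested rule (no 'sub' equal to the client id in a request object) means a conforming request object never satisfies that check. HS256 with a constructed key stands in for the client's signing key; the function names, the typ value, the URLs and the simplified claim checks are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demonstration values; none of these come from a real deployment.
CLIENT_ID = "s6BhdRkqt3"
AS_ISSUER = "https://as.example.com"
CLIENT_KEY = b"constructed-demo-key"  # assumption: HS256 stands in for the client's key
NOW = 1595500000                      # fixed clock so the results are reproducible


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(header: dict, claims: dict, key: bytes) -> str:
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(signature)


def verify_jwt(token: str, key: bytes):
    """Check the HS256 signature and return (header, claims); raise ValueError otherwise."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64u_decode(head_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_decode(sig_b64)):
        raise ValueError("bad signature")
    return header, json.loads(b64u_decode(claims_b64))


def check_client_assertion(token: str, key: bytes, now: int = NOW) -> str:
    """Simplified claim checks for JWT client authentication (RFC 7523 style)."""
    _header, claims = verify_jwt(token, key)
    # RFC 7523 defines no validation rule for 'typ', so the header is not consulted.
    sub = claims.get("sub")
    if not sub or claims.get("iss") != sub:
        raise ValueError("iss and sub must both carry the client id")
    aud = claims.get("aud")
    if AS_ISSUER not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not identify this authorization server")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("missing or expired exp")
    return sub


def check_request_object(token: str, key: bytes, client_id: str) -> dict:
    """Simplified request object check with the rule suggested in the thread."""
    _header, claims = verify_jwt(token, key)
    if claims.get("client_id") != client_id:
        raise ValueError("client_id mismatch")
    if claims.get("sub") == client_id:
        raise ValueError("request object must not carry sub equal to the client id")
    return claims


def build_samples():
    """Return (request object without sub, typed request object with sub=client_id)."""
    claims = {
        "iss": CLIENT_ID,
        "aud": AS_ISSUER,
        "exp": NOW + 60,
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": "https://client.example.org/cb",
    }
    without_sub = sign_jwt({"alg": "HS256"}, claims, CLIENT_KEY)
    # 'example-request-object+jwt' is a constructed typ value for the demonstration.
    with_sub = sign_jwt(
        {"alg": "HS256", "typ": "example-request-object+jwt"},
        {**claims, "sub": CLIENT_ID},
        CLIENT_KEY,
    )
    return without_sub, with_sub


def accepts(check, *args) -> bool:
    """True when the validator returns normally, False when it raises ValueError."""
    try:
        check(*args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    without_sub, with_sub = build_samples()
    for label, token in (("without sub", without_sub), ("typed, sub=client_id", with_sub)):
        print(label,
              "| client auth:", accepts(check_client_assertion, token, CLIENT_KEY),
              "| request object:", accepts(check_request_object, token, CLIENT_KEY, CLIENT_ID))
```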


From nobody Thu Jul 23 14:00:46 2020
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9D903A0DA5 for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2020 14:00:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lkYvZ0d0clTK for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2020 14:00:41 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650090.outbound.protection.outlook.com [40.107.65.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EC2F3A0D9B for <oauth@ietf.org>; Thu, 23 Jul 2020 14:00:41 -0700 (PDT)
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
Received: from CH2PR00MB0678.namprd00.prod.outlook.com (2603:10b6:610:a9::23) by CH2PR00MB0746.namprd00.prod.outlook.com (2603:10b6:610:6e::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3258.0; Thu, 23 Jul 2020 21:00:39 +0000
Received: from CH2PR00MB0678.namprd00.prod.outlook.com ([fe80::e9ce:b982:5ae1:959d]) by CH2PR00MB0678.namprd00.prod.outlook.com ([fe80::e9ce:b982:5ae1:959d%9]) with mapi id 15.20.3262.000; Thu, 23 Jul 2020 21:00:39 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, "dbaier@leastprivilege.com" <dbaier@leastprivilege.com>
CC: oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT
Thread-Index: AdZhNEVyqbCIsZVQRMy5mltQITeI6w==
Date: Thu, 23 Jul 2020 21:00:38 +0000
Message-ID: <CH2PR00MB067859A3F75C40D9C8D376CDF5760@CH2PR00MB0678.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=876e6552-074b-4379-8769-e0c6158a8eac; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-07-23T20:51:38Z;  MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.89.111]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 4d82b666-e8e9-4e4f-b48c-08d82f4b743a
x-ms-traffictypediagnostic: CH2PR00MB0746:
x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr
x-microsoft-antispam-prvs: <CH2PR00MB074624CC73B67255BB392A1AF5761@CH2PR00MB0746.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6108;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CH2PR00MB067859A3F75C40D9C8D376CDF5760CH2PR00MB0678namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH2PR00MB0678.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4d82b666-e8e9-4e4f-b48c-08d82f4b743a
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jul 2020 21:00:39.0399 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 2KDmWHD1S3H4JqODuxsWBCy1HSNTx7uXVVZ4MlkFu2+U7s7syAl0XVo1QrlG6CdV6SlYscQRVcKbaqC8E4DTwg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR00MB0746
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dSBiukaiPoQOa8xMFm82nU2_ji4>
Subject: Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 21:00:44 -0000

--_000_CH2PR00MB067859A3F75C40D9C8D376CDF5760CH2PR00MB0678namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_CH2PR00MB067859A3F75C40D9C8D376CDF5760CH2PR00MB0678namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_CH2PR00MB067859A3F75C40D9C8D376CDF5760CH2PR00MB0678namp_--


From nobody Thu Jul 23 15:50:58 2020
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE4D73A0807 for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2020 15:50:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2nrVy6rbauHn for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2020 15:50:56 -0700 (PDT)
Received: from mail-il1-x135.google.com (mail-il1-x135.google.com [IPv6:2607:f8b0:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 012813A07FF for <oauth@ietf.org>; Thu, 23 Jul 2020 15:50:55 -0700 (PDT)
Received: by mail-il1-x135.google.com with SMTP id a11so5763517ilk.0 for <oauth@ietf.org>; Thu, 23 Jul 2020 15:50:55 -0700 (PDT)
X-Received: by 2002:a92:1a08:: with SMTP id a8mr5704912ila.187.1595544654306;  Thu, 23 Jul 2020 15:50:54 -0700 (PDT)
Received: from mail-io1-f46.google.com (mail-io1-f46.google.com. [209.85.166.46]) by smtp.gmail.com with ESMTPSA id i12sm2246081ioi.48.2020.07.23.15.50.52 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 23 Jul 2020 15:50:52 -0700 (PDT)
Received: by mail-io1-f46.google.com with SMTP id d18so8019425ion.0 for <oauth@ietf.org>; Thu, 23 Jul 2020 15:50:52 -0700 (PDT)
X-Received: by 2002:a6b:8b86:: with SMTP id n128mr7289001iod.202.1595544652273;  Thu, 23 Jul 2020 15:50:52 -0700 (PDT)
MIME-Version: 1.0
References: <869491B5-9AA5-4593-A307-46FAAF7E990D@mit.edu> <7B488048-896B-4F88-976C-909D0BFA16D3@lodderstedt.net>
In-Reply-To: <7B488048-896B-4F88-976C-909D0BFA16D3@lodderstedt.net>
From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 23 Jul 2020 15:49:50 -0700
X-Gmail-Original-Message-ID: <CAGBSGjp+gudsyu9EsyEZ8-JsUKQQDHL+T15G7=PDa=f7hvBZhQ@mail.gmail.com>
Message-ID: <CAGBSGjp+gudsyu9EsyEZ8-JsUKQQDHL+T15G7=PDa=f7hvBZhQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000038dd9005ab23b0aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/79nGXobUIW3itGQ7mRzGS2ojRfI>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushed requests must become JWTs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 22:50:58 -0000

--00000000000038dd9005ab23b0aa
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I know this is a bit of an old thread to dig up, but as I'm working through
this draft again, something is sticking out to me about this.

In every other instance of "*_uri" in OAuth and extensions, the value is a
URI (usually https) which will be visited by the user's browser or be sent
a POST request from a client. In the case of PAR, this "request_uri" is
actually just an identifier that is *added* to an existing URL, the
authorization endpoint, not a URL that will be visited itself. This
discrepancy is bothering me.

I would have expected that either:

* The PAR response includes a "request_uri" which is the full URL that the
client would redirect the user's browser to, OR
* The PAR response includes a "request_id" which it adds in the query
string to the authorization endpoint and then redirects the browser to

For example:

POST /as/par HTTP/1.1
...
response:
{
      "request_uri": "https://as.example.com/auth?request=bwc4JK-ESC0w8acc191e-Y1LTC2",
      "expires_in": 60
}

then the user's browser is sent to whatever the value of "request_uri" is

OR

POST /as/par HTTP/1.1
...
response:
{
      "request_id": "urn:ietf:params:oauth:request_uri:bwc4JK-ESC0w8acc191e-Y1LTC2",
      "expires_in": 60
}

then the "request_id" is added to the authorization endpoint (as currently
described by PAR)

https://as.example.com/auth?client_id=s6BhdRkqt3&request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3Abwc4JK-ESC0w8acc191e-Y1LTC2

My personal preference is the first option, keeping the term "request_uri"
but having it actually be the full URI, to simplify the job of the client.
In that model, the client doesn't have to mess with building URLs, and
actually provides additional flexibility for the AS as well since that
endpoint no longer needs to be the exact same URL as the authorization
endpoint.

---
Aaron Parecki
https://aaronparecki.com


On Thu, Jan 16, 2020 at 8:25 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:

> I just thought about another option. What if we change PAR to not use the
> request_uri parameter but a new parameter, e.g. request_id?
>
> That would decouple both specs. The reason why we use request_uri was to
> make the life of clients easier since they can use the standard library
> function for request objects to pass the PAR reference to the AS. Is this
> worth the trouble?
>
> On 16.01.2020 at 16:48, Justin Richer <jricher@mit.edu> wrote:
>
> +1 to this approach, and it sounds like JAR might need to come back to go
> through another round anyway thanks to the breaking changes the IESG pushed
> into it after it left WGLC.
>
> I’d rather see us get this right than publish something many of us think
> is broken.
>
> Maybe PAR and JAR (and JARM?) end up going out as a bundle of specs.
>
>  — Justin
>
>
>


--00000000000038dd9005ab23b0aa--


From nobody Fri Jul 24 00:12:27 2020
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD7723A0A7B for <oauth@ietfa.amsl.com>; Fri, 24 Jul 2020 00:12:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v2IzHu6ysrvz for <oauth@ietfa.amsl.com>; Fri, 24 Jul 2020 00:12:24 -0700 (PDT)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC4E93A0A8F for <oauth@ietf.org>; Fri, 24 Jul 2020 00:12:23 -0700 (PDT)
Received: by mail-ej1-x62a.google.com with SMTP id l4so8875852ejd.13 for <oauth@ietf.org>; Fri, 24 Jul 2020 00:12:23 -0700 (PDT)
X-Received: by 2002:a17:906:7fc8:: with SMTP id r8mr8298919ejs.412.1595574741914;  Fri, 24 Jul 2020 00:12:21 -0700 (PDT)
Received: from p200300eb8f0138d07919e861a29aecbb.dip0.t-ipconnect.de (p200300eb8f0138d07919e861a29aecbb.dip0.t-ipconnect.de. [2003:eb:8f01:38d0:7919:e861:a29a:ecbb]) by smtp.gmail.com with ESMTPSA id d23sm85536ejj.74.2020.07.24.00.12.20 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 24 Jul 2020 00:12:21 -0700 (PDT)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <3C919E79-C162-4B5D-A2BE-95825981CF3A@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_5D8239C1-8711-4F80-A131-40B27EC3F22E"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Fri, 24 Jul 2020 09:12:19 +0200
In-Reply-To: <CAGBSGjp+gudsyu9EsyEZ8-JsUKQQDHL+T15G7=PDa=f7hvBZhQ@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Aaron Parecki <aaron@parecki.com>
References: <869491B5-9AA5-4593-A307-46FAAF7E990D@mit.edu> <7B488048-896B-4F88-976C-909D0BFA16D3@lodderstedt.net> <CAGBSGjp+gudsyu9EsyEZ8-JsUKQQDHL+T15G7=PDa=f7hvBZhQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/x4-EQtosODRrNPa0UGLqT4ezzCU>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushed requests must become JWTs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2020 07:12:26 -0000

--Apple-Mail=_5D8239C1-8711-4F80-A131-40B27EC3F22E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi Aaron,

that’s a very good point. I was also in favour of just providing
the client with the URL it needs to send the user to (like XYZ and OAuth
do).

In the end, we decided to stay with the current approach since it fits
with the rest of the existing ecosystem, namely JAR and authorization
endpoint discovery.

best regards,
Torsten.

> On 24. Jul 2020, at 00:49, Aaron Parecki <aaron@parecki.com> wrote:
>
> I know this is a bit of an old thread to dig up, but as I'm working
> through this draft again, something is sticking out to me about this.
>
> In every other instance of "*_uri" in OAuth and extensions, the value
> is a URI (usually https) which will be visited by the user's browser or
> be sent a POST request from a client. In the case of PAR, this
> "request_uri" is actually just an identifier that is *added* to an
> existing URL, the authorization endpoint, not a URL that will be visited
> itself. This discrepancy is bothering me.
>
> I would have expected that either:
>
> * The PAR response includes a "request_uri" which is the full URL that
>   the client would redirect the user's browser to, OR
> * The PAR response includes a "request_id" which it adds in the query
>   string to the authorization endpoint and then redirects the browser to
>
> For example:
>
> POST /as/par HTTP/1.1
> ...
> response:
> {
>       "request_uri": "https://as.example.com/auth?request=bwc4JK-ESC0w8acc191e-Y1LTC2",
>       "expires_in": 60
> }
>
> then the user's browser is sent to whatever the value of "request_uri"
> is
>
> OR
>
> POST /as/par HTTP/1.1
> ...
> response:
> {
>       "request_id": "urn:ietf:params:oauth:request_uri:bwc4JK-ESC0w8acc191e-Y1LTC2",
>       "expires_in": 60
> }
>
> then the "request_id" is added to the authorization endpoint (as
> currently described by PAR)
>
> https://as.example.com/auth?client_id=s6BhdRkqt3&request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3Abwc4JK-ESC0w8acc191e-Y1LTC2
>
> My personal preference is the first option, keeping the term
> "request_uri" but having it actually be the full URI, to simplify the
> job of the client. In that model, the client doesn't have to mess with
> building URLs, and actually provides additional flexibility for the AS
> as well since that endpoint no longer needs to be the exact same URL as
> the authorization endpoint.
>
> ---
> Aaron Parecki
> https://aaronparecki.com
>
>
> On Thu, Jan 16, 2020 at 8:25 AM Torsten Lodderstedt
> <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
> I just thought about another option. What if we change PAR to not use
> the request_uri parameter but a new parameter, e.g. request_id?
>
> That would decouple both specs. The reason why we use request_uri was
> to make the life of clients easier since they can use the standard
> library function for request objects to pass the PAR reference to the
> AS. Is this worth the trouble?
>
>> On 16.01.2020 at 16:48, Justin Richer <jricher@mit.edu> wrote:
>>
>> +1 to this approach, and it sounds like JAR might need to
>> come back to go through another round anyway thanks to the breaking
>> changes the IESG pushed into it after it left WGLC.
>>
>> I’d rather see us get this right than publish something many
>> of us think is broken.
>>
>> Maybe PAR and JAR (and JARM?) end up going out as a bundle of specs.
>>
>>  — Justin
>>
>>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_5D8239C1-8711-4F80-A131-40B27EC3F22E
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
--Apple-Mail=_5D8239C1-8711-4F80-A131-40B27EC3F22E--
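
The two designs contrasted in the quoted message above, seen from the client's side, as an added example that is not part of the thread or of the PAR draft. The function names are hypothetical, and the origin check in the full-URL variant is an assumption added here (the thread does not discuss it): once the client stops building the URL from its configured authorization endpoint, it should pin the returned URL to the AS before sending the browser there.

```python
import json
from urllib.parse import urlencode, urlsplit

# Values copied from the examples in the thread.
AUTHORIZATION_ENDPOINT = "https://as.example.com/auth"
AS_ORIGIN = "https://as.example.com"
CLIENT_ID = "s6BhdRkqt3"

# Constructed PAR response bodies mirroring the thread's two examples.
PAR_RESPONSE_REFERENCE = json.dumps({
    "request_uri": "urn:ietf:params:oauth:request_uri:bwc4JK-ESC0w8acc191e-Y1LTC2",
    "expires_in": 60,
})
PAR_RESPONSE_FULL_URL = json.dumps({
    "request_uri": "https://as.example.com/auth?request=bwc4JK-ESC0w8acc191e-Y1LTC2",
    "expires_in": 60,
})
# Constructed negative case: a full URL on a host that is not the AS.
PAR_RESPONSE_FOREIGN_URL = json.dumps({
    "request_uri": "https://login.example.net/auth?request=bwc4JK-ESC0w8acc191e-Y1LTC2",
    "expires_in": 60,
})


class ParResponseError(ValueError):
    """The PAR response cannot be turned into a safe browser redirect."""


def parse_par_response(body):
    """Return (request_uri, expires_in) after basic validation."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ParResponseError("PAR response is not JSON") from exc
    if not isinstance(data, dict):
        raise ParResponseError("PAR response is not a JSON object")
    request_uri = data.get("request_uri")
    expires_in = data.get("expires_in")
    if not isinstance(request_uri, str) or not request_uri:
        raise ParResponseError("missing request_uri")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
        raise ParResponseError("missing or invalid expires_in")
    return request_uri, expires_in


def redirect_current_par(body, authorization_endpoint, client_id):
    """Current PAR: request_uri is a reference that the client adds, with its
    client_id, to the authorization endpoint it already knows."""
    request_uri, _ = parse_par_response(body)
    query = urlencode({"client_id": client_id, "request_uri": request_uri})
    separator = "&" if urlsplit(authorization_endpoint).query else "?"
    return authorization_endpoint + separator + query


def redirect_full_url(body, expected_as_origin):
    """Alternative from the thread: request_uri is the complete URL the
    browser is sent to, so the client builds nothing itself."""
    request_uri, _ = parse_par_response(body)
    parts = urlsplit(request_uri)
    origin = parts.scheme + "://" + parts.netloc
    # Assumption added for this example: accept only https URLs whose origin
    # is exactly the AS origin (this also rejects userinfo tricks such as
    # https://as.example.com@other.example/).
    if parts.scheme != "https" or origin != expected_as_origin:
        raise ParResponseError("request_uri is not on the AS origin: " + origin)
    return request_uri


if __name__ == "__main__":
    print(redirect_current_par(PAR_RESPONSE_REFERENCE, AUTHORIZATION_ENDPOINT, CLIENT_ID))
    print(redirect_full_url(PAR_RESPONSE_FULL_URL, AS_ORIGIN))
```
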


From nobody Fri Jul 24 01:32:03 2020
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F0253A0BD4 for <oauth@ietfa.amsl.com>; Fri, 24 Jul 2020 01:32:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.415
X-Spam-Level: 
X-Spam-Status: No, score=0.415 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.267, LONGWORDS=2.035, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gXrxRYdPg80k for <oauth@ietfa.amsl.com>; Fri, 24 Jul 2020 01:31:56 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp08.smtpout.orange.fr [80.12.242.130]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 986053A09DD for <oauth@ietf.org>; Fri, 24 Jul 2020 01:31:55 -0700 (PDT)
Received: from [192.168.1.11] ([90.79.51.120]) by mwinf5d15 with ME id 6wXr2300A2bcEcA03wXrry; Fri, 24 Jul 2020 10:31:53 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Fri, 24 Jul 2020 10:31:53 +0200
X-ME-IP: 90.79.51.120
From: Denis <denis.ietf@free.fr>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: Vittorio Bertocci <vittorio.bertocci@auth0.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <CAGL6epKuHTqLrZEjm0goKV+3jaPfTkN_JSLc0jfQyPqNzeP3aA@mail.gmail.com> <125f32d3-dd3b-3add-1172-391acd831cde@free.fr> <MWHPR19MB150159025ECBAD75B6DDE1DFAEAD0@MWHPR19MB1501.namprd19.prod.outlook.com> <bf9e3682-f525-5ee7-8f34-033d6bce8a1d@free.fr> <CADNypP8vzG1HiQ5xmDAxdBrgZz3i8jUknCGeZcx6yutmFbs4-Q@mail.gmail.com> <AM0PR08MB37162721EE1CA10919B22500FA8B0@AM0PR08MB3716.eurprd08.prod.outlook.com> <24ffa213-1a09-f7d1-28f8-e1b678cf85d9@free.fr> <AM0PR08MB37161916ED0662F4CB2C736EFA890@AM0PR08MB3716.eurprd08.prod.outlook.com> <f28eabb7-1204-7c8d-4fe2-662c3887d75b@free.fr>
Message-ID: <13378fe3-9608-0f18-872e-bfa206a1d06c@free.fr>
Date: Fri, 24 Jul 2020 10:31:52 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <f28eabb7-1204-7c8d-4fe2-662c3887d75b@free.fr>
Content-Type: multipart/alternative; boundary="------------8A467CAF7BF250964740B9A3"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dg9hm7aMpzAKmY_1ZXK2b4cMmsg>
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2020 08:32:02 -0000

This is a multi-part message in MIME format.
--------------8A467CAF7BF250964740B9A3
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi Hannes,

This email has been left answered. It raises major issues:

    If the authorization server has no way to know that the client is
    sending a request which implies compliance
    with draft-ietf-oauth-access-token-jwt why should it behave in such
    a way ?


    If the resource server has no way to know that it is checking a JWT
    which is supposed to be compliant
    with draft-ietf-oauth-access-token-jwt why should it behave in such
    a way ?

    IMHO, a token type would be able to easily address the problem;
    otherwise sections 3 and 4 should be deleted.


What is the status of this document ?

Denis

_Note_: A reminder was sent privately to both Hannes and Rifaat on June
23. It was also left answered. Hereafter is its content:

    Hi Hannes,

    At this time, I have not yet received an answer to the email
    attached below.

    Would you please provide a response on the mailing list ?

    Denis

> Hi  Hannes,
>
> Let us start by the last argument of this email which is copied below:
>
>     Finally, there are still two questions that have been raised but
>     which have not yet been answered at this time:
>
>       * how can a client request a JWT compliant to /this/ profile, and
>       * how can a client be confident that it got a JWT compliant to
>         /this/ profile ?
>
>     [Hannes] Regarding the two questions: It cannot and it was never
>     the intention of this work.
>
> If this document was limited to section 2, it would simply be a 
> description of a specific profile, but it is more than that
> since it includes two additional sections:
>
>     3. Requesting a JWT Access Token
>     4. Validating JWT Access Tokens
>
> In section 3, the text states:
>
>
>    If the request does not include a "resource" parameter, the 
> authorization server *MUST* use in the "aud" claim
>   as default resource indicator.
>
> If the authorization server has no way to know that the client is 
> sending a request which implies compliance
> with draft-ietf-oauth-access-token-jwt why should it behave in such a 
> way ?
>
>
> In section 4 the text states:
>
>
> resource servers receiving a JWT access token *MUST* validate it in 
> the following manner
>
>
> If the resource server has no way to know that it is checking a JWT 
> which is supposed to be compliant
> with draft-ietf-oauth-access-token-jwt why should it behave in such a 
> way ?
>
>
> The responses to these two questions are important before handling the 
> other comments.
>
> IMHO, a token type would be able to easily address the problem; 
> otherwise sections 3 and 4 should be deleted.
>
>
> The remaining of my replies are within the text below prefixed with 
> [Denis].
>
>> Hi Denis,
>>
>> Please see my response below.
>>
>> *From:* Denis <denis.ietf@free.fr>
>> *Sent:* Wednesday, June 3, 2020 12:12 PM
>> *To:* Hannes Tschofenig <Hannes.Tschofenig@arm.com>
>> *Cc:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>; Vittorio Bertocci 
>> <vittorio.bertocci@auth0.com>; oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) 
>> Profile for OAuth 2.0 Access Tokens"
>>
>> Hi Hannes,
>>
>> I do appreciate your efforts to attempt to get rid of the "MUST NOT" 
>> in the "Privacy considerations" section.
>>
>> Let us look at the following proposed sentence:
>>
>> While this is technical possible, it is important to note that the 
>> OAuth 2.0 protocol does not aim to expose the content of the access 
>> token
>>     to the client. The access token is therefore, by design, 
>> considered to be opaque to the client".
>>
>> /In the context of this document/, a detailed content of the JWT is
>> expected and thus, if a client receives a JWT compliant to this profile
>> (and if the token is not encrypted which is most often the case) it 
>> will absolutely be sure to pick up any guaranteed field within the JWT.
>> So, /in the context of this document/, the access token cannot be 
>> considered to be opaque to the client.
>>
>> [Hannes] Here we have a disconnect. The OAuth 2.0 design does not 
>> assume that the client inspects the access tokens if it flies by. 
>> This document could not change that.
>> The purpose of this document is actually quite simple: Those who want 
>> to use JWT as a format for access tokens they can use the claims 
>> described in this document.
>> You are also free to use whatever format you want.
>>
> [Denis] You wrote: "The OAuth 2.0 design does not *assume* that the
> client inspects the access tokens if it flies by". However, there are 
> cases where
> the client may be interested to know which attributes have been placed 
> into the JWT, there should be some way(s) to be able to do it.
> Using Token Introspection (extended to be used by clients) would be 
> like bringing in an elephant to kill a mouse. Using a local API would 
> be a simple
> solution, however the IETF defines (most often) protocols rather than 
> local APIs.
>
> The user's privacy cannot be fulfilled if the client is unable to know 
> which attributes have been placed into the JWT. A solution to address 
> this issue
> would be to clearly advertise the following in the Privacy 
> Considerations section:
>
>     As the OAuth 2.0 design does not assume that the client inspects
>     the access tokens if it flies by, clients have no way to know
>     which identity
>     attributes have effectively been placed into the JWT. Since these
>     identity attributes may disclose more private information than
>     what is strictly
>     necessary to perform one or more operations, this may be a serious
>     concern for users that care about their privacy.
>
>> About the second paragraph, /in the context of this document/
>> (besides the case where the JWT is encrypted), it is neither difficult,
>> nor impossible to parse the token.
>>
>> About the second paragraph, let us look at the following proposed
>> sentence /in the context of this document/ :
>>
>>     " Additionally, there is no guarantee that the access token is 
>> conveyed by value and the authorization server implementation may change
>>       the token format at any time ".
>>
>> The argumentation that the token format may change at any point of 
>> time, while being valid in the general case, is invalid /in the 
>> context of this document/.
>> This JWT profile will be stable over time. This means that this 
>> quoted sentence is inappropriate /in the context of this document/.
>>
>> [Hannes] Here is the issue. In a given deployment you do not know how 
>> the access token is encoded nor whether the claims are in this format.
>> You don’t know whether the token is conveyed by reference or by 
>> value. Hence, why should we suddenly even give developers the impression
>> that OAuth Clients should look at the token.
>>
> [Denis] OAuth clients SHOULD only look at the attributes placed into 
> the JWT, when/if they have privacy concerns about the identity attributes
> that have been placed into the JWT. Otherwise, they would have no idea 
> on how they could be traced by the resources servers /and other servers
> that don't use OAuth/. In the current situation, it appears
> necessary to clearly advertise in the Privacy Considerations section 
> that the token opacity
> may be a serious concern for users that care about their privacy.
>
> It is also important to note that the /foundational design assumption/
> of keeping access tokens opaque to clients (and their users) is
> closing the door
> to any confidence for clients that their privacy is indeed preserved 
> by the authorization servers.
>
>> The third proposed paragraph is stating :
>>
>>     "In scenarios where it is where it is desirable for the clients 
>> to obtain information transmitted in the access token, OAuth 2.0 
>> token introspection
>>       may provide a useful tool to enable such functionality (proper 
>> authorization assumed) ".
>>
>> RFC 7662 (OAuth 2.0 Token Introspection) is a protocol to be used by 
>> protected resources, but is not a protocol to be used by clients.
>> As indicated, in order to be usable, a "proper authorization" also 
>> needs to be managed. Besides the difficulty to support such a 
>> protocol for clients
>> and to twist its original usage as defined in RFC 7662, it is simpler 
>> to develop the code to examine the content of the JWT, since its 
>> content is guaranteed
>> to be stable over time.
>>
>> [Hannes] While it may be simpler to inspect the access token, the use 
>> of token introspection is a better match for the OAuth architecture.
>> We can talk about updating the token introspection RFC to also 
>> describe this use case, assuming there is interest.
>>
> [Denis] Updating the token introspection RFC would be like bringing a 
> bull in a china shop.
>
>> The question in general will surface why the client should get access 
>> to the content of the access token in the first place.
>> For those cases where information is passed to the client other 
>> mechanisms, such as the identity token in OIDC, have been developed.
>>
> [Denis] The reason has been explained above: it has to do with 
> correlation of the users by different resources servers,
> but also by other servers when "globally unique identifiers" are being 
> used in the "sub" claim.
>
>> The last proposed paragraph is the following:
>>
>>    " Since the content of the access token is accessible to the 
>> resource server it is important to evaluate whether the resource 
>> server gained the proper entitlement
>>       to have access to any content received in form of claims, /for
>> example through user consent in some form, policies and agreements
>> with the organization running
>>       the authorization servers, and so on/. The policies and the
>> user interfaces to enable this user consent are, however, part of a 
>> specific deployment and therefore
>>       outside the scope of this document ".
>>
>> The sentence "for example through user consent in some form, policies 
>> and agreements with the organization running the authorization 
>> servers, and so on"
>> should be removed, since this example lets believe that the consent 
>> is handled by the authorizations servers while it might be handled by 
>> the resource servers.
>>
>> [Hannes] The information is disclosed by the authorization server and 
>> hence the consent has to be with the authorization server.
>>
>> The last proposed paragraph would be solution neutral if the example 
>> were removed. This would lead to the following sentence:
>>
>> Since the content of the access token is accessible to the resource 
>> server it is important to evaluate whether the resource server gained 
>> the proper entitlement
>> to have access to any content received in form of claims. The 
>> policies and the user interfaces to enable this user consent are, 
>> however, part of a specific deployment
>> and therefore outside the scope of this document.
>>
> [Denis] A resource server may say: "In order to perform this operation 
> , I need your date of birth". If the user agrees, then the client will 
> ask to the authorization
> server to insert the date of birth of the user into the JWT. In this 
> way, the consent is given by the client when talking to the resource 
> server. The authorization
> server is not involved with a consent given by the user. Obviously, 
> this is one scenario and other scenarios exist, but such a scenario 
> should not be prevented.
>
> The AS does not need to know which operation will be performed by the 
> user, it only needs to know that the user is willing his birth date to 
> be included into the JWT.
> However, at the moment, since there is no RFC supporting such a 
> possibility, asking for specific standardized attributes is not (yet) 
> possible.
>
>>
>> Finally, there are still two questions that have been raised but 
>> which have not yet been answered at this time:
>>
>>   * how can a client request a JWT compliant to /this/ profile, and
>>   * how can a client be confident that it got a JWT compliant to
>>     /this/ profile ?
>>
>> [Hannes] Regarding the two questions: It cannot and it was never the 
>> intention of this work.
>>
> [Denis] This point has been addressed at the top of this email. 
> However, I would like to add one point.
>
> Let us suppose that a token type would be added both in the token 
> request and within the token itself,
> and if, at the minimum, the client would  be allowed to access to this 
> token type, saying "This token is conformant to RFC XXX",
> then the client would be able to call a local API able to disclose the 
> content of the token.
>
> This would be like using a piece of cheese to catch the mouse.
>
> Denis
>
>> Ciao
>>
>> Hannes
>>
>>
>> Denis
>>
>>     Let me try to jump in here in order to make a proposal for the
>>     text in the privacy consideration section:
>>
>>     FROM:
>>
>>     *6*
>>     <https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-6>*. 
>>     Privacy Considerations*
>>
>>        As JWT access tokens carry information by value, it now becomes
>>        possible for requestors and receivers to directly peek inside the
>>        token claims collection. The client MUST NOT inspect the content of
>>        the access token: the authorization server and the resource server
>>        might decide to change token format at any time (for example by
>>        switching from this profile to opaque tokens) hence any logic in the
>>        client relying on the ability to read the access token content would
>>        break without recourse. Nonetheless, authorization servers should
>>        not assume that clients will comply with the above.  Whenever client
>>        access to the access token content presents privacy issues for a
>>        given scenario, the authorization server should take explicit steps
>>        to prevent it as described below.
>>
>>        In scenarios in which JWT access tokens are accessible to the end
>>        user, it should be evaluated whether the information can be accessed
>>        without privacy violations (for example, if an end user would simply
>>        access his or her own personal information) or if steps must be taken
>>        to enforce cofidentiality. Possible measures include: encrypting the
>>        access token, encrypting the sensitive claims, omitting the sensitive
>>        claims or not using this profile, falling back on opaque access
>>        tokens.
>>
>>        In every scenario, the content of the JWT access token will
>>        eventually be accessible to the resource server.  It's important to
>>        evaluate whether the resource server gained the proper entitlement to
>>        have access to any content received in form of claims, for example
>>        through user consent in some form, policies and agreements with the
>>        organization running the authorization servers, and so on.
>>
>>     TO:
>>
>>     *6
>>     <https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-6>.
>>     Privacy Considerations*
>>
>>        The design of OAuth 2.0 envisions that access tokens are created by
>>        authorization servers and consumed by resource servers.
>>        As JWT access tokens, as described in this document, carry
>>        information by value, it is
>>        possible for OAuth clients to peek inside the access token.
>>        While this is technical possible, it is important to note that the
>>        OAuth 2.0 protocol does not aim to expose the content of the
>>        access token to the client. The access token is therefore, by
>>        design, considered to be
>>        opaque to the client.
>>
>>        A number of cases may make it difficult or impossible for clients to
>>        inspect the token, for example, the access token may be encrypted,
>>        the access token may contain vendor-specific claims that have not been
>>        standardized or have been standardized in other consortia making
>>        parsing of the token difficult. Additionally, there is no guarantee
>>        that the access token is conveyed by value and the authorization
>>        server implementation
>>        may change the token format at any time.
>>
>>        In scenarios where it is desirable for the clients to obtain
>>        information transmitted in the access token, OAuth 2.0 token
>>        introspection may provide
>>        a useful tool to enable such functionality (proper authorization
>>        assumed).
>>
>>        In scenarios where the content of the access token must not be
>>        readable by clients, encrypting the content of the access token is
>>        RECOMMENDED.
>>
>>        Since the content of the access token is accessible to the resource
>>        server it is important to
>>        evaluate whether the resource server gained the proper entitlement to
>>        have access to any content received in form of claims, for example
>>        through user consent in some form, policies and agreements with the
>>        organization running the authorization servers, and so on. The
>>        policies and the user interfaces to enable this user consent are,
>>        however, part
>>        of a specific deployment and therefore outside the scope of this
>>        document.
>>
>>     How does this sound?
>>
>>     Ciao
>>
>>     Hannes
>>
>>     *From:* OAuth <oauth-bounces@ietf.org>
>>     <mailto:oauth-bounces@ietf.org> *On Behalf Of *Rifaat Shekh-Yusef
>>     *Sent:* Thursday, May 14, 2020 8:03 PM
>>     *To:* Denis <denis.ietf@free.fr> <mailto:denis.ietf@free.fr>
>>     *Cc:* Vittorio Bertocci <vittorio.bertocci@auth0.com>
>>     <mailto:vittorio.bertocci@auth0.com>; oauth@ietf.org
>>     <mailto:oauth@ietf.org>
>>     *Subject:* Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT)
>>     Profile for OAuth 2.0 Access Tokens"
>>
>>     Denis,
>>
>>     You are rehashing the same issues that you have already discussed
>>     on the mailing list multiple times,
>>
>>     You could not get the WG to agree with your points, because the
>>     WG believe that this issue is outside the scope of this document.
>>
>>     The best the chairs can do at this stage is to capture your point
>>     in the shepherd write-up to the IESG.
>>
>>     We think this document has the support of the WG and is ready to
>>     move forward.
>>
>>     Regards,
>>
>>      Rifaat
>>
>>     On Thu, May 14, 2020 at 12:29 PM Denis <denis.ietf@free.fr
>>     <mailto:denis.ietf@free.fr>> wrote:
>>
>>         Hi Vittorio,
>>
>>         I am referring to the email you sent on April the 29th which
>>         is copied below.
>>
>>         1) You wrote:
>>
>>             /> targeting of access tokens/
>>
>>             Let me think about that a bit longer.
>>
>>             I acknowledge that the decision of including an audience
>>             has the effect of letting the AS track when the client
>>             accesses a particular resource,
>>             but at the same time that’s completely mainstream and
>>             very much by design in a very large number of cases. As
>>             such, I find the language
>>             you are suggesting to be potentially confusing, as it
>>             positions this as an exception vs a privacy protecting
>>             mainstream that is in fact not common,
>>             and ascribes to the client more latitude than I believe
>>             is legitimate to expect or grant.
>>
>>             *I’ll try to come up with concise language that clarifies
>>             to the reader that the current mechanism does allow AS
>>             tracking*.
>>
>>         Since the last draft has been published on the 27th, you
>>         have not proposed any "concise language that clarifies to the
>>         reader
>>         that the current mechanism does allow AS tracking".
>>
>>         2) You also wrote about the "sub" uniqueness:
>>
>>             As long as an identifier identifies one resource only, it
>>             satisfies uniqueness. It doesn’t have to be a singleton.
>>
>>         RFC 7519 defines in section 4.1.2 the semantics of the "sub"
>>         claim using the following sentence:
>>
>>             The subject value MUST either be scoped to be locally
>>             unique in the context of the issuer or be globally unique.
>>
>>         The text does NOT say that the subject value "MUST be scoped
>>         to be locally unique in the context of the *resource server*".
>>
>>         Changing the semantics of an already defined claim is not
>>         permitted. If you would like to have such a semantics available,
>>         a new claim should be defined (and it would be very nice to
>>         have it !).
>>
>>         3) The text in the privacy considerations section states:
>>
>>            Although the ability to correlate requests might be
>>         required by design in many scenarios, there are scenarios
>>         where the authorization
>>            server might want to prevent correlation to preserve the
>>         desired level of privacy.
>>
>>         In the real world, it is also clients or end-users which
>>         would like to prevent correlation to preserve their desired
>>         level of privacy.
>>
>>         A better sentence would be:
>>
>>            Although the ability to correlate requests might be
>>         required by design in many scenarios, there are scenarios
>>         where the authorization
>>            server *or the client* might want to prevent correlation
>>         to preserve the desired level of privacy.
>>
>>         4) The text continues with:
>>
>>            Authorization servers should choose how to assign "sub"
>>         values according to the level of privacy required by each
>>            situation.  For instance: if a solution requires
>>         preventing tracking  principal activities across multiple
>>         resource servers,
>>            the  authorization server should ensure that JWT access
>>         tokens meant for different resource servers have distinct "sub"
>>            values that cannot be correlated in the event of resource
>>         servers collusion.
>>
>>         Authorization servers are not necessarily able to choose the
>>         level of privacy required by each situation. When there are
>>         different
>>         situations for the same resource server, the scope is
>>         (unfortunately at the moment) the only way to select the
>>         "level of privacy that is required".
>>
>>         The example ("For instance:") is only an example that
>>         provides a vague recommendation for the ASs which is NOT
>>         conformant
>>         with the semantics of the "sub" claim as defined in RFC 7519.
>>
>>         What should be discussed here are not "examples" or what an
>>         authorization server should do, but explanations about the
>>         implications
>>         for the end-user or for the client for the various values
>>         that can be placed into the "sub" claim by an AS. The problem
>>         is wider than simply
>>         a collusion between resource servers, but also with other
>>         servers that DO NOT participate in any OAuth exchange.
>>
>>         RFC 6973 (Privacy Considerations) states in section 7 :
>>         Guidelines
>>
>>             This section provides guidance for document authors in
>>             the form of a questionnaire about a protocol being designed.
>>             The questionnaire may be useful at any point in the
>>             design process, particularly after document authors have
>>             developed
>>             a high-level protocol model as described in [RFC4101].
>>
>>         One of the questions is:
>>
>>             f. *Correlation*. Does the protocol allow for correlation
>>             of identifiers ?  Are there expected ways that
>>             information exposed
>>             by the protocol will be combined or *correlated with
>>             information obtained outside the protocol* ?
>>
>>         It is important to provide an answer to these two questions.
>>
>>         Hereafter is some text that is fully conformant with RFC 7519
>>         which should be incorporated into the privacy considerations
>>         section
>>         which explains the implications of the two (and only two)
>>         flavours of the "sub" claim.
>>
>>             When the sub claim contains a locally unique identifier
>>             in the context of the issuer, this allows the tracking of
>>             principal activities
>>             across multiple resource servers.
>>
>>             When the sub claim contains a globally unique identifier,
>>             this allows to correlate principal activities across
>>             multiple resource
>>             servers, while in addition, this globally unique
>>             identifier may also allow to correlate the principal
>>             activities on servers where
>>             no access has been performed by the principals to these
>>             servers but where the same globally unique identifiers
>>             are being used
>>             by these servers.
>>
>>         Denis
>>
>>             Thanks Denis for the thorough commentary.
>>
>>             /> The title of this spec./
>>
>>             Fixed, thanks!
>>
>>             /> The client MUST NOT inspect the content of the access
>>             token/
>>
>>             This is really a sticky point. I really want to
>>             acknowledge your PoV on this, but at the same time I
>>             found this to be one of the biggest sources of issues in
>>             the use of JWT for access tokens hence I feel we really
>>             need to give solid guidance here. Let me expand further
>>             on the reasoning behind it, and perhaps we can get to
>>             language that satisfies both PoVs.
>>
>>             To me the key point is that clients should not write
>>             /code/ that inspects access tokens. Taking a dependency
>>             on the ability to do so is ignoring fundamental
>>             information about the architecture and relationships
>>             between OAuth roles, and suggests an ability of the
>>             client to understand the semantic of the content that
>>             cannot be assumed in the general case. I expanded on the
>>             details in my former reply to you on this topic, I would
>>             recommend referring to it. Clients violating this simple
>>             principle has been one of the most common sources of
>>             production issues I had to deal with in the past few
>>             years, and one of the hardest to remediate given that
>>             clients are hard to update and sometimes the things they
>>             relied on were irremediably lost. This is why I am
>>             inclined to put in here strong language.
>>
>>             That said: I have nothing against client developers
>>             examining a network trace and drawing conclusions based
>>             on the content of what they see. That doesn’t create any
>>             hard dependencies and has no implications in respect to
>>             changes in the solution behavior. However I am not sure
>>             how to phrase that in the specification, given that
>>             referring to the client inevitably refers to its code. I
>>             am open to suggestions.
>>
>>             >  3)…
>>
>>             I have a pretty hard time following the chain of
>>             reasoning in this section. Let me attempt to tackle it to
>>             the best of my understanding.
>>
>>             I think the key might be
>>
>>             /> a client should be able to choose whether it wishes
>>             the sub claim to contain [..]/
>>
>>             I don’t think that should be a choice left to the client.
>>             In business systems, my experience is that the type of
>>             identifiers to be used (when the IdP gives any choice at
>>             all)  is established at resource provisioning time. I am
>>             not aware of mechanisms thru which a client signals the
>>             nature of the identifier to be used, nor that would be
>>             fully feasible (the resource knows what it needs to
>>             perform its function).
>>
>>             Furthermore:
>>
>>             /> which has nothing to do with uniqueness since the
>>             value changes for every generated token./
>>
>>             Again, this is something that was touched on in my former
>>             reply to your message. As long as an identifier
>>             identifies one resource only, it satisfies uniqueness. It
>>             doesn’t have to be a singleton.
>>
>>             Finally, the scope is optional (for good reasons: 1st
>>             party and non delegation scenarios don’t require it)
>>             hence it cannot be relied upon for properties that should
>>             hold in every scenario.
>>
>>             In summary: per the preceding thread on this topic, the
>>             consensus was that varying the sub content was a
>>             satisfactory way of protecting against correlation. I
>>             don’t agree that clients should have a mechanism to
>>             request different sub flavors, as that decision should be
>>             done out of band by the AS and RS; and the scope isn’t
>>             always available anyway.
>>
>>             /> targeting of access tokens/
>>
>>             Let me think about that a bit longer.
>>
>>             I acknowledge that the decision of including an audience
>>             has the effect of letting the AS track when the client
>>             accesses a particular resource, but at the same time
>>             that’s completely mainstream and very much by design in a
>>             very large number of cases. As such, I find the language
>>             you are suggesting to be potentially confusing, as it
>>             positions this as an exception vs a privacy protecting
>>             mainstream that is in fact not common, and ascribes to
>>             the client more latitude than I believe is legitimate to
>>             expect or grant.
>>
>>             I’ll try to come up with concise language that clarifies
>>             to the reader that the current mechanism does allow AS
>>             tracking.
>>
>>             *From: *OAuth <oauth-bounces@ietf.org>
>>             <mailto:oauth-bounces@ietf.org> on behalf of Denis
>>             <denis.ietf@free.fr> <mailto:denis.ietf@free.fr>
>>             *Date: *Wednesday, April 29, 2020 at 09:12
>>             *To: *"oauth@ietf.org" <mailto:oauth@ietf.org>
>>             <oauth@ietf.org> <mailto:oauth@ietf.org>
>>             *Subject: *Re: [OAUTH-WG] Second WGLC on "JSON Web Token
>>             (JWT) Profile for OAuth 2.0 Access Tokens"
>>
>>             You will find four comments numbered 1) to 4).
>>
>>             *1) *The title of this spec. is:
>>
>>             JSON Web Token (JWT) Profile for OAuth *2.0* Access Tokens
>>
>>             So, this spec. is supposed to be targeted to OAuth *2.0.
>>             * However, the header at the top of the page omits to
>>             mention it.
>>
>>             Currently, it is :
>>
>>             Internet-Draft OAuth Access Token JWT Profile          
>>             April 2020
>>
>>             It should rather be:
>>
>>             Internet-Draft OAuth *2.0* Access Token JWT
>>             Profile           April 2020
>>
>>             *2)* The following text is within section 6.
>>
>>             The client MUST NOT inspect the content of
>>             the access token: the authorization server and the
>>             resource server
>>             might decide to change token format at any time (for
>>             example by
>>             switching from this profile to opaque tokens) hence any
>>             logic in the
>>             client relying on the ability to read the access token
>>             content would
>>             break without recourse.
>>             Nonetheless, authorization servers should
>>             not assume that clients will comply with the above.
>>
>>             It is of primary importance that clients MAY be able to
>>             inspect tokens before transmitting them.
>>             The "MUST NOT" is not acceptable.
>>
>>             The above text should be replaced with:
>>
>>             Reading the access token content may be useful for the
>>             user to verify that
>>             the access token content matches with its expectations. 
>>             However,
>>             the authorization server and the resource server might
>>             decide to change the
>>             token format at any time.  Thus, the client should not
>>             expect to always be
>>             in a position to read the access token content.
>>
>>             The remainder of the text about this topic is fine.
>>
>>
>>             *3) *The next topic is about the sub claim.
>>
>>             The text states:
>>
>>             Although the ability to correlate requests might be
>>             required by
>>             design in many scenarios, there are scenarios where the
>>             authorization
>>             server might want to prevent correlation to preserve the
>>             desired
>>             level of privacy. Authorization servers should choose how
>>             to assign
>>             sub values according to the level of privacy required by each
>>             situation.
>>
>>             I have a set of questions:
>>
>>              1. How can authorization servers choose how to assign
>>                 sub values according to the level of privacy required
>>                 "by each situation" ?
>>              2. How can authorization servers know the level of
>>                 privacy required "by each situation" ?
>>              3. How can the users be informed of the level of privacy
>>                 required "by each situation" ?
>>              4. How can the users *consent* with the level of privacy
>>                 required "by each situation" ?
>>
>>             Currently, the request MUST include either a resource
>>             parameter or an aud claim parameter, while it MAY include
>>             a scope parameter.
>>
>>             The syntax of the scope parameter is a list of
>>             space-delimited, case-sensitive strings (RFC 6749). It is
>>             thus subject to private agreements
>>             between clients and Authorization Servers. Since the
>>             scope is being returned, it is of primary importance that
>>             the returned scope matches
>>             with its expectations before transmitting the token to a
>>             Resource Server.
>>
>>             In theory, a client should be able to choose whether it
>>             wishes the sub claim to contain :
>>
>>               * a global unique identifier for all ASs ("globally
>>                 unique"),
>>               * a unique identifier for each AS ("locally unique in
>>                 the context of the issuer"),
>>               * a different pseudonym for each RS, or
>>               * a different pseudonym for each authorization token
>>                 request.
>>
>>             The only variable parameter that it can use for this
>>             purpose in the token request is the scope parameter.
>>
>>             RFC 7519 states in section 4.1.2:
>>
>>             The subject value MUST either be scoped to be locally
>>             unique in the context of the issuer
>>             or be globally unique.
>>
>>             It is quite hard to recognize that the sub claim is able
>>             to carry a different pseudonym for each RS, i.e. for case
>>             (c), or
>>             a different pseudonym for each authorization token
>>             request, i.e. for case (d), which has nothing to do with
>>             uniqueness
>>             since the value changes for every generated token.
>>
>>             This has implications about the following text:
>>
>>             For instance: if a solution requires preventing tracking
>>             principal activities across multiple resource servers, the
>>             authorization server should ensure that JWT access tokens
>>             meant for
>>             different resource servers have distinct sub values that
>>             cannot be
>>             correlated in the event of resource servers collusion.
>>
>>             Since it addresses case (c).
>>
>>             and also about the following text:
>>
>>             4.b) Similarly: if a solution requires preventing a
>>             resource server from
>>             correlating the principal’s activity within the resource
>>             itself, the
>>             authorization server should assign different sub values
>>             for every JWT
>>             access token issued.
>>
>>             Since it addresses case (d).
>>
>>             This means that the current text placed in the privacy
>>             considerations section was a good attempt to address the
>>             case,
>>             but that the text needs to be revised.
>>
>>             Proposed text replacement for all the previously quoted
>>             sentences:
>>
>>             According to RFC 7519 (4.1.2): The subject value MUST
>>             either be scoped to be locally unique in the context of
>>             the issuer or be globally unique.
>>
>>             When the sub claim contains a globally unique identifier,
>>             this allows to correlate principal activities across
>>             multiple resource servers, while in addition,
>>             this globally unique identifier may also allow to
>>             correlate the principal activities on servers where no
>>             access has been performed by the principals
>>             to these servers but where the same globally unique
>>             identifiers are being used by these servers.
>>
>>             When the sub claim contains a locally unique identifier
>>             in the context of the issuer, this also allows the
>>             tracking of principal activities across multiple resource
>>             servers.
>>
>>             The scope request parameter is the only way to influence
>>             on the content of the sub claim parameter. Its meaning is
>>             subject to a private agreement
>>             between the client and the AS, which means that the use
>>             of the scope parameter is the only way to choose between
>>             a locally unique identifier
>>             in the context of the issuer or a globally unique identifier.
>>
>>             Since the scope parameter is being returned, it is of
>>             primary importance that the returned scope matches with
>>             the expectations of the client before transmitting
>>             the token to a Resource Server.
>>
>>             However, there are other cases where the client would
>>             like to be able to choose whether it wishes the sub claim
>>             to contain :
>>                 - a different pseudonym for each RS so that different
>>             resource servers will be unable to correlate its
>>             activities, or
>>                 - a different pseudonym for each authorization token
>>             request, so that the same resource server cannot
>>             correlate its activities performed at different instant
>>             of time.
>>
>>             Considering the semantics of the sub claim, these two
>>             cases cannot be currently supported.
>>
>>
>>             *4) *The next topic is about the targeting of access tokens
>>
>>             Text had been proposed before the last conference call.
>>             Then, the topic has been presented at the very end of the
>>             last conference call, but no text has been included
>>             in the next draft.
>>
>>             Here is a revised text to be included in the privacy
>>             considerations section:
>>
>>             For security reasons, some clients may be willing to
>>             target their access tokens but, for privacy reasons, may
>>             be unwilling to disclose to Authorization Servers
>>             an identification of the Resource Servers they are going
>>             to access, so that Authorization Servers will be unable
>>             to know which resources servers are being accessed.
>>             The disclosure of the Resource Servers names allows the
>>             Authorization Servers to list all the Resource Servers
>>             being accessed by all its users and in addition to list pairs
>>             of (Principal, Resource Servers) which allow to trace all
>>             the users accesses to Resource Servers performed through
>>             a given Authorization Server. When a token is targeted,
>>             this profile does not contain provisions to address these
>>             two threats.
>>
>>             Denis
>>
>>                 Hi all,
>>
>>                 This is a second working group last call for "JSON
>>                 Web Token (JWT) Profile for OAuth 2.0 Access Tokens".
>>
>>                 Here is the document:
>>
>>                 https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06
>>
>>                 Please send your comments to the OAuth mailing list
>>                 by April 29, 2020.
>>
>>                 Regards,
>>
>>                  Rifaat & Hannes
>>
>>                 _______________________________________________
>>
>>                 OAuth mailing list
>>
>>                 OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>
>>                 https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>     IMPORTANT NOTICE: The contents of this email and any attachments
>>     are confidential and may also be privileged. If you are not the
>>     intended recipient, please notify the sender immediately and do
>>     not disclose the contents to any other person, use it for any
>>     purpose, or store or copy the information in any medium. Thank you.
>>
>
>
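
Added example, not part of any message in this thread or of the draft under discussion: the three ways of assigning sub that the quoted comments debate (one value for all resource servers, one pseudonym per resource server, one value per token), with the join that colluding resource servers could perform on each. The HMAC derivation, the key, the account ids and the resource server URLs are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample data: key, account ids and resource server URLs are illustrative.
PAIRWISE_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()
ACCOUNTS = ["alice-0001", "bob-0002"]
RS_A = "https://rs-a.example"
RS_B = "https://rs-b.example"


def sub_issuer_wide(account_id, audience):
    """Same identifier in every token, whatever the audience."""
    return account_id


def sub_per_resource_server(account_id, audience, key=PAIRWISE_KEY):
    """Stable pseudonym per (account, resource server) pair.

    HMAC-SHA256 over a length-prefixed audience and the account id: the same
    RS always sees the same value, two RSs see unrelated values, and neither
    can recompute the other's value without the key held by the AS.
    """
    aud = audience.encode()
    msg = len(aud).to_bytes(4, "big") + aud + account_id.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sub_per_token(account_id, audience):
    """Fresh random value for every token issued.

    An AS that needs to map the value back to an account must store it.
    """
    return secrets.token_urlsafe(32)


def issue(strategy, visits):
    """Return {audience: [sub, ...]} for a list of (account, audience) visits."""
    seen = {}
    for account_id, audience in visits:
        seen.setdefault(audience, []).append(strategy(account_id, audience))
    return seen


def cross_rs_matches(seen):
    """sub values that two colluding resource servers could join on."""
    return set(seen[RS_A]) & set(seen[RS_B])


def repeat_visits_linkable(seen, audience):
    """True if a single RS sees any sub value more than once."""
    subs = seen[audience]
    return len(set(subs)) < len(subs)


# Each account presents two tokens to each resource server.
VISITS = [(a, rs) for a in ACCOUNTS for rs in (RS_A, RS_B) for _ in range(2)]


def summarize():
    """Map strategy name -> (sub values joinable across RSs, linkable within RS_A)."""
    report = {}
    for strategy in (sub_issuer_wide, sub_per_resource_server, sub_per_token):
        seen = issue(strategy, VISITS)
        report[strategy.__name__] = (
            len(cross_rs_matches(seen)),
            repeat_visits_linkable(seen, RS_A),
        )
    return report


if __name__ == "__main__":
    for name, (joinable, linkable) in summarize().items():
        print(f"{name:26} joinable across RSs: {joinable}  "
              f"linkable within one RS: {linkable}")
```
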


--------------8A467CAF7BF250964740B9A3
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix"><font face="Arial">Hi Hannes,</font></div>
    <div class="moz-cite-prefix"><font face="Arial"><br>
      </font></div>
    <div class="moz-cite-prefix"><font face="Arial">This email has been
        left unanswered. It raises major issues: <br>
      </font>
      <blockquote><font face="Arial">If the authorization server has no
          way to know that the client is sending a request which implies
          compliance <br>
          with draft-ietf-oauth-access-token-jwt why should it behave in
          such a way ?</font>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
            face="Arial"><br>
          </font></p>
        <font face="Arial">If the resource server has no way to know
          that it is checking a JWT which is supposed to be compliant <br>
          with draft-ietf-oauth-access-token-jwt why should it behave in
          such a way ?<br>
          <br>
          IMHO, a token type would be able to easily address the
          problem; otherwise sections 3 and 4 should be deleted.<br>
        </font>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
        </p>
      </blockquote>
    </div>
    <div class="moz-cite-prefix"><font face="Arial">What is the status
        of this document ?</font></div>
    <div class="moz-cite-prefix"><font face="Arial"><br>
      </font></div>
    <div class="moz-cite-prefix"><font face="Arial">Denis</font></div>
    <div class="moz-cite-prefix"><font face="Arial"><br>
      </font></div>
    <div class="moz-cite-prefix"><font face="Arial"><u>Note</u>: A
        reminder was sent privately to both Hannes and Rifaat on June
        23. It was also left unanswered. Hereafter is its content:</font></div>
    <blockquote>
      <div class="moz-cite-prefix">Hi Hannes,
        <p>At this time, I have not yet received an answer to the email
          attached below.</p>
        <p>Would you please provide a response on the mailing list ?</p>
        Denis</div>
      <div class="moz-cite-prefix"><br>
      </div>
    </blockquote>
    <blockquote type="cite"
      cite="mid:f28eabb7-1204-7c8d-4fe2-662c3887d75b@free.fr">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <div class="moz-cite-prefix">Hi  Hannes,</div>
      <div class="moz-cite-prefix"><br>
      </div>
      <div class="moz-cite-prefix">Let us start by the last argument of
        this email which is copied below:</div>
      <div class="moz-cite-prefix">
        <blockquote><span
            style="font-family:&quot;Arial&quot;,sans-serif">Finally,
            there are still two questions that have been raised but
            which have not yet been answered at this time: </span>
          <ul type="disc">
            <li class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
              level1 lfo1"> <span
                style="font-family:&quot;Arial&quot;,sans-serif">how can
                a client request a JWT compliant to <i>this</i>
                profile, and </span></li>
            <li class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
              level1 lfo1"> <span
                style="font-family:&quot;Arial&quot;,sans-serif">how can
                a client be confident that it got a JWT compliant to <i>this</i>
                profile ?</span></li>
          </ul>
          <p class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
              style="font-family:&quot;Arial&quot;,sans-serif"> </span></p>
          <p class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
              face="Arial">[Hannes] Regarding the two questions: It
              cannot and it was never the intention of this work. </font><br>
          </p>
        </blockquote>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
            face="Arial">If this document was limited to section 2, it
            would simply be a description of a specific profile, but it
            is more than that <br>
            since it includes two additional sections:</font></p>
        <blockquote>
          <p class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
              face="Arial">3. Requesting a JWT Access Token<br>
              4. Validating JWT Access Tokens</font></p>
        </blockquote>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
            face="Arial">In section 3, the text states:</font></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
            face="Arial"><br>
               If the request does not include a "resource" parameter,
            the authorization server <b>MUST</b> use in the "aud" claim
            <br>
              as default resource indicator. <br>
            <br>
            If the </font><font face="Arial"><font face="Arial">authorization
              server has no way to know that the client is sending a
              request which implies compliance <br>
              with draft-ietf-oauth-access-token-jwt why should it
              behave in such a way ?</font></font></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
          <font face="Arial"><font face="Arial"><font face="Arial">In
                section 4 the text states:</font></font></font></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
            face="Arial"><font face="Arial"><font face="Arial"><br>
              </font></font></font></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
            face="Arial"><font face="Arial"><font face="Arial">  
                resource servers receiving a JWT access token <b>MUST</b>
                validate it in the following manner<br>
              </font></font></font></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
            face="Arial"><br>
          </font></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
            face="Arial"><font face="Arial">If the </font></font><font
            face="Arial"><font face="Arial"><font face="Arial"><font
                  face="Arial"><font face="Arial"><font face="Arial">resource
                      server</font></font></font> has no way to know
                that it is checking a JWT which is supposed to be
                compliant <br>
                with draft-ietf-oauth-access-token-jwt why should it
                behave in such a way ?</font></font></font></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
            face="Arial"><font face="Arial"><font face="Arial"><br>
              </font></font></font></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
            face="Arial"><font face="Arial"><font face="Arial">The
                responses to these two questions are important before
                handling the other comments.</font></font></font></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
            face="Arial"><font face="Arial"><font face="Arial">IMHO, a
                token type would be able to easily address the problem;
                otherwise sections 3 and 4 should be deleted.</font></font></font></p>
        <br>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><font
            face="Arial"><font face="Arial"><font face="Arial">The
                remainder of my replies are within the text below
                prefixed with [Denis].<br>
                <br>
              </font></font></font></p>
      </div>
      <blockquote type="cite"
cite="mid:AM0PR08MB37161916ED0662F4CB2C736EFA890@AM0PR08MB3716.eurprd08.prod.outlook.com">
        <meta http-equiv="Content-Type" content="text/html;
          charset=UTF-8">
        <meta name="Generator" content="Microsoft Word 15 (filtered
          medium)">
        <style><!--
/* Font Definitions */
@font-face
	{font-family:Courier;
	panose-1:2 7 4 9 2 2 5 2 4 4;}
@font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:DengXian;
	panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Consolas;
	panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
	{font-family:"\@DengXian";
	panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
	{font-family:"Courier New \;color\:black";
	panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:Consolas;}
span.EmailStyle23
	{mso-style-type:personal-compose;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
/* List Definitions */
@list l0
	{mso-list-id:261763203;
	mso-list-template-ids:-1619125034;}
@list l0:level1
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level2
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:1.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level3
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:1.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level4
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level5
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:2.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level6
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level7
	{mso-level-number-format:bullet;
	mso-level-text:;
	mso-level-tab-stop:3.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
--></style>
        <div class="WordSection1">
          <p class="MsoNormal">Hi Denis, <o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal">Please see my response below. <o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <div>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"><b>From:</b> Denis <a
                  class="moz-txt-link-rfc2396E"
                  href="mailto:denis.ietf@free.fr"
                  moz-do-not-send="true">&lt;denis.ietf@free.fr&gt;</a>
                <br>
                <b>Sent:</b> Wednesday, June 3, 2020 12:12 PM<br>
                <b>To:</b> Hannes Tschofenig <a
                  class="moz-txt-link-rfc2396E"
                  href="mailto:Hannes.Tschofenig@arm.com"
                  moz-do-not-send="true">&lt;Hannes.Tschofenig@arm.com&gt;</a><br>
                <b>Cc:</b> Rifaat Shekh-Yusef <a
                  class="moz-txt-link-rfc2396E"
                  href="mailto:rifaat.s.ietf@gmail.com"
                  moz-do-not-send="true">&lt;rifaat.s.ietf@gmail.com&gt;</a>;
                Vittorio Bertocci <a class="moz-txt-link-rfc2396E"
                  href="mailto:vittorio.bertocci@auth0.com"
                  moz-do-not-send="true">&lt;vittorio.bertocci@auth0.com&gt;</a>;
                <a class="moz-txt-link-abbreviated"
                  href="mailto:oauth@ietf.org" moz-do-not-send="true">oauth@ietf.org</a><br>
                <b>Subject:</b> Re: [OAUTH-WG] Second WGLC on "JSON Web
                Token (JWT) Profile for OAuth 2.0 Access Tokens"<o:p></o:p></p>
            </div>
          </div>
          <p class="MsoNormal"><o:p> </o:p></p>
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span
                style="font-family:&quot;Arial&quot;,sans-serif">Hi
                Hannes,<br>
                <br>
                I do appreciate your efforts to attempt to get rid of
                the "MUST NOT" in the "Privacy considerations" section.<br>
                <br>
                Let us look at the following proposed sentence:<br>
                <br>
                    <span style="color:black">While this is technical
                  possible, it is important to note that the OAuth 2.0
                  protocol does not aim to expose the content of the
                  access token </span><br>
                <span style="color:black">    to the client. The access
                  token is therefore, by design, considered to be opaque
                  to the client".</span><br>
                <i><br>
                  In the context of this document</i>, a detailed
                content of the JWT is expected and thus, if a client
                receives a JWT compliant to this profile <br>
                (and if the token is not encrypted which is most often
                the case) it will absolutely be sure to pick up any
                guaranteed field within the JWT. <br>
                So, <i>in the context of this document</i>, the <span
                  style="color:black">access token cannot be considered
                  to be opaque to the client.</span><br>
                <br>
                <o:p></o:p></span></p>
          </div>
        </div>
      </blockquote>
      <blockquote type="cite"
cite="mid:AM0PR08MB37161916ED0662F4CB2C736EFA890@AM0PR08MB3716.eurprd08.prod.outlook.com">
        <div class="WordSection1">
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;margin-bottom:12.0pt">[Hannes]
              Here we have a disconnect. The OAuth 2.0 design does not
              assume that the client inspects the access tokens if it
              flies by. This document could not change that.<br>
              The purpose of this document is actually quite simple:
              Those who want to use JWT as a format for access tokens
              can use the claims described in this document. <br>
              You are also free to use whatever format you want.<o:p></o:p><o:p></o:p><o:p></o:p><span
                style="font-family:&quot;Arial&quot;,sans-serif"><br>
              </span></p>
          </div>
        </div>
      </blockquote>
      <p>[Denis] You wrote: "The OAuth 2.0 design does not <b>assume </b>that
        the client inspects the access tokens if it flies by". However,
        there are cases where <br>
        the client may be interested to know which attributes have been
        placed into the JWT, there should be some way(s) to be able to
        do it. <br>
        Using Token Introspection (extended to be used by clients) would
        be like bringing in an elephant to kill a mouse. Using a local
        API would be a simple <br>
        solution, however the IETF defines (most often) protocols rather
        than local APIs.</p>
      <p>The user's privacy cannot be fulfilled if the client is unable
        to know which attributes have been placed into the JWT. A
        solution to address this issue <br>
        would be to clearly advertise the following in the Privacy
        Considerations section:</p>
      <blockquote>
        <p><font color="#0000ff">As the OAuth 2.0 design does not assume
            that the client inspects the access tokens if it flies by,
            clients have no way to know which identity <br>
            attributes have effectively been placed into the JWT. Since
            these identity attributes may disclose more private
            information than what is strictly <br>
            necessary to perform one or more operations, this may be a
            serious concern for users that care about their privacy.</font><br>
        </p>
      </blockquote>
      <blockquote type="cite"
cite="mid:AM0PR08MB37161916ED0662F4CB2C736EFA890@AM0PR08MB3716.eurprd08.prod.outlook.com">
        <div class="WordSection1">
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span
                style="font-family:&quot;Arial&quot;,sans-serif"> About
                the second paragraph, <i>in the context of this
                  document (</i>besides the case where the JWT is
                encrypted), it is neither difficult, <br>
                nor impossible to parse the token<i>.<br>
                </i><br>
                About the second paragraph, let us look at the following
                proposed sentence<i> in the context of this document</i>
                :<br>
                <br>
                    " Additionally, there is no guarantee that the
                access token is conveyed by value and the authorization
                server implementation may change <br>
                      the token format at any time ".<br>
                <br>
                The argumentation that the token format may change at
                any point of time, while being valid in the general
                case, is invalid <i>in the context of this document</i>.
                <br>
                This JWT profile will be stable over time. This means
                that this quoted sentence is inappropriate <i>in the
                  context of this document</i>.<br>
              </span></p>
          </div>
        </div>
      </blockquote>
      <blockquote type="cite"
cite="mid:AM0PR08MB37161916ED0662F4CB2C736EFA890@AM0PR08MB3716.eurprd08.prod.outlook.com">
        <div class="WordSection1">
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;margin-bottom:12.0pt">[Hannes]
              Here is the issue. In a given deployment you do not know
              how the access token is encoded nor whether the claims are
              in this format. <br>
              You don’t know whether the token is conveyed by reference
              or by value. Hence, why should we suddenly even give
              developers the impression <br>
              that OAuth Clients should look at the token.</p>
          </div>
        </div>
      </blockquote>
      <p>[Denis] OAuth clients SHOULD only look at the attributes placed
        into the JWT, when/if they have privacy concerns about the
        identity attributes <br>
        that have been placed into the JWT. Otherwise, they would have
        no idea on how they could be traced by the resource servers <i>and
          other servers </i><i><br>
        </i><i>that don't use OAuth</i>. In the current situation, it
        appears necessary to clearly advertise in the Privacy
        Considerations section that the token opacity <br>
        may be a serious concern for users that care about their
        privacy. <br>
      </p>
      <p>It is also important to note that the <i>foundational design
          assumption </i>of keeping access tokens opaque to clients
        (and their users) is closing the door <br>
        to any confidence for clients that their privacy is indeed
        preserved by the authorization servers.<br>
      </p>
      <blockquote type="cite"
cite="mid:AM0PR08MB37161916ED0662F4CB2C736EFA890@AM0PR08MB3716.eurprd08.prod.outlook.com">
        <div class="WordSection1">
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><o:p> </o:p>T<span
                style="font-family:&quot;Arial&quot;,sans-serif">he
                third proposed paragraph is stating :<br>
                <br>
                    "<span style="color:black"> In scenarios where it is
                  where it is desirable for the clients to obtain
                  information transmitted in the access token, OAuth 2.0
                  token introspection <br>
                        may provide a useful tool to enable such
                  functionality (proper authorization assumed) ".<br>
                  <br>
                </span>RFC 7662 (OAuth 2.0 Token Introspection) is a
                protocol to be used by protected resources, but is not a
                protocol to be used by clients. <br>
                As indicated, in order to be usable, a "<span
                  style="color:black">proper authorization" also needs
                  to be managed. Besides the difficulty to support such
                  a protocol for clients <br>
                  and to twist its original usage as defined in RFC
                  7662, it is simpler to develop the code to examine the
                  content of the JWT, since its content is guaranteed <br>
                  to be stable </span>over time<span
                  style="color:black">.</span><o:p></o:p></span></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;margin-bottom:12.0pt">[Hannes]
              While it may be simpler to inspect the access token, the
              use of token introspection is a better match for the OAuth
              architecture. <br>
              We can talk about updating the token introspection RFC to
              also describe this use case, assuming there is interest. </p>
          </div>
        </div>
      </blockquote>
      <p>[Denis] Updating the token introspection RFC would be like
        bringing a bull in a china shop.</p>
      <blockquote type="cite"
cite="mid:AM0PR08MB37161916ED0662F4CB2C736EFA890@AM0PR08MB3716.eurprd08.prod.outlook.com">
        <div class="WordSection1">
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;margin-bottom:12.0pt">The
              question in general will surface why the client should get
              access to the content of the access token in the first
              place. <br>
              For those cases where information is passed to the client
              other mechanisms, such as the identity token in OIDC, have
              been developed.<o:p> <br>
              </o:p></p>
          </div>
        </div>
      </blockquote>
      <p>[Denis] The reason has been explained above: it has to do with
        correlation of the users by different resource servers, <br>
        but also by other servers when "globally unique identifiers" are
        being used in the "sub" claim.</p>
      <blockquote type="cite"
cite="mid:AM0PR08MB37161916ED0662F4CB2C736EFA890@AM0PR08MB3716.eurprd08.prod.outlook.com">
        <div class="WordSection1">
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
                style="font-family:&quot;Arial&quot;,sans-serif">The
                last proposed paragraph is the following:<br>
                <br>
                   " Since the content of the access token is accessible
                to the resource server it is important to evaluate
                whether the resource server gained the proper
                entitlement <br>
                      to have access to any content received in form of
                claims, <i>for example through user consent in some
                  form, policies and agreements with the organization
                  running </i><br>
                <i>      the authorization servers, and so on</i>. The
                policies and the user interfaces to enable this user
                consent are, however, part of a specific deployment and
                therefore <br>
                      outside the scope of this document ".<br>
                <br>
                The sentence "for example through user consent in some
                form, policies and agreements with the organization
                running the authorization servers, and so on" <br>
                should be removed, since this example lets one believe that
                the consent is handled by the authorization servers
                while it might be handled by the resource servers.<o:p></o:p></span></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">[Hannes]
              The information is disclosed by the authorization server
              and hence the consent has to be with the authorization
              server. </p>
          </div>
        </div>
      </blockquote>
      <blockquote type="cite"
cite="mid:AM0PR08MB37161916ED0662F4CB2C736EFA890@AM0PR08MB3716.eurprd08.prod.outlook.com">
        <div class="WordSection1">
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
                style="font-family:&quot;Arial&quot;,sans-serif">The
                last proposed paragraph would be solution neutral if the
                example were removed. This would lead to the following
                sentence:<br>
                <br>
                Since the content of the access token is accessible to
                the resource server it is important to evaluate whether
                the resource server gained the proper entitlement <br>
                to have access to any content received in form of
                claims. The policies and the user interfaces to enable
                this user consent are, however, part of a specific
                deployment <br>
                and therefore outside the scope of this document.<br>
              </span></p>
          </div>
        </div>
      </blockquote>
      <p>[Denis] A resource server may say: "In order to perform this
        operation, I need your date of birth". If the user agrees, then
        the client will ask the authorization <br>
        server to insert the date of birth of the user into the JWT. In
        this way, the consent is given by the client when talking to the
        resource server. The authorization <br>
        server is not involved with a consent given by the user.
        Obviously, this is one scenario and other scenarios exist, but
        such a scenario should not be prevented.</p>
      <p>The AS does not need to know which operation will be performed
        by the user, it only needs to know that the user is willing for his
        birth date to be included into the JWT.<br>
        However, at the moment, since there is no RFC supporting such a
        possibility, asking for specific standardized attributes is not
        (yet) possible.<br>
      </p>
      <blockquote type="cite"
cite="mid:AM0PR08MB37161916ED0662F4CB2C736EFA890@AM0PR08MB3716.eurprd08.prod.outlook.com">
        <div class="WordSection1">
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
                style="font-family:&quot;Arial&quot;,sans-serif"> <br>
                Finally, there are still two questions that have been
                raised but which have not yet been answered at this
                time: </span><o:p></o:p></p>
            <ul type="disc">
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
                level1 lfo1"> <span
                  style="font-family:&quot;Arial&quot;,sans-serif">how
                  can a client request a JWT compliant to <i>this</i>
                  profile, and </span><o:p></o:p></li>
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
                level1 lfo1"> <span
                  style="font-family:&quot;Arial&quot;,sans-serif">how
                  can a client be confident that it got a JWT compliant
                  to <i>this</i> profile ?</span><o:p></o:p></li>
            </ul>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
                style="font-family:&quot;Arial&quot;,sans-serif"><o:p> </o:p></span></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">[Hannes]
              Regarding the two questions: It cannot and it was never
              the intention of this work. </p>
          </div>
        </div>
      </blockquote>
      <p>[Denis] This point has been addressed at the top of this email.
        However, I would like to add one point.<br>
        <br>
        Let us suppose that a token type would be added both in the
        token request and within the token itself,<br>
        and if, at the minimum, the client would be allowed to access
        this token type, saying "This token is conformant to RFC
        XXX", <br>
        then the client would be able to call a local API able to
        disclose the content of the token. <br>
      </p>
      <p>This would be like using a piece of cheese to catch the mouse.</p>
      <p>Denis<br>
      </p>
      <blockquote type="cite"
cite="mid:AM0PR08MB37161916ED0662F4CB2C736EFA890@AM0PR08MB3716.eurprd08.prod.outlook.com">
        <div class="WordSection1">
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><o:p> </o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Ciao<o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hannes<o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><o:p> </o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
                style="font-family:&quot;Arial&quot;,sans-serif"><br>
                Denis</span><o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <p class="MsoNormal">Let me try to jump in here in order to
              make a proposal for the text in the privacy consideration
              section:<o:p></o:p></p>
            <p class="MsoNormal"> <o:p></o:p></p>
            <p class="MsoNormal">FROM:<o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a
href="https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-6"
                moz-do-not-send="true"><b><span
                    style="font-size:10.0pt;font-family:&quot;Courier
                    New ;color:black&quot;,serif">6</span></b></a><a
                name="section-6" moz-do-not-send="true"></a><b><span
                  style="font-size:10.0pt;font-family:&quot;Courier New
                  ;color:black&quot;,serif">.  Privacy Considerations</span></b><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   As JWT access tokens carry
                information by value, it now becomes</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   possible for requestors and
                receivers to directly peek inside the</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   token claims collection. 
                The client MUST NOT inspect the content of</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   the access token: the
                authorization server and the resource server</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   might decide to change
                token format at any time (for example by</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   switching from this profile
                to opaque tokens) hence any logic in the</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   client relying on the
                ability to read the access token content would</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   break without recourse. 
                Nonetheless, authorization servers should</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   not assume that clients
                will comply with the above.  Whenever client</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   access to the access token
                content presents privacy issues for a</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   given scenario, the
                authorization server should take explicit steps</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   to prevent it as described
                below.</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   In scenarios in which JWT
                access tokens are accessible to the end</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   user, it should be
                evaluated whether the information can be accessed</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   without privacy violations
                (for example, if an end user would simply</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   access his or her own
                personal information) or if steps must be taken</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   to enforce cofidentiality. 
                Possible measures include: encrypting the</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   access token, encrypting
                the sensitive claims, omitting the sensitive</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   claims or not using this
                profile, falling back on opaque access</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   tokens.</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   In every scenario, the
                content of the JWT access token will</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   eventually be accessible to
                the resource server.  It's important to</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   evaluate whether the
                resource server gained the proper entitlement to</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   have access to any content
                received in form of claims, for example</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   through user consent in
                some form, policies and agreements with the</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   organization running the
                authorization servers, and so on.</span><o:p></o:p></p>
            <p class="MsoNormal"> <o:p></o:p></p>
            <p class="MsoNormal">TO:<o:p></o:p></p>
            <p class="MsoNormal"> <o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
                  style="font-size:10.0pt;font-family:&quot;Courier New
                  ;color:black&quot;,serif"><a
href="https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-6"
                    moz-do-not-send="true"><span style="color:black">6</span></a>. 
                  Privacy Considerations</span></b><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   The design of OAuth 2.0
                envisions that access tokens are created by </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   authorization servers and
                consumed by resource servers. </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   As JWT access tokens, as
                described in this document, carry information by value,
                it is</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   possible for OAuth clients
                to peek inside the access token. </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
   While this is technical">
                ;color:black&quot;,serif">   While this is technically
                possible, it is important to note that the</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   OAuth 2.0 protocol does not
                aim to expose the content of the</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   access token to the client.
                The access token is therefore, by design, considered to
                be </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   opaque to the client. </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   A number of cases may make
                it difficult or impossible for clients to </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   inspect the token, for
                example, the access token may be encrypted, </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   the access token may
                contain vendor-specific claims that have not been </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   standardized or have been
                standardized in other consortia making parsing </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   of the token difficult.
                Additionally, there is no guarantee that the </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   access token is conveyed by
                value and the authorization server implementation</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   may change the token format
                at any time. </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   In scenarios where it is
                desirable for the clients to obtain information </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   transmitted in the access
                token, OAuth 2.0 token introspection may provide </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   a useful tool to enable
                such functionality (proper authorization assumed). </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   In scenarios where the
                content of the access token must not be readable </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   by clients, encrypting the
                content of the access token is RECOMMENDED.</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   Since the content of the
                access token is accessible to the resource server</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   it is important to</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   evaluate whether the
                resource server gained the proper entitlement to</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   have access to any content
                received in form of claims, for example</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   through user consent in
                some form, policies and agreements with the</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   organization running the
                authorization servers, and so on. The policies </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   and the user interfaces to
                enable this user consent are, however, part </span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:10.0pt;font-family:&quot;Courier New
                ;color:black&quot;,serif">   of a specific deployment
                and therefore outside the scope of this document. </span><o:p></o:p></p>
            <p class="MsoNormal"> <o:p></o:p></p>
            <p class="MsoNormal"> <o:p></o:p></p>
            <p class="MsoNormal">How does this sound? <o:p></o:p></p>
            <p class="MsoNormal"> <o:p></o:p></p>
            <p class="MsoNormal">Ciao<o:p></o:p></p>
            <p class="MsoNormal">Hannes<o:p></o:p></p>
            <p class="MsoNormal"> <o:p></o:p></p>
            <p class="MsoNormal"> <o:p></o:p></p>
            <p class="MsoNormal"> <o:p></o:p></p>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"><b>From:</b> OAuth <a
                  href="mailto:oauth-bounces@ietf.org"
                  moz-do-not-send="true">&lt;oauth-bounces@ietf.org&gt;</a>
                <b>On Behalf Of </b>Rifaat Shekh-Yusef<br>
                <b>Sent:</b> Thursday, May 14, 2020 8:03 PM<br>
                <b>To:</b> Denis <a href="mailto:denis.ietf@free.fr"
                  moz-do-not-send="true">&lt;denis.ietf@free.fr&gt;</a><br>
                <b>Cc:</b> Vittorio Bertocci <a
                  href="mailto:vittorio.bertocci@auth0.com"
                  moz-do-not-send="true">&lt;vittorio.bertocci@auth0.com&gt;</a>;
                <a href="mailto:oauth@ietf.org" moz-do-not-send="true">oauth@ietf.org</a><br>
                <b>Subject:</b> Re: [OAUTH-WG] Second WGLC on "JSON Web
                Token (JWT) Profile for OAuth 2.0 Access Tokens"<o:p></o:p></p>
            </div>
            <p class="MsoNormal"> <o:p></o:p></p>
            <div>
              <p class="MsoNormal">Denis,<o:p></o:p></p>
              <div>
                <p class="MsoNormal"> <o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal">You are rehashing the same issues
                  that you have already discussed on the mailing list
                  multiple times.<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal">You could not get the WG to agree
                  with your points, because the WG believe that this
                  issue is outside the scope of this document.<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"> <o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal">The best the chairs can do at this
                  stage is to capture your point in the shepherd
                  write-up to the IESG.<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal">We think this document has the
                  support of the WG and is ready to move forward.<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"> <o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal">Regards,<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"> Rifaat<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"> <o:p></o:p></p>
              </div>
            </div>
            <p class="MsoNormal"> <o:p></o:p></p>
            <div>
              <div>
                <p class="MsoNormal">On Thu, May 14, 2020 at 12:29 PM
                  Denis &lt;<a href="mailto:denis.ietf@free.fr"
                    moz-do-not-send="true">denis.ietf@free.fr</a>&gt;
                  wrote:<o:p></o:p></p>
              </div>
              <blockquote style="border:none;border-left:solid #CCCCCC
                1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
                <div>
                  <div>
                    <p class="MsoNormal">Hi Vittorio,<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"><span
                        style="font-family:&quot;Arial&quot;,sans-serif">I
                        am referring to the email you sent on April the
                        29th which is copied below.</span><o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"><span
                        style="font-family:&quot;Arial&quot;,sans-serif">1)
                        You wrote:</span><o:p></o:p></p>
                  </div>
                  <blockquote
                    style="margin-top:5.0pt;margin-bottom:5.0pt">
                    <div>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span
style="font-family:&quot;Arial&quot;,sans-serif">&gt; targeting of
                            access tokens</span></i><o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:&quot;Arial&quot;,sans-serif">Let me think about that
                          a bit longer. </span><o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span
style="font-family:&quot;Arial&quot;,sans-serif">I acknowledge that the
                          decision of including an audience has the
                          effect of letting the AS track when the client
                          accesses a particular resource, <br>
                          but at the same time that’s completely
                          mainstream and very much by design in a very
                          large number of cases. As such, I find the
                          language <br>
                          you are suggesting to be potentially
                          confusing, as it positions this as an
                          exception vs a privacy protecting mainstream
                          that is in fact not common, <br>
                          and ascribes to the client more latitude than
                          I believe is legitimate to expect or grant.</span><o:p></o:p></p>
                      <p class="MsoNormal"><b><span
                            style="font-family:&quot;Arial&quot;,sans-serif">I’ll
                            try to come up with concise language that
                            clarifies to the reader that the current
                            mechanism does allow AS tracking</span></b><span
style="font-family:&quot;Arial&quot;,sans-serif">.   </span><o:p></o:p></p>
                    </div>
                  </blockquote>
                  <div>
                    <p class="MsoNormal">Since the last draft has been
                      published on the 27th, you have not proposed any
                      "<span style="color:blue">concise language that
                        clarifies to the reader <br>
                        that the current mechanism does allow AS
                        tracking</span>".<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">2) You also wrote about the
                      "sub" uniqueness:<o:p></o:p></p>
                  </div>
                  <blockquote
                    style="margin-top:5.0pt;margin-bottom:5.0pt">
                    <div>
                      <p class="MsoNormal">As long as an identifier
                        identifies one resource only, it satisfies
                        uniqueness. It doesn’t have to be a singleton.<o:p></o:p></p>
                    </div>
                  </blockquote>
                  <div>
                    <p class="MsoNormal">RFC 7519 defines in section
                      4.1.2 the semantics of the "sub" claim using the
                      following sentence:<o:p></o:p></p>
                    <blockquote
                      style="margin-top:5.0pt;margin-bottom:5.0pt">
                      <p class="MsoNormal">The subject value MUST either
                        be scoped to be locally unique in the context of
                        the issuer or be globally unique.<o:p></o:p></p>
                    </blockquote>
                  </div>
                  <div>
                    <p class="MsoNormal">The text does NOT say that the
                      subject value "MUST be scoped to be locally unique
                      in the context of the <b>resource server</b>".<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">Changing the semantics of an
                      already defined claim is not permitted. If you
                      would like to have such a semantics available, <br>
                      a new claim should be defined (and it would be
                      very nice to have it !). <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">3) The text in the privacy
                      considerations section states:<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">   Although the ability to
                      correlate requests might be required by design in
                      many scenarios, there are scenarios where the
                      authorization<br>
                         server might want to prevent correlation to
                      preserve the desired level of privacy. <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">In the real world, it is also
                      clients or end-users which would like to prevent
                      correlation to preserve their desired level of
                      privacy.<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">A better sentence would be:<o:p></o:p></p>
                  </div>
                  <div>
                    <div>
                      <p class="MsoNormal"> <o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">   Although the ability to
                        correlate requests might be required by design
                        in many scenarios, there are scenarios where the
                        authorization<br>
                           server <b>or the client</b> might want to
                        prevent correlation to preserve the desired
                        level of privacy. <o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal"> <o:p></o:p></p>
                    </div>
                  </div>
                  <div>
                    <p class="MsoNormal">4) The text continues with:<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">   Authorization servers should
                      choose how to assign "sub" values according to the
                      level of privacy required by each<br>
                         situation.  For instance: if a solution
                      requires preventing tracking  principal activities
                      across multiple resource servers, <br>
                         the  authorization server should ensure that
                      JWT access tokens meant for different resource
                      servers have distinct "sub" <br>
                         values that cannot be correlated in the event
                      of resource servers collusion.  <o:p> </o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">Authorization servers are not
                      necessarily able to choose the level of privacy
                      required by each situation. When there are
                      different <br>
                      situations for the same resource server, the scope
                      is (unfortunately at the moment) the only way to
                      select the "level of privacy that is required".<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">The example ("For instance:")
                      is only an example that provides a vague
                      recommendation for the ASs which is NOT conformant<br>
                      with the semantics of the "sub" claim as defined
                      in RFC 7519.<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">What should be discussed here
                      are not "examples" or what an authorization server
                      should do, but explanations about the implications
                      <br>
                      for the end-user or for the client for the various
                      values that can be placed into the "sub" claim by
                      an AS. The problem is wider than simply <br>
                      a collusion between resource servers, but also
                      with other servers that DO NOT participate in any
                      OAuth exchange. <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">RFC 6973 (Privacy
                      Considerations) states in section 7 : Guidelines<o:p></o:p></p>
                    <blockquote
                      style="margin-top:5.0pt;margin-bottom:5.0pt">
                      <p class="MsoNormal">This section provides
                        guidance for document authors in the form of a
                        questionnaire about a protocol being designed. 
                        <br>
                        The questionnaire may be useful at any point in
                        the design process, particularly after document
                        authors have developed <br>
                        a high-level protocol model as described in
                        [RFC4101].<o:p></o:p></p>
                    </blockquote>
                    <p class="MsoNormal">One of the questions is:<o:p></o:p></p>
                    <blockquote
                      style="margin-top:5.0pt;margin-bottom:5.0pt">
                      <p class="MsoNormal">f.  <b>Correlation</b>. 
                        Does the protocol allow for correlation of
                        identifiers ?  Are there expected ways that
                        information exposed <br>
                        by the protocol will be combined or <b>correlated
                          with information obtained outside the protocol</b>
                        ?<o:p></o:p></p>
                    </blockquote>
                  </div>
                  <div>
                    <p class="MsoNormal">It is important to provide an
                      answer to these two questions.<o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal"> <o:p></o:p></p>
                  </div>
                  <div>
                    <p class="MsoNormal">Hereafter is some text that is
                      fully conformant with RFC 7519 which should be
                      incorporated into the privacy considerations
                      section <br>
                      which explains the implications of the two (and
                      only two) flavours of the "sub" claim.<o:p></o:p></p>
                  </div>
                  <blockquote
                    style="margin-top:5.0pt;margin-bottom:5.0pt">
                    <div>
                      <p class="MsoNormal">When the sub claim contains a
                        locally unique identifier in the context of the
                        issuer, this allows the tracking of principal
                        activities <br>
                        across multiple resource servers.<o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal"> <o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">When the sub claim contains a
                        globally unique identifier, this allows to
                        correlate principal activities across multiple
                        resource <br>
                        servers, while in addition, this globally unique
                        identifier may also allow to correlate the
                        principal activities on servers where <br>
                        no access has been performed by the principals
                        to these servers but where the same globally
                        unique identifiers are being used <br>
                        by these servers.<o:p></o:p></p>
                    </div>
                  </blockquote>
                  <div>
                    <p class="MsoNormal" style="margin-bottom:12.0pt">Denis<o:p></o:p></p>
                  </div>
                  <blockquote
                    style="margin-top:5.0pt;margin-bottom:5.0pt">
                    <div>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thanks
                        Denis for the thorough commentary.<o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i>&gt;
                          The title of this spec.</i><o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Fixed,
                        thanks!<o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i>&gt;
                          The client MUST NOT inspect the content of the
                          access token</i><o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">This
                        is really a sticky point. I really want to
                        acknowledge your PoV on this, but at the same
                        time I found this to be one of the biggest
                        sources of issues in the use of JWT for access
                        tokens hence I feel we really need to give solid
                        guidance here. Let me expand further on the
                        reasoning behind it, and perhaps we can get to
                        language that satisfies both PoVs.<o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">To
                        me the key point is that clients should not
                        write <i>code</i> that inspects access tokens.
                        Taking a dependency on the ability to do so is
                        ignoring fundamental information about the
                        architecture and relationships between OAuth
                        roles, and suggests an ability of the client to
                        understand the semantic of the content that
                        cannot be assumed in the general case. I
                        expanded on the details in my former reply to
                        you on this topic, I would recommend referring
                        to it. Clients violating this simple principle
                        has been one of the most common sources of
                        production issues I had to deal with in the past
                        few years, and one of the hardest to remediate
                        given that clients are hard to update and
                        sometimes the things they relied on were
                        irremediably lost. This is why I am inclined to
                        put in here strong language.<o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">That
                        said: I have nothing against client developers
                        examining a network trace and drawing
                        conclusions based on the content of what they
                        see. That doesn’t create any hard dependencies
                        and has no implications in respect to changes in
                        the solution behavior. However I am not sure how
                        to phrase that in the specification, given that
                        referring to the client inevitably refers to its
                        code. I am open to suggestions.<o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&gt;
                         3)…<o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I
                        have a pretty hard time following the chain of
                        reasoning in this section. Let me attempt to
                        tackle it to the best of my understanding.<o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I
                        think the key might be   <o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i>&gt;
                          a client should be able to choose whether it
                          wishes the sub claim to contain [..]</i><o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I
                        don’t think that should be a choice left to the
                        client. In business systems, my experience is
                        that the type of identifiers to be used (when
                        the IdP gives any choice at all)  is established
                        at resource provisioning time. I am not aware of
                        mechanisms thru which a client signals the
                        nature of the identifier to be used, nor that
                        would be fully feasible (the resource knows what
                        it needs to perform its function).<o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Furthermore:<o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i>&gt;
                          which has nothing to do with uniqueness since
                          the value changes for every generated token.</i><o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Again,
                        this is something that was touched on in my
                        former reply to your message. As long as an
                        identifier identifies one resource only, it
                        satisfies uniqueness. It doesn’t have to be a
                        singleton. <o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Finally,
                        the scope is optional (for good reasons: 1<sup>st</sup>
                        party and non delegation scenarios don’t require
                        it) hence it cannot be relied upon for
                        properties that should hold in every scenario.<o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">In
                        summary: per the preceding thread on this topic,
                        the consensus was that varying the sub content
                        was a satisfactory way of protecting against
                        correlation. I don’t agree that clients should
                        have a mechanism to request different sub
                        flavors, as that decision should be done out of
                        band by the AS and RS; and the scope isn’t
                        always available anyway.<o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i>&gt;
                          targeting of access tokens</i><o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Let
                        me think about that a bit longer. <o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I
                        acknowledge that the decision of including an
                        audience has the effect of letting the AS track
                        when the client accesses a particular resource,
                        but at the same time that’s completely
                        mainstream and very much by design in a very
                        large number of cases. As such, I find the
                        language you are suggesting to be potentially
                        confusing, as it positions this as an exception
                        vs a privacy protecting mainstream that is in
                        fact not common, and ascribes to the client more
                        latitude than I believe is legitimate to expect
                        or grant.<o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I’ll
                        try to come up with concise language that
                        clarifies to the reader that the current
                        mechanism does allow AS tracking.   <o:p></o:p></p>
                      <p class="MsoNormal"
                        style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
                      <div style="border:none;border-top:solid #B5C4DF
                        1.0pt;padding:3.0pt 0in 0in 0in">
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
                              style="font-size:12.0pt;color:black">From:
                            </span></b><span
                            style="font-size:12.0pt;color:black">OAuth <a
                              href="mailto:oauth-bounces@ietf.org"
                              target="_blank" moz-do-not-send="true">
                              &lt;oauth-bounces@ietf.org&gt;</a> on
                            behalf of Denis <a
                              href="mailto:denis.ietf@free.fr"
                              target="_blank" moz-do-not-send="true">
                              &lt;denis.ietf@free.fr&gt;</a><br>
                            <b>Date: </b>Wednesday, April 29, 2020 at
                            09:12<br>
                            <b>To: </b><a href="mailto:oauth@ietf.org"
                              target="_blank" moz-do-not-send="true">"oauth@ietf.org"</a>
                            <a href="mailto:oauth@ietf.org"
                              target="_blank" moz-do-not-send="true">
                              &lt;oauth@ietf.org&gt;</a><br>
                            <b>Subject: </b>Re: [OAUTH-WG] Second WGLC
                            on "JSON Web Token (JWT) Profile for OAuth
                            2.0 Access Tokens"</span><o:p></o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">You
                          will find four comments numbered 1) to 4). <o:p></o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>1)
                          </b>The title of this spec. is:<br>
                          <br>
                          <span
                            style="font-size:10.0pt;font-family:Courier">JSON
                            Web Token (JWT) Profile for OAuth <b>2.0</b>
                            Access Tokens</span><br>
                          <br>
                          So, this spec. is supposed to be targeted to
                          OAuth <b>2.0. </b> However, the header at
                          the top of the page omits to mention it. <br>
                          <br>
                          Currently, it is : <o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Internet-Draft      
                          OAuth Access Token JWT Profile           April
                          2020<o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">It
                          should rather be:<o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Internet-Draft      
                          OAuth <b>2.0</b> Access Token JWT
                          Profile           April 2020<br>
                          <br>
                          <b>2)</b> The following text is within section
                          6.<br>
                          <br>
                          The client MUST NOT inspect the content of<br>
                          the access token: the authorization server and
                          the resource server<br>
                          might decide to change token format at any
                          time (for example by<br>
                          switching from this profile to opaque tokens)
                          hence any logic in the<br>
                          client relying on the ability to read the
                          access token content would<br>
                          break without recourse.<br>
                          Nonetheless, authorization servers should<br>
                          not assume that clients will comply with the
                          above.<o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">It
                          is of a primary importance that clients MAY be
                          able to inspect tokens before transmitting
                          them.<br>
                          The "MUST NOT" is not acceptable. <o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The
                          above text should be replaced with:<br>
                          <br>
                          Reading the access token content may be useful
                          for the user to verify that <br>
                          the access token content matches with its
                          expectations.  However, <br>
                          the authorization server and the resource
                          server might decide to change the <br>
                          token format at any time.  Thus, the client
                          should not expect to always be <br>
                          in a position to read the access token
                          content.<br>
                          <br>
                          The remainder of the text about this topic is
                          fine.<br>
                          <br>
                          <br>
                          <b>3) </b>The next topic is about the sub
                          claim.<br>
                          <br>
                          The text states:<br>
                          <br>
                          <span
                            style="font-size:10.0pt;font-family:Courier">Although
                            the ability to correlate requests might be
                            required by<br>
                            design in many scenarios, there are
                            scenarios where the authorization<br>
                            server might want to prevent correlation to
                            preserve the desired<br>
                            level of privacy. Authorization servers
                            should choose how to assign<br>
                            sub values according to the level of privacy
                            required by each<br>
                            situation.</span><br>
                          <br>
                          I have a set of questions: <o:p></o:p></p>
                        <ol type="1" start="1">
                          <li class="MsoNormal"
                            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                            level1 lfo4"> How can authorization servers
                            choose how to assign sub values according to
                            the level of privacy required "by each
                            situation" ?<o:p></o:p></li>
                          <li class="MsoNormal"
                            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                            level1 lfo4"> How can authorization servers
                            know the level of privacy required "by each
                            situation" ? <o:p></o:p></li>
                          <li class="MsoNormal"
                            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                            level1 lfo4"> How can the users be informed
                            of the level of privacy required "by each
                            situation" ?<o:p></o:p></li>
                          <li class="MsoNormal"
                            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                            level1 lfo4"> How can the users <b>consent</b>
                            with the level of privacy required "by each
                            situation" ?<o:p></o:p></li>
                        </ol>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Currently,
                          the request MUST include either a resource
                          parameter or an aud claim parameter, while it
                          MAY include a scope parameter.<o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The
                          syntax of the scope parameter is a list of
                          space-delimited, case-sensitive strings (RFC
                          6749). It is thus subject to private
                          agreements <br>
                          between clients and Authorization Servers.
                          Since the scope is being returned, it is of
                          primary importance that the returned scope
                          matches <br>
                          with its expectations before transmitting the
                          token to a Resource Server.<br>
                          <br>
                          In theory, a client should be able to choose
                          whether it wishes the sub claim to contain :<o:p></o:p></p>
                        <ul type="disc">
                          <li class="MsoNormal"
                            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
                            level1 lfo7"> a global unique identifier for
                            all ASs ("globally unique"),<o:p></o:p></li>
                          <li class="MsoNormal"
                            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
                            level1 lfo7"> a unique identifier for each
                            AS ("locally unique in the context of the
                            issuer"),<o:p></o:p></li>
                          <li class="MsoNormal"
                            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
                            level1 lfo7"> a different pseudonym for each
                            RS, or <o:p></o:p></li>
                          <li class="MsoNormal"
                            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
                            level1 lfo7"> a different pseudonym for each
                            authorization token request.<o:p></o:p></li>
                        </ul>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The
                          only variable parameter that it can use for
                          this purpose in the token request is the scope
                          parameter.<br>
                          <br>
                          RFC 7519 states in section 4.1.2:<br>
                          <br>
                          <span style="font-family:&quot;Courier
                            New&quot;">The subject value MUST either be
                            scoped to be locally unique in the context
                            of the issuer <br>
                            or be globally unique.<br>
                          </span><br>
                          It is quite hard to recognize that the sub
                          claim is able to carry a different pseudonym
                          for each RS, i.e. for case (c), or <br>
                          a different pseudonym for each authorization
                          token request, i.e. for case (d), which has
                          nothing to do with uniqueness <br>
                          since the value changes for every generated
                          token.<br>
                          <br>
                          This has implications about the following
                          text:<br>
                          <br>
                          <span
                            style="font-size:10.0pt;font-family:Courier">For
                            instance: if a solution requires preventing
                            tracking<br>
                            principal activities across multiple
                            resource servers, the<br>
                            authorization server should ensure that JWT
                            access tokens meant for<br>
                            different resource servers have distinct sub
                            values that cannot be<br>
                            correlated in the event of resource servers
                            collusion.<br>
                            <br>
                          </span>Since it addresses case (c).<br>
                          <br>
                          and also about the following text:<br>
                          <br>
                          <span
                            style="font-size:10.0pt;font-family:Courier">4.b)
                            Similarly: if a solution requires preventing
                            a resource server from <br>
                            correlating the principal’s activity within
                            the resource itself, the <br>
                            authorization server should assign different
                            sub values for every JWT <br>
                            access token issued.</span><br>
                          <br>
                          Since it addresses case (d).<br>
                          <br>
                          This means that the current text placed in the
                          privacy considerations section was a good
                          attempt to address the case, <br>
                          but that the text needs to be revised.<br>
                          <br>
                          Proposed text replacement for all the
                          previously quoted sentences:<br>
                          <br>
                          According to RFC 7519 (4.1.2): The subject
                          value MUST either be scoped to be locally
                          unique in the context of the issuer or be
                          globally unique.<br>
                          <br>
                          When the sub claim contains a globally unique
                          identifier, this allows to correlate principal
                          activities across multiple resource servers,
                          while in addition, <br>
                          this globally unique identifier may also allow
                          to correlate the principal activities on
                          servers where no access has been performed by
                          the principals <br>
                          to these servers but where the same globally
                          unique identifiers are being used by these
                          servers. <br>
                          <br>
                          When the sub claim contains a locally unique
                          identifier in the context of the issuer, this
                          also allows the tracking of principal
                          activities across multiple resource servers.<br>
                          <br>
                          The scope request parameter is the only way to
                          influence on the content of the sub claim
                          parameter. Its meaning is subject to a private
                          agreement <br>
                          between the client and the AS, which means
                          that the use of the scope parameter is the
                          only way to choose between a locally unique
                          identifier <br>
                          in the context of the issuer or a globally
                          unique identifier.<br>
                          <br>
                          Since the scope parameter is being returned,
                          it is of primary importance that the returned
                          scope matches with the expectations of the
                          client before transmitting <br>
                          the token to a Resource Server.<br>
                          <br>
                          However, there are other cases where the
                          client would like to be able to choose whether
                          it wishes the sub claim to contain : <br>
                              - a different pseudonym for each RS so
                          that different resource servers will be unable
                          to correlate its activities, or<br>
                              - a different pseudonym for each
                          authorization token request, so that the same
                          resource server cannot correlate its
                          activities performed at different instants of
                          time. <br>
                          <br>
                          Considering the semantics of the sub claim,
                          these two cases cannot be currently supported.<br>
                          <br clear="all">
                          <br>
                          <b>4) </b>The next topic is about the
                          targeting of access tokens<o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Text
                          had been proposed before the last conference
                          call. Then, the topic has been presented at
                          the very end of the last conference call, but
                          no text has been included <br>
                          in the next draft. <o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Here
                          is a revised text to be included in the privacy
                          considerations section:<o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">For
                          security reasons, some clients may be willing
                          to target their access tokens but, for privacy
                          reasons, may be unwilling to disclose to
                          Authorization Servers <br>
                          an identification of the Resource Servers they
                          are going to access, so that Authorization
                          Servers will be unable to know which resources
                          servers are being accessed. <br>
                          The disclosure of the Resource Servers names
                          allows the Authorization Servers to list all
                          the Resource Servers being accessed by all its
                          users and in addition to list pairs <br>
                          of (Principal, Resource Servers) which allow
                          to trace all the users accesses to Resource
                          Servers performed through a given
                          Authorization Server. When a token is
                          targeted, <br>
                          this profile does not contain provisions to
                          address these two threats.<br>
                          <br>
                          Denis<o:p></o:p></p>
                      </div>
                      <blockquote
                        style="margin-top:5.0pt;margin-bottom:5.0pt">
                        <div>
                          <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:115%">Hi
                            all,<o:p></o:p></p>
                          <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:115%"> <o:p></o:p></p>
                          <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:115%">This
                            is a second working group last call for
                            "JSON Web Token (JWT) Profile for OAuth 2.0
                            Access Tokens".<o:p></o:p></p>
                          <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:115%"> <o:p></o:p></p>
                          <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:115%">Here
                            is the document:<o:p></o:p></p>
                          <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:115%"><a
href="https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06"
                              target="_blank" moz-do-not-send="true">https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06</a><o:p></o:p></p>
                          <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:115%"> <o:p></o:p></p>
                          <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:115%">Please
                            send your comments to the OAuth mailing list
                            by April 29, 2020.<o:p></o:p></p>
                          <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:115%"> <o:p></o:p></p>
                          <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:115%">Regards,<o:p></o:p></p>
                          <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:115%"> Rifaat
                            &amp; Hannes<o:p></o:p></p>
                          <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:115%"> <o:p></o:p></p>
                        </div>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
                      </blockquote>
                      <p> <o:p></o:p></p>
                    </div>
                  </blockquote>
                  <p> <o:p></o:p></p>
                </div>
              </blockquote>
            </div>
            <p class="MsoNormal">IMPORTANT NOTICE: The contents of this
              email and any attachments are confidential and may also be
              privileged. If you are not the intended recipient, please
              notify the sender immediately and do not disclose the
              contents to any other person, use it for any purpose, or
              store or copy the information in any medium. Thank you. <o:p></o:p></p>
          </blockquote>
          <p><o:p> </o:p></p>
        </div>
        </blockquote>
      <p><br>
      </p>
    </blockquote>
    <p><br>
    </p>
  </body>
</html>

--------------8A467CAF7BF250964740B9A3--
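
The sub-claim choices debated in the message above (one identifier per issuer, a pseudonym per RS, a pseudonym per token) can be compared by what colluding resource servers learn from the sub value alone. The following is an added example, not code from the draft or from any participant in the thread; the issuer, resource server URLs, account name and the SubAssigner class are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample values (assumptions, not taken from the draft or the thread).
ISSUER = "https://as.example.com"
RS_CALENDAR = "https://calendar.example.net"
RS_PAYMENTS = "https://payments.example.org"
PAIRWISE_KEY = secrets.token_bytes(32)  # AS-private key, never shared with any RS


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") never collide."""
    data = value.encode("utf-8")
    return len(data).to_bytes(4, "big") + data


class SubAssigner:
    """Hypothetical AS component that picks the sub value of a JWT access token."""

    def __init__(self, key: bytes):
        self._key = key
        self._per_token = {}  # sub -> account, kept so the AS can still resolve it

    def locally_unique(self, account: str, audience: str) -> str:
        # One identifier per principal at this issuer: identical at every RS.
        return account

    def per_resource_server(self, account: str, audience: str) -> str:
        # Keyed hash over (account, audience): stable at one RS, different at
        # another, and not recomputable by an RS because the key stays at the AS.
        mac = hmac.new(self._key, _field(account) + _field(audience), hashlib.sha256)
        return _b64u(mac.digest())

    def per_token(self, account: str, audience: str) -> str:
        # Fresh random value for every token. It still identifies exactly one
        # principal, which is the uniqueness property argued for in the thread.
        sub = _b64u(secrets.token_bytes(16))
        self._per_token[sub] = account
        return sub

    def resolve(self, sub: str):
        """AS-side lookup of a per-token pseudonym; returns None if unknown."""
        return self._per_token.get(sub)


def issue(assign, account: str, audience: str) -> dict:
    """Build the identity-related claims of an access token (signing omitted)."""
    return {"iss": ISSUER, "aud": audience, "sub": assign(account, audience)}


def linkable_subs(tokens) -> dict:
    """What resource servers learn by pooling tokens and comparing sub.

    Returns {sub: [audiences]} for every sub value seen in more than one token.
    """
    seen = defaultdict(list)
    for token in tokens:
        seen[token["sub"]].append(token["aud"])
    return {sub: auds for sub, auds in seen.items() if len(auds) > 1}


def linkage_by_strategy(account: str = "alice-4711") -> dict:
    """Issue three tokens per strategy (the third repeats an RS) and report linkage."""
    assigner = SubAssigner(PAIRWISE_KEY)
    requests = [RS_CALENDAR, RS_PAYMENTS, RS_CALENDAR]
    strategies = {
        "locally_unique": assigner.locally_unique,
        "per_resource_server": assigner.per_resource_server,
        "per_token": assigner.per_token,
    }
    return {
        name: linkable_subs([issue(fn, account, aud) for aud in requests])
        for name, fn in strategies.items()
    }


if __name__ == "__main__":
    for name, linked in linkage_by_strategy().items():
        print(name, "->", list(linked.values()))
```

With a per-RS pseudonym the only linkage left is between the two tokens presented to the same RS; with a per-token pseudonym there is none, and only the AS can map the value back to the account.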


From nobody Fri Jul 24 13:51:11 2020
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
From: Justin Richer <jricher@mit.edu>
Message-Id: <5016FEC0-B96A-47C0-9978-98CAEFA06BFA@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_491F6B41-8CA5-4CFB-B8F8-980EAD2AA396"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Fri, 24 Jul 2020 16:51:01 -0400
In-Reply-To: <0F86826A-14B0-4047-80C2-4D503C97763E@lodderstedt.net>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth@ietf.org
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <4ea6f9af-d67f-97df-6bae-752cf34f920c@connect2id.com> <B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu> <c84ca5ce-5fa0-dc8e-afaa-88f48dc6eaa8@connect2id.com> <5EFFFABC-2A9B-4353-A826-2D33D4E82600@mit.edu> <9ee8ed17-141c-1aeb-901a-4d91d6aa90b0@connect2id.com> <89302FD9-4FBF-4363-8B7E-545AB4A778AD@lodderstedt.net> <9c6b4565-7042-62cc-6346-4e668bcb0a77@connect2id.com> <0F86826A-14B0-4047-80C2-4D503C97763E@lodderstedt.net>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zWet6Wt7Mz4nuuU8zXXpMgPI6PQ>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2020 20:51:10 -0000

--Apple-Mail=_491F6B41-8CA5-4CFB-B8F8-980EAD2AA396
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

The more I’ve been thinking about it, the more I like the idea of using
“$schema” for that purpose. It’s already got a well-defined definition in
the JSON Schema world that would be familiar to people doing that, and
there’s no need to overload the “type” field for that purpose. You would be
able to do the same thing with the “@context” field from JSONLD, which has
similar semantics. If we tried to put those both into the “type” field, an
AS would have a hard time supporting both types of APIs, and so our goal of
allowing easy differentiation at the AS isn’t really met.

A quick straw man idea:

We :could: define a value for “type” that is “https://schema.org/” and have
it define the “$schema” field and how to process the rest of the object
using JSON Schema. Similar idea for something JSONLD based, it uses
“https://json-ld.org” and defines a “@context” field that says how to
process the rest of the request object using JSON-LD.

And in all of these cases, the “type” field is always checked by the AS by
doing a simple string comparison. The URI here is just to keep the two
public spaces from stepping on each other in their definitions.

As for Joseph’s comment about unicode: I think we can recommend that people
use ASCII because of the usability concerns, and use string comparison to
check and compare.

 — Justin

> On Jul 22, 2020, at 5:02 PM, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>
>> On 22. Jul 2020, at 22:16, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>
>> On 21/07/2020 18:43, Torsten Lodderstedt wrote:
>>>
>>>> On 21. Jul 2020, at 17:40, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>>>
>>>> On 21/07/2020 17:47, Justin Richer wrote:
>>>>>> On Jul 19, 2020, at 1:04 PM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>>>>>
>>>>>> On 18/07/2020 17:12, Justin Richer wrote:
>>>>>>> I think publishing supported “type” parameters isn’t a bad idea,
>>>>>>> and it aligns with publishing supported scopes and claims in
>>>>>>> discovery.
>>>>>> If you are a developer, would you like to be able to find out if
>>>>>> the authorization_details for a given "type" has a JSON schema and
>>>>>> what it looks like?
>>>>>>
>>>>> I think that would be a nice thing for an AS/API to offer, but I
>>>>> don’t think it should be expected or required here. That might be a
>>>>> good note in the guidance, say that if you use a URI for your “type”
>>>>> field then it would be nice if it resolved to something either human
>>>>> or machine readable. What I don’t want is for us to require every AS
>>>>> to have to resolve these URIs in order to process and understand
>>>>> them. That’s why I’m taking the position of it being a string, and
>>>>> the URI can provide disambiguation in the way you’re talking about
>>>>> below.
>>>> We've been thinking about giving developers the possibility to
>>>> discover the authorization_details JSON schema (if one is supplied)
>>>> for a given type via a separate AS metadata parameter. Not by making
>>>> the type a dereferenceable URL, which will overload things too much.
>>>>
>>>> authorization_details_json_schemas : {
>>>>   "<type-a>" : "<type-a-json-schema-url>",
>>>>   "<type-b>" : "<type-b-json-schema-url>",
>>>>  ...
>>>>
>>>> }
>>>> The rationale -- to minimise the number of potential support calls
>>>> for providers arising from "Oh dear, why do I get this
>>>> invalid_request now..." with complex RAR JSON objects.
>>> We could borrow the “$schema” element.
>>
>> Could you elaborate?
>
> I mean we could use this element in addition to the “type” element to
> specify the corresponding schema in each authorization details object.
>
>>
>>> However, I’m on the fence regarding introducing a separate parameter
>>> for the schema simply because it also introduces a new error cause if
>>> type and schema are inconsistent.
>>
>> Another idea was to still let the AS be configured with optional JSON
>> schemas for each type, and if the schema check of the
>> authorization_details fails, to include a meaningful message in the
>> invalid_request error_description and the schema URL in the error_uri.
>>
>> The downside of that is the schema cannot be discovered or retrieved
>> upfront.
>>
>> We really want to make it easy for developers to debug their requests
>> when facing complex RARs, on their own, without having to rely on a
>> support desk.
>>
>> IMO the std invalid_request is ok for communicating the condition of an
>> authorization_details object failing the schema check (if the additional
>> error code was your concern).
>>
>> Vladimir
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_491F6B41-8CA5-4CFB-B8F8-980EAD2AA396--
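
Added example (not part of the message above, nor code from the RAR draft or any of the participants): AS-side handling as discussed in this thread, in Python. The "type" value is matched by plain string comparison and never dereferenced, and a failed per-type check is returned as invalid_request with the schema URL in error_uri. All type names, URLs and field rules are constructed, and the required-field check is a stand-in for real JSON Schema validation.

```python
# Added example: type names, schema URLs and field rules are constructed.
import json

# Hypothetical AS configuration. Each supported "type" is an opaque string;
# a URI-shaped type is only a namespace and is never fetched or normalised.
SUPPORTED_TYPES = {
    "payment_initiation": {
        "schema_url": "https://as.example/schemas/payment_initiation.json",
        "required": {"instructedAmount": dict, "creditorAccount": dict},
    },
    "https://api.example/types/account_information": {
        "schema_url": "https://as.example/schemas/account_information.json",
        "required": {"actions": list},
    },
}

# Constructed sample request value for the authorization_details parameter.
SAMPLE_REQUEST = json.dumps([
    {"type": "payment_initiation",
     "instructedAmount": {"currency": "EUR", "amount": "123.50"},
     "creditorAccount": {"iban": "DE00 0000 0000 0000 0000 00"}},
    {"type": "https://api.example/types/account_information",
     "actions": ["read"]},
])


def discovery_metadata():
    """Type -> schema URL map, shaped like the authorization_details_json_schemas
    metadata parameter proposed in the thread (a proposal, not a registered name)."""
    return {
        "authorization_details_json_schemas": {
            t: cfg["schema_url"] for t, cfg in SUPPORTED_TYPES.items()
        }
    }


def non_ascii_types():
    """Configured types that ignore the thread's 'use ASCII' recommendation."""
    return [t for t in SUPPORTED_TYPES if not t.isascii()]


def _invalid(description, error_uri=None):
    err = {"error": "invalid_request", "error_description": description}
    if error_uri:
        err["error_uri"] = error_uri
    return err


def check_authorization_details(raw):
    """Return None when every object is acceptable, else an OAuth error dict."""
    try:
        details = json.loads(raw)
    except ValueError:
        return _invalid("authorization_details is not valid JSON")
    if not isinstance(details, list) or not details:
        return _invalid("authorization_details must be a non-empty JSON array")

    for index, obj in enumerate(details):
        where = f"authorization_details[{index}]"
        if not isinstance(obj, dict):
            return _invalid(f"{where} is not a JSON object")
        type_value = obj.get("type")
        if not isinstance(type_value, str):
            return _invalid(f"{where} has no string 'type'")
        # Simple string comparison: no case folding, no Unicode normalisation,
        # no URI canonicalisation, no dereferencing of URI-shaped values.
        cfg = SUPPORTED_TYPES.get(type_value)
        if cfg is None:
            # The unrecognised value is not echoed back: error_description
            # has a restricted character set (RFC 6749, section 5.2).
            return _invalid(f"{where}: unsupported type")
        # Stand-in for a JSON Schema check of the object against the schema
        # configured for this type.
        for field, expected in cfg["required"].items():
            if not isinstance(obj.get(field), expected):
                return _invalid(
                    f"{where}: '{field}' missing or not a JSON "
                    f"{'object' if expected is dict else 'array'}",
                    error_uri=cfg["schema_url"],
                )
    return None


if __name__ == "__main__":
    print(check_authorization_details(SAMPLE_REQUEST))
    print(check_authorization_details('[{"type": "Payment_Initiation"}]'))
```

A type that differs only in case or by a trailing slash is rejected as unsupported, which is the consequence of treating the URI as a namespace label rather than as a locator.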


From nobody Fri Jul 24 14:14:42 2020
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E84073A0B84 for <oauth@ietfa.amsl.com>; Fri, 24 Jul 2020 14:14:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e4lOZemTLmsJ for <oauth@ietfa.amsl.com>; Fri, 24 Jul 2020 14:14:10 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCDE43A0C64 for <oauth@ietf.org>; Fri, 24 Jul 2020 14:14:09 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id i80so5895543lfi.13 for <oauth@ietf.org>; Fri, 24 Jul 2020 14:14:09 -0700 (PDT)
X-Received: by 2002:a19:c653:: with SMTP id w80mr5886921lff.167.1595625247606;  Fri, 24 Jul 2020 14:14:07 -0700 (PDT)
MIME-Version: 1.0
References: <CA+k3eCRWSFGHPb9Yo1POR_YqZLELyhEuYuUsObcXMebxtnySBg@mail.gmail.com> <2ABDD1A0-0455-4CD7-94B9-121F7D61A287@forgerock.com>
In-Reply-To: <2ABDD1A0-0455-4CD7-94B9-121F7D61A287@forgerock.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 24 Jul 2020 15:13:41 -0600
Message-ID: <CA+k3eCSqv98aMAd94ow-iFnFx_x_XE_Xjxn=P=EBwj2k=xux9Q@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000014249805ab3674fe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mL6gEQhuDBzsP5HQb_9WkXT5-CY>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-par-02.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2020 21:14:13 -0000

--00000000000014249805ab3674fe
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Neil,

Torsten added this issue
https://github.com/oauthstuff/draft-oauth-par/issues/53 from your
questions/comments, which touches on some things, and maybe he can provide
more thoughts. But I'll make an attempt here too.

In my mind, the one-time use suggestion on the request_uri came about less
from the risks of replay and more from the fact that the contents of a
particular auth request are unique to the one request. So it just kinda
made sense to similarly limit the reference to the data in a request. A
specific request can only be made once so it's suggested (though not
required) that a request_uri that represents that request also be usable
only once.

I believe state and/or PKCE and/or nonce can prevent replay already but
those take effect at different points in the whole dance and to catch
replay of different artifacts.

Agreed that it'd be good for the draft to have some more discussion about
the risks of modification and disclosure of the request content. Torsten
also agreed yesterday at a brief discussion during OSW so I'm hopeful he
can add some good content to the draft :) Thinking about richer
authorization requests that might have transaction data like payee account
numbers or amounts or similar etc. gives some idea of requests where
integrity and confidentiality would be good. And even more basic requests,
preventing control or modification of something like code_challenge seems
useful.





On Thu, Jul 23, 2020 at 1:53 AM Neil Madden <neil.madden@forgerock.com>
wrote:

> Can you expand on the risks of replay? It seems like if the request can be
> replayed an attacker can also block the original request and inject the URI
> into a different request - ie no replay.
>
> (Shouldn’t state and/or PKCE and/or nonce prevent replay already?)
>
> In general the draft could do with some discussion of why an attacker
> being able to modify an authorization request is a risk. I might just be
> lacking enough coffee this morning to understand the risk here.
>
> — Neil
>
> On 22 Jul 2020, at 23:14, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>
> Thanks Vladimir, both comments should be easy to address in -03 (HTTPS/TLS
> required and SHOULD on short lifetime *and* single use).
>
> On Sun, Jul 19, 2020 at 12:55 PM Vladimir Dzhuvinov <
> vladimir@connect2id.com> wrote:
>
>> Thanks for the update. With the "require PAR" AS and client metadata the
>> spec is now "policy complete". I can't think of what else there is to add.
>>
>>
>> I have two comments about -02:
>>
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2
>>
>> I didn't see a mention of https / TLS being required for the PAR
>> endpoint. The reader could assume http is fine.
>>
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2.2
>>
>>    Since the request URI can be replayed, its lifetime SHOULD be short
>>    and preferably limited to one-time use.
>>
>> The SHOULD is ambiguous here - does it apply to the lifetime only, or to
>> the lifetime and the single use.
>>
>>
>> Vladimir
>>
>>
>> On 10/07/2020 21:36, Brian Campbell wrote:
>>
>> WG,
>>
>> A new -02 draft of "OAuth 2.0 Pushed Authorization Requests" has been
>> published. A summary of the changes, taken from the document history, is
>> included below for ease of reference.
>>
>>    -02
>>
>>    *  Update Resource Indicators reference to the somewhat recently
>>       published RFC 8707 <https://datatracker.ietf.org/doc/html/rfc8707>
>>
>>    *  Added metadata in support of pushed authorization requests only
>>       feature
>>
>>    *  Update to comply with draft-ietf-oauth-jwsreq-21 <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-21>, which requires
>>       "client_id" in the authorization request in addition to the
>>       "request_uri"
>>
>>    *  Clarified timing of request validation
>>
>>    *  Add some guidance/options on the request URI structure
>>
>>    *  Add the key used in the request object example so that a reader
>>       could validate or recreate the request object signature
>>
>>    *  Update to draft-ietf-oauth-jwsreq-25 <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-25> and added note regarding
>>       "require_signed_request_object"
>>
>>
>> ---------- Forwarded message ---------
>> From: <internet-drafts@ietf.org>
>> Date: Fri, Jul 10, 2020 at 1:21 PM
>> Subject: New Version Notification for draft-ietf-oauth-par-02.txt
>> To: Filip Skokan <panva.ip@gmail.com>, Torsten Lodderstedt <
>> torsten@lodderstedt.net>, Brian Campbell <bcampbell@pingidentity.com>,
>> Dave Tonge <dave@tonge.org>, Nat Sakimura <nat@sakimura.org>
>>
>>
>>
>> A new version of I-D, draft-ietf-oauth-par-02.txt
>> has been successfully submitted by Brian Campbell and posted to the
>> IETF repository.
>>
>> Name:           draft-ietf-oauth-par
>> Revision:       02
>> Title:          OAuth 2.0 Pushed Authorization Requests
>> Document date:  2020-07-10
>> Group:          oauth
>> Pages:          18
>> URL:
>> https://www.ietf.org/internet-drafts/draft-ietf-oauth-par-02.txt
>> Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-par/
>> Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-par-02
>> Htmlized:
>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par
>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-02
>>
>> Abstract:
>>    This document defines the pushed authorization request endpoint,
>>    which allows clients to push the payload of an OAuth 2.0
>>    authorization request to the authorization server via a direct
>>    request and provides them with a request URI that is used as
>>    reference to the data in a subsequent authorization request.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>>
>>
>> --
>> Vladimir Dzhuvinov
>>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited. If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you._

--00000000000014249805ab3674fe--
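Added example (not part of the original messages or of the PAR draft): one way an authorization server could enforce the short lifetime and single use of a request_uri discussed in the message above, with the reference also bound to the client_id that pushed it. The class and function names, the "urn:example:" prefix, the 60-second lifetime and the sample values are assumptions made for illustration.

```python
import secrets
import time

# Constructed prefix (assumption): the AS chooses the request_uri structure.
REQUEST_URI_PREFIX = "urn:example:request_uri:"


class InvalidRequestUri(Exception):
    """Raised when a request_uri cannot be redeemed."""


class PushedRequestStore:
    """In-memory store for pushed authorization requests (hypothetical helper)."""

    def __init__(self, lifetime_seconds=60, clock=time.monotonic):
        self._lifetime = lifetime_seconds
        self._clock = clock
        self._pending = {}  # request_uri -> (client_id, params, expires_at)

    def push(self, client_id, params):
        """Called by the PAR endpoint once the client has been authenticated."""
        # 256 bits from the CSPRNG, so the reference cannot be guessed.
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        expires_at = self._clock() + self._lifetime
        self._pending[request_uri] = (client_id, dict(params), expires_at)
        return {"request_uri": request_uri, "expires_in": self._lifetime}

    def redeem(self, client_id, request_uri):
        """Called by the authorization endpoint; returns the stored parameters."""
        # pop() removes the entry before any other check, so the reference is
        # spent on its first presentation whether or not that one succeeds.
        # With shared storage this must be an atomic delete-and-return.
        entry = self._pending.pop(request_uri, None)
        if entry is None:
            raise InvalidRequestUri("unknown or already used")
        owner, params, expires_at = entry
        if self._clock() >= expires_at:
            raise InvalidRequestUri("expired")
        # The authorization request carries client_id next to request_uri;
        # it must name the client that pushed the payload.
        if owner != client_id:
            raise InvalidRequestUri("client_id mismatch")
        return params

    def purge_expired(self):
        """Drop references that were never redeemed; returns how many."""
        now = self._clock()
        stale = [uri for uri, (_, _, exp) in self._pending.items() if now >= exp]
        for uri in stale:
            del self._pending[uri]
        return len(stale)


def outcome(store, client_id, request_uri):
    """Return 'accepted' or the rejection reason, for logging and tests."""
    try:
        store.redeem(client_id, request_uri)
        return "accepted"
    except InvalidRequestUri as exc:
        return str(exc)
```

Because the parameters, code_challenge included, are read back from the store rather than from the front-channel URL, a value changed in the browser redirect never reaches the authorization logic.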


From nobody Fri Jul 24 14:55:38 2020
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD0D63A0D4B for <oauth@ietfa.amsl.com>; Fri, 24 Jul 2020 14:55:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level: 
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.999, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wjU74wmD--Zo for <oauth@ietfa.amsl.com>; Fri, 24 Jul 2020 14:55:33 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C6A63A0D4E for <oauth@ietf.org>; Fri, 24 Jul 2020 14:55:33 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id h8so5951839lfp.9 for <oauth@ietf.org>; Fri, 24 Jul 2020 14:55:32 -0700 (PDT)
X-Received: by 2002:a19:6d1e:: with SMTP id i30mr6084160lfc.104.1595627730680;  Fri, 24 Jul 2020 14:55:30 -0700 (PDT)
MIME-Version: 1.0
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com> <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu> <1DEE264E-8E35-4AF0-974E-3C2C4966BC78@mit.edu>
In-Reply-To: <1DEE264E-8E35-4AF0-974E-3C2C4966BC78@mit.edu>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 24 Jul 2020 15:55:04 -0600
Message-ID: <CA+k3eCQv2TkHJuGz1SQVgDVA-g86QEcmB3EvNTP-3cgWZ+NWLA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000014db2005ab37089e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/T_TZIpOpYBUYxguUrNuZsdA564Q>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2020 21:55:37 -0000

--00000000000014db2005ab37089e
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I think I'm on board with the type being just a string and the guidance
provided about collision-resistance (rather than having a registry for
types or requiring type to be a URI or something along those lines). I
don't believe there's actually an issue with string comparison in that
context and so see no need for the draft to say anything special about it.

In looking at the pull request, however, I'm surprised by there being a
registry for the data elements. And honestly confused about how that would
even work in practice. The contents of the authorization details object are
determined by the `type` parameter but there's also a registry of the
elements that can make up that content that are general across type. I
don't see how to reconcile that.

On Mon, Jul 20, 2020 at 10:00 AM Justin Richer <jricher@mit.edu> wrote:

> I created a pull request with some proposed language here:
>
> https://github.com/oauthstuff/draft-oauth-rar/pull/52
>
>  — Justin
>
> On Jul 20, 2020, at 7:42 AM, Justin Richer <jricher@mit.edu> wrote:
>
> Since this is a recommendation for namespace, we could also just say
> collision-resistant like JWT, and any of those examples are fine. But that
> said, I think there’s something particularly compelling about URIs since
> they have somewhat-human-readable portions. But again, I’m saying it should
> be a recommendation to API developers and not a requirement in the spec. In
> the spec, I argue that “type” should be a string, full stop.
>
> If documentation is so confusing that developers are typing in the wrong
> strings, then that’s bad documentation. And likely a bad choice for the
> “type” string on the part of the AS. You’d have the same problem with any
> other value the developer’s supposed to copy over.  :)
>
> I agree that we should call out explicitly how they should be compared,
> and I propose we use one of the handful of existing string-comparison RFC’s
> here instead of defining our own rules.
>
> While the type could be a dereferenceable URI, requiring action on the AS
> is really getting into distributed authorization policies. We tried doing
> that with UMA1’s scope structures and it didn’t work very well in practice
> (in my memory and experience). Someone could profile “type” on top of this
> if they wanted to do so, with support at the AS for that, but I don’t see a
> compelling reason for that to be a requirement as that’s a lot of
> complexity and a lot more error states (the fetch fails, or it doesn’t have
> a policy, or the policy’s in a format the AS doesn’t understand, or the AS
> doesn’t like the policy, etc).
>
> An AS is always free to implement its types in such a fashion, and that
> could make plenty of sense in a smaller ecosystem. And this is yet another
> reason that we define “type” as being a string to be interpreted and
> understood by the AS — so that an AS that wants to work this way can do so.
>
>  — Justin
>
> PS: thanks for pointing out the error in the example in XYZ, I’ll fix that
> prior to publication.
>
> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> Justin: thanks for kindly pointing out which mail list this is.
>
> To clarify, public JWT claims are not just URIs, but any
> collision-resistant namespace:
> "Examples of collision-resistant namespaces include: Domain Names, Object
> Identifiers (OIDs) as defined in the ITU-T X.660 and X.670
> Recommendation series, and Universally Unique IDentifiers (UUIDs)
> [RFC4122]."
>
> I think letting the "type" be any JSON string and doing a byte-wise
> comparison will be problematic. A client developer will be reading
> documentation to learn what the types are, and typing it in. Given the wide
> set of whitespace characters, and unicode equivalence, different byte
> streams will all look the same, and a byte-wise comparison will fail.
>
> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is
> not sufficient. Canonicalization is required.
>
> These are not showstopper issues, but the specification should call out
> how type strings are compared, and provide caveats to an AS developer.
>
> I have no idea why you would think the AS would retrieve a URL.
>
> Since the type represents a much more complex object than a JWT claim, a
> client developer's tooling could pull down the JSON Schema (or some such)
> for a type used in their source code, and provide autocompletion and
> validation which would improve productivity and reduce errors. An AS that
> is using a defined type could use the schema for input validation. Neither
> of these would be at run time. JSON Schema allows comments and examples.
>
> What is the harm in non-normative language around a retrievable URI?
>
> BTW: the example in
> https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has not
> been updated with the "type" field.
>
>
>
> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>
>> Hi Dick,
>>
>> This is a discussion about the RAR specification on the OAuth list, and
>> therefore doesn’t have anything to do with alignment with XAuth. In fact, I
>> believe the alignment is the other way around, as doesn’t Xauth normatively
>> reference RAR at this point? Even though, last I saw, it uses a different
>> top-level structure for conveying things, I believe it does say to use the
>> internal object structures. I am also a co-author on RAR and we had already
>> defined a “type” field in RAR quite some time ago. You did notice that
>> XYZ’s latest draft added this field to keep the two in alignment with each
>> other, which has always been the goal since the initial proposal of the RAR
>> work, but that’s a time lag and not a display of new intent.
>>
>> In any event, even though I think the decision has bearing in both
>> places, this isn’t about GNAP. Working on RAR’s requirements has brought up
>> this interesting issue of what should be in the type field for RAR in OAuth
>> 2.
>>
>> I think that it should be defined as a string, and therefore compared as
>> a byte value in all cases, regardless of what the content of the string is.
>> I don’t think the AS should be expected to fetch a URI for anything. I
>> don’t think the AS should normalize any of the inputs. I think that any
>> JSON-friendly character set should be allowed (including spaces and
>> unicodes), and since RAR already requires the JSON objects to be
>> form-encoded, this shouldn’t cause additional trouble when adding them in
>> to OAuth 2’s request structures.
>>
>> The idea of using a URI would be to get people out of each other’s
>> namespaces. It’s similar to the concept of “public” vs “private” claims in
>> JWT:
>>
>> https://tools.ietf.org/html/rfc7519#section-4.2
>>
>> What I’m proposing is that if you think it’s going to be a
>> general-purpose type name, then we recommend you use a URI as your string.
>> And beyond that, that’s it. It’s up to the AS to figure out what to do with
>> it, and RAR stays out of it.
>>
>>  — Justin
>>
>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> Hey Justin, glad to see that you have aligned with the latest XAuth draft
>> on a type property being required.
>>
>> I like the idea that the value of the type property is fully defined by
>> the AS, which could delegate it to a common URI for reuse. This gets GNAP
>> out of specifying access requests, and enables other parties to define
>> access without any required coordination with IETF or IANA.
>>
>> A complication in mixing plain strings and URIs is the canonicalization.
>> A plain string can be a fixed byte representation, but a URI requires
>> canonicalization for comparison. Mixing the two requires URI detection at
>> the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>>
>> The URI is retrievable, it can provide machine and/or human readable
>> documentation in JSON schema or some such, or any other content type. Once
>> again, the details are out of scope of GNAP, but we can provide examples to
>> guide implementers.
>>
>> Are you still thinking that bare strings are allowed in GNAP, and are
>> defined by the AS?
>>
>>
>>
>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>
>>> The “type” field in the RAR spec serves an important purpose: it defines
>>> what goes in the rest of the object, including what other fields are
>>> available and what values are allowed for those fields. It provides an
>>> API-level definition for requesting access based on multiple dimensions,
>>> and that’s really powerful and flexible. Each type can use any of the
>>> general-purpose fields like “actions” and/or add its own fields as
>>> necessary, and the “type” parameter keeps everything well-defined.
>>>
>>> The question, then, is what defines what’s allowed to go into the “type”
>>> field itself? And what defines how that value maps to the requirements for
>>> the rest of the object? The draft doesn’t say anything about it at the
>>> moment, but we should choose the direction we want to go. On the surface,
>>> there are three main options:
>>>
>>> 1) Require all values to be registered.
>>> 2) Require all values to be collision-resistant (eg, URIs).
>>> 3) Require all values to be defined by the AS (and/or the RS’s that it
>>> protects).
>>>
>>> Are there any other options?
>>>
>>> Here are my thoughts on each approach:
>>>
>>> 1) While it usually makes sense to register things for interoperability,
>>> this is a case where I think that a registry would actually hurt
>>> interoperability and adoption. Like a “scope” value, the RAR “type” is
>>> ultimately up to the AS and RS to interpret in their own context. We :want:
>>> people to define rich objects for their APIs and enable fine-grained access
>>> for their systems, and if they have to register something every time they
>>> come up with a new API to protect, it’s going to be an unmaintainable mess.
>>> I genuinely don’t think this would scale, and that most developers would
>>> just ignore the registry and do what they want anyway. And since many of
>>> these systems are inside domains, it’s completely unenforceable in practice.
>>>
>>> 2) This seems reasonable, but it’s a bit of a nuisance to require
>>> everything to be a URI here. It’s long and ugly, and a lot of APIs are
>>> going to be internal to a given group, deployment, or ecosystem anyway.
>>> This makes sense when you’ve got something reusable across many
>>> deployments, like OIDC, but it’s overhead when what you’re doing is tied to
>>> your environment.
>>>
>>> 3) This allows the AS and RS to define the request parameters for their
>>> APIs just like they do today with scopes. Since it’s always the combination
>>> of “this type :AT: this AS/RS”, name spacing is less of an issue across
>>> systems. We haven’t seen huge problems in scope value overlap in the wild,
>>> though it does occur from time to time it’s more than manageable. A client
>>> isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it
>>> can access something in particular.
>>>
>>> And all that brings me to my proposal:
>>>
>>> 4) Require all values to be defined by the AS, and encourage
>>> specification developers to use URIs for collision resistance.
>>>
>>> So officially in RAR, the AS would decide what “type” means, and nobody
>>> else. But we can also guide people who are developing general-purpose
>>> interoperable APIs to use URIs for their RAR “type” definitions. This would
>>> keep those interoperable APIs from stepping on each other, and from
>>> stepping on any locally-defined special “type” structure. But at the end of
>>> the day, the URI carries no more weight than just any other string, and the
>>> AS decides what it means and how it applies.
>>>
>>> My argument is that this seems to have worked very, very well for
>>> scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>
>>> What does the rest of the group think? How should we manage the RAR
>>> “type” values and what they mean?
>>>
>>>  — Justin
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>>


--00000000000014db2005ab37089e--
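
The comparison question debated in this thread (exact byte-wise matching of the RAR `type` versus Unicode or URI canonicalization), worked as an added example that is not from any participant, the RAR draft or an implementation. A hypothetical AS accepts a `type` only when its UTF-8 bytes are identical to a value it defined, and uses normalization solely to explain a rejection; the type values, host name and function names are constructed for illustration.

```python
import json
import unicodedata
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: "type" values a hypothetical AS has defined for its APIs.
AS_DEFINED_TYPES = (
    "payment_initiation",
    "caf\u00e9_orders",                       # "é" stored as one code point (NFC)
    "https://rar.example.com/types/account",  # URI used purely as a namespace
)
_DEFINED_BYTES = {t.encode("utf-8"): t for t in AS_DEFINED_TYPES}

# Constructed authorization_details array, as it would look after JSON parsing.
SAMPLE_DETAILS = json.loads(r'''[
  {"type": "payment_initiation"},
  {"type": "cafe\u0301_orders"},
  {"type": "payment_initiation\u00a0"},
  {"type": "HTTPS://RAR.Example.COM/types/account"},
  {"type": "unknown_type"}
]''')


def match_type(value):
    """Return the defined type only if the UTF-8 bytes are identical."""
    if not isinstance(value, str):
        return None
    # surrogatepass: a lone surrogate from JSON must not raise, it simply never matches.
    return _DEFINED_BYTES.get(value.encode("utf-8", "surrogatepass"))


def _collapse_ws(s):
    # str.split() without arguments splits on every Unicode whitespace character.
    return " ".join(s.split())


def _uri_fold(s):
    """Lower-case scheme and authority; the host is case-insensitive in a URI.

    Folding the whole authority (userinfo included) is a simplification that is
    acceptable here because the result is only used for a hint.
    """
    try:
        parts = urlsplit(s)
    except ValueError:
        return s
    if not parts.scheme or not parts.netloc:
        return s
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path, parts.query, parts.fragment))


def near_misses(value):
    """Diagnostics only: defined types that `value` resembles without matching."""
    hints = []
    for defined in AS_DEFINED_TYPES:
        if value == defined:
            continue
        if unicodedata.normalize("NFC", value) == unicodedata.normalize("NFC", defined):
            hints.append((defined, "unicode-normalization"))
        elif _collapse_ws(value) == _collapse_ws(defined):
            hints.append((defined, "whitespace"))
        elif _uri_fold(value) == _uri_fold(defined):
            hints.append((defined, "uri-scheme-or-host-case"))
    return hints


def check_authorization_details(details):
    """Accept an entry only on an exact match; attach hints to every rejection."""
    results = []
    for entry in details:
        value = entry.get("type") if isinstance(entry, dict) else None
        accepted = match_type(value) is not None
        hints = [] if accepted or not isinstance(value, str) else near_misses(value)
        results.append({"type": value, "accepted": accepted, "hints": hints})
    return results


if __name__ == "__main__":
    for result in check_authorization_details(SAMPLE_DETAILS):
        print(json.dumps(result, ensure_ascii=True))
```

The hints are meant for the AS's error log or developer-facing error description; the authorization decision itself never depends on the normalized form.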


From nobody Sat Jul 25 17:48:07 2020
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3790A3A048D for <oauth@ietfa.amsl.com>; Sat, 25 Jul 2020 17:47:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.081
X-Spam-Level: 
X-Spam-Status: No, score=0.081 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.999, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ikJqbdC7vh_P for <oauth@ietfa.amsl.com>; Sat, 25 Jul 2020 17:47:54 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F32FE3A081F for <oauth@ietf.org>; Sat, 25 Jul 2020 17:47:53 -0700 (PDT)
Received: from [192.168.1.3] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 06Q0lphN023868 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 25 Jul 2020 20:47:52 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <50FA3A37-00E5-4C9D-91B0-5829268C76C6@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3E849586-3611-4E8F-8B24-BAC65C6DE250"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Sat, 25 Jul 2020 20:47:51 -0400
In-Reply-To: <CA+k3eCQv2TkHJuGz1SQVgDVA-g86QEcmB3EvNTP-3cgWZ+NWLA@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <CAD9ie-tTTBTGGq_Dw16efNt6OMgDgKnat0_G-AkvDaizgOEjLQ@mail.gmail.com> <AAF45754-674D-4034-AA86-DDFBCEC6802D@mit.edu> <CAD9ie-tCPymDtqXAyB=WAKmtg2LXHXY==1Jbm6icwwLwL5W1Aw@mail.gmail.com> <094C7F56-93F7-41EC-AD94-A0752E76BD9D@mit.edu> <1DEE264E-8E35-4AF0-974E-3C2C4966BC78@mit.edu> <CA+k3eCQv2TkHJuGz1SQVgDVA-g86QEcmB3EvNTP-3cgWZ+NWLA@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-L2RkrRG4rM2Jd_-uaFD2Kb4YDQ>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jul 2020 00:48:05 -0000

--Apple-Mail=_3E849586-3611-4E8F-8B24-BAC65C6DE250
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Brian,

I can appreciate the confusion on the elements registry. It’s really about having a place to put re-usable components that people might use within their own “type” definitions, if they want to. The construct in use there is similar to what we used in Vectors of Trust (RFC8485), https://tools.ietf.org/html/rfc8485

A VoT “trust framework” document can technically define whatever categories and values that it wants to. However, there is a registry for common categories, designed to be core dimensions applicable across a number of different trust frameworks.

So the way that it works is that a “type” can redefine its own syntax and semantics for something like “actions” or “locations”, if it wants to, but the registry is giving people a place to look and say, “oh hey, someone already uses ‘actions’ in a general way, maybe that works for me and I can use that definition, or maybe I should find a different word”. So while “type” avoids the programmatic namespace collision of two different definitions of “action”, the registry helps to avoid developer confusion about having two different uses for the same word.

It’s not foolproof, but it’s better than making every API designer start from a completely blank slate.

 — Justin

> On Jul 24, 2020, at 5:55 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
> I think I'm on board with the type being just a string and the guidance provided about collision-resistance (rather than having a registry for types or requiring type to be a URI or something along those lines). I don't believe there's actually an issue with string comparison in that context and so see no need for the draft to say anything special about it.
>
> In looking at the pull request, however, I'm surprised by there being a registry for the data elements. And honestly confused about how that would even work in practice. The contents of the authorization details object are determined by the `type` parameter but there's also a registry of the elements that can make up that content that are general across type. I don't see how to reconcile that.
>
> On Mon, Jul 20, 2020 at 10:00 AM Justin Richer <jricher@mit.edu> wrote:
> I created a pull request with some proposed language here:
>
> https://github.com/oauthstuff/draft-oauth-rar/pull/52
>
>  — Justin
>
>> On Jul 20, 2020, at 7:42 AM, Justin Richer <jricher@mit.edu> wrote:
>>
>> Since this is a recommendation for namespace, we could also just say collision-resistant like JWT, and any of those examples are fine. But that said, I think there’s something particularly compelling about URIs since they have somewhat-human-readable portions. But again, I’m saying it should be a recommendation to API developers and not a requirement in the spec. In the spec, I argue that “type” should be a string, full stop.
>>
>> If documentation is so confusing that developers are typing in the wrong strings, then that’s bad documentation. And likely a bad choice for the “type” string on the part of the AS. You’d have the same problem with any other value the developer’s supposed to copy over.  :)
>>
>> I agree that we should call out explicitly how they should be compared, and I propose we use one of the handful of existing string-comparison RFCs here instead of defining our own rules.
>>
>> While the type could be a dereferenceable URI, requiring action on the AS is really getting into distributed authorization policies. We tried doing that with UMA1’s scope structures and it didn’t work very well in practice (in my memory and experience). Someone could profile “type” on top of this if they wanted to do so, with support at the AS for that, but I don’t see a compelling reason for that to be a requirement as that’s a lot of complexity and a lot more error states (the fetch fails, or it doesn’t have a policy, or the policy’s in a format the AS doesn’t understand, or the AS doesn’t like the policy, etc).
>>
>> An AS is always free to implement its types in such a fashion, and that could make plenty of sense in a smaller ecosystem. And this is yet another reason that we define “type” as being a string to be interpreted and understood by the AS — so that an AS that wants to work this way can do so.
>>
>>  — Justin
>>
>> PS: thanks for pointing out the error in the example in XYZ, I’ll fix that prior to publication.
>>
>>> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>> Justin: thanks for kindly pointing out which mail list this is.
>>>
>>> To clarify, public JWT claims are not just URIs, but any collision-resistant namespace:
>>> "Examples of collision-resistant namespaces include: Domain Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) [RFC4122]."
>>>
>>> I think letting the "type" be any JSON string and doing a byte-wise comparison will be problematic. A client developer will be reading documentation to learn what the types are, and typing it in. Given the wide set of whitespace characters, and unicode equivalence, different byte streams will all look the same, and a byte-wise comparison will fail.
>>>
>>> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is not sufficient. Canonicalization is required.
>>>
>>> These are not showstopper issues, but the specification should call out how type strings are compared, and provide caveats to an AS developer.
>>>
>>> I have no idea why you would think the AS would retrieve a URL.
>>>
>>> Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.
>>>
>>> What is the harm in non-normative language around a retrievable URI?
>>>
>>> BTW: the example in https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has not been updated with the "type" field.
>>>
>>>
>>>
>>> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>>> Hi Dick,
>>>
>>> This is a discussion about the RAR specification on the OAuth list, and therefore doesn’t have anything to do with alignment with XAuth. In fact, I believe the alignment is the other way around, as doesn’t Xauth normatively reference RAR at this point? Even though, last I saw, it uses a different top-level structure for conveying things, I believe it does say to use the internal object structures. I am also a co-author on RAR and we had already defined a “type” field in RAR quite some time ago. You did notice that XYZ’s latest draft added this field to keep the two in alignment with each other, which has always been the goal since the initial proposal of the RAR work, but that’s a time lag and not a display of new intent.
>>>
>>> In any event, even though I think the decision has bearing in both places, this isn’t about GNAP. Working on RAR’s requirements has brought up this interesting issue of what should be in the type field for RAR in OAuth 2.
>>>
>>> I think that it should be defined as a string, and therefore compared as a byte value in all cases, regardless of what the content of the string is. I don’t think the AS should be expected to fetch a URI for anything. I don’t think the AS should normalize any of the inputs. I think that any JSON-friendly character set should be allowed (including spaces and unicodes), and since RAR already requires the JSON objects to be form-encoded, this shouldn’t cause additional trouble when adding them in to OAuth 2’s request structures.
>>>
>>> The idea of using a URI would be to get people out of each other’s namespaces. It’s similar to the concept of “public” vs “private” claims in JWT:
>>>
>>> https://tools.ietf.org/html/rfc7519#section-4.2
>>>
>>> What I’m proposing is that if you think it’s going to be a general-purpose type name, then we recommend you use a URI as your string. And beyond that, that’s it. It’s up to the AS to figure out what to do with it, and RAR stays out of it.
>>>
>>>  — Justin
>>>
>>>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>
>>>> Hey Justin, glad to see that you have aligned with the latest XAuth draft on a type property being required.
>>>>
>>>> I like the idea that the value of the type property is fully defined by the AS, which could delegate it to a common URI for reuse. This gets GNAP out of specifying access requests, and enables other parties to define access without any required coordination with IETF or IANA.
>>>>
>>>> A complication in mixing plain strings and URIs is the canonicalization. A plain string can be a fixed byte representation, but a URI requires canonicalization for comparison. Mixing the two requires URI detection at the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>>>>
>>>> The URI is retrievable, it can provide machine and/or human readable documentation in JSON schema or some such, or any other content type. Once again, the details are out of scope of GNAP, but we can provide examples to guide implementers.
>>>>
>>>> Are you still thinking that bare strings are allowed in GNAP, and are defined by the AS?
>>>>
>>>>
>>>>
>>>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>>> The “type” field in the RAR spec serves an important purpose: it defines what goes in the rest of the object, including what other fields are available and what values are allowed for those fields. It provides an API-level definition for requesting access based on multiple dimensions, and that’s really powerful and flexible. Each type can use any of the general-purpose fields like “actions” and/or add its own fields as necessary, and the “type” parameter keeps everything well-defined.
>>>>
>>>> The question, then, is what defines what’s allowed to go into the “type” field itself? And what defines how that value maps to the requirements for the rest of the object? The draft doesn’t say anything about it at the moment, but we should choose the direction we want to go. On the surface, there are three main options:
>>>>
>>>> 1) Require all values to be registered.
>>>> 2) Require all values to be collision-resistant (eg, URIs).
>>>> 3) Require all values to be defined by the AS (and/or the RS’s that it protects).
>>>>
>>>> Are there any other options?
>>>>
>>>> Here are my thoughts on each approach:
>>>>
>>>> 1) While it usually makes sense to register things for interoperability, this is a case where I think that a registry would actually hurt interoperability and adoption. Like a “scope” value, the RAR “type” is ultimately up to the AS and RS to interpret in their own context. We :want: people to define rich objects for their APIs and enable fine-grained access for their systems, and if they have to register something every time they come up with a new API to protect, it’s going to be an unmaintainable mess. I genuinely don’t think this would scale, and that most developers would just ignore the registry and do what they want anyway. And since many of these systems are inside domains, it’s completely unenforceable in practice.
>>>>
>>>> 2) This seems reasonable, but it’s a bit of a nuisance to require everything to be a URI here. It’s long and ugly, and a lot of APIs are going to be internal to a given group, deployment, or ecosystem anyway. This makes sense when you’ve got something reusable across many deployments, like OIDC, but it’s overhead when what you’re doing is tied to your environment.
>>>>
>>>> 3) This allows the AS and RS to define the request parameters for their APIs just like they do today with scopes. Since it’s always the combination of “this type :AT: this AS/RS”, name spacing is less of an issue across systems. We haven’t seen huge problems in scope value overlap in the wild, though it does occur from time to time it’s more than manageable. A client isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it can access something in particular.
>>>>
>>>> And all that brings me to my proposal:
>>>>
>>>> 4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.
>>>>
>>>> So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.
>>>>
>>>> My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>>
>>>> What does the rest of the group think? How should we manage the RAR “type” values and what they mean?
>>>>
>>>>  — Justin
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_3E849586-3611-4E8F-8B24-BAC65C6DE250--
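
Added example (not part of any message in this thread): the exact, byte-wise comparison of RAR "type" values argued for above, next to the look-alike inputs raised in the replies (stray whitespace, Unicode equivalence, URI case). The type values, the example.org URI, and the names KNOWN_TYPES, match_type and diagnose are assumptions made for illustration; a near-miss is only reported, never accepted.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample data: "type" values a hypothetical AS has defined.
KNOWN_TYPES = (
    "payment_initiation",
    "https://schema.example.org/caf\u00e9-orders",  # "é" as one code point (NFC)
)


def match_type(requested, known=KNOWN_TYPES):
    """Byte-wise comparison of the UTF-8 encodings; nothing is normalized."""
    wire = requested.encode("utf-8")
    for candidate in known:
        if candidate.encode("utf-8") == wire:
            return candidate
    return None


def _fold_whitespace(value):
    # str.split() with no argument splits on every Unicode whitespace
    # character, including U+00A0 NO-BREAK SPACE.
    return " ".join(value.split())


def _fold_unicode(value):
    # Canonical equivalence: "e" + U+0301 and U+00E9 render identically.
    return unicodedata.normalize("NFC", value)


def _fold_uri(value):
    # Case normalization of scheme and authority (RFC 3986, section 6.2.2.1).
    # Simplification: userinfo, if present, is lower-cased as well.
    try:
        parts = urlsplit(value)
    except ValueError:
        return value
    if not parts.scheme or not parts.netloc:
        return value  # a bare string, not an absolute URI
    return parts._replace(scheme=parts.scheme.lower(),
                          netloc=parts.netloc.lower()).geturl()


# Checked in this order; the first fold that makes two values equal is reported.
FOLDS = (
    ("whitespace", _fold_whitespace),
    ("unicode-normalization", _fold_unicode),
    ("uri-case", _fold_uri),
)


def diagnose(requested, known=KNOWN_TYPES):
    """Explain why a value did not match. For error text and logs only:
    the authorization decision still rests on match_type()."""
    exact = match_type(requested, known)
    if exact is not None:
        return ("match", exact)
    for label, fold in FOLDS:
        folded = fold(requested)
        for candidate in known:
            if fold(candidate) == folded:
                return (label, candidate)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed inputs a client developer might plausibly send.
    samples = [
        "payment_initiation",
        "payment_initiation\u00a0",                        # trailing NBSP
        "https://schema.example.org/cafe\u0301-orders",    # decomposed "é"
        "HTTPS://Schema.Example.org/caf\u00e9-orders",     # scheme/host case
        "payment-initiation",
    ]
    for sample in samples:
        print(ascii(sample), "->", diagnose(sample))
```
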


From nobody Sun Jul 26 04:27:06 2020
Content-Type: multipart/signed; boundary=Apple-Mail-B7D810C2-2DA3-4E2C-BE1A-076E99E1B59A; protocol="application/pkcs7-signature"; micalg=sha-256
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Sun, 26 Jul 2020 13:26:57 +0200
Message-Id: <E0541BBE-63AF-4699-9F06-DA5E13C8C0CC@lodderstedt.net>
References: <50FA3A37-00E5-4C9D-91B0-5829268C76C6@mit.edu>
Cc: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
In-Reply-To: <50FA3A37-00E5-4C9D-91B0-5829268C76C6@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: iPad Mail (17F80)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JPQDlIjB6J8taDa1Er1b6KCzs2w>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

--Apple-Mail-B7D810C2-2DA3-4E2C-BE1A-076E99E1B59A
Content-Type: multipart/alternative;
	boundary=Apple-Mail-C8F6CB79-DECD-4A9E-816D-BA1E061A686A
Content-Transfer-Encoding: 7bit


--Apple-Mail-C8F6CB79-DECD-4A9E-816D-BA1E061A686A
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi,

the wording regarding type works for me.

Similar to Brian, I don’t understand how the data type registry is supposed to work.

In my opinion, type and locations are completely different from the other elements since they are required by the protocol itself. Their semantics must not be changed by applications.

The other element types are reusable components, but I don’t understand how an application or standard would refer to them, include them into their type definition, and how overloading might happen. For example, are these elements always included in the top level container or can they be used deeper in the structure?

There are alternative solutions for reuse. I personally would use JSON schemas to define such reusable elements and the authorization data types utilizing them.

I therefore don’t see the need for a RAR specific mechanism (a registry).

best regards,
Torsten.

> On 26.07.2020 at 02:48, Justin Richer <jricher@mit.edu> wrote:
>
> Brian,
>
> I can appreciate the confusion on the elements registry. It’s really about having a place to put re-usable components that people might use within their own “type” definitions, if they want to. The construct in use there is similar to what we used in Vectors of Trust (RFC8485), https://tools.ietf.org/html/rfc8485
>
> A VoT “trust framework” document can technically define whatever categories and values that it wants to. However, there is a registry for common categories, designed to be core dimensions applicable across a number of different trust frameworks.
>
> So the way that it works is that a “type” can redefine its own syntax and semantics for something like “actions” or “locations”, if it wants to, but the registry is giving people a place to look and say, “oh hey, someone already uses ‘actions’ in a general way, maybe that works for me and I can use that definition, or maybe I should find a different word”. So while “type” avoids the programmatic namespace collision of two different definitions of “action”, the registry helps to avoid developer confusion about having two different uses for the same word.
>
> It’s not foolproof, but it’s better than making every API designer start from a completely blank slate.
>
>  — Justin
>
>> On Jul 24, 2020, at 5:55 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>
>> I think I'm on board with the type being just a string and the guidance provided about collision-resistance (rather than having a registry for types or requiring type to be a URI or something along those lines). I don't believe there's actually an issue with string comparison in that context and so see no need for the draft to say anything special about it.
>>
>> In looking at the pull request, however, I'm surprised by there being a registry for the data elements. And honestly confused about how that would even work in practice. The contents of the authorization details object are determined by the `type` parameter but there's also a registry of the elements that can make up that content that are general across type. I don't see how to reconcile that.
>>
>> On Mon, Jul 20, 2020 at 10:00 AM Justin Richer <jricher@mit.edu> wrote:
>>> I created a pull request with some proposed language here:
>>>
>>> https://github.com/oauthstuff/draft-oauth-rar/pull/52
>>>
>>>  — Justin
>>>
>>>> On Jul 20, 2020, at 7:42 AM, Justin Richer <jricher@mit.edu> wrote:
>>>>
>>>> Since this is a recommendation for namespace, we could also just say collision-resistant like JWT, and any of those examples are fine. But that said, I think there’s something particularly compelling about URIs since they have somewhat-human-readable portions. But again, I’m saying it should be a recommendation to API developers and not a requirement in the spec. In the spec, I argue that “type” should be a string, full stop.
>>>>
>>>> If documentation is so confusing that developers are typing in the wrong strings, then that’s bad documentation. And likely a bad choice for the “type” string on the part of the AS. You’d have the same problem with any other value the developer’s supposed to copy over.  :)
>>>>
>>>> I agree that we should call out explicitly how they should be compared, and I propose we use one of the handful of existing string-comparison RFCs here instead of defining our own rules.
>>>>
>>>> While the type could be a dereferenceable URI, requiring action on the AS is really getting into distributed authorization policies. We tried doing that with UMA1’s scope structures and it didn’t work very well in practice (in my memory and experience). Someone could profile “type” on top of this if they wanted to do so, with support at the AS for that, but I don’t see a compelling reason for that to be a requirement as that’s a lot of complexity and a lot more error states (the fetch fails, or it doesn’t have a policy, or the policy’s in a format the AS doesn’t understand, or the AS doesn’t like the policy, etc).
>>>>
>>>> An AS is always free to implement its types in such a fashion, and that could make plenty of sense in a smaller ecosystem. And this is yet another reason that we define “type” as being a string to be interpreted and understood by the AS — so that an AS that wants to work this way can do so.
>>>>
>>>>  — Justin
>>>>
>>>> PS: thanks for pointing out the error in the example in XYZ, I’ll fix that prior to publication.
>>>>
>>>>> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>
>>>>> Justin: thanks for kindly pointing out which mail list this is.
>>>>>
>>>>> To clarify, public JWT claims are not just URIs, but any collision-resistant namespace:
>>>>> "Examples of collision-resistant namespaces include: Domain Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) [RFC4122]."
>>>>>
>>>>> I think letting the "type" be any JSON string and doing a byte-wise comparison will be problematic. A client developer will be reading documentation to learn what the types are, and typing it in. Given the wide set of whitespace characters, and unicode equivalence, different byte streams will all look the same, and a byte-wise comparison will fail.
>>>>>
>>>>> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is not sufficient. Canonicalization is required.
>>>>>
>>>>> These are not showstopper issues, but the specification should call out how type strings are compared, and provide caveats to an AS developer.
>>>>>
>>>>> I have no idea why you would think the AS would retrieve a URL.
>>>>>
>>>>> Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.
>>>>>
>>>>> What is the harm in non-normative language around a retrievable URI?
>>>>>
>>>>> BTW: the example in https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has not been updated with the "type" field.
>>>>>
>>>>> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>>>>>> Hi Dick,
>>>>>>
>>>>>> This is a discussion about the RAR specification on the OAuth list, and therefore doesn’t have anything to do with alignment with XAuth. In fact, I believe the alignment is the other way around, as doesn’t Xauth normatively reference RAR at this point? Even though, last I saw, it uses a different top-level structure for conveying things, I believe it does say to use the internal object structures. I am also a co-author on RAR and we had already defined a “type” field in RAR quite some time ago. You did notice that XYZ’s latest draft added this field to keep the two in alignment with each other, which has always been the goal since the initial proposal of the RAR work, but that’s a time lag and not a display of new intent.
>>>>>>
>>>>>> In any event, even though I think the decision has bearing in both places, this isn’t about GNAP. Working on RAR’s requirements has brought up this interesting issue of what should be in the type field for RAR in OAuth 2.
>>>>>>
>>>>>> I think that it should be defined as a string, and therefore compared as a byte value in all cases, regardless of what the content of the string is. I don’t think the AS should be expected to fetch a URI for anything. I don’t think the AS should normalize any of the inputs. I think that any JSON-friendly character set should be allowed (including spaces and unicodes), and since RAR already requires the JSON objects to be form-encoded, this shouldn’t cause additional trouble when adding them in to OAuth 2’s request structures.
>>>>>>
>>>>>> The idea of using a URI would be to get people out of each other’s namespaces. It’s similar to the concept of “public” vs “private” claims in JWT:
>>>>>>
>>>>>> https://tools.ietf.org/html/rfc7519#section-4.2
>>>>>>
>>>>>> What I’m proposing is that if you think it’s going to be a general-purpose type name, then we recommend you use a URI as your string. And beyond that, that’s it. It’s up to the AS to figure out what to do with it, and RAR stays out of it.
>>>>>>
>>>>>>  — Justin
>>>>>>
>>>>>>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>>>
>>>>>>> Hey Justin, glad to see that you have aligned with the latest XAuth draft on a type property being required.
>>>>>>>
>>>>>>> I like the idea that the value of the type property is fully defined by the AS, which could delegate it to a common URI for reuse. This gets GNAP out of specifying access requests, and enables other parties to define access without any required coordination with IETF or IANA.
>>>>>>>
>>>>>>> A complication in mixing plain strings and URIs is the canonicalization. A plain string can be a fixed byte representation, but a URI requires canonicalization for comparison. Mixing the two requires URI detection at the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>>>>>>>
>>>>>>> The URI is retrievable, it can provide machine and/or human readable documentation in JSON schema or some such, or any other content type. Once again, the details are out of scope of GNAP, but we can provide examples to guide implementers.
>>>>>>>
>>>>>>> Are you still thinking that bare strings are allowed in GNAP, and are defined by the AS?
>>>>>>>
>>>>>>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>>>>>>> The “type” field in the RAR spec serves an important purpose: it defines what goes in the rest of the object, including what other fields are available and what values are allowed for those fields. It provides an API-level definition for requesting access based on multiple dimensions, and that’s really powerful and flexible. Each type can use any of the general-purpose fields like “actions” and/or add its own fields as necessary, and the “type” parameter keeps everything well-defined.
>>>>>>>>
>>>>>>>> The question, then, is what defines what’s allowed to go into the “type” field itself? And what defines how that value maps to the requirements for the rest of the object? The draft doesn’t say anything about it at the moment, but we should choose the direction we want to go. On the surface, there are three main options:
>>>>>>>>
>>>>>>>> 1) Require all values to be registered.
>>>>>>>> 2) Require all values to be collision-resistant (eg, URIs).
>>>>>>>> 3) Require all values to be defined by the AS (and/or the RS’s that it protects).
>>>>>>>>
>>>>>>>> Are there any other options?
>>>>>>>>
>>>>>>>> Here are my thoughts on each approach:
>>>>>>>>
>>>>>>>> 1) While it usually makes sense to register things for interoperability, this is a case where I think that a registry would actually hurt interoperability and adoption. Like a “scope” value, the RAR “type” is ultimately up to the AS and RS to interpret in their own context. We :want: people to define rich objects for their APIs and enable fine-grained access for their systems, and if they have to register something every time they come up with a new API to protect, it’s going to be an unmaintainable mess. I genuinely don’t think this would scale, and that most developers would just ignore the registry and do what they want anyway. And since many of these systems are inside domains, it’s completely unenforceable in practice.
>>>>>>>>
>>>>>>>> 2) This seems reasonable, but it’s a bit of a nuisance to require everything to be a URI here. It’s long and ugly, and a lot of APIs are going to be internal to a given group, deployment, or ecosystem anyway. This makes sense when you’ve got something reusable across many deployments, like OIDC, but it’s overhead when what you’re doing is tied to your environment.
>>>>>>>>
>>>>>>>> 3) This allows the AS and RS to define the request parameters for their APIs just like they do today with scopes. Since it’s always the combination of “this type :AT: this AS/RS”, name spacing is less of an issue across systems. We haven’t seen huge problems in scope value overlap in the wild, though it does occur from time to time it’s more than manageable. A client isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it can access something in particular.
>>>>>>>>
>>>>>>>> And all that brings me to my proposal:
>>>>>>>>
>>>>>>>> 4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.
>>>>>>>>
>>>>>>>> So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.
>>>>>>>>
>>>>>>>> My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>>>>>>
>>>>>>>> What does the rest of the group think? How should we manage the RAR “type” values and what they mean?
>>>>>>>>
>>>>>>>>  — Justin
>>>>>>>> _______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth

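The comparison question debated in the quoted thread (exact, byte-wise matching of "type" with no normalization at the AS, versus look-alike strings that differ in Unicode form or URI case), as an added example that is not part of any message in this thread or of the RAR draft. The type values, function names and the "lookalike" diagnostic are assumptions made for illustration; only an exact match is ever accepted, and the normalized key is used solely to produce a useful error or log entry.

```python
import json
import unicodedata
from urllib.parse import urlsplit

# Constructed for this example: the exact "type" strings a hypothetical AS documents.
CAFE_TYPE = "https://example.com/rar/types/caf\u00e9-orders"  # NFC form of "café"
SUPPORTED_TYPES = {"payment_initiation", CAFE_TYPE}


def skeleton(value: str) -> str:
    """Lossy key for diagnostics only; never used to make the access decision."""
    # Fold Unicode-equivalent and compatibility forms to one representation.
    text = unicodedata.normalize("NFKC", value)
    # Drop invisible format characters (zero-width space, BOM) and outer whitespace.
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf").strip()
    try:
        parts = urlsplit(text)  # urlsplit already lower-cases the scheme
    except ValueError:
        return text
    if parts.scheme and parts.netloc:
        # Host names are case-insensitive; the path is left untouched.
        text = parts._replace(netloc=parts.netloc.lower()).geturl()
    return text


_SKELETONS = {skeleton(t): t for t in SUPPORTED_TYPES}


def classify_type(requested):
    """Return (status, documented_type) for one requested "type" value."""
    if not isinstance(requested, str):
        return ("invalid", None)
    # Python str equality compares code points, which is equivalent to
    # comparing the UTF-8 bytes: no normalization takes place here.
    if requested in SUPPORTED_TYPES:
        return ("match", requested)
    near = _SKELETONS.get(skeleton(requested))
    if near is not None:
        # Rejected, but the AS can tell the developer which string was meant.
        return ("lookalike", near)
    return ("unknown", None)


def check_authorization_details(raw_json: str):
    """Classify the "type" of every object in an authorization_details array."""
    details = json.loads(raw_json)
    if not isinstance(details, list):
        raise ValueError("authorization_details must be a JSON array")
    results = []
    for entry in details:
        requested = entry.get("type") if isinstance(entry, dict) else None
        results.append(classify_type(requested))
    return results


# Constructed sample request covering the failure modes raised in the thread.
SAMPLE_REQUEST = json.dumps([
    {"type": "payment_initiation", "actions": ["initiate"]},
    {"type": "payment_initiation\u200b"},                          # trailing zero-width space
    {"type": "https://example.com/rar/types/cafe\u0301-orders"},   # NFD "e" + combining accent
    {"type": "HTTPS://Example.COM/rar/types/caf\u00e9-orders"},    # scheme/host case differs
    {"type": "account_information"},                               # not offered by this AS
    {"actions": ["read"]},                                         # "type" missing
])

if __name__ == "__main__":
    for status, documented in check_authorization_details(SAMPLE_REQUEST):
        print(status, documented)
```
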
--Apple-Mail-C8F6CB79-DECD-4A9E-816D-BA1E061A686A
Content-Type: text/html;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charset=3D=
utf-8"></head><body dir=3D"auto"><div dir=3D"ltr">Hi,</div><div dir=3D"ltr">=
<br></div><div dir=3D"ltr">the wording regarding type works for me.</div><di=
v dir=3D"ltr"><br></div><div dir=3D"ltr">Similar to Brian, I don=E2=80=99t u=
nderstand how the data type registry is supposed to work.</div><div dir=3D"l=
tr"><br></div><div dir=3D"ltr">In my opinion, type and locations are complet=
ely different from the other elements since they are required by the protoco=
l itself. Their semantics must not be changed by applications.</div><div dir=
=3D"ltr"><br></div><div dir=3D"ltr">The other element types are reusable com=
ponents, but I don=E2=80=99t understand how an application or standard would=
 refer to them, include them into there type definition, and how overloading=
 might happen. For example, are these elements always included in the top le=
vel container or can they be used deeper in the structure?</div><div dir=3D"=
ltr"><br></div><div dir=3D"ltr">There are alternative solutions for reuse. I=
 personally would use JSON schemas to define such reusable elements and the a=
uthorization data types utilizing them.&nbsp;</div><div dir=3D"ltr"><br></di=
v><div dir=3D"ltr">I therefore don=E2=80=99t see the need for a RAR specific=
 mechanism (a registry).</div><div dir=3D"ltr"><br></div><div dir=3D"ltr">be=
st regards,</div><div dir=3D"ltr">Torsten.</div><div dir=3D"ltr"><br><blockq=
uote type=3D"cite">Am 26.07.2020 um 02:48 schrieb Justin Richer &lt;jricher@=
mit.edu&gt;:<br><br></blockquote></div><blockquote type=3D"cite"><div dir=3D=
"ltr">=EF=BB=BF<meta http-equiv=3D"Content-Type" content=3D"text/html; chars=
et=3Dutf-8">Brian,<div class=3D""><br class=3D""></div><div class=3D"">I can=
 appreciate the confusion on the elements registry. It=E2=80=99s really abou=
t having a place to put re-usable components that people might use within th=
eir own =E2=80=9Ctype=E2=80=9D definitions, if they want to. The construct i=
n use there is similar to what we used in Vectors of Trust (RFC8485),&nbsp;<=
a href=3D"https://tools.ietf.org/html/rfc8485" class=3D"">https://tools.ietf=
.org/html/rfc8485</a></div><div class=3D""><br class=3D""></div><div class=3D=
"">A VoT =E2=80=9Ctrust framework=E2=80=9D document can technically define w=
hatever categories and values that it wants to. However, there is a registry=
 for common categories, designed to be core dimensions applicable across a n=
umber of different trust frameworks.&nbsp;</div><div class=3D""><br class=3D=
""></div><div class=3D"">So the way that it works is that a =E2=80=9Ctype=E2=
=80=9D can redefine its own syntax and semantics for something like =E2=80=9C=
actions=E2=80=9D or =E2=80=9Clocations=E2=80=9D, if it wants to, but the reg=
istry is giving people a place to look and say, =E2=80=9Coh hey, someone alr=
eady uses =E2=80=98actions=E2=80=99 in a general way, maybe that works for m=
e and I can use that definition, or maybe I should find a different word=E2=80=
=9D. So while =E2=80=9Ctype=E2=80=9D avoids the programmatic namespace colli=
sion of two different definitions of =E2=80=9Caction=E2=80=9D, the registry h=
elps to avoid developer confusion about having two different uses for the sa=
me word.&nbsp;</div><div class=3D""><br class=3D""></div><div class=3D"">It=E2=
=80=99s not foolproof, but it=E2=80=99s better than making every API designe=
r start from a completely blank slate.</div><div class=3D""><br class=3D""><=
/div><div class=3D"">&nbsp;=E2=80=94 Justin<br class=3D""><div><br class=3D"=
"><blockquote type=3D"cite" class=3D""><div class=3D"">On Jul 24, 2020, at 5=
:55 PM, Brian Campbell &lt;<a href=3D"mailto:bcampbell@pingidentity.com" cla=
ss=3D"">bcampbell@pingidentity.com</a>&gt; wrote:</div><br class=3D"Apple-in=
terchange-newline"><div class=3D""><meta http-equiv=3D"Content-Type" content=
=3D"text/html; charset=3Dutf-8" class=3D""><div dir=3D"ltr" class=3D""><div c=
lass=3D"">I think I'm on board with the type being a just string and the gui=
dance provided about collision-resistance (rather than having a registry for=
 types or requiring type to be a URI or something along those lines). I don'=
t believe there's actually an issue with string comparison in that context a=
nd so see no need for the draft to say anything special about it. <br class=3D=
""></div><div class=3D""><br class=3D""></div><div class=3D"">In looking at t=
he pull request, however, I'm surprised by there being a registry for the da=
ta elements. And honestly confused about how that would even work in practic=
e. <span class=3D""><span class=3D"">The contents </span>of <span class=3D""=
>the authorization details object</span> are <span class=3D"">determined by <=
/span>the <span class=3D"">`type`</span><span class=3D""> parameter</span> b=
ut there's also a registry of the elements that can make up that content tha=
t are general across type. I don't see how to reconcile that. <br class=3D""=
></span></div></div><br class=3D""><div class=3D"gmail_quote"><div dir=3D"lt=
r" class=3D"gmail_attr">On Mon, Jul 20, 2020 at 10:00 AM Justin Richer &lt;<=
a href=3D"mailto:jricher@mit.edu" target=3D"_blank" class=3D"">jricher@mit.e=
du</a>&gt; wrote:<br class=3D""></div><blockquote class=3D"gmail_quote" styl=
e=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding=
-left:1ex"><div class=3D"">I created a pull request with some proposed langu=
age here:<div class=3D""><br class=3D""></div><div class=3D""><a href=3D"htt=
ps://github.com/oauthstuff/draft-oauth-rar/pull/52" target=3D"_blank" class=3D=
"">https://github.com/oauthstuff/draft-oauth-rar/pull/52</a></div><div class=
=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 Justin<br class=3D=
""><div class=3D""><br class=3D""><blockquote type=3D"cite" class=3D""><div c=
lass=3D"">On Jul 20, 2020, at 7:42 AM, Justin Richer &lt;<a href=3D"mailto:j=
richer@mit.edu" target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<=
/div><br class=3D""><div class=3D"">
<div class=3D""><div class=3D"">Since this is a recommendation for namespace=
, we could also just say collision-resistant like JWT, and any of those exam=
ples are fine. But that said, I think there=E2=80=99s something particularly=
 compelling about URIs since they have somewhat-human-readable portions. But=
 again, I=E2=80=99m saying it should be a recommendation to API developers a=
nd not a requirement in the spec. In the spec, I argue that =E2=80=9Ctype=E2=
=80=9D should be a string, full stop.</div><div class=3D""><br class=3D""></=
div>If documentation is so confusing that developers are typing in the wrong=
 strings, then that=E2=80=99s bad documentation. And likely a bad choice for=
 the =E2=80=9Ctype=E2=80=9D string on the part of the AS. You=E2=80=99d have=
 the same problem with any other value the developer=E2=80=99s supposed to c=
opy over. &nbsp;:)<div class=3D""><br class=3D""></div><div class=3D"">I agr=
ee that we should call out explicitly how they should be compared, and I pro=
pose we use one of the handful of existing string-comparison RFC=E2=80=99s h=
ere instead of defining our own rules.</div><div class=3D""><br class=3D""><=
/div><div class=3D"">While the type could be a dereferenceable URI, requirin=
g action on the AS is really getting into distributed authorization policies=
. We tried doing that with UMA1=E2=80=99s scope structures and it didn=E2=80=
=99t work very well in practice (in my memory and experience). Someone could=
 profile =E2=80=9Ctype" on top of this if they wanted to do so, with support=
 at the AS for that, but I don=E2=80=99t see a compelling reason for that to=
 be a requirement as that=E2=80=99s a lot of complexity and a lot more error=
 states (the fetch fails, or it doesn=E2=80=99t have a policy, or the policy=
=E2=80=99s in a format the AS doesn=E2=80=99t understand, or the AS doesn=E2=
=80=99t like the policy, etc).&nbsp;</div><div class=3D""><br class=3D""></d=
iv><div class=3D"">And AS is always free to implement its types in such a fa=
shion, and that could make plenty of sense in a smaller ecosystem. And this i=
s yet another reason that we define =E2=80=9Ctype=E2=80=9D as being a string=
 to be interpreted and understood by the AS =E2=80=94 so that an AS that wan=
ts to work this way can do so.</div><div class=3D""><br class=3D""></div><di=
v class=3D"">&nbsp;=E2=80=94 Justin</div><div class=3D""><br class=3D""></di=
v><div class=3D"">PS: thanks for pointing out the error in the example in XY=
Z, I=E2=80=99ll fix that prior to publication.<br class=3D""><div class=3D""=
><br class=3D""><blockquote type=3D"cite" class=3D""><div class=3D"">On Jul 1=
8, 2020, at 8:58 PM, Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" t=
arget=3D"_blank" class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br cla=
ss=3D""><div class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D=
""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D"">Justin: thanks fo=
r kindly pointing out which mail list this is.</div><div dir=3D"ltr" class=3D=
""><br class=3D""><div class=3D"">To clarify, public JWT claims are not just=
 URIs, but any collision-resistant&nbsp;namespace:&nbsp;</div><div class=3D"=
">"Examples of collision-resistant namespaces include: Domain Names, Object I=
dentifiers (OIDs) as defined in the ITU-T X.660 and&nbsp; &nbsp; &nbsp; X.67=
0 Recommendation series, and Universally Unique IDentifiers (UUIDs) [RFC4122=
]."</div><div class=3D""><br class=3D""></div><div class=3D"">I think lettin=
g the "type" be any JSON string and doing a byte-wise comparison will be pro=
blematic. A client developer will be reading documentation to learn what the=
 types are,&nbsp;and typing it in. Given the wide set of whitespace characte=
rs, and unicode equivalence, different byte streams will all look the same, a=
nd a byte-wise comparison will fail.</div><div class=3D""><br class=3D""></d=
iv><div class=3D"">Similarly&nbsp;for URIs. If it is a valid URI, then a byt=
e-wise comparison is not sufficient. Canonicalization is required.&nbsp;</di=
v><div class=3D""><br class=3D""></div><div class=3D"">These are not showsto=
pper&nbsp;issues, but the specification should call out how type strings are=
 compared, and provide&nbsp;caveats to an AS developer.</div><div class=3D""=
><br class=3D""></div><div class=3D"">I have no idea why you would think the=
 AS would retrieve a URL.</div><div class=3D""><br class=3D""></div><div cla=
ss=3D"">Since the type represents a much more complex object then a JWT clai=
m, a client developer's tooling could pull down the JSON Schema (or some suc=
h) for a type used in their source code, and provide autocompletion and vali=
dation which would improve productivity and reduce errors. An AS that is usi=
ng a defined type could use the schema for input validation. Neither of thes=
e would be at run time. JSON Schema allows comments and examples.</div><div c=
lass=3D""><br class=3D""></div><div class=3D"">What is the harm in non-norma=
tive language around a retrievable URI?</div><div class=3D""><br class=3D"">=
</div><div class=3D"">BTW: the example in&nbsp;<a href=3D"https://oauth.xyz/=
draft-richer-transactional-authz#rfc.section.2" target=3D"_blank" class=3D""=
>https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2</a>&nbsp;h=
as not been updated with the "type" field.</div><div class=3D""><br class=3D=
""></div><div class=3D""><br class=3D""></div></div></div></div></div><br cl=
ass=3D""><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On=
 Sat, Jul 18, 2020 at 8:10 AM Justin Richer &lt;<a href=3D"mailto:jricher@mi=
t.edu" target=3D"_blank" class=3D"">jricher@mit.edu</a>&gt; wrote:<br class=3D=
""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex=
;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class=3D"">Hi=
 Dick,<div class=3D""><br class=3D""></div><div class=3D"">This is a discuss=
ion about the RAR specification on the OAuth list, and therefore doesn=E2=80=
=99t have anything to do with alignment with XAuth. In fact, I believe the a=
lignment is the other way around, as doesn=E2=80=99t Xauth normatively refer=
ence RAR at this point? Even though, last I saw, it uses a different top-lev=
el structure for conveying things, I believe it does say to use the internal=
 object structures. I am also a co-author on RAR and we had already defined a=
 =E2=80=9Ctype=E2=80=9D field in RAR quite some time ago. You did notice tha=
t XYZ=E2=80=99s latest draft added this field to keep the two in alignment w=
ith each other, which has always been the goal since the initial proposal of=
 the RAR work, but that=E2=80=99s a time lag and not a display of new intent=
.&nbsp;</div><div class=3D""><br class=3D""></div><div class=3D"">In any eve=
nt, even though I think the decision has bearing in both places, this isn=E2=
=80=99t about GNAP. Working on RAR=E2=80=99s requirements has brought up thi=
s interesting issue of what should be in the type field for RAR in OAuth 2.<=
/div><div class=3D""><br class=3D""></div><div class=3D"">I think that it sh=
ould be defined as a string, and therefore compared as a byte value in all c=
ases, regardless of what the content of the string is. I don=E2=80=99t think=
 the AS should be expected to fetch a URI for anything. I don=E2=80=99t thin=
k the AS should normalize any of the inputs. I think that any JSON-friendly c=
haracter set should be allowed (including spaces and unicodes), and since RA=
R already requires the JSON objects to be form-encoded, this shouldn=E2=80=99=
t cause additional trouble when adding them in to OAuth 2=E2=80=99s request s=
tructures.</div><div class=3D""><br class=3D""></div><div class=3D"">The ide=
a of using a URI would be to get people out of each other=E2=80=99s namespac=
es. It=E2=80=99s similar to the concept of =E2=80=9Cpublic=E2=80=9D vs =E2=80=
=9Cprivate=E2=80=9D claims in JWT:</div><div class=3D""><br class=3D""></div=
><div class=3D""><a href=3D"https://tools.ietf.org/html/rfc7519#section-4.2"=
 target=3D"_blank" class=3D"">https://tools.ietf.org/html/rfc7519#section-4.=
2</a></div><div class=3D""><br class=3D""></div><div class=3D"">What I=E2=80=
=99m proposing is that if you think it=E2=80=99s going to be a general-purpo=
se type name, then we recommend you use a URI as your string. And beyond tha=
t, that=E2=80=99s it. It=E2=80=99s up to the AS to figure out what to do wit=
h it, and RAR stays out of it.</div><div class=3D""><br class=3D""></div><di=
v class=3D"">&nbsp;=E2=80=94 Justin<br class=3D""><div class=3D""><br class=3D=
""><blockquote type=3D"cite" class=3D""><div class=3D"">On Jul 17, 2020, at 1=
:25 PM, Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.com" target=3D"_bl=
ank" class=3D"">dick.hardt@gmail.com</a>&gt; wrote:</div><br class=3D""><div=
 class=3D""><div dir=3D"ltr" class=3D"">Hey Justin, glad to see that you hav=
e aligned with the latest XAuth draft on a type property being required.<br c=
lass=3D""><div class=3D""><br class=3D""></div><div class=3D"">I like the id=
ea that the value of the type property is fully defined by the AS, which cou=
ld delegate it to a common URI for reuse. This gets GNAP out of specifying a=
ccess requests, and enables other parties to define access without any requi=
red coordination with IETF or IANA.</div><div class=3D""><br class=3D""></di=
v><div class=3D"">A complication in mixing plain strings and URIs is the can=
onicalization. A plain string can be a fixed byte&nbsp;representation, but a=
 URI requires canonicalization for comparison. Mixing the two requires&nbsp;=
URI detection at the AS before canonicalization, and an AS MUST do canonical=
ization of URIs.</div><div class=3D""><br class=3D""></div><div class=3D"">T=
he URI is retrievable, it can provide machine and/or human readable document=
ation in JSON schema or some such, or any other content type. Once again, th=
e details are out of scope&nbsp;of GNAP, but we can provide examples to guid=
e implementers.</div><div class=3D""><br class=3D""></div><div class=3D"">Ar=
e you still thinking that bare strings are allowed in GNAP, and&nbsp;are def=
ined by the AS?</div><div class=3D""><br class=3D""></div><div class=3D""><b=
r class=3D""></div></div><br class=3D""><div class=3D"gmail_quote"><div dir=3D=
"ltr" class=3D"gmail_attr">On Fri, Jul 17, 2020 at 8:39 AM Justin Richer &lt=
;<a href=3D"mailto:jricher@mit.edu" target=3D"_blank" class=3D"">jricher@mit=
.edu</a>&gt; wrote:<br class=3D""></div><blockquote class=3D"gmail_quote" st=
yle=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddi=
ng-left:1ex">The =E2=80=9Ctype=E2=80=9D field in the RAR spec serves an impo=
rtant purpose: it defines what goes in the rest of the object, including wha=
t other fields are available and what values are allowed for those fields. I=
t provides an API-level definition for requesting access based on multiple d=
imensions, and that=E2=80=99s really powerful and flexible. Each type can us=
e any of the general-purpose fields like =E2=80=9Cactions=E2=80=9D and/or ad=
d its own fields as necessary, and the =E2=80=9Ctype=E2=80=9D parameter keep=
s everything well-defined.<br class=3D"">
<br class=3D"">
The question, then, is what defines what=E2=80=99s allowed to go into the =E2=
=80=9Ctype=E2=80=9D field itself? And what defines how that value maps to th=
e requirements for the rest of the object? The draft doesn=E2=80=99t say any=
thing about it at the moment, but we should choose the direction we want to g=
o. On the surface, there are three main options:<br class=3D"">
<br class=3D"">
1) Require all values to be registered. <br class=3D"">
2) Require all values to be collision-resistant (eg, URIs).<br class=3D"">
3) Require all values to be defined by the AS (and/or the RS=E2=80=99s that i=
t protects).<br class=3D"">
<br class=3D"">
Are there any other options?<br class=3D"">
<br class=3D"">
Here are my thoughts on each approach:<br class=3D"">
<br class=3D"">
1) While it usually makes sense to register things for interoperability, thi=
s is a case where I think that a registry would actually hurt interoperabili=
ty and adoption. Like a =E2=80=9Cscope=E2=80=9D value, the RAR =E2=80=9Ctype=
=E2=80=9D is ultimately up to the AS and RS to interpret in their own contex=
t. We :want: people to define rich objects for their APIs and enable fine-gr=
ained access for their systems, and if they have to register something every=
 time they come up with a new API to protect, it=E2=80=99s going to be an un=
maintainable mess. I genuinely don=E2=80=99t think this would scale, and tha=
t most developers would just ignore the registry and do what they want anywa=
y. And since many of these systems are inside domains, it=E2=80=99s complete=
ly unenforceable in practice.<br class=3D"">
<br class=3D"">
2) This seems reasonable, but it=E2=80=99s a bit of a nuisance to require ev=
erything to be a URI here. It=E2=80=99s long and ugly, and a lot of APIs are=
 going to be internal to a given group, deployment, or ecosystem anyway. Thi=
s makes sense when you=E2=80=99ve got something reusable across many deploym=
ents, like OIDC, but it=E2=80=99s overhead when what you=E2=80=99re doing is=
 tied to your environment.<br class=3D"">
<br class=3D"">
3) This allows the AS and RS to define the request parameters for their APIs=
 just like they do today with scopes. Since it=E2=80=99s always the combinat=
ion of =E2=80=9Cthis type :AT: this AS/RS=E2=80=9D, name spacing is less of a=
n issue across systems. We haven=E2=80=99t seen huge problems in scope value=
 overlap in the wild, though it does occur from time to time it=E2=80=99s mo=
re than manageable. A client isn=E2=80=99t going to just =E2=80=9Cspeak RAR=E2=
=80=9D, it=E2=80=99s going to be speaking RAR so that it can access somethin=
g in particular.<br class=3D"">
<br class=3D"">
And all that brings me to my proposal: <br class=3D"">
<br class=3D"">
4) Require all values to be defined by the AS, and encourage specification d=
evelopers to use URIs for collision resistance.<br class=3D"">
<br class=3D"">
So officially in RAR, the AS would decide what =E2=80=9Ctype=E2=80=9D means,=
 and nobody else. But we can also guide people who are developing general-pu=
rpose interoperable APIs to use URIs for their RAR =E2=80=9Ctype=E2=80=9D de=
finitions. This would keep those interoperable APIs from stepping on each ot=
her, and from stepping on any locally-defined special =E2=80=9Ctype=E2=80=9D=
 structure. But at the end of the day, the URI carries no more weight than j=
ust any other string, and the AS decides what it means and how it applies.<b=
r class=3D"">
<br class=3D"">
My argument is that this seems to have worked very, very well for scopes, an=
d the RAR =E2=80=9Ctype=E2=80=9D is cut from similar descriptive cloth.<br c=
lass=3D"">
<br class=3D"">
What does the rest of the group think? How should we manage the RAR =E2=80=9C=
type=E2=80=9D values and what they mean?<br class=3D"">
<br class=3D"">
&nbsp;=E2=80=94 Justin<br class=3D"">
_______________________________________________<br class=3D"">
OAuth mailing list<br class=3D"">
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" class=3D"">OAuth@ietf.or=
g</a><br class=3D"">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" t=
arget=3D"_blank" class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><=
br class=3D"">
</blockquote></div>
</div></blockquote></div><br class=3D""></div></div></blockquote></div>
</div></blockquote></div><br class=3D""></div></div>________________________=
_______________________<br class=3D"">OAuth mailing list<br class=3D""><a hr=
ef=3D"mailto:OAuth@ietf.org" target=3D"_blank" class=3D"">OAuth@ietf.org</a>=
<br class=3D""><a href=3D"https://www.ietf.org/mailman/listinfo/oauth" targe=
t=3D"_blank" class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><br c=
lass=3D""></div></blockquote></div><br class=3D""></div></div>______________=
_________________________________<br class=3D"">
OAuth mailing list<br class=3D"">
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" class=3D"">OAuth@ietf.or=
g</a><br class=3D"">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" t=
arget=3D"_blank" class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><=
br class=3D"">
</blockquote></div>

<br class=3D"">
<i style=3D"margin:0px;padding:0px;border:0px;outline:0px;vertical-align:bas=
eline;background:rgb(255,255,255);font-family:proxima-nova-zendesk,system-ui=
,-apple-system,system-ui,&quot;Segoe UI&quot;,Roboto,Oxygen-Sans,Ubuntu,Cant=
arell,&quot;Helvetica Neue&quot;,Arial,sans-serif;color:rgb(85,85,85)" class=
=3D""><span style=3D"margin:0px;padding:0px;border:0px;outline:0px;vertical-=
align:baseline;background:transparent;font-family:proxima-nova-zendesk,syste=
m-ui,-apple-system,BlinkMacSystemFont,&quot;Segoe UI&quot;,Roboto,Oxygen-San=
s,Ubuntu,Cantarell,&quot;Helvetica Neue&quot;,Arial,sans-serif;font-weight:6=
00" class=3D""><font size=3D"2" class=3D"">CONFIDENTIALITY NOTICE: This emai=
l may contain confidential and privileged material for the sole use of the i=
ntended recipient(s). Any review, use, distribution or disclosure by others i=
s strictly prohibited.&nbsp; If you have received this communication in erro=
r, please notify the sender immediately by e-mail and delete the message and=
 any file attachments from your computer. Thank you.</font></span></i></div>=
</blockquote></div><br class=3D""></div><span>______________________________=
_________________</span><br><span>OAuth mailing list</span><br><span>OAuth@i=
etf.org</span><br><span>https://www.ietf.org/mailman/listinfo/oauth</span><b=
r></div></blockquote></body></html>=

--Apple-Mail-C8F6CB79-DECD-4A9E-816D-BA1E061A686A--


--Apple-Mail-B7D810C2-2DA3-4E2C-BE1A-076E99E1B59A--
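An added example, not part of the thread or of the RAR draft: a sketch of an AS that treats the RAR "type" as an opaque string, as proposed in the message above, matching it exactly with no URI canonicalization, no Unicode normalization and no fetching. The registry contents, the function names and the example.org URI are constructed for illustration.

```python
import json
import unicodedata
from urllib.parse import parse_qs, urlencode

# Constructed registry for a hypothetical AS: each known "type" string maps to
# the fields that type permits besides "type" itself.
AS_TYPES = {
    "payment_initiation": {"actions", "locations", "instructedAmount"},
    "https://schema.example.org/rar/account-info": {"actions", "locations"},
    "caf\u00e9 orders": {"actions"},  # spaces and non-ASCII are legal JSON strings
}


class AuthorizationDetailsError(ValueError):
    """Raised when the authorization_details parameter is rejected."""


def allowed_fields(type_value):
    """Look up a type by exact string equality; nothing is normalized or fetched."""
    if not isinstance(type_value, str):
        raise AuthorizationDetailsError("type must be a JSON string")
    try:
        type_value.encode("utf-8")  # lone surrogates have no byte form to compare
    except UnicodeEncodeError:
        raise AuthorizationDetailsError("type is not valid Unicode") from None
    # Python str equality is code point by code point, which for valid
    # Unicode is the same as comparing the UTF-8 bytes.
    if type_value not in AS_TYPES:
        raise AuthorizationDetailsError(f"unknown type {type_value!r}")
    return AS_TYPES[type_value]


def accept_authorization_details(form_body):
    """Validate a form-encoded body; return the accepted type strings."""
    try:
        params = parse_qs(form_body, strict_parsing=True)
    except ValueError:
        raise AuthorizationDetailsError("malformed form body") from None
    values = params.get("authorization_details", [])
    if len(values) != 1:
        raise AuthorizationDetailsError("need exactly one authorization_details")
    try:
        details = json.loads(values[0])
    except json.JSONDecodeError:
        raise AuthorizationDetailsError("authorization_details is not JSON") from None
    if not isinstance(details, list) or not details:
        raise AuthorizationDetailsError("expected a non-empty JSON array")
    accepted = []
    for obj in details:
        if not isinstance(obj, dict) or "type" not in obj:
            raise AuthorizationDetailsError("each entry needs a type")
        extra = set(obj) - allowed_fields(obj["type"]) - {"type"}
        if extra:
            raise AuthorizationDetailsError(f"fields not defined for type: {sorted(extra)}")
        accepted.append(obj["type"])
    return accepted


def form_body_for(*details):
    """Client side: JSON-encode the objects, then form-encode the parameter."""
    return urlencode({"authorization_details": json.dumps(list(details), ensure_ascii=False)})


def is_accepted(type_value):
    """True if a one-object request using this type passes validation."""
    try:
        accept_authorization_details(form_body_for({"type": type_value, "actions": ["read"]}))
        return True
    except AuthorizationDetailsError:
        return False


if __name__ == "__main__":
    for candidate in [
        "payment_initiation",
        "https://schema.example.org/rar/account-info",
        "HTTPS://Schema.Example.org/rar/account-info",     # same URI after normalization
        "https://schema.example.org/rar/account-info/",    # trailing slash
        "caf\u00e9 orders",                                 # NFC, as registered
        unicodedata.normalize("NFD", "caf\u00e9 orders"),   # NFD, different bytes
    ]:
        print(f"{candidate!r:55} accepted={is_accepted(candidate)}")
```

A type that is equal to a registered one only after URI or Unicode normalization is refused here, which is the behaviour a client and an AS both need to expect if the type is defined as a plain string.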


From nobody Sun Jul 26 06:36:34 2020
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CA423A0EB2 for <oauth@ietfa.amsl.com>; Sun, 26 Jul 2020 06:36:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U76phkmXlrLk for <oauth@ietfa.amsl.com>; Sun, 26 Jul 2020 06:36:28 -0700 (PDT)
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 334243A0EAE for <oauth@ietf.org>; Sun, 26 Jul 2020 06:36:27 -0700 (PDT)
Received: by mail-wm1-x32d.google.com with SMTP id t142so5832692wmt.4 for <oauth@ietf.org>; Sun, 26 Jul 2020 06:36:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=wegK68rbPVt105cygsIBRMk51eNleyfmjByPwo4SvZQ=; b=HhQY/+NnaRO9sEuJ5QxLhdl5IEM/M0dL8SoBeafOXOD0E2RM/znCRuBwH2yyFOOH2m 4C3bHmQAuxQYrITQNKNaRb8X61Ro2L6aG2z6oCCHTOglUh7p83xkQvbXHBM+Wtxt1Fy9 j90AqzCUMbWTZeSy8LEup7B/GOU7iudr1SfXk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=wegK68rbPVt105cygsIBRMk51eNleyfmjByPwo4SvZQ=; b=jmNsnjGFGrbtVxY3/JQM/IfFqJ+RLVLE39FQbAF7kkjlPtuPmHxpY9lvvjD4Scocz0 vhLBHfd9zBaSAvgfC2SxMniZNN1ZQmPyduzFZVQWlGx4qsyIzt3Tv+z0Dupgo3f+T73r bWQQVZ7jfSpgHgqZXG6fL23cINuB36i+b6jkYiZbG7u4wxNs/mkUFfKSXzHqE8aYF8DE iomMzOcqkaP8aIqjYMb+QMxetfFVaj8VWF+pyEqlgS9wSMHsJSVpEKv57nyqW3M7yg5k ump0bu5AfmG9W1xiX8ip/mZlXXJRXyknxspKV46CLRT/LPFHJiAjcP8F7nm94QHwqZju XQaQ==
X-Gm-Message-State: AOAM530Dte5L9UeBstI5ocuOVxdD8zrg1y9nEjZ6gN8jo6MSryP0kOEe CuJs7ALZIy4zLjxekVSyFMTQ2A==
X-Google-Smtp-Source: ABdhPJyOYN4eA7WtVd3r8ICMFfPA28ZgFDWqAZqtXh5lnRyfgP1PQ6GserzG6RLlHsqJQm0zecu0KA==
X-Received: by 2002:a7b:c013:: with SMTP id c19mr16313806wmb.158.1595770585716;  Sun, 26 Jul 2020 06:36:25 -0700 (PDT)
Received: from [10.0.0.6] (38.227.143.150.dyn.plus.net. [150.143.227.38]) by smtp.gmail.com with ESMTPSA id j24sm9456198wrb.49.2020.07.26.06.36.24 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 26 Jul 2020 06:36:25 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <478A55B8-E388-4D0A-B036-ED28FCAB6A46@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_74BF87AB-9F04-49EA-9CBD-82D0C115ED95"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Sun, 26 Jul 2020 14:36:24 +0100
In-Reply-To: <CA+k3eCSqv98aMAd94ow-iFnFx_x_XE_Xjxn=P=EBwj2k=xux9Q@mail.gmail.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <CA+k3eCRWSFGHPb9Yo1POR_YqZLELyhEuYuUsObcXMebxtnySBg@mail.gmail.com> <2ABDD1A0-0455-4CD7-94B9-121F7D61A287@forgerock.com> <CA+k3eCSqv98aMAd94ow-iFnFx_x_XE_Xjxn=P=EBwj2k=xux9Q@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dWVj45MFjG3M2kZbl3pbiNwR6W0>
Subject: Re: [OAUTH-WG] New Version Notification for draft-ietf-oauth-par-02.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jul 2020 13:36:32 -0000

--Apple-Mail=_74BF87AB-9F04-49EA-9CBD-82D0C115ED95
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Thanks Brian,

That sounds reasonable.

My main concern is that we don’t mislead people into the security
properties provided by PAR. I’ve seen multiple cases where people assume
that e.g. because they sent an OIDC request with a particular acr_values
and got back a successful response that the user must have been
successfully authenticated in the intended way. There are multiple ways
that assumption can be violated; tampering with the request being just
one of them. In those kinds of cases, the best thing is to strictly
validate the response you get back (e.g., the “acr” claim in the ID
token in this example), which you’d generally still want to do even with
PAR.

Obviously PAR can catch some of these things much earlier in the flow,
which is great, but I just wanted to be clear whether the PAR draft is
saying that there are either (a) some attacks that PAR catches that
otherwise aren’t mitigated, or (b) there are specific attacks against
PAR (e.g., replay) that don’t apply to existing flows, or (c) some
checks you can skip if you use PAR.

Cheers,

— Neil

> On 24 Jul 2020, at 22:13, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
> Hi Neil,
>
> Torsten added this issue
> https://github.com/oauthstuff/draft-oauth-par/issues/53 from your
> questions/comments, which touches on some things, and maybe he can
> provide more thoughts. But I'll make an attempt here too.
>
> In my mind, the one-time use suggestion on the request_uri came about
> less from the risks of replay and more from the fact that the contents
> of a particular auth request are unique to the one request. So it just
> kinda made sense to similarly limit the reference to the data in a
> request. A specific request can only be made once so it's suggested
> (though not required) that a request_uri that represents that request
> also be usable only once.
>
> I believe state and/or PKCE and/or nonce can prevent replay already
> but those take effect at different points in the whole dance and to
> catch replay of different artifacts.
>
> Agreed that it'd be good for the draft to have some more discussion
> about the risks of modification and disclosure of the request content.
> Torsten also agreed yesterday at a brief discussion during OSW so I'm
> hopeful he can add some good content to the draft :) Thinking about
> richer authorization requests that might have transaction data like
> payee account numbers or amounts or similar etc. gives some idea of
> requests where integrity and confidentiality would be good. And even
> more basic requests, preventing control or modification of something
> like code_challenge seems useful.
>
> On Thu, Jul 23, 2020 at 1:53 AM Neil Madden <neil.madden@forgerock.com> wrote:
> Can you expand on the risks of replay? It seems like if the request
> can be replayed an attacker can also block the original request and
> inject the URI into a different request - ie no replay.
>
> (Shouldn’t state and/or PKCE and/or nonce prevent replay already?)
>
> In general the draft could do with some discussion of why an attacker
> being able to modify an authorization request is a risk. I might just be
> lacking enough coffee this morning to understand the risk here.
>
> — Neil
>
>> On 22 Jul 2020, at 23:14, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>>
>> Thanks Vladimir, both comments should be easy to address in -03
>> (HTTPS/TLS required and SHOULD on short lifetime *and* single use).
>>
>> On Sun, Jul 19, 2020 at 12:55 PM Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>> Thanks for the update. With the "require PAR" AS and client metadata
>> the spec is now "policy complete". I can't think of what else there is
>> to add.
>>
>> I have two comments about -02:
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2
>> I didn't see a mention of https / TLS being required for the PAR
>> endpoint. The reader could assume http is fine.
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2.2
>>
>>>    Since the request URI can be replayed, its lifetime SHOULD be short
>>>    and preferably limited to one-time use.
>> The SHOULD is ambiguous here - does it apply to the lifetime only, or
>> to the lifetime and the single use.
>>
>> Vladimir
>>
>> On 10/07/2020 21:36, Brian Campbell wrote:
>>> WG,
>>>
>>> A new -02 draft of "OAuth 2.0 Pushed Authorization Requests" has
>>> been published. A summary of the changes, taken from the document
>>> history, is included below for ease of reference.
>>>
>>>    -02
>>>
>>>    *  Update Resource Indicators reference to the somewhat recently
>>>       published RFC 8707
>>>       <https://datatracker.ietf.org/doc/html/rfc8707>
>>>
>>>    *  Added metadata in support of pushed authorization requests only
>>>       feature
>>>
>>>    *  Update to comply with draft-ietf-oauth-jwsreq-21
>>>       <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-21>,
>>>       which requires "client_id" in the authorization request in
>>>       addition to the "request_uri"
>>>
>>>    *  Clarified timing of request validation
>>>
>>>    *  Add some guidance/options on the request URI structure
>>>
>>>    *  Add the key used in the request object example so that a reader
>>>       could validate or recreate the request object signature
>>>
>>>    *  Update to draft-ietf-oauth-jwsreq-25
>>>       <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-25>
>>>       and added note regarding "require_signed_request_object"
>>>
>>> ---------- Forwarded message ---------
>>> From: <internet-drafts@ietf.org>
>>> Date: Fri, Jul 10, 2020 at 1:21 PM
>>> Subject: New Version Notification for draft-ietf-oauth-par-02.txt
>>> To: Filip Skokan <panva.ip@gmail.com>, Torsten Lodderstedt
>>> <torsten@lodderstedt.net>, Brian Campbell <bcampbell@pingidentity.com>,
>>> Dave Tonge <dave@tonge.org>, Nat Sakimura <nat@sakimura.org>
>>>
>>> A new version of I-D, draft-ietf-oauth-par-02.txt
>>> has been successfully submitted by Brian Campbell and posted to the
>>> IETF repository.
>>>
>>> Name:           draft-ietf-oauth-par
>>> Revision:       02
>>> Title:          OAuth 2.0 Pushed Authorization Requests
>>> Document date:  2020-07-10
>>> Group:          oauth
>>> Pages:          18
>>> URL:            https://www.ietf.org/internet-drafts/draft-ietf-oauth-par-02.txt
>>> Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-par/
>>> Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-par-02
>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par
>>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-02
>>>
>>> Abstract:
>>>    This document defines the pushed authorization request endpoint,
>>>    which allows clients to push the payload of an OAuth 2.0
>>>    authorization request to the authorization server via a direct
>>>    request and provides them with a request URI that is used as
>>>    reference to the data in a subsequent authorization request.
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> The IETF Secretariat
>>>
>> --
>> Vladimir Dzhuvinov

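An added example, not code from the PAR draft or from anyone in this thread: one way an AS could enforce the short lifetime and one-time use of the request URI discussed above, and take the request parameters only from the pushed copy so that a front-channel change to something like code_challenge has no effect. The class and function names, the urn:example: prefix, the 60-second lifetime and the policy of ignoring other query parameters are assumptions of this sketch.

```python
import secrets
import threading
import time

# Constructed prefix; the structure of the request URI is up to the AS.
REQUEST_URI_PREFIX = "urn:example:par:"


class RequestUriError(Exception):
    """The authorization request must be refused."""


class PushedRequestStore:
    """In-memory store giving each pushed request a short, single-use URI."""

    def __init__(self, lifetime_seconds=60, clock=time.monotonic):
        self._lifetime = lifetime_seconds
        self._clock = clock
        self._lock = threading.Lock()
        self._pending = {}  # request_uri -> (client_id, expires_at, params)

    def push(self, client_id, params):
        """PAR endpoint, after client authentication: store and hand back a reference."""
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        now = self._clock()
        with self._lock:
            # Drop anything that expired without ever being presented.
            for uri in [u for u, e in self._pending.items() if e[1] <= now]:
                del self._pending[uri]
            self._pending[request_uri] = (client_id, now + self._lifetime, dict(params))
        return {"request_uri": request_uri, "expires_in": self._lifetime}

    def redeem(self, client_id, request_uri):
        """Return the pushed parameters exactly once, to the client that pushed them."""
        with self._lock:
            # pop() makes lookup and invalidation one atomic step, so two
            # concurrent presentations cannot both succeed.
            entry = self._pending.pop(request_uri, None)
        if entry is None:
            raise RequestUriError("unknown or already used request_uri")
        owner, expires_at, params = entry
        if self._clock() >= expires_at:
            raise RequestUriError("request_uri expired")
        if owner != client_id:
            # The reference is already consumed at this point (fails closed).
            raise RequestUriError("request_uri was issued to another client")
        return params


def authorize(store, query):
    """Authorization endpoint: read only client_id and request_uri from the query."""
    for name in ("client_id", "request_uri"):
        if name not in query:
            raise RequestUriError(f"missing {name}")
    # Everything else (scope, code_challenge, ...) comes from the pushed copy;
    # values for them in the front-channel query are never consulted.
    return store.redeem(query["client_id"], query["request_uri"])


def demo():
    """Run the four cases from the thread against a fake clock."""
    now = [0.0]  # fake clock so the expiry case needs no sleeping
    store = PushedRequestStore(lifetime_seconds=60, clock=lambda: now[0])
    pushed = {"response_type": "code", "scope": "openid",
              "code_challenge": "constructed-challenge-value"}
    outcomes = {}

    uri = store.push("client-a", pushed)["request_uri"]
    tampered = {"client_id": "client-a", "request_uri": uri,
                "code_challenge": "value-swapped-in-the-browser"}
    outcomes["effective_challenge"] = authorize(store, tampered)["code_challenge"]

    def refused(client_id, request_uri):
        try:
            authorize(store, {"client_id": client_id, "request_uri": request_uri})
            return False
        except RequestUriError:
            return True

    outcomes["second_use_refused"] = refused("client-a", uri)
    uri = store.push("client-a", pushed)["request_uri"]
    now[0] += 61
    outcomes["expired_refused"] = refused("client-a", uri)
    uri = store.push("client-a", pushed)["request_uri"]
    outcomes["other_client_refused"] = refused("client-b", uri)
    return outcomes


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

None of this replaces validating the response: the client still checks what comes back, such as the "acr" claim in the ID token.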

--Apple-Mail=_74BF87AB-9F04-49EA-9CBD-82D0C115ED95
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" =
class=3D"">Thanks Brian,<div class=3D""><br class=3D""></div><div =
class=3D"">That sounds reasonable.</div><div class=3D""><br =
class=3D""></div><div class=3D"">My main concern is that we don=E2=80=99t =
mislead people into the security properties provided by PAR. I=E2=80=99ve =
seen multiple cases where people assume that e.g. because they sent an =
OIDC request with a particular acr_values and got back a successful =
response that the user must have been successfully authenticated in the =
intended way. There are multiple ways that assumption can be violated; =
tampering with the request being just one of them. In those kinds of =
cases, the best thing is to strictly validate the response you get back =
(e.g., the =E2=80=9Cacr=E2=80=9D claim in the ID token in this example), =
which you=E2=80=99d generally still want to do even with PAR.</div><div =
class=3D""><br class=3D""></div><div class=3D"">Obviously PAR can catch =
some of these things much earlier in the flow, which is great, but I =
just wanted to be clear whether the PAR draft is saying that there are =
either (a) some attacks that PAR catches that otherwise aren=E2=80=99t =
mitigated, or (b) there are specific attacks against PAR (e.g., replay) =
that don=E2=80=99t apply to existing flows, or (c) some checks you can =
skip if you use PAR.</div><div class=3D""><br class=3D""></div><div =
class=3D"">Cheers,</div><div class=3D""><br class=3D""></div><div =
class=3D"">=E2=80=94 Neil</div><div class=3D""><br =
class=3D""><div><blockquote type=3D"cite" class=3D""><div class=3D"">On =
24 Jul 2020, at 22:13, Brian Campbell &lt;<a =
href=3D"mailto:bcampbell@pingidentity.com" =
class=3D"">bcampbell@pingidentity.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><div dir=3D"ltr" =
class=3D""><div class=3D"">Hi Neil, <br class=3D""></div><div =
class=3D""><br class=3D""></div><div class=3D"">Torsten added this issue =
<a href=3D"https://github.com/oauthstuff/draft-oauth-par/issues/53" =
target=3D"_blank" =
class=3D"">https://github.com/oauthstuff/draft-oauth-par/issues/53</a> =
from your questions/comments, which touches on some things, and maybe he =
can provide more thoughts. But I'll make an attempt here too. <br =
class=3D""></div><div class=3D""><br class=3D""></div><div class=3D"">In =
my mind, the one-time use suggestion on the request_uri came about less =
from the risks of replay and more from the fact that the contents of a =
particular auth request are unique to the one request. So it just kinda =
made sense to similarly limit the reference to the data in a request. A =
specific request can only be made once so it's suggested (though not =
required) that a request_uri that represents that request also be usable =
only once. <br class=3D""></div><div class=3D""><br class=3D""></div><div =
class=3D"">I believe state and/or PKCE and/or nonce can prevent replay =
already but those take effect at different points in the whole dance and =
to catch replay of different artifacts. <br class=3D""></div><div =
class=3D""><br class=3D""></div><div class=3D"">Agreed that it'd be good =
for the draft to have some more discussion about the risks of =
modification and disclosure of the request content. Torsten also agreed =
yesterday at a brief discussion during OSW so I'm hopeful he can add =
some good content to the draft :) Thinking about richer authorization =
requests that might have transaction data like payee account numbers or =
amounts or similar etc. gives some idea of requests where integrity and =
confidentiality would be good. And even more basic requests, preventing =
control or modification of something like code_challenge seems useful. =
<br class=3D""></div><div class=3D""><br class=3D""></div><div =
class=3D""><br class=3D""></div><div class=3D""> <br =
class=3D""></div></div><div dir=3D"ltr" class=3D""><div dir=3D"ltr" =
class=3D""><br class=3D""></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, Jul =
23, 2020 at 1:53 AM Neil Madden &lt;<a =
href=3D"mailto:neil.madden@forgerock.com" target=3D"_blank" =
class=3D"">neil.madden@forgerock.com</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div dir=3D"auto" class=3D""><div =
dir=3D"ltr" class=3D"">Can you expand on the risks of replay? It seems =
like if the request can be replayed an attacker can also block the =
original request and inject the URI into a different request - ie no =
replay.&nbsp;</div><div dir=3D"ltr" class=3D""><br class=3D""></div><div =
dir=3D"ltr" class=3D"">(Shouldn=E2=80=99t state and/or PKCE and/or nonce =
prevent replay already?)</div><div dir=3D"ltr" class=3D""><br =
class=3D""></div><div dir=3D"ltr" class=3D"">In general the draft could =
do with some discussion of why an attacker being able to modify an =
authorization request is a risk. I might just be lacking enough coffee =
this morning to understand the risk here.&nbsp;</div><div dir=3D"ltr" =
class=3D""><br class=3D""></div><div dir=3D"ltr" class=3D"">=E2=80=94 =
Neil</div><div dir=3D"ltr" class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D"">On 22 Jul 2020, at 23:14, Brian Campbell =
&lt;bcampbell=3D<a href=3D"mailto:40pingidentity.com@dmarc.ietf.org" =
target=3D"_blank" class=3D"">40pingidentity.com@dmarc.ietf.org</a>&gt; =
wrote:<br class=3D""><br class=3D""></blockquote></div><blockquote =
type=3D"cite" class=3D""><div dir=3D"ltr" class=3D"">=EF=BB=BF<div =
dir=3D"ltr" class=3D"">Thanks Vladimir, both comments should be easy to =
address in -03 (HTTPS/TLS required and SHOULD on short lifetime *and* =
single use). <br class=3D""></div><br class=3D""><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Sun, Jul =
19, 2020 at 12:55 PM Vladimir Dzhuvinov &lt;<a =
href=3D"mailto:vladimir@connect2id.com" target=3D"_blank" =
class=3D"">vladimir@connect2id.com</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
 =20
   =20
 =20
  <div class=3D""><p class=3D"">Thanks for the update. With the "require =
PAR" AS and client
      metadata the spec is now "policy complete". I can't think of what
      else there is to add.<br class=3D"">
    </p><p class=3D""><br class=3D"">
    </p><p class=3D"">I have two comments about -02:</p><p class=3D""><br =
class=3D"">
    </p><p class=3D""><a =
href=3D"https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2" =
target=3D"_blank" =
class=3D"">https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2</=
a></p><p class=3D"">I didn't see a mention of https / TLS being required =
for the PAR
      endpoint. The reader could assume http is fine.<br class=3D"">
    </p><p class=3D""><br class=3D"">
    </p><p class=3D""><a =
href=3D"https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2.2" =
target=3D"_blank" =
class=3D"">https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2.2=
</a></p><div class=3D"">
      <br class=3D"webkit-block-placeholder"></div><blockquote =
type=3D"cite" class=3D"">
        <pre class=3D"">   Since the request URI can be replayed, its =
lifetime SHOULD be short
   and preferably limited to one-time use.</pre>
      </blockquote>
      The SHOULD is ambiguous here - does it apply to the lifetime only,
      or to the lifetime and the single use?<div class=3D""><br =
class=3D"webkit-block-placeholder"></div><p class=3D""><br class=3D"">
    </p><p class=3D"">Vladimir<br class=3D"">
    </p><p class=3D""><br class=3D"">
    </p>
    <div class=3D"">On 10/07/2020 21:36, Brian Campbell
      wrote:<br class=3D"">
    </div>
    <blockquote type=3D"cite" class=3D"">
     =20
      <div dir=3D"ltr" class=3D"">
        <div class=3D"">WG,</div>
        <div class=3D""><br class=3D"">
        </div>
        <div class=3D"">A new -02 draft of "OAuth 2.0 Pushed =
Authorization
          Requests" has been published. A summary of the changes, taken
          from the document history, is included below for ease of
          reference.&nbsp; <br class=3D"">
        </div>
        <div class=3D""><br class=3D"">
        </div>
        <div class=3D"">
          <pre class=3D"">   -02

   *  Update Resource Indicators reference to the somewhat recently
      published <a href=3D"https://datatracker.ietf.org/doc/html/rfc8707" =
target=3D"_blank" class=3D"">RFC 8707</a>

   *  Added metadata in support of pushed authorization requests only
      feature

   *  Update to comply with <a =
href=3D"https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-21" =
target=3D"_blank" class=3D"">draft-ietf-oauth-jwsreq-21</a>, which =
requires
      "client_id" in the authorization request in addition to the
      "request_uri"

   *  Clarified timing of request validation

   *  Add some guidance/options on the request URI structure

   *  Add the key used in the request object example so that a reader
      could validate or recreate the request object signature

   *  Update to <a =
href=3D"https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-25" =
target=3D"_blank" class=3D"">draft-ietf-oauth-jwsreq-25</a> and added =
note regarding
      "require_signed_request_object"</pre>
        </div>
        <br class=3D"">
        <div class=3D"gmail_quote">
          <div dir=3D"ltr" class=3D"gmail_attr">---------- Forwarded =
message
            ---------<br class=3D"">
            From: <span dir=3D"auto" class=3D"">&lt;<a =
href=3D"mailto:internet-drafts@ietf.org" target=3D"_blank" =
class=3D"">internet-drafts@ietf.org</a>&gt;</span><br class=3D"">
            Date: Fri, Jul 10, 2020 at 1:21 PM<br class=3D"">
            Subject: New Version Notification for
            draft-ietf-oauth-par-02.txt<br class=3D"">
            To: Filip Skokan &lt;<a href=3D"mailto:panva.ip@gmail.com" =
target=3D"_blank" class=3D"">panva.ip@gmail.com</a>&gt;,
            Torsten Lodderstedt &lt;<a =
href=3D"mailto:torsten@lodderstedt.net" target=3D"_blank" =
class=3D"">torsten@lodderstedt.net</a>&gt;,
            Brian Campbell &lt;<a =
href=3D"mailto:bcampbell@pingidentity.com" target=3D"_blank" =
class=3D"">bcampbell@pingidentity.com</a>&gt;,
            Dave Tonge &lt;<a href=3D"mailto:dave@tonge.org" =
target=3D"_blank" class=3D"">dave@tonge.org</a>&gt;,
            Nat Sakimura &lt;<a href=3D"mailto:nat@sakimura.org" =
target=3D"_blank" class=3D"">nat@sakimura.org</a>&gt;<br class=3D"">
          </div>
          <br class=3D"">
          <br class=3D"">
          <br class=3D"">
          A new version of I-D, draft-ietf-oauth-par-02.txt<br class=3D"">=

          has been successfully submitted by Brian Campbell and posted
          to the<br class=3D"">
          IETF repository.<br class=3D"">
          <br class=3D"">
          Name:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp;draft-ietf-oauth-par<br class=3D"">
          Revision:&nbsp; &nbsp; &nbsp; &nbsp;02<br class=3D"">
          Title:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; OAuth 2.0 Pushed =
Authorization Requests<br class=3D"">
          Document date:&nbsp; 2020-07-10<br class=3D"">
          Group:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; oauth<br class=3D"">
          Pages:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 18<br class=3D"">
          URL:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <a =
href=3D"https://www.ietf.org/internet-drafts/draft-ietf-oauth-par-02.txt" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">https://www.ietf.org/internet-drafts/draft-ietf-oauth-par-02.tx=
t</a><br class=3D"">
          Status:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<a =
href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-par/" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">https://datatracker.ietf.org/doc/draft-ietf-oauth-par/</a><br =
class=3D"">
          Htmlized:&nbsp; &nbsp; &nbsp; &nbsp;<a =
href=3D"https://tools.ietf.org/html/draft-ietf-oauth-par-02" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">https://tools.ietf.org/html/draft-ietf-oauth-par-02</a><br =
class=3D"">
          Htmlized:&nbsp; &nbsp; &nbsp; &nbsp;<a =
href=3D"https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par</a><=
br class=3D"">
          Diff:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<a =
href=3D"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-par-02" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-par-02</a>=
<br class=3D"">
          <br class=3D"">
          Abstract:<br class=3D"">
          &nbsp; &nbsp;This document defines the pushed authorization =
request
          endpoint,<br class=3D"">
          &nbsp; &nbsp;which allows clients to push the payload of an =
OAuth 2.0<br class=3D"">
          &nbsp; &nbsp;authorization request to the authorization server =
via a
          direct<br class=3D"">
          &nbsp; &nbsp;request and provides them with a request URI that =
is used
          as<br class=3D"">
          &nbsp; &nbsp;reference to the data in a subsequent =
authorization
          request.<br class=3D"">
          <br class=3D"">
          <br class=3D"">
          <br class=3D"">
          <br class=3D"">
          Please note that it may take a couple of minutes from the time
          of submission<br class=3D"">
          until the htmlized version and diff are available at <a =
href=3D"http://tools.ietf.org/" rel=3D"noreferrer" target=3D"_blank" =
class=3D"">tools.ietf.org</a>.<br class=3D"">
          <br class=3D"">
          The IETF Secretariat<br class=3D"">
          <br class=3D"">
          <br class=3D"">
        </div>
      </div>
      <br class=3D"">
      <br class=3D"">
      <fieldset class=3D""></fieldset>
      <pre class=3D"">_______________________________________________
OAuth mailing list
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <pre cols=3D"72" class=3D"">--=20
Vladimir Dzhuvinov</pre>
  </div>

</blockquote></div>

<br class=3D"">
</div></blockquote></div></blockquote></div></div>

<br class=3D"">
</div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_74BF87AB-9F04-49EA-9CBD-82D0C115ED95--


From nobody Mon Jul 27 05:33:56 2020
From: Justin Richer <jricher@mit.edu>
Message-Id: <0FF4F31A-4E43-4E9F-A74A-12CC81F91731@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_340EC222-277F-4894-9E65-C5577C6DEC9D"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Mon, 27 Jul 2020 08:33:23 -0400
In-Reply-To: <E0541BBE-63AF-4699-9F06-DA5E13C8C0CC@lodderstedt.net>
Cc: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
References: <50FA3A37-00E5-4C9D-91B0-5829268C76C6@mit.edu> <E0541BBE-63AF-4699-9F06-DA5E13C8C0CC@lodderstedt.net>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9tNMHyeqJvMezBzbyLquu6JckyI>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

--Apple-Mail=_340EC222-277F-4894-9E65-C5577C6DEC9D
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

That’s fair — I think there’s value in reusable components but they don’t have to be controlled by a registry. I’ll back off the registry language for that bit and file an issue to that effect.

 — Justin

> On Jul 26, 2020, at 7:26 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
> Hi,
>
> the wording regarding type works for me.
>
> Similar to Brian, I don’t understand how the data type registry is supposed to work.
>
> In my opinion, type and locations are completely different from the other elements since they are required by the protocol itself. Their semantics must not be changed by applications.
>
> The other element types are reusable components, but I don’t understand how an application or standard would refer to them, include them into their type definition, and how overloading might happen. For example, are these elements always included in the top level container or can they be used deeper in the structure?
>
> There are alternative solutions for reuse. I personally would use JSON schemas to define such reusable elements and the authorization data types utilizing them.
>
> I therefore don’t see the need for a RAR specific mechanism (a registry).
>
> best regards,
> Torsten.
>
>> On 26.07.2020 at 02:48, Justin Richer <jricher@mit.edu> wrote:
>>
>> Brian,
>>
>> I can appreciate the confusion on the elements registry. It’s really about having a place to put re-usable components that people might use within their own “type” definitions, if they want to. The construct in use there is similar to what we used in Vectors of Trust (RFC8485), https://tools.ietf.org/html/rfc8485
>>
>> A VoT “trust framework” document can technically define whatever categories and values that it wants to. However, there is a registry for common categories, designed to be core dimensions applicable across a number of different trust frameworks.
>>
>> So the way that it works is that a “type” can redefine its own syntax and semantics for something like “actions” or “locations”, if it wants to, but the registry is giving people a place to look and say, “oh hey, someone already uses ‘actions’ in a general way, maybe that works for me and I can use that definition, or maybe I should find a different word”. So while “type” avoids the programmatic namespace collision of two different definitions of “action”, the registry helps to avoid developer confusion about having two different uses for the same word.
>>
>> It’s not foolproof, but it’s better than making every API designer start from a completely blank slate.
>>
>>  — Justin
>>
>>> On Jul 24, 2020, at 5:55 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>>
>>> I think I'm on board with the type being just a string and the guidance provided about collision-resistance (rather than having a registry for types or requiring type to be a URI or something along those lines). I don't believe there's actually an issue with string comparison in that context and so see no need for the draft to say anything special about it.
>>>
>>> In looking at the pull request, however, I'm surprised by there being a registry for the data elements. And honestly confused about how that would even work in practice. The contents of the authorization details object are determined by the `type` parameter but there's also a registry of the elements that can make up that content that are general across type. I don't see how to reconcile that.
>>>
>>> On Mon, Jul 20, 2020 at 10:00 AM Justin Richer <jricher@mit.edu> wrote:
>>> I created a pull request with some proposed language here:
>>>
>>> https://github.com/oauthstuff/draft-oauth-rar/pull/52
>>>
>>>  — Justin
>>>
>>>> On Jul 20, 2020, at 7:42 AM, Justin Richer <jricher@mit.edu> wrote:
>>>>
>>>> Since this is a recommendation for namespace, we could also just say collision-resistant like JWT, and any of those examples are fine. But that said, I think there’s something particularly compelling about URIs since they have somewhat-human-readable portions. But again, I’m saying it should be a recommendation to API developers and not a requirement in the spec. In the spec, I argue that “type” should be a string, full stop.
>>>>
>>>> If documentation is so confusing that developers are typing in the wrong strings, then that’s bad documentation. And likely a bad choice for the “type” string on the part of the AS. You’d have the same problem with any other value the developer’s supposed to copy over.  :)
>>>>
>>>> I agree that we should call out explicitly how they should be compared, and I propose we use one of the handful of existing string-comparison RFC’s here instead of defining our own rules.
>>>>
>>>> While the type could be a dereferenceable URI, requiring action on the AS is really getting into distributed authorization policies. We tried doing that with UMA1’s scope structures and it didn’t work very well in practice (in my memory and experience). Someone could profile “type” on top of this if they wanted to do so, with support at the AS for that, but I don’t see a compelling reason for that to be a requirement as that’s a lot of complexity and a lot more error states (the fetch fails, or it doesn’t have a policy, or the policy’s in a format the AS doesn’t understand, or the AS doesn’t like the policy, etc).
>>>>
>>>> An AS is always free to implement its types in such a fashion, and that could make plenty of sense in a smaller ecosystem. And this is yet another reason that we define “type” as being a string to be interpreted and understood by the AS — so that an AS that wants to work this way can do so.
>>>>
>>>>  — Justin
>>>>
>>>> PS: thanks for pointing out the error in the example in XYZ, I’ll fix that prior to publication.
>>>>
>>>>> On Jul 18, 2020, at 8:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>
>>>>> Justin: thanks for kindly pointing out which mail list this is.
>>>>>
>>>>> To clarify, public JWT claims are not just URIs, but any collision-resistant namespace:
>>>>> "Examples of collision-resistant namespaces include: Domain Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and X.670 Recommendation series, and Universally Unique IDentifiers (UUIDs) [RFC4122]."
>>>>>
>>>>> I think letting the "type" be any JSON string and doing a byte-wise comparison will be problematic. A client developer will be reading documentation to learn what the types are, and typing it in. Given the wide set of whitespace characters, and unicode equivalence, different byte streams will all look the same, and a byte-wise comparison will fail.
>>>>>
>>>>> Similarly for URIs. If it is a valid URI, then a byte-wise comparison is not sufficient. Canonicalization is required.
>>>>>
>>>>> These are not showstopper issues, but the specification should call out how type strings are compared, and provide caveats to an AS developer.
>>>>>
>>>>> I have no idea why you would think the AS would retrieve a URL.
>>>>>
>>>>> Since the type represents a much more complex object than a JWT claim, a client developer's tooling could pull down the JSON Schema (or some such) for a type used in their source code, and provide autocompletion and validation which would improve productivity and reduce errors. An AS that is using a defined type could use the schema for input validation. Neither of these would be at run time. JSON Schema allows comments and examples.
>>>>>
>>>>> What is the harm in non-normative language around a retrievable URI?
>>>>>
>>>>> BTW: the example in https://oauth.xyz/draft-richer-transactional-authz#rfc.section.2 has not been updated with the "type" field.
>>>>>
>>>>> On Sat, Jul 18, 2020 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>>>>> Hi Dick,
>>>>>
>>>>> This is a discussion about the RAR specification on the OAuth list, and therefore doesn’t have anything to do with alignment with XAuth. In fact, I believe the alignment is the other way around, as doesn’t XAuth normatively reference RAR at this point? Even though, last I saw, it uses a different top-level structure for conveying things, I believe it does say to use the internal object structures. I am also a co-author on RAR and we had already defined a “type” field in RAR quite some time ago. You did notice that XYZ’s latest draft added this field to keep the two in alignment with each other, which has always been the goal since the initial proposal of the RAR work, but that’s a time lag and not a display of new intent.
>>>>>
>>>>> In any event, even though I think the decision has bearing in both places, this isn’t about GNAP. Working on RAR’s requirements has brought up this interesting issue of what should be in the type field for RAR in OAuth 2.
>>>>>
>>>>> I think that it should be defined as a string, and therefore compared as a byte value in all cases, regardless of what the content of the string is. I don’t think the AS should be expected to fetch a URI for anything. I don’t think the AS should normalize any of the inputs. I think that any JSON-friendly character set should be allowed (including spaces and unicodes), and since RAR already requires the JSON objects to be form-encoded, this shouldn’t cause additional trouble when adding them in to OAuth 2’s request structures.
>>>>>
>>>>> The idea of using a URI would be to get people out of each other’s namespaces. It’s similar to the concept of “public” vs “private” claims in JWT:
>>>>>
>>>>> https://tools.ietf.org/html/rfc7519#section-4.2
>>>>>
>>>>> What I’m proposing is that if you think it’s going to be a general-purpose type name, then we recommend you use a URI as your string. And beyond that, that’s it. It’s up to the AS to figure out what to do with it, and RAR stays out of it.
>>>>>
>>>>>  — Justin
>>>>>
>>>>>> On Jul 17, 2020, at 1:25 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>>
>>>>>> Hey Justin, glad to see that you have aligned with the latest XAuth draft on a type property being required.
>>>>>>
>>>>>> I like the idea that the value of the type property is fully defined by the AS, which could delegate it to a common URI for reuse. This gets GNAP out of specifying access requests, and enables other parties to define access without any required coordination with IETF or IANA.
>>>>>>
>>>>>> A complication in mixing plain strings and URIs is the canonicalization. A plain string can be a fixed byte representation, but a URI requires canonicalization for comparison. Mixing the two requires URI detection at the AS before canonicalization, and an AS MUST do canonicalization of URIs.
>>>>>>
>>>>>> The URI is retrievable, it can provide machine and/or human readable documentation in JSON schema or some such, or any other content type. Once again, the details are out of scope of GNAP, but we can provide examples to guide implementers.
>>>>>>
>>>>>> Are you still thinking that bare strings are allowed in GNAP, and are defined by the AS?
>>>>>>
>>>>>> On Fri, Jul 17, 2020 at 8:39 AM Justin Richer <jricher@mit.edu> wrote:
>>>>>> The “type” field in the RAR spec serves an important purpose: it defines what goes in the rest of the object, including what other fields are available and what values are allowed for those fields. It provides an API-level definition for requesting access based on multiple dimensions, and that’s really powerful and flexible. Each type can use any of the general-purpose fields like “actions” and/or add its own fields as necessary, and the “type” parameter keeps everything well-defined.
>>>>>>
>>>>>> The question, then, is what defines what’s allowed to go into the “type” field itself? And what defines how that value maps to the requirements for the rest of the object? The draft doesn’t say anything about it at the moment, but we should choose the direction we want to go. On the surface, there are three main options:
>>>>>>
>>>>>> 1) Require all values to be registered.
>>>>>> 2) Require all values to be collision-resistant (eg, URIs).
>>>>>> 3) Require all values to be defined by the AS (and/or the RS’s that it protects).
>>>>>>
>>>>>> Are there any other options?
>>>>>>
>>>>>> Here are my thoughts on each approach:
>>>>>>
>>>>>> 1) While it usually makes sense to register things for interoperability, this is a case where I think that a registry would actually hurt interoperability and adoption. Like a “scope” value, the RAR “type” is ultimately up to the AS and RS to interpret in their own context. We :want: people to define rich objects for their APIs and enable fine-grained access for their systems, and if they have to register something every time they come up with a new API to protect, it’s going to be an unmaintainable mess. I genuinely don’t think this would scale, and that most developers would just ignore the registry and do what they want anyway. And since many of these systems are inside domains, it’s completely unenforceable in practice.
>>>>>>
>>>>>> 2) This seems reasonable, but it’s a bit of a nuisance to require everything to be a URI here. It’s long and ugly, and a lot of APIs are going to be internal to a given group, deployment, or ecosystem anyway. This makes sense when you’ve got something reusable across many deployments, like OIDC, but it’s overhead when what you’re doing is tied to your environment.
>>>>>>
>>>>>> 3) This allows the AS and RS to define the request parameters for their APIs just like they do today with scopes. Since it’s always the combination of “this type :AT: this AS/RS”, name spacing is less of an issue across systems. We haven’t seen huge problems in scope value overlap in the wild, though it does occur from time to time it’s more than manageable. A client isn’t going to just “speak RAR”, it’s going to be speaking RAR so that it can access something in particular.
>>>>>>
>>>>>> And all that brings me to my proposal:
>>>>>>
>>>>>> 4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.
>>>>>>
>>>>>> So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.
>>>>>>
>>>>>> My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.
>>>>>>
>>>>>> What does the rest of the group think? How should we manage the RAR “type” values and what they mean?
>>>>>>
>>>>>>  — Justin
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_340EC222-277F-4894-9E65-C5577C6DEC9D--
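
The thread above turns on how an AS compares the RAR "type" value: as an exact string, or with canonicalization. The following is an added example, not code from any participant or from the RAR draft; it shows an AS matching "type" byte for byte, with a separate diagnostic that flags look-alike values for logging. The type names, member sets and function names are constructed for illustration.

```python
import json
import unicodedata

# Constructed, AS-local type table (hypothetical names). Each "type" fixes
# which other members its authorization details object may carry.
KNOWN_TYPES = {
    "payment_initiation": {"actions", "locations"},
    "https://api.example.com/types/account-access": {"actions", "locations", "accounts"},
    "caf\u00e9_orders": {"actions"},  # stored in NFC form (U+00E9)
}


def match_type(requested):
    """Return the registered type only on an exact, byte-for-byte match."""
    wanted = requested.encode("utf-8")
    for known in KNOWN_TYPES:
        if known.encode("utf-8") == wanted:
            return known
    return None


def _fold(value):
    """Lossy key for diagnostics only, never for the access decision.

    It folds case everywhere (including URI paths, which are case-sensitive),
    so two values with the same key are look-alikes, not equivalents.
    """
    folded = unicodedata.normalize("NFKC", value).casefold()
    return "".join(folded.split())


def near_misses(requested):
    """Registered types that look like `requested` but differ in bytes."""
    key = _fold(requested)
    return sorted(k for k in KNOWN_TYPES if k != requested and _fold(k) == key)


def validate_authorization_details(raw):
    """Check each object of a JSON authorization_details array.

    Returns one (verdict, detail) tuple per entry, in request order.
    """
    entries = json.loads(raw)
    if not isinstance(entries, list):
        raise ValueError("authorization_details must be a JSON array")
    results = []
    for entry in entries:
        requested = entry.get("type") if isinstance(entry, dict) else None
        if not isinstance(requested, str):
            results.append(("rejected", "missing or non-string type"))
            continue
        known = match_type(requested)
        if known is None:
            detail = "unknown type"
            looks_like = near_misses(requested)
            if looks_like:
                detail += "; differs only in encoding or case from %r" % looks_like[0]
            results.append(("rejected", detail))
            continue
        # The matched type decides which other members are allowed.
        extra = set(entry) - {"type"} - KNOWN_TYPES[known]
        if extra:
            results.append(("rejected", "members not defined for this type: %s" % sorted(extra)))
        else:
            results.append(("accepted", known))
    return results


# Constructed request: one exact match, three look-alikes, one type carrying a
# member it does not define, and one object with no "type" at all.
SAMPLE_REQUEST = json.dumps([
    {"type": "payment_initiation", "actions": ["initiate"]},
    {"type": "payment_initiation\u00a0", "actions": ["initiate"]},   # trailing NBSP
    {"type": "cafe\u0301_orders", "actions": ["read"]},              # NFD form
    {"type": "HTTPS://api.example.com/types/account-access", "actions": ["read"]},
    {"type": "payment_initiation", "accounts": ["12345"]},
    {"actions": ["read"]},
])

if __name__ == "__main__":
    for verdict, detail in validate_authorization_details(SAMPLE_REQUEST):
        print(verdict, "-", detail)
```

The look-alike check only enriches the rejection message and the AS log; the grant decision rests on `match_type` alone.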


From nobody Mon Jul 27 08:09:43 2020
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 906823A0F1C; Mon, 27 Jul 2020 08:09:41 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.10.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: oauth@ietf.org
Message-ID: <159586258143.19413.8136040653842991742@ietfa.amsl.com>
Date: Mon, 27 Jul 2020 08:09:41 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/82a_DRZCY1TxRUnS5HS85x8V-9g>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-26.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2020 15:09:42 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
        Authors         : Nat Sakimura
                          John Bradley
	Filename        : draft-ietf-oauth-jwsreq-26.txt
	Pages           : 33
	Date            : 2020-07-27

Abstract:
   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
   query parameter serialization, which means that Authorization Request
   parameters are encoded in the URI of the request and sent through
   user agents such as web browsers.  While it is easy to implement, it
   means that (a) the communication through the user agents are not
   integrity protected and thus the parameters can be tainted, and (b)
   the source of the communication is not authenticated.  Because of
   these weaknesses, several attacks to the protocol have now been put
   forward.

   This document introduces the ability to send request parameters in a
   JSON Web Token (JWT) instead, which allows the request to be signed
   with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
   (JWE) so that the integrity, source authentication and
   confidentiality property of the Authorization Request is attained.
   The request can be sent by value or by reference.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-26
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-26

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-26


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



From nobody Thu Jul 30 04:27:42 2020
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D33833A1094; Thu, 30 Jul 2020 04:27:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level: 
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kFWqiuPi1Eq2; Thu, 30 Jul 2020 04:27:39 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E67793A108A; Thu, 30 Jul 2020 04:27:38 -0700 (PDT)
Received: from [192.168.1.6] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 06UBRaNj020597 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 30 Jul 2020 07:27:37 -0400
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <3C919E79-C162-4B5D-A2BE-95825981CF3A@lodderstedt.net>
Date: Thu, 30 Jul 2020 07:27:36 -0400
Cc: Aaron Parecki <aaron@parecki.com>, oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <DD371DAF-9AF1-4F1D-8F62-C31E1309F0AF@mit.edu>
References: <869491B5-9AA5-4593-A307-46FAAF7E990D@mit.edu> <7B488048-896B-4F88-976C-909D0BFA16D3@lodderstedt.net> <CAGBSGjp+gudsyu9EsyEZ8-JsUKQQDHL+T15G7=PDa=f7hvBZhQ@mail.gmail.com> <3C919E79-C162-4B5D-A2BE-95825981CF3A@lodderstedt.net>
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/d21p-c0RGvBORNybVcxEOydqXxw>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushed requests must become JWTs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 11:27:41 -0000

Aaron,

The “request_uri” comes from OIDC originally, and is redefined in JAR.
The original idea was to have a URL that the AS/IdP would be able to
fetch to get a Request Object from, which is why JAR used to have
language about “it MUST be fetchable and resolve to a JWT” (or something
like that). JAR has backed off that requirement now (I believe), but
those roots are still in the name. RAR opts to re-use that mechanism
instead of inventing either a new parameter or returning a full
Redirection URI.

 — Justin

> On Jul 24, 2020, at 3:12 AM, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>
> Hi Aaron,
>
> that’s a very good point. I was also in favour of just providing the
> client with the URL it needs to send the user to (like XYZ and OAuth do).
>
> In the end, we decided to stay with the current approach since it fits
> with the rest of the existing ecosystem, namely JAR and authorization
> endpoint discovery.
>
> best regards,
> Torsten.
>
>> On 24. Jul 2020, at 00:49, Aaron Parecki <aaron@parecki.com> wrote:
>>
>> I know this is a bit of an old thread to dig up, but as I'm working
>> through this draft again, something is sticking out to me about this.
>>
>> In every other instance of "*_uri" in OAuth and extensions, the value
>> is a URI (usually https) which will be visited by the user's browser or
>> be sent a POST request from a client. In the case of PAR, this
>> "request_uri" is actually just an identifier that is *added* to an
>> existing URL, the authorization endpoint, not a URL that will be visited
>> itself. This discrepancy is bothering me.
>>
>> I would have expected that either:
>>
>> * The PAR response includes a "request_uri" which is the full URL that
>>   the client would redirect the user's browser to, OR
>> * The PAR response includes a "request_id" which it adds in the query
>>   string to the authorization endpoint and then redirects the browser to
>>
>> For example:
>>
>> POST /as/par HTTP/1.1
>> ...
>> response:
>> {
>>      "request_uri": "https://as.example.com/auth?request=bwc4JK-ESC0w8acc191e-Y1LTC2",
>>      "expires_in": 60
>> }
>>
>> then the user's browser is sent to whatever the value of "request_uri" is
>>
>> OR
>>
>> POST /as/par HTTP/1.1
>> ...
>> response:
>> {
>>      "request_id": "urn:ietf:params:oauth:request_uri:bwc4JK-ESC0w8acc191e-Y1LTC2",
>>      "expires_in": 60
>> }
>>
>> then the "request_id" is added to the authorization endpoint (as
>> currently described by PAR)
>>
>> https://as.example.com/auth?client_id=s6BhdRkqt3&request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3Abwc4JK-ESC0w8acc191e-Y1LTC2
>>
>> My personal preference is the first option, keeping the term
>> "request_uri" but having it actually be the full URI, to simplify the
>> job of the client. In that model, the client doesn't have to mess with
>> building URLs, and actually provides additional flexibility for the AS
>> as well since that endpoint no longer needs to be the exact same URL as
>> the authorization endpoint.
>>
>> ---
>> Aaron Parecki
>> https://aaronparecki.com
>>
>>
>> On Thu, Jan 16, 2020 at 8:25 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>> I just thought about another option. What if we change PAR to not use
>> the request_uri parameter but a new parameter, e.g. request_id?
>>
>> That would decouple both specs. The reason why we use request_uri was
>> to make the life of clients easier since they can use the standard
>> library function for request objects to pass the PAR reference to the
>> AS. Is this worth the trouble?
>>
>>> On 16.01.2020 at 16:48, Justin Richer <jricher@mit.edu> wrote:
>>>
>>> +1 to this approach, and it sounds like JAR might need to come back
>>> to go through another round anyway thanks to the breaking changes the
>>> IESG pushed into it after it left WGLC.
>>>
>>> I’d rather see us get this right than publish something many of us
>>> think is broken.
>>>
>>> Maybe PAR and JAR (and JARM?) end up going out as a bundle of specs.
>>>
>>> — Justin
>>>
>>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
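
The two response shapes discussed in this thread, seen from the client side, as an added example that is not part of any message here or of the PAR draft: the first function builds the redirect the way the thread says PAR currently describes it, the second follows a full URL as in Aaron's first option. The function names, the `age_seconds` parameter and the origin check in the second function are assumptions of this example; the sample values are the ones quoted in the thread.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Sample PAR responses, copied from the examples quoted in the thread.
PAR_RESPONSE_REFERENCE = {
    "request_uri": "urn:ietf:params:oauth:request_uri:bwc4JK-ESC0w8acc191e-Y1LTC2",
    "expires_in": 60,
}
PAR_RESPONSE_FULL_URL = {
    "request_uri": "https://as.example.com/auth?request=bwc4JK-ESC0w8acc191e-Y1LTC2",
    "expires_in": 60,
}


class ParError(ValueError):
    """Raised when a PAR response cannot be turned into a redirect target."""


def _require_fresh(par_response, age_seconds):
    # expires_in is a lifetime in seconds; age_seconds (assumed parameter) is
    # how long ago the client received the response.
    expires_in = par_response.get("expires_in")
    if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
        raise ParError("missing or invalid expires_in")
    if age_seconds >= expires_in:
        raise ParError("pushed request has expired")


def redirect_as_currently_described(authorization_endpoint, client_id,
                                    par_response, age_seconds=0):
    """request_uri is a reference that the client adds to the authorization endpoint."""
    _require_fresh(par_response, age_seconds)
    reference = par_response.get("request_uri")
    if not isinstance(reference, str) or not reference:
        raise ParError("missing request_uri")
    parts = urlsplit(authorization_endpoint)
    if parts.scheme != "https" or parts.fragment:
        raise ParError("authorization endpoint must be https without a fragment")
    # Keep any query the endpoint already carries, then append the two
    # parameters; urlencode percent-encodes the colons in the URN.
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("client_id", client_id), ("request_uri", reference)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def redirect_with_full_url(par_response, expected_origin, age_seconds=0):
    """First option from the thread: request_uri already is the URL to visit."""
    _require_fresh(par_response, age_seconds)
    target = par_response.get("request_uri")
    if not isinstance(target, str) or not target:
        raise ParError("missing request_uri")
    parts = urlsplit(target)
    # Added check (assumption of this example): only follow a URL on the
    # authorization server origin the client is configured for.
    if f"{parts.scheme}://{parts.netloc}" != expected_origin:
        raise ParError("request_uri is not on the expected authorization server origin")
    return target


if __name__ == "__main__":
    print(redirect_as_currently_described(
        "https://as.example.com/auth", "s6BhdRkqt3", PAR_RESPONSE_REFERENCE))
    print(redirect_with_full_url(PAR_RESPONSE_FULL_URL, "https://as.example.com"))
```
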


From nobody Thu Jul 30 04:49:40 2020
Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AAF83A0DE6 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 04:49:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ED8NIOxkRnpb for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 04:49:37 -0700 (PDT)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E76F3A0A00 for <oauth@ietf.org>; Thu, 30 Jul 2020 04:49:37 -0700 (PDT)
Received: by mail-wm1-x32c.google.com with SMTP id f18so4155536wmc.0 for <oauth@ietf.org>; Thu, 30 Jul 2020 04:49:37 -0700 (PDT)
X-Received: by 2002:a1c:e908:: with SMTP id q8mr13815782wmc.59.1596109775901;  Thu, 30 Jul 2020 04:49:35 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com> <546988a3-2740-98e7-a37b-8c11c0a41b8f@connect2id.com> <CABzCy2ASW4QfnjSR+su-6m43WHc2fucvfZBXD3stYk_zahho3w@mail.gmail.com>
In-Reply-To: <CABzCy2ASW4QfnjSR+su-6m43WHc2fucvfZBXD3stYk_zahho3w@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Thu, 30 Jul 2020 07:49:24 -0400
Message-ID: <CADNypP9+ATAbPiZXyxdB8+K+aKZK5b=1Q9dJphECq4NDMmpAnw@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000037165d05aba744f0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TsoBao4qY6mcJCtCL-aQqM_Bx6A>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 11:49:39 -0000

--00000000000037165d05aba744f0
Content-Type: text/plain; charset="UTF-8"

All,

This concludes our call for adoption for this document.
The WG has decided to adopt this draft as a WG document.


*Authors,*

Feel free to submit a WG version of the document.

Regards,
 Rifaat


On Fri, Jul 17, 2020 at 9:29 AM Nat Sakimura <sakimura@gmail.com> wrote:

> +1
>
> On Fri, Jul 17, 2020 at 3:57 PM Vladimir Dzhuvinov <
> vladimir@connect2id.com> wrote:
>
>> +1
>>
>> Vladimir
>> On 15/07/2020 20:54, Dick Hardt wrote:
>>
>> +1
>>
>> On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <
>> rifaat.s.ietf@gmail.com> wrote:
>>
>>> All,
>>>
>>> This is a *call for adoption* for the following *OAuth 2.1* document as
>>> a WG document:
>>> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>>>
>>> Please, provide your feedback on the mailing list by *July 29th.*
>>>
>>> Regards,
>>>  Rifaat & Hannes
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


--00000000000037165d05aba744f0--


From nobody Thu Jul 30 08:30:13 2020
Return-Path: <saschapreibisch@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 188163A09A8 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 08:30:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EBqd-xO7Kldo for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 08:30:09 -0700 (PDT)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 267693A09A6 for <oauth@ietf.org>; Thu, 30 Jul 2020 08:30:09 -0700 (PDT)
Received: by mail-wr1-x42f.google.com with SMTP id r2so20228831wrs.8 for <oauth@ietf.org>; Thu, 30 Jul 2020 08:30:09 -0700 (PDT)
X-Received: by 2002:adf:ded0:: with SMTP id i16mr34451144wrn.389.1596123007597;  Thu, 30 Jul 2020 08:30:07 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP-CTbXYnmmgxEEVkHEXgtN5JnYSfS5KZvhogGvHrppkjA@mail.gmail.com> <CAD9ie-suSMcc9kzcAdvkrsXNaO2r0_Fp7HKTZenaVaqs9Uz4Jw@mail.gmail.com> <546988a3-2740-98e7-a37b-8c11c0a41b8f@connect2id.com>
In-Reply-To: <546988a3-2740-98e7-a37b-8c11c0a41b8f@connect2id.com>
From: Sascha Preibisch <saschapreibisch@gmail.com>
Date: Thu, 30 Jul 2020 08:29:53 -0700
Message-ID: <CAP=vD9unZt3SAe1YDNvuPRjWxCdYYrOnDsLB2F0YwmnmqRtG0g@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: IETF oauth WG <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ncLrMWUrIIrDySv8A8bkDqFEqO8>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 15:30:11 -0000

+1

On Thu, 16 Jul 2020 at 23:57, Vladimir Dzhuvinov
<vladimir@connect2id.com> wrote:
>
> +1
>
> Vladimir
>
> On 15/07/2020 20:54, Dick Hardt wrote:
>
> +1
>
> On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
>>
>> All,
>>
>> This is a call for adoption for the following OAuth 2.1 document as a WG document:
>> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>>
>> Please, provide your feedback on the mailing list by July 29th.
>>
>> Regards,
>>  Rifaat & Hannes
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From nobody Thu Jul 30 08:32:55 2020
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EE4FB3A09B1; Thu, 30 Jul 2020 08:32:51 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.12.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: oauth@ietf.org
Message-ID: <159612317192.1556.10511028888056609811@ietfa.amsl.com>
Date: Thu, 30 Jul 2020 08:32:51 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LFe_X4QUS0zVLvkLNNfMr62kjVI>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 15:32:52 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : The OAuth 2.1 Authorization Framework
        Authors         : Dick Hardt
                          Aaron Parecki
                          Torsten Lodderstedt
	Filename        : draft-ietf-oauth-v2-1-00.txt
	Pages           : 85
	Date            : 2020-07-30

Abstract:
   The OAuth 2.1 authorization framework enables a third-party
   application to obtain limited access to an HTTP service, either on
   behalf of a resource owner by orchestrating an approval interaction
   between the resource owner and the HTTP service, or by allowing the
   third-party application to obtain access on its own behalf.  This
   specification replaces and obsoletes the OAuth 2.0 Authorization
   Framework described in RFC 6749.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-v2-1-00
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-00


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



From nobody Thu Jul 30 08:42:09 2020
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73A043A09F6 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 08:42:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.003
X-Spam-Level: 
X-Spam-Status: No, score=-1.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_16=1.092, HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_2=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q-bFJGfzcbFc for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 08:41:59 -0700 (PDT)
Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BC413A0AAD for <oauth@ietf.org>; Thu, 30 Jul 2020 08:41:58 -0700 (PDT)
Received: by mail-qv1-xf2a.google.com with SMTP id m9so12711405qvx.5 for <oauth@ietf.org>; Thu, 30 Jul 2020 08:41:58 -0700 (PDT)
X-Received: by 2002:a0c:e70b:: with SMTP id d11mr3522894qvn.63.1596123716612;  Thu, 30 Jul 2020 08:41:56 -0700 (PDT)
MIME-Version: 1.0
From: Warren Parad <wparad@rhosys.ch>
Date: Thu, 30 Jul 2020 17:41:45 +0200
Message-ID: <CAJot-L0pNWox1aX5GOkD=QVJakRVVtn=PvysciB2Wak6ijG+Dw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="00000000000025abcd05abaa830c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VXbHDmzPdMGnUDx_hofziljZla0>
Subject: [OAUTH-WG] Authorization Code Grant diagram Improvement OAuth 2.1 draft-ietf-oauth-v2-1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 15:42:07 -0000

--00000000000025abcd05abaa830c
Content-Type: multipart/alternative; boundary="00000000000025abcc05abaa830b"

--00000000000025abcc05abaa830b
Content-Type: text/plain; charset="UTF-8"

https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-authorization-code-grant

Can we avoid using (1, 2, 3) on the left side of the diagram to describe,
I'm not even sure what they are supposed to represent, not to mention the
RO in the diagram doesn't really provide value (for me) relevant to the
code grant flow. It's confusing to see these numerical identifiers twice in
the same picture. But maybe there is something hidden in this that I'm
missing, still 3a and 3b could be used to identify different legs of the
same code path.
[image: image.png]


*Warren Parad*
Secure your user data and complete your authorization architecture.
Implement Authress <https://bit.ly/37SSO1p>.
<https://rhosys.ch>

--00000000000025abcc05abaa830b--

--00000000000025abcd05abaa830c
Content-Type: image/png; name="image.png"
Content-Disposition: inline; filename="image.png"
Content-Transfer-Encoding: base64
Content-ID: <ii_kcnpzgwk0>
X-Attachment-Id: ii_kcnpzgwk0

TDKznXlAHQN1KJYzWaq+tykB/RzMR612JlLdbebVLsBtshzZDQ4KyEY+89bpZknua04iqkFvV9NX
Ka5O5sGq9l1pDuUCPV0rT7+399O1ThH6NvNW1DtT4+oZd4a73zySvk19mL++1wlorar4+igE/knr
GKblLeKsKIs0nNpisCKP28xsNlrEeVkWyXpisZ6JojIJgzjNy7JM1xPLHAe8pxjQOlVVdYanbOka
JhvNwjQviyyeu6Y1jUX3QQLJnqyTvCiyzWpiNRO7ycxmtuN6i3CTplkpu/JGpnD8JRW9Lu42jaiM
RVlmVD3Z+e2WpOlNhrKm0hrMEx3SNl15rCmtZvRsNTKZt4iSLMuSKOYapQgnFhvNozQv8jScuczy
xbQ5ZWWNV7yW8XJsmUatdegSfqQs883Sa65QOZF9TNsPEp7ofMRMQ+qSHURVlcdBlGRFWeZEmesR
soZnGOZozgXmNg+4BYUMSuZDy7ho5GziOlR+NaFVrD2ZdOSbhunOYoqYbzNKeLTigYgDnEppnc3U
ssbrtCjLIkuisCu2OyaslNbpvTBduMydRY2fy5UCNca0KIo0mo+YUWNUqLt+W8ZT23SmhL7I4oXH
2DjYiUQNGp3DcXzu2/lmNW7gcFXSsOVjRJ/rtrXOkAVV6aXfzmXVZ7yVCTMPuXoXbTKzB3oJlQ2J
/L7eoAgnjLmzgDeIOEqoixAA/fUmzbI0jjZCYvcaKF97pjOjXqjM0ziM6Dah1756SWKf6XGdoWoK
kqR1SGhaYxksy9ces/2AHC+LqLnMNrxTEoabRjn9VURNZ5IuHDZabKijzJMojHdcYYAMUTWsSUC9
WFUmqmFWZThhJnfWIk+DqWsahmpmdUV3mvmAh0vvrQOB1L4cx50soyRNKbTf39X0VorUiWk6vNMp
eL9U9/l1oXY7eZ5+b+/XaJ1yM3eZMxO3YENdxFD3S6xsP6TOrcg2YdR3V6iVDl+fOIF/0zrarXvW
DF7chegeXXzao1r9q/b/NprUY+iNtI6mF2isFCPQNp4ypi1JKIJxvWqXOggmpQLPvonr1IXZbmZO
o3TqH8X/m1l969/pzVUiw1lTY6ulCHV2vSvr0nkjp5qs89WoFUMmIcG7LvoitRedrGVAl2hH4qnV
nVLaxj4zNUTERWmdNqKmJDwXGWbjWsdk4s6ODmwjFVY6UOtU5C8juViKzOfM+V1V5JumF4jxlEYS
DiCreB8uhRbl2OtUjdahGpKIEOK3VQf+R8eESuv0XbiNp5bmahSB4rSo0jrGzcyqMWo5trMqw7ES
5bx6bsu+/MJBo1c0ZGojF7mes+AjUUtHatnTV+W6ba0zZEF1ueZW9CPVWFh92NXb9eWRJJ2K6iVU
Lu1vqjfgHIRXNKd0AfJiDRhIXC8jkSKFPvs2afMvLa0zXE2pdYp46jB3UYcNySspDi0+ZTipu56O
4ShGzlsPb8ZLHpJoF6PvL0WGcje0tbmqD+LdXX3XRxabMN1jZLKdnnDIw+s7TE3rGPasrqxonD1d
TW+luNZRnQ7VResRZbk6zjPcEITWSemu0Z6IkPKeLqLjxk33S9nZvojH9QHHb8+LwD9pHXOs9mGR
Y4o7y3Tu0NxB8zF77ne3WbTwPdfmH8s05DB2E62jj+iqkVAxtF5AjIpiTKVwuuqJ6hC9iutQCJt5
IorAjZzHy6nnOqKMzJDTHCovfpLqZ4az5iORmBejazopCIfivXh3ZW08ZTJYLE7aUvc53fAU9K5C
6zriKe2aaOAz0zD0G36pH3RE1HEordNGVBXJejYeCQY2M+VR7RJesHja3A0fqnVEKIJD4VJHrjsn
vaKvlyBd5kdVdYhTNVqHJvimLjOtkb8IeDhA4Kv/7RpAxXV6LsxXoy5QXsKuufVa1Bl1bU16VhMr
PM7QlaLVkNFpgs/Up3irGo4IUepm7nfdjtbR7lQo0xZ3XoOO31b5yhWNq1t3rj15K+ui5Y2ur5dQ
iCiA19cbdDnQFTsAhT/3Gqgqk6Vn0ZTxbBXXc7/7HaMipIrDcDWJJBtNPFb3XFQ4asKGqdqeaRrS
uB3DUS3EmrYiprAqcybz9aZPmveT0ezIMVI5hfWp9ekOpnonnXenJxzy8Np7Na3Tdr+BrqavUnt6
DFWyjvN0HaDu/ahcnumMxw71R2ISk/vGwLjTcWOVyzZdT2zTtL3pEkEdZYbn+u3ftI62CFW1Nx6g
WFJkX33ad9h0I2G681i0bu1+pat15o06UQ7KLdFpw+ro/u6pPa60EqFViUzOl/AsePh6GvIwsX5z
rPLqlGQ461ZGdQ/SmRymZHX5whMfau07J6thni4Zr3OFvijKNv1uObUK8dUVamTiYRVrUi8qUbet
e3qug7UOT5xuC+letBl2O6PCluI8QuvY5mivU3EpoBPc5vF65tkmG123XodigXK9DmFvX0i4nHnc
JrpfMnLbiX80uH1D9WY37HYHWmfIdbUxco8FVek7g0SVL2+ldXp7CZXLUG/QdX66ojuW029DBhI5
FGm4oBV6ti+X9nTtqwpC326gdQzT8WdjS3Ua/HbFD9uewtueap48N6V16M9tvqElUSZNuNUxIVGo
ITKaHfmJROCmWqdjlD4Pr3sqTevo7Ys76lBX063UQf7Wbix7GgKfQ7e8me+a9rSGNjju7O9+yyxa
0eJFa7yuKyro499nRuAetA41+dZc0Q4y6otV8JPuFmVchw86fNEbXUM6vg4z8GagAtqD7su7B20N
tQjq8k2k3YFcLL0UcZ0dpVPRbbrdZEjZ63Gd5oCWyHDWg6XVyVA3rqCII7wbVzvteVfPb5+pLtr9
G92ZyW6ILtEDzXoW4rucimi6VbKGFtfROkFSoepOjs99icDYnp6LqqGF+7Tsyc6tChLi0SoNxqyR
OnyaRjuJl40epHG9U+1oHZE1rZdVdZC/hePa4+iHYu0ZpqZ12hfSRIbpqdtHcbSe0VGr9dN5MxVY
n1LH8BpvoeldbT6MB0pU3eVlg0bvwiG3knNYLbaDrquNkXssqErPg//6jIg2h9XaqaBaWaedajny
ZNWorHIZ6g1IWXXhUPI6QEplyEAqBxn3UpFVOtTnGFzrKG8ZbtGiXtG2KmnxjSunodK50w4q10XY
q3XESXz1VyvsLGPSTam1frLTlSmqND9jyUVCDRoVupbl6Vw+DJBbU8ySVrvt64CuhlYG8kod5G8d
5xluCJQaD03TGkdLTkMNdhGHdL/tNlPbDf8/JwL3oHX42mRaOBtneZFnaRwEncWh5NNsvEqLLS2f
HVMYUazvIY+z5A1YsZnTyrq6+dMdsLvYFGVR7C4rFm1SRErSpVuvTc7l2mRxoNPCtbXJQum0n03F
R/YRZVjmydp3WK11aHXHQEmGsj6ksYni0FrvNM+zJBYLFXmHPJKLQ6M5X5vMg7Y0QFi0ArssqJZ2
e22y6fjrTVYUeZZEQaj2aAjPpQfRmM6UL8oj/lYzydhFRMJFLO+k1eejQ+awaD0LXzVZduNJtH6B
NkwUzZEi8Nho7DFtRo2v4rQnK/5ID1q8q69N3utUWl+8TcN1lORFuRUrqrsjJp9ykSsat3k0pdg3
1zr9F6YLly8apwXiWboJ1xG/AeQjoTMNqUJZvKD14TsZiVkq5bd8RFPXeKxvedig0SWcnrXJLbbD
rqvse9DYQ1rHoMWhtCw7C2cO6QyhkYdcvdM6DtE6g71BHowZc+chNYh0E/J5KGLDF3dneZ5uooj7
dr+Bcup4sqLcbos0mFi0iq/fvnp/Tu3Knka0WpjCoYPV5CT5PiyxWnrOl7HQ2mTmzkJa9Z+nSbQO
RdczpHWyaB3Swv9tWSS0jUCpFF6mQTLKjvw8pXVoOS8z3brDmNGCee2eSNa0czmJql4P71mb3Jpl
p7XJu11Nb6UO8reu8ww2hEbr0EPSPGZN+K0Ib1w9485Q91smAd8fs92WWTSlvRK53FjjLjtRd91F
8P2JErgPrUNx5Uhs0qV9385Y7NfRCG2zoNl8OI82K8+Ra5nFZmhmMkZbMMOlV8d16iUYBmmhUoum
8FR1rcM33NJmaLETftlsRt9p4U0b4Gtcmh3RhiHiOXk0G4md66NpkAQTq771F3P+vSURW1q7WTcZ
CQTt0mpYiljtlPZWorlts2DmyT3K3qzenC+2V/I9oSbtOY8WrgovN5fwXffNRnEtI9rTzOvGbE/f
LL2DqNwsxGNTaZ9sEk2ta+M6fJUE7VVlch+7ypamxx3+DNaZfK4AkTD0VZa0r7W9rbox37VORWEP
AWGbLPkWcVrGQU802F38KTbmMsYs2pIezF0RtBu6sNmpTAl603o15DZt9n97tHXf3qkyNQW+dEh6
i9Y0+DZX7TkNihPfgdZn9Mi3JutY7dttbX/X2Q65rrLvQWNPtnSdeRQ1j5UQz12QBe139W59VY78
Mm1UVvUd7A3qhzAY5MijhdjTtE0Dsa+YHikxkytL+wyUh+LJC6IV8IdSDNlXlaWixSZ8Q7vcjTlQ
TV4v+dzkcjNzTCmd6RkN/HkP3PUmchtz45kio2YOK1uLjooX0d91hiEy+6iWm2X9JI7JMl5P2AFa
p+4zaYu57uGip6qndjq1oLr0dTW9lTrI37rOo6XP9/A3vZ+mdaqKC0xprd5xZ6j7LfkzoUWd6ZkE
fE0X38wFraO1iGfz9WCt82xqjIp0CLQ6js6x+/6TuiEtqqPFZu47Z6QPAiAAAiBwMgSgdU7G1EMV
pZvEnvUoQ6ff5e/8Nr9ZkEAp99w73mWGSAsEQAAEQOAECUDrnKDRs2CxEg8ILNJo5ppM27n5QDi2
9JzJ1djqvp4JWueBDIBsQAAEQOCECEDrnIDZNNcAACAASURBVJCx66rS6yX4uy/4OgHtNRr1Cff+
fzJ3THrLwaL1qDfEde4dPDIAARAAgVMkAK1zilZHnUEABEAABEDgdAhA65yOrVFTEAABEAABEDhF
AtA6p2h11BkEQAAEQAAETocAtM7p2Bo1BQEQAAEQAIFTJACtc4pWR51BAARAAARA4HQIQOucjq1R
UxAAARAAARA4RQLQOqdoddQZBEAABEAABE6HALTO6dgaNQUBEAABEACBUyQArXOKVkedQQAEQAAE
QOB0CEDrnI6tUVMQAAEQAAEQOEUC0DqnaHXUGQRAAARAAAROhwC0zunYGjUFARAAARAAgVMkAK1z
ilZHnUEABEAABEDgdAhA65yOrVFTEAABEAABEDhFAtA6p2h11BkEQAAEQAAETocAtM7p2Bo1BQEQ
AAEQAIFTJACtc4pWR51BAARAAARA4HQIQOucjq1RUxAAARAAARA4RQLQOqdoddQZBEAABEAABE6H
ALTO6dgaNQUBEAABEACBUyQArXOKVkedQQAEQAAEQOB0CDwFrVMGnuks0idvlGRmm5Nw+2D1eEhu
g3nl4XRkmYbBnPmP//dQdsyWrumtizsjPVi7O8vhoROKfNOabR461wPyGy7YnTWfIp57NjMM055G
5QFFwinVbRrUndkL/EHgLggconWKzXLi2sw0TGbZo8ki5oNIsnCsSXhPfcVm5k6bnnh4pNnGU9s+
qMu+19IeaAit8WerkeWt8wMv3HNaC1TnvGFunRPv4M+BvLaRz5i3Sosiz4viHjVrm8NtuuZ9ELTa
He5yfQmmC/ch1W7VxqKVaFhSaCc9xtfhgmnN558KRum4i01eFHmh33gc1kU8hAVbViuCieUuH+RO
TydQhpORur88rEEVa0+7w7gre/2TsU/r4nThGGwan1alD67t9VonX3smG83DTZqlSRyuFuuE9xBF
vFwE2cEZ3eTEbTJ3rEO0TpWHi0V0iGS4x9IeXDOt8ZfJai45Hnx5z4kdUJ0zxAh9PybqZFVpakA/
lK9G5qjWdAPn6Off8nuXw2Fd8+GZ6SU/2OV6kqdyPaDW6WLRSjQsKbSTHuPrcMG05vMvBSuDcX+U
+KAu4gEs2LHaNg3mq83dxSj3sNMIbCPf0mLpBzWoIhizkYqm3pG99pQXhzoEivVDRc47GT+JP6/X
OrHPTD/Sb4BExZQrl4HHxqtoOXEtxkxmj2ahkh9lsvJHIihke8uEX7tN11PxmzXy12k7NrTdzB3T
qD+jVc7HUXcerHzXotiS7an0Vc9Ypus6H8sZy9iTMoEqbXXNmVWxWfojx6I4luX663Sn6lTfSZhF
c88265mAMllNVPGy+poiXowdmdJqPW3msLS+I/KZt043SzrPnHDQA3y2WTgfO5yB5U7DfAeUqi7/
RiO0Ow+WE36N5UyWmxp1fx0HyPBK8Gyd8Vwpy20a0PSUaTJ7PA+WOyNIGc+IiPiYk6ijh5RjkL14
stvYZ8yPJbxkbhtqJopUk7tSfqXquuswIuS+DBcTzp61/GHAUiq9qsO5qFolVy5X0Zkzjzu35U6W
9YCULV1ruua2YqbZ5J4uXVa7taGNIzznZGY7s4C7MDUhbx5lhNe2mMks1aAoTKbdt6ULxxwH3Kg7
tuvBotUx8pk9Xa/rJtWya2+ltGurStmO1Y2636MqUa+6JvZoGjZtIwtmYxkupvpK0w4XTGvCVTXg
k1opyT2FbXiPwbPdJsuRXbukocUg6Dot/RtYsN+ddhv1AJ+us+02al1nRz4bLULeoZJf6L0TmYR3
QNTO48C3OrXLV65JnSn/FMHYNJo5zG08tXizqwmUkd80XIOLc95fDTQokWQejK3Gu7mP8tRWIc0X
8q50skrq7meg4YiU+L+7APvb2o7bizSKeMG7Y+rCVcOsBpvPQJdejyi1k1cDPbNWcPLMbtYkr+25
GPsqCnUbTHT0VVWlc5s34QGXa6ojO36tB+4p8zaaNGpzgExd1EEUQ+Njb4vbNVOd/hH+f73WoUHG
9qOdG4u6YfCRwDDM0ZzPbW3zYGLVHXCVrUYm8xZRkmVZEsVc1hThxLLGqyQvy3yz9Jjl78yaxz7r
xHVM0/GDhOLOdIk5DkR5moEnXThstNjkZVnkSRTG3UFRlfa6M6ttGgVxmhdlmYVTW3UQjfWo97Ec
1/XXcZJm+baq8rXHbD9I6Zpo7pr2bEMDtgiJLWIqdrKe2KboOKpKn/+mKjiOO1lGSZrmZVUN8Cnj
qW06/nqTZlkaRxtewzaopoTiSxl4hmG6szDNyyKLFyPGam69dewnky5c5s6irCiLlHi4Sx4p2m5m
tsnrXBRpNB8xY2f8btezrRjylces8TLOCE3gO6YzT7aV6BREvD5dOJZlsXooD6m7GIzkdzhkS9cw
2aiu+dw1ramQUAOW0sj1cW6PN7W+JQRstIjJ6ZL1xGJyVpJyN5i35F37NqWaytyTeaN2tRzpazKz
DcP2Q/KmMl2MTNO0xvw2YJuvx4xNRBsZ7KH6bdfBouUZ+aZB3iSa1GpsmaNVY9e+SmnX9jXqoVaj
16sqoqk0NKVWbIJwkxUEb+k1GnewYLoWGfBJrYzUiNhoHqV5kafhzFW9jIjr9EQ7VRdBzfMwCw65
006jHuDT52xV22od3zNMZxqRlxDNpnfi6oS3dGpOU5eZXSVXke81jWnCLMtyZHtK51IxawQ60a/h
BqUxJ0HUjusYpuUt4qbrqMf7oYajpdUFOHBJv9vTLYA94b6dbVYTq+6z9mqdTpfe5+QDPbNW7Ko/
ax7eFkJzu5la9Kn7Iwp805Fhl6sGvH13GKqqdDVZ8KGHCrJ3QLxhTzJQhq6ZdBRH9/16rUManBqP
7U2XYaokj2oYBF0JVS5c5T0DidbmZkLWXbM7/RJPrd2w/m5rN9XSoG00qUebiljz9TrUkkfL3RhM
DVyV9roz6yv4/5sZ3fG0fpLaTg75/JB2e11VVRnK8lHb1+7fKcBYV7UV1zENeybmBSm1AT5lOG4G
bFWeNij1O/9GdtG48d6uc7dH5zV17CND93x1u+TqbSSqRHcnetqbmXUTrdNxjG3sW4wsrCpP9zn+
auEyHlPsFKNT0aozPPCOQys1kRf2GrCUll4v5854I1yuDCes7r3pBm3hyCgUdVvNTXNV0TIl6S1E
uH8OizSBcilyD5W0Nu4M9lB9ttvBolWTJIXmC8JVM+68/ZVS13Zspw403xqPEhpO1YuLWQ1NfQUZ
SPYTQwXT4i4dZ8jX0ifr1GQj0pqe7vqHah2tmIMWHHQnqoXeqLWi6S2u19k6ztzxPd1qycwSkWCq
k+bvPHSgWZfnrqjR/NRosfKZMIxqc6qT5IbSAHKXlsMzyaymQekVIyfqaB09iaZ9DDYcLbEOwKFL
+tx+G08Z70xkchTEksYcbD78tlDzUx5uufnINZg1j97wxa3J3LZnq5ltzyjOQw4gGA12GspuvD7K
23fKrOGruMfvGxAHUQwg7R0FaPzd4+etAj3+HwdoHV7IMovXc5oSsCdykY5qGHprpJPjqYzK8Kbc
XTocT2kLBGs+pmFoDUQQaQ/hg+lXSutURTwfMZM5k/l6w2972mxVaa87s8rj5dRzHZs+FjN6tY42
EgmHNUxVJVPGb+Ipk5NSoiwb6prEPqy21tGnJYheHx9qLd3uqzuYkeeJDz+zy416RNHEBurYwzBf
jbql4RE36iD1voF6P61jq+Fr9dTjOjuO0VxOo4cUPRSESuY278PTuaN3X3Xyzf9th+FhM62nasQC
5dtnqSYdEVPe4ayTbOR1One6aJpuqx65KeEmd9EBDWqd2jd29O42nNQxrcEeqt+rO1i0aka+2fY6
PlNN1R+oVHPtju3EkYFWo7U7fh71pB6fdSvTYD4ZiWZmW2at9IYKpmmdIZ9sisi7oFbTI4QyUizM
cW1c5xALDrtTtxZVf4s7pFF3fE+3Gl3O3ambTqvZ1VjoHowclCILzjzhq2tohUAz3OqRM81p6Xou
Y+oZsJZL16nXJ7XX64zVtlMuqfjR632Md+ztmg64ZX+X1eqa+F2IWDQ42HwIsrq5EF26JnZFJQd6
Zo1At1dssm4EC0Wrp3EZ+4ybgt9J8kDMIOFBb++WWSsHfe0ho58xiKLvwsEydPycyy8+AtGahWP7
HKp1ZLkpiicnkFQvprdGOk9pHaWoVb1JAYzXeaF9ynp5S31Wu48eTF/XOnTpNt8E87Fjms4sbqaG
RZqqtPzv4TNpsLWnYSau1+5Q67LpY7b4jff+frhTJVrp1MzL7iwIqJVLM3bKDAb48EFCdST1ye3J
vjxL+SejuTCxykSb96H+i2udfXXskKHW68xpFk59KO1uq+7aSJav1emqc6gkra6kqO/NeYh3GufB
mJHioD/teUK57QgQmQX/r+0wvGvWzm867iFLaUn1clYl11yOBpjRMlVcikLs62lVujUwUOJ3qnXU
vARVoWO7rhTWakk3CfpYQrEE04+E1OutVHPxju3oyKBHUbsba7s16W/SOkU4YcxbbgQxLU4wVLC2
1un1yaaId6J1+vyno1aH3anbqAf49Drb/riO3mwardNNp7+9UEhgtM4TCipsaIZ9ZI6DnIZbeT+q
dZJNkxFQh11ag86Ha9VFaanRSVQmcVM72HC0tDoA917Scftu19QIDmq77eVuTfPRGziVotfJB3pm
rdTDWVNgylmk2dLlMyD0p7vMkkVzCzdImNLs64Fbiwi1MuhfO2T0Q4Mo+EmdCwfL0DFTVbZHID3D
x/9+Q63DPdZZ0F2RcuWuozRaRwTS1O0Ary5xGw7vCiK0RlUtwRxOX4vrKJR8JYmcmW5+VaVtfqqq
njOp11XrQsjl++M6rRgGTXjrQQ6ZBbmvYMV/oMTqkU7z7K67DPDhrU9FkWUWbVBa1egrcdPnmYgB
9eAH1LEhQ1FZ05Oro7T0+WZyNa9IMd8bzWEtHP3GmRYly5LyXmC+mDARl6F8XPqzh69WnA4HDa8A
UUeKByylpdTLWffAxl400rHdtWatxVjt3Hl70G51tWzb/kk+oOJSWlyHwvNqowAdqNdgqLQa23Gt
o7UjdQpXbIbKgYtD7qqDlVIX08CqXUoHhj2K5uZUe+LjKx9ZKcapNBAlKQ1MsUktda0NNYiGfFIV
UXZTankXL7PYD0gG1lqluqhJ/3ALDrpT4yQi+SE+vc5GWkezWq/viWQbrSOnaepbRrpD6Ls3oDUc
k8XcldNdfOBdUMRUbj3RCHBK6j5psEEpfKRmtOXP+gDBT+I+zZXQAT7W7dgPuKRxe4qhaL5VcThi
V+9g89Eh89L2ODl3qv0j156syQW8xYJ2tdC9IkXV6M/GTIOEB719p8y6LfTvDRn9x0EU2knNhYNl
6Pi5du0Rfr1W65Sb9TKIaEEsrS5ejm2K9VGjUg2jC11pHd6H0vK0NM+zJBZLhnlsiBbZ0rrULImC
UK3Pl4TEbVBEiz5LWrHanh/R0m9YZ9E6TLKi3IqVjpZYHKyAq9LuP5OPuqPFpijLPFn7DjtE6/C1
ycydhUle5HmaROuQd7PUvOnmNS9KWjHoDK5Nbs3zDfDhyw+daZBkeZ5uoohDa4NS1eXf5NrkaZgW
rbXJQ3XsJ5MuXL68nFZ5ZukmXEdiDSv1KE6T9tgyb6J1ODHLo7XJEo1czi3GTcuyam1D2seyLDn3
RqHZ5WwedqcgOhwGO44hS2nk+jjrHti4nJDK1ngVZxxNHARiJ9a+3EemNQky4ddaplprol8HtQ71
mJYf8lVzxWbumoYhVP2Q7ShIWbcjPT+SFPX6zXzTWZts9lRKu5jq127UQx7FewnDEAtUizyhfBy+
IYVqKEjQan6vNYfVXzAd0YBPamUkK9LaZL4uNprztclireG/aR0KhmgWpLXJPQ2/O1QP8ulzNhkk
q63W73u8qo3WEWGy0Zwvk8/ETgEtLtVw2cz4uthaLYvl/+pWRnWSVUVyyaV+sCjKfeKvSZuv9TL5
w7R4r63bi05SWmew4WhpqVYmfuTD7q5bDrg9LXcTa5NzuTZZyN7B5qNDFhnuOrnYNcK3h+wZuYay
5iuMLcuqd4fkqxGzLHULN9xp0JV9PfBumTV+VT8ZdcYgiv4LB8rQNZNK/wi/HaB1FmOXNmDT2gTb
nTSPs1ENowtd0yJ8bJJb8JjtrYTLbbNg5tF2YIP2BI7VVugGEE028l3OtLVlT/oN62xNO95lir62
u1EmqUp73Zl5NOMP+jWt0TRIgonVtzZ5Z21Kmcht9ERpNFnLW8oino/llkt/Ha+8A+I6NBfRz2eb
BmKHM1GbiZ1xLVANPvGlDMbWNIiX9c5rtee8v45DZPizJPkmVNoNPa0fKLBNmy3L3jwKZ7arnj1W
l6TVgtt2bIiZlraRUkz763u6aGGo0QQz+Jrour+oc5Gz043DDM5h0QVNvm1LaWntctZL3rgcXZFH
C74ZlBzZGYudiPtyL5OlR5ueWZeV8k+e7FBch1xjOqKN6Ix26odLT8Z1Bmw36B6Rb03WsXqMQ7Pn
e6hSGp++Rt3vUVzrsMkqmPGt3iY9jkLuOd8mq9ovx8s4Xjgjsb9vuGAtRAM+qZWyaUT8KRVBs9X9
37RO1bVgvzu1nEQ4ykCvsutsYqlF48yDvicmHOspUbX33Rkvgnn/nC/tSaa9oGKCXirR+q5Cv30l
L+A7UgyS1uU+l9aRp+uJwx9IPYs7qbW0zgE+tgOwv60NuD09N0SMB3zPuXj4LRV0qPnokOsKFTGl
YfJx7/CRazBr2gNiaCvL+car5hZuP+Feb+8rc132qhoi05wxhGLowt4y9JipyeDovlyrdY6uxCjQ
KROguHuP1DllJEdddy5Qep7OddSFfvKFa91iPPnaoAIgcBcEoHXugiLSeCACFKqSj5p5oByRzT8R
aAVj/iklXHwwAb6Yrp6oOvgqnAgCz5oAtM6zNi8qBwKPSgBa52HwJ+v5mh6cWJZFSo/m7HlA68MU
BLmAwJESgNY5UsOgWCDwDAhA6zyMEbPAH9FTivjqkpG/3tnu8TDFQC4gcLQEoHWO1jQoGAiAAAiA
AAiAwB0QgNa5A4hIAgRAAARAAARA4GgJQOscrWlQMBAAARAAARAAgTsgAK1zBxCRBAiAAAiAAAiA
wNESgNY5WtOgYCAAAiAAAiAAAndA4ElonTxerdWzL++g1kjiCAjk0WotXqpwBIVBEUDgBAkUm/VK
vPPlBCt/WJW3WbgMsK3tMFhHfdYT0Dr0mjT1HPOjponC3YDANpk7eAzIDYDhVBC4UwJlPLWa99Dd
acrPKbEy9ul1fPWLVZ9T1U6rLsevdejlvI/7VgD1jJD9ryB5MM855C0kR1LUvUzoRYraO633nnuT
g49Rd+UknZLeWWG2Kb3zzTRMNlp1333ayRN/gsD1BPK1V79d/vqT7++MO2sg91ZE/n745iVirWyK
eO7Z/BVg06h+y1jrhPv5Y7C3uZ/snkeqR6J10oVbv8SuwzWdO2ys/KxYe30v8O1cNPBnthpZ9DLR
G36UYx1Js3wuWqeil+3eg9h5DDMpJ+l4110Vht6BSm/YLoo8v/de9bqWUgQTy13KF9x2KnyzP5OF
Y6mXUd7s2n86++6q8E/FuNOLNzN3ujk0Rf7i8dX+3vAhrKM1kG08te3ZwTUYrml7mPjnWqQLR75j
t5MltXp3scmLIi/uN/DTqdHMrl8j3SkR/hwkcBxah95V1691eINU8oTms0brYrA6+w+UyWq+vnkw
Ug1jWrPcn9P9Hj1c6xz7/T8Zfhzc9dD9GGbiTtL3ksu7Kkwyf8Du7bqWsk2D+epOFlsV8XIRPIab
3l0V7rexH546nxQ+WOuI971fI1cfwjp6A8nDxSLaL78O4dEZJv69FpuZxXpeMHYQw0MKfO05nRqp
IenaK3FCTeAQrZNH8wk9gNw0mD2aBlktYIvNcuww0zQt119v1mMlV7ZZOPNsZhqm5U6Wsk8sA4+N
V9Fy4lqMmcwezULu1enSZUb9cRat1reNfWbVQj8PxlZ9nsGm/3dum3qMh2ZE7HlSJTPbmQXBdGRb
PJtpWJe49frfMln5I15GZnvLhIAUm6U/cixRbn+dyooqx6qbJY07fVnXVPn/A6nJcyiJZpTPlq5h
NGuSynDMK8KLFC/GDp+4cMbzuheIfGZP12tfzGjY6oCWPxXVnQfLCb/acibLTS0pIp9561Qab0Lj
8zYL52RKg8wyXad0Zr5yVcylCMam0RhiG08t5sdbAsanVeg6d7KUMrLX+lW2dO1ZnIXTkWWarjRz
y76q9APoyLLzIJh6ZFmT6tSsGdymAU/YZPZ4HizHZseReNqimpym5U5DLpmzYDZ2azdoCEtfXUzI
G3hODb3hsrHJKpiRSwnnll5X+4woQbqeCqezRr7grGotvvXaIvSdpo00ZhDnU1EnYRbNPds05bEy
WcnpLtubNe5flSmxE2Z25zH3h0FjkYOXkc9afTx57WidV1ql9hilojbGnZRsFQe+pTcaUfxW4+rt
H/h5Pa21IpvX1dGqKWwXUrsh27mTVZLFC+p1TJM5k5X0mTutgrtIkrXvMlN2C/1Uq21Weym15nBm
y3bQHTM3vH01/rDbl1Zluq57L8sZL+Jiu5k79IoI8aFgqSoDsxxPdrYiTfo3mduMN/6qorbZms2i
8ljTzZb60qZX728pKkE6+VAOQ61V3cX1dRdFX2dYcS/TevLOMBFXrVr09nVUichno0XIxwRmMhrS
6v6/qioC0vTPosrbZDmyG+Lk2If1qyovPhKST44Xm4xaiug6vEV3H85AjVYhzZ+JQbb26op35j0O
o9npVL8eonXKJAziNC/LMl1PLFMunsnXHmOjRZwVRbZZTWzTrFvFdjOz6UhelkWynlhMzBuVgWcY
5mjOLbnNA56UGH8H71lpksPV4qzUKJu4DkUWVedJp5LUIc82DNsPc5IqRTR1TGcuRmFN62Srkcm8
RZRkWZZEMR/dq20aUUWLsszCqd2M9KrBN/3jQNYtLxpITZ5DozybxlxOEUrLYnI2hysJcSRduMyd
RVlRFimVSDa3yDcN0/HXCcVON6uxZe6u4BC03VmY5mWRxYsRa1Y9UYfiOO5kGSVpmpdVGU9t05kG
lFwWLzw6M+edYa3GynDCLMty5kKIpnMR0t1MLWu8TumFg1kShULTDlif96e2445mwSZNszriSyB3
I3oD6LhlaR6HvKZM5m4tCSlP0/aDtCiKNJqPmGHsah1RTX+9SbMsjaONuH0sNkG4yagKydJjXMHx
vs0zDDZa8HGxTFeciQgn7imbaY2XlFaeBL5NXke2bnymqopwYlnjVZKXZb5ZeqxnZfaALcTYZE6i
lofxPyh9y3Fdfx0naUZOT+7EYZRlFhGk2YY3hXDCmDsLuMvHUULV2WcsalrcS9UNbaPxtUoNGqUq
I98yuQcWeRJMXWYaqrnWFWk1rqH+oa+1Ekw2mtMLL/M0nLkNTe75bCR0cBH6lmEyd8Z7nXIzc+pG
dKdVYLbjeouQPLscpLrjpWbtpcNaZ8BAtIJktNhQD5snURgLX6YbwyauQ6txnBl1wmWexmFU3/BJ
8NtoUreeHbFDxRFTSco6dCfY11JqO5KHzuzbcVCttaV1zHZ3MdAZ9vlGa5hoaZ3h9iU61WlUDxuq
/6cqUlc3jbXK8q/CbnVU8sB+lesq0zA1nzRM0xED1jZdjuo7Fj233RoZpuXR6CuHBj707WnRemIn
+v0QraOhUS2Ebvu18YSUhhy0aGCsyVdV1cgC6lyaO4mq2kYqZDOodWgKS+8f2ybPFg6/y6QCUgHE
WEydr6bByR/l7a7SOindn2oaSqui/MqjlsK5VYNX/WN/1rvJ7KZWn0PRG1Fgik+Ol0uPiZpyJUEr
lEj0WFIOUaBlPZLEqVlqVKhazqJucTJ9KqqpLYRohim6gzENbWMBFUTLhgd0yLIq+23kW6PFypfb
4eqJfj4QjgPeOdS1qoasT1rHML2gM/9IbqRVpUlGfWkbQrdsY05yJb2um5lVjyIqnW411ZH6G7mQ
dAruq2qMp5vgvmJ2yqa1B+V1ymdqbjK/eGrtyLxuIbVWxttIv9bRYoKywTURQ7KHcH/KvRardY33
GUvUlwvviVx2SUUQdzqqUvzWQmtujVH4vbDmV2Qk3WtlGdqNq79/6GutvDpaEFhZqG27beSbptdM
k3KKIUm/O62CwXy1NHWAKjWXAS8VY6aKaDdxnYGkuD+OllrggdNsax1u7yYcWZu8/r89TFeEs7Yi
BXFlB66sU1/H/9daivY7dbyHcNjTWltap9VdqN6I59h0hn2+we+rmltiXevsaV+dTjWZWWYd9hq8
02hDPLBfFVpH6wrJJ2v2FE8fqdv5hi41q3aN9B6ORiPRiw45TJPQCX85QOtss2jhe67NP5ZpiGYQ
T5nuC1qcMJ079Lbd5mNK2a51Lhx4PG3uQlQP1DEF36mjlut0nZh7AJcsXOqIrq/bPnkvyDu7ph/m
Ll9Pjaks83g59VxHVJQZzB/WOqIk3axVUqRN+lNrzuFOvcq5OhitsmzlMtImwtfpRi1fjbogxW1b
5JtMv8mgTtTvDINd2tQs7RmPNHQup96iJTc2chCmYZKLns3UcuYJnzLm5W1miPKQ7tatkb8IeJiA
RtoB62vAGgLyhlKNRPWRAXQdyza9An1RnYXUvdo4yJPdqSb/tUyD+WQkTE7viZbJ7KG3p2xjPoiK
SjRep5KKp7Rho2kXzDQMrfvqL2RtCxFmG4rraLcWFfm2YapsTNPgkqrbYCm/vcYSPrElPSfEDs16
yG0CqlJaw+c1aIxSdYE3rU8Akv8qm2pp8mNN/9DbWrvV2ZKm40GNTjrxlOKndZ505yWEoHaaKgM/
7TZVUOJykOoeLx3UOoMGKuL5iNGU3Hy9aW42WlqnKpOlZ9EMyWwVd4I6dP8vG3cNhjpQ4fwkdWpR
rJEZaCn19SKuUweC+a8Dhd/DgW7DGXJb2gAAIABJREFUtPtS/W50oDPs9Y3uMKFq0fVJitfIG46e
XlELOFPMqtvFiqktdZfZk0Jvv8rvNnWfpFuIpusoejen7mod7RJNHw0w16x0ul+v1Tqkp013HosG
peI6/CZFW4up5Ar502hJ0wnq07mR4rybvkz24421NWt0W2TH5MLIq7zi7VOObuTZ2s4t3hmL4bTp
balv6Sx7EAEoexryCZKqat+y1yGrwGuCWbxH7GStlZw61d7U1DliK2MRyXgJ/elHBYV7RE0oB2ce
5wpjUfA5v06jqga1jpxzoizbWkev/HD7l0ozmYnNEfTnOMgp2qTpxG0er2eebdKswZY6+n7r8/6n
1fQ5CNGH8Jm8BswgOtVn8XO5BWiherf31IaxJtHe0ExB0zreciNm1FR3z2/67RY9TyjFvWVTHZZw
ae51qjA0PI/XbXO2a76jD7S+mDewjqCl2qn0RV157++HO9l0xQGdfZCxyEQkwvkCD7kjUst0yCg7
wMlKvQ7Q07iocE3/0Ntau9XZp3W02YebaR0uWLWtENdVQVhggOoeL+1qHdJn/EZrICmRzzbfBPOx
Y9JUFe8X2lqHn1Sk4YLWEdm+WJ4mrqR/edBY2/JE+/yo49G7UiVkB1uKSlCdLH8bKPweDh2to3sL
XdXTGfb6xm21jt6tUeGV1qGgpLxT1CrMO9WW1ummoNdAa8tK0lFq7awO1jqqdC2tM9D96sU+0e/X
ah3qHJS+ppi6uIkk3aDMzEPldZ8Vjk09lFmT1fpH/lPTl8mlIX1ah/yAtYyqLZilVEQ0NQ3GrJlA
oFCqNk7RCC1dsNE6IgbcnsOilNRl1Ib2xnV6s66rKg72p6bOEZPAy6kti57MbXu6UEpiS/35zqyP
nO5VNuEtWzOFyIBo6xFzGpJky2u3NB5X0uYamjksaoULh00Wc1cezpYu/eloMw11bWhtBr9VoaG2
z/r9WqfbyVNyhxiCZ0vdHw+MUE/Eh2NZmnRu6xFe8SvvFdWMIP9xM7M0WUwjm4rrGNo96pZu/4je
3rLpefId4lwRKren8mpzh7Kwrf8oBD1gi0O1DgVr6mroaee8wap5Ejp2mLGEyInndGcr1tfpAmtQ
69CgaYmlQpRXw1AvVGt+QbuRoHNU/0BV1/ydJ8DHPi12x8/hEWAFnJ/Ik7llXOemVRBVG6Da9dJE
eSldocXmirVnmFzrDCQl8hH/8lVAIqwklgDqB+V3fovY7u74+Ngaiilu6y42rVW4jXEHW4qWW3Oy
/G2g8F0OemtVXZPqq0VqQ51hn2+091W0fGy4famseYZtAULe1oIlCiW6r3r1QCeFPW25fWY7q36t
QwOv1gQ6qJuecLhFS5uc8n/Xah0+6I9XabGl9ZRj26wbJfGle2JaH5eGU1eGyuXyKNMar+IsL/Is
jYOAr1rt9EFaX8aXovA1p2VRtu90O4KaplWYt0qL5sQi8Nho7GlPVhaLJfm6rSJPaOWuXCWqD7fU
lGhtV5rnWRLT4j4+nT5abIqyzJO177DrtE61m7XypOHU1DkUR2aWbdW9HJ+StvTNjenC5Suoaf1l
lm7CtXieO00Mm/bkkLXJ05BY7a5N1gIzfIGq6TRnekwuJqcleTOLPvXKlXThWJZV669tGq6jJC/K
bZnH83r5Fu97d62vw28Q8NUgHf1xkCF4CqqF8+CjqsHYalZ9NllVYqksLcHO8jzdRFEi5guF39Eq
Xq81h2XQ8u8goZXd0cw1xcruYbMKrxsvxWrB4bXJtKZ8Qw/JyZIoCJt9ZHU5OT1VE80WB2sdvjaZ
ubMwyYs8T5NoHXKFkwdjxtx5SC6fbkI+r3GYsUjyuq5t0dY78dHa8mC3S0uxGRvNaXlskYkV47vj
hbpcS5NnorQO9512axXmpLXJfHVmNOdrk/lisE46/6J1bloFSWeAasdLyd3qGzS6o3RmfHHNNo+m
tAhATKAPJJVF6zDJqOXxJfVSUoqgY0S8y21O/S6dsi3SYGLp9wKimDshVRqcHdet90jQWY11qK31
thRZ5dbJ9W8Dhe9w0FurEgFdrUM3Xr2d4W5PThq+NUw0tRDLxvv7OpU1L35LgHRWwdT12x/X2dOv
tvNqZVX1a53hGlFhVE8oMu3pfpsyn+6Xa7UO7ZOsNzd782iz8mrlUPEtgHKD9mo91WN+eSS2ShuG
aTljsfWq0wfpWofPLdMGPlZvRm4swhugmk2gh8fS9lvTnsl7NRJjrcWZPObOd/+adN5IbbpttZ8i
VvulvRWNBnk0G1l0jTWaBkkwsfat16EC7mTdlHpPavo5dANHW7nlEELCrrUgj2+DF7u6aVu3NxW7
9CPfmqxjuZ2X2V6zVVpLuwzG1jSIlxOxlby957wOdDXn1/ai3dK+vn8xmjBa7iFv56nvU6y3yZLv
h6dFKPQwgmapZJ2abv1erUMb9mod1ZTlEEPwk7UWXm3TZgu+p+/m1VKtaJOy2I1Jz0KYRUVVbZNV
DWi8jOOFM1ryuzTyVbFjn+/Q1ujtcZLRMqYnHXS8ruX22yyYeWQRQuOO1XMAtHLW9Dq2OFzr0B41
ubWdW2ayltEcuXGbZz5aSK+rs9tnrGzhGIYeb9IqpQ0kVAndKLQbWO59d8aLYN53b6wu19LkNDSt
U1W7rZU210qY1DRmzbMwOun8k9bhG5oPr4KyYi9VzUud8SJcqglxSYoxZtHDG4K5WweVqTXs9qUZ
PUK7diPVYGkVD3+kgrfO81A83UB42s4+ZhFo023KJQIzDC18oLTOYEtRVdZOVj/2FZ4a4kBrVSKg
1VfL9JpHXOidYa9vtIcJ5WOUUF2kTvtSWfPcdAFSRpO+Gaye9Tr6HNbBeelZUVi792Hy+2rUbnRN
BVstWiI85f+u1zoH0uH+pK3fOfCy60+juwCbnvUw9KFWoa9MvbeS7Bagm/XuGfhlmADNex3p63jE
eFkHp4ergCOHE+gbvQ6/+ijOvNMqdDTZI1RQLBis72MeoQBPI0s+uSfugZ5GgVHKXgJ3pXVofULP
4q3ePG/6Y7729rzagd9I6nPRbRV/08xucv5O1je5+OTPzZYj63FfdDZsgscfh4bL9kSP8GUaPUG8
J1Sdu63CEfgY3W3sRNKfkEEeoqj0NGp7KhZ/P0R+yOO+CNxe65TxaiGfvJdvVhNLf2TLfZW2ne6W
HgC3Glud9+k8hNYZyLpdPvz1ZAkcwTj0ZNmpgifr+Zqe9Ucr+gLfMXuenahOPs5v91gF+Nhxmhyl
eqYEbq91aKkDf7g+LddwtPnyhyKVzB16Gv940Xle1gNonaGsH6rqyOeeCWAcugvAWeDTu2VofRCt
A1vvrMS+i0zuN417rAJ87H5Nh9RBoEXg9lqnlQz+AAEQAAEQAAEQAIGjJACtc5RmQaFAAARAAARA
AATuiAC0zh2BRDIgAAIgAAIgAAJHSQBa5yjNgkKBAAiAAAiAAAjcEQFonTsCiWRAAARAAARAAASO
kgC0zlGaBYUCARAAARAAARC4IwLQOncEEsmAAAiAAAiAAAgcJYEH0Dp3+mD1o4SIQoEACIAACIAA
CBwtgXvROmU4GS3k+war3pc+3phHthrteU/EYHKdktwukcHUcQAEQAAEQAAEQODoCdyH1tlGvuXc
sdYpk9V8nQy/ALQfdKckt0ukP2n8CgIgAAIgAAIg8CQIHKJ18mg+oWe9mwazR9MgE4oj8hmbxk0l
04VjjoOyotfJ0VPh+cechFsR11mGi4nDTHqdxHgRF81lRbyYuHSBabmT5aY+kMxsd5Eka99lpumt
CxUcKoNxnTr/fyRe+1lslv7IsSgHy/XX6bYaKsm6zmM4a2ceBFPPtphpWs5k2fNo+zyaj3l1xMPv
ZQxrm66nI5uXYeSvU/EC4Wzp2rM4C6cjyzTd//1/2u9Ipbe4s0lIp26zcOaJqxWKMvDYJMyiuWeb
pjXbNODwBQRAAARAAARA4CACh2idMgnpJZ9lWabriWXKd1MPaJ2qqspgbLbjOobJRrMwzcsii+eu
aU1joZdIINmTdZIXRUbvDzXdZcaLncxsZjuutwg3aZqVvRNh5WZmM2+d8wu2aSRfRJqFU9uUCmi3
JFw40RX7sjYMaxJQrlWZzF3TnidtlmU4YbYfZvRSw2wTRkLVFOHEssarJC/LfLP0mHzTIS1Xsh13
NAuoKkUejLUXwm9j32KTqKyqLdVmtIhzeqHpemLJmtFLcyzHdf11nKRZftPAVrvc+AsEQAAEQAAE
TpDAIVpHw7KNJvXQfyOt06ibqirWnpQ023jKZEyDZ1EE4zp0kcxsg/mkAeRnZ4HzdjNzGqVTnyX+
38ws5vOI06DWuSbrWnJVvSKLiznbj+oAkcg1X41qiUU/xFOLR7UoImWYXtCcXIZjZssAzTb2GfMj
CkKRfFKaipQYhbOqMvAMQytOu6b4CwRAAARAAARA4DoCB2idbRYtfM+1+ccyDTkk30Tr6CJA6Q9S
B61hnEb4EQ/U0LvKaUas+XS0znYzd5i3EkEgOimPl1PPdUQZmXGd1rkma5p6kx8uYZp5L/njNl1P
bNO0velSBnVI3DB6n3PzMQ1jRNdRyWWYSVxNskbMRm0jn0kVmM6d7tU8NEZxHU0D1aXC/yAAAiAA
AiAAAgcSuFbr0IIS053HYvpkT1xn3qgTpWZ4IToyRR09XHB0wivbZO6wkaZ0+ITUNOTTTlV1QFzn
8Kx7tQ6vV5lFK1qEY43XpLniKTPH67zQPiUppk71aWKMJM5ss+VSZ7bhsiqd2+ZomWoXFwUdIK2j
zQceaFWcBgIgAAIgAAIgUBO4VuvwWItY/0vhk1WzfIUmoPj0C09qG07MOhLD1cx8aM+50jpcRo35
ulyeBp/DmvLltxTX0YIrLcWwo3T4tJjdZEgZ6HGd5oAmOw7PeljrCIQ0JcfzphPt2e5WsV2tU9Eq
HWsWR75lz+RSoDKkQmuTdtJA0DoSBP4DARAAARAAgVsSuFbrcOUwXqXFllbcjmnmRiwroUHe8kO+
DqXYzF3TMOpZpw2FghaboiyK3WXFSutUVUrrdsXa5FyuTRYSaVjrCKUjlzDLStOyF3NEGZZ5svYd
Vmudargkh2bdp3XKJOCLtbfbMoumtLKGFkjT2mTT8debrCjyLImCkG/g6tE6FUkt23UtbXaK1iab
1ngVZ3mRZ2kcBHxT2o7WKUPfYmO5IvuWRsdlIAACIAACIHBCBK7VOtU2C3zaFW4y25tHm5XnyCW0
2yyYjixmMmY540W49Oq4TlXl4dTlW6/9sNSiKZyrrnWqqtgsJ67cKj5ZNpvRh7UOXxaj7ToX8Zw8
mo3EzvXRNEiCiSXWJu8tyWFZ92qdeM43h9MKG8ebhXIXPqGaebQVnW+hHy83tOCoT+vQrivLMDqT
U3m0GDt8w75pOeM5h9GjdZo9WifkpqgqCIAACIAACNyawPVa59ZJ40IQAAEQAAEQAAEQeHQC0DqP
bgIUAARAAARAAARA4B4JQOvcI1wkDQIgAAIgAAIg8OgEoHUe3QQoAAiAAAiAAAiAwD0SgNa5R7hI
GgRAAARAAARA4NEJQOs8uglQABAAARAAARAAgXskAK1zj3CRNAiAAAiAAAiAwKMTgNZ5dBOgACAA
AiAAAiAAAvdIAFrnHuEiaRAAARAAARAAgUcnAK3z6CZAAUAABEAABEAABO6RALTOPcJF0iAAAiAA
AiAAAo9OAFrn0U2AAoAACIAACIAACNwjAWide4SLpEEABEAABEAABB6dALTOo5sABQABEAABEAAB
ELhHAtA69wgXSYMACIAACIAACDw6AWidRzcBCgACIAACIAACIHCPBKB17hEukgYBEAABEAABEHh0
AtA6j24CFAAEQAAEQAAEQOAeCUDr3CNcJA0CIAACIAACIPDoBKB1Ht0EKAAIgAAIgAAIgMA9Erhe
6/wPPiAAAiAAAiAAAiDwgATuVvgcpHWu8AEBEAABEAABEACBByHwP//zP9A6D0IamYAACIAACIAA
CDwGAWidx6COPEEABEAABEAABB6KALTOQ5FGPiAAAiAAAiAAAo9BAFrnMagjTxAAARAAARAAgYci
AK3zUKSRDwiAAAiAAAiAwGMQgNZ5DOrIEwRAAARAAARA4KEIQOs8FGnkAwIgAAIgAAIg8BgEoHUe
gzryBAEQAAEQAAEQeCgC0DoPRRr5gAAIgAAIgAAIPAYBaJ3HoI48QQAEQAAEQAAEHooAtM5DkUY+
IAACIAACIAACj0EAWucxqCNPEAABEAABEACBhyIArfNQpJEPCIAACIAACIDAYxCA1nkM6sgTBEAA
BEAABEDgoQhA6zwUaeQDAiAAAiAAAiDwGASgdR6DOvIEARAAARAAARB4KALQOg9FGvmAAAiAAAiA
AAg8BoEnoXX+fn1/9unn5WPwOaY8L75/PPvw/fyYioSygAAIgAAIgMDRE3gSWuf3p5fm2beT1zrn
X96Yrz//PXqfQgFBAARAAARA4JgIQOsckzX2lwVaZz8fHAUBEAABEACBPgJHrXX+/PfKNNof8+13
qgYd0T5NtOOJ/H7+9Uwrvfny029hm/7f6dc2BcN88wVzWX3+jN9AAARAAARAoEvgqLXO1cXfP/T5
/v6F+ea/3/z7+QlOZUkMPz+9Ml99/MEx/L3oWhJ/gwAIgAAIgAAI9BE4bq0jS4z1OhwE5rD6PBi/
gQAIgAAIgMB+AtA6+/kc01FonWOyBsoCAiAAAiDwVAg8Ca3zVGCinCAAAiAAAiAAAkdHAFrn6EyC
AoEACIAACIAACNwhAWidO4SJpEAABEAABEAABI6OALTO0ZkEBQIBEAABEAABELhDAtA6dwgTSYEA
CIAACIAACBwdAWidozMJCgQCIAACIAACIHCHBJ6E1jn/8ublx18H1Pr8yxvDMPgjiZn18s37L7+e
1SP3vr+13v04AANOAQEQAAEQAAEQaAg8O61Tvx3z8vzX5zOLvf3+jNQOtE7jt/gCAiAAAiAAAocS
eLZa5+rq6vL7W/NFHQ86//nf29cvmGlar97+97N5mdTl328fz15azDTZi9fvv/yu30Bx+efbhzd0
Op3/uQ4PtZ/m9+M9s97/lKT/fn5tvvn8/fO7V5ZpmNb7HzKlvz8+nb20TNNkL88+fm9eUn7x+8t7
Xpz2z/vNBq2znw+OggAIgAAIgEAPgWerdS7//vzvDbPe/eBxnT//vWYv3n37c3l1+ffbuxfs7KtQ
O3+/vDFffiDpc3n+89Pr+i2cFz/ev2Cv//t1fnV18efruxfszReuUvZrHcNgr959+fHr9+/fv+X7
qn7/94q9/PD9L+X74+Mr9uq/P2SEv1/PmHX25ffF1eX5jw8v2evP/Oce+7R+gtZp4cAfIAACIAAC
IHAIgWendeiF4CZ/Lbj56j2JG/r8/GCxt9/q2SwegvnK/zr/+oa9ePf1t3ij6OX5+QVdcPn9LWsC
QldXpHCESNmvdWqlpLj/+vhCy/fy97cv30nU0NvYXwv1dHV1dfH1TCavLuz/Bq3TzwW/ggAIgAAI
gMAeAs9O68j1On+/vKmDKFdXl9/OTMNklvwwZhovP8lIysWvrx9pcou9eP3247ffXAFxMfSlmee6
osmqDzRZdY3WeaNdw5l/f2e++LC7qPrHe6YVx2KmIZLfYyeRHNYmX4cIx0EABEAABECgS+C5ap2r
yx/vLeudXJnMv3/7e958Lnj85urq4u/vPyLcI+e8+Dqby2/tuM7XOq7TDsHsrtfpap12XOfq/PfP
36Sg+Hvbv/QUp2udzt+I63SA4E8QAAEQAAEQuJ7As9U6cqboM19nc/nr00v26sN3vorm4vfXTx+/
id9/vrfYm//40uPLv1/fWuzdd5rE4ut1xO9ifY9cr0MqhZ3JtTvf378wOmuTu1rn6venV+zVxx8k
cM5//feGvfr0m2zy5/Nr9vLdVx5Fuvjz/dNHtSh6n8mgdfbRwTEQAAEQAAEQ6CXwjLXO1TmtAK43
RJ3/+PT2Fe2HMq2XZ5+aDVEXv7++5/utGHuhb9C6/PNV7cPS9m1d/Pzv7IVlvXj56s2Hj29fXKd1
rq7+fv949pK2eVmvtGyvLn59fveatn+Z7MWbD/W6ol4TqR+hdRQLfAMBEAABEACBAwk8L61zYKWf
6mnQOk/Vcig3CIAACIDAIxKA1nlE+DfNGlrnpsRwPgiAAAiAAAhcQes8ISeA1nlCxkJRQQAEQAAE
joXAk9A6xwIL5QABEAABEAABEHhyBKB1npzJUGAQAAEQAAEQAIEbEHgSWufg95zfoOL1qX+/faR9
WIZpvX537K9FxxxWbTX8DwIgAAIgAAIHEzhtrXP56yN/7s6f84u/P/+j16J/U09LPpjhg50IrfNg
qJERCIAACIDA8yFw0lrn8vs7pr3Dgb/36vNfel3VS/569POvb8TzeegFWWdfL67+fn7N3v4nn7zD
XqoXoF9dDbxHnS7pff/5bVwIWuc21HANCIAACIDAiRM4aa1D72p4yx+ULLyAXunw7vslvV6ClA1J
IfPlx9/0UodX/OWffz+/NsxXH77/kS8ob97ZOfQe9SvSOj3vP7+d10Hr3I4brgIBEAABEDhpAiet
dX59eMHe/VD2p/ePn327vDr/+ubFh5+Xvz68fHP2+vXnvxff3r7gz19uvxT018cXUioNvkeda53d
95+rLG/0DVrnRrhwMgiAAAiAAAgQgZPWOt24zm8R1+FxnDeff3x6ffblx8dXb7/++PTq7Cst5Glr
nd8fZVho33vU25f8m9NB6/wbP1wNAiAAAiBwkgROWuvQMpzuep3//lxd0ezVi7O3b17/9+fyx/uX
b9+dyXd2toVLo3WuBt+j3pVH/+Zj0Dr/xg9XgwAIgAAInCSBk9Y6V80+rIuL819f3lpMhG+urmiZ
sskXKF98e2uZlnj9+VBc52roPeo7oaB/8zFonX/jh6tBAARAAAROksBpax3SIt/p+TqGYVqv3n3+
dVE7AV+m/OPySsieN1/EVvShuA6d1v8e9Y48qpO/3f/QOrfjhqtAAARAAAROmsDJa52nZH1onadk
LZQVBEAABEDgSAhA6xyJIQ4pBrTOIZRwDgiAAAiAAAi0CEDrtHAc9x/QOsdtH5QOBEAABEDgKAk8
Ca1zlORQKBAAARAAARAAgadAAFrnKVgJZQQBEAABEAABELgtgSehde7zPee3BfcY12EO6zGoI08Q
AAEQAIEnTgBa5wkZEFrnCRkLRQUBEAABEDgWAtA6x2KJA8oBrXMAJJwCAiAAAiAAAm0C0DptHkf9
F7TOUZsHhQMBEAABEDhOAtA6x2mX3lJB6/RiwY8gAAIgAAIgsI8AtM4+Okd2DFrnyAyC4oAACIAA
CDwFAtA6T8FKsozQOk/IWCgqCIAACIDAsRCA1jkWSxxQDmidAyDhFBAAARAAARBoE4DWafM46r+g
dY7aPCgcCIAACIDAcRKA1jlOu/SWClqnFwt+BAEQAAEQAIF9BKB19tE5smPQOkdmEBQHBEAABEDg
KRCA1nkKVpJlhNZ5QsZCUUEABEAABI6FwJPQOscCC+UAARAAARAAARB4cgSgdZ6cyVBgEAABEAAB
EACBGxCA1rkBLJwKAiAAAiAAAiDw5Ag8Ca3z9+v7s08/L58c3Dsu8MX3j2cfvp/fcapIDgRAAARA
AASeN4EnoXV+f3ppnn07ea1z/uWN+frz3+ftkKgdCIAACIAACNwxAWidOwZ6j8lB69wjXCQNAiAA
AiDwbAkctdb5898r02h/zLffyRZ0RPs00Y4n8vv51zOt9ObLT7+Fg/X/Tr+2KRjmmy+Yy3q2jRIV
AwEQAAEQuFMCR611ri7+/qHP9/cvzDf//ebfz09wKkti+Pnplfnq4w+O4e/FnboBEgMBEAABEACB
Z0vguLWOxI71OhwE5rCebTNExUAABEAABO6RALTOPcK946Shde4YKJIDARAAARA4CQJPQuuchCVQ
SRAAARAAARAAgfsgAK1zH1SRJgiAAAiAAAiAwLEQgNY5FkugHCAAAiAAAiAAAvdBAFrnPqgiTRAA
ARAAARAAgWMhAK1zLJZAOUAABEAABEAABO6DALTOfVBFmiAAAiAAAiAAAsdCAFpnjyV+fXzB3n7D
U/v2IMIhEAABEAABEDh2AtA6gxa6/PHOYsxq3j8xeCIOgAAIgAAIgAAIHC8BaJ0h25x/PbPOvnz7
8KJ5W9XQmfgdBEAABEAABEDgeAlA6wzY5u/n19a7H5dXvz+9evH+5wm+hGuAC34GARAAARAAgSdG
AFqn32C/Pr588fEXHfv75Y2FRTv9lPArCIAACIAACBw/AWid47cRSggCIAACIAACIHB7AtA6t2eH
K0EABEAABEAABI6fALTO8dsIJQQBEAABEAABELg9AWid27PDlSAAAiAAAiAAAsdPAFrn+G2EEoIA
CIAACIAACNyeALTO7dnhShAAARAAARAAgeMnAK1z/DZCCUEABEAABEAABG5PAFrn9uxwJQiAAAiA
AAiAwPETgNY5fhuhhCAAAiAAAiAAArcnAK2zh935lzcvxcOT95yEQyAAAiAAAiAAAsdMAFpnj3Wg
dfbAwSEQAAEQAAEQeBoEoHX22AlaZw8cHAIBEAABEACBp0EAWmePnaB19sDBIRAAARAAARB4GgSg
dfbYCVpnDxwcAgEQAAEQAIGnQQBaZ4+doHX2wMEhEAABEAABEHgaBKB19tgJWmcPHBwCARAAARAA
gadBAFpnj52gdfbAwSEQAAEQAAEQeBoEoHX22AlaZw8cHAIBEAABEACBp0EAWmePnaB19sDBIRAA
ARAAARB4GgSgdfbYCVpnDxwcAgEQAAEQAIGnQQBaZ4+doHX2wMEhEAABEAABEHgaBKB1ajtd/v1z
Xn/f9//5n7+X+47jGAiAAAiAAAiAwDERgNbh1rj49en1qw8/L643zcXPj69ff/p1wJnXp4UzQAAE
QAAEQAAE7p0AtM7V1dXFj/dzq2BgAAAgAElEQVQvX/33W4N98evzu1cWM03TevX2v5+tgM/l70+v
Xrz/AbWj8cJXEAABEAABEDhaAtA6V1d//ntlvfuuTUydfz1jL959+3N5dXXx+8uZxd5+aymbi+9v
rVf//Tlao6JgIAACIAACIAACDQFonavfH19a735oUufq56c3b7/UUuby+1vzxcdfDTH6cvn9HXv5
SQ8EtQ7jDxAAARAAARAAgaMhAK3z9/Nr882X1iyVbp3Lnx9eWO++t+I6V1fnX/ZepCeA7yAAAiAA
AiAAAo9JAFrn14cX7N2PARucf3v34sXbbztK6PL7O/PFh3awZyAJ/AwCIAACIAACIPCYBKB1fr63
rPe9Wuf8x4eX1pvPv/XprdpWP94x68PP+i/8DwIgAAIgAAIgcKwEoHV+f3ppvtVXJgtTXfz48GpI
6FxdXX57a2LBzrE6NcoFAiAAAiAAAhoBaJ2Lb29Zd1PVxc+Pr6w3//VGdDi8P/+9Ym+/9QV8NLb4
CgIgAAIgAAIg8PgEoHWuaId5e3Hy708vDcMwtQ9r7Um/Ov/yhp197axXfnxjogQgAAIgAAIgAAI7
BKB1rq4uf7x/0Y3s7IDSf/jzHx4mqPPAdxAAARAAARA4YgLQOmSc8+/vXr75TM8OvP5z+efzm5fv
vu9szbr+SpwBAiAAAiAAAiDw8ASgdQTzyz9f3n3sPkWnzxwX3z68+3KYKuq7HL+BAAiAAAiAAAg8
LAFonYfljdxAAARAAARAAAQelgC0zsPyRm73QODv59eG/Nxo3dU9FOXwJK95XvfhCR165uXvL+9e
WaZhmOzVJzwG81BsOA8EQOA5EIDW2WPF8y9vXnbehLXnbBy6fwLN++eZ9erd51/tnXAXX8/MPq3z
98sb6/Xn+v1mty3kn+//fflx2CqtH+9Yrb3E/+1tfqIE/6h1zn98/vz9b19lLr69tXrc9tfHF+ar
u/Q5/8lO2qDRdUQPSf5edGaI0ymUUrzoCcd+eP+heFEEpW/o679/ffn8+XeKObA3tU4qjbT/k9KR
3v7y5S96/fnhB6nSMMMKjB6wjTgU1bw5+Lram1ex0nDfhTYTcaPuKU1QuX/f/vz1f29++lT3D/33
799/fP70kXq33r0ttWCPJzmQ84uuvG1woRYpmqCxVbwlFdRorFxsUJDpvy8/s2bYjJox17LntJoQ
ym/Ki+eHH999/LsplP/742ci/v/bO0MmV3koDP+XKhwuDofD4XA4VF0drq6/oK6urq6qDrduHa6u
DleHy533kJCUhdJvuHc+ZvatWCiQ5ORJZ/LuOSeh/yFo0ZPIwP4uo6C4aY18q+RQV6WKEAiDsH4x
c9gPficBEiABEiABj8BnWmc0WcfFIHDmL1QSgSOhk4FrAg4fCRV1gZ4+hKG1THAqK63UkePVqQHP
ZHP6tVN++Z8PtAh7BKH7BBvjpJDGvNkSU7md/l9VkKfnpAGoARFxwy6jZ0EG/9WwSOeqscEarZ/f
hzTKjr0Xo7mVCaJGh9P5crmUaS9Epiz5vOneWh8ODO08U/5VnPcaw96AkBFMcLB4slS8PNIjEU4z
oyba702yDgbSr7wTUkgNq/fIJ0cOuvgM630cbisTlByNwFnDeSQBEiABEiABR+AjrSOz7ptknds2
6PMqEJ04Z9Yl002Sdl5qv8re/yPzqJdKIlph2Iaz88cZZtkxv0//YH1MQhd7kqCJXbDd3opQudkX
gszOtiLTXAozeu5kiqeRkEriLetqqx1EHNw8gyJdsMZmNbX1MYvSg1vxhLZV79TwfV2Tlnzc9KAG
QwYBJc9x1fOCtHjNyepFlSyYd2E9DXdZ16NPRm1GKLfXPPAGQzcg0m1jAAOK0ymLcgmCQrrhq8r+
0+J4r4c8JQESIAES+I0EPtE6smB4mPWB/9at1vgu1SbeI5sUbotjhjxhWY3cIvYl3g6t2/t1G202
JqPULy7cMZ8G2bHuQhntY7hnXnuvzPpordtHdchCk4ejm+qw3Q0zX+6nNEydZkETiDIFkqMjgRcj
MJ71uVAb2e4FD8HJ4HKwB4IMGsn0+XFKAmUyo5/fpyJS+UUSjwZFXoI193MeJfuX7feAzniYnvVl
Gweb1Ai+SUveNu251zxrhbD9g6X6m2h77lbu67a5192KtwYpR6Ybz/tlG4dp535CTUFizh9VmQQm
WUf2V3o3akb7OaLGCJ+SOJr2nfxrvg6Z6jPOIW6iOLLjKPI2iuwvzfaHRxIgARIgARJ4S+ADrTMa
g9Av26s8LkUUbIJQqSjd7gubrKN1c92aGyrO98ddbENFL8XFwvZ+RiWbIMROgVGGpA7v87gUsu2d
3A7jfI81UvhIJrAXkJJryOhwya6mmt5Poe/nXKElpVRSHA825xVxHGw6iDvpofaTr6UKP/1FFixJ
iAzGljbc9kPDOVD3Y4Lt9LANonzEefGsyrgjp5LidC6TxG4VOG3Jh0371hoC3aGtL9sk7Lf2Q95T
l3fU1jIEglilu7MRnlgTdsoMsDjbn3aJsjvrzIwaAmP9xgDOiFdKTVUmIcY9DMI4P5hV+GZooaqM
X/B5zYPN28V5rgWekQAJkAAJkIAl8IHWsY/OHPGqASyFwr/snndB6+4dBDOl7e1n83hMv/zh2Yzc
bpuH2+PY1jN/bLEpoo2uvTwu70x4uTL1Rbo2WsdUibHr07W8sWS60FgTI9daoB5hPTlcADa21g3O
vJFhGWny3SWM4kTt74rxHgmQAAmQAAnMEfgLWqd9uiU0LTwmLv9krnXeJwESIAESIAESIIF/S2C5
1kEWRRineVHkWaIClR9d5u2/tZ21kwAJkAAJkAAJkMAcgeVaB/v41V+32/V6q/6XV57PdZH3SYAE
SIAESIAEfjGBv6F1fjE+dp0ESIAESIAESGDlBKh1Vj5ANI8ESIAESIAESGARAWqdRfhYmARIgARI
gARIYOUEqHVWPkA0jwRIgARIgARIYBEBap1F+FiYBEiABEiABEhg5QSodVY+QDSPBEiABEiABEhg
EQFqnUX4WJgESIAESIAESGDlBKh1Vj5ANI8ESIAESIAESGARAWqdRfhYmARIgARIgARIYOUEqHVW
PkA0jwRIgARIgARIYBEBap1F+FiYBEiABEiABEhg5QT+ABYIs1RtZekFAAAAAElFTkSuQmCC
--00000000000025abcd05abaa830c--


From nobody Thu Jul 30 08:44:10 2020
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7614E3A09F3 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 08:44:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level: 
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RRyaA6-7sEIv for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 08:44:06 -0700 (PDT)
Received: from mail-qv1-xf2b.google.com (mail-qv1-xf2b.google.com [IPv6:2607:f8b0:4864:20::f2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EA973A09DC for <oauth@ietf.org>; Thu, 30 Jul 2020 08:44:06 -0700 (PDT)
Received: by mail-qv1-xf2b.google.com with SMTP id y11so9735414qvl.4 for <oauth@ietf.org>; Thu, 30 Jul 2020 08:44:06 -0700 (PDT)
X-Received: by 2002:a0c:d686:: with SMTP id k6mr3542667qvi.187.1596123841834;  Thu, 30 Jul 2020 08:44:01 -0700 (PDT)
MIME-Version: 1.0
From: Warren Parad <wparad@rhosys.ch>
Date: Thu, 30 Jul 2020 17:43:51 +0200
Message-ID: <CAJot-L2yAaBAJ_q3KzPH3_U4ND0_TOXMiSjnLj_wz4YbPv5MuA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="0000000000009c6f8e05abaa8a0d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/f18vynrMXC4dj4tqck7SZIl4xp4>
Subject: [OAUTH-WG] Clarifying Bearer token usage OAuth 2.1 draft-ietf-oauth-v2-1-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 15:44:09 -0000

--0000000000009c6f8e05abaa8a0d
Content-Type: multipart/alternative; boundary="0000000000009c6f8d05abaa8a0c"

--0000000000009c6f8d05abaa8a0c
Content-Type: text/plain; charset="UTF-8"

https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens

It seems recently more and more common to pass the access_token to some RS
via a cookie, yet 7.2.1 says it defines two methods. I think we need some
RFC2119 <https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119>
keywords
here, to suggest that either SHOULD use one of these two, or MUST. And then
optionally state whether or not we recommend or reject the use of cookies
as a place for access tokens. It's also possible that the language threw me
off, because would an access token in a cookie be a bearer token, but no
matter, if I'm having this thought, then surely others have it as well,
right?

[image: image.png]

Warren Parad

Founder, CTO
Secure your user data and complete your authorization architecture.
Implement Authress <https://bit.ly/37SSO1p>.

--0000000000009c6f8d05abaa8a0c--

--0000000000009c6f8e05abaa8a0d--


From nobody Thu Jul 30 08:49:47 2020
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 068543A09DD for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 08:49:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.692
X-Spam-Level: 
X-Spam-Status: No, score=-0.692 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VSU3hPKrsgpp for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 08:49:41 -0700 (PDT)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C857A3A09DB for <oauth@ietf.org>; Thu, 30 Jul 2020 08:49:31 -0700 (PDT)
Received: by mail-io1-xd2d.google.com with SMTP id j8so16341608ioe.9 for <oauth@ietf.org>; Thu, 30 Jul 2020 08:49:31 -0700 (PDT)
X-Received: by 2002:a02:6a6b:: with SMTP id m43mr4117104jaf.79.1596124170332;  Thu, 30 Jul 2020 08:49:30 -0700 (PDT)
Received: from mail-io1-f41.google.com (mail-io1-f41.google.com. [209.85.166.41]) by smtp.gmail.com with ESMTPSA id b67sm3192806ill.31.2020.07.30.08.49.28 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 30 Jul 2020 08:49:29 -0700 (PDT)
Received: by mail-io1-f41.google.com with SMTP id v6so13450008iow.11 for <oauth@ietf.org>; Thu, 30 Jul 2020 08:49:28 -0700 (PDT)
X-Received: by 2002:a6b:8b86:: with SMTP id n128mr38874448iod.202.1596124168531;  Thu, 30 Jul 2020 08:49:28 -0700 (PDT)
MIME-Version: 1.0
References: <CAJot-L0pNWox1aX5GOkD=QVJakRVVtn=PvysciB2Wak6ijG+Dw@mail.gmail.com>
In-Reply-To: <CAJot-L0pNWox1aX5GOkD=QVJakRVVtn=PvysciB2Wak6ijG+Dw@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 30 Jul 2020 08:49:17 -0700
X-Gmail-Original-Message-ID: <CAGBSGjo_w5+fOE0bQeeiuQLt0-Xkt+Gdu01C3BHZeuOZNh4Taw@mail.gmail.com>
Message-ID: <CAGBSGjo_w5+fOE0bQeeiuQLt0-Xkt+Gdu01C3BHZeuOZNh4Taw@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="000000000000154eb105abaa9e5e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8a3jGJrFfwNCzcJbc0AqkTg_p88>
Subject: Re: [OAUTH-WG] Authorization Code Grant diagram Improvement OAuth 2.1 draft-ietf-oauth-v2-1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 15:49:43 -0000

--000000000000154eb105abaa9e5e
Content-Type: multipart/alternative; boundary="000000000000154eaf05abaa9e5d"

--000000000000154eaf05abaa9e5d
Content-Type: text/plain; charset="UTF-8"

These numbers in the diagram correspond to the numbered steps in the
paragraphs below the diagram. Perhaps using non-duplicated numbers would
help, such as "1a" and "1b" instead of two instances of "1"? Although I'm
not sure how that would work exactly because the "1/2/3" are really just a
single action as described by the "Note" below the diagram in your
screenshot.

---
Aaron Parecki
https://aaronparecki.com
https://oauth2simplified.com

On Thu, Jul 30, 2020 at 8:43 AM Warren Parad <wparad@rhosys.ch> wrote:

>
> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-authorization-code-grant
>
> Can we avoid using (1, 2, 3) on the left side of the diagram to describe,
> I'm not even sure what they are supposed to represent, not to mention the
> RO in the diagram doesn't really provide value (for me) relevant to the
> code grant flow. It's confusing to see these numerical identifiers twice in
> the same picture. But maybe there is something hidden in this that I'm
> missing, still 3a and 3b could be used to identify different legs of the
> same code path.
> [image: image.png]
>
>
> *Warren Parad*
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
> <https://rhosys.ch>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--000000000000154eaf05abaa9e5d--

--000000000000154eb105abaa9e5e--


From nobody Thu Jul 30 09:34:52 2020
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 246703A040F for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 09:34:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level: 
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g48U6eWb9JBS for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 09:34:47 -0700 (PDT)
Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0D273A0400 for <oauth@ietf.org>; Thu, 30 Jul 2020 09:34:18 -0700 (PDT)
Received: by mail-qv1-xf2a.google.com with SMTP id o2so12769758qvk.6 for <oauth@ietf.org>; Thu, 30 Jul 2020 09:34:18 -0700 (PDT)
X-Received: by 2002:a05:6214:452:: with SMTP id cc18mr3205545qvb.100.1596126857032;  Thu, 30 Jul 2020 09:34:17 -0700 (PDT)
Received: from heembo.fios-router.home (pool-71-126-184-140.washdc.east.verizon.net. [71.126.184.140]) by smtp.googlemail.com with ESMTPSA id s30sm4925247qtc.87.2020.07.30.09.34.15 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 30 Jul 2020 09:34:15 -0700 (PDT)
To: Warren Parad <wparad@rhosys.ch>, oauth <oauth@ietf.org>
References: <CAJot-L2yAaBAJ_q3KzPH3_U4ND0_TOXMiSjnLj_wz4YbPv5MuA@mail.gmail.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <0d9c249a-0a96-7d0a-bdee-f6d76811ae00@manicode.com>
Date: Thu, 30 Jul 2020 12:34:14 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <CAJot-L2yAaBAJ_q3KzPH3_U4ND0_TOXMiSjnLj_wz4YbPv5MuA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------6DFD61349FA4B207838BB1F7"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/im7vkVD1fxQcg0JFGvoaiO_6be0>
Subject: Re: [OAUTH-WG] Clarifying Bearer token usage OAuth 2.1 draft-ietf-oauth-v2-1-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 16:34:51 -0000

This is a multi-part message in MIME format.
--------------6DFD61349FA4B207838BB1F7
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

In a browser, HTTPOnly cookies are the *only* location where an access 
(or other) token can be stored in a way where it *cannot be stolen from 
XSS*.

It's a very strong place to store tokens from a security point of view.

Cookie storage of tokens does leave one open to CSRF attacks so it's 
certainly a trade-off. But CSRF is much easier to defend against than 
XSS and cookies are a better choice if the specific risk of having 
tokens stolen via XSS matters to your threat model.

- Jim

On 7/30/20 11:43 AM, Warren Parad wrote:
> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens
>
> It seems recently more and more common to pass the access_token to 
> some RS via a cookie, yet 7.2.1 says it defines two methods. I think 
> we need some RFC2119 
> <https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119> keywords 
> here, to suggest that either SHOULD use one of these two, or MUST. And 
> then optionally state whether or not we recommend or reject the use of 
> cookies as a place for access tokens. It's also possible that the 
> language threw me off, because would an access token in a cookie be a 
> bearer token, but no matter, if I'm having this thought, then surely 
> others have it as well, right?
>
> image.png
>
> 	
>
> Warren Parad
>
> Founder, CTO
>
> Secure your user data and complete your authorization architecture. 
> Implement Authress <https://bit.ly/37SSO1p>.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Jim Manico
Manicode Security
https://www.manicode.com


--------------6DFD61349FA4B207838BB1F7
Content-Type: multipart/related;
 boundary="------------DF24DF968134C483429C7876"


--------------DF24DF968134C483429C7876
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>In a browser, HTTPOnly cookies are the <b>only</b> location
      where an access (or other) token can be stored in a way where it <b>cannot
        be stolen from XSS</b>.</p>
    <p>It's a very strong place to store tokens from a security point of
      view.</p>
    <p>Cookie storage of tokens does leave one open to CSRF attacks so
      it's certainly a trade-off. But CSRF is much easier to defend
      against than XSS and cookies are a better choice if the specific
      risk of having tokens stolen via XSS matters to your threat model.</p>
    <p>- Jim<br>
    </p>
    <div class="moz-cite-prefix">On 7/30/20 11:43 AM, Warren Parad
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAJot-L2yAaBAJ_q3KzPH3_U4ND0_TOXMiSjnLj_wz4YbPv5MuA@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div><a
href="https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens"
            moz-do-not-send="true">https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens</a><br>
        </div>
        <div><br>
        </div>
        <div>It seems recently more and more common to pass the
          access_token to some RS via a cookie, yet 7.2.1 says it
          defines two methods. I think we need some <a
            href="https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119"
style="text-decoration-line:none;color:rgb(34,34,238);background-color:rgb(242,242,242);font-family:&quot;Noto
            Sans&quot;,Arial,Helvetica,sans-serif;font-size:14px"
            target="_blank" moz-do-not-send="true">RFC2119</a> keywords
          here, to suggest that either SHOULD use one of these two, or
          MUST. And then optionally state whether or not we recommend or
          reject the use of cookies as a place for access tokens. It's
          also possible that the language threw me off, because would an
          access token in a cookie be a bearer token, but no matter, if
          I'm having this thought, then surely others have it as well,
          right?<br>
        </div>
        <div><br>
        </div>
        <div>
          <div><img src="cid:part3.0E15266D.E3258D4B@manicode.com"
              alt="image.png" class="" width="542" height="179"><br>
          </div>
        </div>
        <br clear="all">
        <div>
          <div dir="ltr" class="gmail_signature"
            data-smartmail="gmail_signature">
            <div dir="ltr">
              Warren Parad<br>
              Founder, CTO<br>
              Secure your user data and complete your authorization
              architecture. Implement <a href="https://bit.ly/37SSO1p"
                target="_blank" moz-do-not-send="true">Authress</a>.<br>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Jim Manico
Manicode Security
<a class="moz-txt-link-freetext" href="https://www.manicode.com">https://www.manicode.com</a></pre>
  </body>
</html>

--------------DF24DF968134C483429C7876
Content-Type: image/png;
 name="image.png"
Content-Transfer-Encoding: base64
Content-ID: <part3.0E15266D.E3258D4B@manicode.com>
Content-Disposition: inline;
 filename="image.png"

dUkYhjJ0+W9GgPjK3zx6Py372/0xHBOCt48kh2yWn+7ml+t/Oz5flpQKvgEB4itvAJmaIAQI
AUKAECAECIFvIUB85VvwUWFCgBAgBAgBQoAQeAMCxFfeADI1QQgQAoQAIUAIEALfQoD4yrfg
o8KEACFACBAChAAh8AYEiK+8AWRqghAgBAgBQoAQIAS+hQDxlW/BR4UJAUKAECAECAFC4A0I
EF95A8jUBCFACBAChAAhQAh8CwHiK9+CjwoTAoQAIUAIEAKEwBsQIL7yBpCpCUKAECAECAFC
gBD4FgLEV74FHxUmBAgBQoAQIAQIgTcgQHzlDSBTE4QAIUAIEAKEACHwLQSIr3wLPipMCBAC
hAAhQAgQAm9AgPjKG0CmJggBQoAQIAQIAULgWwgQX/kWfFSYECAECAFCgBAgBN6AAPGVN4BM
TRAChAAhQAgQAoTAtxAgvvIt+KgwIUAIEAKEACFACLwBAeIrbwCZmiAECAFCgBAgBAiBbyFA
fOVb8FFhQoAQIAQIAUKAEHgDAsRX3gAyNUEIEAKEACFACBAC30KA+Mq34KPChAAhQAgQAoQA
IfAGBIivvAFkaoIQIAQIAUKAECAEvoUA8ZVvwUeFCQFCgBAgBAgBQuANCBBfeQPI1AQhQAgQ
AoQAIUAIfAsB4ivfgo8KEwKEACFACBAChMAbECC+8gaQqQlCgBAgBAgBQoAQ+BYCWr4yd2Wa
3H/SopnuGlunW30psizNikvTz3e/Hy4st2uWJlk1HK5+8Y+xydMkLbvli+Wh2IR1FO19v75R
qa7o2JRZXvXfkVVX7TPXxhpxau/GZpHDnKZplpfXDwfwmfboHkKAECAECAFC4OUIaPnKdA0s
3ccrjkRj6S+xZ6t3OnE1GmRchyphN9tpZ7jnM5eHwoeW7ai6c8QPqhmqLM0l7eoLz7Isvzz2
60H5Z38CIqTwMtaOHTdfJCzr7ZKmZfeZnu6S3nLXsqzgcjcw0zVUxw6/20HxLQK4t/rCL3Nb
punltr6wSqqKECAECAFC4C9DQMtX1unWqp/mkoDLc9Pu6DOmJnEt24vLurt1TRE6lmU5icYn
r1OT+TuxeQlf6XNgGvAJr89HR5A3eEUvRumn+AoyPkfyMmB2QZRJoiQEeO7/tUsdywo+0VGl
3g/4ih2WXdd1bX3NcAAtBR6llj/3dalj27Li+otU788JTi0TAoQAIUAIvA4BLV85V8+8us6P
rWM/7H6kx4W87ra5TV3LcqMigxX9C/jK2mXIoLxz6GBuizRJs1oGE4YqS3DbaBmaIoL7bT+C
za702m+crxTdrb7kWYqbWsMxirEM7bWAn/JLLfe7IH6SFs0Iu2GiIP91HdtLjGTKC7GdS7dA
iCBJcynWOnWwjbZvwzAiuIxdfS1P9c19lQVIBf0YxN47N/cNq6K4NHIUYPDWsb0WOetO3yBU
xviKnbRivOcqAgKo3PpRE7ANeG3HZayzNC1xy2mo0iRJLzJKw3YXd6m3bdNDum3r1FWs93l5
qbtxgSvXFJmuGyCWbEty7hs+JgVsYk1HGi26Q/8TAoQAIUAI/DsIPMFXODdQvJih+2whr99c
Wfq2m9alBof4fb6ytBBvsKNry/Zz5D7VeIGtLDe77TJiaMIKr/8fts1CMvivnTQr4yvKRfjq
pnuux1RjZGm/wYmuAzpHLGi77h40kgXb9HDRssJq5mLlTKypSY/baD50gAVR9qaEIKyochk7
tw7XCDjM/nGTmoeZ5k6JZe2/a4aP7QcpfGVlovMRfNDE0uUyXAYEMARCxZpgdSi7dKwZJ+Ob
gCZIT3Wyrb7/Gynw3gncuhurY88ty81ps2jXd/pCCBAChMC/icDHfGXGcLwdVR/suqw33KFx
swe+40V8ZWkSpCv1vA0lZLF4udjhMfOVaZ2nFkX0snaCz7Ly+AqEfsrm1vddzVw9d+5TFQH1
YD92VQpBEzu8QuyGEx3bz+p+WubpVoZwKxRcl6kvgTXZSY3tzOum8pUZpbecILs2sA9zyQsW
d1ma1I/ya9P1Q19nmJ0De13LPNXQXysoblDfvKy825aXXNu+by8xhI2cuJ63jQ+D7aXXDjrE
dukEmTgo8ZmvLBgFs2y2o8eQfdSEn1aaJh7zFSOkbNfHDoq2H4a+qy95UrTLtszjFYM+0XVg
nWfIu0kFMN3aqkzT68vTjw440R+EACFACBACfx6BD/nKdAVHzH2YWd7lhumv3Jub7nsNX+EM
imU0CILCU2vEn/fxFaBbA4ZjlB0r5vxs9PQo9FyxHSvYI5kwViO7vrSMNkAaCS8ok3XYXoqd
4uYKDynI/BWFr8w1kqCPsm6UEtvWZchX9vwV7rMzkU/EGwdEWJDL3X/aePK0Mb5iuUEcx3EU
ehivsf2ihwjSE03sxJQB9Ux8xQzp0iRA+Py0Pm5tbUsD6Ssyf4XxKCcqO9oGMs0zuk4IEAKE
wL+HwEd8hXmHu0zbExBjxVb4EcYeTj8qf76Er0wVhjJsL4zgE0BswXLSFvdpvsRXFAKz1DFG
RoB2sEiB48cp/8QskwI2m5g7x30c1j+14PaIr7BEYaVJic863ZprWUD+Sppgygrf2DrxFdaW
5YaJkCzC/SW/HGa266Vmp/LCz5wPcqILT8L5ehMP4ysPIF1uRQDExLJsN0zLPSPnzFc2uaHk
+HFe3Yi2SA2ib4QAIUAI/LMIPOYrPHVFbrfocJjbjGWXZnvah+42uPYKvsIYiZLSwL7yc0lf
4itKyo1CO9YWV/z3LUHYhPMVeRBaKbg95CumLJ+pScSJJ9mknq/wvFh5G//mFT2PtCSNTEH9
6HxQdOn7vmP7WZ7IBPl6Exq+AptjmL/yEFLMt71moUjtcWPcJrvjK5iwWxeJz/N37KC47Tnf
Js2j64QAIUAIEAJ/NwIP+QrLE1HPi9x1du1LXBW75gevKGVewFf4dkBS3fZPk2O2CG7q3PEV
Hihg2y/smS1KbOMh7WA/enk7Hj7TvH6HrzAJRTxoB4cdrnKiy21C53voyCm+smK6sRWUt4Ng
47SsnBEouz8r22hRrog2D/krK89XCRgF+3oTjK+EMt2JwcjybR9BKsTalpGfjWeZxaf9oP22
bZ1vV8bxlOxe+TN9IwQIAUKAEPiHEHjEV1hupK24Hjgq219i3w9zjKVMNe4D2UF5W1bxYegs
XRH6flQelr73fEV72wN8mcM7HQjhOTbgtVjapnwmC8/v5Bc4V5BZJ6w6fXwFUldhr8lNKpFS
sS5j197gvPPDghuPTkjkOPtFFTHRAAAgAElEQVTA80GsqB2W7Gm36zy0TT8xN+/zR8OIzREe
XxFJKSJjhBNJL2vEZsg6D10LFc4sR9jL2MPl1pGfI/qIr2zbws6I8xSkzzWBGzmsCT5CIoFm
YWnYLL7yANKlrys4wcw+nErBJh9nYPsYjW0lTzA/fXbtgUrRT4QAIUAIEAJ/AQIP+ApbcJ+f
ycriAJCAu3JucN6WYCX4Zsp+jBWxuOcr2tuMuHEGoQRI2K3cSUMQZa5j3CdwgwhySFlGhHio
HC9v2Y7nuU5UzY9pxzY38NwY+NiO49hYmYtnkT4oyIMVluN6rhNcRpWvbOxpNLxWrBMTTzCt
1LJdz/cc27Icx9kPZnPyAD96jgMPTBkr1k0uGcrI+AI/IAQ/eB6ct7ahNl2Q7BBfASDFySWW
fvywCTy9tDeBzfMm1p4/eNgL4zgSmzacr0Abekg5xYPu+yg2nisH/iIoJ3bey/8PdsTZcX3f
d1mKcHChA0LGOUM/EAKEACHwbyBg5Cvc7TnnZ9rCYzIc24OnfRhyHBhfmeEZI46fy+eGafNX
tLeZoOWraSXLVdzJqRN67KW/piG6fNv1o7wqgQiI4zhLf0kC9OJukHfLB7QDfPjtmkU+PmfF
dtwgzthLgD4quA5Vytvx0+b0/JVtm7oLk9G2XS9MLxCFmruSi+Z4UV7fqnjnK/hj7Ds2MITw
goe316kteT/hapAUNXs0DNQuanKDpOxqOF30cXwFsBzxNBg8gQaYwnNN+ElR4lNqRBPr1BYx
QoZylVc4m60QVy2k69jkCRs23p1mFDk4U5NHcHrJdry4+n9vlzTyXSRhMMDZFQNeQhPof0KA
ECAECIF/EgEjX/kne0ud+hkEjCm9P9Mc1UoIEAKEACHwn0OA+Mp/bsh/oMPEV34AVKqSECAE
CAFCQEGA+IoCBn39IgLEV74IHBUjBAgBQoAQeBIB4itPAkW3PUCA+MoDcOgnQoAQIAQIgRcg
QHzlBSBSFYQAIUAIEAKEACHwowgQX/lReKlyQoAQIAQIAUKAEHgBAsRXXgAiVUEIEAKEACFA
CBACP4oA8ZUfhZcqJwQIAUKAECAECIEXIEB85QUgUhWEACFACBAChAAh8KMIEF/5UXipckKA
ECAECAFCgBB4AQLEV14AIlVBCBAChAAhQAgQAj+KAPGVH4WXKicECAFCgBAgBAiBFyBAfOUF
IFIVhAAhQAgQAoQAIfCjCBBf+VF4qXJCgBAgBAgBQoAQeAECxFdeACJVQQgQAoQAIUAIEAI/
igDxlR+FlyonBAgBQoAQIAQIgRcgQHzlBSBSFYQAIUAIEAKEACHwowh8jq/0uWcnzfqjEv2S
ypc6sv1yeCzNOlRJ4NqW7YTX/7+9q/VzlQfW/wsqLg6Hw+FwOBwKx1U4HPqKujocV6FwOBwO
h8PhcDjubyaQD5p0ux9n37NnU3FOt4Vk5pnJzJNJUqbnl/7j374E11MMPt8CNP+dFpluAYmq
5alWv+bLNiVu3v8ada2iFoEfjcAPTeUavrI1MXEeX+F93s1KTvfQjar5O0y4VJGUJYbSd5Nm
/fKOX0mfSx0RN6mnZZnn9Y8iMJbB38YTVZFegeu5jT7fwr7vikWe9/f5bwVf2brM874mW7ep
GHyEemFSNNN/OUHo8yB7hYZ8C1/5Qpw/b/5f0YIabN9SWY0Jb11tv/8WBJb+nkW+C2GFUC+I
ixbStEjlS524we2NmblR0rVJwrem9cab3/+Fhq/s2zJP+GpSl0T3kf0xr7KS157W4V5Uw3cE
1qWOaShmtUt3K+s/UNt4JX0OhVRu+pMIQGb8y/jKRaRX4Lr6jPr351uAUShbRG3/6/8SfGWf
m7LEMPDpXtqU0KSe4TWNfZ2H1Aluf8C/XxN0Gwrf/Xv4yhfi/Jr+v/2qS7B9A45LTHjjavv1
NyAw17Hr0DCv2mEcx6Fr7mU9QpoWfGUb6+Lef7BMvLWp++YyxBfqqeMrvPkhd0ks1y5QyXtT
RB4lDnGD5D4clQ05drdF7MP3MD1MqytxW8cqDfF+6vpx2TGg1uF+rKx4US7NKNfhfl7tRbcB
4T9rPzTrZNxhNWBqjr6pF2bVeAg35J5f1HUWeS4lxPWT2yk2VxXebGOdhS4BueOivsViPWgb
q4zJ7IJG0OzcpD49JYFKuIRAm9KwbFBwSqgbpBW6CHamaWrf9Zgcwo23gHfk+OX/FR6JawG7
I/LZ2sTEKwa4T+AGIOtS6VpHNL43ZewjKGDLqSuTAP6ivrDsvi8dXASrXv5Bzi8ijfsObCMo
6nvKlsfAiLzYBrgyj6GqcY2Az89dCEVCd0EnvLHB9mCRAz/4b5ua/BDB9YVsWq975i38BnCi
ugjP9SCpuvDk9m06HQyAbHI/eJyZAF9JOy761iaEpO3xt9Z59nWosshnQ8qPb73wDS/vpgZ9
mvXExVcM0aY0qsb+BqOWJC2fdGx94YtiD9RXzUNslxBYu9ynQcHG2KPzgHei77U38DYKYYJ7
y9LDh4RNBZPbdQYk9fIEZ47erlFNi6FhAC44IEAaN0gON9t3aBVjz9HPWPrniJxugQZzOYLh
PVoZhNSIT9JMbRF55Fxm09uODU5KCIEw092jc14DzD0WS/dLFRLOe/VNPQy6x2D7zDqPMQHq
nXoAhargCS9pqu/aEPDXWgre+773mXsOqiH3gnIYqjSg5Bi98yEkpoaKzQ30EElya7OYJlQe
3i50/J//TSlNxSjDOVaISxP6Th98WA+FkE28A7pJwpvIPuIrwVeUiaLeMw1jbW1TLNtgGkTH
M4wj0e1n372brzjEjcpuWtZlbDLvTI8iW69NQr20mZZ1Xaa+aU/OcAo6lj4Ny35e12Ue2qbD
IDhXEfXSelzWdWqLgHh5j1FzuoeERmU7TNM0tB22BbxAqq8I3Pe1yzziZ/UwL8vUlRGlcY3N
D7nnOLBwA5F8HaADltVPoeD/rc89gkIsy9gWIXWcgzguTeK68X2Y13XubxF105alBJzNn7lE
4SvEIX7WzqDE0mYeOYL9rm9Ki4ksm1w22DqMlogP4Oa69EwlXebSrNv2fb5H1I1vHaxUDXXq
E7+4Rn6IiY5DQ0bdliZ1HUKDHOnj2uc+j25jGdAgb7nFj6gni8TGJCHETxF8RInENVJRUJmG
RTvOyzw2ecDhMwL+lgvtkCC8pEI79/fE5bKy+sppEYHgXEXEz7t5Xdd57JqWrbAYvM7sLSAY
QSyWeayzgDjOsTKp5lG9s536DghEEVJyOpgQFHKhxFfWqU48N2kYp9c7D3Dnrm4HGHFzJ/k2
OKTnB2Fe9+M4Ldtu0Bephu8HyQ3mYFBGlV5dSuX6inGIcb6yjXcYyy0T2eA86HskLNDbtrlO
3CPh95nrxhXEgWUa2uZh1vcKzpL0j6rpMdQPQKObPeUrKua6CKaXQRYbUojrB8BAhnGCMGKw
HXxMo7KbYaBXiUect/mKvin9oFOD7VvWucSEJ+OUK/uqptqujd74nK9Qzw+isoFRse7bUPrE
je/dOE1j33YYGvQQcaF30Owxi+1mb5etuUIAF4QFQMMoYuoUfF4enlooJNnEW4CBJkeyEh/j
O5E3Jb5i8swnIVFhhnpYLj1/6s/38xWp+jOV/jnB5NkaMOLhSiMamOfK+KQJCqS+JjnmFCNc
y6Z1oiV1CEl1LaguuJiu2cXzPTgqJAA3n1zsgluJRvd9a1NKpI0wfe4e6WS+h7IUXebKMSE5
syNHAHPOmcigCyhTsWmroSkdJrJs6jIH6OkXULYC+hzfbhFlWXMsfFYOu+C2dalLJdVY0+Cm
YthsbUpIdJZtRIdbl7kSqHMVnpiqKy/QmgQflAXY9ktQWXIZbBnFNQP+hgttXUZldZY6Pueg
Rr4CQhRn4eGA1uR1Rm/BjoSDbW1CTzNf8qjO2YBnSgiB4xr4iuMQ9oJ5fcxrgQbnURxlhyF5
VN+mW+CQiJFGuMikLyR1x8sfCC02rPIV8xA7+MoM1D6qjh03RudB3xOVHHAF9Bbk4nGNPF/V
6/jrBZyV+66qGTDUDcAnbvaUr6iYayKYQQZZbuRzkhOZbDffzhCHdy8VDkKcyoBK2vqKwQ30
g04Jtm9aB/oUy9ZPABS6vqiptmuzN4IyctBR6ysOPSec+w5CngOGS2WAiH/P1p2vWeyZt0tF
cOzT5TQC7QSD1NjpxYe1UEiiSW8hIcheJH0l501+ssTomcaQuKtI68aR3Onn37+br8iDAPVj
W0lEtoYTGh4hXpTdHoorIO/SwdSS+klR9Swwgd/B6tH5IscsAf3xYRejMoTk9SDI0sd0l+HS
n8xCcEn8QhJbAAgfyraFsc9cvssolKf5izjOUd/B8annK0q9mA9jU1OPmAjB4J0aCE63gilR
eJ+me4Dpm6k1A+ETCRzbEbpIzUq0Gj4FEgDra+zFB898D6/Ks/m2KhKuB8kRosuOeTnEA5GZ
9n0DNgo7IsyA4yEfswtdb8SRzgqqJr6yr8MtcmE9K7+zGRRDSed10khGLBisUC4AlWUHEz7P
qwvKwrB6+1XsC/4H8NASTerp2L/SlLFLgxK5hMl59mWo8jj0PXxRcoZfHCiC7ZtGGSvpCNOf
grD/Vb5iHmKIQBQHRJ4YGJ3nqjv3ln1usoASN0zLemAlGkUela9IyRHdSSq7HncBmrJqJgw1
A/BqL8nNnvIVeW7zMBJBLJMMkqKAj1wCNtnuOrh6mBmxRSBwVh1fMTWlH3SXYPuGddSY8ARA
oeqrmuocw+yNaha9rgedAwSkeBASJ8z6fCSk1mUxaEofKq86Qin/JCxD4VHccmG0C0YE2Yd1
UMiiifcQxeWcJr6R86YYjEbPNCfQC9KacSR3+vn37+crgkDLMUKK3SDUOrV3WDd342M9UJV0
m/u6iH0CRfqV5de0mRfptW6wyn3Ju9jIZQgJKM3uK67BFsBHH0Lb1XEVK5K4epDupBF6viKf
7QTBGGpI5rVN7buKiYqXGgggctKkWdqUojfCn2m7QNkF90M84AaL1zKZwMaFgvgnpgwtXyF+
AfVm8cIVg4tIl9YgKDNecw2pRr5ybcHoQldLSYnEyFdQxWVsSli29lJYYMFcovG67+Mrp70U
WyvrQUDvq+hIuQbnATjc5NyrxYnmQxnRqK9MthRR4I/38BWHhlmGq7AH0wDRtM5ztTX3Fux/
m7sqjzwCi5VYKxBSfYCvyCMR3NIwlh8G4BM3u/IVsaPsGgZ1EeyZDIemV3xMtsOSnbwVQvze
xIWvcG1MTbGer4PuEmzhoifWUWMC7/I0H/jmMa84P3qY5zwV79K1OeBfsihOxo5NYZpccE3p
T2Xgkmsd5iVvZ5ManGMCXWGVb3Onks+Lzi9QiC/kd3BaUpTQ5W+MfEU/OjSgHQn0ijQ6iJzc
1V4//dcf4itMLoi1Hq5caOXEBX0oXpvqVuD/D+tBsMwjfSighHKDtHSxK+tB57QDBIGB9MBX
oCYtrzKMxVmuh8v15XIcn+/hK+amToA4JucH+P8l+MD+MTe7Zd5BQobC87Iyc8/QjIFBzKyh
giivRLCmLzHRwFewXiotKnCxLiJdWhN8BVSWuRLaFHaXmQHnfRzp+uJCUHeVt4GzZRp25lax
iNyOeI8hGMAxep0I+nCX8BY8LH3srIJxCYnnqLdIMUU4JPbJb2f6isVkMJIMzCGhhq84bK+g
3nlg5U2UENDUYj3oFA/bNun7Fl8RrcNSrWGI8UbmOqb0+GUDo/MYveUAAf6DzXxS1+ybF3CW
msDS0Tko8HM9hvItfAA+cTOoRYoNCMDAzyn7ha8gf5aC1YsyPGRxk69Cd5IPQfI4Ax0k88MR
oFdY3mZ52egGAgURty/BVlyitY4aE54AKLXDFyOOz94Wj3dt9kZI/lJ9aqkih+j5ijY2vi2D
UIDtewSkX/Z2uJkRla7w+NqUsVPJ56Vu8S2H4vrF8Tfs2yOR9qfBRJgSg9E4OsTF2DCPaaym
wDYnXETg4+jy+Sf//HK+sg513Y3zum3r1Gawv4WfE0FRp7ZqYG/gti4D7F3F+I/bxoK8ga2I
8zi0VcNOFcF4hO294zxPQ8c258L2Fhrdx2VdoAgjQYkQ+VkDX7H9tkfn0jUggwS3hB4OL3F3
7PLtkLALifhp1cP21Wlo6+Y4XqRkRylUXTxM1Fdwv+1jU1pMJNF22DaC+4WZzrCoQl3PPYck
iO66roihgKcbwX7bdR7qzOcbmKVGhZvihwa+AuuqAe55hv2y09g3VYs76C8iXVoTfIXlnbBg
G3bbAvfb4vzbCPhbLrSPsJOU7bedj/22xyk0xSJC2bmr6x6cblvGOjk38xi8zuwtC+63PVXJ
YUv263wF4hlsB8et6HN/i12+oVsIyhZnkhrrWfM8tnDZub9b74egMttLDDvgQ3U9SF6+wj2b
VDPKLu4qS4O1Ky9rYXs8jDbjEON8ZUcfP38/0eA8Jm/ZxqZqhxmiA24dlnIxk0oS1WwmSQHp
evapHkP9ADS6GeRzF4t0+770Bey7NnBE3Ct3jWB6GSSpH/mKyXYQymh062cc6Kkv9ttCMqcx
20kEq6GUb6HQu71+0CnB9k3rXGLCk3HKlb16AttZ/OCl+q7N3oiTgRw3rG1zm/mOia/sG4wf
L7n3E+SYY4u3HiIu9L4bHEYfKh91ZLvJaBB4bgrnI/Bl6vTiw3oo4HTWeUpFknODAei4UVHD
xu0JDjTX7IiLGD6SeCbPFBczSaUJP2y6CMp+WZdlNcAiyfPpt1/PVzp22hmW8uDk6PXHrib4
RViKP17jBik/Dw1nMvHEMPymTZjwU9BLJ843RnfMSrBBBo4SEy+/nmfe5/Y8euuFovEncMsA
bmPFj+PCcVOPHzfdpjqP4Iw2nmzkR0aV7PgSX4GTtY9NGTCRZIOI4xHHoYdIMGNwGNeDq2Du
ruzzwzOuxwns8xCy1By8ldwU/jTyFQjJhw3ANlF2HFRWRbq0JvEVSWW4Pa+FRxgAX99wISi7
oEjHofrbcSb+ukInFJ6bw7ngYCo/Qw9nxTRe98xb1v6W4Fl96ie3rkqOnc5StpYJNAggk+Pj
/LbjUC9SD8wLUeXfi3MIHL5mv5eAV+icZ1/7MvJgPMCJ1qHNXFPuNOgrCy/kON/BijSeZT8n
HvohpjSywDnHgB2j1DqPyVu24YYn5yF4eGEmaX6II8XuZ2Y6hVekOj7UYWgagCY3YwfTKaH4
kwzNLTpLGVIQOGXQRDBtEDivh/+v+OBnOl+F44f81yXSqsrOlWfwvBaP8IOMUV7fE7Z4bGrK
MOjkYPumdXCbmBymjOOUK/uipsauDd4Iv+eAh+Wp6wXwywOBdJ75LEEdQmznQW7IWCk7UaqP
DFzq/bnDHD/NdoZKnY477Ix3HHk94MXhqYcCjiZp+Ar40lgXSQC/doCjKkjYDg0xfBTxdKND
KQoABnJMO3bTOEDgVxMsArjPvnvKVz7buL3fImARMCAAYeK6cm641H5sEXgJAZGEXrrcXmQR
+GEIWL7ywwxmxf1HEIDcotsY9I+oZ9X4DxCwfOU/AN12+Y0IWL7yjWDbrn41AlNd3tnvui1j
mweEHr+o96tBscp/IQKWr3whmLapvxABy1f+QqNYkf5JBOYmj+DhB2wXlPT77v+ktlap70fA
8pXvx9z2+J0IWL7ynWjbviwCFgGLgEXAImAR+AgClq98BDV7j0XAImARsAhYBCwC34mA5Svf
ibbtyyJgEbAIWAQsAhaBjyBg+cpHULP3WAQsAhYBi4BFwCLwnQhYvvKdaNu+LAIWAYuARcAi
YBH4CAKWr3wENXuPRcAiYBGwCFgELALfiYDlK9+Jtu3LImARsAhYBCwCFoGPIGD5ykdQ+yvv
0Ty75K+U8w8IJT1W5oOtKw/R+GAb/8htnwfzbSD+DV/9N7R421r2CovAX4KAga9Mt8BxnMcH
KI3wkCbnfGwqjNewwoftnuooT/LGx4XBk5YIdb0wKbuF3e9cXuezqM5GsHc369bzA3wEWEzk
J7NvU1Mm/AmJQVzUI7v8tS6kln/u27VJwvJ4MvGOj4JVnsf7cxV7W/KxDJLmfLKp7rF2bzeh
XGHgKyrCyh2mPz5wi6mpT38+3UP3fE7h3udB1uuaXKpI9ptP8RXVLrre8LM/kOmXOnGDGx8N
xq6/8Is/oMUXSvfQlNEBHq60H1gE/k4EzHyFuh5VHx+JT5P3PJe8xlfmKiI0LJp+xOdY38tq
2LZ1nvA13ELiZS37Y1545kGUIA4QQhS6tNYSX9nGW0iJl5RNh0/Jbu9ZQIlfwAPEX+vi77TG
+6Ta2tQ9TbH/Lr4CHvINfOWC8Cvm+cAtrzT7sWvW4V5UAw6ubSh8V8tXljqm8qzjM3zlYhej
1H8g029jXdx7ZfJk7P6LvvgDWnyRZJpmzA6gudh+ZBH4KxF4wleSIvdo2ooix9ZlbpAX8Yt8
pUspSVuViXAMljoiXmGYDU23wE3KIoCOzvtlvoJM6PLwlbXLPC4YdvOsizalNOu4NGPpn0+E
X8cqxbINwWfFd0cAXLoSn3RPqB8X7czvPN8MuefnNd5KCfWiop3GOgs9lxLqhnnD79jGOotY
zcmL8mY69FvriCbNBA+HJ8TNcR7MnokO1Sn5yqPHtU1d+GV3fGHuxuh5a8rEx4qWH5en8Ps+
1XmMzxRnsh3StCkNy+YO+oKYQVpxuE+94P+lK5MAOiNuIP2KPKhc1KCNSwlx/eQ2cF/ZpgYf
Zn+5RbTKur7BM98JYFr203BPQUSQUJJcA8J4C+ipOav1QYrNKsAbpQzTWihiAHzf4YvQJdBh
XNQ34dZGhPd9m5oiZvh6YVYdJT2ultYoXt5NDfYUYDHsvbbAKiXCT70guSH9gBGSVnWO2FM3
zOoRfAd+7Z+4QVofbnUm1K0vfO4sjlymnOvY5ViyIfEEzOdmfbSL0XlOwQC5qYpdN6mZT2rM
jY+zN3qawL6OzvH/zDP59fuu7Wvf57ZIQs8lxKFemJ1Q7vsqjdyggOLvsxHH+xlyLyiHoUoD
SgirYxlg3KbTISHGNHAfBkgIfdK8ZO8zl1ek9U09BDGzA3A57RuLwN+PgJmvkKQZSp/G9ZmE
1iZxw/tQ8bCA41WemcGyTRMTrxhA8fkeEi9t9TOeZ2QC203adSh8Gt4mBqLEV+BemnYnkzlB
BtIRnJdDpHxCiYx8ZSx9Gpb9vK7LPLRNx6LoWAY0yNtpWZexyTylG9b9kHuO46XNvEFgK0NC
iBtjPtvmKqY0YbxvaRKXhkU7zss8NnlA3YMQwnqE6wdBWnXDOEErcxVRL63HZV2ntgjUahN2
eoljsIpGaJg347wuU1cERJTHlr5u+mlZ12W4RfQEr02JQ/yshe72pc08ZcXtwBVg9ZJqmJdl
6u+Jy5VHld2knsBB1gFEZIbHOhwNyw5QHKrEpXxN4rQVrOA4JMiRUa197juE+Aw9qJ2djM0I
wlB4l/qKQ7zkDipij1wRI+Bbn3sE8V2WsS1CKpY5uZD7BWHGibMasejKiNL4SLPGWyCleX4Q
5nU/jhPWEd9piz5zwZPAdtPQNqyCwFZM4wp4yTZVMXUIjRhfXNrUO/KiskTYpVRfXwER5VGM
ptGBCZC9YdaLXXaT83C+Al5Hw9tBLw0+b/Y0gfsurei9dL2hL3Dlpu7GeV3XsUpccsyLliah
NMjrYZqmoWsHCGvPRhyXbMg96vlBVDbgAVAA1sP44JDkXHe/eKHEVwxN6YOY0QG4qPaNReAv
R+ApX9l4WMH0H9OoXpaX+QpMRmGZxouyWzNeaMszMsH4SrPByPbPXCfxFUZMeMXiRHhrYqAx
558f4ysQcHn4PJqCupJI/ftchcp0B6+CECnIEmapI3nvUtYDCifPlKA3NuVa68iRGtgx0itc
kedwruAljkH0lMQEQwmJ+E07fH7MsCEzSTsXhtwlyaUgtnUZpUlzctZ9qeNTEFVlKTeuTUJP
6rIzTaRemCRtSkhUn04BOAhZASWWQMHSWhAueREUkaoGPVfECPjWppRIevW5e6YHAZVkOfgQ
uLgE8D7fsQIoXX/ss5JMjClNKKpe+4otti5FWqSyc2jWy3FacPRJRSlTJCZ5/IpPL0LARVe+
ogPzFbOqdjE7DxNsHsqA+jnfp2Yyt9HTZE0ufEW4k+SZ0vWmvqRL9n1rk4OEoyNd68EvjTgQ
Xi5TG2AEOxsc8jLOBV8xNLWDFa5BbN+NDqCobP+wCPzFCDznKzC/PZLbfA8xb72Dr6Da69RV
BSxReEl9lErg85f4yr6vfe65OMO58pX7n+Er+9IVISXUT4qqx7oDFooch1D+Io7zMFNVn4yK
GZdLuDUQ9aC022VUYQTwDWsKoq2U4zE3OkR0SogjFxQYtGqdGPMO71TJtetYF0noe/hyyUmM
2pQoq2Jq0QL7AE2k0M/YR1gB+KrKWE47WEbhX/GSMjg2C/UVqeux8EjMt88uVcicDgiCHgQ1
L15a26E5trvFCPhVL9mtmYTwr5opoFmFePWZ+06jQJvvtcWMrN8N07LGWT0IptoacJIQhvUC
ttjJaAFjhcZ0hW1Ju+ZV0wgwxxfMqtrlCjKScHQe6DOIYxcyOWdiRnMbPU1YCmzFC78vXG/s
a9+mtkyjgI8VNiqvjoQ9q1a4eMspGwgjOPe+G2C8YiU5pOqFu+ArhqZgBfchiFm+chrE/v+D
EXiDr8B8mkK+wgVzCC3SOLpETUQBxpZuXwrU5c/SKlz4Il/Zd6jBu2m7SHwF7qXZl64HQb7k
C1/7Nvd1EfuEsLkfhBK/6OZFevGCw2F7NUTCHWKK+ipfkVIOm8unjdonj+ys00sck5OTkmux
lB3derarGQx4MJDLzkqR5g+ljkW99/MVnN5JaC2XDdX75USP2rPCV1wtCGpevLQmUqyZIF7T
g5TthPKXDPRRviJznA/aYpu7Ko88QkO+f0WiTl/OV44NVIgEtw28CW/jU7OqdrmCrPAVx/GS
PPGIX7ANwUf9SmdudXA+4+YAAAY5SURBVHBJzFgy1Qf4is61oJZKgqJjUxVRXzHyFcm4l/F4
CHcRHp1TA+MVK8khr+1CyRPryE8tcglilq/IzmLf/1AE3uIrO9Qc/fye+8dpHZmvbG1C5VIn
rM1mrlTnl0CB8eiXvMLyMl/Z97VNPS9rq4RTAO1+W9iPIGf8p5QIhzyf2QGhkPkKExsXlIHF
QFlbr5TQT41KoKyOrzAQxC5jCO+sWCGFJ9boWKi7cURX/B3GMVGjNvIVWB6J+ZIO9Pk6X8H4
LW5m60HsmImqspRFIH2qbsFF5m9UqsRzIn7P+QrMRU9Z+Z34BpQQBRkzXzECDutB8jrXWHim
9SCOMAyF19aD+C0PaxGfsQWMhKNyotr6Vb4iVbQkOGFZSzjrlUoK8veKWVW7mJ3nlB8OrRA/
h3N9sHJoMLfR0yQt3slXTH3BMpEAA6Bh9ZX5pln7O7U4xLjyCvbxRXiciWhGx9UhB+GQALxU
e12qyCHIV16wCA9iyFf0DiCjaN9bBP5mBN7kKzsurDrEP2KwzFd2DDcubiWDbWjtLfaId/xu
ytpXt7rtRziyfHzDZ1LvqK8AeEubup4v7QZl55n95AaHpaH5Spxn5mg/o0SghZs2WClf+iIg
jsPqK1NbNcO0rBvbmermPRQ1xjIgNCpb2CY7jX1TtZx4Hd2pUcnEV1jGCQu2c7ctcL8tCvHA
V3CrKQ3yZpiXeR6HtmoEzzk6BXIYlP2yLst5WkHU9UX0BGlwXyzu3I2U9SDtTJpDCG9G2DHK
9tvOx35bJoiqssRXcEchceN7NyFeXV0/nDN9ja8YQYA9REylZd3MKRbJLm5wxq3SMuCYS/2s
GRfYnFzGLt/eKGuvIozBX9wT0XNzlfmWS0pDlN5li21sqnaYwSNn2EPNKLna7Et8BTKxl7Ww
BxogE6+1SQiN7gAEfqGaRvCVV8x6sYvReYT8G4ytM2bAHliNz5s9TWjxXr5icC0YNTS+j8u2
zj2Es5MpzHVMaVA044wRoIOdzkILlEOMOEms67Ip22+rGR0Xh4Rhek6/wHQHqdvmNoPVVrZP
Dx3ycaCZgpjsAAD1udlfFte+twj8xQi8zVcgTLnnjgd1PQj0WrobO/8Lx27D9HacqIGtJ2UM
p1Ud2MvgBUmpnAJ+RiYwDki/rgG9NInryFsqYTOv+L04N4jz8/fiONhPu2BnBymheGq5uUVH
fWWq8IgtCO0G6Z2f0OWHSvF0cSbOJx/dqSHVyFfgNEedR8eJ2CjnpyUf+QocVKgy/ot4YVI9
8JWdbW1wgHqtT6LnNtz5Iedb15X+cerKmJk4hviG6Q6HpOE8Mz8kraos8xVYR2rZ+W/A0Y8L
ftPZstq1qb4Cy1p6ENbhFsHhZYpnPtXWpBS7GwGH88xVCse02RFvcXz0FBH/VxCW9EJnF+4h
36Pccklp+/5eW2zDDQ/S4yiCc8vINdRmX+IruKkB1b2e1trGKvGp4xAvh93qz8B8y6y7ahcY
uT07tK46jyz/BowYlnwBRK25n3raCb00gl663tDXNtWSV/T3yD/3za8DnvzH0BCWMI+RtVBW
YE+Z4P+LMPiVHkbhkH5cQkg6+cpx8ppS6sKJ9roIxLkCXVOGIAa7WrgDWL4iG8m+/yEIGPjK
D5HeimkRsAhYBP5BBCT69Q9qZ1WyCHwIActXPgSbvckiYBGwCPw5BCxf+XPY2pZ/LAKWr/xY
01nBLQIWgX8VActX/lXLWr0+gYDlK58Az95qEbAIWAT+BAKWr/wJVG2bPxwBy1d+uAGt+BYB
i4BFwCJgEfgFCFi+8guMbFW0CFgELAIWAYvAD0fA8pUfbkArvkXAImARsAhYBH4BApav/AIj
WxUtAhYBi4BFwCLwwxGwfOWHG9CKbxGwCFgELAIWgV+AgOUrv8DIVkWLgEXAImARsAj8cAQs
X/nhBrTiWwQsAhYBi4BF4BcgYPnKLzCyVdEiYBGwCFgELAI/HAHLV364Aa34FgGLgEXAImAR
+AUIWL7yC4xsVbQIWAQsAhYBi8APR8DylR9uQCu+RcAiYBGwCFgEfgEClq/8AiNbFS0CFgGL
gEXAIvDDEbB85Ycb0IpvEbAIWAQsAhaBX4CA5Su/wMhWRYuARcAiYBGwCPxwBP4f8IYT7lnr
2ZoAAAAASUVORK5CYII=
--------------DF24DF968134C483429C7876--

--------------6DFD61349FA4B207838BB1F7--


From nobody Thu Jul 30 09:46:53 2020
MIME-Version: 1.0
References: <CAJot-L2yAaBAJ_q3KzPH3_U4ND0_TOXMiSjnLj_wz4YbPv5MuA@mail.gmail.com> <0d9c249a-0a96-7d0a-bdee-f6d76811ae00@manicode.com>
In-Reply-To: <0d9c249a-0a96-7d0a-bdee-f6d76811ae00@manicode.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 30 Jul 2020 09:46:35 -0700
X-Gmail-Original-Message-ID: <CAGBSGjriuuD6VAKJi8G9FwnVV+2h2e=BBfY+QiX29Tx5CJoLgA@mail.gmail.com>
Message-ID: <CAGBSGjriuuD6VAKJi8G9FwnVV+2h2e=BBfY+QiX29Tx5CJoLgA@mail.gmail.com>
To: Jim Manico <jim@manicode.com>
Cc: Warren Parad <wparad@rhosys.ch>, oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="0000000000000145d705abab6b70"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kXvb-hvJ6RcKoDSsMNMEs0pfIqs>
Subject: Re: [OAUTH-WG] Clarifying Bearer token usage OAuth 2.1 draft-ietf-oauth-v2-1-00
X-List-Received-Date: Thu, 30 Jul 2020 16:46:52 -0000

--0000000000000145d705abab6b70
Content-Type: multipart/alternative; boundary="0000000000000145d605abab6b6f"

--0000000000000145d605abab6b6f
Content-Type: text/plain; charset="UTF-8"

I haven't seen any OAuth drafts that talk about sending OAuth access tokens
in HTTP cookies. OAuth 2.1 isn't supposed to add new features that don't
already exist, but this sounds like a good candidate to develop as an OAuth
extension.

---
Aaron Parecki
https://aaronparecki.com
https://oauth2simplified.com

On Thu, Jul 30, 2020 at 9:35 AM Jim Manico <jim@manicode.com> wrote:

> In a browser, HTTPOnly cookies are the *only* location where an access
> (or other) token can be stored in a way where it *cannot be stolen from
> XSS*.
>
> It's a very strong place to store tokens from a security point of view.
>
> Cookie storage of tokens does leave one open to CSRF attacks so it's
> certainly a trade-off. But CSRF is much easier to defend against than XSS
> and cookies are a better choice if the specific risk of having tokens
> stolen via XSS matters to your threat model.
>
> - Jim
> On 7/30/20 11:43 AM, Warren Parad wrote:
>
> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens
>
> It seems recently more and more common to pass the access_token to some RS
> via a cookie, yet 7.2.1 says it defines two methods. I think we need some
> RFC2119 <https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119> keywords
> here, to suggest that either SHOULD use one of these two, or MUST. And then
> optionally state whether or not we recommend or reject the use of cookies
> as a place for access tokens. It's also possible that the language threw me
> off, because would an access token in a cookie be a bearer token, but no
> matter, if I'm having this thought, then surely others have it as well,
> right?
>
> [image: image.png]
>
> Warren Parad
>
> Founder, CTO
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Jim Manico
> Manicode Security
> https://www.manicode.com
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--0000000000000145d605abab6b6f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">I haven&#39;t seen any OAuth drafts that talk about sendin=
g OAuth access tokens in HTTP cookies. OAuth 2.1 isn&#39;t supposed to add =
new features that don&#39;t already exist, but this sounds like a good cand=
idate to develop as an OAuth extension.<div><br></div><div><div dir=3D"ltr"=
 class=3D"gmail_signature" data-smartmail=3D"gmail_signature"><div dir=3D"l=
tr"><div>---</div>Aaron Parecki<div><a href=3D"https://aaronparecki.com" ta=
rget=3D"_blank">https://aaronparecki.com</a></div><div><a href=3D"https://o=
auth2simplified.com" target=3D"_blank">https://oauth2simplified.com</a>=C2=
=A0</div></div></div></div></div><br><div class=3D"gmail_quote"><div dir=3D=
"ltr" class=3D"gmail_attr">On Thu, Jul 30, 2020 at 9:35 AM Jim Manico &lt;<=
a href=3D"mailto:jim@manicode.com">jim@manicode.com</a>&gt; wrote:<br></div=
><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border=
-left:1px solid rgb(204,204,204);padding-left:1ex">
 =20
   =20
 =20
  <div>
    <p>In a browser, HTTPOnly cookies are the <b>only</b> location
      where an access (or other) token can be stored in a way where it <b>c=
annot
        be stolen from XSS</b>.</p>
    <p>It&#39;s a very strong place to store tokens from a security point o=
f
      view.</p>
    <p>Cookie storage of tokens does leave one open to CSRF attacks so
      it&#39;s certainly a trade-off. But CSRF is much easier to defense
      against that XSS and cookies are a better choice if the specific
      risk of having tokens stolen via XSS matters to your threat model.</p=
>
    <p>- Jim<br>
    </p>
    <div>On 7/30/20 11:43 AM, Warren Parad
      wrote:<br>
    </div>
    <blockquote type=3D"cite">
     =20
      <div dir=3D"ltr">
        <div><a href=3D"https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.ht=
ml#name-bearer-tokens" target=3D"_blank">https://www.ietf.org/id/draft-ietf=
-oauth-v2-1-00.html#name-bearer-tokens</a><br>
        </div>
        <div><br>
        </div>
        <div>It seems recently more and more=C2=A0common to pass the
          access_token to some RS via a cookie, yet 7.2.1 says it
          defines two methods. I think we need some=C2=A0<a href=3D"https:/=
/www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119" target=3D"_blank=
">RFC2119</a>=C2=A0keywords
          here, to suggest that either SHOULD use one of these two, or
          MUST. And then optionally state whether or not we recommend or
          reject the use of cookies as a place for access tokens. It&#39;s
          also possible that the language threw me off, because would an
          access token in a cookie be a bearer token, but no matter, if
          I&#39;m having this thought, then surely others have it as well,
          right?<br>
        </div>
        <div><br>
        </div>
        <div>
          <div><img src=3D"cid:173a09c3ab3cb971f161" alt=3D"image.png" widt=
h=3D"542" height=3D"179"><br>
          </div>
        </div>
        <br clear=3D"all">
        <div>
          <div dir=3D"ltr">
            <div dir=3D"ltr">
              <table style=3D"border:none;border-collapse:collapse">
                <colgroup><col width=3D"214"><col width=3D"110"></colgroup>=
<tbody>
                  <tr style=3D"height:0pt">
                    <td style=3D"border-width:1pt;border-style:solid;border=
-color:rgb(255,255,255) rgb(204,204,204) rgb(255,255,255) rgb(255,255,255);=
vertical-align:top;padding:5pt;overflow:hidden">
                      <p dir=3D"ltr" style=3D"line-height:1.2;border-width:=
1pt;border-style:solid;border-color:rgb(255,255,255);margin-top:0pt;margin-=
bottom:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0=
);background-color:transparent;vertical-align:baseline;white-space:pre-wrap=
"><span style=3D"border:none;display:inline-block;overflow:hidden;width:199=
px;height:34px"><img src=3D"https://lh6.googleusercontent.com/DNiDx1QGIrSqM=
PKDN1oKevxYuyVRXsqhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBhaZJg1BO45YOc=
1xs6r9KJ1fYsNHogY-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA" style=3D"margin-left: 0px;=
 margin-top: 0px;" width=3D"199" height=3D"34"></span></span></p>
                    </td>
                    <td style=3D"border-width:1pt;border-style:solid;border=
-color:rgb(255,255,255) rgb(255,255,255) rgb(255,255,255) rgb(204,204,204);=
vertical-align:top;padding:5pt;overflow:hidden">
                      <p dir=3D"ltr" style=3D"line-height:1.2;border-left:1=
pt solid rgb(255,255,255);border-right:1pt solid rgb(255,255,255);border-to=
p:1pt solid rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><span style=
=3D"font-size:11pt;font-family:Lato,sans-serif;background-color:transparent=
;font-weight:700;vertical-align:baseline;white-space:pre-wrap">Warren Parad=
</span></p>
                      <p dir=3D"ltr" style=3D"line-height:1.2;border-left:1=
pt solid rgb(255,255,255);border-right:1pt solid rgb(255,255,255);border-bo=
ttom:1pt solid rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><font fac=
e=3D"Lato, sans-serif"><span style=3D"font-size:13.3333px;white-space:pre-w=
rap">Founder, CTO</span></font></p>
                    </td>
                  </tr>
                </tbody>
              </table>
              <span style=3D"font-size:x-small">Secure your user data and
                complete your authorization architecture. Implement=C2=A0</=
span><a href=3D"https://bit.ly/37SSO1p" style=3D"font-size:x-small" target=
=3D"_blank">Authress</a><span style=3D"font-size:x-small">.</span><br>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <pre>_______________________________________________
OAuth mailing list
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">h=
ttps://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <pre cols=3D"72">--=20
Jim Manico
Manicode Security
<a href=3D"https://www.manicode.com" target=3D"_blank">https://www.manicode=
.com</a></pre>
  </div>

</blockquote></div>

--0000000000000145d605abab6b6f--

--0000000000000145d705abab6b70
Content-Type: image/png; name="image.png"
Content-Disposition: inline; filename="image.png"
Content-Transfer-Encoding: base64
Content-ID: <173a09c3ab3cb971f161>
X-Attachment-Id: 173a09c3ab3cb971f161
--0000000000000145d705abab6b70--


From nobody Thu Jul 30 09:57:46 2020
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7F7B3A0DF1 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 09:57:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level: 
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IlD7B561BmHz for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 09:57:42 -0700 (PDT)
Received: from mail-qv1-xf31.google.com (mail-qv1-xf31.google.com [IPv6:2607:f8b0:4864:20::f31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 891B13A0DED for <oauth@ietf.org>; Thu, 30 Jul 2020 09:57:42 -0700 (PDT)
Received: by mail-qv1-xf31.google.com with SMTP id x6so6999977qvr.8 for <oauth@ietf.org>; Thu, 30 Jul 2020 09:57:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ePMQhyMkk0gS9QOah7UCZXMk3CObrPn/x4zt93m1jLQ=; b=eJ6zXQ1vfz0ffYA/jU5JL0vfksFmWnVMjEdqTF5gXAgoWnim6AqmzUs79ZLCCJJpg0 Cv2R0cns+19fRIfBCq95cJDpkqGv9UpbwZ/yHU3C7Nr2AvYHUcWdDDs/XC0EzV7HC7JF sDIrQxlZx3NtlVxhgBZqcaKyHDOaTu/PIejrY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ePMQhyMkk0gS9QOah7UCZXMk3CObrPn/x4zt93m1jLQ=; b=PiVngfUMVpGUA4TeobiSX5mi3+qoacdZ9qdJi0RryV7jojQDjrtF2itcOuOX1GqWQP jjIlFSymMiazzCYP/lD+2WefzinWb/mf68cyRoXtTgy9rfli6wy/TIBi6++7OSTQ6paF SDPp2O8+EXWZUzN57HcyaY/ufbxGo6ZgNzVseIQ21W2dkGSRrVMq06upw+RjqAo/IeMD hdJRrg7Fne5WpiZmTxpl/KgUuqtknSXAtEDuF3hS/0T5pXNP2HDiME+Sj7MtYl0X6jFk akuhyXZPgLfWbHZPP54p56D6fwH166+DUJnBSewAqTsKzMt9KYcBpCwQPeuhGx9g0Xd7 6+pQ==
X-Gm-Message-State: AOAM53288Jn+ppHJhpSww5WPmE9nikyIG5I8CaETosOirmG7yjlQsz3G 6bKIvTMSN6OdOys1BBJretcEXK3vCtNyBAc55hkgp/VHw3hE
X-Google-Smtp-Source: ABdhPJxSKmjcINyi1V/RPeHz5J2XhG/DG9QM4byW648pIU9gucq5oDZQbr7/2PmndB0I2c1L2EmVkDzndi698C+jmIQ=
X-Received: by 2002:a0c:ac4c:: with SMTP id m12mr17540qvb.218.1596128260906; Thu, 30 Jul 2020 09:57:40 -0700 (PDT)
MIME-Version: 1.0
References: <CAJot-L0pNWox1aX5GOkD=QVJakRVVtn=PvysciB2Wak6ijG+Dw@mail.gmail.com> <CAGBSGjo_w5+fOE0bQeeiuQLt0-Xkt+Gdu01C3BHZeuOZNh4Taw@mail.gmail.com>
In-Reply-To: <CAGBSGjo_w5+fOE0bQeeiuQLt0-Xkt+Gdu01C3BHZeuOZNh4Taw@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Thu, 30 Jul 2020 18:57:29 +0200
Message-ID: <CAJot-L0XmQ2wbmXPDjhwT4tT8nihmEXxc-N3orfeV21EKyYCPA@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="00000000000002492b05abab923c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Hz-3ewvMnDLwc7ZXpgBMUv9r2JU>
Subject: Re: [OAUTH-WG] Authorization Code Grant diagram Improvement OAuth 2.1 draft-ietf-oauth-v2-1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 16:57:45 -0000

--00000000000002492b05abab923c
Content-Type: multipart/alternative; boundary="00000000000002492905abab923b"

--00000000000002492905abab923b
Content-Type: text/plain; charset="UTF-8"

From the OAuth RFC, these were actually letters. I don't see a necessary
association between the left side of the diagram and the right side, it
just seems unnecessarily confusing.
[image: image.png]

Warren Parad

Founder, CTO
Secure your user data and complete your authorization architecture.
Implement Authress <https://bit.ly/37SSO1p>.


On Thu, Jul 30, 2020 at 5:49 PM Aaron Parecki <aaron@parecki.com> wrote:

> These numbers in the diagram correspond to the numbered steps in the
> paragraphs below the diagram. Perhaps using non-duplicated numbers would
> help, such as "1a" and "1b" instead of two instances of "1"? Although I'm
> not sure how that would work exactly because the "1/2/3" are really just a
> single action as described by the "Note" below the diagram in your
> screenshot.
>
> ---
> Aaron Parecki
> https://aaronparecki.com
> https://oauth2simplified.com
>
> On Thu, Jul 30, 2020 at 8:43 AM Warren Parad <wparad@rhosys.ch> wrote:
>
>>
>> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-authorization-code-grant
>>
>> Can we avoid using (1, 2, 3) on the left side of the diagram to describe,
>> I'm not even sure what they are supposed to represent, not to mention the
>> RO in the diagram doesn't really provide value (for me) relevant to the
>> code grant flow. It's confusing to see these numerical identifiers twice in
>> the same picture. But maybe there is something hidden in this that I'm
>> missing, still 3a and 3b could be used to identify different legs of the
>> same code path.
>> [image: image.png]
>>
>>
>> *Warren Parad*
>> Secure your user data and complete your authorization architecture.
>> Implement Authress <https://bit.ly/37SSO1p>.
>> <https://rhosys.ch>
>>
>

--00000000000002492905abab923b--

--00000000000002492b05abab923c
Content-Type: image/png; name="image.png"
Content-Disposition: inline; filename="image.png"
Content-Transfer-Encoding: base64
Content-ID: <ii_kcnpzgwk0>
X-Attachment-Id: ii_kcnpzgwk0

4eqJfj4QjgPeOdS1qoasT1rHML2gM/9IbqRVpUlGfWkbQrdsY05yJb2um5lVjyIqnW411ZH6G7mQ
dAruq2qMp5vgvmJ2yqa1B+V1ymdqbjK/eGrtyLxuIbVWxttIv9bRYoKywTURQ7KHcH/KvRardY33
GUvUlwvviVx2SUUQdzqqUvzWQmtujVH4vbDmV2Qk3WtlGdqNq79/6GutvDpaEFhZqG27beSbptdM
k3KKIUm/O62CwXy1NHWAKjWXAS8VY6aKaDdxnYGkuD+OllrggdNsax1u7yYcWZu8/r89TFeEs7Yi
BXFlB66sU1/H/9daivY7dbyHcNjTWltap9VdqN6I59h0hn2+we+rmltiXevsaV+dTjWZWWYd9hq8
02hDPLBfFVpH6wrJJ2v2FE8fqdv5hi41q3aN9B6ORiPRiw45TJPQCX85QOtss2jhe67NP5ZpiGYQ
T5nuC1qcMJ079Lbd5mNK2a51Lhx4PG3uQlQP1DEF36mjlut0nZh7AJcsXOqIrq/bPnkvyDu7ph/m
Ll9Pjaks83g59VxHVJQZzB/WOqIk3axVUqRN+lNrzuFOvcq5OhitsmzlMtImwtfpRi1fjbogxW1b
5JtMv8mgTtTvDINd2tQs7RmPNHQup96iJTc2chCmYZKLns3UcuYJnzLm5W1miPKQ7tatkb8IeJiA
RtoB62vAGgLyhlKNRPWRAXQdyza9An1RnYXUvdo4yJPdqSb/tUyD+WQkTE7viZbJ7KG3p2xjPoiK
SjRep5KKp7Rho2kXzDQMrfvqL2RtCxFmG4rraLcWFfm2YapsTNPgkqrbYCm/vcYSPrElPSfEDs16
yG0CqlJaw+c1aIxSdYE3rU8Akv8qm2pp8mNN/9DbWrvV2ZKm40GNTjrxlOKndZ505yWEoHaaKgM/
7TZVUOJykOoeLx3UOoMGKuL5iNGU3Hy9aW42WlqnKpOlZ9EMyWwVd4I6dP8vG3cNhjpQ4fwkdWpR
rJEZaCn19SKuUweC+a8Dhd/DgW7DGXJb2gAAIABJREFUtPtS/W50oDPs9Y3uMKFq0fVJitfIG46e
XlELOFPMqtvFiqktdZfZk0Jvv8rvNnWfpFuIpusoejen7mod7RJNHw0w16x0ul+v1Tqkp013HosG
peI6/CZFW4up5Ar502hJ0wnq07mR4rybvkz24421NWt0W2TH5MLIq7zi7VOObuTZ2s4t3hmL4bTp
balv6Sx7EAEoexryCZKqat+y1yGrwGuCWbxH7GStlZw61d7U1DliK2MRyXgJ/elHBYV7RE0oB2ce
5wpjUfA5v06jqga1jpxzoizbWkev/HD7l0ozmYnNEfTnOMgp2qTpxG0er2eebdKswZY6+n7r8/6n
1fQ5CNGH8Jm8BswgOtVn8XO5BWiherf31IaxJtHe0ExB0zreciNm1FR3z2/67RY9TyjFvWVTHZZw
ae51qjA0PI/XbXO2a76jD7S+mDewjqCl2qn0RV157++HO9l0xQGdfZCxyEQkwvkCD7kjUst0yCg7
wMlKvQ7Q07iocE3/0Ntau9XZp3W02YebaR0uWLWtENdVQVhggOoeL+1qHdJn/EZrICmRzzbfBPOx
Y9JUFe8X2lqHn1Sk4YLWEdm+WJ4mrqR/edBY2/JE+/yo49G7UiVkB1uKSlCdLH8bKPweDh2to3sL
XdXTGfb6xm21jt6tUeGV1qGgpLxT1CrMO9WW1ummoNdAa8tK0lFq7awO1jqqdC2tM9D96sU+0e/X
ah3qHJS+ppi6uIkk3aDMzEPldZ8Vjk09lFmT1fpH/lPTl8mlIX1ah/yAtYyqLZilVEQ0NQ3GrJlA
oFCqNk7RCC1dsNE6IgbcnsOilNRl1Ib2xnV6s66rKg72p6bOEZPAy6kti57MbXu6UEpiS/35zqyP
nO5VNuEtWzOFyIBo6xFzGpJky2u3NB5X0uYamjksaoULh00Wc1cezpYu/eloMw11bWhtBr9VoaG2
z/r9WqfbyVNyhxiCZ0vdHw+MUE/Eh2NZmnRu6xFe8SvvFdWMIP9xM7M0WUwjm4rrGNo96pZu/4je
3rLpefId4lwRKren8mpzh7Kwrf8oBD1gi0O1DgVr6mroaee8wap5Ejp2mLGEyInndGcr1tfpAmtQ
69CgaYmlQpRXw1AvVGt+QbuRoHNU/0BV1/ydJ8DHPi12x8/hEWAFnJ/Ik7llXOemVRBVG6Da9dJE
eSldocXmirVnmFzrDCQl8hH/8lVAIqwklgDqB+V3fovY7u74+Ngaiilu6y42rVW4jXEHW4qWW3Oy
/G2g8F0OemtVXZPqq0VqQ51hn2+091W0fGy4famseYZtAULe1oIlCiW6r3r1QCeFPW25fWY7q36t
QwOv1gQ6qJuecLhFS5uc8n/Xah0+6I9XabGl9ZRj26wbJfGle2JaH5eGU1eGyuXyKNMar+IsL/Is
jYOAr1rt9EFaX8aXovA1p2VRtu90O4KaplWYt0qL5sQi8Nho7GlPVhaLJfm6rSJPaOWuXCWqD7fU
lGhtV5rnWRLT4j4+nT5abIqyzJO177DrtE61m7XypOHU1DkUR2aWbdW9HJ+StvTNjenC5Suoaf1l
lm7CtXieO00Mm/bkkLXJ05BY7a5N1gIzfIGq6TRnekwuJqcleTOLPvXKlXThWJZV669tGq6jJC/K
bZnH83r5Fu97d62vw28Q8NUgHf1xkCF4CqqF8+CjqsHYalZ9NllVYqksLcHO8jzdRFEi5guF39Eq
Xq81h2XQ8u8goZXd0cw1xcruYbMKrxsvxWrB4bXJtKZ8Qw/JyZIoCJt9ZHU5OT1VE80WB2sdvjaZ
ubMwyYs8T5NoHXKFkwdjxtx5SC6fbkI+r3GYsUjyuq5t0dY78dHa8mC3S0uxGRvNaXlskYkV47vj
hbpcS5NnorQO9512axXmpLXJfHVmNOdrk/lisE46/6J1bloFSWeAasdLyd3qGzS6o3RmfHHNNo+m
tAhATKAPJJVF6zDJqOXxJfVSUoqgY0S8y21O/S6dsi3SYGLp9wKimDshVRqcHdet90jQWY11qK31
thRZ5dbJ9W8Dhe9w0FurEgFdrUM3Xr2d4W5PThq+NUw0tRDLxvv7OpU1L35LgHRWwdT12x/X2dOv
tvNqZVX1a53hGlFhVE8oMu3pfpsyn+6Xa7UO7ZOsNzd782iz8mrlUPEtgHKD9mo91WN+eSS2ShuG
aTljsfWq0wfpWofPLdMGPlZvRm4swhugmk2gh8fS9lvTnsl7NRJjrcWZPObOd/+adN5IbbpttZ8i
VvulvRWNBnk0G1l0jTWaBkkwsfat16EC7mTdlHpPavo5dANHW7nlEELCrrUgj2+DF7u6aVu3NxW7
9CPfmqxjuZ2X2V6zVVpLuwzG1jSIlxOxlby957wOdDXn1/ai3dK+vn8xmjBa7iFv56nvU6y3yZLv
h6dFKPQwgmapZJ2abv1erUMb9mod1ZTlEEPwk7UWXm3TZgu+p+/m1VKtaJOy2I1Jz0KYRUVVbZNV
DWi8jOOFM1ryuzTyVbFjn+/Q1ujtcZLRMqYnHXS8ruX22yyYeWQRQuOO1XMAtHLW9Dq2OFzr0B41
ubWdW2ayltEcuXGbZz5aSK+rs9tnrGzhGIYeb9IqpQ0kVAndKLQbWO59d8aLYN53b6wu19LkNDSt
U1W7rZU210qY1DRmzbMwOun8k9bhG5oPr4KyYi9VzUud8SJcqglxSYoxZtHDG4K5WweVqTXs9qUZ
PUK7diPVYGkVD3+kgrfO81A83UB42s4+ZhFo023KJQIzDC18oLTOYEtRVdZOVj/2FZ4a4kBrVSKg
1VfL9JpHXOidYa9vtIcJ5WOUUF2kTvtSWfPcdAFSRpO+Gaye9Tr6HNbBeelZUVi792Hy+2rUbnRN
BVstWiI85f+u1zoH0uH+pK3fOfCy60+juwCbnvUw9KFWoa9MvbeS7Bagm/XuGfhlmADNex3p63jE
eFkHp4ergCOHE+gbvQ6/+ijOvNMqdDTZI1RQLBis72MeoQBPI0s+uSfugZ5GgVHKXgJ3pXVofULP
4q3ePG/6Y7729rzagd9I6nPRbRV/08xucv5O1je5+OTPzZYj63FfdDZsgscfh4bL9kSP8GUaPUG8
J1Sdu63CEfgY3W3sRNKfkEEeoqj0NGp7KhZ/P0R+yOO+CNxe65TxaiGfvJdvVhNLf2TLfZW2ne6W
HgC3Glud9+k8hNYZyLpdPvz1ZAkcwTj0ZNmpgifr+Zqe9Ucr+gLfMXuenahOPs5v91gF+Nhxmhyl
eqYEbq91aKkDf7g+LddwtPnyhyKVzB16Gv940Xle1gNonaGsH6rqyOeeCWAcugvAWeDTu2VofRCt
A1vvrMS+i0zuN417rAJ87H5Nh9RBoEXg9lqnlQz+AAEQAAEQAAEQAIGjJACtc5RmQaFAAARAAARA
AATuiAC0zh2BRDIgAAIgAAIgAAJHSQBa5yjNgkKBAAiAAAiAAAjcEQFonTsCiWRAAARAAARAAASO
kgC0zlGaBYUCARAAARAAARC4IwLQOncEEsmAAAiAAAiAAAgcJYEH0Dp3+mD1o4SIQoEACIAACIAA
CBwtgXvROmU4GS3k+war3pc+3phHthrteU/EYHKdktwukcHUcQAEQAAEQAAEQODoCdyH1tlGvuXc
sdYpk9V8nQy/ALQfdKckt0ukP2n8CgIgAAIgAAIg8CQIHKJ18mg+oWe9mwazR9MgE4oj8hmbxk0l
04VjjoOyotfJ0VPh+cechFsR11mGi4nDTHqdxHgRF81lRbyYuHSBabmT5aY+kMxsd5Eka99lpumt
CxUcKoNxnTr/fyRe+1lslv7IsSgHy/XX6bYaKsm6zmM4a2ceBFPPtphpWs5k2fNo+zyaj3l1xMPv
ZQxrm66nI5uXYeSvU/EC4Wzp2rM4C6cjyzTd//1/2u9Ipbe4s0lIp26zcOaJqxWKMvDYJMyiuWeb
pjXbNODwBQRAAARAAARA4CACh2idMgnpJZ9lWabriWXKd1MPaJ2qqspgbLbjOobJRrMwzcsii+eu
aU1joZdIINmTdZIXRUbvDzXdZcaLncxsZjuutwg3aZqVvRNh5WZmM2+d8wu2aSRfRJqFU9uUCmi3
JFw40RX7sjYMaxJQrlWZzF3TnidtlmU4YbYfZvRSw2wTRkLVFOHEssarJC/LfLP0mHzTIS1Xsh13
NAuoKkUejLUXwm9j32KTqKyqLdVmtIhzeqHpemLJmtFLcyzHdf11nKRZftPAVrvc+AsEQAAEQAAE
TpDAIVpHw7KNJvXQfyOt06ibqirWnpQ023jKZEyDZ1EE4zp0kcxsg/mkAeRnZ4HzdjNzGqVTnyX+
38ws5vOI06DWuSbrWnJVvSKLiznbj+oAkcg1X41qiUU/xFOLR7UoImWYXtCcXIZjZssAzTb2GfMj
CkKRfFKaipQYhbOqMvAMQytOu6b4CwRAAARAAARA4DoCB2idbRYtfM+1+ccyDTkk30Tr6CJA6Q9S
B61hnEb4EQ/U0LvKaUas+XS0znYzd5i3EkEgOimPl1PPdUQZmXGd1rkma5p6kx8uYZp5L/njNl1P
bNO0velSBnVI3DB6n3PzMQ1jRNdRyWWYSVxNskbMRm0jn0kVmM6d7tU8NEZxHU0D1aXC/yAAAiAA
AiAAAgcSuFbr0IIS053HYvpkT1xn3qgTpWZ4IToyRR09XHB0wivbZO6wkaZ0+ITUNOTTTlV1QFzn
8Kx7tQ6vV5lFK1qEY43XpLniKTPH67zQPiUppk71aWKMJM5ss+VSZ7bhsiqd2+ZomWoXFwUdIK2j
zQceaFWcBgIgAAIgAAIgUBO4VuvwWItY/0vhk1WzfIUmoPj0C09qG07MOhLD1cx8aM+50jpcRo35
ulyeBp/DmvLltxTX0YIrLcWwo3T4tJjdZEgZ6HGd5oAmOw7PeljrCIQ0JcfzphPt2e5WsV2tU9Eq
HWsWR75lz+RSoDKkQmuTdtJA0DoSBP4DARAAARAAgVsSuFbrcOUwXqXFllbcjmnmRiwroUHe8kO+
DqXYzF3TMOpZpw2FghaboiyK3WXFSutUVUrrdsXa5FyuTRYSaVjrCKUjlzDLStOyF3NEGZZ5svYd
Vmudargkh2bdp3XKJOCLtbfbMoumtLKGFkjT2mTT8debrCjyLImCkG/g6tE6FUkt23UtbXaK1iab
1ngVZ3mRZ2kcBHxT2o7WKUPfYmO5IvuWRsdlIAACIAACIHBCBK7VOtU2C3zaFW4y25tHm5XnyCW0
2yyYjixmMmY540W49Oq4TlXl4dTlW6/9sNSiKZyrrnWqqtgsJ67cKj5ZNpvRh7UOXxaj7ToX8Zw8
mo3EzvXRNEiCiSXWJu8tyWFZ92qdeM43h9MKG8ebhXIXPqGaebQVnW+hHy83tOCoT+vQrivLMDqT
U3m0GDt8w75pOeM5h9GjdZo9WifkpqgqCIAACIAACNyawPVa59ZJ40IQAAEQAAEQAAEQeHQC0DqP
bgIUAARAAARAAARA4B4JQOvcI1wkDQIgAAIgAAIg8OgEoHUe3QQoAAiAAAiAAAiAwD0SgNa5R7hI
GgRAAARAAARA4NEJQOs8uglQABAAARAAARAAgXskAK1zj3CRNAiAAAiAAAiAwKMTgNZ5dBOgACAA
AiAAAiAAAvdIAFrnHuEiaRAAARAAARAAgUcnAK3z6CZAAUAABEAABEAABO6RALTOPcJF0iAAAiAA
AiAAAo9OAFrn0U2AAoAACIAACIAACNwjAWide4SLpEEABEAABEAABB6dALTOo5sABQABEAABEAAB
ELhHAtA69wgXSYMACIAACIAACDw6AWidRzcBCgACIAACIAACIHCPBKB17hEukgYBEAABEAABEHh0
AtA6j24CFAAEQAAEQAAEQOAeCUDr3CNcJA0CIAACIAACIPDoBKB1Ht0EKAAIgAAIgAAIgMA9Erhe
6/wPPiAAAiAAAiAAAiDwgATuVvgcpHWu8AEBEAABEAABEACBByHwP//zP9A6D0IamYAACIAACIAA
CDwGAWidx6COPEEABEAABEAABB6KALTOQ5FGPiAAAiAAAiAAAo9BAFrnMagjTxAAARAAARAAgYci
AK3zUKSRDwiAAAiAAAiAwGMQgNZ5DOrIEwRAAARAAARA4KEIQOs8FGnkAwIgAAIgAAIg8BgEoHUe
gzryBAEQAAEQAAEQeCgC0DoPRRr5gAAIgAAIgAAIPAYBaJ3HoI48QQAEQAAEQAAEHooAtM5DkUY+
IAACIAACIAACj0EAWucxqCNPEAABEAABEACBhyIArfNQpJEPCIAACIAACIDAYxCA1nkM6sgTBEAA
BEAABEDgoQhA6zwUaeQDAiAAAiAAAiDwGASgdR6DOvIEARAAARAAARB4KALQOg9FGvmAAAiAAAiA
AAg8BoEnoXX+fn1/9unn5WPwOaY8L75/PPvw/fyYioSygAAIgAAIgMDRE3gSWuf3p5fm2beT1zrn
X96Yrz//PXqfQgFBAARAAARA4JgIQOsckzX2lwVaZz8fHAUBEAABEACBPgJHrXX+/PfKNNof8+13
qgYd0T5NtOOJ/H7+9Uwrvfny029hm/7f6dc2BcN88wVzWX3+jN9AAARAAARAoEvgqLXO1cXfP/T5
/v6F+ea/3/z7+QlOZUkMPz+9Ml99/MEx/L3oWhJ/gwAIgAAIgAAI9BE4bq0jS4z1OhwE5rD6PBi/
gQAIgAAIgMB+AtA6+/kc01FonWOyBsoCAiAAAiDwVAg8Ca3zVGCinCAAAiAAAiAAAkdHAFrn6EyC
AoEACIAACIAACNwhAWidO4SJpEAABEAABEAABI6OALTO0ZkEBQIBEAABEAABELhDAtA6dwgTSYEA
CIAACIAACBwdAWidozMJCgQCIAACIAACIHCHBJ6E1jn/8ublx18H1Pr8yxvDMPgjiZn18s37L7+e
1SP3vr+13v04AANOAQEQAAEQAAEQaAg8O61Tvx3z8vzX5zOLvf3+jNQOtE7jt/gCAiAAAiAAAocS
eLZa5+rq6vL7W/NFHQ86//nf29cvmGlar97+97N5mdTl328fz15azDTZi9fvv/yu30Bx+efbhzd0
Op3/uQ4PtZ/m9+M9s97/lKT/fn5tvvn8/fO7V5ZpmNb7HzKlvz8+nb20TNNkL88+fm9eUn7x+8t7
Xpz2z/vNBq2znw+OggAIgAAIgEAPgWerdS7//vzvDbPe/eBxnT//vWYv3n37c3l1+ffbuxfs7KtQ
O3+/vDFffiDpc3n+89Pr+i2cFz/ev2Cv//t1fnV18efruxfszReuUvZrHcNgr959+fHr9+/fv+X7
qn7/94q9/PD9L+X74+Mr9uq/P2SEv1/PmHX25ffF1eX5jw8v2evP/Oce+7R+gtZp4cAfIAACIAAC
IHAIgWendeiF4CZ/Lbj56j2JG/r8/GCxt9/q2SwegvnK/zr/+oa9ePf1t3ij6OX5+QVdcPn9LWsC
QldXpHCESNmvdWqlpLj/+vhCy/fy97cv30nU0NvYXwv1dHV1dfH1TCavLuz/Bq3TzwW/ggAIgAAI
gMAeAs9O68j1On+/vKmDKFdXl9/OTMNklvwwZhovP8lIysWvrx9pcou9eP3247ffXAFxMfSlmee6
osmqDzRZdY3WeaNdw5l/f2e++LC7qPrHe6YVx2KmIZLfYyeRHNYmX4cIx0EABEAABECgS+C5ap2r
yx/vLeudXJnMv3/7e958Lnj85urq4u/vPyLcI+e8+Dqby2/tuM7XOq7TDsHsrtfpap12XOfq/PfP
36Sg+Hvbv/QUp2udzt+I63SA4E8QAAEQAAEQuJ7As9U6cqboM19nc/nr00v26sN3vorm4vfXTx+/
id9/vrfYm//40uPLv1/fWuzdd5rE4ut1xO9ifY9cr0MqhZ3JtTvf378wOmuTu1rn6venV+zVxx8k
cM5//feGvfr0m2zy5/Nr9vLdVx5Fuvjz/dNHtSh6n8mgdfbRwTEQAAEQAAEQ6CXwjLXO1TmtAK43
RJ3/+PT2Fe2HMq2XZ5+aDVEXv7++5/utGHuhb9C6/PNV7cPS9m1d/Pzv7IVlvXj56s2Hj29fXKd1
rq7+fv949pK2eVmvtGyvLn59fveatn+Z7MWbD/W6ol4TqR+hdRQLfAMBEAABEACBAwk8L61zYKWf
6mnQOk/Vcig3CIAACIDAIxKA1nlE+DfNGlrnpsRwPgiAAAiAAAhcQes8ISeA1nlCxkJRQQAEQAAE
joXAk9A6xwIL5QABEAABEAABEHhyBKB1npzJUGAQAAEQAAEQAIEbEHgSWufg95zfoOL1qX+/faR9
WIZpvX537K9FxxxWbTX8DwIgAAIgAAIHEzhtrXP56yN/7s6f84u/P/+j16J/U09LPpjhg50IrfNg
qJERCIAACIDA8yFw0lrn8vs7pr3Dgb/36vNfel3VS/569POvb8TzeegFWWdfL67+fn7N3v4nn7zD
XqoXoF9dDbxHnS7pff/5bVwIWuc21HANCIAACIDAiRM4aa1D72p4yx+ULLyAXunw7vslvV6ClA1J
IfPlx9/0UodX/OWffz+/NsxXH77/kS8ob97ZOfQe9SvSOj3vP7+d10Hr3I4brgIBEAABEDhpAiet
dX59eMHe/VD2p/ePn327vDr/+ubFh5+Xvz68fHP2+vXnvxff3r7gz19uvxT018cXUioNvkeda53d
95+rLG/0DVrnRrhwMgiAAAiAAAgQgZPWOt24zm8R1+FxnDeff3x6ffblx8dXb7/++PTq7Cst5Glr
nd8fZVho33vU25f8m9NB6/wbP1wNAiAAAiBwkgROWuvQMpzuep3//lxd0ezVi7O3b17/9+fyx/uX
b9+dyXd2toVLo3WuBt+j3pVH/+Zj0Dr/xg9XgwAIgAAInCSBk9Y6V80+rIuL819f3lpMhG+urmiZ
sskXKF98e2uZlnj9+VBc52roPeo7oaB/8zFonX/jh6tBAARAAAROksBpax3SIt/p+TqGYVqv3n3+
dVE7AV+m/OPySsieN1/EVvShuA6d1v8e9Y48qpO/3f/QOrfjhqtAAARAAAROmsDJa52nZH1onadk
LZQVBEAABEDgSAhA6xyJIQ4pBrTOIZRwDgiAAAiAAAi0CEDrtHAc9x/QOsdtH5QOBEAABEDgKAk8
Ca1zlORQKBAAARAAARAAgadAAFrnKVgJZQQBEAABEAABELgtgSehde7zPee3BfcY12EO6zGoI08Q
AAEQAIEnTgBa5wkZEFrnCRkLRQUBEAABEDgWAtA6x2KJA8oBrXMAJJwCAiAAAiAAAm0C0DptHkf9
F7TOUZsHhQMBEAABEDhOAtA6x2mX3lJB6/RiwY8gAAIgAAIgsI8AtM4+Okd2DFrnyAyC4oAACIAA
CDwFAtA6T8FKsozQOk/IWCgqCIAACIDAsRCA1jkWSxxQDmidAyDhFBAAARAAARBoE4DWafM46r+g
dY7aPCgcCIAACIDAcRKA1jlOu/SWClqnFwt+BAEQAAEQAIF9BKB19tE5smPQOkdmEBQHBEAABEDg
KRCA1nkKVpJlhNZ5QsZCUUEABEAABI6FwJPQOscCC+UAARAAARAAARB4cgSgdZ6cyVBgEAABEAAB
EACBGxCA1rkBLJwKAiAAAiAAAiDw5Ag8Ca3z9+v7s08/L58c3Dsu8MX3j2cfvp/fcapIDgRAAARA
AASeN4EnoXV+f3ppnn07ea1z/uWN+frz3+ftkKgdCIAACIAACNwxAWidOwZ6j8lB69wjXCQNAiAA
AiDwbAkctdb5898r02h/zLffyRZ0RPs00Y4n8vv51zOt9ObLT7+Fg/X/Tr+2KRjmmy+Yy3q2jRIV
AwEQAAEQuFMCR611ri7+/qHP9/cvzDf//ebfz09wKkti+Pnplfnq4w+O4e/FnboBEgMBEAABEACB
Z0vguLWOxI71OhwE5rCebTNExUAABEAABO6RALTOPcK946Shde4YKJIDARAAARA4CQJPQuuchCVQ
SRAAARAAARAAgfsgAK1zH1SRJgiAAAiAAAiAwLEQgNY5FkugHCAAAiAAAiAAAvdBAFrnPqgiTRAA
ARAAARAAgWMhAK1zLJZAOUAABEAABEAABO6DALTOfVBFmiAAAiAAAiAAAsdCAFpnjyV+fXzB3n7D
U/v2IMIhEAABEAABEDh2AtA6gxa6/PHOYsxq3j8xeCIOgAAIgAAIgAAIHC8BaJ0h25x/PbPOvnz7
8KJ5W9XQmfgdBEAABEAABEDgeAlA6wzY5u/n19a7H5dXvz+9evH+5wm+hGuAC34GARAAARAAgSdG
AFqn32C/Pr588fEXHfv75Y2FRTv9lPArCIAACIAACBw/AWid47cRSggCIAACIAACIHB7AtA6t2eH
K0EABEAABEAABI6fALTO8dsIJQQBEAABEAABELg9AWid27PDlSAAAiAAAiAAAsdPAFrn+G2EEoIA
CIAACIAACNyeALTO7dnhShAAARAAARAAgeMnAK1z/DZCCUEABEAABEAABG5PAFrn9uxwJQiAAAiA
AAiAwPETgNY5fhuhhCAAAiAAAiAAArcnAK2zh935lzcvxcOT95yEQyAAAiAAAiAAAsdMAFpnj3Wg
dfbAwSEQAAEQAAEQeBoEoHX22AlaZw8cHAIBEAABEACBp0EAWmePnaB19sDBIRAAARAAARB4GgSg
dfbYCVpnDxwcAgEQAAEQAIGnQQBaZ4+doHX2wMEhEAABEAABEHgaBKB19tgJWmcPHBwCARAAARAA
gadBAFpnj52gdfbAwSEQAAEQAAEQeBoEoHX22AlaZw8cHAIBEAABEACBp0EAWmePnaB19sDBIRAA
ARAAARB4GgSgdfbYCVpnDxwcAgEQAAEQAIGnQQBaZ4+doHX2wMEhEAABEAABEHgaBKB1ajtd/v1z
Xn/f9//5n7+X+47jGAiAAAiAAAiAwDERgNbh1rj49en1qw8/L643zcXPj69ff/p1wJnXp4UzQAAE
QAAEQAAE7p0AtM7V1dXFj/dzq2BgAAAgAElEQVQvX/33W4N98evzu1cWM03TevX2v5+tgM/l70+v
Xrz/AbWj8cJXEAABEAABEDhaAtA6V1d//ntlvfuuTUydfz1jL959+3N5dXXx+8uZxd5+aymbi+9v
rVf//Tlao6JgIAACIAACIAACDQFonavfH19a735oUufq56c3b7/UUuby+1vzxcdfDTH6cvn9HXv5
SQ8EtQ7jDxAAARAAARAAgaMhAK3z9/Nr882X1iyVbp3Lnx9eWO++t+I6V1fnX/ZepCeA7yAAAiAA
AiAAAo9JAFrn14cX7N2PARucf3v34sXbbztK6PL7O/PFh3awZyAJ/AwCIAACIAACIPCYBKB1fr63
rPe9Wuf8x4eX1pvPv/XprdpWP94x68PP+i/8DwIgAAIgAAIgcKwEoHV+f3ppvtVXJgtTXfz48GpI
6FxdXX57a2LBzrE6NcoFAiAAAiAAAhoBaJ2Lb29Zd1PVxc+Pr6w3//VGdDi8P/+9Ym+/9QV8NLb4
CgIgAAIgAAIg8PgEoHWuaId5e3Hy708vDcMwtQ9r7Um/Ov/yhp197axXfnxjogQgAAIgAAIgAAI7
BKB1rq4uf7x/0Y3s7IDSf/jzHx4mqPPAdxAAARAAARA4YgLQOmSc8+/vXr75TM8OvP5z+efzm5fv
vu9szbr+SpwBAiAAAiAAAiDw8ASgdQTzyz9f3n3sPkWnzxwX3z68+3KYKuq7HL+BAAiAAAiAAAg8
LAFonYfljdxAAARAAARAAAQelgC0zsPyRm73QODv59eG/Nxo3dU9FOXwJK95XvfhCR165uXvL+9e
WaZhmOzVJzwG81BsOA8EQOA5EIDW2WPF8y9vXnbehLXnbBy6fwLN++eZ9erd51/tnXAXX8/MPq3z
98sb6/Xn+v1mty3kn+//fflx2CqtH+9Yrb3E/+1tfqIE/6h1zn98/vz9b19lLr69tXrc9tfHF+ar
Tz/PL68uL84vtKVpA+f3JY3fQAAEQOBpEngSWufv1/dnn35q3fMDsT4yrXPx/ePZh1NeFP33y5vm
/fN/vr57wc6+6qP9kNa5Ov/149dhKmWPY9FbQW4ifC//fnlDz5scctt/1Dp7Xm1y8fvHz7/dbM+/
vukVgldXV73n7yHxNA49VqfxNOjceylPvrO6d8LI4IYEnoTWoUcbnz3Ck/uOTOucf3ljvv6sj+43
NPYTP527gXqq0d+v716/15eT72id4bmtyz/fPrx5aZkme/Hmw7d6qfmPd+zVhy//vX1lmaZpvf7w
TbD+8/mNZVmMz/5Y9DlsCojM1Q0znf/4dPaCmSZ7efb+7IV65+xNynP+9W27OC/kK07oYd4ynqS/
v+Ty+3t5vmEyXv43Isg1cD55yd/vn85eWcw0rVfvvvxW4bPfn16yd1++fzp7yUzDfHnMU2GP1Wk8
8UZ2V8U/9c7qrjginTsjAK2zByW0zh44D37o2vdy7GgdUcTL8+7c1sX3dxZ7zedzzn99es3qGR+a
e7LOPv86v7y6+PPljLWeIHnTuA49cLKjdeipldbZl98Xl5d/f3x6bdZa5zblGY7rXH7ve1fb8Niz
c/7lr48vzVcffvy9vLr4/eXMst7/qNUOf8qm9frD15+/f//+9XsnevTgTjGcIbTO/2fv/F0dxf7/
//1bUtmd7lRO5VS+K7eRbWQbmUK2kWlkG9lC2D4wkGLAYiDFQoohxYDFQoolzZJmsVlsxmqFD4zV
Ws2X1/G30dzkXpPozTPFvYk/Xud1HsfoM6/z4zXM5gZ7hq+3GxSOIkDgmMCktU64VMsfquX4B8nc
UiVoT+NVRTvG2p6DOtY6I9mnp2/jVWXW6t9OW8v6F//Lp+Rxg77eLclwL0xe6QGtk3W30224Qk4r
SfIiZX0roWv3rJdrnbb4qfuwnuXPsNbJWtUor4cTz57O8UL72EHZCbZ35VrzkYDQ/EmHFu930xjp
5nDtm1v/TSaj9eMb96T6G3LZdtysym8c/k+MwKS1TpZEIb22tizpy4N4H5f34BuAPNY6Nyi0p4gC
w85TJdUNBIao/KXdc/gr3fTcuM6R1jm4ykJieXdO3rtTJH9tPfTTjVHf77Mse7nWCZfUFVs2XK11
nuXP9bSO6PkreruKzq9qbDVpnanngbvzTeOVfvvOrhZuVmejwoE3JTBtrVOguFc4eipap8Bw4qf5
Ta+ZexVGg0UaWcjija07J8frFI52IzSkMrTlIa5fSS5AntA67KKxycd9WO3hwbXWeZY/QuuIGOdR
c7SqUe49cfF0jk82piQ7u5pOnFTTtuagdYoa3+umUQJ/8P8nrrcHJ4Pq34kAtM4J8NA6J+DcYVcx
D4tGiaThRszDak6v6mqa0sOj7fHG5Nz0aVxOlkbByl3thNhpPfS7cR16dqoeTXNP47OCi3S3r7vK
yBkxXseksb5pvGuM13mOPySQZIcmwdMU8rKq9L8Yf9OJfw4/e46OTwJbZvpSzOVK473vetVce2id
Jmm8HyYwfL0Nn4M9IHBFArPQOles/0nTE9M6J319jJ2N9XW0en2dxnyrYjxTPoBraDtNs17bOk2I
kpis2eVMo5NaJ4sDV5fFZCylNf3rmPzw+jpx4OkyW9A8LMdS61FXz/An2S9pStdiwWQzn3rfmFdV
YJDdQ+ldz7Nn+Pg03Lg01UqSGFfN5a5SlDPSOmXF8R8EQAAEsgxa58RVAK1zAg52gQAIgAAIgMA8
CEDrnGgnaJ0TcLALBEAABEAABOZBAFrnRDtB65yAg10gAAIgAAIgMA8C0DrzaKe7e5nG4Vkrx8Xh
A06Hv3vrwAEQAAEQAIETBKB1TsDBroJAGq4M1dpUQ1RrMEl3TtJhqalielB9zDzf1XPC5+k/vAYB
EAABECgJzELroC+pbK67/E/3nqo47dyrSRisPUvjklJP9Smci3xdNtc9umgE55NdkU9KNpadLOc9
1ncOXyzytWCZrJpef17wnhNp07HWGSdf+kBx2dl51GlGlV6nBYt9rfgYLtWqulwxnHWR52vvyu1l
t9sz4Yccmvl23DTu24Bbk1vBfV1A6SDQIACt04Ax8bd3Sh0crw1utLVLuNS4arorR+vROlm6c2S5
o43GQUur8KvuPk3DFT3gn9JTO4ez4n6bRltHkdRlNQf7SYeOtc44+dKHCj57XeZc61R1j5paRyrW
WkyjnaexViPQDHN+lVYZqtF9t0Pr3Jc/tM59+aP0LgFonS6R6X7uWSLlBs5GK625WnFeYipWqku3
Zp/WybK9IzczbY/mJWkdylcQB7bSjTT1FNLQOkUOtXLZ5f684lnWn4e8sU5PN3G5SKa13ji0WM+i
zkI/ZD85+LYmEp3zen2gC/Ood7VOJfuITlnBLF+2edVIXbUVWqcH01w3hSvTdH1KUdr3gtbpo3K7
bdA6t2ONks4hAK1zDqVpHHMXrUMZA7oP+BLHoNZ5MnVVaeHS//HW4lxRFM05pz+qoXWScGMrTFuF
VOJQXvGhPOS5l8f50rMsC2y2kGTd2+SJv/Noy5D9ZGtybqwOCS1m6JucW40UF8+O6/RpnSTcuirl
b2/ogFenddJwu7QNhTHZcFZB2Fo8Wmi9Mn/9pVcZjh+BALTOCBBhYkQC0Dojwnyxqf6UwsOpg/uP
HytlsahOO1jQruGg1qHADrPqbE2X+tkupv4UB45K6ShVTzzEo90mKMak1Mc03onxOjRgh4arcKNc
/5c0Yz1kpc5zTttrWXfch3WUayLXOsys8nnmZQ/Zp/PrcrMo8Nf7qivq/NyiZL5KxtkcVyTG65TV
ZZrbkYO31zp7R25mzq44jbW9aOr4sF05hsLL9aOrVoDWaXwZbv0WWufWxFHeaQLQOqf5TGLvPVMH
n8oKcELruHKRO3xEgNSbprj7JBLprDYRfba2jchFt6wqrkMjiLhZBlGG8ooP5SEvzQ5oHW7vyiPy
/8P21eag4vZJ42idog8rXKpM9xv9V1TW7bVOp4bX+VgqHa5apZgVBaEP6zq8z7UKrXMuKRx3GwLQ
OrfhPEYp9IM+T/Q0hrUzbRyHN+oTh7VOYPMjCVCf97x3jbBIEjgyUxSZV6GCXpOV1smjH2XMhqrU
l+d8KA95aftcrTNkv1EBMpmE+31jLaKtdWYe9WTTCg/tSVZuSPE1QnDUGye3erBeodahwVUKk7hm
LTeHOkBWNBe0Tnnd3uc/tM59uKPUIQLQOkNkprf9Llon29l8aJzxoNbpdLOMhFJkGndFSvJ456qL
xVHvUaeghtbJkq3JuB2IKNBQXvGhPOSF2XO1TjZonwJShk/dbiJPe0uqidqdlUddmDf8Q5Km8X5l
VMN+GlpHzIVjrdlz1Fivax5WtF2utjT4qfcFrdOL5WYboXVuhhoFnUUAWucsTA98EI1naYwyaZIY
0jrJxmTXCECl4bqcxaSanu9qTG6O7m26Jt43tU6W7V2lCov15xUX87B68pA35mG18qjn43X6AlhD
9pODb+XzsCi9enuFoPPzqNPIZlvjIse5Zq8PRTdeU+vkkay83bC+ztGVgQ1XJwCtc3XEKOAiAtA6
F+F6yIMPntJaqeUpCLGvc7NvkeWnTsR+EBiNAOI6o6F8liFonWdhw0lXIwCtczW0r8dwsnNULZ/6
9HSl4o2pGOvOuNinT8MRIDAqAWidUXFebAxa52JkOOGqBKB1ror31RiPNo59joBJA886I3vDq+GC
ikyVALTOfVsGWue+/FF6l8AstE7XaXwGARAAARAAARAAgTMJQOucCQqHgQAIgMAwgVOrMwyfhT0g
AAI3ITALrfPicPS2leeAMhiUa63cBPJYhSAsPBZJ2Hn1BC69aYg5/0uRQ+QMNsl+vdyUE+Dy48fW
OrT+ZbFIwhkODRzS42dx5MFTuyl9B2w8bzNuVs/jhrOuRQBa51pkr2AXt48rQIXJ10ngQq1z8BTG
2Nk/gdrz+wXBsbVOGu6Oknxd3FQ9fhY20mgfHK/AeHEBgyfgZjWIBjvuQuDRtU4abVxD4UySGK14
Uv9Si3dLU6yEwlWzufa8uKOttitL5dJCevkPr0taHbePS2jh2IcmcJnWOXiK6m08tSF22kt3BjYr
FlIKbJlzRjnWJMbpVSzeTXcGzfVdSnkvMcVcVcsniaz3tFXiamNzkcvs6GZC+WTzl2TWOeWycKnV
2cVov+zu8xZOD9W6U4rhBcUS0kN+HjylML9opFUjS9FWLEQtSbxhhlbQ1L11vofJemX/iasLN6sn
AGH3jQk8hNahNe8aN7F0Y5QfI0oD6eziLEvjnadVqRnDJa1TtwnTLI02ltxYgVasK8dUyw/2h8Ph
0Fjk//oth9vH9RmjhFdC4CKtc/AUbRlSlo36PjGkdQSfnngJ3Rkk1d2GSZZGgaOU95gksGWmLSnN
axKuLbmRqezUzSQVyT8aWqdulzRc6Yybm3xhB0r2xvQVLSCdHFYGa60m3uNnbielPS2tQ5Et1Qli
uudtHYWpywMdSlpHkq21sL/3NEl2ColVO9T3DjerPirYdj8Cj6F12gN0KKFQcUuL1zqj73Eslp5N
4zgRb2jB3TrVkgjlrIu16OnD8TLCdONovK6xaLDI3sit4H7XCkoGgfkQuETrHDxFX5FyiFZaJXae
oXUa4uFQpilLt2Yz0RlZrYrov5kUjIe0ThKQEHGrqFGWRGH1k6ubx2RQ62TRqq11xCLjVSZdWvo8
FzVti92zhq8HaJ1hNthzDwIPqXXWldbJsmS/dqmzisma6W7y7DoU+CkD1JxzxqSF4hWjFoXw8Y8y
Dd6k7XD7uAlmFPIaCFygdURieonRS5IWpRJ5odbxlDwla/eGQZ1hzi4n3N3X4t6vdSLfYLyzVmcc
LC1dlWVZVmTeuFe188G2jJOsa2kdmrDR/A1HQ7VFStmu1tEagq5jsvURN6sWDny4O4GH0DpZ8/6S
95JruVxJokOYB2zSaLfUy+yQlKbb2kRx9UryeE/+y+/ML/v4bYvbx/hMYfGVEjhf6+xdRfX2xXd9
5yqF2Gk/5OvxOoJXT7ykLVwqrZBShKQcWZNl8boT12n1IzXbokfrJDtXkRQnaOU7zfvhqe+Jepw2
hlT9LrtE62R58rgitVqWbq2BuA60TrOR8H4+BB5D64gubc3bxSl1mZtVl3m6sznT83V+02htcmaJ
KG66F33XWxEaTg5rzy36xovhhIjrzOcKh6ePSeBsrbN3FaXWItnOkQuxQwNYDF8Miom3trxoJnlN
NqbEzXWUZmlSdHwPaJ1MjNfJbzL54D89t/nED6divE4pPuhoukHpq+60eJJd6jKkA8XNbdEMz/T4
WVwOdFpTZ+X3PJfGLmZx4KpM9arxOmWo65LbH36YPeb3brq1fgytk2XlVIiFxFWrniGRVQmpGZNb
E67iwDNVTmNwaFLCtsrv1L6j3bZhcfu4LW+UNmMC52qdvdtexoYiGmVkZ7c0ZM5lRdUd15SbWidL
Q99UaDaWxLV8EG/7zlDFdTK6+awdMTuL5mEdTeo8+uFUz8Mq5ksxm0bp5enqG6MCWT7GKEv2S1Ph
jHNZNRxbZ8UPtrztjv1szMMqZnsZmzxQFG1dQ6HpYkwx3PKW1w5vtSt56vLAzeoUHey7PYFH0Tq3
J3uFEnH7uAJUmHydBM7VOq+z9vevFW5W928DeNAkAK3TpDHx97h9TLyB4N50CEDr3LctcLO6L3+U
3iUArdMlMuHPuH1MuHHg2rQIQOvctz1ws7ovf5TeJTALrdN1Gp9vTyCNw6gxTnLQgbhe62PwGOwA
ARAAARAAgRsSgNa5IezZFpWGK0O1NuesKnRYarT46myrek3HA6teWuWa5cA2CIAACIBAi8AstM5Y
4ejLUhm3OJ3xYTil8BknT/mQdO+pirNrRHWqBDytGRtFHSJfl831FdROuFSZVS+aT1OCGx+nRjDc
Lv2O5htT68TBalVOlWlXPdmYvDmJur333E/D9s+1cOfjxrppjFCN9LB2RNI9xhXdEdkWRrA6cRPo
w5p4Az2ce4+kdS5MZXzptdCzvNilJk4fn2xdw9leQUScLjZeG9xoapeEllo0fFpjOg03lix1UmLQ
akZySxudLuDcvfPSOltLaiwhJ+o4ptbZOzIbSBiSHILdWf2Np8CfsH/qtOnsm4zWSQKLM80NooSS
7i111siuNx1co3sCrTM6Uhh8EYEH0jo9qYyzLD34lsoZlxXNtHReL6HRm+c8WmnMXBaLZTRSGQ+l
FH5R0xyd3F60/mj3lTZQnY0yG5go47AyjWWV/y/Po9MufO/I1Tr47T0v+RS2AzkUpSvjOsl+ZYms
9BJX60zPxbJKCqcs9rpDqVzLV2Bz2VlvxLIni65YKw+q/9NqS2RGYrJm+4fCTr7UbHFUvfJIuNIp
switvZInwla9nBZpHWu5ssS6TVxzqgUq8+WfjvwMLKY6/jJf56k6Pl6bbfOyWH4ly2iZ/2JFlg59
sbqUWDmFFnipo02ETeWUlluuE3AP2qfl7LaeIU7gqiXEbl75PM4n+ChtzjXC8d+FK9N0/WBA1k1G
64SeIhXLtBODcG1bq+Lb03uTKdcY7OQ/j329XPeHzFDCqmrRwEvsjN8O/Rahdfq5YOu9CDyO1ulL
ZZzSr1d9JZ5dMaUmLrXOQJ7zPJWxI1IZi+PrBUUzSpIstUXByI16F61DC682a9mt08FTj3+ndpPr
dE963mexPFujD8uttA4tf234JGVo5Vhe5m1NtvSLWiyXHe89jTV6dmi9NknWvc3ucDjsD6eDZZGv
M0UMQkpFq5fPmAGtk9euP66zkE1/H6dpcljpjJlbsYjbkJ+BxRbcWO3Fct++0VokbjjuQovhtbRO
tWq40H62wvQ8SpdsTZEtm7BRAmvejMX12E/3riKpDomL5OAbnNtFsgJqGG0p4nyUIftp6fi89u+e
lYbbpW0ojMmGswqKXC/VQZPROlm40hg3vG33Khu4yeRaZ7FgquUH+8PhcMgze9JVUl55lGqCacX6
yxfaqQhd9w20znX5wvqlBB5G6/SmMm7ngKlT3tD2vjzn9W934pwnrKliBSNonXhtNNZFLXPx0dbi
93r5r1jdvf94SrrTZ+fy7ScT6tCPy8BRuO53V63PMvGkrGXJpf70X8VHWkeWzLwMKk7zisddtWg/
acPq4ZClIpRThqMCmzVauL+8amsaR2GebqhqdbHvGVqnFiG0Hm3u3aCfrT6v9vq1OeH+pPet07Is
pc92Ndwq3q/9IF8GPInCuEyt1EkF2WNfaCg7KK/3vSuXC/TSla8624NglCZxZbQi2H6zd+TmZV59
0y7dXliND9sVjYeRzXW1vHmWTUfrkMTcLi2dEgzr9qoMRA3dZIq4Tn3llvDyvmFxBYsAc7Ha8cV2
SnvX/Q+tc12+sH4pgUfROr2pjNOtKcmuyPpC3CqtM5jnvK11Dq4imSJ/lqA+gtYZaL0kCum181RJ
dQPxPv+pN3D8mJuFwNiUD7imZYoFcM3bl0/L5r6ODGzuev77jtZp5kZMo2Bp67RQvqLbK5HTJ8tE
m7O8Gynv9ambq2rrs9xJDmvH1BTKJC3LbFFKrBdpnTr2NehnS7TQRdl4/vXEXcqqtE7rZJssjxH/
03DrFdVSZCYtmumRju1TULPslSs60aoT4t3Koc4tJmuWtx3oVWqVPdqHUulw1WqmX5iU1ikqm8b7
jaNRLC2mHkdDauJkjQTl7ftMjSpcqpzUZvmf9jzHTm3xeu+gda7HFpafQ+BBtM5AKmPxk6hSK/Xz
byjPefsedDOtUzTsXfqw2lWuLrFkv9S46u76hI6QjY2hT9VJL3zTdiWtmyuNw3LxnyTc2GUnCh2v
LQ9Vsvo4Tip365OfdiqlyyQfi52RgqrDSa4s5cliyzEWjdxGlCi6kVKSimmJkFrrDPrZOf5Y69SR
s2YtWqdlImV1HU7K0mi/z/t7aKx+pVXbcI8ic/kIEUl2di2cQgOncVh0s2RJFLjq0ZjspnMjvo8D
j9I3cc1abrr9Q9OJ6ySBZ9Wpg/NosOjqHrrJ9FxLFbTI17m52XnNbKXPsVMZvN4baJ3rsYXl5xB4
DK0zlMpY5BJW3XwEwtrkZSrjoTzn7QdCR+sMpxR+TsP0nHMXrZPtbN54Ugq30sNKl4eFjnjOtHIo
91TmOZto3IxsbUIxocXTWDnZK/I1SbHzcEKyp+jXUnSrxRuTczE+JsvSKFi5q0qbXaR1aFyLJSbA
pfHO1STJzANdYnyoI2ymh6XOWoERikKpIuqVxkUHWEuE1FonG/Kzc3xL69ClKOdjiJJ2n1ExXqcO
xeXjdZYUgEujwFFZkWg7l3Ci2yfZr3TWarIe+0XCbjHHK433vuvlo5wJAzfXQkAl4Uo/0njPaesz
zom2y9WWRgn1vibTh0VXLTdWuyilYVokxfPw3NBN5pTWoSHJXJZlLb/ARcWfZacX2agboXVGxQlj
LybwEFrnRCrjfB6WJNGvQ0ujcQ0F0t485ye1Tk/q4xc3zwQM0DiXRt9JJpTMYrFojrjojE6mh19n
HvpIFaEJJyqn2L+iu5u6ryRvLZpQJFYwqSZcVWnsiwlU1YPxEq2TZdHG0WQmZutZjqmUWop22Cqn
TNia6TlaSyxkceDqspiMpdj5GOSOdjHrPql+PzvHt7QOZbc2qONpwcpxKqSeygFd+f+yg1bMw5KL
+VZ1T4/wME+QbbpWJx5zbF8MbS4zYbcydlfT4BiXNcvv7dYc6Qo428xktE5GI7lFB2s+382rl0Xq
vcmc1DoZBRml1hIQ9I0MvHyynsQVo2G/fb86G90oB0LrjIIRRkYj8BBa5zxaFJfp9jqcd+YrP+rg
KWUE5ayaxiLQfnpq01mGcBAIPJvAhLTOs+sw5xOhdebceq/R9wfXOpFv6KILK4t3NNCgOev2NTb3
8+qU7BxV8/Z1r8gpM/HGVIzmhJhTB2MfCFyJALTOlcCeaRZa50xQOOxGBB5c62TxbpkvQse4Zq/L
ReJuBH9GxUQbxz5HwKSBZ4mRITOqG1x9jQSgde7bqtA69+WP0rsEZqF1uk7jMwiAAAiAAAiAAAic
SQBa50xQOAwEQAAEQAAEQGCWBGahdRCOzq8thIVn+R2D0/cggJvGPajXZeJmVbPAuykQgNaZQiuc
6QNuH2eCwmEgAK1z32sAN6v78kfpXQLQOl0iE/6M28eEGweuTYsAtM592wM3q/vyR+ldAtA6XSIT
/ozbx4QbB65NiwC0zn3bAzer+/JH6V0C0DpdIhP+jNvHhBsHrk2LALTOfdsDN6v78kfpXQLQOl0i
E/6M28eEGweuTYsAtM592wM3q/vyR+ldAtA6XSIT/ozbx4QbB65NiwC0zn3bAzer+/JH6V0C0Dpd
IhP+jNvHhBsHrk2LALTOfdsDN6v78kfpXQLQOl0iE/6M28eEGweuTYsAtM592wM3q/vyR+ldAtA6
XSIT/ozbx4QbB65NiwC0zn3bAzer+/JH6V0C0DpdIhP+jNvHhBsHrk2LALTOfdsDN6v78kfpXQLQ
Ol0iE/6M28eEGweuTYsAtM592wM3q/vyR+ldArPQOl2n8fn2BNI4jNIzio3DKDnjMBwCAiAAAiAA
ArciAK1zK9JzLicNV4ZqbeIz6nBYaqoTnHPkGcaudEhgMe7srmT8Qcwma0NSl+GD1BbVBAEQmDmB
WWgdhKPvepWle09VnF0jqpOGG0eXmSRJTDHcbdRyL/J12VxfT+0kG5Mxc3tu9CjcLv2O9hpZ60S+
zrXVSx/7PX4WWMex32qj4kN6WNuaaEeuGF6HUt8J9bbJax3cNOrGusc79GHdgzrKHCYArTPMZmp7
kq1rONvriYiB+sZrgxtN7ZLuXZlp3j7OsjTe2oqk+y2n0p0jyy1tNGD5WZuTjckZ49a5YmdrSbK7
bxU1stbJ4n1AMF726vGzNDiK/dJY/T/ZWpwb/iHJsjTaOgq7JE4DrVODxLseAtA6PVCw6Y4EoHXu
CP/ComNfl7RVO4hyoRmUz6EAACAASURBVIlnHB6tNGasm1GU5LBZbQ5lmGdnc253OoT2jnytTqJk
Y8qm75tyQ+zsHM6soKhbtNIK8RWudM45kxYLiXF6qV6ueUjrWMuVpXJJkrjmbCqm8W5piq1M1p1N
WNYxywKby846j2YtylaIVtqieLVkwtaikFf+ov1SxS8OPFOhUpms2X7BcNDPIftZcvDzeAyZWZdN
sXdlbq18WxPVUq11w/+ehu9cTsnW0cx1TqLffpYl+6WpMPJet0210YcVbT1D5UySuGoJ8dRT3jU3
xYfN0jK85mWIuM41gT9tG1rnaUY44pYEoHVuSftlZXUeTi8zdu7ZycZsPNO6ZyXh2pSPYyzpxpQU
79A9eoTPJHWsIE22VkPsDGidvLieeElgsYVs+vs4TZPDSq96xCJfZ7IlJE688zTWCE4FNltIsu5t
dofDYX9oRnHSeHjoShLYMlO9fS6ayL4iBjOlceAobUQ9fuYVOLIfb8wyHpMcVgYv+e9decF0L4jS
LI02ltyNt3XwBz0iVRwyZJ/iQExf7uI0jfcrgy0KgZfuXUVSHSo3OfgG53bQlMadYsf9mBy2SxJ3
TDEcvxVcg9YZl/Sl1qB1LiWG469LAFrnunwvs05PzcarkAu0tYwfFP+Lx1j/8Vk21vYsy8KlWocl
mrUJbC6RW9yswyLV/r0jM2tbfbzUn+rE7ptkYyp2kGZZGthKFdl5htapw07UGZODDj2lUdVUWN0W
oZ3AZszc9D/CB7tzQl9n3ChiJRn1+EVhXMaK9q4smTWibFDrZB37JHkbYaSDp0i66GJsW3yyo247
MEJ7yH66NRtDumunUjIkGkW0FnVwWiW2bvvln/eO3LjKpYrrhdujtSlThGm5aWnPokxonX74t9oK
rXMr0ijnPALQOudxuutRSRTSa+epkuoG4v3NJnbTo9TclA/oLoY0ClyVqUchnPyxO3RW18rZn+kB
u5CYeEmLaoDyi7ROHYPqBDrqzrCM+rDYUU9d6Xb92C+30P9kR5Ebd9fUR8lh7ZiaIosXWzxP63Ra
JN2UWq2jdeyGMmk6Vr7vVLfcnA3Zb4cV60qLnrail7DoM+wM4KpMj/sm73CUNdNdB2ETsygGWmdc
2pdag9a5lBiOvy4BaJ3r8h3TevthM6blE7ZaT/z8uGS/We+qIS49B4jhLYPS4ERhT+xK1gZFkWLx
itZGo/NGqkIJXX+2Fjs5NrnWOvSQr0bWZFkem6rjOoMVqh/7tf/kHdP91uQsESnKxwJnWXY4iusc
+VmY69gXcZd62BYF3nrjOk9pncjXyoFHVFASuLpFMagh+xS/kZ1ylHftFPVyys4ubxXxN0lGV7k1
2c67NN6vXRpExDV708QNrdMhdeOP0Do3Bo7iniAArfMEoAntvovWyWjscXsxGpr0zU1f/JRO9kuN
KZ15TuJxOf5v+2RtNEdJx77O86nn5JDiiAhKeljqbNEsmxSM6u1pslFcdCC1undqrZOFK40p9pbW
TEz2S70zXud8rUOT9Jl8NGpFdAJZYiJdGu9cTWoFzHr8LK69WlbkG2LBX4w8TkIaH2PmKx9dGNfJ
GuNyaPyQyrR8vZwh+0kgxuuIYU7N8TpiUJK+3BG3NN777mWz10f5hqXRzl+umyPEoHVGAftsI9A6
z0aHE69CAFrnKlhfkdE0sHl3nHGyW1n5uiw0X+lovg9pj/EnjMVro201XKplN1a0sVXOuaxopueU
87CKRogDV5fFZCzFzieqD2mdLDsxD6unD6sxT6oYRyVqTdqEZl/VL27ns8SijaPJjJGflmMqzWE3
WXbs54B9UmK+JaY9Ma7V854u1TpZlpTr6zCumg2F0m+fyl1RCIVGaTu2Vs9RT8ONa9AELYkMLXfN
odv3+ipA69yLfF4utM59+aP0LgFonS4RfO4SOHhKY0ZSd+/xZxFwOWuR5eNzsQUExiEArTMOx+da
gdZ5Ljmcdx0C0DrX4fqqrCY7R9XKidNP1SzemEpj7tFTh2M/CFyFALTOVbCebRRa52xUOPAmBKB1
boJ59oVEG8euJ08PVycNPGtJg2PwAoG7EoDWuSv+DFrnvvxRepfALLRO12l8BgEQAAEQAAEQAIEz
CUDrnAkKh4EACIAACIAACMySwKvUOvcKX9+r3FleeXAaBEAABEAABG5DYBZaJ1rbhrc7f32ye2mO
K5d7pzznt7kQUQoIjErg0pvGqIXDGG5WuAYmRmAWWkcsaDuYp+CY6JU1x3GBxZYrl3uftQQHa4sd
IDBhApfeNCZclTm6hpvVHFvtVfsMrTNi80LrjAgTpkDgJQSgdV5C78XnQuu8GCEMjEtg0lqHUv10
E3znqaFpT+PVWaT3WHMMHT/W9rxRzi73srzfdHQXQzMLwrhXBKyBwJwJXH7TGOsmMBM7l918suyy
43GzmvOX51X7PmmtkxUJvre2LOnLg0jwXaQ0Otkox5rj5OGj7bxWuffMcz4aHBgCgZsQeOZN4ya+
PUAhuFk9QCPPsorT1joF0kvD0dfSHE+18JXLRVj4qQbAfhAoCVx60yjPw/9RCOBmNQpGGBmPALTO
eCwpvfdRyu9xzUud3roRrcMUCLwmAtA6d21NaJ274kfhxwRmoXWO3T695cqaY7Dwe5U76BB2gAAI
gAAIgAAIQOuMeA1A64wIE6ZAAARAAARAYBwC0DrjcBRWoHVGhAlTIAACIAACIDAOAWidcTgKK9A6
I8KEKRAAARAAARAYh8Cr1DrjoIEVEAABEAABEACBV0AAWucVNCKqAAIgAAIgAAIgMEjgVWqde/Ul
3avcwdbFDhAAgesQ2LsyMzfJdYzDKgiAwMgEoHVGBAqtMyJMmAKB6RJIA4szxrHc1XSbCJ6BQIsA
tE4Lx8s+QOu8jB/OBoF5EIjXBjf8jSMr3mGiHse+ztRlWHqXbEw2XWdLL/EfBK5GAFpnRLTQOiPC
hCkQmCqBaKVxK0izg6fK9i6dppvJ1uKVuonXOtP8aJqewisQuAEBaJ0RIUPrjAgTpkBgogT2riK7
e3Iu8nU+2UE76c6RZSf3c6VhcNFErya4dSMC0DojgobWGREmTIEACLyMQLhUuR2kWfn/ZdZwNgjM
mQC0zoitB60zIkyYAgEQeCGBPO6085Rr5iR+oY84HQRuQgBaZ0TM0DojwoQpEACBlxJINiaXZVmr
Bym/1CLOB4F5EoDWGbHdoHVGhAlTIAACLyaQ7hwuGev4xYZgAATmTQBaZ8T2g9YZESZMgQAIgAAI
gMA4BKB1xuEorEDrjAgTpkAABEAABEBgHALQOuNwFFagdUaECVMgAAIgAAIgMA6B+WudNArP6oyO
w2jURb/uVe447Q4rIAACIAACIPAoBGaudZK9p6nOricDXxK3NyY7V9O8fXvjs1t5uNyuyXHL7VrH
ZxAAARAAARAAgScIzFrrJIGtqMt2Qpok3PquqTLpKC1fKlZ0D0ZQO8flJgff1mQmSRJXzeWuFWga
r9wn2hK7QQAEbkVgLh3Wc/HzVu2Gch6VwJy1Dq0Gam1bHVO0ertmuUtLOdY6WZZsTd5Ih/fcNj8q
lzLPcMM/JFmWRmuTM3PbUlQjlftcf3EeCIDA2ATmoiHm4ufY7QN7INAmMGOtc3AVkYCvVaFUSJ/Y
1/u0TpZurZcn+z0uN96tV9syo3C6MaUq5V7h2yjltuqJDyAAAvckMBcNMRc/79mWKPsRCMxX60Qr
TdL9Vm9R1WBDWieL/eGTqrNPvzlVbpYl+5XBFXffijZlY5R72ivsBQEQuCWBuWiIufh5y7ZDWY9I
YL5aZ+/IzAr622xQ66RbSypS//af+fTWoXKTjcmkxWIhKc7xmKARyn3aMxwBAiBwKwJz0RBz8fNW
7YZyHpXAfLXOzubcvlTrZIHFuLN7SWufKjfLknBjK0z3o04RLy+3YxAfQQAE7khgLhpiLn7esSlR
9EMQmK/WOXiKZLZHJlctNhzX6RlMU5113puecuPderOvetMOrnzkWN8gnvOKw1EgAAITJDAXDTEX
PyfYxHDpVRGYr9ahPqOhSVWDWidcqszcdAbTXNagPeVGvi7J9pbWKkzjwKE5YOVI5cL2COVe5iWO
BgEQuCaBuWiIufh5zbaCbRDIsvlqnSxeG2xgcPKQ1ol9nRnr1nzwyy+CvnLjwDNVTuvrMMVwt90e
rFHKvdxTnAECIHAlAnPREHPx80rNBLMgUBCYsdbJ0sCWhyI7vQ0cLlXZPh443HvsiY33KveES9gF
AiBwUwJz0RBz8fOmjYfCHpDAnLVOlsVbS9FX4Vl9Umm40hVrWw2reUlj36vcl/iMc0EABMYjMBcN
MRc/x2sZWAKBPgLz1jpZloa+5bZXKe6rZpYlG8fyz1NF/QbaW+9VbtsLfAIBELgPgbloiLn4eZ9W
RKmPQ2DuWudxWgo1BQEQAAEQAAEQeA4BaJ3nUMM5IAACIAACIAACcyHwKrXOvcK29yp3Lhcb/ASB
V0NgLl/2ufj5ai4MVGSiBKB1RmwY3FZGhAlTIDBlAnP5ss/Fzym3NXx7DQSgdUZsRdxWRoQJUyAw
ZQJz+bLPxc8ptzV8ew0EoHVGbEXcVkaECVMgMGUCc/myz8XPKbc1fHsNBKB1RmxF3FZGhAlTIDBl
AnP5ss/Fzym3NXx7DQSgdUZsRdxWRoQJUyAwZQJz+bLPxc8ptzV8ew0EoHVGbEXcVkaECVMgMGUC
c/myz8XPKbc1fHsNBKB1RmxF3FZGhAlTIDBlAnP5ss/Fzym3NXx7DQSgdUZsRdxWRoQJUyAwZQJz
--00000000000002492b05abab923c
Content-Type: image/png; name="image.png"
Content-Disposition: inline; filename="image.png"
Content-Transfer-Encoding: base64
Content-ID: <ii_kd91j1p81>
X-Attachment-Id: ii_kd91j1p81
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--00000000000002492b05abab923c--


From nobody Thu Jul 30 10:13:51 2020
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B6303A0E54 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 10:13:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level: 
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jscaGk1YfqpY for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 10:13:46 -0700 (PDT)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D3223A0E5D for <oauth@ietf.org>; Thu, 30 Jul 2020 10:13:29 -0700 (PDT)
Received: by mail-qk1-x72d.google.com with SMTP id h7so26268865qkk.7 for <oauth@ietf.org>; Thu, 30 Jul 2020 10:13:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=a+O3DGhnrN02ppd4GnHadJ4TfIWTirpQcYrL3q7hi9o=; b=JOZFfkCKQ5bMHLV6OYqOCf5T1YhFnaCnj0NcVuxr81q1FiqPi+U5kcvYrLFaldGH0Y jZ3qD3h2M7FcpUI360JL6lUzarCy8CTIdIOBEqHMxBH7Vm3uUfivrfD0Uo3CpbnAezhr nqO9Xhn6cWV2nsMq5e+TR+l19rTJcLvvCBYqo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=a+O3DGhnrN02ppd4GnHadJ4TfIWTirpQcYrL3q7hi9o=; b=M4h6TxqLgHR7l8uxuppzaK6UfeM24fCFHuRFq8u6NFlTsGVwkQnvyc1Iq3XMEoHmiD N8w4OeXnI6s746fUesEXziX1JCIy78CAPHlvur1+iS765otzUxgInYG5/4SsWhrgpAPz wMVhApWxWfHZ4ajq7/91X4ClkcUQj2DIpGmn9/d3wCU/ZOZVvc1BA4ReXqGx7eQ4d02K 9L33mv8WBBAhrUMK0Avtkyx3C7heHTPKpmx6rVAQjZYIeuFUmfff8c/GqRQrwsRbeS7g pUj3KLVV8KEb6woy++Bzkztvd4Xw3++o+bDbgrRF7MHLIdCKPM8s2j42VR8Ic5Fq4WV7 JwSQ==
X-Gm-Message-State: AOAM53146SoNzL9pYlGh2o/xiAPH59Is1QF9ehwJUXrS2hdyPWZ50DtY x+ERM4nLCM8RdgQNOn1kPZBoc/fmhbeO94oAyLNo
X-Google-Smtp-Source: ABdhPJz9Ns06cpkyNXlh+FQ58gSAs/ms3IMT6qCg3NuEfLzbQ5LqIaYKaJbZdOFStzkIVHe6dIgfXujQoWZ7SnTdUBQ=
X-Received: by 2002:a05:620a:1285:: with SMTP id w5mr182884qki.21.1596129208298;  Thu, 30 Jul 2020 10:13:28 -0700 (PDT)
MIME-Version: 1.0
References: <CAJot-L2yAaBAJ_q3KzPH3_U4ND0_TOXMiSjnLj_wz4YbPv5MuA@mail.gmail.com> <0d9c249a-0a96-7d0a-bdee-f6d76811ae00@manicode.com> <CAGBSGjriuuD6VAKJi8G9FwnVV+2h2e=BBfY+QiX29Tx5CJoLgA@mail.gmail.com>
In-Reply-To: <CAGBSGjriuuD6VAKJi8G9FwnVV+2h2e=BBfY+QiX29Tx5CJoLgA@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Thu, 30 Jul 2020 19:13:16 +0200
Message-ID: <CAJot-L0gx6-NSGmWsY_qx4sTiKNJ9NtExX-zZWM=+CjVn=5MPg@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: Jim Manico <jim@manicode.com>, oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="0000000000007a865c05ababcadb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kicrYH22YRH90Dkvae_cvuO3Lf4>
Subject: Re: [OAUTH-WG] Clarifying Bearer token usage OAuth 2.1 draft-ietf-oauth-v2-1-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 17:13:50 -0000

--0000000000007a865c05ababcadb
Content-Type: multipart/alternative; boundary="0000000000007a865a05ababcada"

--0000000000007a865a05ababcada
Content-Type: text/plain; charset="UTF-8"

>
> Cookie storage of tokens does leave one open to CSRF attacks so it's
> certainly a trade-off. But CSRF is much easier to defend against than XSS
> and cookies are a better choice if the specific risk of having tokens
> stolen via XSS matters to your threat model.


I would assume if we included cookie language, it would explicitly specify
*Secure; HttpOnly; SameSite=Strict* as the recommendation, and then neither
XSS nor CSRF should be a problem (right?)


> OAuth 2.1 isn't supposed to add new features that don't already exist, but
> this sounds like a good candidate to develop as an OAuth extension.


Is this really a *new feature* though?

Okay, I'll submit that RFC 6749 does state the cookie wouldn't be created
by the AS.

> 5.1.  Successful Response
> <https://tools.ietf.org/html/rfc6749#section-5.1>
>
>    The authorization server issues an access token and optional refresh
>    token, and constructs the response by *adding the following parameters
>    to the entity-body of the HTTP response* with a 200 (OK) status code:


However that wouldn't prevent a client using the password grant (I know I
said a bad word) or authorization code flow from creating the cookie to
contain that. Specifically

> 7.  Accessing Protected Resources
>
>    The client accesses protected resources by presenting the access
>    token to the resource server.  The resource server MUST validate the
>    access token and ensure that it has not expired and that its scope
>    covers the requested resource.  *The methods used by the resource
>    server to validate the access token (as well as any error responses)
>    are beyond the scope of this specification but generally involve an
>    interaction or coordination between the resource server and the
>    authorization server*.
>
>    The method in which the client utilizes the access token to
>    authenticate with the resource server depends on the type of access
>    token issued by the authorization server.  *Typically, it involves
>    using the HTTP "Authorization" request header* field [RFC2617] with an
>    authentication scheme defined by the specification of the access
>    token type used, such as [RFC6750].


So that's definitely some gray area. Although perhaps I'm missing a
relevant section. If we are going to go so far to detail a list of possible
RS bearer token possible locations (i.e. Header and Body), to what I assume
is to implicitly say *Don't use a query parameter*. It also suggests *Don't
use a cookie at all*, even with *SameSite=Strict*. Although maybe that is
the point.

For my reference, what makes a *new feature* and what makes *an OAuth
extension?*

Warren Parad

Founder, CTO
Secure your user data and complete your authorization architecture.
Implement Authress <https://bit.ly/37SSO1p>.


On Thu, Jul 30, 2020 at 6:46 PM Aaron Parecki <aaron@parecki.com> wrote:

> I haven't seen any OAuth drafts that talk about sending OAuth access
> tokens in HTTP cookies. OAuth 2.1 isn't supposed to add new features that
> don't already exist, but this sounds like a good candidate to develop as an
> OAuth extension.
>
> ---
> Aaron Parecki
> https://aaronparecki.com
> https://oauth2simplified.com
>
> On Thu, Jul 30, 2020 at 9:35 AM Jim Manico <jim@manicode.com> wrote:
>
>> In a browser, HTTPOnly cookies are the *only* location where an access
>> (or other) token can be stored in a way where it *cannot be stolen from
>> XSS*.
>>
>> It's a very strong place to store tokens from a security point of view.
>>
>> Cookie storage of tokens does leave one open to CSRF attacks so it's
>> certainly a trade-off. But CSRF is much easier to defend against than XSS
>> and cookies are a better choice if the specific risk of having tokens
>> stolen via XSS matters to your threat model.
>>
>> - Jim
>> On 7/30/20 11:43 AM, Warren Parad wrote:
>>
>> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens
>>
>> It seems recently more and more common to pass the access_token to some
>> RS via a cookie, yet 7.2.1 says it defines two methods. I think we need
>> some RFC2119
>> <https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119> keywords
>> here, to suggest that either SHOULD use one of these two, or MUST. And then
>> optionally state whether or not we recommend or reject the use of cookies
>> as a place for access tokens. It's also possible that the language threw me
>> off, because would an access token in a cookie be a bearer token, but no
>> matter, if I'm having this thought, then surely others have it as well,
>> right?
>>
>> [image: image.png]
>>
>> Warren Parad
>>
>> Founder, CTO
>> Secure your user data and complete your authorization architecture.
>> Implement Authress <https://bit.ly/37SSO1p>.
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> --
>> Jim Manico
>> Manicode Security
>> https://www.manicode.com
>>
>
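
Added example (not part of the thread, the drafts, or any participant's code): a sketch of the two checks the discussion turns on, namely auditing a Set-Cookie header for the Secure; HttpOnly; SameSite=Strict attributes, and a resource-server routine that accepts a token from the Authorization header or from a cookie, refuses query-string tokens, and adds an Origin check for cookie-borne tokens on state-changing requests. The cookie name, origins, host and all sample headers are constructed assumptions; the form-body method is left out to keep the sketch short.

```javascript
// Added example. Cookie name, origins and sample headers are constructed.
const TOKEN_COOKIE = 'access_token';             // hypothetical cookie name
const ALLOWED_ORIGINS = ['https://app.example']; // hypothetical front-end origin
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

// Parse one Set-Cookie header value into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  if (eq < 1) throw new Error('malformed Set-Cookie: missing name=value');
  const attrs = Object.create(null);
  for (const p of parts) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name: first.slice(0, eq), value: first.slice(eq + 1), attrs };
}

// Report which of the three attributes named in the thread are missing or weaker.
function auditTokenCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (attrs.secure !== true) {
    findings.push('missing Secure: cookie can be sent over plain HTTP');
  }
  if (attrs.httponly !== true) {
    findings.push('missing HttpOnly: token readable by script, so exposed to XSS');
  }
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (sameSite !== 'strict') {
    findings.push('SameSite is not Strict: cookie may ride on cross-site requests');
  }
  return findings;
}

// Parse a Cookie request header into a prototype-free map.
function parseCookieHeader(header) {
  const jar = Object.create(null);
  for (const pair of (header || '').split(';')) {
    const i = pair.indexOf('=');
    if (i > 0) jar[pair.slice(0, i).trim()] = pair.slice(i + 1).trim();
  }
  return jar;
}

// Decide where the token came from and whether that location is acceptable.
// req is a plain object: { method, url, headers } with lower-cased header names.
function locateAccessToken(req) {
  // The base URL is only there so a relative request target can be parsed.
  const url = new URL(req.url, 'https://rs.example');
  if (url.searchParams.has('access_token')) {
    return { ok: false, reason: 'token in query string' };
  }
  const found = [];
  const m = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i.exec(req.headers.authorization || '');
  if (m) found.push({ source: 'header', token: m[1] });
  const cookieToken = parseCookieHeader(req.headers.cookie)[TOKEN_COOKIE];
  if (cookieToken) found.push({ source: 'cookie', token: cookieToken });

  if (found.length === 0) return { ok: false, reason: 'no token presented' };
  // RFC 6750 section 2: a client must not use more than one method per request.
  if (found.length > 1) {
    return { ok: false, reason: 'token presented by more than one method' };
  }
  const [hit] = found;
  // Browsers attach cookies automatically, so a cookie-borne token on a
  // state-changing request also needs a trusted Origin (the CSRF trade-off).
  if (hit.source === 'cookie'
      && !SAFE_METHODS.includes(req.method.toUpperCase())
      && !ALLOWED_ORIGINS.includes(req.headers.origin)) {
    return { ok: false, reason: 'cookie token on state-changing request without trusted Origin' };
  }
  return { ok: true, source: hit.source, token: hit.token };
}
```

The Origin check is independent of SameSite=Strict, so it still applies when a client does not enforce SameSite.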

--0000000000007a865a05ababcada
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir="ltr">
<blockquote class="gmail_quote">Cookie storage of tokens does leave one open to CSRF attacks so it's certainly a trade-off. But CSRF is much easier to defend against than XSS and cookies are a better choice if the specific risk of having tokens stolen via XSS matters to your threat model.</blockquote>
<div><br></div>
<div>I would assume if we included cookie language, it would explicitly specify <b>Secure; HttpOnly; SameSite=Strict</b> as the recommendation, and then neither XSS nor CSRF should be a problem (right?)</div>
<div><br></div>
<div><br></div>
<blockquote class="gmail_quote">OAuth 2.1 isn't supposed to add new features that don't already exist, but this sounds like a good candidate to develop as an OAuth extension.</blockquote>
<div><br></div>
<div>Is this really a <i>new feature</i> though?</div>
<div><br></div>
<div>Okay, I'll submit that RFC 6749 does state the cookie wouldn't be created by the AS.</div>
<div>
<blockquote class="gmail_quote"><a class="gmail-selflink" name="section-5.1" href="https://tools.ietf.org/html/rfc6749#section-5.1">5.1.&nbsp; Successful Response<br>
&nbsp; &nbsp;The authorization server issues an access token and optional refresh<br>
&nbsp; &nbsp;token, and constructs the response by <b>adding the following parameters<br>
&nbsp; &nbsp;to the entity-body of the HTTP response</b> with a 200 (OK) status code:</a></blockquote>
<div>&nbsp;</div>
</div>
<div>However that wouldn't prevent a client using the password grant (I know I said a bad word) or authorization code flow from creating the cookie to contain that. Specifically</div>
<blockquote class="gmail_quote">7.&nbsp; Accessing Protected Resources<br>
&nbsp; &nbsp;The client accesses protected resources by presenting the access<br>
&nbsp; &nbsp;token to the resource server.&nbsp; The resource server MUST validate the<br>
&nbsp; &nbsp;access token and ensure that it has not expired and that its scope<br>
&nbsp; &nbsp;covers the requested resource. &nbsp;<b>The methods used by the resource<br>
&nbsp; &nbsp;server to validate the access token (as well as any error responses)<br>
&nbsp; &nbsp;are beyond the scope of this specification but generally involve an<br>
&nbsp; &nbsp;interaction or coordination between the resource server and the<br>
&nbsp; &nbsp;authorization server</b>.<br>
&nbsp; &nbsp;The method in which the client utilizes the access token to<br>
&nbsp; &nbsp;authenticate with the resource server depends on the type of access<br>
&nbsp; &nbsp;token issued by the authorization server. <b>&nbsp;Typically, it involves<br>
&nbsp; &nbsp;using the HTTP "Authorization" request header</b> field [RFC2617] with an<br>
&nbsp; &nbsp;authentication scheme defined by the specification of the access<br>
&nbsp; &nbsp;token type used, such as [RFC6750].</blockquote>
<div><br></div>
<div>So that's definitely some gray area. Although perhaps I'm missing a relevant section. If we are going to go so far to detail a list of possible RS bearer token possible locations (i.e. Header and Body), to what I assume is to implicitly say <i>Don't use a query parameter</i>. It also suggests <i>Don't use a cookie at all</i>, even with <i>SameSite=Strict</i>. Although maybe that is the point.</div>
<div><br></div>
<div>For my reference, what makes a <i>new feature</i> and what makes <i>an OAuth extension?</i></div>
<div><br></div>
<div>
<div dir="ltr" data-smartmail="gmail_signature">
<div dir="ltr">Warren Parad<br>
Founder, CTO<br>
Secure your user data and complete your authorization architecture. Implement <a href="https://bit.ly/37SSO1p" target="_blank">Authress</a>.<br>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Jul 30, 2020 at 6:46 PM Aaron Parecki &lt;<a href="mailto:aaron@parecki.com" target="_blank">aaron@parecki.com</a>&gt; wrote:<br></div>
<blockquote class="gmail_quote">
<div dir="ltr">I haven't seen any OAuth drafts that talk about sending OAuth access tokens in HTTP cookies. OAuth 2.1 isn't supposed to add new features that don't already exist, but this sounds like a good candidate to develop as an OAuth extension.
<div><br></div>
<div>
<div>---</div>
Aaron Parecki
<div><a href="https://aaronparecki.com" target="_blank">https://aaronparecki.com</a></div>
<div><a href="https://oauth2simplified.com" target="_blank">https://oauth2simplified.com</a></div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Jul 30, 2020 at 9:35 AM Jim Manico &lt;<a href="mailto:jim@manicode.com" target="_blank">jim@manicode.com</a>&gt; wrote:<br></div>
<blockquote class="gmail_quote">
  <div>
    <p>In a browser, HTTPOnly cookies are the <b>only</b> location
      where an access (or other) token can be stored in a way where it <b>cannot
        be stolen from XSS</b>.</p>
    <p>It's a very strong place to store tokens from a security point of
      view.</p>
    <p>Cookie storage of tokens does leave one open to CSRF attacks so
      it's certainly a trade-off. But CSRF is much easier to defend
      against than XSS and cookies are a better choice if the specific
      risk of having tokens stolen via XSS matters to your threat model.</p>
    <p>- Jim<br>
    </p>
    <div>On 7/30/20 11:43 AM, Warren Parad
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div><a href="https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens" target="_blank">https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens</a><br>
        </div>
        <div><br>
        </div>
        <div>It seems recently more and more common to pass the
          access_token to some RS via a cookie, yet 7.2.1 says it
          defines two methods. I think we need some <a href="https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119" target="_blank">RFC2119</a> keywords
          here, to suggest that either SHOULD use one of these two, or
          MUST. And then optionally state whether or not we recommend or
          reject the use of cookies as a place for access tokens. It's
          also possible that the language threw me off, because would an
          access token in a cookie be a bearer token, but no matter, if
          I'm having this thought, then surely others have it as well,
          right?<br>
        </div>
        <div><br>
        </div>
        <div>
          <div><img src="cid:173a09c3ab3cb971f161" alt="image.png" width="542" height="179"><br>
          </div>
        </div>
        <br clear="all">
        <div>
          <div dir="ltr">
            <div dir="ltr">Warren Parad<br>
              Founder, CTO<br>
              Secure your user data and
              complete your authorization architecture. Implement <a href="https://bit.ly/37SSO1p" target="_blank">Authress</a>.<br>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <pre>_______________________________________________
OAuth mailing list
<a href="mailto:OAuth@ietf.org" target="_blank">OAuth@ietf.org</a>
<a href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <pre cols="72">-- 
Jim Manico
Manicode Security
<a href="https://www.manicode.com" target="_blank">https://www.manicode.com</a></pre>
  </div>

_______________________________________________<br>
OAuth mailing list<br>
<a href="mailto:OAuth@ietf.org" target="_blank">OAuth@ietf.org</a><br>
<a href="https://www.ietf.org/mailman/listinfo/oauth" rel="noreferrer" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div>
</blockquote></div>

--0000000000007a865a05ababcada--

--0000000000007a865c05ababcadb
Content-Type: image/png; name="image.png"
Content-Disposition: inline; filename="image.png"
Content-Transfer-Encoding: base64
Content-ID: <173a09c3ab3cb971f161>
X-Attachment-Id: 173a09c3ab3cb971f161

RV1rrW1q89Wdia/gOD0xYYFkhJdBNZfyzN08NCXkDnmpTIY61ynH6Kt8BVYQnoxU7wpLXwiB9yNg
5iuW4iDAgPH9oBhCtXvokwsMtk7OWNiKUOIrKl+BAI1md2GPh+sBgFQSuYPK9gw+3g+yHLkBAGWc
fT/oYJPAmqsigmfhibWcqHSFt/cZtlHUDQydwLD8EitYcBdVuO8HuarHw/0gdV0GlS1t6iqdxfph
ExsBfaJ1CHQojWN5WafkK+hSFPcrhZH3sMK43y+9B16E7BplzQ77QQ7fEjHxlQl16FTPqS2oG8Ja
btb1hfLgB9ii0o8mjFbciI00o1R8603ct4Jf0/OVI37QGSW+oh3Wp/gKukKpjwxE9V/B16c6dkRS
2IPhxudi1IOkXWpdpxWzia8c0YK9FB5fga9y9kNx7U6t9IW88X00jTXr+QrENZQpCJvISuBGGaxz
i2ZTcJTgGf2EPphLHfjKAWtmu1RrCbX4F9wPgt3NDyzVUeFY1fuEBWR223Nulv0NoMvBYtdknRIx
M1byHiyN6iK5Pfx5XFLo5aCrhMDPI/CAr4jM0Lt8W9uNr904zdM4dHWNyaHgNlgCGCShhof9IMUS
ofeOIOuy6ad5moa+rRrmwoS91nUZDICXtZB6CsEYdN9+1gzzwvNt7x8pwpJGw7yFm4Y69Q75tupO
BmMIYcEyaNsC821FLBzcQhB4biqNzlAGthOVmJ47DremavdoBpcdw8VuVLJcVEhW9nn2wADppSzf
duL5ttD7dWiqtp/mZV0wWRkRG9uq6Ue4NveXSKShaltf+hqzJtd1GSG9F+DQ1nmwugZhDvfgaY2D
MxHjA3nTbnTpxnmBBFZ/T5w28ZUNPXFQNMM0AW4Yx949nKgW/u8Lz4vjQGaFgkiQgakZTSSDkCrI
VMMoFSb7hgXmiY9tETqWkr+iOktkXmF5m5dl6qvUdw58xdIN6zlCo9sPQi3DJPFxmoZb26pHMKDT
Uv9Z/jdLb9cON2I1XgInikNH60qOHsjEV5CMxddhXiGPNoYNRaankFbmwLNGGKggECTf3yC3euzb
umHCH1tR4yvGmpVuqiOOarBnMWHSG8tfXuaxzQNbybdVAzGPTIFRE4z6CQIZS51nhSo9dMqyveSK
zxyCAwDq6QRbY6men7Bo6+7s7QR2F2zDOg91wpKZdHWq+Stms3kaxyNfAZojtkvhPJ44H3EAgP4g
BN6DgJGvuEnVyROaynnmbWrZcV7Lsl0/Ljr07cutjDzY54YToH2buWxj+2zKoVNw8hkPR+Jp5IQd
vjUYMg4CpHLgQVBBTIQMeHz3erb9jFAQfwAAIABJREFUwnReYC8FTj2rx1KlY9gRXsc6j/jx6CjH
U53it7H0LUtdI0Fiye3CziTjkexMng7lhTDx4lrneLTX9sJcPc+MZZlMyYVht639BQ9I43HmMKsx
yXasksB14BQliC/7qGl9wQfK4q0OnG6EHW1tnSery6o6CXO6h8fPT3ER6Ok+jqgG+4H3B/6AnxXF
LoUlZNVq+QrLklKXlXibdjQ32Mn34KmjgTjPvB+9PZ42l8fo/bisi33ReKeiU5vjc0xtN8zqvk5c
mb/iJLphPdeg5SvASmt2MBUGNOcHgISeHfR/xsNMLNdaM9ysDEtu0dKVJ+MrcJaFHfHGI8+3ayR4
NaRC+DCbvZydZxYTBJVRPK3g5OfU0TTWrJl90B1YF+ypMIBnUNSXhE3J43nmI18BisHN0Z0p+Lx+
PtBqg6ayoYAdk8PTH/i8hl+14j0/YZUaFHsLj9qFR0ew4WDPG9DVeeArSlVHrE7jeOArS5vI3SA4
rUZ8hY05/ftHEDDwlT8iyysb1TvCV7Zgrgvnv3yCjPlG+kWPAD5iJFUQfPlofqXC3zasII9ytEoP
5d9ydbpCqIgl4jD+d45a/uKeGEjYL5b4WdHgyYEsUezZEnQfIfCDCBBfeT24p/XK6xv4x2uEw9HH
kNZX6MUjkO4I0aObxW+/bFghHxmP2Av5/u7/YeODr93P8apf37F/la/Ag8U9/tiqXz8IJOB/AQHi
K68f5V/m2F7fwR+rcV3gKYLwdNfj83RewFf6qqgg52jBdCbfFg89e74vv2VY1xWe21aG/2xonvjK
80pJdxIC/yUEiK+8frR/i2N7fc9+uEaIPtu2G7AHwyuNvYCvjHUKD56HLX98ZYEm50lpUPf1lwwr
xIbgNQlJdXyWoE7kv/Ma8ZW/c9xIakLgpxH4V/nKT+NG9RMChAAhQAgQAoTA+xAgvvI+rKklQoAQ
IAQIAUKAEPgaAsRXvoYblSIECAFCgBAgBAiB9yFAfOV9WFNLhAAhQAgQAoQAIfA1BIivfA03KkUI
EAKEACFACBAC70OA+Mr7sKaWCAFCgBAgBAgBQuBrCBBf+RpuVIoQIAQIAUKAECAE3ocA8ZX3YU0t
EQKEACFACBAChMDXECC+8jXcqBQhQAgQAoQAIUAIvA8B4ivvw5paIgQIAUKAECAECIGvIUB85Wu4
USlCgBAgBAgBQoAQeB8CxFfehzW1RAgQAoQAIUAIEAJfQ4D4ytdwo1KEACFACBAChAAh8D4EiK+8
D2tqiRAgBAgBQoAQIAS+hgDxla/hRqUIAUKAECAECAFC4H0IEF95H9bUEiFACBAChAAhQAh8DQHi
K1/DjUoRAoQAIUAIEAKEwPsQIL7yPqypJUKAECAECAFCgBD4GgLEV76GG5UiBAgBQoAQIAQIgfch
QHzlfVhTS4QAIUAIEAKEACHwNQSIr3wNNypFCBAChAAhQAgQAu9D4N/iK0sd2cFlfB98P9IS9MIv
hx+p+2cr/bzkfe7ZSbP+rFgPa29T281vD285//j5bp5reOXf61AlgWtbthNen1f9r5V6pdx/a12/
a/QfoDheAjuq5gd3fPenvwaKQ0eX/hL7jm3ZblxPh1/oj9+OgIGvjJfAEh/bcf0ou/bLH+zLXEXP
zDyYP8RXPjFOS5OEL2RGn7dfBr4ylMHnWMzaZZ73SdrBcPrb+cpcR7ab1OM8T9PzU/RrpT6hWT9z
61wnbnB5BZX/uuZ/Xsm3bbyGblS92Tn+CF+55UG2s/uvQPEzivG41oPaACx+3k7zPM1LX/pu0jw/
b0Q7BwP1deMjqqP/n0TAzFfsoLxN8Bn79pp4lpO2nx/WJ6X46La5jp3wiZXCv8RXnl8qf4Se+fe1
Td1XRnI+b7/0fAVMyuf4yjY1Zdl+xSH87XylL74SofpaKbMmvemXdaiL6+0FIYNvaP7nlXzblv5a
VP2bw4g/wFfWvvDdv4+vHNSmSx3Zhbm7lPXnTe3JQH3Z+Lxp2vw7zTzgK+FVmn8Ynz1wsfRXHoD2
orwZxSyc2iIJPde2LccLs5pf73MvKPu+SgPH5tHJdWzyyMOAXJBchPUZL4GXd2OTha5tB8qif6pj
V8R6LCfrAPx1qDNWhaPKoPKVuUk9J7oOKN46VFnImgzTamDEa7wEblY1Rey7jm07flx23BJKCSG2
lDcSCBx5KJhWdR55rmM7bpjVw9gWEVbjBqno+rbNt0sawmXLdoO0AlkASb+UM2RpEsdJWwEi1I+9
KOpL4kOU3/WTy00yRQP4ikZK4V0BL5gZwJS1snQZIPP/talrC2AFPfgkUGwkYMRsx4uL+hLLnSxt
Vdu2zV3Jw7FBeq2yO287XAJHiGVxNrX015SPnx9reYlCO/rc84saFATGFfCTscF1xPGG3RM3yJp5
25SCbepw/UI4h9K345pBDwqn7yb4It102EeEaUvD9MNBPeDD2aZOVA03jE7bCeqAQbEZbNgMqJKY
NVOT+jtW2l2tuSs/W2qpIye+tmXC9PlO/XQDsQwVv+y4Yh5NbcHG2XY8mHQMEL1WzLcLF9PxguSC
nl1X54ErGLDi8kOFjgNt383fRaP5mlmDAt8rDJ+e15RtwoH94fbBrHgH6jC1BdguFK1uy0AM3AP1
Y5MGN/38uBC8XMpsMlN2VNZ8FITirdBMoqw9Qc132y60Vofteiv83WBY4B7MUIAZ084Ljc7vbe5+
QelOmzph2VzTwMPBjPbOoxfQWPVt0w8ZWpKhir19wkCnD+uliU8WNBoV2midU7s3UIoN4a2DyQc3
KHwN2BnWkRA7ItwB9F2n/AIT+v+IwDN8ZZ1vZegICjFVkeOl9TAvy9gWge3lN+4G+6buhmlZlqFK
XDuu0fn3ued4fhCVzW0YxmXb1lvuOWHZTcsy91XiOjxOClPa84Mwr+HGWXXg6OSV+MrcJK4TFu0w
zdPQ5IHj8tgPzh/IX1luReD4OffzcL8bX/tpWabbJRK346aXEzFvtg7XyHGzDtqdqsj2c5BwmYau
aXdKxrHDgm5cwfV1rGLHskU1c5t6ctN4HVqABKBqMs9GBjhdQ+nTN0ZXsNV9YJY6siw7yJthWuax
K0PH4WCCZHrw98IGeBljgUg63hCxTIelVvgFzJxPAoWV2agN8zy0RehYgmEYqkJscfjneeqrxLMt
QZX2LmzbafU/wdDElw72PPo69W2/uFurKiajzz3Lgi0SoAVLDzpa9Fg7MDXbT6vbMI5D197AzygF
jQ4DMNN384kREdqCLBmmku1mHTIWaNr3g+TS9sMAmzlGxd7AqXhJ1U/zPN6uiSs9DGLVKuApX79U
CtXPCUskeQtMC6l+hoEYSt8JyxtM6alvm27aULG9tBnnZZnHW9OyNYJBK26Z68YVmJR57NsGlzCa
OhmV5xTWiBWbPmGBi491qtEWcYa4Y3PSfMOs2XQKA0bGtv20hsFAe6LYOoPiKXxluAQ2GqN5HrtL
7NrWx3xlKAMnyNtxXuYBDAmjF0+ZKScqeLk8YIq3dpnryD0Q0BF1aQoQGbHdDsEJ5Ct6KIzz4k7n
9yHRd6dNbbCFHTiEdYTBFFlaBl0yDdkeR4Yu7DvHkq+sfenDwHRgG25tx4z+onVqZwMlbQhrPUPd
GLsS5w5js9gRP2sn8DBzK9zBtumUfweFvhwRMPMVy7Js/FiW5QSZWEOAeotFJ1olXbbi2ibCR4Dz
ULeSwEEL97FtaIdZZgqYdTtiJOcoIwtKSL5y9PjMu7E6GF8ZwMZ6iZB4g/uVGdllLnOR0KLU3A22
9LkhAEpRKEGNkzxQ0MuZCwQbGttKhOQ4o2XJW+46KQSHZmBDPH60tIkgSfJONIjSoODkYP37GHwj
vBswFics69yXeZknq/1poGCtZiuS3nKX85UHVe2d51h8yFeGglM9BtHapaq95bhJkwFrJktZMEpf
sTQxmOwDFX6Gr5i7ifr7wXRAIr5ry7Z2uL4FIcCEebmkXkbFXrvMUVzMNtfxPu3MfOVrpdAJKfqs
qp9pIECG8MLDd2xAQLW8tD1u3Ri0AiGJa7Tk+zTQ1KnyFSNWTH4WrYLKYPCUWc7rP2q+adZoFeY0
PcHW8fqNiocLLjaFsVsycq3aIBNdBoKhqO1U8QUPQvCBmVJ6zgMrKywy5AQC7VSMI8JjxlbHV+T8
V6AwWqqzzu/jjWb63uq2qW1HPMgJS0lc7UHoA74pggurbhwyYXKxC/d8BSaL4tikWPs3xakZ+cq5
9ekK0XQMLULHmQpgjX3uspCqVvn3RunLEQEzX7GDQuSvdFUWOG4C0XMYEMu2HfGx9/XxOrZlGgUe
flzb4qQECKw06Ns2FL5lyfKOLVbkuokjZMXf9vwV0Cxpj7ZtbRKb7UiCKfHj2LfFigcr6DLn3CSS
n1OLiglb+kvkwg5RfuU8W0iC/x8LAiT7ZEC6vG8qTN0liwKfQeJYjK+gt2EF0JaeHSgaXKVCJERI
j8zg7+IZ4QXL3SP2Yn2CO08H0T8NFNgMhRkoVMxU1XnsbjBt784HoQ8WV9EG7AbmRPj2jh/5ilon
GjZUHiA+islgZZWCJodh7uYTI8KDg3JLUdbWpvauKiDMGZxdsWUR3l9cFLP8TcSKx1fAJrIPdPNr
pR6rn+L/VOY9d0Xo2I6fFNWN0w44gOTZthdlFx5cwQ5qZ+I2NVng2G6YlnUvKI6mTkU2I1bKPQys
LlPyFTh+OKfkHDPNGq3CoJFR9qtl/XKxjs0A/nyVBRYDNQ+MjIqh4uJhx0BVh93lT9fwjBo3d58x
U+DhxaZ+X3ic/h5NGUfHjK2Gr0gUcXy5ZEY3cdZ5MSAYCtVYXZieMmFmAwHsFNTdYGE+HjJ9fOVu
sqBgBqdm5Ct3rd/E4hgWJ4fRlWlnOuVXYKGvCgIP+IpCXrcN/ApcQOeRNtOsfBYI1QG/DYqOGSuF
ip7m8AYjGl4GpfjM9n72Ka1IJ77irHqOr1iWG+VpYHs85s7dQFzdiawserAdha/g3/PQlJB146VA
1NTPUVSARJm0t8zlegkGx8sa3JZABDlfARAdvxjY0i/j22myATSIhTwEAYLtfMXVgC+LmuEFP98k
rmXZvtjAY6EhRXSwU58C6jzJpSk3VQXmRuWaZ/VgXTnylZOJ32axwFT6rYZJTnVKtwHVfoavFJxq
m7tpmg6qZGeXAH8zkqdQJSxg9BNnATCsE97zlWUaB/yMsLv0tVLo772D+kVc/R4PxDrdIFfChq1U
sf2yjO0V8n5g8/TBTMTer1NX5ZFnOyHLX4GL5zqPCqYq0s7tvsZX9EZJqzBSBjbK3+Irqt6e+Yqq
fn7RHQ0Yaxtm9UMzpRrxaVc8WDU6cbPccem9R4dJKrH9DF/RW6qzzu/94F/O3Tm5+RXiLYKv6IzV
x0P2PF8xOrUv8hWVqIIfVBZqOuU/Q0N/b9tn+Qpo+mFJzUHEBd8e5gQmr8RXlHFBwqPuD+2DcCQB
+2X8AvXJmQd2WPGyqDzMeIMpQVcwXkPbFdFouF8Nu4u6Ty2e+Qq77ext4OqxoImvwL6PtPtQu+Ar
uLnvlz3EeSV5EGKhwVV3WcD/MjdrAH8vyeJfWnhZbkpS364RJPawPRHssnRNnwaKhZjlccCh8JT9
IBPmSroxCKBOW94TMDqxiK8w57zrFm6oqPCwMoodNPIVaE0JrN8VhF0XmfoMVpqFBs3dNE0HZURA
WyBNXOxCYcYS87SKzFjAqNhoOMG/8A/uB/FVJ2CVaPNXvlYK1M9SQqIrLBG5+h1THSCSfTcQmOqj
BlR5QAxngknBRL9gkd2mgu/vV2WdkisYsfoEX9k1H6awbtZoFUbKwAT8FF/BBE+FM0/KnrRR/YDH
GnbKBUYGM2Up6r7vB0EZyA5K6uEa3hN4sekiF0ygYpwdw2YmO/IAtZihMFqqs86LDhz/l92BkKE0
/WgLfHzClkGXPh4yPV/RKbPRqaHLkQZKkk6Y3ArkGNLirurU8RNfYd3XKf8RmP/6Xw/4SlD2GAWZ
xludB7ZgKZDy6QR500/zNA19WzWg2KAmTnwd5hVSWmMIBLMcx5PzYPmemNc0TvM0Dl1dsxNCRxJw
HJelSWw46zMvMwRzcFhDnkfWFphviyGQna/AEw8ix01YOgwEFjDNEhI2x76tG8wlPLUIXWC6NYFQ
47ys6zzUidzrFUIdC5r4Cs6AsLzNyzL1Veo7kq9AZMUN4lj/yBCeb5s10N/7fNt78IVc8D/adkgb
O8KLGXQsa3e8hjtjAV8UgIjzDM7ws0CxsJq/SwrZg3x6GqrCRb8TXW7TvEx9nfn7fqLaCdiix4RZ
Nt6gcm4E+ba8zJ7jLQsp5uCkcmDYeFgeD4b4Wd2P0zTc2hbUQCkIDNPl0bT5VgS2ZTHPi55f203M
K3w8IsBXLCfMWxjOoU69Q76tutFlVuwNsjR5vu3E8225PzHzle1rpZj6YT7pMo9tHtgy39YwEGNb
NT1MmGXuIZ89v61LX2P2/bouY5v5Nsuq12vFOjRV209QfuoKvuOvqfPgIB8aAXU5I/mE1BbctlU0
3zBrcEDsk8KYnbRZ8RSLAU7QhczpZYaR9GS+rVH9tqEMbCcq8YDBONyaqsUMjo/NFCges5Njk/u7
4rE1lxPFoaNwJwmPEVvkC17WQmb1sj7gK8Z5oUw32R5+01td4Cu2l1xvkNwMCayHfFuNVdfN8cOQ
6fkK7JZ72NCIj/CApG+jU9tOBkp2ChVJWorIEcdJVDsD3d35ilb50eL9wQeInIbm9/xp5iv7kVI8
mJVcxFlfOHLBj5GxX9hJxXWs9wN+RXu7Rr6Br0CqVFvGcFbXgtO6MUvkPwUtTgjBZjic3LS9nJ1n
Hus8wmcUwnnm/QCxwlfwlM+uLau4H5oMYnZAWDEi0JzCVxp2+JndvJ9y3mU6FjTxFehnHkI3bTjy
3NeJi/m2WA14QEtJ2t3rZoK4Wd1dEtbB84FSDfhqaR28nK2IHApwfjzGwvZOLXDTuHr/HFDAj4ZK
GfcGTq9zR6qtCkhRV8T8NHtadddIE1/ZIIHIsyHRm9W2qxwqjDjPqXZbmozjGUWemCc2E9cBjqFD
1pTtBjmkgyoF4QBCFsIZdTyV21yiPc5g7qZ+OiiiobZcDsdKeaxFbZoX2EGzD4oNsOGRX/EUADkb
H/GVL5XCSYTH6fFQpkH9DgMxwhN2AVQ8t4+Pllw6PLQLlxx4JIA4Y7d3kE0unIkrPHCU2QN8FAIm
7mrqPPAVPC5iMgIf8xWeMiM1X2uU8Lz+SWEOzo9tcvEMi6f4Chx4zUNUbjBd10RmA5vVT555BZsb
sdMP08dmyi9adngaBwYfqCA0k2XFaOkKTGthMM96CFlFeK4aCKgZCjBjOjdxmG5CFPa/vjtt6nhZ
tdsY4S2wyC6koktoks5z/CCnga/A5iM/gQ8qm8Kjb01ODTqnGqjDRBaKhMf45WNWD/eofEWn/MRX
jrqx/2XgK/vv9OWHEIAppJyT+qFWqNo/j8CR3f55eT6SgBl3fPrER7fS799G4OTGvl3f8xUAu/pg
l+n5yn7szj+Hz491iSr+OgLEV76O3XdKwhN7IeWWPv88An8nXyHVfI9i/jF/DGeExGOd3tPVL7Xy
x/D5krRU6IcRIL7ywwDfVb8uLIth39i8u4Mu/FMIEF/5p4bzxZ15vz9eV3hsZhk6miywF3fuBdW9
H58XCE1V/BQCxFd+CllDvXByCfeEdUkYhjJ0+W9GgPjK3zx6Py372/0xHBOCt48kh2yWn+7ml+t/
Oz5flpQKvgEB4itvAJmaIAQIAUKAECAECIFvIUB85VvwUWFCgBAgBAgBQoAQeAMCxFfeADI1QQgQ
AoQAIUAIEALfQoD4yrfgo8KEACFACBAChAAh8AYEiK+8AWRqghAgBAgBQoAQIAS+hQDxlW/BR4UJ
AUKAECAECAFC4A0IEF95A8jUBCFACBAChAAhQAh8CwHiK9+CjwoTAoQAIUAIEAKEwBsQIL7yBpCp
CUKAECAECAFCgBD4FgLEV74FHxUmBAgBQoAQIAQIgTcgQHzlDSBTE4QAIUAIEAKEACHwLQSIr3wL
PipMCBAChAAhQAgQAm9AgPjKG0CmJggBQoAQIAQIAULgWwgQX/kWfFSYECAECAFCgBAgBN6AAPGV
N4BMTRAChAAhQAgQAoTAtxAgvvIt+KgwIUAIEAKEACFACLwBAeIrbwCZmiAECAFCgBAgBAiBbyFA
fOVb8FFhQoAQIAQIAUKAEHgDAsRX3gAyNUEIEAKEACFACBAC30KA+Mq34KPChAAhQAgQAoQAIfAG
BIivvAFkaoIQIAQIAUKAECAEvoUA8ZVvwUeFCQFCgBAgBAgBQuANCBBfeQPI1AQhQAgQAoQAIUAI
fAsB4ivfgo8KEwKEACFACBAChMAbECC+8gaQqQlCgBAgBAgBQoAQ+BYCWr4yd2Wa3H/SopnuGlun
W30psizNikvTz3e/Hy4st2uWJlk1HK5+8Y+xydMkLbvli+Wh2IR1FO19v75Rqa7o2JRZXvXfkVVX
7TPXxhpxau/GZpHDnKZplpfXDwfwmfboHkKAECAECAFC4OUIaPnKdA0s3ccrjkRj6S+xZ6t3OnE1
GmRchyphN9tpZ7jnM5eHwoeW7ai6c8QPqhmqLM0l7eoLz7Isvzz260H5Z38CIqTwMtaOHTdfJCzr
7ZKmZfeZnu6S3nLXsqzgcjcw0zVUxw6/20HxLQK4t/rCL3Nbpunltr6wSqqKECAECAFC4C9DQMtX
1unWqp/mkoDLc9Pu6DOmJnEt24vLurt1TRE6lmU5icYnr1OT+TuxeQlf6XNgGvAJr89HR5A3eEUv
Rumn+AoyPkfyMmB2QZRJoiQEeO7/tUsdywo+0VGl3g/4ih2WXdd1bX3NcAAtBR6llj/3dalj27Li
+otU788JTi0TAoQAIUAIvA4BLV85V8+8us6PrWM/7H6kx4W87ra5TV3LcqMigxX9C/jK2mXIoLxz
6GBuizRJs1oGE4YqS3DbaBmaIoL7bT+Cza702m+crxTdrb7kWYqbWsMxirEM7bWAn/JLLfe7IH6S
Fs0Iu2GiIP91HdtLjGTKC7GdS7dAiCBJcynWOnWwjbZvwzAiuIxdfS1P9c19lQVIBf0YxN47N/cN
q6K4NHIUYPDWsb0WOetO3yBUxviKnbRivOcqAgKo3PpRE7ANeG3HZayzNC1xy2mo0iRJLzJKw3YX
d6m3bdNDum3r1FWs93l5qbtxgSvXFJmuGyCWbEty7hs+JgVsYk1HGi26Q/8TAoQAIUAI/DsIPMFX
ODdQvJih+2whr99cWfq2m9alBof4fb6ytBBvsKNry/Zz5D7VeIGtLDe77TJiaMIKr/8fts1CMviv
nTQr4yvKRfjqpnuux1RjZGm/wYmuAzpHLGi77h40kgXb9HDRssJq5mLlTKypSY/baD50gAVR9qaE
IKyochk7tw7XCDjM/nGTmoeZ5k6JZe2/a4aP7QcpfGVlovMRfNDE0uUyXAYEMARCxZpgdSi7dKwZ
J+ObgCZIT3Wyrb7/Gynw3gncuhurY88ty81ps2jXd/pCCBAChMC/icDHfGXGcLwdVR/suqw33KFx
swe+40V8ZWkSpCv1vA0lZLF4udjhMfOVaZ2nFkX0snaCz7Ly+AqEfsrm1vddzVw9d+5TFQH1YD92
VQpBEzu8QuyGEx3bz+p+WubpVoZwKxRcl6kvgTXZSY3tzOum8pUZpbecILs2sA9zyQsWd1ma1I/y
a9P1Q19nmJ0De13LPNXQXysoblDfvKy825aXXNu+by8xhI2cuJ63jQ+D7aXXDjrEdukEmTgo8Zmv
LBgFs2y2o8eQfdSEn1aaJh7zFSOkbNfHDoq2H4a+qy95UrTLtszjFYM+0XVgnWfIu0kFMN3aqkzT
68vTjw440R+EACFACBACfx6BD/nKdAVHzH2YWd7lhumv3Jub7nsNX+EMimU0CILCU2vEn/fxFaBb
A4ZjlB0r5vxs9PQo9FyxHSvYI5kwViO7vrSMNkAaCS8ok3XYXoqd4uYKDynI/BWFr8w1kqCPsm6U
EtvWZchX9vwV7rMzkU/EGwdEWJDL3X/aePK0Mb5iuUEcx3EUehivsf2ihwjSE03sxJQB9Ux8xQzp
0iRA+Py0Pm5tbUsD6Ssyf4XxKCcqO9oGMs0zuk4IEAKEwL+HwEd8hXmHu0zbExBjxVb4EcYeTj8q
f76Er0wVhjJsL4zgE0BswXLSFvdpvsRXFAKz1DFGRoB2sEiB48cp/8QskwI2m5g7x30c1j+14PaI
r7BEYaVJic863ZprWUD+Sppgygrf2DrxFdaW5YaJkCzC/SW/HGa266Vmp/LCz5wPcqILT8L5ehMP
4ysPIF1uRQDExLJsN0zLPSPnzFc2uaHk+HFe3Yi2SA2ib4QAIUAI/LMIPOYrPHVFbrfocJjbjGWX
Znvah+42uPYKvsIYiZLSwL7yc0lf4itKyo1CO9YWV/z3LUHYhPMVeRBaKbg95CumLJ+pScSJJ9mk
nq/wvFh5G//mFT2PtCSNTEH96HxQdOn7vmP7WZ7IBPl6Exq+AptjmL/yEFLMt71moUjtcWPcJrvj
K5iwWxeJz/N37KC47TnfJs2j64QAIUAIEAJ/NwIP+QrLE1HPi9x1du1LXBW75gevKGVewFf4dkBS
3fZPk2O2CG7q3PEVHihg2y/smS1KbOMh7WA/enk7Hj7TvH6HrzAJRTxoB4cdrnKiy21C53voyCm+
smK6sRWUt4Ng47SsnBEouz8r22hRrog2D/krK89XCRgF+3oTjK+EMt2JwcjybR9BKsTalpGfjWeZ
xaf9oP22bZ1vV8bxlOxe+TN9IwQIAUKAEPiHEHjEV1hupK24Hjgq219i3w9zjKVMNe4D2UF5W1bx
YegsXRH6flQelr73fEV72wN8mcM7HQjhOTbgtVjapnwmC8/v5Bc4V5BZJ6w6fXwFUldhr8lNKpFS
sS5j197gvPPDghuPTkjkOPtFFTHRAAAgAElEQVTA80GsqB2W7Gm36zy0TT8xN+/zR8OIzREeXxFJ
KSJjhBNJL2vEZsg6D10LFc4sR9jL2MPl1pGfI/qIr2zbws6I8xSkzzWBGzmsCT5CIoFmYWnYLL7y
ANKlrys4wcw+nErBJh9nYPsYjW0lTzA/fXbtgUrRT4QAIUAIEAJ/AQIP+ApbcJ+fycriAJCAu3Ju
cN6WYCX4Zsp+jBWxuOcr2tuMuHEGoQRI2K3cSUMQZa5j3CdwgwhySFlGhHioHC9v2Y7nuU5UzY9p
xzY38NwY+NiO49hYmYtnkT4oyIMVluN6rhNcRpWvbOxpNLxWrBMTTzCt1LJdz/cc27Icx9kPZnPy
AD96jgMPTBkr1k0uGcrI+AI/IAQ/eB6ct7ahNl2Q7BBfASDFySWWfvywCTy9tDeBzfMm1p4/eNgL
4zgSmzacr0Abekg5xYPu+yg2nisH/iIoJ3bey/8PdsTZcX3fd1mKcHChA0LGOUM/EAKEACHwbyBg
5Cvc7TnnZ9rCYzIc24OnfRhyHBhfmeEZI46fy+eGafNXtLeZoOWraSXLVdzJqRN67KW/piG6fNv1
o7wqgQiI4zhLf0kC9OJukHfLB7QDfPjtmkU+PmfFdtwgzthLgD4quA5Vytvx0+b0/JVtm7oLk9G2
XS9MLxCFmruSi+Z4UV7fqnjnK/hj7Ds2MITwgoe316kteT/hapAUNXs0DNQuanKDpOxqOF30cXwF
sBzxNBg8gQaYwnNN+ElR4lNqRBPr1BYxQoZylVc4m60QVy2k69jkCRs23p1mFDk4U5NHcHrJdry4
+n9vlzTyXSRhMMDZFQNeQhPof0KAECAECIF/EgEjX/kne0ud+hkEjCm9P9Mc1UoIEAKEACHwn0OA
+Mp/bsh/oMPEV34AVKqSECAECAFCQEGA+IoCBn39IgLEV74IHBUjBAgBQoAQeBIB4itPAkW3PUCA
+MoDcOgnQoAQIAQIgRcgQHzlBSBSFYQAIUAIEAKEACHwowgQX/lReKlyQoAQIAQIAUKAEHgBAsRX
XgAiVUEIEAKEACFACBACP4oA8ZUfhZcqJwQIAUKAECAECIEXIEB85QUgUhWEACFACBAChAAh8KMI
EF/5UXipckKAECAECAFCgBB4AQLEV14AIlVBCBAChAAhQAgQAj+KAPGVH4WXKicECAFCgBAgBAiB
FyBAfOUFIFIVhAAhQAgQAoQAIfCjCBBf+VF4qXJCgBAgBAgBQoAQeAECxFdeACJVQQgQAoQAIUAI
EAI/igDxlR+FlyonBAgBQoAQIAQIgRcgQHzlBSBSFYQAIUAIEAKEACHwowh8jq/0uWcnzfqjEv2S
ypc6sv1yeCzNOlRJ4NqW7YTX/7+9q/VzlQfW/wsqLg6Hw+FwOBwKx1U4HPqKujocV6FwOBwOh8Ph
cDjubyaQD5p0ux9n37NnU3FOt4Vk5pnJzJNJUqbnl/7j374E11MMPt8CNP+dFpluAYmq5alWv+bL
NiVu3v8ada2iFoEfjcAPTeUavrI1MXEeX+F93s1KTvfQjar5O0y4VJGUJYbSd5Nm/fKOX0mfSx0R
N6mnZZnn9Y8iMJbB38YTVZFegeu5jT7fwr7vikWe9/f5bwVf2brM874mW7epGHyEemFSNNN/OUHo
8yB7hYZ8C1/5Qpw/b/5f0YIabN9SWY0Jb11tv/8WBJb+nkW+C2GFUC+IixbStEjlS524we2NmblR
0rVJwrem9cab3/+Fhq/s2zJP+GpSl0T3kf0xr7KS157W4V5Uw3cE1qWOaShmtUt3K+s/UNt4JX0O
hVRu+pMIQGb8y/jKRaRX4Lr6jPr351uAUShbRG3/6/8SfGWfm7LEMPDpXtqU0KSe4TWNfZ2H1Alu
f8C/XxN0Gwrf/Xv4yhfi/Jr+v/2qS7B9A45LTHjjavv1NyAw17Hr0DCv2mEcx6Fr7mU9QpoWfGUb
6+Lef7BMvLWp++YyxBfqqeMrvPkhd0ks1y5QyXtTRB4lDnGD5D4clQ05drdF7MP3MD1MqytxW8cq
DfF+6vpx2TGg1uF+rKx4US7NKNfhfl7tRbcB4T9rPzTrZNxhNWBqjr6pF2bVeAg35J5f1HUWeS4l
xPWT2yk2VxXebGOdhS4BueOivsViPWgbq4zJ7IJG0OzcpD49JYFKuIRAm9KwbFBwSqgbpBW6CHam
aWrf9Zgcwo23gHfk+OX/FR6JawG7I/LZ2sTEKwa4T+AGIOtS6VpHNL43ZewjKGDLqSuTAP6ivrDs
vi8dXASrXv5Bzi8ijfsObCMo6nvKlsfAiLzYBrgyj6GqcY2Az89dCEVCd0EnvLHB9mCRAz/4b5ua
/BDB9YVsWq975i38BnCiugjP9SCpuvDk9m06HQyAbHI/eJyZAF9JOy761iaEpO3xt9Z59nWosshn
Q8qPb73wDS/vpgZ9mvXExVcM0aY0qsb+BqOWJC2fdGx94YtiD9RXzUNslxBYu9ynQcHG2KPzgHei
77U38DYKYYJ7y9LDh4RNBZPbdQYk9fIEZ47erlFNi6FhAC44IEAaN0gON9t3aBVjz9HPWPrniJxu
gQZzOYLhPVoZhNSIT9JMbRF55Fxm09uODU5KCIEw092jc14DzD0WS/dLFRLOe/VNPQy6x2D7zDqP
MQHqnXoAhargCS9pqu/aEPDXWgre+773mXsOqiH3gnIYqjSg5Bi98yEkpoaKzQ30EElya7OYJlQe
3i50/J//TSlNxSjDOVaISxP6Th98WA+FkE28A7pJwpvIPuIrwVeUiaLeMw1jbW1TLNtgGkTHM4wj
0e1n372brzjEjcpuWtZlbDLvTI8iW69NQr20mZZ1Xaa+aU/OcAo6lj4Ny35e12Ue2qbDIDhXEfXS
elzWdWqLgHh5j1FzuoeERmU7TNM0tB22BbxAqq8I3Pe1yzziZ/UwL8vUlRGlcY3ND7nnOLBwA5F8
HaADltVPoeD/rc89gkIsy9gWIXWcgzguTeK68X2Y13XubxF105alBJzNn7lE4SvEIX7WzqDE0mYe
OYL9rm9Ki4ksm1w22DqMlogP4Oa69EwlXebSrNv2fb5H1I1vHaxUDXXqE7+4Rn6IiY5DQ0bdliZ1
HUKDHOnj2uc+j25jGdAgb7nFj6gni8TGJCHETxF8RInENVJRUJmGRTvOyzw2ecDhMwL+lgvtkCC8
pEI79/fE5bKy+sppEYHgXEXEz7t5Xdd57JqWrbAYvM7sLSAYQSyWeayzgDjOsTKp5lG9s536DghE
EVJyOpgQFHKhxFfWqU48N2kYp9c7D3Dnrm4HGHFzJ/k2OKTnB2Fe9+M4Ldtu0Bephu8HyQ3mYFBG
lV5dSuX6inGIcb6yjXcYyy0T2eA86HskLNDbtrlO3CPh95nrxhXEgWUa2uZh1vcKzpL0j6rpMdQP
QKObPeUrKua6CKaXQRYbUojrB8BAhnGCMGKwHXxMo7KbYaBXiUect/mKvin9oFOD7VvWucSEJ+OU
K/uqptqujd74nK9Qzw+isoFRse7bUPrEje/dOE1j33YYGvQQcaF30Owxi+1mb5etuUIAF4QFQMMo
YuoUfF4enlooJNnEW4CBJkeyEh/jO5E3Jb5i8swnIVFhhnpYLj1/6s/38xWp+jOV/jnB5NkaMOLh
SiMamOfK+KQJCqS+JjnmFCNcy6Z1oiV1CEl1LaguuJiu2cXzPTgqJAA3n1zsgluJRvd9a1NKpI0w
fe4e6WS+h7IUXebKMSE5syNHAHPOmcigCyhTsWmroSkdJrJs6jIH6OkXULYC+hzfbhFlWXMsfFYO
u+C2dalLJdVY0+CmYthsbUpIdJZtRIdbl7kSqHMVnpiqKy/QmgQflAXY9ktQWXIZbBnFNQP+hgtt
XUZldZY6PuegRr4CQhRn4eGA1uR1Rm/BjoSDbW1CTzNf8qjO2YBnSgiB4xr4iuMQ9oJ5fcxrgQbn
URxlhyF5VN+mW+CQiJFGuMikLyR1x8sfCC02rPIV8xA7+MoM1D6qjh03RudB3xOVHHAF9Bbk4nGN
PF/V6/jrBZyV+66qGTDUDcAnbvaUr6iYayKYQQZZbuRzkhOZbDffzhCHdy8VDkKcyoBK2vqKwQ30
g04Jtm9aB/oUy9ZPABS6vqiptmuzN4IyctBR6ysOPSec+w5CngOGS2WAiH/P1p2vWeyZt0tFcOzT
5TQC7QSD1NjpxYe1UEiiSW8hIcheJH0l501+ssTomcaQuKtI68aR3Onn37+br8iDAPVjW0lEtoYT
Gh4hXpTdHoorIO/SwdSS+klR9Swwgd/B6tH5IscsAf3xYRejMoTk9SDI0sd0l+HSn8xCcEn8QhJb
AAgfyraFsc9cvssolKf5izjOUd/B8annK0q9mA9jU1OPmAjB4J0aCE63gilReJ+me4Dpm6k1A+ET
CRzbEbpIzUq0Gj4FEgDra+zFB898D6/Ks/m2KhKuB8kRosuOeTnEA5GZ9n0DNgo7IsyA4yEfswtd
b8SRzgqqJr6yr8MtcmE9K7+zGRRDSed10khGLBisUC4AlWUHEz7PqwvKwrB6+1XsC/4H8NASTerp
2L/SlLFLgxK5hMl59mWo8jj0PXxRcoZfHCiC7ZtGGSvpCNOfgrD/Vb5iHmKIQBQHRJ4YGJ3nqjv3
ln1usoASN0zLemAlGkUela9IyRHdSSq7HncBmrJqJgw1A/BqL8nNnvIVeW7zMBJBLJMMkqKAj1wC
NtnuOrh6mBmxRSBwVh1fMTWlH3SXYPuGddSY8ARAoeqrmuocw+yNaha9rgedAwSkeBASJ8z6fCSk
1mUxaEofKq86Qin/JCxD4VHccmG0C0YE2Yd1UMiiifcQxeWcJr6R86YYjEbPNCfQC9KacSR3+vn3
7+crgkDLMUKK3SDUOrV3WDd342M9UJV0m/u6iH0CRfqV5de0mRfptW6wyn3Ju9jIZQgJKM3uK67B
FsBHH0Lb1XEVK5K4epDupBF6viKf7QTBGGpI5rVN7buKiYqXGgggctKkWdqUojfCn2m7QNkF90M8
4AaL1zKZwMaFgvgnpgwtXyF+AfVm8cIVg4tIl9YgKDNecw2pRr5ybcHoQldLSYnEyFdQxWVsSli2
9lJYYMFcovG67+Mrp70UWyvrQUDvq+hIuQbnATjc5NyrxYnmQxnRqK9MthRR4I/38BWHhlmGq7AH
0wDRtM5ztTX3Fux/m7sqjzwCi5VYKxBSfYCvyCMR3NIwlh8G4BM3u/IVsaPsGgZ1EeyZDIemV3xM
tsOSnbwVQvzexIWvcG1MTbGer4PuEmzhoifWUWMC7/I0H/jmMa84P3qY5zwV79K1OeBfsihOxo5N
YZpccE3pT2Xgkmsd5iVvZ5ManGMCXWGVb3Onks+Lzi9QiC/kd3BaUpTQ5W+MfEU/OjSgHQn0ijQ6
iJzc1V4//dcf4itMLoi1Hq5caOXEBX0oXpvqVuD/D+tBsMwjfSighHKDtHSxK+tB57QDBIGB9MBX
oCYtrzKMxVmuh8v15XIcn+/hK+amToA4JucH+P8l+MD+MTe7Zd5BQobC87Iyc8/QjIFBzKyhgiiv
RLCmLzHRwFewXiotKnCxLiJdWhN8BVSWuRLaFHaXmQHnfRzp+uJCUHeVt4GzZRp25laxiNyOeI8h
GMAxep0I+nCX8BY8LH3srIJxCYnnqLdIMUU4JPbJb2f6isVkMJIMzCGhhq84bK+g3nlg5U2UENDU
Yj3oFA/bNun7Fl8RrcNSrWGI8UbmOqb0+GUDo/MYveUAAf6DzXxS1+ybF3CWmsDS0Tko8HM9hvIt
fAA+cTOoRYoNCMDAzyn7ha8gf5aC1YsyPGRxk69Cd5IPQfI4Ax0k88MRoFdY3mZ52egGAgURty/B
VlyitY4aE54AKLXDFyOOz94Wj3dt9kZI/lJ9aqkih+j5ijY2vi2DUIDtewSkX/Z2uJkRla7w+NqU
sVPJ56Vu8S2H4vrF8Tfs2yOR9qfBRJgSg9E4OsTF2DCPaaymwDYnXETg4+jy+Sf//HK+sg513Y3z
um3r1Gawv4WfE0FRp7ZqYG/gti4D7F3F+I/bxoK8ga2I8zi0VcNOFcF4hO294zxPQ8c258L2Fhrd
x2VdoAgjQYkQ+VkDX7H9tkfn0jUggwS3hB4OL3F37PLtkLALifhp1cP21Wlo6+Y4XqRkRylUXTxM
1Fdwv+1jU1pMJNF22DaC+4WZzrCoQl3PPYckiO66roihgKcbwX7bdR7qzOcbmKVGhZvihwa+Auuq
Ae55hv2y09g3VYs76C8iXVoTfIXlnbBgG3bbAvfb4vzbCPhbLrSPsJOU7bedj/22xyk0xSJC2bmr
6x6cblvGOjk38xi8zuwtC+63PVXJYUv263wF4hlsB8et6HN/i12+oVsIyhZnkhrrWfM8tnDZub9b
74egMttLDDvgQ3U9SF6+wj2bVDPKLu4qS4O1Ky9rYXs8jDbjEON8ZUcfP38/0eA8Jm/ZxqZqhxmi
A24dlnIxk0oS1WwmSQHpevapHkP9ADS6GeRzF4t0+770Bey7NnBE3Ct3jWB6GSSpH/mKyXYQymh0
62cc6Kkv9ttCMqcx20kEq6GUb6HQu71+0CnB9k3rXGLCk3HKlb16AttZ/OCl+q7N3oiTgRw3rG1z
m/mOia/sG4wfL7n3E+SYY4u3HiIu9L4bHEYfKh91ZLvJaBB4bgrnI/Bl6vTiw3oo4HTWeUpFknOD
Aei4UVHDxu0JDjTX7IiLGD6SeCbPFBczSaUJP2y6CMp+WZdlNcAiyfPpt1/PVzp22hmW8uDk6PXH
rib4RViKP17jBik/Dw1nMvHEMPymTZjwU9BLJ843RnfMSrBBBo4SEy+/nmfe5/Y8euuFovEncMsA
bmPFj+PCcVOPHzfdpjqP4Iw2nmzkR0aV7PgSX4GTtY9NGTCRZIOI4xHHoYdIMGNwGNeDq2Duruzz
wzOuxwns8xCy1By8ldwU/jTyFQjJhw3ANlF2HFRWRbq0JvEVSWW4Pa+FRxgAX99wISi7oEjHofrb
cSb+ukInFJ6bw7ngYCo/Qw9nxTRe98xb1v6W4Fl96ie3rkqOnc5StpYJNAggk+Pj/LbjUC9SD8wL
UeXfi3MIHL5mv5eAV+icZ1/7MvJgPMCJ1qHNXFPuNOgrCy/kON/BijSeZT8nHvohpjSywDnHgB2j
1DqPyVu24YYn5yF4eGEmaX6II8XuZ2Y6hVekOj7UYWgagCY3YwfTKaH4kwzNLTpLGVIQOGXQRDBt
EDivh/+v+OBnOl+F44f81yXSqsrOlWfwvBaP8IOMUV7fE7Z4bGrKMOjkYPumdXCbmBymjOOUK/ui
psauDd4Iv+eAh+Wp6wXwywOBdJ75LEEdQmznQW7IWCk7UaqPDFzq/bnDHD/NdoZKnY477Ix3HHk9
4MXhqYcCjiZp+Ar40lgXSQC/doCjKkjYDg0xfBTxdKNDKQoABnJMO3bTOEDgVxMsArjPvnvKVz7b
uL3fImARMCAAYeK6cm641H5sEXgJAZGEXrrcXmQR+GEIWL7ywwxmxf1HEIDcotsY9I+oZ9X4DxCw
fOU/AN12+Y0IWL7yjWDbrn41AlNd3tnvui1jmweEHr+o96tBscp/IQKWr3whmLapvxABy1f+QqNY
kf5JBOYmj+DhB2wXlPT77v+ktlap70fA8pXvx9z2+J0IWL7ynWjbviwCFgGLgEXAImAR+AgClq98
BDV7j0XAImARsAhYBCwC34mA5SvfibbtyyJgEbAIWAQsAhaBjyBg+cpHULP3WAQsAhYBi4BFwCLw
nQhYvvKdaNu+LAIWAYuARcAiYBH4CAKWr3wENXuPRcAiYBGwCFgELALfiYDlK9+Jtu3LImARsAhY
BCwCFoGPIGD5ykdQ+yvv0Ty75K+U8w8IJT1W5oOtKw/R+GAb/8htnwfzbSD+DV/9N7R421r2CovA
X4KAga9Mt8BxnMcHKI3wkCbnfGwqjNewwoftnuooT/LGx4XBk5YIdb0wKbuF3e9cXuezqM5GsHc3
69bzA3wEWEzkJ7NvU1Mm/AmJQVzUI7v8tS6kln/u27VJwvJ4MvGOj4JVnsf7cxV7W/KxDJLmfLKp
7rF2bzehXGHgKyrCyh2mPz5wi6mpT38+3UP3fE7h3udB1uuaXKpI9ptP8RXVLrre8LM/kOmXOnGD
Gx8Nxq6/8Is/oMUXSvfQlNEBHq60H1gE/k4EzHyFuh5VHx+JT5P3PJe8xlfmKiI0LJp+xOdY38tq
2LZ1nvA13ELiZS37Y1545kGUIA4QQhS6tNYSX9nGW0iJl5RNh0/Jbu9ZQIlfwAPEX+vi77TG+6Ta
2tQ9TbH/Lr4CHvINfOWC8Cvm+cAtrzT7sWvW4V5UAw6ubSh8V8tXljqm8qzjM3zlYhej1H8g029j
Xdx7ZfJk7P6LvvgDWnyRZJpmzA6gudh+ZBH4KxF4wleSIvdo2ooix9ZlbpAX8Yt8pUspSVuViXAM
ljoiXmGYDU23wE3KIoCOzvtlvoJM6PLwlbXLPC4YdvOsizalNOu4NGPpn0+EX8cqxbINwWfFd0cA
XLoSn3RPqB8X7czvPN8MuefnNd5KCfWiop3GOgs9lxLqhnnD79jGOotYzcmL8mY69FvriCbNBA+H
J8TNcR7MnokO1Sn5yqPHtU1d+GV3fGHuxuh5a8rEx4qWH5en8Ps+1XmMzxRnsh3StCkNy+YO+oKY
QVpxuE+94P+lK5MAOiNuIP2KPKhc1KCNSwlx/eQ2cF/ZpgYfZn+5RbTKur7BM98JYFr203BPQUSQ
UJJcA8J4C+ipOav1QYrNKsAbpQzTWihiAHzf4YvQJdBhXNQ34dZGhPd9m5oiZvh6YVYdJT2ultYo
Xt5NDfYUYDHsvbbAKiXCT70guSH9gBGSVnWO2FM3zOoRfAd+7Z+4QVofbnUm1K0vfO4sjlymnOvY
5ViyIfEEzOdmfbSL0XlOwQC5qYpdN6mZT2rMjY+zN3qawL6OzvH/zDP59fuu7Wvf57ZIQs8lxKFe
mJ1Q7vsqjdyggOLvsxHH+xlyLyiHoUoDSgirYxlg3KbTISHGNHAfBkgIfdK8ZO8zl1ek9U09BDGz
A3A57RuLwN+PgJmvkKQZSp/G9ZmE1iZxw/tQ8bCA41WemcGyTRMTrxhA8fkeEi9t9TOeZ2QC203a
dSh8Gt4mBqLEV+BemnYnkzlBBtIRnJdDpHxCiYx8ZSx9Gpb9vK7LPLRNx6LoWAY0yNtpWZexyTyl
G9b9kHuO46XNvEFgK0NCiBtjPtvmKqY0YbxvaRKXhkU7zss8NnlA3YMQwnqE6wdBWnXDOEErcxVR
L63HZV2ntgjUahN2eoljsIpGaJg347wuU1cERJTHlr5u+mlZ12W4RfQEr02JQ/yshe72pc08ZcXt
wBVg9ZJqmJdl6u+Jy5VHld2knsBB1gFEZIbHOhwNyw5QHKrEpXxN4rQVrOA4JMiRUa197juE+Aw9
qJ2djM0IwlB4l/qKQ7zkDipij1wRI+Bbn3sE8V2WsS1CKpY5uZD7BWHGibMasejKiNL4SLPGWyCl
eX4Q5nU/jhPWEd9piz5zwZPAdtPQNqyCwFZM4wp4yTZVMXUIjRhfXNrUO/KiskTYpVRfXwER5VGM
ptGBCZC9YdaLXXaT83C+Al5Hw9tBLw0+b/Y0gfsurei9dL2hL3Dlpu7GeV3XsUpccsyLliahNMjr
YZqmoWsHCGvPRhyXbMg96vlBVDbgAVAA1sP44JDkXHe/eKHEVwxN6YOY0QG4qPaNReAvR+ApX9l4
WMH0H9OoXpaX+QpMRmGZxouyWzNeaMszMsH4SrPByPbPXCfxFUZMeMXiRHhrYqAx558f4ysQcHn4
PJqCupJI/ftchcp0B6+CECnIEmapI3nvUtYDCifPlKA3NuVa68iRGtgx0itckedwruAljkH0lMQE
QwmJ+E07fH7MsCEzSTsXhtwlyaUgtnUZpUlzctZ9qeNTEFVlKTeuTUJP6rIzTaRemCRtSkhUn04B
OAhZASWWQMHSWhAueREUkaoGPVfECPjWppRIevW5e6YHAZVkOfgQuLgE8D7fsQIoXX/ss5JMjClN
KKpe+4otti5FWqSyc2jWy3FacPRJRSlTJCZ5/IpPL0LARVe+ogPzFbOqdjE7DxNsHsqA+jnfp2Yy
t9HTZE0ufEW4k+SZ0vWmvqRL9n1rk4OEoyNd68EvjTgQXi5TG2AEOxsc8jLOBV8xNLWDFa5BbN+N
DqCobP+wCPzFCDznKzC/PZLbfA8xb72Dr6Da69RVBSxReEl9lErg85f4yr6vfe65OMO58pX7n+Er
+9IVISXUT4qqx7oDFooch1D+Io7zMFNVn4yKGZdLuDUQ9aC022VUYQTwDWsKoq2U4zE3OkR0Sogj
FxQYtGqdGPMO71TJtetYF0noe/hyyUmM2pQoq2Jq0QL7AE2k0M/YR1gB+KrKWE47WEbhX/GSMjg2
C/UVqeux8EjMt88uVcicDgiCHgQ1L15a26E5trvFCPhVL9mtmYTwr5opoFmFePWZ+06jQJvvtcWM
rN8N07LGWT0IptoacJIQhvUCttjJaAFjhcZ0hW1Ju+ZV0wgwxxfMqtrlCjKScHQe6DOIYxcyOWdi
RnMbPU1YCmzFC78vXG/sa9+mtkyjgI8VNiqvjoQ9q1a4eMspGwgjOPe+G2C8YiU5pOqFu+ArhqZg
BfchiFm+chrE/v+DEXiDr8B8mkK+wgVzCC3SOLpETUQBxpZuXwrU5c/SKlz4Il/Zd6jBu2m7SHwF
7qXZl64HQb7kC1/7Nvd1EfuEsLkfhBK/6OZFevGCw2F7NUTCHWKK+ipfkVIOm8unjdonj+ys00sc
k5OTkmuxlB3derarGQx4MJDLzkqR5g+ljkW99/MVnN5JaC2XDdX75USP2rPCV1wtCGpevLQmUqyZ
IF7Tg5TthPKXDPRRviJznA/aYpu7Ko88QkO+f0WiTl/OV44NVIgEtw28CW/jU7OqdrmCrPAVx/GS
PPGIX7ANwUf9SmdudXA+4+YAAAY5SURBVHBJzFgy1Qf4is61oJZKgqJjUxVRXzHyFcm4l/F4CHcR
Hp1TA+MVK8khr+1CyRPryE8tcglilq/IzmLf/1AE3uIrO9Qc/fye+8dpHZmvbG1C5VInrM1mrlTn
l0CB8eiXvMLyMl/Z97VNPS9rq4RTAO1+W9iPIGf8p5QIhzyf2QGhkPkKExsXlIHFQFlbr5TQT41K
oKyOrzAQxC5jCO+sWCGFJ9boWKi7cURX/B3GMVGjNvIVWB6J+ZIO9Pk6X8H4LW5m60HsmImqspRF
IH2qbsFF5m9UqsRzIn7P+QrMRU9Z+Z34BpQQBRkzXzECDutB8jrXWHim9SCOMAyF19aD+C0PaxGf
sQWMhKNyotr6Vb4iVbQkOGFZSzjrlUoK8veKWVW7mJ3nlB8OrRA/h3N9sHJoMLfR0yQt3slXTH3B
MpEAA6Bh9ZX5pln7O7U4xLjyCvbxRXiciWhGx9UhB+GQALxUe12qyCHIV16wCA9iyFf0DiCjaN9b
BP5mBN7kKzsurDrEP2KwzFd2DDcubiWDbWjtLfaId/xuytpXt7rtRziyfHzDZ1LvqK8AeEubup4v
7QZl55n95AaHpaH5Spxn5mg/o0SghZs2WClf+iIgjsPqK1NbNcO0rBvbmermPRQ1xjIgNCpb2CY7
jX1TtZx4Hd2pUcnEV1jGCQu2c7ctcL8tCvHAV3CrKQ3yZpiXeR6HtmoEzzk6BXIYlP2yLst5WkHU
9UX0BGlwXyzu3I2U9SDtTJpDCG9G2DHK9tvOx35bJoiqssRXcEchceN7NyFeXV0/nDN9ja8YQYA9
REylZd3MKRbJLm5wxq3SMuCYS/2sGRfYnFzGLt/eKGuvIozBX9wT0XNzlfmWS0pDlN5li21sqnaY
wSNn2EPNKLna7Et8BTKxl7WwBxogE6+1SQiN7gAEfqGaRvCVV8x6sYvReYT8G4ytM2bAHliNz5s9
TWjxXr5icC0YNTS+j8u2zj2Es5MpzHVMaVA044wRoIOdzkILlEOMOEms67Ip22+rGR0Xh4Rhek6/
wHQHqdvmNoPVVrZPDx3ycaCZgpjsAAD1udlfFte+twj8xQi8zVcgTLnnjgd1PQj0WrobO/8Lx27D
9HacqIGtJ2UMp1Ud2MvgBUmpnAJ+RiYwDki/rgG9NInryFsqYTOv+L04N4jz8/fiONhPu2BnBymh
eGq5uUVHfWWq8IgtCO0G6Z2f0OWHSvF0cSbOJx/dqSHVyFfgNEedR8eJ2CjnpyUf+QocVKgy/ot4
YVI98JWdbW1wgHqtT6LnNtz5Iedb15X+cerKmJk4hviG6Q6HpOE8Mz8kraos8xVYR2rZ+W/A0Y8L
ftPZstq1qb4Cy1p6ENbhFsHhZYpnPtXWpBS7GwGH88xVCse02RFvcXz0FBH/VxCW9EJnF+4h36Pc
cklp+/5eW2zDDQ/S4yiCc8vINdRmX+IruKkB1b2e1trGKvGp4xAvh93qz8B8y6y7ahcYuT07tK46
jyz/BowYlnwBRK25n3raCb00gl663tDXNtWSV/T3yD/3za8DnvzH0BCWMI+RtVBWYE+Z4P+LMPiV
HkbhkH5cQkg6+cpx8ppS6sKJ9roIxLkCXVOGIAa7WrgDWL4iG8m+/yEIGPjKD5HeimkRsAhYBP5B
BCT69Q9qZ1WyCHwIActXPgSbvckiYBGwCPw5BCxf+XPY2pZ/LAKWr/xY01nBLQIWgX8VActX/lXL
Wr0+gYDlK58Az95qEbAIWAT+BAKWr/wJVG2bPxwBy1d+uAGt+BYBi4BFwCJgEfgFCFi+8guMbFW0
CFgELAIWAYvAD0fA8pUfbkArvkXAImARsAhYBH4BApav/AIjWxUtAhYBi4BFwCLwwxGwfOWHG9CK
bxGwCFgELAIWgV+AgOUrv8DIVkWLgEXAImARsAj8cAQsX/nhBrTiWwQsAhYBi4BF4BcgYPnKLzCy
VdEiYBGwCFgELAI/HAHLV364Aa34FgGLgEXAImAR+AUIWL7yC4xsVbQIWAQsAhYBi8APR8DylR9u
QCu+RcAiYBGwCFgEfgEClq/8AiNbFS0CFgGLgEXAIvDDEbB85Ycb0IpvEbAIWAQsAhaBX4CA5Su/
wMhWRYuARcAiYBGwCPxwBP4f8IYT7lnr2ZoAAAAASUVORK5CYII=
--0000000000007a865c05ababcadb--


From nobody Thu Jul 30 10:24:09 2020
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 917BC3A0FC9 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 10:24:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.085
X-Spam-Level: 
X-Spam-Status: No, score=-2.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LRJj8NKBGjId for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 10:24:05 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B76023A0C41 for <oauth@ietf.org>; Thu, 30 Jul 2020 10:24:04 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id q6so29705985ljp.4 for <oauth@ietf.org>; Thu, 30 Jul 2020 10:24:04 -0700 (PDT)
X-Received: by 2002:a2e:581c:: with SMTP id m28mr131891ljb.5.1596129842599; Thu, 30 Jul 2020 10:24:02 -0700 (PDT)
MIME-Version: 1.0
References: <CAJot-L0pNWox1aX5GOkD=QVJakRVVtn=PvysciB2Wak6ijG+Dw@mail.gmail.com> <CAGBSGjo_w5+fOE0bQeeiuQLt0-Xkt+Gdu01C3BHZeuOZNh4Taw@mail.gmail.com> <CAJot-L0XmQ2wbmXPDjhwT4tT8nihmEXxc-N3orfeV21EKyYCPA@mail.gmail.com>
In-Reply-To: <CAJot-L0XmQ2wbmXPDjhwT4tT8nihmEXxc-N3orfeV21EKyYCPA@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 30 Jul 2020 10:23:26 -0700
Message-ID: <CAD9ie-sf+yxQaL-a1jVm=XyVCTkm2v9rc_8fWZOJsd62rCRQYQ@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: Aaron Parecki <aaron@parecki.com>, oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="00000000000049430705ababf0eb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Vf9fzo7jLtDlxEOHeaJT5hKfhsQ>
Subject: Re: [OAUTH-WG] Authorization Code Grant diagram Improvement OAuth 2.1 draft-ietf-oauth-v2-1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 17:24:08 -0000

--00000000000049430705ababf0eb
Content-Type: multipart/alternative; boundary="00000000000049430505ababf0ea"

--00000000000049430505ababf0ea
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

The (A), (B), and (C) label the same flow that bounces through the
User-Agent. See note below the diagram.

Note the tails and arrows at each end of (A) and (C), and the arrows at
both ends of (B) to indicate an interaction between the RO and the AS. (in
my original version, I had the User instead of the RO).

The (A) and (C) flows are shown to go through the User-Agent to make it
clear it is a redirect flow in contrast to (D) and (E) in which the Client
directly talks to the AS.


On Thu, Jul 30, 2020 at 9:57 AM Warren Parad <wparad@rhosys.ch> wrote:

> From the OAuth RFC, these were actually letters. I don't see a necessary
> association between the left side of the diagram and the right side, it
> just seems unnecessarily confusing.
> [image: image.png]
>
> Warren Parad
>
> Founder, CTO
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
>
>
> On Thu, Jul 30, 2020 at 5:49 PM Aaron Parecki <aaron@parecki.com> wrote:
>
>> These numbers in the diagram correspond to the numbered steps in the
>> paragraphs below the diagram. Perhaps using non-duplicated numbers would
>> help, such as "1a" and "1b" instead of two instances of "1"? Although I'm
>> not sure how that would work exactly because the "1/2/3" are really just a
>> single action as described by the "Note" below the diagram in your
>> screenshot.
>>
>> ---
>> Aaron Parecki
>> https://aaronparecki.com
>> https://oauth2simplified.com
>>
>> On Thu, Jul 30, 2020 at 8:43 AM Warren Parad <wparad@rhosys.ch> wrote:
>>
>>>
>>> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-authorization-code-grant
>>>
>>> Can we avoid using (1, 2, 3) on the left side of the diagram to
>>> describe, I'm not even sure what they are supposed to represent, not to
>>> mention the RO in the diagram doesn't really provide value (for me)
>>> relevant to the code grant flow. It's confusing to see these numerical
>>> identifiers twice in the same picture. But maybe there is something hidden
>>> in this that I'm missing, still 3a and 3b could be used to identify
>>> different legs of the same code path.
>>> [image: image.png]
>>>
>>>
>>> *Warren Parad*
>>> Secure your user data and complete your authorization architecture.
>>> Implement Authress <https://bit..ly/37SSO1p>.
>>> <https://rhosys.ch>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>

--00000000000049430505ababf0ea--

--00000000000049430705ababf0eb--


From nobody Thu Jul 30 10:29:01 2020
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C67D83A0FF0 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 10:28:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level: 
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FXPJg7aKyL1i for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 10:28:56 -0700 (PDT)
Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6950A3A0FE6 for <oauth@ietf.org>; Thu, 30 Jul 2020 10:28:56 -0700 (PDT)
Received: by mail-qk1-x72b.google.com with SMTP id e13so26332739qkg.5 for <oauth@ietf.org>; Thu, 30 Jul 2020 10:28:56 -0700 (PDT)
X-Received: by 2002:a05:620a:628:: with SMTP id 8mr264841qkv.103.1596130133899;  Thu, 30 Jul 2020 10:28:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAJot-L0pNWox1aX5GOkD=QVJakRVVtn=PvysciB2Wak6ijG+Dw@mail.gmail.com> <CAGBSGjo_w5+fOE0bQeeiuQLt0-Xkt+Gdu01C3BHZeuOZNh4Taw@mail.gmail.com> <CAJot-L0XmQ2wbmXPDjhwT4tT8nihmEXxc-N3orfeV21EKyYCPA@mail.gmail.com> <CAD9ie-sf+yxQaL-a1jVm=XyVCTkm2v9rc_8fWZOJsd62rCRQYQ@mail.gmail.com>
In-Reply-To: <CAD9ie-sf+yxQaL-a1jVm=XyVCTkm2v9rc_8fWZOJsd62rCRQYQ@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Thu, 30 Jul 2020 19:28:42 +0200
Message-ID: <CAJot-L2PwMigsvD9j_enPMtb32w-RWgXe6nLL9wCm-UqDbDC_g@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Aaron Parecki <aaron@parecki.com>, oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="000000000000a5c53a05abac0152"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gnuiT7pPpZ0wOTfB01FTWACTbR0>
Subject: Re: [OAUTH-WG] Authorization Code Grant diagram Improvement OAuth 2.1 draft-ietf-oauth-v2-1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 17:28:59 -0000

--000000000000a5c53a05abac0152
Content-Type: multipart/alternative; boundary="000000000000a5c53805abac0151"

--000000000000a5c53805abac0151
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Wow only now I understand that, I didn't notice the hats on the arrows, and
I was further confused why (B) had two "out arrows". Would still recommend
these being 1a and 1b, 2a/b, 3a/b.

Warren Parad

Founder, CTO
Secure your user data and complete your authorization architecture.
Implement Authress <https://bit.ly/37SSO1p>.


On Thu, Jul 30, 2020 at 7:24 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> The (A), (B), and (C) label the same flow that bounces through the
> User-Agent. See note below the diagram.
>
> Note the tails and arrows at each end of (A) and (C), and the arrows at
> both ends of (B) to indicate an interaction between the RO and the AS. (in
> my original version, I had the User instead of the RO).
>
> The (A) and (C) flows are shown to go through the User-Agent to make it
> clear it is a redirect flow in contrast to (D) and (E) in which the Client
> directly talks to the AS.
>
>
> On Thu, Jul 30, 2020 at 9:57 AM Warren Parad <wparad@rhosys.ch> wrote:
>
>> From the OAuth RFC, these were actually letters. I don't see a necessary
>> association between the left side of the diagram and the right side, it
>> just seems unnecessarily confusing.
>> [image: image.png]
>>
>> Warren Parad
>>
>> Founder, CTO
>> Secure your user data and complete your authorization architecture.
>> Implement Authress <https://bit.ly/37SSO1p>.
>>
>>
>> On Thu, Jul 30, 2020 at 5:49 PM Aaron Parecki <aaron@parecki.com> wrote:
>>
>>> These numbers in the diagram correspond to the numbered steps in the
>>> paragraphs below the diagram. Perhaps using non-duplicated numbers would
>>> help, such as "1a" and "1b" instead of two instances of "1"? Although I'm
>>> not sure how that would work exactly because the "1/2/3" are really just a
>>> single action as described by the "Note" below the diagram in your
>>> screenshot.
>>>
>>> ---
>>> Aaron Parecki
>>> https://aaronparecki.com
>>> https://oauth2simplified.com
>>>
>>> On Thu, Jul 30, 2020 at 8:43 AM Warren Parad <wparad@rhosys.ch> wrote:
>>>
>>>>
>>>> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-authorization-code-grant
>>>>
>>>> Can we avoid using (1, 2, 3) on the left side of the diagram to
>>>> describe, I'm not even sure what they are supposed to represent, not to
>>>> mention the RO in the diagram doesn't really provide value (for me)
>>>> relevant to the code grant flow. It's confusing to see these numerical
>>>> identifiers twice in the same picture. But maybe there is something hidden
>>>> in this that I'm missing, still 3a and 3b could be used to identify
>>>> different legs of the same code path.
>>>> [image: image.png]
>>>>
>>>>
>>>> *Warren Parad*
>>>> Secure your user data and complete your authorization architecture.
>>>> Implement Authress <https://bit..ly/37SSO1p>.
>>>> <https://rhosys.ch>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>

--000000000000a5c53805abac0151--

--000000000000a5c53a05abac0152
Content-Type: image/png; name="image.png"
Content-Disposition: inline; filename="image.png"
Content-Transfer-Encoding: base64
Content-ID: <ii_kd91j1p81>
X-Attachment-Id: ii_kd91j1p81

OX5S1E3b3K75lTr5Mjum56Ksb5Rhz7IjzseovTVsP6NWrc4O/X2W4tolAFV4unfIunUcepU6TsnW
x+yQCEgjJ3zPQ9vyjpeyruvrKXAs/6xaBJoiMt9DQAnv47y6UbmcT5dFONtWSwg08ejsJC5hHdKC
ijF0jZ3xyB4CVRVbqErTzLPvuvBFZO8M26dXvTyHjuHEw2hCla6uiegSne0huMb2ztgfibjdi9jt
myalkXTzEhg7wwnPJStg29h3b7quytAzqsk/VlWpylRVkXjWl1VV23RoqrC2aqeexZriui6pKrnH
bktFnXpsYpfeuOslPQtCoLuvRQg/bAOBjRMC0Xm3RSR2GI5asbYtj471BSOQkS6PrhlcGIH4DiFQ
2FOfPEOM5amNdYeROs0QGDrr5h22sLMpU88UswnipvgsItuOeAdMt1StBg86i788OkPL1RCg3TD2
EpgCk7bJv962RDkW0ybCLOp+NfFTCyz64rbJQ6vryJtLYEnRULB+jkOKtr8cx1NEIh4WIA9NCff+
meGiufS7QogQ9CM+BpOYWuG5mA67h0gUVypC0JaJKxgB63+6qR6aIXCTrs1sisji78aNtpcOXKhO
vWHcrkixvzUnBHlg6l63/inpYlSV5BkCdTw6O6nx77N1z3zju4RgqSpJZveX2vBFNPS5LZVwX9xt
ywpksj2oj5EupCaiu68iBEbP+EbtyCim4cslMIb5pjrdd3ODuirDHlRVbaqqYvKpWbuhQGo6NFW4
1dy/xrRJUwy7miLsKy5lvp9kGvLL1ntV96UguNwiAtsmBGYgThnwdrdp24bI9vhvqGpqhGlemubs
u6dE8FFF7uPnUahaDQo/t4eoitQAknlW32ETIeinYSfGzTrs7ncaN5v7RMxvt203iTdkQD57oWo1
uixMTjFQ+zFY1tL6RMdjRg1LEdGIeWLr+GseWj2BGH7Rxl8mNIQSQ15qDfmSQZXM9pNK7fYQsbia
xHOSlx5ohkDKXPcIX1qy+pLv6AdbMhAdcMO2j4qBDaM1zxOCbux9m3Q/RAhEc87G5xwXGs+O//oR
pMi78nNOCO555Bim7QXRMT2zSRLlg+KmlhCo49HZSdysI9kdL/zmDMFSVRI2y5/a8MR2g74Du8aO
BLuqareaJqJLTEUIhko4aTpkA/vrSzBQUDadxQ5BaKsMe05VtWl1rz9l8EBV5fP/86ZDXYXJMlXV
nq5l7nY70RI212RvGvbeD+Mko+m57k93X/yOz40isHFC0J8d6msdVaKveqwR1rfTwaTZQ9qnyEfw
HXOdEgKpUVMOI6bhu06RtUp8zoE67ykhUPJnskRNCO5F5EymzmnSgWYb7ywDxfgwpqrV4Nmfxj+2
7EcIgUSFpPipI++HU2wM0hMCwxMT66MiU3+ZEIJ0SgiGlpI/zyZBaAKdLbzQezMQgmEu4mcIgZi5
uWW+dLaUCMEwbKJyZUSJdV/9G6TOvOrunBDQC3gr8yyNA9cy7LBbc1I9TPfGhIAA7XmbKh6dneP7
NOp9hhD0QExeWEUmtFVvJSHQNhFdmj9ICNRVhqWrqtrDS9y27deEQNt0qDv+JUIw3t81Kox7VZzT
I+1rsHy5Puvujx7Gl20h8HGEgE/KL035TQDOQ2nIS92CaJN7jkHNKM1kD6Octjn7YvzcR6chBNp5
S7GpULMzbdphUzr3S2hbfENcn+ydTOnzS9vJhsFJy/vXoRnvn1IQDu385MpWRjevqIufhmTDIexr
bA9LBqYVXL7aQNdnieIZlh7mSwZTQkAz2UMPx1Zr+eCKIS9WCRSE4KH+TJil6//YDPzxSIsB/V5J
IgT9IgkbHrJ5WJqKl1e5RdRffSoJgXiIFmS+Is7yKkFL4+gBLhENMVwRj85OArrPJathjxACRRVb
qkq9QdKFNjwxhX4RhopbejcU6WqbiC6tlxAC0eywZb7OOl2VYelS7qYFsq6q6psOirt/EyeIKu5T
0zdwein86JKqtt/zueEn3f0hBK42g8DnEYKWNhWa+5jvRSvOSRgvbsGinf77I5uBvxdH2tPWDdLu
NNcQsB1e1cm3djIhYGtgXkJ7Afui0hAC6h/5psJbXaSH6abCFTMEt3Ng235WdxsLRdLU7h9ObF/v
7RI5xk4mBKxb8bNKNpRbPCccNMQebyrk8/jrWpmWth52mwrrG23UPJ74DiNd/LQZkG+la+szAc1n
CFpaHDFoe2hV11WZZ3GQLHp/6TcV3mraUTXdVCg1+gwBInl2wN6NpsoC29h1IRYJATEuO7xQIfQl
v3ShDU/dpzGykVand0a3//QS73t6Q5v1DCfMCgLiejlF0emL7YDMohkhaIpTTNtnb7e6lLfPau2n
kfSBHcig3aSG6H908ejspBrgxrTFrqHdsI9tKlRVsYWqpMyDLjzfVMj2z5bnyBlze6rH46qtbSK6
RF9CCHaGyzcVZoHdu+bSVRlKWFW1V1ZVfdOhqcK6qk3FKra9lkV2DI7dggzt273Qhu1bdYlds99M
pbuvLEbc3A4CH0gI2rZbG6ajLrZ7iMSpIg2qTXkKXNuybWfvJ6eYtnt1o9IqC1zLtBzXP6Yh+aOR
+oD6EnX7DgRj1hGClq1A8mOHdHhOrJbrZgjmK3Ld+Hm6RitqFz+0Z9mOsw/SNBS7K3l2qa9zLdof
IUZp2vi7Y4fsiJAbDIfbVrYylG53NokdNpJOUbEzVLP4xbFDy3b2QRyKPQQUzy1PhmNywZcHD8Wx
Q4sdOxxOybFl2SkhoNhjz7Es23G9KEv6zf6LhKBtrikdkSRA+xdF82ax29rw7DBDx314BGzJ4JhS
edGhMXGAlPAk5NgrZNquF6aF9BLNEy8ia7LnoBuSl6fAc7ozYIf4PCzpzuPgd26XaG+ZVIviUzzs
d9HGo7OTjh0ypPdhHDy2ZEBv47SKLVQlTQ74uVX2HkpVjx87TLpjhyE7TzJEME9X00TQosUY6G6f
ir4pGFIZXVEVC5NjdzQzuvSTRvwksKLKsEo2rdp0Qlg0R48sGXTnfZVNh6YK66r2/Zry44Wm5ez9
+Nwx1urcHemmrSvDyd5Wd3+ECr5sD4HNEILtQQOLtowAbeQfMbjNGUsr9OMpX9q//shs+uayAoOA
ABD4LxAAIfgvivlvZLIpL1lBqyP36hw4a/Yf/HL+m/uNFinMiT8BEIJfLgckBwSAwCoEQAhWwYXA
70SgKY7cY+Nj/vzeZirtzzMsN+w9OHaWgBC8rUiQMBAAAg8gAELwAEgIAgSAABAAAkDgryPwiYRA
6YRm4wXF9NeW/f18NwdsjxTbBPfiNfXRDqbvWrf0HHNSpDwzufTUe39bIc40OwXwXsvpYOEqn0tr
w3+RvcerwC1n2+92O3Hs4YuY3/Wzzs75AR/ZQjo9MBzDlX959no5XSn28ujwzZLzjbhSqAcu85Bv
b5UORstPkSuFh3bmyg/h+p0IbIQQKN2H6XABIZCRIbei/qm63+cnD+Vg37j+DiFQeVPRJv3HCcF7
5IlHh+pH0K+1Z234UWLzLw8TAtJL9JLy9vo3em7UM3e0di4rjz9LCPRVbDndWVaL0HqWELA4uSsP
1UHZW55EkijdzILHbnCHMY+FRagnEQAheBLABx9/uDV8ML4+mL429kG+ewFCoEBuxQyB4ulfuKUn
BL+Q+FISD1cB8sAX/8xs2pJ9q3/7pp0/RwhW5uDnCcFKgzTBQQg0wPzE7fcTAq0mqVYLVZohqDKf
fPl0apxqWWQ6NKzWKu0PMZt0EFt2IKCCWqeRqo2/qc7soLXp+EkS2Fb4dSPHZmmznKspm7aXcif7
au3RSzAWapY8K62KZ5BFJl1kPxHKcEQIHtdapWP3o0Pbwi8CP1HNVKyZXvXgNkKaIbgX8Z7koTsP
EbxkJrLITINgLlvM41dqsKqKcbUsMnmQ1Mk3axJ4kTxx2w4F73iDXwHyZ6CQUSYNvtFf78FKac/9
fDDdA6lPO2FKfjhM8orFcqQMz53lygkMfunYoXaFfPPKKjDNwbBkoJY5Fq4+5grjmoKhwifFbaZG
Lktiq+PXVW29nTrlcebpoHM/cTwYw5LBUMKyrLBakXyhimnSXZA/btt1hKDzWzBVPKfax+RAJjME
woXDzJnHmqqtVRgnTyhq2WV9weOXRxB4PyFgVqqWDHTapr2QTU1nzw5Mtpci0cki67RKyZMduY0j
d3tlnmVfEQKdRqoufu6FLGOKp75t7B4kBIblHOK8vrfNvcwLaqArnfYo5VpZG5kf2ofjYT6Bg+xK
7sau+Sm7dr3yWq1VMkc1n9kUsdO5aSOVY6P3PywIQXNNPMuNRAHoZJGZpx+VbPFardWVssg6+Wb2
5i78m6/B01hnhTwxd80YX6q6vpKrRSEpqJNRZrboZwgm9tzPB8MOztX1uCeHimWV+da+95Hdtpo9
B9yP5i2PHFPIVetkkUn10bCDdVVA1VFpmwKqHHutwvi8bNiryHV8b/X1fEy42oMufl3V5hFrO9TZ
Wj7JahhudCnrqkgO1m4nCIGuai8pkquqGDdolm6rlT+mB7T2z3HTySKzkOomiH4iU0d7CFZXbYpF
NUOwtsorsoRbKgS2Swi0jsoZIQjPF1IB6kezE6UW9hZ1ip3kSrt3xC35GKP+ZXD7pQJn4Z6kkaqJ
n/sp7zzOUdf3GCGwZzbptUfJPnVtJJumedPGQ27+e1/0Up6/o7Wqaq2KSBJuJ4fRQkqVEYI0Tw+2
Ew7O27SyyFRg/aIna/w6mQAq1FG7I2Xiq8uvZZHHGgqDfPNXMSs6VLWssC6iUcJMLarrR2iGQJCD
dpBR5vGsIQTcQT2p2ZK+fZXsR+oHEwIhmck0N7jPY2LiOvnmb1UBRUelbwo6QjBI80pGKi4JUfHy
ST9r49dU7e5RbYc67Zhp6GH2qh10KLUrSG2VXFIkV1UxbtE0XSmLdCnJH7NftPZPnqOeXaN9wEKq
myD6aUoI1ldtikVFCJ6p8vPs4U6PwHYJAZMyOwtnwrL0WR6ahmkaO8PuK9mSLLLEAcTLxWMl7QDD
dEgs9nQpvxbZocmuh2WUZYNbJiP2KCGY6IPMPRH32qNUiuraSC3Z4/FUp4NlWO6BJEzzbvmlbclP
at//PiCtxt4pRWtF88/CCzPNdwiRP67ywktSlnvWyiITIegla3i++YrKWq3VdbLINMwdPA5yEjO4
nu1r0vxi3qGqZYXnT/I7ElJ0Y9D2I0KgkFHmT60kBHcWMaMXdeoxVV5hz9x+/gubimMiIPz71OU2
86JdTZU/SVr3kSqgIAT6poATgqF0hOmaT2IoCuaojV/bdLD4tR3qtGOmKtwTOFJS7QiBvmqPtu9M
VA0VVazL7jRd4WJ8Ln+8bP8cPZ06IgupboLopykhWF+1KRYVIVhb5edZwh0lAhsnBL26gNy/EiFw
4/yaeiRO1HXktFVnNL7ps7tUq5v6esmSiJyef6U3p9VIVcdPBkv2FNFDrSFrg/PedLrgrclkhW4I
oa6Nq+O518XllESebZh9n7vUKg0GjK8UrdUt8xYIgeWfrjT9PFAC1g/KMqoiBdbeCe1AmRBQgMe1
VtfKIhMh6GeYuLykMEJYpv5Udqgr5IkXCcHQr02CrSME59WEoD4dLCeShZXH8scDFt+rAjpCoGwK
GCF4fHZoiRCo4ldXbZHDlYRAVGGSW+QzBPqqvVT1FFWss2hGCOjV0Cqnr1kyeB0hUCueL1ZtFSGg
HD9e5UWJ4fNLBDZCCBSapNp5vH4PAS2ud3qF3chztAQq8r5cq3koGnwOHF48OfocNbREP8RYQxM/
vcb9MI5GyY8MjxQdOVOFGzqkkU0LMwSOGYyJxRfxdPHS8oEYcC21SlMzxHcqNfG8uFeES0sG5Ifg
nkd2TwkIW6Vb4sVWQySmmBsRP3Wfa2WRaZ5ZrPnSwrqQb55EO/+qJAQimCQrLG5NP1VLBkwOkmYI
+gUhBpc0Z07UM1JuX53YQ5sKD2sJAS16u7HYdsot1skis6Hd6iqgIAT6pmAlIfjGkkG/MbMbqIop
y6U1+GnHzHYr9UXEeukjm9uipkNZtZeqnqqK8YKYpquXP2bh6diH+k2ZvolfLBmQtTxDkwenMwTf
q9pE45YkQOZVvrndbjeppCZm4asegY0Qgm8K71YAACAASURBVFVaqPIpA4kS6GSRNR12e8vTY5aX
TML35JPj+cVVA61Gqi5+kt/xEtJdvtO+rUc3Fc46csZ7lNqjVKwPzxBQ26nWMKWdR+eCgKiKxOtF
eVdLqzFzqDefyDHzLVVM+1W9qZDYfh72lEAni6wlBOu0VlfLIuvkm/W1iv8y6YDbVicrrIuo21RI
8tB8U2HX6upklFk8ROncuLjN9Zsn9qwnBA3tnHGP1/tEoFsni0ybCldXAQUh+K7C+BzXYVMh7SS+
JGm3qVCjYK6r2jzih2cIaJ+HYx0yUp+k3ZijTYVKWeElQsB61UkV4wZNCQHbxaJVTmd7P+zwXN3I
48Mcq9EdnVwyC8RfuXwe0ZQQaBXPtVWb4qfR1FSRfLHKkz0aV0mjTOHLHIGtEII1WqgSIeAjBLtb
0FTLIutqNZ0l2zsWlx71R7LFc5yo69XIKOviJyHRcG+T/K4Xxf53lwzIFo32KP20ghDo4rld4sPe
tgyDTgVKorxLrZISIWbPTI6ZQdedETLtfXgijsT+xCkD9kWmBGpZZG2rsVZrdbUsci9APZVv7jIy
+XidPPFwKM3xorPY3kEzBAeljDIZQv7zHJOOgIrRrdoePSFQh+erV5pjhxr55m9UARUhWJBFJp4+
LJ9MCkL1tT92SC97/y72J5AtWcFcW7VZxHNCMN8UIEbOfePhHo6RJzYVaqv2YtVboXjev7gq5XQ6
uhe49KYYyqnVMXrdscOp4jkLdL8mB4fOQItZ0zJx5ReF+Zzs9t0oFc+1VZtFr1AYX6zyIATjolvz
bTOEYI3RCAsE/mcEIJL0P5c+8g4Efg4BEIKfwxYxA4EfQQCE4EdgRaRA4L9HAITgv38FAMCnIQBC
8GklBnuBwGcgAELwGeUEK4EAEAACQAAI/CgC2ycEeSi5x/lRLL6IfLTDaB72VXbOtgrPk9rQHdry
LDZOcbPeZv9sS/OrYCI9I5Unx1fFP46HNPSWDlkNodleK7Z70GUeh+mUGdvKJblNGEK/4+qLKvOs
SbQplWc4uKjielWVVMW9rXuzWrgt83prdFXpCxnl/vknL4btmJKLmCfj/GOPb4EQsP2rTBmFRIbC
0/iUc5lF8fkhz3AvLBo6sMxb2SHSL1q3V9m5UsN0sO8tV3NC8MP267yU0Eb05AVaqwoUda2YIugL
bj1MCOj4P50vJJVgcW6DeYfz1GfbX2DbUhQjPx1dwC+qzFJ0j/+mfyNeUiVVTcHjxj0RUu+AaB7p
pxMCliP1gal5Zr99hxorOzzXkxrz7fj+4oPvJwTMcZwbnoqyqq7FOY2Ol04A4I14q1qBX2nd3pjn
byU9JwTfiubxh/TN/+NxrAy5UULAkZCoAM9WnYIQrCzgxeCqpmDxgVf9CELwKiRFPPXpPVVDpP8J
n+8nBKT1oZ4iJZdebEZw8KhPkFLHrJYz1mmbqmWRNcWjlWOmdIPTmen4mo6f9hMZGjulw9MPySu3
rUbDVCdPrMlAu6h5qn6I+ax5VHaZe2RQaLlq7SctB9OOzpfjwTHJ3UGvs0tatOQKgh3/luaB7uUp
9GjWiASZuY+IBS1UndZqU2UK2WWmiaCUUVaDQ6fL93HaFfxh8FhRX+LOk4UpS+ny0+UByV4YpkUO
BPqMDZNhlusnQuyZFbBnm4Zpe3ESfblkQOesR8e85cksJSGQ/RlwGeUmD6zxWg8TH5jNi6khGd2d
igH3/g9YVVVWmXZVlWSp9f4DrAnWKoqorZLqdDVNirYpGGV/+HKNHdvzPZt8DZ2OnmWY+07QW+9X
gBw4iNlRoTxOL+iofJXaY0O6THbECRNWu0ySUe5fOElAW5ZXlp+dXHf+BsYyx7omhVWN8BiQuxXL
OQxvtKZqaKsSGaGeIVDKJU9slr7qq/wIUSwZSJjJl+8nBMyTZy99K9vGr2cLgVpN0sENWS1rm+pk
kedJDXdUwwLykGky6dTqevJtwzsN1Y7JF032OqyVV+5Sn6/BkzG2Qp54MHd8tah5Og4qvhEre1Qu
WavlyiOb20/389A0LcdPirppm9s1v95a5rbM2kfna13X5MLQEnK6LcnRmvv4XNa3usrT44mLGFFE
quafJzzbQ6CTXab21lDJKPN4Zv+Zuxlzz2SISb3W9DulBY2MMjdSIXOskwmmkYt1SAuCIXSNnYYg
TwzTIKEgBEoZZZr3mHj0KY+OQgtwkqzuq2bJQFllVldJTdVmtmhwUFVJXbraJoW4nWL1UIMB1aJ9
cq2ywCLXelURu2bANBJ0hGCpaq+bITB2TLWgrq+nwO41wHTyypoMtDqZY12TwqqG5XMfjJfQ7l2O
a6qGtiqRQQpCoJNL1tmvq/I8vKJq6CL6b++/nxC09+K4t3akthfE6Vx1UEUIhl1T0jw+VS5Fe1Yl
I1dmjzV6qlaAebEXJIAEXcKRWMDMTup3eo/zj79g8w6VBoTf3tQ21TxVG0J5m9qq0WbVarl2Mc/t
px9IkGqSB60WKnX608C92frmf0YIdLLLVDD9pBMzd1msiFqx4cWiVl/hf16SUW5btcyxTiaYxBV6
IY175hsvJgSs14mKbnGBcsOmBmg8y1zZl6cwJvVpgkKRsx765QsdIeh581BlVldJTdXmBunfiGmV
1KZLr3+fc6lJoQRUTYEGCYEoETzmCD0PTJ59HSFYqtorCYFwEshFRLnrQU0V1pj/lcyxeExqUuhl
GgbbVBIKB/BS1VisSnNCoG8ihC2TT12V58FACCZwKb5ugBCQVTRozNI42FsG+fyWDZ3WajYP2ffF
vDVgbZ1ayowk10aTRYN/TTmVybWqFWBLBoIDSOl2j87sbNfKK/OIFB2qRp54YnP/lU/6aTRP+1Cj
C2oRH5RLpjrdd1+SlquIT2E/JwRTIRWtFiopXfUdtohWfOqb/ykh0MouEyHoJR15KyRmIIa3ReqU
Kcd9eOo2hefZzlU22+hP71hPqdQyxzqZ4CKyDD6QpEx+JeUigNDNlcxbPZqDkwSnhIwybf/w0rq9
Hl2TiADN/Egy1X06D15oCMEgzdFXmQHkvmIOvZkyNXXV7oLq34hJldSnO+IAvZ08flVToDSSFjMd
9grQ5AurTXlocRasIwTtQtVeSQikGkO+3amFpBe3h5hfDMWhzINO1VDXpPCqIdprqhpd06CpGtqq
RNbMCYG2iVAaz1UPpFd48uK386qhiec/vr0RQtCXAI2W+naV3Z3Uar6HYBUh0Mgi92kqLlStwFKr
oZqfpGhXyCsLK9QdqkqeWDwx+WRrMOG55IIlRTydypgEZ1/ZHgJBdngAqrvy2rR4bHx/0HIVv6vt
n5Vi27LqqpI5fhkh0MguMwvFpMCYELTNra7YXz2opWlaMbYblhYGmCYW210ZMzFChoRC5lgnEzy+
/2uEgNTqreBSpp4fx15IF1aQzzYpinL96lNHCOZVlW32flBmj6f6MkKgaQqWqraqKdBgIRMCxvAY
ISDZ4zEhCK1hVN22uqr9GkKgqsIa81kjZnWLHKMw2iaFVw1BCBgFT0pS8SL1UkXV0FQlnpiSEKjl
kkfWDV/0SussDAjBAJXuamuEgBqL8VBy1pXoai/V3GFmt88wvcwPaHf04dmFQo5ZOzPRPTmzU45R
4s7ybdW1ukMVIWmOURrtidvS5xeap1JI6VJBCFh++3nUIaxWy7ULorZfgQ4r6uCikJik9n+yvtCn
r+8vpzMEpPc+zGDe6cXiErRLhKBPR7qgVmx4sfiSwZ1mZmWlZyoYaZDWPy7JHOtkgimiPruEijQ7
0cczv9CMjGl42k/Ts6eoYtiTJQPGXIrYdqPYP5zqIvbCOLDGb1Zzv92+lMHr7VLJLmuq6uoqqana
PG2SVFTvSp6+dNp0NXay+FVNQZ/p8YWeEJAOkqBAVEHHTRyPZVq19TLH41Tp2yUwhkkWcs/AZ7Qo
X4oqPH9e3KE0x+Mx+kXfpEyrRqcZq60a0/C0+tY3APTqj/e56psIYfDkU1fleTAQgglciq/vJwT1
KQzi04VOHZbFKXQNKxjpEE9rtb5jHnYejbRNdbLICjSGW1SVvKS8Sye8l1oN1QzBSnllkfa8Q9XJ
E4snJp/Uues1TyeBu68qQqCTS9ZqufK45vbT/Vkp0vTJ9egatp+SvG9V5lkcJN0Im20q9OILl2Q+
HTMxpa/WQuUJzwgB3/04l13+DiHYsQFPXdOmQss/08FYrYyyVuZYJxNMa84u24/ekET1c5sKWf3w
kqIeenOdjDL1s6ZJbLkh9Wlz3BVQB6WcI+remckHBZ/KLuuqzOoqqanazASiXJZ/KucqvrOXTpeu
zk4Wv6IpmGRdfNUTAmJpDi/hMvHMnSAES1Wb9YZKmWOR3vBJ66KGy151EspmS0H0q07xfHhycqWW
OdY2KdTBU9W4VDVJp1PVoP5dWzVEeKryUlXqjOCvkCyjrG8iJnZ3X3VVnv8MQqBGTb77fkJwL7Oo
lyF2vPB05ZRxvuLX1aKl2tufTRppm3YLWqTcabuHKOv1d2UkJtf1JaJzY9LKsCZdrZ1r5ZVZZRkt
+XV0WSdPPLG4/7qsedoHky+UhEAnlzwIQY+0XLX2U0KztpmnrtRCpZ+GY4eWKx30YzQi9R2LCkaM
LvRaq02pkl3+DiGgY4d72zBM53AshJ8MjYxy25anwHPo1CE7unGu+3n4RiMTXF9izyGh7H0YB7pj
uHKBLZ23ILNsAsjsHfjJxw4HGeWWWmA+rUGDwMlkcXl0dmvGl3PZZT13744dkuT2o1VSXbUZJvU5
2rM3opui0VZJ0jDPInacdZSupmp3gM+bgklJiK96QtA2Zeo7dNBmH6RJ0E8XLFbtwa/eMIEkkpp8
0tg6TI7d0dWItoh2fwvK6SLI+LM7djiWOdY1KVTnWdWgA8IPVI0+/LQqcRtmMspMzTsZTvAGx3zI
2tju7pu6yvMfQQiUkI1uvp8QjMzBFyAABDaBALXdw0LDJkyCEVtDYL4+tTULYc86BEAI1uGF0EDg
v0CAJuLpDAL+gIAeARACPTaf+QsIwWeWG6wGAkAACLwZARCCNxfAy5MHIXg5pIgQCAABIAAEgMDn
IbAdQqDZdvYxkL7LfvWufhVso8PQqgAP3ntVPA8mh2BA4N0I3LKDozwh+xLDHq/CmuRo/yf7mxx8
1d3XRPO+2zTT0J+8fZ8ZSLndDiFYpVVKB6bWudx4TVkvpLvK/tdYw2JRyw2rvJp8pyN/VTwvzDCi
+gKBPGBHCb8I9b/+vFCFdZDQQVvJAR4P9o14tPFf0yjJxdkVXagv75OzA8k1Vh9ed78P8P4LEIL3
lwG3YDuEYBUiL6yNH5HuKiMp8Ks68lfFszoDeODbCIAQLEG3vukgNw7z0cf6eJasesVvuo5fd/8V
ab4oDhCCFwH5dDRbIATkQEwx4UWHgxUyxwuapPyQMdPX3YcnydtAle7NQ5qf+IFWy41J6aW5nkLP
ZRq1vcSuwLM/9DxorerTXWc/HaUvT4HL5YNPiS8844u0R59k+VQvpEo6ETWl3DA5RRx5M+gPMdMM
QZSdwj1POiOfqvq/78QzHHd/UGuV+Sd4XBa5qTq/AgYd6B40ELWap8M85MRFMS3wKNKV/B+M3omV
GqyS6KzjfS03TO4ADscTHZA3Tds7DrLI7FA4U8cdyyUzIaL98SLUnZ1Q8vioIARDwYzlmNXFPxIB
Iq9JvQdDXTxaO1tl1VMnu1QlydUA6UM7fpIEthUWXRTqKr++6dBZRLWV6s1xcErNnGqMapgQsWCu
KI+DE63y6HJHDs3FN5wgjjzHtizbY1JSPEVlFWY/df4AHpMhZk/oOv7Zfa2dWhR08sfKB64xiWaO
fxoEkZRVSfgnYI4UnLHjkXFE+PazCGyBEPAcztbg12qS6rRNmcOuvWHZHnPw39yrvKC+8J4nx1N+
rUgrOQudwd/r4BZtJKNMZi4MCx62n0t0RueyrovUt43d2F3npLyLyB47kGM2SOtt6gVIzcjeMElu
uGJexWZEY5Iy+7omntVaq9xh0eOyyEzoIrqUt1tdXS/puWt6OaDrPBKq5JhbjezyWg1W0pC1Orlk
8hvHBV9oECT5aSV0hfImEQLDiS4kCV0me1NMT+vkkulFzA6Gae2D0/XWtE1d5GXvAbYtYtcXqpy8
TMnLsUKOWVXgdE9LCDTxLNhJhGBe9XQJ66okc6BEAuB1mQWOYQhCoKvya5sOnT3sPmMX5963lAir
agro3lBbez7QEiHYkefTpm3vJIo88S2dHaaLPPdLYJtumF2rW10VWZxyBqSTIWZGzTr+ztT5fZ2d
Im+zz8V0p6FJ3XDiLJ5cAtG4RleViBB0Hg+ZB8NeYXwaN77/MALbJgRrNElHrdjQ2DL8WKvEHdlr
8KTK2ynOUW0ZXNePw6tagS6EihAo7SeJzn6DErnmXyQE1N+zAdrtcgzTa8M01eSlwlWEoCcBbNij
WnAc51e39KCKZ7XWKiW1ShaZmuZJn0px6DRPGTLiKP18hqCfOemzrNZQWK3BSi/J4NKH2jpWwkIc
t53JDVN/189JD++xTi6Z7CVCMLxdfQ40F2o5Zk3gBUKgjmfJTk4IFquezoyhSlK59JMU5G6/IwQD
VCwOwa+Y/tkADr010oB1oQorLeFSW2JGYgiijOd+DizBCIg9dZN7RAhE89K2TKRAvJcU4bwKqzUF
hsTZ1TDq5j/MO37tfY2dkwQ0X6fpzoLRKII1plUWRTQR2eR80UVblaiSDG2uRmF8lg5uvB6BbROC
oSJzJZeeps9r49xdae/allx6qySBaPKqc09MM4C9J9zjSHJjhPk83f5nFSFQ2U/vft/6k+TnMiEg
UUCqKvezb7HRB4005UWEeWtCJmlG9gOTKKLef2qfBcXF4/Ewkj+eSf1Ca5WSI6VWofrSJa/XPG2u
yd407L0fxklWCIfASzLHS0sG03RZWQwA9WDo7emDjC9oCanvv4ivcGlp4mBquWG2ZCBEXoYpep1c
MqVGhEBMJIxTV31TyzGrQrJ7o452sIcm1SLHMG0viI7p+Sp2wS3Zqal6RNi7dcLR66+sklS1e2mg
ljSrOCHQV/kRB/iy6dDiwH4gpEUfL4dUNwXU5dkx0QeiJ4L3syWDYS0hD8aqi/MqvFaGmBm2ghDQ
OojCTjl/o2u+fvGwojpNax5LJjdsksxSmbh2WDTUlo1biN2OVzhqPJQK4yMr8OXnEfhLhGBcy2Ts
2EKmaHG7H26ng2n7bMqVzZK6GyUEJBSyT8o89KI48OjCGs3HzVsTyqCmIx9atucIgSKeMdGR0V+6
ntGoBVlkFs+9Ks7pkfZBWD7XTtZqnjJkxEiMidaRNCv/U6S7QAhWabByXeeT6C57QkBlopYb1nTA
Y1lkYTn/VJf6OMzom0KOefS7/GVsz0jUsVXEs2QnEQLVrA6p/nKh6bruFRU1VXKBEGiq/CsJQcOn
RWR82LWaEHBdn6hoaCG9m3KkbQi+RCqIGUoERzVDoCEERDUdrbL5GkKgtnOWye7GcrrzpwibQ1Zl
vhfHBz+r2Nf7QtUGIZiD+J47H0oIFJqk9NKOekoJUFWrNNJvpzoqCAG9zcP0lRQLbTA6+7qB2ayL
0bVK65YMmL6f6ceRFxV15h/iaD9qTBTzjWQym5YcOiWWi9Gxw0cJwUnW+OVgaOKh/K7SWqXYZqjx
TVz92IqnqPh/jfm4m5YMNDLHI3110oR1lwkBDerm6whsU9nX9kgm0gs0XTJYlBsed8D9Jj629yum
VaL532pCIKJgQ8PJnIz4TXzKkwItzd9K8x0ijBTPkp16QiAikj51VVK/ZKCp8rqqR2ktVGHJFOmS
3pzxmj/7URcPCe7ZYRLRxjpRdEQIRPPCu0VpE5CKEKiXDPQyxMyiIrJns170g/q+yk4p1/LlF+nK
QbvriqYE2PilTLwgDrtTm9TMKqsSEYIBr15hXBEzbv0sAh9KCDqN15E8sU7blG8qnA1TiCTsj+wo
wr047s1+yaAdNhWOZJRZQVBTM5FF7gpo1rXpWqVuU+GlutXX05ebCjtZO9Om4QapmZqTnKi7Blb1
Jtqpmo588QVbE89qrVU1IdDLIpfZMb3QLtBbdYndfu+dVvOUjmPs+51cpOW7OEPQbSqcyS6v1WAV
mwpJ45VvKuxmi4kpqOSGNYSg1cklK5edF4qxKU4xbZ+l13m0fVb3DI35DxkJGdwuoW0IQqCLZ8HO
VYRAWyW7TYVlfSvP4WRTobmPz9e6rsvinIQxE6ZeUFls2QYDTRXWwME3MwybNrtg2qaAuCptfOz5
AN9UyMb2NavzX28qXClDzEwiYmaH52qqA627P7dTAwCRwnWK6jStSXLaBcHtmv0AS1eViBAoFMZ1
9uD+jyHwfkIwXwl8QOa4bVWapGptUw0hGER8nb2fnGI6IdRX+v7Y4UhGmUphlu437J8cO/xqLVia
vrgenX4DAqtEoyU5eXeiQjv1O4SgXRXPaq1V1QwBoayWRa7O3TlRWscOJRVrnebpvSBFWNN2vOh0
PHxNCLSyy2p79LVyOJ7neF/LDesIQdvq5JI180I6g7RyzLoHbpdob5mkTByf4mH/jTYerZ2rCMFC
lazo2CFJ7PJjh/0Uh7rK67g4z+6sCutQEPcrttbTNw7itjYeGuFatGYu/mjfvRMmcSdP3B87XKrC
3bHDx2SIeUKsrpJk+2SqVHd/Zqewd/apkz+eBRQ3aGOPGRAlIm4gGCX9qqxKBIRSYVzEh89fQuD9
hOCXMrrRZGiLoGJCdqPWwiwg8G4EiB4Pm3J/xxo6BKhYNdAk3q2mDHyAZgj6+SzNQ2+4PbfzDUYg
yW0hAELwhvKo8iwvb03T1HnsWo+3NG8wFUkCgQ0gUBfnS1nfm+ZWJJ4lLf38lm11fsquszmCeerN
vab1R3mujvk22hohUNs5zw/u/GcIgBC8ocDL9MA8JBoWOeWC5vwbigBJfhQCdRbwGmOOlmC2lof7
+WDsTPuQTLjD1mYIdHZuDU/Y8+sIgBD8OuRIEAgAASAABIDA9hDYACGgUzGSJ7HtYTRYdL+EzmHs
FXb48aVXtFI6mXd8afyPRKYx4bc0VYftjONzlo+Y/hNhyLWDtO/06yRob3Zw+Trcd0P8dPw6u96V
rs6eT7pfJXsnkrYbLtquPkC0+MgLf5w3QW+zZ3XVU8GwCnpVBP/FPRCCdcVcHt3hiPm6R1eFntfG
VY+/JLCGEPC4dV5QXpIyRUII2OG5vt+bRtqf9bL4V0d0y5OI+Y5+9Mn6coyy/qDjo089Hu6n49dZ
8q50dfb87H06K/qqTYxsc6JwlfW12Wpl86+fe02IeRP0w/Zwl5Iq41dXPVUk7f28ZmuoMoq/fxOE
YGUZ0xEk2XPwyscfDT6vjY8++bpw7yUE5B1ntZ+j12UeMQEBhsALCcFnvdK/3gTpCcGLXkU6AfnV
Ge8XJfWx0WyEEPhJ6jumYVj7QDpezg8xT2WL2/ZWJD7JBxuW6x9z8hFLk1nkJ17+G070ccVNwzBM
OljNHmAB1dqpwm/BPF32ELkpeYgRaOWV2dA3TXzXNk3LDQYZYsk/QXo8jJy8yxmTrtdopDL/qSoN
Vp22KRGCMDkeHJPO/UfnEbzKGYLh+P1j8sda2eKxgPMDSwbkFkohZ6zUWiX87uUp9EhX2HxE5vgS
cIMGb3PMX5Rr+oPrCuo4hEdnOoXNPESMlwyYZoFS5viW92fU04jer+U5kdXxU51Jufg3edZIxaa3
ocCETDMpeh5M9+C7lumEaRo6pmn7zEkRc5q5Ll+tTrZYeofHl8yp6Lzq6aoqAcffz1gCTu+HQB/P
kTcpchOhVzxvdU3KODPjb9QgjTwUEkGQblB/JdwZaWSRdVV1nNDoG1vgyXLeYpq2l/I5q6HkR1VV
1wRp7KGUXlD1SGtm5FFlqGjKqkcTiJWQ/rb3g0sSEp7Yx2l8ICFxa88ERCU0GLkbNCWkX3DZIbAN
QrAzSFWgrpkfMmfw1qrUTq2zg2kdkqKqqyI9WNzrV3l0LeYHYyjZPLTYKjyrZ4ekqMlRW55lghDo
tFM5IdBqtrKp7N4xypDc7Eqn5dqSm2TTS8lJIjmCE/SCO9yLLmVdFcnB2i3LIlNy6zRSiRAoNVh1
2qZUF3v3aoEtqY9wf8FTIaC18sc62WKOJCmmPj5DoJIz1mmtflPmeLaQSSOanhreiT6N5SNna+1E
CFQyx/yNTouqLi+RaxrGV4SAI/Rw/G1LosrWIcnL+laXl+TIyZ1SppkIgWEH5+p63BuGl5ZV5o/V
Mx5Pt/MwOJMtntWV4Yayyuuqan06mJafFtRyRK6xE8DpCIEuHl0TQWapZgiWwg9ZmVxRwzFxLcx8
RItxDNV/wQf4o/M1e11VnSQlf2Xeh5xDnNf3trmXeUG8XlNVv2iC5vZQQq+oesxg/QzBrOrpmg4m
Amr7WdWwSk76bSNqzXTHuASKjBGuewS2QQiGvobeuaGjYa2D5AKUzCY338O8D1MwSGvmD4sdT74X
SZgUTEiDpGRIgFwtVzZyD7dGLplqWN8P9EB+cTFoubZECHotVJJO4f0INTKDLDIl8tWmQrXD84kh
g1YpEYI+3bkGa/fcEL69BJIDdvLoLktFzGcIVssf62SLuSWrCcFUhoD8rkhdNDXs3XBMq1mgCS8M
mm4q5C0YO50+SYw9oew4++Xo4f1jb7Twqkxmin6tKxLdx6Pxtw1DetYOUlJDi0nO4tgbRzMEjIkV
xKivTA15NEfzcLo6DQJdhui+qsoPULEne5ljLXAaQqCLR9dEsNRUhEDTpCzlq2u4kmoUiHo64Zes
iO1BDoknnR1Muc6NHmUaBaNymfzcfSUHxVI1YHc1VfWrJkhLCJ6tetzUFYRA13RQwfTdBzNX0C2e
BCs4eqfxp0FgG4SAO7lkJo66W2odRH0RGWBqsv2UKjkOZrS7UwVu8tA27TBviI93Ln9u58A2TIdE
W0+XsvMuMvc4PIgZsFZpmq5In0ngxRU1HAAAIABJREFUPDR0VWq5towQDDW0FxmiBnnwuEJ6Il8R
Ao0kWqvRKmVLBsN82aDBqglPhKCvXFyoWDoMMiMEczesu2X5Y61sMUd6NSGYjL70WqskSyNlTBSs
Vpu1CzAbppCf9k7SjprSWZTKjrM/p8BGh0x+it7oXhiPvV5PzBAo4icZ2hGZ6zLEhkuDAJaQaeaE
4M46HPZC1qk3Ogb0aL6oikk9Vi9bLABXfiqqvLaqCot5REQ/OuDUhEAbT9sqmwgerYoQLIVX5opu
MkqdjgkBUyXljUn/Lg0RzDtgXVUdnpldSSpg4jddVf2qCZrbQzGuUTDXVD1u2OOEQNt0UIffyyhz
cbPRrt7F9AU8//Xn5gnB7KTXuBWgSs57guvRceLievTCOPTowhl63bapr5csiWifQrcisTjzr1JH
7F8TrlY4monqf5MuNFquXxAC0V7Qm/tNQkDtvEojlRGCflJ7yL8u/DcIQT/8lXDQXmpli/kTqwnB
tENm/d1sWNzp3U0D09g0cRdljhWEgDOCvGF8YLaMpOo4h9f5ZwiBKv7vEILzSkKgSve7hGCIi78J
w6s6eZfGTcECIeB8SxsPi3beRPDUlISA3qJZkzKxbvqVj05H/ROfEWHzMTTtEVzGvhBnHbC2qk7T
kr6ztzCXbrQt7/hFUzP8NL4/b4Jm9rBHZ6puC1VpsUNeQwjkWWJJb5xZKCYFFIRgnMMh57gSCGyD
EAysjkp0aKxVHbN6yYAdU7O8KPKC8+0SelF8sBTjLKqU3TCcKpduPk6VrkCM3indcyIMfeq0XHUz
BNSpDEuIrOoPw3k54v5avWSg1SolQjBs1mHZp6qjDa9YMpDGN3NNVRqWPTRzIjKgky3mvz9NCKj9
n7WxLG7tkoEmvDBoumTApfOs8HKJ7GHuXWSPacSN/BCMpqwHQqCd+e5jUl88SjjWLBlc+abCwysI
AZvs6CfaKJdWWKizMtxVVT1dVZ0C12++4F0L5+xUr7oJGF08Q+p8f7JoIth96sOGJcpRUPZFalLm
P47uUHnN2yR6Kfwspz1QEz4wU7DSV9VROuMvCkLA1CAVVfWrJuhhQrC26nGLJUY3zkI3jyKxJV3T
8RUhIBnPYTJukgq+tm27DUKwM+yAbyqMHLn2qVoHWv3mmwpv9bCpkE3JeaZp0Xt+zw6WKRaM21ue
HjPaTsXlhvt9YCvlkrvXhS0Wf9FTs6Bku1peebT9rF8yoGbbsQ5ZTXsN88h5YFPhOo1UIgTDJkHf
Fisq1GIcTrQNp71dIsfYmd3KANtU6Ibnkqv4jo9xKDRV18ofa2WLGX5PEwK9jHJLu/jMtTLHqhkC
LjbvOLPdS5SFhzvsblPhtb5Vl2j/1KbCYXQ9EA46EZHsyaMu31SYp8loU+FEppktGbyEELQ62eKu
Lqk+lFVeV1VZU+CntGnxIm8qpB2ednC50Wb0k2/txIqMLh5dE8EMJKI7UTxfDK/KFbtH77uCN5JI
t+P0e4ulx2cdsLaqSg9NL1WEgOmoW97xUjLd6OwYHJlW8xdN0MwelpZihmB11WMR0UKAHV7qud+R
WdXTNR1fEAKCevX2rymgf/v7NgiB5SdJd+wwZDtEO9CVrQP1l90ZIaYFQMcO2R+tlvEFJFqu61cv
Sbpz71imfEyRP6DWTu3n8SRG2qXANvZbD06MsxM8tmXbU3llDSFoB/VX93CMui1efcrKi+7Y4UMa
qToN1lanbdodO+w0W6PL6Ngh10WeaK2ulT/WyRZTXp8nBDqtVYp9OHZouQd+dJVuK7VZy8QdnYna
GZIeFTVNu5012s1cRNbkAT4w1MwQsHTXHDtcH//42KGf0q5bBsNVHEYcNAL0hOAb6epki3nyiv+a
Kq+rqvWlBy6Rz2tWWeBapuW4/pFOTvajQnU8+iaCLJzLHC+HV+Squ3WNHQUjYO/XqKOiWcjxG9Qt
H+qqqj5JTkvHSwYUWlNV+0Zr1ARp7aGYVIRAV5VYyv2J31HVo1WYa+o7FuVczGTqq5666VgmBFVC
+8xVzfoCfv/ZTxsgBJ+E+C072P65pyCfZPpGNVg/CsLfMFY65vEbyf1aGjSN/CCV/p5NJRv+fbm3
53uRv+ip+nSw0SW9CMyV0TTX2Fla+1kZ3R8NDkKwpmDv5fn0seqEW5NcWwP8Hw97v57PV6buW558
5fLDhwLwm7LFn0AI2qa6pGfyQIK/30bgUQXr37ZrW+mBEGyrPH7QGhCCHwT3uahvl2hPbhMN096H
pz/UX/ymbPFHEILn3hM8DQR+GAEQgh8GGNEDASAABIAAEPgEBLZDCG75kbav7WjL1lsX6UdeTbZQ
hqNNiE8bpN4q/HS0fQQ/HX+fEC6AABAAAkDglQhshhDQiRAvKW+kdvvKDC7HpfI68lZCQAdspoTo
tYTgNRqmKjs51K+Jf7nY8CsQAAJAAAi8HIHNEAI6jx9/6bbk1fn/DwnBayDUE4LXxI9YgAAQAAJA
4JcR2AAhuMb26MyttGTADiXPtVDn8sfMU7i5933HtPbxKfFt03RC8kyi/dNqm9IMQXA6R+z8veOn
137GQqedqk5jSf548KrcOyYij2djHIQyKs0QRNkp3Fsk+CzJJbf1hYQ+mYbvIGlL1jBvJDPNU42G
6fSUsTibo9Za1dvZauL/plapAtWmykIqFsOwnH1wGtzAamWOFdqsTL9aLVvcebggHW7ncJTPkyji
UdiHW0AACACBD0ZgA4SAozcTy6HbTPrM9sJzeW+ae5UX5H9bKX/MpEOcKK/yyDEsP6vKh9RzNTME
hukEp6Kqriff7r3Q6LRTdaW/JH+sIAQ8GtXIm8kl76PztaqKxLN6FybcDxx5eKzy4960AnIvx/+U
mqf8J/Uaf8P/yNmgE+U8niWtVZWduvi/q1Xa5WX4IJEeJ7qUt1tdXen4Fv9JL3PMvKaYluMnRd20
ze2aX29M2LLHkCSkhWzx2ngGw3AFBIAAEPgDCHwAIXhI/pi5uyZ/ZKRowYbWD7mh0BGC3hUdOb/m
nnxHbuYmcslfvwgT+eO1hKDvwMi9S/cwuf7u7SSHeX0gmiGYa552RqoJAf3YEIly47GCuMjaxF/O
GkLwXa1SkXT/SXM3vZpff3eiPExFKuZWGCGYarNyRtC5h5Eeli4p7gfi6U3ABRAAAkDgDyCwfUIw
3WLHJM7m8sd1umcardRjskfKkdyhpqg0hGDQ7e1lUha0UzVxs/nnPTs4wZYChDvOdujTW/KFT45o
+ihUHS05Zu9VCvvwTEBkeJLm/cVcPycE/qVf6+ij5+ItSpF1Gh+b+0Q6BL+ktaqyk6cyIxzf1iqV
rWbXzTXZm4a998M4yWjMz/4WZYsV2qx8RYVLzzOZwg7bb8QzsxA3gAAQAAKfi8DmCcFsSDjWPO3l
jwUhoO72eULQyfuIwWTDxBRNuef+ssgflT8OHyEEihmFPufckikhcAZSMzZ11mGzn++krORJaoZc
w1Qlo8zCryIEMlVZoVU6trv7dq+Kc3qk/RSWz7WNScPOU8kc0xMaR+tMfH4iW/ydeJQm4iYQAAJA
4CMR+DxCwDRPe7lBpmhKKr7fIwQqbdPRscN+hoB1ZI/IHovXQC9/TNslxNCeFE0t8YU2SJw8aVMl
j0szo7C8ZLCKENwvoW352Ui9aFlrVWUnt3ZOOL6rVSqQVH7SogifA2FTJToH8RpCQGsqU9nib8VD
Ky232+2mnIxRGo6bQAAIAIGNIvB5hEAjf/w9QsCUwSfaphpC0Oq0UzUlSyck1PLHt5NnOjEJzjVl
4pkkldfHwXolP6tkbwwaQtCWidvJRotNhf2pCqXmKU9k3mHfzoFt+xnJjvI/HnBRa1Vlpy7+b2qV
9pj0F2V2TC/Xqr7dqkvsmmKFhBY7DNtPSca3KvMsDpKreEZHCNoisq2JbPG34mESv8aPqvaIvOAT
CAABIPCjCHwgIVDLH3+TECi0TXWEgPrvLPKYz3nLdg9RJq23KwqpVxKdyh/T7j3fMU06OpcmwTBd
QJE0TLiVSYCKrXE6QkDCrPHB4brOQSIkbSkWFSGYni7c7TpNVSbgK514FB3totbq3E5t/Aw4flxw
5KufUROa3WH5PvummwwHCfnd8f/qHHouO3Vo2l4ow6+ULaaHtYRAJVuskT9ejAeEYFxG+AYEgMDn
IrAZQvC5EMJyIAAEgAAQAAKfjwAIweeXIXIABIAAEAACQOBpBEAInoYQEQABIAAEgAAQ+HwEQAg+
vwyRAyAABIAAEAACTyMAQvA0hIgACAABIAAEgMDnIwBC8PlliBwAASAABIAAEHgaARCCpyFEBEAA
CAABIAAEPh8BEILPL0PkAAgAASAABIDA0wiAEDwNISIAAkAACAABIPD5CIAQfH4ZIgdAAAgAASAA
BJ5GAITgaQgRARAAAkAACACBz0cAhODzyxA5AAJAAAgAASDwNAIgBE9DiAiAABAAAkAACHw+AiAE
n1+GyAEQAAJAAAgAgacRACF4GkJEAASAABAAAkDg8xEAIfj8MkQOgAAQAAJAAAg8jQAIwdMQIgIg
AASAABAAAp+PAAjB55chcgAEgAAQAAJA4GkEQAiehhARAAEgAASAABD4fARACD6/DJEDIAAEgAAQ
AAJPIwBC8DSEiAAIAAEgAASAwOcj8LmEoC7ORd18fgk8m4Omys/X27Ox4HkgAASAABD4zxH4WELQ
nH3zkN3/8+Jr27ZOPTPIgQMQAAJAAAgAgacQACF4Cr4NPAxCsIFCgAlAAAgAgc9HAITg08sQhODT
SxD2AwEgAAQ2gcDHEYIisnfTPyvspszLo2uwHw3nWEr4bu1+W0R2Z6h3qiVDH7/fXAIegwzGONdS
vLgEAkAACAABILCMwMcRguZWVWVZltfEM/dJQZdVdRObC+91XdFfXd/FLZb/rd1vbsLQ22gbxIr7
Tc1wKPPYNQ8nwkEGYrnU8SsQAAJAAAgAgQkCH0cIhP3YVNghgSUD8UrgEwgAASAABJ5AAITgCfA2
8SgIwSaKAUYAASAABD4dgY8lBJ8OPOwHAkAACAABILAlBEAItlQasAUIAAEgAASAwJsQACF4E/BI
FggAASAABIDAlhAAIdhSacAWIAAEgAAQAAJvQgCE4E3AI1kgAASAABAAAltC4GMJwf18gJYBvUl1
uoeWwZaqFGwBAkAACHwmAn+fEFxj4drQMO19kOR/TBkQhOAzax6sBgJAAAhsDIH/ghAY++RaVVV5
PceeZXip7Cx4Y+Wx3hwQgvWY4QkgAASAABCYIfB/EALv1E0LNHloGr1qclNmkeeYBk0dhKeyd3Z8
y4++axl03z3Ew5TCrUj4fcv1j/3ta2ybQkyhLY+OGVxETFW6Nw9pfgr2tmkYlhsX3S9NdY4PrmUa
puUcorNgKPdryoOathedKxHNrNTkGyAEMhq4BgJAAAgAgW8i8F8Rgqa+hM7O8M9MP+B29i3bT/Oy
rqsiPdh2mLMeuMlDyzokRX271WWeZaLnr7ODSfcrFtwyhSzRMiEwLNsLz+W9ae5VXlSsmO6XwDbd
MLtWt7oqsjgt2O0q9SwnOBVVXZf50bPc4/WBUgUheAAkBAECQAAIAIGvEPgvCIEsCGi6xyvr96tk
L+9KLI+OxRnBPTsYTjzri+uTZ7i9hmKVuMaerz18RQg6njGUBMWkSOAa250FFLQpQksRaIhFXIEQ
CCTwCQSAABAAAk8g8F8QAmN/LKqqzNNg72fd9LxCPlisJdzOgW2YjhdEx9OlFGqEpEzsn8UsPj1u
RWxk/wUh6Jcr+lLKQ0taVhC3bydvqmf80OkBEAKBID6BABAAAkDgCQT+D0IgOmWaq/dSNm/fXALT
5j26Ar6mvl6yJPIdk8byjAUwQtDvDlggBMZkD0EmKIVIR08I3ISvKYiQj3yCEDyCEsIAASAABIDA
Fwj8X4Sgba+xYwcX6qLZpP9XHTAtH7hJSSBqlwzkfYS0/+BLQqBfMjAP2epDkSAEX7zi+BkIAAEg
AAQeQeB/IwTEA8w9mySgTYXmPj5f67oui3MSxmfWG9/y9JjlJe0pvJ582+z2IBIj4JsKb3WRHoZN
hXeaawgut7ZtqpNv7b4kBO1NbCpkaWTHE9+wUKWeaXnHS8kMyo7Bke9yXC5HEIJlfPArEAACQAAI
PITAf0cI2Ei/O1DAjx3S+ULLdg9Rxg8e3ovE3zuWSbfl44Vt2x9HtJzDcOywbasscC3Tclz/mIaz
Y4ezJQPaMsiPHVISjjc6dhh6dELRtJy9H58fWUAAIXjoRUcgIAAEgAAQWEbg7xOC5fx//q8gBJ9f
hsgBEAACQGADCIAQbKAQnjIBhOAp+PAwEAACQAAIcARACD79TQAh+PQShP1AAAgAgU0g8LGEoCnP
6XnwNrwJMN9ixP2apZdHNhu8xTokCgSAABAAAh+CwMcSAsgfd28YZgg+pKrBTCAABIDAthEAIVCU
jyxilBSrPQMoYvzBWyAEPwguogYCQAAI/D8IgBDMyvqWHUxzH1/KqrwcPdM8nIQY4SzoFm6AEGyh
FGADEAACQODjEQAhmBYh+RG0I6FTfI0dY59W9+xgelzLqA9/O3km+UQmLQM/YRLHpun4Kfd0TMF0
8srMYaIZZDlXUzZtL2XOEPuo11yAEKxBC2GBABAAAkBAgwAIwQSYJg9NoXJEffrZN0iJqDy6VjB2
HJiHlkPqh9fY3pF80r1t70XsGkIWWSevTAkSz7CcQ5zX97a5l3nx/UkIEIJJCeIrEAACQAAIfAcB
EIIJavfzwTCCS3+X84MbiRQwUYN7kYQJdf5VsreYjNE1to1eg2CQPtTKK1PU9MxD4sa9HdoLEAIt
NPgBCAABIAAEHkcAhGCCFckZKQhBSwsE/vne5KFtkudjUkvkcwEDB2jbtlc6WpBX7giB30snTkxY
9xWEYB1eCA0EgAAQAAJKBEAIJrBolgza9np0nLi4Hr0wDj26cLohvpYQLMgrX2PHDPJJ0t/7CkLw
PdzwFBAAAkAACIwQACEYwUEyx6liUyHtJrgElhdFXnC+XUIvig+Wf27oYTUhWJZXBiGYwo7vQAAI
AAEg8F4EQAhm+OuOHdapZ5oW7Ra4ZwfLNPfdqQMNIWh18sqUIAjBDHbcAAJAAAgAgbciAEKggF92
TCTJHNNOwH1KXoLrdE9HE/mjOkIgjh1O5ZXpKRACBey4BQSAABAAAm9EAITgjeC/JGnsIXgJjIgE
CAABIPC/IwBC8OlvAAjBp5cg7AcCQAAIbAIBEIJNFMMTRoAQPAEeHgUCQAAIAAGBwMcSAsgfd0UI
+WPxLuMTCAABIAAEnkDgYwkB5I+7UscMwROvPx4FAkAACAABgQAIgUDiUz9BCD615GA3EAACQGBT
CIAQbKo4vmEMCME3QMMjQAAIAAEgMEUAhGCKyKd9ByH4tBKDvUAACACBTSIAQrDJYllhFAjBCrAQ
FAgAASAABHQIgBDokPmU+yAEn1JSsBMIAAEgsGkEQAg2XTwPGAdC8ABICAIEgAAQAAJfIQBC8BVC
W/8dhGDrJQT7gAAQAAIfgQAIwUcU04KRIAQL4OAnIAAEgAAQeBQBEIJHkdpqOBCCrZYM7AICQAAI
fBQCIAQfVVwKY0EIFKDgFhAAAkAACKxFAIRgLWJbCw9CsLUSgT1AAAgAgY9EAITgI4tNMhqEQAID
l0AACAABIPBdBEAIvovcVp4DIdhKScAOIAAEgMBHI/CxhADyx917B/njj66AMB4IAAEgsBUEPpYQ
bAVA2AEEgAAQAAJA4C8gAELwF0oReQACQAAIAAEg8CQCn0sI6uJc1M2T2f8DjzdVfr7e/kBGkAUg
AASAABB4JwIfSwias28esvs7sdtG2nXqmUG+DVtgBRAAAkAACHwsAiAEH1t0neEgBJ9egrAfCAAB
ILAJBEAINlEMTxgBQvAEeHgUCAABIAAEBAIfRwiKyN5N/6ywmzIvj67BfjScYymy2Lbt1u63RWR3
hnqnWjL08fvNJeAxyGCMcy3Fi0sgAASAABAAAssIfBwhaG5VVZZleU08c58UdFlVN7G58F7XFf3V
9V3cYvnf2v3mJgy9jbZBrLjf1AyHMo9d83AiHGQglksdvwIBIAAEgAAQmCDwcYRA2I9NhR0SWDIQ
rwQ+gQAQAAJA4AkEQAieAG8Tj4IQbKIYYAQQAAJA4NMR+FhC8OnAw34gAASAABAAAltCAIRgS6UB
W4AAEAACQAAIvAkBEII3AY9kgQAQAAJAAAhsCQEQgi2VBmwBAkAACAABIPAmBEAI3gQ8kgUCQAAI
AAEgsCUEQAjWlUZ18syd6aXVuscQGggAASAABIDAthEAIVhRPk2Z7E03SiLXco/XkeejFbEgKBAA
AkAACACB7SEAQvBwmdyL2LH9jDwN12ffdqJ85GTw4XgQEAgAASAABIDA9hAAIXiwTG6XwNkfr4ID
NNfj3gnOtwefRjAgAASAABAAAttGAIRg2+UD64AAEAACQAAI/AoCIAS/AjMSAQJAAAgAASCwbQRA
CLZdPrAOCAABIAAEgMCvIABC8CswIxEgAASAABAAAttGAIRg2+UD64AAEAACQAAI/AoCIAS/AjMS
AQJAAAgAASCwbQRACLZdPrAOCAABIAAEgMCvIABC8CswIxEgAASAABAAAttGAIRg2+UD64AAEAAC
QAAI/AoCIAS/AjMSAQJAAAgAASCwbQRACLZdPrAOCAABIAAEgMCvIABCsBLm+/lgHjIhabDyYQQH
AkAACAABILBRBEAIVhYMCMFKwBAcCAABIAAEPgIBEIKVxQRCsBIwBAcCQAAIAIGPQACEYGUxgRCs
BAzBgQAQAAJA4CMQACFYWUwgBCsBQ3AgAASAABD4CARACFYWEwjBSsAQHAgAASAABD4CARCClcUE
QrASMAQHAkAACACBj0AAhGBlMYEQrAQMwYEAEAACQOAjEAAhWFlMIAQrAUNwIAAEgAAQ+AgEQAhW
FhMIwUrAEBwIAAEgAAQ+AgEQgpXFBEKwEjAEBwJAAAgAgY9AAIRgZTGBEKwEDMGBABAAAkDgIxAA
IVhZTCAEKwFDcCAABIAAEPgIBEAIVhYTCMFKwBAcCAABIAAEPgIBEIKVxdSU5/RcNiufQnAgAASA
ABAAAttGAIRAXz637OAEl0eUju+X0Dmcan1U+AUIAAEgAASAwLYRACHQlU9TRI57LPufbyfP2PE/
w7T3QVLc+t/atjy6dlRg4kCCBJdAAAgAASDwSQiAEGhK634JLDephl+JEFjhuaqqqryeo71p+mdp
9qBK99boxvAkroAAEAACQAAIbB4BEAJ1ETWXwHSOV+lHIgR2LO7U6d4Y/14e3TFFkJ7FJRAAAkAA
CACBjSMAQqAuoGtsm/5ZXgKQCcG9TA+mFcgzBC1RCDsq1NHhLhAAAkAACACBbSMAQqAsn+bsG3Y8
6t35HgKD/na7nenGubyHoG3ba+wYWDRQwombQAAIAAEgsHkEQAiURXTPDobTrw+wIKM9BJfjwbb8
bHSuoDw6xiGbsARl7LgJBIAAEAACQGBrCIAQKEukyQPTCnP5N3nJoG3bKnGNvbzpsC0iywwu8iqD
/DiugQAQAAJAAAhsGQEQAnXp0KZBb+RZYEoIprsK6fcxQ1DHjLtAAAgAASAABDaIAAiBplDo0MDI
K5G0ZFBd89S3DTvMh/mA5hJYjuS2QBMtbgMBIAAEgAAQ2CQCIAS6YiHHAjIjIELQOyay3EOUyQ6M
Z24LdNHiPhAAAkAACACBLSIAQqAtlfslsMerBtqg7S072P4ZGwr1COEXIAAEgAAQ2DYCIAQL5VPn
p+wqeSPUBr2X51M+OnKgDYofgAAQAAJAAAhsEQEQgi2WCmwCAkAACAABIPDLCIAQ/DLgSA4IAAEg
AASAwBYRACFYWSr388E8ZI+sI6yMGMFfjUAeWmwXqDESqepTqdP9FkuySkgTYzi+0tv79MU1dszg
Mo+muaa+Y9KO2TFQuvDzGHAHCACBP4EACMHKYgQhWAnY7wS/X0+h51iGYVqOF54Hlcrm7Jvjfk4Y
dMuTKL0+2/OWR3UvK1KRP+vhoApjKhPXVzzos4QgDy2NpEZ9OUbZoOctLLtlB9ONi9v93jQjNDTh
xXP4BAJA4K8h8LmEoC7ORT1qwH6lbDZHCJoqP1//8/MNZbI3LS8+F2VVFuckTAYVCj0heM3rsoYQ
tPe6KsviuDesICvLqrop3t+fIwSaDPMcKCzRhP/8229qOj4fuFfl4F7mlxKzrK+C85XxfCwhoIb+
HVP3myMEdeqZwcjJ8ivfj0+I634OTFOnIqEkBJeAu5Qwpm/QLT/6rmUahuUcjuLcCAlb7OM0PjiW
aVr76MLpV5XuhWMK7p9iFpsavFt2MKZj+PoSe7ZpmLYXJ5G0ZNBUZ0rWMAzL9ZOia0OrZG8cjqfI
I4Ns79jdv8Z25yij+zCF821Kkt0bLxlQPKMnxFSKJnzbqu1p2/aeHcz98ZJFlA3DdMLLdtv7dzUd
6tfhf7xbHt2JUsz/iMIm8wxCsLJYQAhWAvbzwfPQMjydqpSSEDCbZnsImuvRtfbR+VrXdXmOXMtL
2dIDEQLD9rOqads6O9CM/DCeXjVDwNKdE4L65JnWIS0o2dA1dka3h+Ceh7blHS9lXdfXU+BYnasL
Z9Fj+FNBsPDqNXmHIJg8A/gBAr8nsBtB8Pss/HTnQh/tT7d84fW2K3noZ+AyIEGwNN+Me8OpLvyl
W+RTgaO+LN4cllNlFJkBgeMSgCA4btm9zfLqXiSeJvYr355H/H2C4FNukZ+XwxGuFkkYZcW9qkra
EWPVpMsjZAs2gsBJCUAQnLRg12frHhrCRZQNP123I8AXCoIPuUVeX4Z7DVkElirTYJqo6M54B8O9
Ggy7QOCrCXyBIPjq8kXmQQAEQAAEQGAVAQiCVZgQCARAAARAAATOTQCC4Nzli9yBAAiAAAiAwCoC
EASrMCEQCIAACIAACJybAATBucsXuQMBEAABEACBVQQgCFZhQiAQAAEQAAEQODcBCIJzly9yBwIg
AAIgAAKrCEAQrMKEQCAAAiAAAiBwbgIQBOcuX+QOBEAABEAABFYRgCBYhQmBQAAEQAAEQODcBCAI
zl2+yB0IgAAIgAAIrCIAQbAKEwKBAAiAAAiAwLkJQBCcu3yROxAAARAAARBYRQCCYBUmBAIBEAAB
EACBcxOAIDh3+SJ3IAACIAACILCKAATBKkwIBAIgAAIgAALnJgBBcO7y/fvc3QND1Pz87xPef4q5
r4lGcH+XoamriFb0rtge49k6/scUV51JHFmyk1VBVwYqrppwoT9hS5wrjUEwEPggAQiCD8I/aNL3
wGi+n+wjerlcJtVSlV4dPy53kLd77JmaIgmCIEiq4UZF9R9GVYkjC4Jkx2sjiW1Jdqb11psFQRF5
TpD9R57YrQt2tlG+J36OfVUReaYqi4IgyprpJ+tl0v8IgsgSu4e2UQAjfZZ52+orDgicBoEdEYAg
2FFhHMQUEgSSFWTdX56Xa2vJP81hGd/8IErSLEsj35AF1fuP2jN1Fc1x9Hkdz8/QQkX7ZkHAT/uV
Kwt2vnL778LeI1sWFOsaZ3mWxjfXDYrVEf2nIBCMa9o9uVleDEIEgmB1ESDgaQlAEJy2aDfLGBME
s8YvSyxx5abdNR8yuCe+qYiCIGvO1dUF/co+/2xwoTms6yo0RdXva+zYFmUnjDyDbhNls60wytgz
VUkUBEkxvHh9JVLXmacI+m18R3Uvy/taJZN5quKmKfu3A8uzP20x9G1R0Y7ZPUwQ+CHLlCjr3tAs
vqdXS2PNZUV3w1FXBkvDiwJHb67aEdVgZddHM+mbqevEkfpEqQfcjJr85YFjqDL1lUiK4YZ5c5Zr
Jzf+etnO3NcEw7s5uiKJ03x1qGb/Z74qKG66AL9MfFNlhqqmN/QzVXnoEB9RMX3fGg0ZVFng6M0z
otm3bCHGSdKRJQpWC2VyoWZPyAwnkX6wh0qkfYD7GMqbLuq3PfSK9SbhAAR+QwCC4DfUvvseriBg
WFgVNplDcI8sSdS8OC/y2NNFYaUgECXF9JOiqqsyjdOyrqvUUyXNCdOiKLLQUSX9unKqQlXE7rwK
olpMUCeG8os19zWZRgsSRx76GXiCoIlmoeVNSYqy6cd5noW20ndZNIDcKC+KNLBkYSSMiLUoadYt
Lau6KpI4G5q0y2P8FfsrY0cRez7pzb1GaV6URRY5qjhkoa7rBTtbDg/x8+xkKBUnojLKfG0a/wLU
4qoLi10tRWCIkuEneZEnV0MSOwVHAkK2gqwo0pspC5duDkEZmpJsXuOsYDfIrIwWEuxPvSgIFu3J
PFWypiNHsS0p/9P91NuHAxD4LAEIgs/yP2LqVEmNG6KyOx4qfxAE99AUZSdpGm9V4kgrBYGgdb0H
DaQqsiTFTTtiFO0sRHdp9H/XlhYUq2sYt1dfEQTFVRPN8F7XZEPf/fErQdBXHLmvCs0I9gRQXd50
oQ9UE2vBCBYbnw8Vdp9v6pGXjOVu+Hlrdr0g4NpJKHtptWJcJHXleeEy04ub3oukuiZATQE3vTst
A5oB2AqCWVKZp/w0x2M2h2AyifBxyGDZniq2JSbZ7olvs8kPua9JvH6HvkxwAAIHIABBcIBC2pmJ
rIdgmEMwm0LwIAioeTf0p9JHdt2QgTQblch9dSxD6Fge9AGP0b3Ic5pDYMqycVvZoTCPa1SHltRh
3I48/EoQ9LPYir6bmWq+ARD1QvR9/UwQTBr0I9t4goC1my1qr3d/9+Rq0fTKlt+kNl4vCLh2kiBY
yFeX+sP/PEHAch523f5VZAnsGegPmohiW2oEAZ2fPRGDGQ+JshPUQzDMIZg+uY+CgGMPPQ5meK9i
WxapT6KKrP6ZWE4WZ0HgIAQgCA5SUDsykwmCWW09mPeTILhyBcG4q5zmEMxqe1YfLbeVh9S5R23z
lnv9yYWmR4QWK9Df5dK12OeCYGz/Ylf8pEW7WhBwF3EuC4LiZkiKEw8jCzX19Es6G31p5x9oo7GW
9wiCYTnlkC8uUmrkLw0ZTKQQ9cYMgmAUPHEGQUBdT9xkFi68NmTAsadOPUVxk9TTbdfW6UAZ9Vwt
pIpTIHAUAhAERymp/dj5oiCY9DSPhwyaeYRtq50qidHY+YIgoIaYZLFJdb9gcQ9NQbSayX3N7VVZ
lmuWR5D9ihPl7V/kKM3wQTsPctl+NsHvsY9jtA/BUHFOALVDBt3IyIO8GmV9SRDkV11SZ9P1mqZv
1/BumudDXwnVr8u16jx+rp0coTMydXaYefMZHSzAchd9M92PjdhQKBoE6ocMVKEfwJklsfzzqSDw
VdHs+yfofp49NHCkO45uhWVk645rSNP7ltPGWRDYPwEIgv2X0d4sfFEQsBYqm1RYFomvS/2kQhol
FjWfpobfE1elKX6TVQazHgI2qVCgOWR5UeRZHLiW39WbS4jKyHP8IKZlh0nom7IgWTQNoPtbO4eA
vv7joWkaQhabEeMn9tMQuCaoblJWVVcV06nFlnQ7WY/y1UwqHCaovSQIqsyjGYPpvZlY2KVMwxyK
w5Y0VNnVkARh3EOwYGeLaC4I2oJ0H+zk5atD/fh/GVndssM8jQPPC9n6DxJJbFJhWcwnFYp686Ck
njadVChqbjPNNAl92w1HAyWPydbPBAEraPOWleW9W3zCs6e46qIo0dSOe2BI4oq5LAu24BQI7I8A
BMH+ymTvFnEEAc2Gmw7p9nPjumWHElt2OKzQuieeLouirOjOzTN+EgTUPIz9dnmepOjW84WHtERO
Z1vf0Go73bmNJujXTYU9TIXjMqf6fzoyTQ3lViHw7We2erQgjjZuGi877HYqHHoI6nqynM8Zz35c
FASz1YW0vpC1bOcl0E9FKGjRniTJimq4gadPBEFdxnM7efHz7HxdENR1lUdus4JUlNVhY6JmXWmz
PnK67NBucqA7rtkOGVCZNcsO2TpFWTWc4IeFh88EQV0TJjbRYhit4tgzdLPwhj+4DxQugMCOCUAQ
7Lhwzmha5qtt+/qMuUOeQAAEQOC4BCAIjlt2h7G8yqIgye9Vdc9DS/n9PIDDZBiGggAIgMABCUAQ
HLDQjmZylXi0iR3zKTD0Dh8tF7AXBEAABM5NAILg3OWL3IEACIAACIDAKgIQBKswIRAIgAAIgAAI
nJsABMG5yxe5AwEQAAEQAIFVBCAIVmFCIBAAARAAARA4NwEIgnOXL3IHAiAAAiAAAqsIQBCswoRA
IAACIAACIHBuAhAE5y5f5A4EQAAEQAAEVhGAIFiFCYFAAARAAARA4NwEIAjOXb7IHQiAAAiAAAis
IgBBsAoTAoEACIAACIDAuQlAEJy7fJE7EAABEAABEFhFAIJgFSYEAgEQAAEQAIFzE4AgOHf5Incg
AAIgAAIgsIoABMEqTAgEAiAAAiAAAucmAEFw7vJF7kAABEAABEBgFQEIglWYEAgEQAAEQAAEzk0A
guDc5YvcgQAIgAAIgMAqAhAEqzAhEAiAAAiAAAicmwAEwbnLF7kDARAAARAAgVUEIAhWYUIgEAAB
EAABEDg3AQiCc5cvcgcCIAACIAACqwhAEKzChEAgAAIgAAIgcG4CEATnLl/kDgRAAARAAARWEYAg
WIUJgUAABEAABEDg3AQgCM5dvsgdCIAACIAACKwiAEGwChMCgQAIgAAIgMC5CUAQnLt8kTsQAAEQ
AAEQWEUAgmAVJgQCARAAARAAgXMTgCA4d/kidyAAAiAAAiCwigAEwSpMCAQCIAACIAAC5yYAQXDu
8kXuQAAEQAAEQGAVAQiCVZgQCARAAARAAATOTQCC4Nzli9yBAAiAAAiAwCoCEASrMCEQCIAACIAA
CJybAATBucsXuQMBEAABEACBVQQgCFZhQiAQAAEQAAEQODcBCIJzly9yBwIgAAIgAAKrCEAQrMKE
QCAAAiAAAiBwbgIQBOcuX+QOBEAABEAABFYRgCBYhQmBQAAEQAAEQODcBCAIzl2+yB0IgAAIgAAI
rCIAQbAKEwKBAAiAAAiAwLkJQBCcu3yROxAAARAAARBYRQCCYBUmBAIBEAABEACBcxOAIDh3+SJ3
IAACIAACILCKAATBKkwIBAIgAAIgAALnJgBBcO7yRe5AAARAAARAYBUBCIJVmBAIBEAABEAABM5N
AILg3OWL3IEACIAACIDAKgIQBKswIRAIgAAIgAAInJsABMG5yxe5AwEQAAEQAIFVBCAIVmFCIBAA
ARAAARA4NwEIgnOXL3IHAiAAAiAAAqsIQBCswoRAIAACIAACIHBuAhAE5y5f5A4EQAAEQAAEVhGA
IFiFCYFAAARAAARA4NwEIAjOXb7IHQiAAAiAAAisIgBBsAoTAoEACIAACIDAuQlAEJy7fJE7EAAB
EAABEFhFAIJgFSYEAgEQAAEQAIFzE4AgOHf5IncgAAIgAAIgsIoABMEqTAgEAiAAAiAAAucmAEFw
7vJF7kAABEAABEBgFQEIglWYEAgEQAAEQAAEzk0AguDc5YvcgQAIgAAIgMAqAhAEqzAhEAiAAAiA
AAicmwAEwbnLF7kDARAAARAAgVUEIAhWYUIgEAABEAABEDg3AQiCc5cvcgcCIAACIAACqwhAEKzC
hEAgAAIgAAIgcG4CEATnLl/kDgRAAARAAARWEYAgWIUJgUAABEAABEDg3AQgCM5dvsgdCIAACIAA
CKwiAEGwChMCgQAIgAAIgMC5CUAQnLt8kTsQAAEQAAEQWEUAgmAVJgQCARAAARAAgXMTgCA4d/ki
dyAAAiAAAiCwisA/jAJCzPrBWv0AAAAASUVORK5CYII=
--000000000000a5c53a05abac0152--


From nobody Thu Jul 30 10:37:14 2020
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BF8C3A0FF2 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 10:37:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.085
X-Spam-Level: 
X-Spam-Status: No, score=-2.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I9jfaxaiMBhM for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 10:37:10 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D8C63A0FF1 for <oauth@ietf.org>; Thu, 30 Jul 2020 10:37:09 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id b30so15395473lfj.12 for <oauth@ietf.org>; Thu, 30 Jul 2020 10:37:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dzyzFi5ww+uLhb8wZwwAWUXWNPeVxYpJLk7pmmsgNMs=; b=fM5zAbarwXlXrizlzmbP3dIRiDXxuHYirZVmOShbFc7VEaYoyADLgtCa09vit8rI8E io+LFw1kAnYh/1pEOCznvlNt4IvIAM3v2agc9YyOW2P0kgePFk9bZZWMArdGsAjdcWic F3vTnyiehw/TCUtJLYRuphbB02sXKw4MgfQdR44nqdzzS7Dm3p/w3ulX4czgLW5MlWZY qGmXDunLZrFQbQ+jW5GVBVUcWern6L9ZQm+c484s8r2gV8eavW3wSdQRMDxrH788ubGB 7g1fiiGP7q8WFFdPpffc39xHMWIgauvtv9MbGcNApuQYL0/eIftXnqSJ2itGZtwrnKn0 s9yw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dzyzFi5ww+uLhb8wZwwAWUXWNPeVxYpJLk7pmmsgNMs=; b=XIzuTjXbX0IE4TuG6QzruArYVQuN8fGZbWwcpQB1Ylaeg73L5I/cLYjXCHsCSKX/N7 G3kaIOwAw5PvfJSKmwJzOpVL6i5bqoDLjxsjtW2hLj7lx5sNpRRvq/Dnc6RprJYJtCNB r8nyFgzLRDyZDa/sdnvgCkbMUr8xlOVRDEiEUQvihzJ1/BHvgB16k9xdZK6l4bvl8+jk DHsXD7l9/QXnl7hlLqTRGNsCBJOvKd5D7Pp8Je+P2878WB+NNfEMw7DnxnXMdPIcTBXz 1yIWqF9758ZdrUD4EaDWmV0sITSUyaEQvS1tXo3JOMbpePhxbukso3m5bKp4irFtX1Hw nZzw==
X-Gm-Message-State: AOAM531NpA/3eMeaBmh785jmiTt3xdngIrJljcTuI6Zdij9T3Qps+8V+ WMdVhD5ra0Ch8tcOR6cBZW4iyXmOx+mwuGHDckU=
X-Google-Smtp-Source: ABdhPJwjYFNiNN5c9vD+99ehmnBMdRUAJOTzfyNUhplxziSFwp7/xmCCbmaEG7+ZlpJugBnqACMUjItoM0O6uAtuDjU=
X-Received: by 2002:ac2:4a9d:: with SMTP id l29mr2194435lfp.23.1596130627097;  Thu, 30 Jul 2020 10:37:07 -0700 (PDT)
MIME-Version: 1.0
References: <CAJot-L0pNWox1aX5GOkD=QVJakRVVtn=PvysciB2Wak6ijG+Dw@mail.gmail.com> <CAGBSGjo_w5+fOE0bQeeiuQLt0-Xkt+Gdu01C3BHZeuOZNh4Taw@mail.gmail.com> <CAJot-L0XmQ2wbmXPDjhwT4tT8nihmEXxc-N3orfeV21EKyYCPA@mail.gmail.com> <CAD9ie-sf+yxQaL-a1jVm=XyVCTkm2v9rc_8fWZOJsd62rCRQYQ@mail.gmail.com> <CAJot-L2PwMigsvD9j_enPMtb32w-RWgXe6nLL9wCm-UqDbDC_g@mail.gmail.com>
In-Reply-To: <CAJot-L2PwMigsvD9j_enPMtb32w-RWgXe6nLL9wCm-UqDbDC_g@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 30 Jul 2020 10:36:30 -0700
Message-ID: <CAD9ie-v0kJ0+O0Zj2K0Kj5t3E7xEtxVK4CQbUhEZP_fSSmcvsQ@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: Aaron Parecki <aaron@parecki.com>, oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="0000000000000b7a8605abac1fcb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GX5a0MUjNb7-b6ZTh337ntBQldA>
Subject: Re: [OAUTH-WG] Authorization Code Grant diagram Improvement OAuth 2.1 draft-ietf-oauth-v2-1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 17:37:13 -0000

--0000000000000b7a8605abac1fcb
Content-Type: multipart/alternative; boundary="0000000000000b7a8505abac1fca"

--0000000000000b7a8505abac1fca
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

In retrospect, I would make the (B) line a double line with hats and arrows
at each end to indicate it is not the same as (A) and (C).

I agree that adding a sub label will clarify which leg is first, and which
is second.

I also think we should change "User authenticates" to be "User interaction"
as there is both user authN and user consent.

We also are using 2 terms for the User (User in the flow, and RO in the
box). We should settle on one.



On Thu, Jul 30, 2020 at 10:28 AM Warren Parad <wparad@rhosys.ch> wrote:

> Wow only now I understand that, I didn't notice the hats on the arrows,
> and I was further confused why (B) had two "out arrows". Would still
> recommend these being 1a and 1b, 2a/b, 3a/b.
>
> Warren Parad
>
> Founder, CTO
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
>
>
> On Thu, Jul 30, 2020 at 7:24 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> The (A), (B), and (C) label the same flow that bounces through the
>> User-Agent. See note below the diagram.
>>
>> Note the tails and arrows at each end of (A) and (C), and the arrows at
>> both ends of (B) to indicate an interaction between the RO and the AS. (in
>> my original version, I had the User instead of the RO).
>>
>> The (A) and (C) flows are shown to go through the User-Agent to make it
>> clear it is a redirect flow in contrast to (D) and (E) in which the Client
>> directly talks to the AS.
>>
>>
>>
>> On Thu, Jul 30, 2020 at 9:57 AM Warren Parad <wparad@rhosys.ch> wrote:
>>
>>> From the OAuth RFC, these were actually letters. I don't see a necessary
>>> association between the left side of the diagram and the right side, it
>>> just seems unnecessarily confusing.
>>> [image: image.png]
>>>
>>> Warren Parad
>>>
>>> Founder, CTO
>>> Secure your user data and complete your authorization architecture.
>>> Implement Authress <https://bit.ly/37SSO1p>.
>>>
>>>
>>> On Thu, Jul 30, 2020 at 5:49 PM Aaron Parecki <aaron@parecki.com> wrote:
>>>
>>>> These numbers in the diagram correspond to the numbered steps in the
>>>> paragraphs below the diagram. Perhaps using non-duplicated numbers would
>>>> help, such as "1a" and "1b" instead of two instances of "1"? Although I'm
>>>> not sure how that would work exactly because the "1/2/3" are really just a
>>>> single action as described by the "Note" below the diagram in your
>>>> screenshot.
>>>>
>>>> ---
>>>> Aaron Parecki
>>>> https://aaronparecki.com
>>>> https://oauth2simplified.com
>>>>
>>>> On Thu, Jul 30, 2020 at 8:43 AM Warren Parad <wparad@rhosys.ch> wrote:
>>>>
>>>>>
>>>>> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-authorization-code-grant
>>>>>
>>>>> Can we avoid using (1, 2, 3) on the left side of the diagram to
>>>>> describe, I'm not even sure what they are supposed to represent, not to
>>>>> mention the RO in the diagram doesn't really provide value (for me)
>>>>> relevant to the code grant flow. It's confusing to see these numerical
>>>>> identifiers twice in the same picture. But maybe there is something hidden
>>>>> in this that I'm missing, still 3a and 3b could be used to identify
>>>>> different legs of the same code path.
>>>>> [image: image.png]
>>>>>
>>>>>
>>>>> *Warren Parad*
>>>>> Secure your user data and complete your authorization architecture.
>>>>> Implement Authress <https://bit..ly/37SSO1p>.
>>>>> <https://rhosys.ch>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>

--0000000000000b7a8505abac1fca--

--0000000000000b7a8605abac1fcb
Content-Type: image/png; name="image.png"
Content-Disposition: inline; filename="image.png"
Content-Transfer-Encoding: base64
Content-ID: <ii_kcnpzgwk0>
X-Attachment-Id: ii_kcnpzgwk0
--0000000000000b7a8605abac1fcb
Content-Type: image/png; name="image.png"
Content-Disposition: inline; filename="image.png"
Content-Transfer-Encoding: base64
Content-ID: <ii_kd91j1p81>
X-Attachment-Id: ii_kd91j1p81
--0000000000000b7a8605abac1fcb--


From nobody Thu Jul 30 12:15:28 2020
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 752893A0AE1 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 12:15:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level: 
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pwNWSvVWF1ew for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 12:15:23 -0700 (PDT)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C05083A0AB7 for <oauth@ietf.org>; Thu, 30 Jul 2020 12:15:23 -0700 (PDT)
Received: by mail-qk1-x72d.google.com with SMTP id h7so26642272qkk.7 for <oauth@ietf.org>; Thu, 30 Jul 2020 12:15:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode.com; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=g7lZL9V0ji/CIn211ew6SmQ2XvufePV25gq9NNwm1tY=; b=TfnFD/fewV1/cSbGsdrfpxASUZwNjwVTX209NB4ocntXXk+qO/wBBYUpc55QI6SAE1 KlOGChaLhlZ0m/TtY83I/5tSGlvZIWVAswZKZrsnx1pPzXrTPjWH/Ci9hvJvNyPAy23P SyGSo3wPqaL9cizeEwG+yd41Ev68mwByYLvslund5s9tm25x9qAtMjaaW9KhcGE9CJk9 WHAADWo3MwZLR4auR87JFk9kQnCWVGVoXqEZ8zjjYqGT67ZTBQp9s7MiX8OT5O8gfPnm pv5F1X7lmy4SxzKJq01Ww9mKTX/RKZuGGK4ZDwDTrLaMbE2YZ4N41V9smY2+AQYyoILO TTfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=g7lZL9V0ji/CIn211ew6SmQ2XvufePV25gq9NNwm1tY=; b=UdDgol0t1EqAr/PKR4ILSfz12bY8RAtMnvXcfZzo1cXD3BV+CcyEkWDHIof1wgO8ir uncvZnvE4+WfP1u2ypuIA9phqYastCegg0+t9OLnoJLxA+nLg2lDxM90qGUVFhWYS31w TIqrY+QUBU+iDd4OsZ9EmZexAFrP4Wdab26XnO+ODSt71v0oekVmGeG7LeYgb+NQrndc AEapZA1weYrQa7KjuY/IU9SKXSFar+gSswA418MWPbJccOAjScp2HY9u/yWe7EzCMYRQ xq3ygMHg88UUEjxzoLGEYz+zGZsPOcVRFWC2+oQCrqg4RWmHBTN4941o5QDy0wCErNAG gShQ==
X-Gm-Message-State: AOAM532WWA4f1vmvkrPf8TsH/RZnJUMrKWS9vASnUi9RAkzFH9Q8yvti GDw24G3IJ/yfqK+X5+merCTjsw==
X-Google-Smtp-Source: ABdhPJwMMBcuNrbGjd9VOe8mq9uoRSvg8zQ8AH7Fy3S1fvURt4RiYGsTs2rxdCpNbXkXXXuqTUWsTQ==
X-Received: by 2002:a37:5dc6:: with SMTP id r189mr706211qkb.364.1596136522751;  Thu, 30 Jul 2020 12:15:22 -0700 (PDT)
Received: from [192.168.0.197] (pool-71-126-184-140.washdc.east.verizon.net. [71.126.184.140]) by smtp.gmail.com with ESMTPSA id z68sm5058266qke.113.2020.07.30.12.15.21 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 30 Jul 2020 12:15:21 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-1F64C9D3-3D5C-4A52-AD40-402E5FE64295
Content-Transfer-Encoding: 7bit
From: Jim Manico <jim@manicode.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 30 Jul 2020 15:15:20 -0400
Message-Id: <4E2EAEF4-A0E4-4560-86C3-083A19A0F440@manicode.com>
References: <CAJot-L0gx6-NSGmWsY_qx4sTiKNJ9NtExX-zZWM=+CjVn=5MPg@mail.gmail.com>
Cc: Aaron Parecki <aaron@parecki.com>, oauth <oauth@ietf.org>
In-Reply-To: <CAJot-L0gx6-NSGmWsY_qx4sTiKNJ9NtExX-zZWM=+CjVn=5MPg@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
X-Mailer: iPhone Mail (17G68)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SP5wGr8xKNXe1c97xOxfp-M9Pj0>
Subject: Re: [OAUTH-WG] Clarifying Bearer token usage OAuth 2.1 draft-ietf-oauth-v2-1-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 19:15:27 -0000

--Apple-Mail-1F64C9D3-3D5C-4A52-AD40-402E5FE64295
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

Yea to cookie configuration suggestions!

I suggest SameSite=LAX at least, which is actually the default behavior in Chrome if you do not set the samesite value. LAX will not break links that originate from emails, STRICT will.

Point being is that CSRF defense is easy. XSS defense is brutally hard in apps with complex UI’s!

--
Jim Manico
@Manicode


> On Jul 30, 2020, at 1:13 PM, Warren Parad <wparad@rhosys.ch> wrote:
>
>> Cookie storage of tokens does leave one open to CSRF attacks so it's certainly a trade-off. But CSRF is much easier to defend against than XSS and cookies are a better choice if the specific risk of having tokens stolen via XSS matters to your threat model.
>
> I would assume if we included cookie language, it would explicitly specify Secure; HttpOnly; SameSite=Strict as the recommendation, and then neither XSS nor CSRF should be a problem (right?)
>
>
>> OAuth 2.1 isn't supposed to add new features that don't already exist, but this sounds like a good candidate to develop as an OAuth extension.
>
> Is this really a new feature though?
>
> Okay, I'll submit that RFC 6749 does state the cookie wouldn't be created by the AS.
>> 5.1.  Successful Response
>>    The authorization server issues an access token and optional refresh
>>    token, and constructs the response by adding the following parameters
>>    to the entity-body of the HTTP response with a 200 (OK) status code:
>
> However that wouldn't prevent a client using the password grant (I know I said a bad word) or authorization code flow from creating the cookie to contain that. Specifically
>> 7.  Accessing Protected Resources
>>    The client accesses protected resources by presenting the access
>>    token to the resource server.  The resource server MUST validate the
>>    access token and ensure that it has not expired and that its scope
>>    covers the requested resource.  The methods used by the resource
>>    server to validate the access token (as well as any error responses)
>>    are beyond the scope of this specification but generally involve an
>>    interaction or coordination between the resource server and the
>>    authorization server.
>>    The method in which the client utilizes the access token to
>>    authenticate with the resource server depends on the type of access
>>    token issued by the authorization server.  Typically, it involves
>>    using the HTTP "Authorization" request header field [RFC2617] with an
>>    authentication scheme defined by the specification of the access
>>    token type used, such as [RFC6750].
>
> So that's definitely some gray area. Although perhaps I'm missing a relevant section. If we are going to go so far to detail a list of possible RS bearer token possible locations (i.e. Header and Body), to what I assume is to implicitly say Don't use a query parameter. It also suggests Don't use a cookie at all, even with SameSite=Strict. Although maybe that is the point.
>
> For my reference, what makes a new feature and what makes an OAuth extension?
>
>
> Warren Parad
> Founder, CTO
> Secure your user data and complete your authorization architecture. Implement Authress.
>
>
>> On Thu, Jul 30, 2020 at 6:46 PM Aaron Parecki <aaron@parecki.com> wrote:
>> I haven't seen any OAuth drafts that talk about sending OAuth access tokens in HTTP cookies. OAuth 2.1 isn't supposed to add new features that don't already exist, but this sounds like a good candidate to develop as an OAuth extension.
>>
>> ---
>> Aaron Parecki
>> https://aaronparecki.com
>> https://oauth2simplified.com
>>
>>> On Thu, Jul 30, 2020 at 9:35 AM Jim Manico <jim@manicode.com> wrote:
>>> In a browser, HTTPOnly cookies are the only location where an access (or other) token can be stored in a way where it cannot be stolen from XSS.
>>>
>>> It's a very strong place to store tokens from a security point of view.
>>>
>>> Cookie storage of tokens does leave one open to CSRF attacks so it's certainly a trade-off. But CSRF is much easier to defend against than XSS and cookies are a better choice if the specific risk of having tokens stolen via XSS matters to your threat model.
>>>
>>> - Jim
>>>
>>> On 7/30/20 11:43 AM, Warren Parad wrote:
>>>> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens
>>>>
>>>> It seems recently more and more common to pass the access_token to some RS via a cookie, yet 7.2.1 says it defines two methods. I think we need some RFC2119 keywords here, to suggest that either SHOULD use one of these two, or MUST. And then optionally state whether or not we recommend or reject the use of cookies as a place for access tokens. It's also possible that the language threw me off, because would an access token in a cookie be a bearer token, but no matter, if I'm having this thought, then surely others have it as well, right?
>>>>
>>>> <image.png>
>>>>
>>>> Warren Parad
>>>> Founder, CTO
>>>> Secure your user data and complete your authorization architecture. Implement Authress.
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> --
>>> Jim Manico
>>> Manicode Security
>>> https://www.manicode.com

--Apple-Mail-1F64C9D3-3D5C-4A52-AD40-402E5FE64295--
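
The cookie settings weighed in the message above (Secure; HttpOnly; SameSite=Strict versus SameSite=Lax, and an unset SameSite treated as Lax by Chrome), shown as an added example that is not part of any message in this thread: a simplified JavaScript model of when a browser attaches a token cookie and whether page script can read it. The cookie name `access_token`, its value and the scenario names are constructed; the model ignores Domain/Path matching and Chrome's short-lived allowance for POST requests on cookies that carry no SameSite attribute.

```javascript
// Simplified model of browser cookie handling for a token cookie.
// Illustration only: not a full implementation of the cookie specification.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("malformed cookie pair: " + pair);
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Effective SameSite mode. A missing or unrecognised value is treated as
// "lax", the Chrome default mentioned in the thread.
function sameSiteMode(cookie) {
  const v = String(cookie.attrs.samesite || "").toLowerCase();
  return v === "strict" || v === "none" ? v : "lax";
}

// Would the browser attach this cookie to the described request?
// req: { sameSite, topLevelNavigation, method, https }
function cookieIsSent(cookie, req) {
  if (cookie.attrs.secure && !req.https) return false; // Secure: HTTPS only
  if (req.sameSite) return true;                       // same-site: always sent
  switch (sameSiteMode(cookie)) {
    case "strict":
      return false; // never sent on cross-site requests
    case "lax":
      // only on top-level navigations that use a safe method
      return req.topLevelNavigation && SAFE_METHODS.has(req.method);
    default:
      return true;  // "none": sent on every cross-site request
  }
}

// HttpOnly hides the cookie from document.cookie, so injected script
// cannot read the token value.
function readableByScript(cookie) {
  return !cookie.attrs.httponly;
}

// Constructed request scenarios covering the cases raised in the thread.
const SCENARIOS = {
  emailLink:           { sameSite: false, topLevelNavigation: true,  method: "GET",  https: true },
  crossSiteFormPost:   { sameSite: false, topLevelNavigation: true,  method: "POST", https: true },
  crossSiteSubrequest: { sameSite: false, topLevelNavigation: false, method: "GET",  https: true },
  sameSiteApiCall:     { sameSite: true,  topLevelNavigation: false, method: "POST", https: true },
  sameSitePlainHttp:   { sameSite: true,  topLevelNavigation: true,  method: "GET",  https: false },
};

// Evaluate one Set-Cookie header against every scenario.
function evaluate(header) {
  const cookie = parseSetCookie(header);
  const result = { scriptReadable: readableByScript(cookie) };
  for (const [name, req] of Object.entries(SCENARIOS)) {
    result[name] = cookieIsSent(cookie, req);
  }
  return result;
}

// Constructed sample headers.
const SAMPLES = {
  strict: "access_token=constructed-value; Secure; HttpOnly; SameSite=Strict",
  lax:    "access_token=constructed-value; Secure; HttpOnly; SameSite=LAX",
  unset:  "access_token=constructed-value; Secure; HttpOnly",
  bare:   "access_token=constructed-value",
};

for (const [label, header] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(evaluate(header)));
}
```

In this model neither Strict nor Lax lets a cross-site form POST carry the cookie; the only difference between them is the `emailLink` row, which is the broken-link behaviour the message describes.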


From nobody Thu Jul 30 12:21:43 2020
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0662A3A0B58 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 12:21:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level: 
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UCmDDOZz_CYq for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 12:21:37 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AD323A0B4F for <oauth@ietf.org>; Thu, 30 Jul 2020 12:21:37 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id 140so15572838lfi.5 for <oauth@ietf.org>; Thu, 30 Jul 2020 12:21:37 -0700 (PDT)
X-Received: by 2002:a19:8044:: with SMTP id b65mr70881lfd.91.1596136895019; Thu, 30 Jul 2020 12:21:35 -0700 (PDT)
MIME-Version: 1.0
References: <CAJot-L0gx6-NSGmWsY_qx4sTiKNJ9NtExX-zZWM=+CjVn=5MPg@mail.gmail.com> <4E2EAEF4-A0E4-4560-86C3-083A19A0F440@manicode.com>
In-Reply-To: <4E2EAEF4-A0E4-4560-86C3-083A19A0F440@manicode.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 30 Jul 2020 12:20:58 -0700
Message-ID: <CAD9ie-uUeX2fKxz=Cn0ea2vcec-rEsGvjTRsYJgCcVrqQf8H3A@mail.gmail.com>
To: Jim Manico <jim@manicode.com>
Cc: Warren Parad <wparad@rhosys.ch>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a3fff405abad94d2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dzbPUf845NV_AlsZ32BeICUgvJY>
Subject: Re: [OAUTH-WG] Clarifying Bearer token usage OAuth 2.1 draft-ietf-oauth-v2-1-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 19:21:41 -0000

--000000000000a3fff405abad94d2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

One of the constraints of the OAuth 2.1 document that aligned the WG was it
would have no new features.

I'd recommend a separate document for the cookie bearer token feature.

On Thu, Jul 30, 2020 at 12:15 PM Jim Manico <jim@manicode.com> wrote:

> Yea to cookie configuration suggestions!
>
> I suggest SameSite=LAX at least, which is actually the default behavior in
> Chrome if you do not set the samesite value. LAX will not break links that
> originate from emails, STRICT will.
>
> Point being is that CSRF defense is easy. XSS defense is brutally hard in
> apps with complex UI’s!
>
> --
> Jim Manico
> @Manicode
>
>
> On Jul 30, 2020, at 1:13 PM, Warren Parad <wparad@rhosys.ch> wrote:
>
>
>> Cookie storage of tokens does leave one open to CSRF attacks so it's
>> certainly a trade-off. But CSRF is much easier to defend against than XSS
>> and cookies are a better choice if the specific risk of having tokens
>> stolen via XSS matters to your threat model.
>
>
> I would assume if we included cookie language, it would explicitly specify
> *Secure; HttpOnly; SameSite=Strict* as the recommendation, and then neither XSS
> nor CSRF should be a problem (right?)
>
>
>> OAuth 2.1 isn't supposed to add new features that don't already exist, but
>> this sounds like a good candidate to develop as an OAuth extension.
>
>
> Is this really a *new feature* though?
>
> Okay, I'll submit that RFC 6749 does state the cookie wouldn't be created
> by the AS.
>
>> 5.1.  Successful Response <https://tools.ietf.org/html/rfc6749#section-5.1>
>>    The authorization server issues an access token and optional refresh
>>    token, and constructs the response by *adding the following parameters
>>    to the entity-body of the HTTP response* with a 200 (OK) status code:
>
>
> However that wouldn't prevent a client using the password grant (I know I
> said a bad word) or authorization code flow from creating the cookie to
> contain that. Specifically
>
>> 7.  Accessing Protected Resources
>>    The client accesses protected resources by presenting the access
>>    token to the resource server.  The resource server MUST validate the
>>    access token and ensure that it has not expired and that its scope
>>    covers the requested resource.  *The methods used by the resource
>>    server to validate the access token (as well as any error responses)
>>    are beyond the scope of this specification but generally involve an
>>    interaction or coordination between the resource server and the
>>    authorization server*.
>>    The method in which the client utilizes the access token to
>>    authenticate with the resource server depends on the type of access
>>    token issued by the authorization server.  *Typically, it involves
>>    using the HTTP "Authorization" request header* field [RFC2617] with an
>>    authentication scheme defined by the specification of the access
>>    token type used, such as [RFC6750].
>
>
> So that's definitely some gray area. Although perhaps I'm missing a
> relevant section. If we are going to go so far to detail a list of possible
> RS bearer token possible locations (i.e. Header and Body), to what I assume
> is to implicitly say *Don't use a query parameter*. It also suggests *Don't
> use a cookie at all*, even with *SameSite=Strict*. Although maybe that is
> the point.
>
> For my reference, what makes a *new feature* and what makes *an OAuth
> extension?*
>
> Warren Parad
>
> Founder, CTO
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
>
>
> On Thu, Jul 30, 2020 at 6:46 PM Aaron Parecki <aaron@parecki.com> wrote:
>
>> I haven't seen any OAuth drafts that talk about sending OAuth access
>> tokens in HTTP cookies. OAuth 2.1 isn't supposed to add new features that
>> don't already exist, but this sounds like a good candidate to develop as an
>> OAuth extension.
>>
>> ---
>> Aaron Parecki
>> https://aaronparecki.com
>> https://oauth2simplified.com
>>
>> On Thu, Jul 30, 2020 at 9:35 AM Jim Manico <jim@manicode.com> wrote:
>>
>>> In a browser, HTTPOnly cookies are the *only* location where an access
>>> (or other) token can be stored in a way where it *cannot be stolen from
>>> XSS*.
>>>
>>> It's a very strong place to store tokens from a security point of view.
>>>
>>> Cookie storage of tokens does leave one open to CSRF attacks so it's
>>> certainly a trade-off. But CSRF is much easier to defend against than XSS
>>> and cookies are a better choice if the specific risk of having tokens
>>> stolen via XSS matters to your threat model.
>>>
>>> - Jim
>>> On 7/30/20 11:43 AM, Warren Parad wrote:
>>>
>>> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens
>>>
>>> It seems recently more and more common to pass the access_token to some
>>> RS via a cookie, yet 7.2.1 says it defines two methods. I think we need
>>> some RFC2119
>>> <https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119> keywords
>>> here, to suggest that either SHOULD use one of these two, or MUST. And then
>>> optionally state whether or not we recommend or reject the use of cookies
>>> as a place for access tokens. It's also possible that the language threw me
>>> off, because would an access token in a cookie be a bearer token, but no
>>> matter, if I'm having this thought, then surely others have it as well,
>>> right?
>>>
>>> <image.png>
>>>
>>>
>>> Warren Parad
>>>
>>> Founder, CTO
>>> Secure your user data and complete your authorization architecture.
>>> Implement Authress <https://bit.ly/37SSO1p>.
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> --
>>> Jim Manico
>>> Manicode Security
>>> https://www.manicode.com
>>>

--000000000000a3fff405abad94d2--
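
Added example, not part of any message in this thread: the cookie attributes debated above (Secure; HttpOnly; SameSite=Strict versus SameSite=Lax) checked on a Set-Cookie header, together with a simplified model of when the browser attaches the cookie. The function names, the cookie name access_token and the sample headers are assumptions made for illustration; an unset SameSite is treated as Lax, the Chrome default described in the thread.

```python
"""Audit a token-bearing Set-Cookie header and model SameSite delivery.

Added illustration; every name and sample header here is constructed.
"""

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
KNOWN_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_token_cookie(header):
    """Return (code, explanation) findings for a cookie that carries a token."""
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(("no-httponly",
                         "page script can read the token, so XSS can steal it"))
    if "secure" not in attrs:
        findings.append(("no-secure",
                         "the token may be sent over plain HTTP"))
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        findings.append(("samesite-none",
                         "sent on every cross-site request; CSRF defence "
                         "has to come from somewhere else"))
    elif samesite == "lax":
        findings.append(("samesite-lax",
                         "cross-site top-level GET navigations still carry "
                         "the cookie; GET handlers must not change state"))
    elif samesite != "strict":
        findings.append(("samesite-unset",
                         "behaviour depends on the browser default; "
                         "set SameSite explicitly"))
    return findings


def cookie_is_sent(samesite, cross_site, top_level_navigation, method,
                   unset_means_lax=True):
    """Simplified SameSite model: does the browser attach the cookie?

    unset_means_lax mirrors the Chrome default mentioned in the thread
    (an assumption of this model, not a universal browser rule).
    """
    mode = (samesite or "").lower()
    if mode not in KNOWN_SAMESITE:
        mode = "lax" if unset_means_lax else "none"
    if not cross_site or mode == "none":
        return True
    if mode == "strict":
        return False
    # Lax: only cross-site top-level navigations with a safe method.
    return bool(top_level_navigation) and method.upper() in SAFE_METHODS


# Constructed sample headers (not taken from any real deployment).
SAMPLE_HEADERS = [
    "access_token=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "access_token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "access_token=abc123; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
        for code, why in audit_token_cookie(header) or [("ok", "no findings")]:
            print(f"  {code}: {why}")
    # A link clicked in webmail is a cross-site top-level GET navigation.
    for mode in ("Strict", "Lax"):
        sent = cookie_is_sent(mode, cross_site=True,
                              top_level_navigation=True, method="GET")
        print(f"link from email, SameSite={mode}: cookie sent = {sent}")
    # A cross-site form POST is the classic CSRF shape.
    for mode in ("Strict", "Lax", "None"):
        sent = cookie_is_sent(mode, cross_site=True,
                              top_level_navigation=True, method="POST")
        print(f"cross-site POST, SameSite={mode}: cookie sent = {sent}")
```

The model covers only the SameSite decision; Secure, Path, Domain and expiry also decide whether a real browser sends the cookie.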


From nobody Thu Jul 30 13:48:00 2020
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E37A33A0CA1 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 13:47:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level: 
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e1oGBLlIvHFs for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 13:47:55 -0700 (PDT)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11F153A0CA0 for <oauth@ietf.org>; Thu, 30 Jul 2020 13:47:54 -0700 (PDT)
Received: by mail-qt1-x831.google.com with SMTP id t23so18299450qto.3 for <oauth@ietf.org>; Thu, 30 Jul 2020 13:47:54 -0700 (PDT)
X-Received: by 2002:ac8:7181:: with SMTP id w1mr560407qto.172.1596142073868; Thu, 30 Jul 2020 13:47:53 -0700 (PDT)
Received: from [192.168.0.197] (pool-71-126-184-140.washdc.east.verizon.net. [71.126.184.140]) by smtp.gmail.com with ESMTPSA id h55sm5889210qte.16.2020.07.30.13.47.52 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 30 Jul 2020 13:47:53 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-C6328E00-E7D2-4F7D-8157-3F84C18BD49F
Content-Transfer-Encoding: 7bit
From: Jim Manico <jim@manicode.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 30 Jul 2020 16:47:52 -0400
Message-Id: <1842CB01-E0DE-4121-AFAF-B3BE749E55F0@manicode.com>
References: <CAD9ie-uUeX2fKxz=Cn0ea2vcec-rEsGvjTRsYJgCcVrqQf8H3A@mail.gmail.com>
Cc: Warren Parad <wparad@rhosys.ch>, oauth <oauth@ietf.org>
In-Reply-To: <CAD9ie-uUeX2fKxz=Cn0ea2vcec-rEsGvjTRsYJgCcVrqQf8H3A@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
X-Mailer: iPhone Mail (17G68)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ccEOr9CnKRiYZWQrm1zKY3pmX2U>
Subject: Re: [OAUTH-WG] Clarifying Bearer token usage OAuth 2.1 draft-ietf-oauth-v2-1-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 20:47:58 -0000

--Apple-Mail-C6328E00-E7D2-4F7D-8157-3F84C18BD49F
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

I politely encourage the rules to be bent and to integrate this basic but fundamental security control into the core standard.

This is just basic security; we want as much basic security in the core of any standard. Devs now need to read 20 standards to get OAuth2 basics... and that’s a barrier to entry.

--
Jim Manico
@Manicode

> On Jul 30, 2020, at 3:21 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> One of the constraints of the OAuth 2.1 document that aligned the WG was it would have no new features.
>
> I'd recommend a separate document for the cookie bearer token feature.
>
>> On Thu, Jul 30, 2020 at 12:15 PM Jim Manico <jim@manicode.com> wrote:
>> Yea to cookie configuration suggestions!
>>
>> I suggest SameSite=LAX at least, which is actually the default behavior in Chrome if you do not set the SameSite value. LAX will not break links that originate from emails, STRICT will.
>>
>> Point being is that CSRF defense is easy. XSS defense is brutally hard in apps with complex UIs!
>>
>> --
>> Jim Manico
>> @Manicode
>>
>>
>>>> On Jul 30, 2020, at 1:13 PM, Warren Parad <wparad@rhosys.ch> wrote:
>>>>
>>>> Cookie storage of tokens does leave one open to CSRF attacks so it's certainly a trade-off. But CSRF is much easier to defend against than XSS and cookies are a better choice if the specific risk of having tokens stolen via XSS matters to your threat model.
>>>
>>> I would assume if we included cookie language, it would explicitly specify Secure; HttpOnly; SameSite=Strict as the recommendation, and then neither XSS nor CSRF should be a problem (right?)
>>>
>>>
>>>> OAuth 2.1 isn't supposed to add new features that don't already exist, but this sounds like a good candidate to develop as an OAuth extension.
>>>
>>> Is this really a new feature though?
>>>
>>> Okay, I'll submit that RFC 6749 does state the cookie wouldn't be created by the AS.
>>>> 5.1.  Successful Response
>>>>    The authorization server issues an access token and optional refresh
>>>>    token, and constructs the response by adding the following parameters
>>>>    to the entity-body of the HTTP response with a 200 (OK) status code:
>>>
>>> However that wouldn't prevent a client using the password grant (I know I said a bad word) or authorization code flow from creating the cookie to contain that. Specifically
>>>> 7.  Accessing Protected Resources
>>>>    The client accesses protected resources by presenting the access
>>>>    token to the resource server.  The resource server MUST validate the
>>>>    access token and ensure that it has not expired and that its scope
>>>>    covers the requested resource.  The methods used by the resource
>>>>    server to validate the access token (as well as any error responses)
>>>>    are beyond the scope of this specification but generally involve an
>>>>    interaction or coordination between the resource server and the
>>>>    authorization server.
>>>>    The method in which the client utilizes the access token to
>>>>    authenticate with the resource server depends on the type of access
>>>>    token issued by the authorization server.  Typically, it involves
>>>>    using the HTTP "Authorization" request header field [RFC2617] with an
>>>>    authentication scheme defined by the specification of the access
>>>>    token type used, such as [RFC6750].
>>>
>>> So that's definitely some gray area. Although perhaps I'm missing a relevant section. If we are going to go so far to detail a list of possible RS bearer token possible locations (i.e. Header and Body), to what I assume is to implicitly say Don't use a query parameter. It also suggests Don't use a cookie at all, even with SameSite=Strict. Although maybe that is the point.
>>>
>>> For my reference, what makes a new feature and what makes an OAuth extension?
>>>
>>>
>>> Warren Parad
>>> Founder, CTO
>>> Secure your user data and complete your authorization architecture. Implement Authress.
>>>
>>>
>>>> On Thu, Jul 30, 2020 at 6:46 PM Aaron Parecki <aaron@parecki.com> wrote:
>>>> I haven't seen any OAuth drafts that talk about sending OAuth access tokens in HTTP cookies. OAuth 2.1 isn't supposed to add new features that don't already exist, but this sounds like a good candidate to develop as an OAuth extension.
>>>>
>>>> ---
>>>> Aaron Parecki
>>>> https://aaronparecki.com
>>>> https://oauth2simplified.com
>>>>
>>>>> On Thu, Jul 30, 2020 at 9:35 AM Jim Manico <jim@manicode.com> wrote:
>>>>> In a browser, HTTPOnly cookies are the only location where an access (or other) token can be stored in a way where it cannot be stolen from XSS.
>>>>>
>>>>> It's a very strong place to store tokens from a security point of view.
>>>>>
>>>>> Cookie storage of tokens does leave one open to CSRF attacks so it's certainly a trade-off. But CSRF is much easier to defend against than XSS and cookies are a better choice if the specific risk of having tokens stolen via XSS matters to your threat model.
>>>>>
>>>>> - Jim
>>>>>
>>>>> On 7/30/20 11:43 AM, Warren Parad wrote:
>>>>>> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens
>>>>>>
>>>>>> It seems recently more and more common to pass the access_token to some RS via a cookie, yet 7.2.1 says it defines two methods. I think we need some RFC2119 keywords here, to suggest that either SHOULD use one of these two, or MUST. And then optionally state whether or not we recommend or reject the use of cookies as a place for access tokens. It's also possible that the language threw me off, because would an access token in a cookie be a bearer token, but no matter, if I'm having this thought, then surely others have it as well, right?
>>>>>>
>>>>>> <image.png>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Warren Parad
>>>>>> Founder, CTO
>>>>>> Secure your user data and complete your authorization architecture. Implement Authress.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> --
>>>>> Jim Manico
>>>>> Manicode Security
>>>>> https://www.manicode.com

--Apple-Mail-C6328E00-E7D2-4F7D-8157-3F84C18BD49F
Content-Type: text/html;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charset=3D=
utf-8"></head><body dir=3D"auto">I politely encourage the rules to be bent a=
nd to integrate this basic but fundamental security control into the core st=
andard.<div><br></div><div>This is just basic security; we want as much basi=
c security in the core of any standard. Dev=E2=80=99s now need to read 20 st=
andards to get OAuth2 basics... and that=E2=80=99s a barrier to entry.<br><d=
iv><br><div dir=3D"ltr"><div>--</div><div>Jim Manico</div><div>@Manicode</di=
v></div><div dir=3D"ltr"><br><blockquote type=3D"cite">On Jul 30, 2020, at 3=
:21 PM, Dick Hardt &lt;dick.hardt@gmail.com&gt; wrote:<br><br></blockquote><=
/div><blockquote type=3D"cite"><div dir=3D"ltr">=EF=BB=BF<div dir=3D"ltr">On=
e of the constraints of the OAuth 2.1 document that aligned the WG was it wo=
uld have no new features.<div><br></div><div>I'd recommend a separate docume=
nt for the cookie bearer token feature.&nbsp;</div><div><br></div></div><div=
 hspace=3D"streak-pt-mark" style=3D"max-height:1px"><img alt=3D"" style=3D"w=
idth:0px;max-height:0px;overflow:hidden" src=3D"https://mailfoogae.appspot.c=
om/t?sender=3DaZGljay5oYXJkdEBnbWFpbC5jb20%3D&amp;type=3Dzerocontent&amp;gui=
d=3Dee16f487-78bd-4e93-bbee-b0a804d876c8" data-unique-identifier=3D""><font c=
olor=3D"#ffffff" size=3D"1">=E1=90=A7</font></div><br><div class=3D"gmail_qu=
ote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, Jul 30, 2020 at 12:15 PM J=
im Manico &lt;<a href=3D"mailto:jim@manicode.com">jim@manicode.com</a>&gt; w=
rote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px=
 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"=
auto"><div>Yea to cookie configuration suggestions!</div><div><br></div>I su=
ggest SameSite=3DLAX at least, which is actually the default behavior in chr=
ome if you do not set the samesite value. LAX will not break links that orig=
inate from emails, STRICT will.<div><br></div><div>Point being is that CSRF d=
efense is easy. XSS defense is brutally hard in apps with complex UI=E2=80=99=
s!</div><div><br><div dir=3D"ltr"><div>--</div><div>Jim Manico</div><div>@Ma=
nicode</div><div><br></div></div><div dir=3D"ltr"><br><blockquote type=3D"ci=
te">On Jul 30, 2020, at 1:13 PM, Warren Parad &lt;<a href=3D"mailto:wparad@r=
hosys.ch" target=3D"_blank">wparad@rhosys.ch</a>&gt; wrote:<br><br></blockqu=
ote></div><blockquote type=3D"cite"><div dir=3D"ltr">=EF=BB=BF<div dir=3D"lt=
r"><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;borde=
r-left:1px solid rgb(204,204,204);padding-left:1ex">Cookie storage of tokens=
 does leave one open to CSRF attacks so it's certainly a trade-off. But CSRF=
 is much easier to defense against that XSS and cookies are a better choice i=
f the specific risk of having tokens stolen via XSS matters to your threat m=
odel.</blockquote><div><br></div><div>I would assume if we included cookie l=
anguage, it would explicitly specify&nbsp;<b>Secure; HttpOnly; SameSite=3DSt=
rict</b>&nbsp;as the recommendation, and then neither XSS nor CSRF should be=
 a problem (right?)</div><div><br></div><div><br></div><blockquote class=3D"=
gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204=
,204,204);padding-left:1ex">OAuth 2.1 isn't supposed to add new features tha=
t don't already exist, but this sounds like a good candidate to develop as a=

--Apple-Mail-C6328E00-E7D2-4F7D-8157-3F84C18BD49F--


From nobody Thu Jul 30 13:55:33 2020
MIME-Version: 1.0
References: <CAD9ie-uUeX2fKxz=Cn0ea2vcec-rEsGvjTRsYJgCcVrqQf8H3A@mail.gmail.com> <1842CB01-E0DE-4121-AFAF-B3BE749E55F0@manicode.com>
In-Reply-To: <1842CB01-E0DE-4121-AFAF-B3BE749E55F0@manicode.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 30 Jul 2020 13:54:47 -0700
Message-ID: <CAD9ie-uYefVfBv_aNu2jnsu3q=uv8=Dir-nLKGEbaPH37hhnmw@mail.gmail.com>
To: Jim Manico <jim@manicode.com>
Cc: Warren Parad <wparad@rhosys.ch>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001ba68805abaee424"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/st60eO9HJLVfnZ6XO2c0YJf8WWQ>
Subject: Re: [OAUTH-WG] Clarifying Bearer token usage OAuth 2.1 draft-ietf-oauth-v2-1-00
X-List-Received-Date: Thu, 30 Jul 2020 20:55:29 -0000

--0000000000001ba68805abaee424
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I hear you Jim, but it is not so much rules, as expectations and expediency.

There may be significant debate on how to do the feature. You would not
want to hold up the OAuth 2.1 document for that would you? There are other
documents already in flight -- which other ones should OAuth 2.1 wait for?

Reducing the "20 standards" to one document was the goal of OAuth 2.1.

Having said that, if members of the working group want to get working on
this feature, and if it is completed quickly, it could be referenced or
included in OAuth 2.1 depending on the relative timing.

/Dick





On Thu, Jul 30, 2020 at 1:47 PM Jim Manico <jim@manicode.com> wrote:

> I politely encourage the rules to be bent and to integrate this basic but
> fundamental security control into the core standard.
>
> This is just basic security; we want as much basic security in the core of
> any standard. Devs now need to read 20 standards to get OAuth2 basics...
> and that’s a barrier to entry.
>
> --
> Jim Manico
> @Manicode
>
> On Jul 30, 2020, at 3:21 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> One of the constraints of the OAuth 2.1 document that aligned the WG was
> it would have no new features.
>
> I'd recommend a separate document for the cookie bearer token feature.
>
>
> On Thu, Jul 30, 2020 at 12:15 PM Jim Manico <jim@manicode.com> wrote:
>
>> Yea to cookie configuration suggestions!
>>
>> I suggest SameSite=LAX at least, which is actually the default behavior
>> in Chrome if you do not set the samesite value. LAX will not break links
>> that originate from emails, STRICT will.
>>
>> Point being is that CSRF defense is easy. XSS defense is brutally hard in
>> apps with complex UIs!
>>
>> --
>> Jim Manico
>> @Manicode
>>
>>
>> On Jul 30, 2020, at 1:13 PM, Warren Parad <wparad@rhosys.ch> wrote:
>>
>>
>>> Cookie storage of tokens does leave one open to CSRF attacks so it's
>>> certainly a trade-off. But CSRF is much easier to defend against than XSS
>>> and cookies are a better choice if the specific risk of having tokens
>>> stolen via XSS matters to your threat model.
>>
>>
>> I would assume if we included cookie language, it would explicitly
>> specify *Secure; HttpOnly; SameSite=Strict* as the recommendation, and
>> then neither XSS nor CSRF should be a problem (right?)
>>
>>
>>> OAuth 2.1 isn't supposed to add new features that don't already exist,
>>> but this sounds like a good candidate to develop as an OAuth extension.
>>
>>
>> Is this really a *new feature* though?
>>
>> Okay, I'll submit that RFC 6749 does state the cookie wouldn't be created
>> by the AS.
>>
>>> 5.1.  Successful Response
>>> <https://tools.ietf.org/html/rfc6749#section-5.1>
>>>    The authorization server issues an access token and optional refresh
>>>    token, and constructs the response by *adding the following parameters
>>>    to the entity-body of the HTTP response* with a 200 (OK) status code:
>>
>>
>> However that wouldn't prevent a client using the password grant (I know I
>> said a bad word) or authorization code flow from creating the cookie to
>> contain that. Specifically
>>
>>> 7.  Accessing Protected Resources
>>>    The client accesses protected resources by presenting the access
>>>    token to the resource server.  The resource server MUST validate the
>>>    access token and ensure that it has not expired and that its scope
>>>    covers the requested resource.  *The methods used by the resource
>>>    server to validate the access token (as well as any error responses)
>>>    are beyond the scope of this specification but generally involve an
>>>    interaction or coordination between the resource server and the
>>>    authorization server*.
>>>    The method in which the client utilizes the access token to
>>>    authenticate with the resource server depends on the type of access
>>>    token issued by the authorization server.  *Typically, it involves
>>>    using the HTTP "Authorization" request header* field [RFC2617] with an
>>>    authentication scheme defined by the specification of the access
>>>    token type used, such as [RFC6750].
>>
>>
>> So that's definitely some gray area. Although perhaps I'm missing a
>> relevant section. If we are going to go so far to detail a list of
>> possible RS bearer token possible locations (i.e. Header and Body), to
>> what I assume is to implicitly say *Don't use a query parameter*. It also
>> suggests *Don't use a cookie at all*, even with *SameSite=Strict*.
>> Although maybe that is the point.
>>
>> For my reference, what makes a *new feature* and what makes *an OAuth
>> extension?*
>>
>> Warren Parad
>>
>> Founder, CTO
>> Secure your user data and complete your authorization architecture.
>> Implement Authress <https://bit.ly/37SSO1p>.
>>
>>
>> On Thu, Jul 30, 2020 at 6:46 PM Aaron Parecki <aaron@parecki.com> wrote:
>>
>>> I haven't seen any OAuth drafts that talk about sending OAuth access
>>> tokens in HTTP cookies. OAuth 2.1 isn't supposed to add new features that
>>> don't already exist, but this sounds like a good candidate to develop as
>>> an OAuth extension.
>>>
>>> ---
>>> Aaron Parecki
>>> https://aaronparecki.com
>>> https://oauth2simplified.com
>>>
>>> On Thu, Jul 30, 2020 at 9:35 AM Jim Manico <jim@manicode.com> wrote:
>>>
>>>> In a browser, HTTPOnly cookies are the *only* location where an access
>>>> (or other) token can be stored in a way where it *cannot be stolen
>>>> from XSS*.
>>>>
>>>> It's a very strong place to store tokens from a security point of view.
>>>>
>>>> Cookie storage of tokens does leave one open to CSRF attacks so it's
>>>> certainly a trade-off. But CSRF is much easier to defend against than XSS
>>>> and cookies are a better choice if the specific risk of having tokens
>>>> stolen via XSS matters to your threat model.
>>>>
>>>> - Jim
>>>> On 7/30/20 11:43 AM, Warren Parad wrote:
>>>>
>>>> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens
>>>>
>>>> It seems recently more and more common to pass the access_token to some
>>>> RS via a cookie, yet 7.2.1 says it defines two methods. I think we need
>>>> some RFC2119
>>>> <https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119>
>>>> keywords here, to suggest that either SHOULD use one of these two, or
>>>> MUST. And then optionally state whether or not we recommend or reject the
>>>> use of cookies as a place for access tokens. It's also possible that the
>>>> language threw me off, because would an access token in a cookie be a
>>>> bearer token, but no matter, if I'm having this thought, then surely
>>>> others have it as well, right?
>>>>
>>>> <image.png>
>>>>
>>>>
>>>> Warren Parad
>>>>
>>>> Founder, CTO
>>>> Secure your user data and complete your authorization architecture.
>>>> Implement Authress <https://bit.ly/37SSO1p>.
>>>>
>>>> --
>>>> Jim Manico
>>>> Manicode Security
>>>> https://www.manicode.com
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>
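
The cookie attributes debated in this thread (Secure, HttpOnly, SameSite=Strict versus Lax), as an added example that is not part of any message in the thread: a small auditor for Set-Cookie headers that carry an access token, with a simplified model of when a browser attaches the cookie to a cross-site request. The cookie name `access_token`, the sample headers and the finding codes are constructed for illustration, and an absent SameSite attribute is treated as Lax, following the Chrome default mentioned above.

```python
from dataclasses import dataclass
from typing import List

# HTTP methods a Lax cookie is still sent with on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool
    http_only: bool
    same_site: str  # "strict", "lax", "none", or "" when the attribute is absent


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(
        name=name.strip(),
        value=value.strip(),
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite", "").lower(),
    )


def effective_same_site(cookie: Cookie) -> str:
    """Assumption: a missing or unknown SameSite value behaves as Lax."""
    return cookie.same_site if cookie.same_site in ("strict", "lax", "none") else "lax"


def readable_by_script(cookie: Cookie) -> bool:
    """Without HttpOnly, page script (and so injected script) can read the token."""
    return not cookie.http_only


def sent_cross_site(cookie: Cookie, method: str, top_level_navigation: bool) -> bool:
    """Simplified model: is the cookie attached to a request started by another site?"""
    mode = effective_same_site(cookie)
    if mode == "strict":
        return False
    if mode == "lax":
        # Covers a link followed from an email; excludes cross-site form POSTs.
        return top_level_navigation and method.upper() in SAFE_METHODS
    # SameSite=None is only honoured together with Secure.
    return cookie.secure


def audit(header: str) -> List[str]:
    """Return finding codes for a token cookie; an empty list means none raised."""
    cookie = parse_set_cookie(header)
    findings = []
    if not cookie.secure:
        findings.append("no-secure")
    if readable_by_script(cookie):
        findings.append("no-httponly")
    if cookie.same_site not in ("strict", "lax", "none"):
        findings.append("samesite-unset")
    if sent_cross_site(cookie, "POST", top_level_navigation=False):
        findings.append("csrf-cross-site-post")
    return findings


# Constructed sample headers, not taken from any real deployment.
SAMPLES = [
    "access_token=abc; Path=/",
    "access_token=abc; Secure; HttpOnly; SameSite=Strict",
    "access_token=abc; Secure; HttpOnly; SameSite=Lax",
    "access_token=abc; Secure; SameSite=None",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        c = parse_set_cookie(sample)
        print(sample)
        print("  findings:", audit(sample) or "none")
        print("  sent when following a link from an email:",
              sent_cross_site(c, "GET", top_level_navigation=True))
```

Strict and Lax both pass the audit; the difference shows only in the last printed line, where Lax keeps the session on an inbound link and Strict does not.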

--0000000000001ba68805abaee424
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

font-size:x-small" target=3D"_blank">Authress</a><span style=3D"font-size:x=
-small">.</span><br></div></div></div><br></div></div><br><div class=3D"gma=
il_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, Jul 30, 2020 at 6:4=
6 PM Aaron Parecki &lt;<a href=3D"mailto:aaron@parecki.com" target=3D"_blan=
k">aaron@parecki.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quo=
te" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204=
);padding-left:1ex"><div dir=3D"ltr">I haven&#39;t seen any OAuth drafts th=
at talk about sending OAuth access tokens in HTTP cookies. OAuth 2.1 isn&#3=
9;t supposed to add new features that don&#39;t already exist, but this sou=
nds like a good candidate to develop as an OAuth extension.<div><br></div><=
div><div dir=3D"ltr"><div dir=3D"ltr"><div>---</div>Aaron Parecki<div><a hr=
ef=3D"https://aaronparecki.com" target=3D"_blank">https://aaronparecki.com<=
/a></div><div><a href=3D"https://oauth2simplified.com" target=3D"_blank">ht=
tps://oauth2simplified.com</a>=C2=A0</div></div></div></div></div><br><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, Jul 30,=
 2020 at 9:35 AM Jim Manico &lt;<a href=3D"mailto:jim@manicode..com" target=
=3D"_blank">jim@manicode.com</a>&gt; wrote:<br></div><blockquote class=3D"g=
mail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204=
,204,204);padding-left:1ex">
 =20
   =20
 =20
  <div>
    <p>In a browser, HTTPOnly cookies are the <b>only</b> location
      where an access (or other) token can be stored in a way where it <b>c=
annot
        be stolen from XSS</b>.</p>
    <p>It&#39;s a very strong place to store tokens from a security point o=
f
      view.</p>
    <p>Cookie storage of tokens does leave one open to CSRF attacks so
      it&#39;s certainly a trade-off. But CSRF is much easier to defend
      against than XSS and cookies are a better choice if the specific
      risk of having tokens stolen via XSS matters to your threat model.</p=
>
    <p>- Jim<br>
    </p>
    <div>On 7/30/20 11:43 AM, Warren Parad
      wrote:<br>
    </div>
    <blockquote type=3D"cite">
     =20
      <div dir=3D"ltr">
        <div><a href=3D"https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.ht=
ml#name-bearer-tokens" target=3D"_blank">https://www.ietf.org/id/draft-ietf=
-oauth-v2-1-00.html#name-bearer-tokens</a><br>
        </div>
        <div><br>
        </div>
        <div>It seems recently more and more=C2=A0common to pass the
          access_token to some RS via a cookie, yet 7.2.1 says it
          defines two methods. I think we need some=C2=A0<a href=3D"https:/=
/www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119" target=3D"_blank=
">RFC2119</a>=C2=A0keywords
          here, to suggest that either SHOULD use one of these two, or
          MUST. And then optionally state whether or not we recommend or
          reject the use of cookies as a place for access tokens. It&#39;s
          also possible that the language threw me off, because would an
          access token in a cookie be a bearer token, but no matter, if
          I&#39;m having this thought, then surely others have it as well,
          right?<br>
        </div>
        <div><br>
        </div>
        <div>
          <div><div>&lt;image.png&gt;</div><br>
          </div>
        </div>
        <br clear=3D"all">
        <div>
          <div dir=3D"ltr">
            <div dir=3D"ltr">
              <table style=3D"border:none;border-collapse:collapse">
                <colgroup><col width=3D"214"><col width=3D"110"></colgroup>=
<tbody>
                  <tr style=3D"height:0pt">
                    <td style=3D"border-width:1pt;border-style:solid;border=
-color:rgb(255,255,255) rgb(204,204,204) rgb(255,255,255) rgb(255,255,255);=
vertical-align:top;padding:5pt;overflow:hidden">
                      <p dir=3D"ltr" style=3D"line-height:1.2;border-width:=
1pt;border-style:solid;border-color:rgb(255,255,255);margin-top:0pt;margin-=
bottom:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0=
);background-color:transparent;vertical-align:baseline;white-space:pre-wrap=
"><span style=3D"border:none;display:inline-block;overflow:hidden;width:199=
px;height:34px"><img src=3D"https://lh6.googleusercontent.com/DNiDx1QGIrSqM=
PKDN1oKevxYuyVRXsqhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBhaZJg1BO45YOc=
1xs6r9KJ1fYsNHogY-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA" style=3D"margin-left: 0px;=
 margin-top: 0px;" width=3D"199" height=3D"34"></span></span></p>
                    </td>
                    <td style=3D"border-width:1pt;border-style:solid;border=
-color:rgb(255,255,255) rgb(255,255,255) rgb(255,255,255) rgb(204,204,204);=
vertical-align:top;padding:5pt;overflow:hidden">
                      <p dir=3D"ltr" style=3D"line-height:1.2;border-left:1=
pt solid rgb(255,255,255);border-right:1pt solid rgb(255,255,255);border-to=
p:1pt solid rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><span style=
=3D"font-size:11pt;font-family:Lato,sans-serif;background-color:transparent=
;font-weight:700;vertical-align:baseline;white-space:pre-wrap">Warren Parad=
</span></p>
                      <p dir=3D"ltr" style=3D"line-height:1.2;border-left:1=
pt solid rgb(255,255,255);border-right:1pt solid rgb(255,255,255);border-bo=
ttom:1pt solid rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><font fac=
e=3D"Lato, sans-serif"><span style=3D"font-size:13.3333px;white-space:pre-w=
rap">Founder, CTO</span></font></p>
                    </td>
                  </tr>
                </tbody>
              </table>
              <span style=3D"font-size:x-small">Secure your user data and
                complete your authorization architecture. Implement=C2=A0</=
span><a href=3D"https://bit.ly/37SSO1p" style=3D"font-size:x-small" target=
=3D"_blank">Authress</a><span style=3D"font-size:x-small">.</span><br>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <pre>_______________________________________________
OAuth mailing list
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">h=
ttps://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <pre cols=3D"72">--=20
Jim Manico
Manicode Security
<a href=3D"https://www.manicode.com" target=3D"_blank">https://www.manicode=
.com</a></pre>
  </div>

_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div>
</blockquote></div>
</div></blockquote></div></div>____________________________________________=
___<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div>
</div></blockquote></div></div></div></blockquote></div>

--0000000000001ba68805abaee424--
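
The cookie settings debated in this thread (Secure; HttpOnly; SameSite=Lax versus Strict), worked through as an added example that is not part of any message in the thread. It is a simplified Python model of a browser's decisions to attach a cookie or expose it to script; the cookie name `access_token`, the request scenarios and the `unset_default` parameter are assumptions made for illustration.

```python
"""Simplified model of browser handling of a token cookie (added example)."""
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = None  # "Strict", "Lax", "None", or unset


@dataclass(frozen=True)
class Request:
    scheme: str          # "https" or "http"
    method: str
    same_site: bool      # initiator and target belong to the same site
    top_level_nav: bool  # navigation that changes the address bar


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    mode = attrs.get("samesite")
    return Cookie(
        name=name.strip(),
        value=value.strip(),
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=mode.capitalize() if mode else None,
    )


def browser_sends(cookie: Cookie, req: Request, unset_default: str = "Lax") -> bool:
    """Would the browser attach this cookie to the request?

    unset_default is the mode applied when SameSite is absent: "Lax" models
    the Chrome default mentioned in the thread, "None" the older behaviour.
    Real browsers derive same_site from scheme and registrable domain; here
    it is supplied by the caller.
    """
    if cookie.secure and req.scheme != "https":
        return False
    if req.same_site:
        return True
    mode = cookie.same_site or unset_default
    if mode == "Strict":
        return False
    if mode == "Lax":
        return req.top_level_nav and req.method.upper() in SAFE_METHODS
    return True  # "None": attached to every cross-site request


def script_can_read(cookie: Cookie) -> bool:
    """HttpOnly hides the value from page script (document.cookie).

    It does not stop script running on the page from issuing same-site
    requests that carry the cookie; it only prevents the value being read.
    """
    return not cookie.http_only


# Constructed request scenarios (assumptions for this example).
SCENARIOS = {
    "same_site_fetch": Request("https", "GET", same_site=True, top_level_nav=False),
    "email_link": Request("https", "GET", same_site=False, top_level_nav=True),
    "cross_site_post": Request("https", "POST", same_site=False, top_level_nav=True),
    "cross_site_subresource": Request("https", "GET", same_site=False, top_level_nav=False),
}


def evaluate(set_cookie_header: str, unset_default: str = "Lax") -> dict:
    """Return, per scenario, whether the cookie is attached, plus script visibility."""
    cookie = parse_set_cookie(set_cookie_header)
    result = {
        name: browser_sends(cookie, req, unset_default)
        for name, req in SCENARIOS.items()
    }
    result["script_can_read"] = script_can_read(cookie)
    return result


if __name__ == "__main__":
    # Constructed sample headers; the token value is a placeholder.
    for header in (
        "access_token=PLACEHOLDER",
        "access_token=PLACEHOLDER; Secure; HttpOnly; SameSite=Lax",
        "access_token=PLACEHOLDER; Secure; HttpOnly; SameSite=Strict",
    ):
        print(header, "->", evaluate(header))
```
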


From nobody Thu Jul 30 14:17:06 2020
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 574F53A0CEC for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 14:17:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level: 
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z5XL_uMzuyLz for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 14:17:00 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59DC23A0CEA for <oauth@ietf.org>; Thu, 30 Jul 2020 14:17:00 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id t15so20792562iob.3 for <oauth@ietf.org>; Thu, 30 Jul 2020 14:17:00 -0700 (PDT)
X-Received: by 2002:a05:6638:2401:: with SMTP id z1mr1308244jat.97.1596143818686;  Thu, 30 Jul 2020 14:16:58 -0700 (PDT)
Received: from mail-il1-f179.google.com (mail-il1-f179.google.com. [209.85.166.179]) by smtp.gmail.com with ESMTPSA id t7sm2907110ili.2.2020.07.30.14.16.57 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 30 Jul 2020 14:16:57 -0700 (PDT)
Received: by mail-il1-f179.google.com with SMTP id p16so12910174ile.0 for <oauth@ietf.org>; Thu, 30 Jul 2020 14:16:57 -0700 (PDT)
X-Received: by 2002:a05:6e02:c21:: with SMTP id q1mr556189ilg.28.1596143817533;  Thu, 30 Jul 2020 14:16:57 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uUeX2fKxz=Cn0ea2vcec-rEsGvjTRsYJgCcVrqQf8H3A@mail.gmail.com> <1842CB01-E0DE-4121-AFAF-B3BE749E55F0@manicode.com> <CAD9ie-uYefVfBv_aNu2jnsu3q=uv8=Dir-nLKGEbaPH37hhnmw@mail.gmail.com>
In-Reply-To: <CAD9ie-uYefVfBv_aNu2jnsu3q=uv8=Dir-nLKGEbaPH37hhnmw@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 30 Jul 2020 14:16:46 -0700
X-Gmail-Original-Message-ID: <CAGBSGjoXd-0WKCQoniwoRBBjOn-jfRBZMke=97B9LtNYu4wTjg@mail.gmail.com>
Message-ID: <CAGBSGjoXd-0WKCQoniwoRBBjOn-jfRBZMke=97B9LtNYu4wTjg@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Jim Manico <jim@manicode.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000412f5d05abaf31d3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pZwlmQ5uvK7nNJiMYHt0nH0R7Pc>
Subject: Re: [OAUTH-WG] Clarifying Bearer token usage OAuth 2.1 draft-ietf-oauth-v2-1-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 21:17:04 -0000

--000000000000412f5d05abaf31d3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I have a draft from a coworker that defines a cookie response mode and
cookie bearer token usage. It's something we've considered bringing to the
working group but haven't actually proposed yet. Is this the kind of thing
you're talking about?

https://github.com/jaredhanson/draft-oauth-cookie-response-mode/blob/master/spec.txt

This looks like a good starting point and I am happy to work with Jared on
refining this.

---
Aaron Parecki
https://aaronparecki.com
https://oauth2simplified.com

On Thu, Jul 30, 2020 at 1:55 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> I hear you Jim, but it is not so much rules, as expectations and
> expediency.
>
> There may be significant debate on how to do the feature. You would not
> want to hold up the OAuth 2.1 document for that would you? There are other
> documents already in flight -- which other ones should OAuth 2.1 wait for?
>
> Reducing the "20 standards" to one document was the goal of OAuth 2.1.
>
> Having said that, if members of the working group want to get working on
> this feature, and if it is completed quickly, it could be referenced or
> included in OAuth 2.1 depending on the relative timing.
>
> /Dick
>
> On Thu, Jul 30, 2020 at 1:47 PM Jim Manico <jim@manicode.com> wrote:
>
>> I politely encourage the rules to be bent and to integrate this basic but
>> fundamental security control into the core standard.
>>
>> This is just basic security; we want as much basic security in the core
>> of any standard. Devs now need to read 20 standards to get OAuth2
>> basics... and that’s a barrier to entry.
>>
>> --
>> Jim Manico
>> @Manicode
>>
>> On Jul 30, 2020, at 3:21 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> One of the constraints of the OAuth 2.1 document that aligned the WG was
>> it would have no new features.
>>
>> I'd recommend a separate document for the cookie bearer token feature.
>>
>> On Thu, Jul 30, 2020 at 12:15 PM Jim Manico <jim@manicode.com> wrote:
>>
>>> Yea to cookie configuration suggestions!
>>>
>>> I suggest SameSite=LAX at least, which is actually the default behavior
>>> in Chrome if you do not set the SameSite value. LAX will not break links
>>> that originate from emails, STRICT will.
>>>
>>> Point being is that CSRF defense is easy. XSS defense is brutally hard
>>> in apps with complex UIs!
>>>
>>> --
>>> Jim Manico
>>> @Manicode
>>>
>>>
>>> On Jul 30, 2020, at 1:13 PM, Warren Parad <wparad@rhosys.ch> wrote:
>>>
>>>> Cookie storage of tokens does leave one open to CSRF attacks so it's
>>>> certainly a trade-off. But CSRF is much easier to defend against than XSS
>>>> and cookies are a better choice if the specific risk of having tokens
>>>> stolen via XSS matters to your threat model.
>>>
>>>
>>> I would assume if we included cookie language, it would explicitly
>>> specify *Secure; HttpOnly; SameSite=Strict* as the recommendation, and
>>> then neither XSS nor CSRF should be a problem (right?)
>>>
>>>
>>>> OAuth 2.1 isn't supposed to add new features that don't already exist,
>>>> but this sounds like a good candidate to develop as an OAuth extension.
>>>
>>>
>>> Is this really a *new feature* though?
>>>
>>> Okay, I'll submit that RFC 6749 does state the cookie wouldn't be
>>> created by the AS.
>>>
>>>> 5.1.  Successful Response <https://tools.ietf.org/html/rfc6749#section-5.1>
>>>>    The authorization server issues an access token and optional refresh
>>>>    token, and constructs the response by *adding the following parameters
>>>>    to the entity-body of the HTTP response* with a 200 (OK) status code:
>>>
>>>
>>> However that wouldn't prevent a client using the password grant (I know
>>> I said a bad word) or authorization code flow from creating the cookie to
>>> contain that. Specifically
>>>
>>>> 7.  Accessing Protected Resources
>>>>    The client accesses protected resources by presenting the access
>>>>    token to the resource server.  The resource server MUST validate the
>>>>    access token and ensure that it has not expired and that its scope
>>>>    covers the requested resource.  *The methods used by the resource
>>>>    server to validate the access token (as well as any error responses)
>>>>    are beyond the scope of this specification but generally involve an
>>>>    interaction or coordination between the resource server and the
>>>>    authorization server*.
>>>>    The method in which the client utilizes the access token to
>>>>    authenticate with the resource server depends on the type of access
>>>>    token issued by the authorization server.  *Typically, it involves
>>>>    using the HTTP "Authorization" request header* field [RFC2617] with an
>>>>    authentication scheme defined by the specification of the access
>>>>    token type used, such as [RFC6750].
>>>
>>>
>>> So that's definitely some gray area. Although perhaps I'm missing a
>>> relevant section. If we are going to go so far to detail a list of possible
>>> RS bearer token possible locations (i.e. Header and Body), to what I assume
>>> is to implicitly say *Don't use a query parameter*. It also suggests *Don't
>>> use a cookie at all*, even with *SameSite=Strict*. Although maybe that
>>> is the point.
>>>
>>> For my reference, what makes a *new feature* and what makes *an OAuth
>>> extension?*
>>>
>>> Warren Parad
>>>
>>> Founder, CTO
>>> Secure your user data and complete your authorization architecture.
>>> Implement Authress <https://bit.ly/37SSO1p>.
>>>
>>>
>>> On Thu, Jul 30, 2020 at 6:46 PM Aaron Parecki <aaron@parecki.com> wrote:
>>>
>>>> I haven't seen any OAuth drafts that talk about sending OAuth access
>>>> tokens in HTTP cookies. OAuth 2.1 isn't supposed to add new features that
>>>> don't already exist, but this sounds like a good candidate to develop as an
>>>> OAuth extension.
>>>>
>>>> ---
>>>> Aaron Parecki
>>>> https://aaronparecki.com
>>>> https://oauth2simplified.com
>>>>
>>>> On Thu, Jul 30, 2020 at 9:35 AM Jim Manico <jim@manicode.com> wrote:
>>>>
>>>>> In a browser, HTTPOnly cookies are the *only* location where an
>>>>> access (or other) token can be stored in a way where it *cannot be
>>>>> stolen from XSS*.
>>>>>
>>>>> It's a very strong place to store tokens from a security point of view.
>>>>>
>>>>> Cookie storage of tokens does leave one open to CSRF attacks so it's
>>>>> certainly a trade-off. But CSRF is much easier to defend against than XSS
>>>>> and cookies are a better choice if the specific risk of having tokens
>>>>> stolen via XSS matters to your threat model.
>>>>>
>>>>> - Jim
>>>>> On 7/30/20 11:43 AM, Warren Parad wrote:
>>>>>
>>>>>
>>>>> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens
>>>>>
>>>>> It seems recently more and more common to pass the access_token to
>>>>> some RS via a cookie, yet 7.2.1 says it defines two methods. I think we
>>>>> need some RFC2119
>>>>> <https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119> keywords
>>>>> here, to suggest that either SHOULD use one of these two, or MUST. And then
>>>>> optionally state whether or not we recommend or reject the use of cookies
>>>>> as a place for access tokens. It's also possible that the language threw me
>>>>> off, because would an access token in a cookie be a bearer token, but no
>>>>> matter, if I'm having this thought, then surely others have it as well,
>>>>> right?
>>>>>
>>>>> <image.png>
>>>>>
>>>>>
>>>>> Warren Parad
>>>>>
>>>>> Founder, CTO
>>>>> Secure your user data and complete your authorization architecture.
>>>>> Implement Authress <https://bit.ly/37SSO1p>.
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>> --
>>>>> Jim Manico
>>>>> Manicode Security
>>>>> https://www.manicode.com
>>>>>
>

--000000000000412f5d05abaf31d3
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">I have a draft from a coworker that defines a cookie respo=
nse mode and cookie bearer token usage. It&#39;s something we&#39;ve consid=
ered bringing to the working group but haven&#39;t actually proposed yet. I=
s this the kind of thing you&#39;re talking about?<div><br></div><div><a hr=
ef=3D"https://github.com/jaredhanson/draft-oauth-cookie-response-mode/blob/=
master/spec.txt">https://github.com/jaredhanson/draft-oauth-cookie-response=
-mode/blob/master/spec.txt</a></div><div><br></div><div>This looks like a g=
ood starting point and I am happy to work with Jared on refining this.</div=
><br clear=3D"all"><div><div dir=3D"ltr" class=3D"gmail_signature" data-sma=
rtmail=3D"gmail_signature"><div dir=3D"ltr"><div>---</div>Aaron Parecki<div=
><a href=3D"https://aaronparecki.com" target=3D"_blank">https://aaronpareck=
i.com</a></div><div><a href=3D"https://oauth2simplified.com" target=3D"_bla=
nk">https://oauth2simplified.com</a>=C2=A0</div></div></div></div></div><br=
><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, J=
ul 30, 2020 at 1:55 PM Dick Hardt &lt;<a href=3D"mailto:dick.hardt@gmail.co=
m">dick.hardt@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_=
quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,=
204);padding-left:1ex"><div dir=3D"ltr">I hear you Jim, but it is not so mu=
ch rules, as expectations and expediency.<div><br></div><div>There may be s=
ignificant debate on how to do the=C2=A0feature. You would not want to hold=
 up the OAuth 2.1 document for that would you? There are other documents al=
ready in flight -- which=C2=A0other ones should OAuth 2.1 wait for?</div><d=
iv><br></div><div>Reducing the &quot;20 standards&quot; to one document was=
 the goal of OAuth 2.1.</div><div><br></div><div>Having said that, if membe=
rs=C2=A0of the working group want to get working on this feature, and if it=
 is completed quickly, it could be referenced or included in OAuth 2.1 depe=
nding on the relative timing.</div><div><br></div><div>/Dick</div><div><br>=
</div><div><br></div><div><br></div><div><br></div></div><div hspace=3D"str=
eak-pt-mark" style=3D"max-height:1px"><img alt=3D"" style=3D"width: 0px; ma=
x-height: 0px; overflow: hidden;" src=3D"https://mailfoogae.appspot.com/t?s=
ender=3DaZGljay5oYXJkdEBnbWFpbC5jb20%3D&amp;type=3Dzerocontent&amp;guid=3D7=
4a66050-6caf-430d-8971-975249d52d34"><font color=3D"#ffffff" size=3D"1">=E1=
=90=A7</font></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D=
"gmail_attr">On Thu, Jul 30, 2020 at 1:47 PM Jim Manico &lt;<a href=3D"mail=
to:jim@manicode.com" target=3D"_blank">jim@manicode.com</a>&gt; wrote:<br><=
/div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bo=
rder-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"auto">I =
politely encourage the rules to be bent and to integrate this basic but fun=
damental security control into the core standard.<div><br></div><div>This i=
s just basic security; we want as much basic security in the core of any st=
andard. Dev=E2=80=99s now need to read 20 standards to get OAuth2 basics...=
 and that=E2=80=99s a barrier to entry.<br><div><br><div dir=3D"ltr"><div>-=
-</div><div>Jim Manico</div><div>@Manicode</div></div><div dir=3D"ltr"><br>=
<blockquote type=3D"cite">On Jul 30, 2020, at 3:21 PM, Dick Hardt &lt;<a hr=
ef=3D"mailto:dick.hardt@gmail.com" target=3D"_blank">dick.hardt@gmail.com</=
a>&gt; wrote:<br><br></blockquote></div><blockquote type=3D"cite"><div dir=
=3D"ltr">=EF=BB=BF<div dir=3D"ltr">One of the constraints of the OAuth 2.1 =
document that aligned the WG was it would have no new features.<div><br></d=
iv><div>I&#39;d recommend a separate document for the cookie bearer token f=
eature.=C2=A0</div><div><br></div></div><div hspace=3D"streak-pt-mark" styl=
e=3D"max-height:1px"><img alt=3D"" style=3D"width: 0px; max-height: 0px; ov=
erflow: hidden;" src=3D"https://mailfoogae.appspot.com/t?sender=3DaZGljay5o=
YXJkdEBnbWFpbC5jb20%3D&amp;type=3Dzerocontent&amp;guid=3Dee16f487-78bd-4e93=
-bbee-b0a804d876c8"><font color=3D"#ffffff" size=3D"1">=E1=90=A7</font></di=
v><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On T=
hu, Jul 30, 2020 at 12:15 PM Jim Manico &lt;<a href=3D"mailto:jim@manicode.=
com" target=3D"_blank">jim@manicode.com</a>&gt; wrote:<br></div><blockquote=
 class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px so=
lid rgb(204,204,204);padding-left:1ex"><div dir=3D"auto"><div>Yea to cookie=
 configuration suggestions!</div><div><br></div>I suggest SameSite=3DLAX at=
 least, which is actually the default behavior in chrome if you do not set =
the samesite value. LAX will not break links that originate from emails, ST=
RICT will.<div><br></div><div>Point being is that CSRF defense is easy. XSS=
 defense is brutally hard in apps with complex UI=E2=80=99s!</div><div><br>=
<div dir=3D"ltr"><div>--</div><div>Jim Manico</div><div>@Manicode</div><div=
><br></div></div><div dir=3D"ltr"><br><blockquote type=3D"cite">On Jul 30, =
2020, at 1:13 PM, Warren Parad &lt;<a href=3D"mailto:wparad@rhosys.ch" targ=
et=3D"_blank">wparad@rhosys.ch</a>&gt; wrote:<br><br></blockquote></div><bl=
ockquote type=3D"cite"><div dir=3D"ltr">=EF=BB=BF<div dir=3D"ltr"><blockquo=
te class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">Cookie storage of tokens does leav=
e one open to CSRF attacks so it&#39;s certainly a trade-off. But CSRF is m=
uch easier to defense against that XSS and cookies are a better choice if t=
he specific risk of having tokens stolen via XSS matters to your threat mod=
el.</blockquote><div><br></div><div>I would assume if we included cookie la=
nguage, it would explicitly specify=C2=A0<b>Secure; HttpOnly; SameSite=3DSt=
rict</b>=C2=A0as the recommendation, and then neither XSS nor CSRF should b=
e a problem (right?)</div><div><br></div><div><br></div><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex">OAuth 2.1 isn&#39;t supposed to add new fe=
atures that don&#39;t already exist, but this sounds like a good candidate =
to develop as an OAuth extension.</blockquote><div><br></div><div>Is this r=
eally a <i>new feature</i>=C2=A0though?</div><div><br></div><div>Okay, I&#3=
9;ll submit that RFC 6749 does state the cookie wouldn&#39;t be created by =
the AS.</div><div><blockquote style=3D"margin:0px 0px 0px 0.8ex;border-left=
:1px solid rgb(204,204,204);padding-left:1ex" class=3D"gmail_quote"><a name=
=3D"m_-75717544638860195_m_-5955436864801291632_m_-6849924263776531690_sect=
ion-5.1" href=3D"https://tools.ietf.org/html/rfc6749#section-5.1" style=3D"=
color:black;text-decoration-line:none" target=3D"_blank">5.1.=C2=A0 Success=
ful Response</a><a name=3D"m_-75717544638860195_m_-5955436864801291632_m_-6=
849924263776531690_section-5.1" href=3D"https://tools.ietf.org/html/rfc6749=
#section-5.1" style=3D"color:black;text-decoration-line:none" target=3D"_bl=
ank"><br></a><a name=3D"m_-75717544638860195_m_-5955436864801291632_m_-6849=
924263776531690_section-5.1" href=3D"https://tools.ietf.org/html/rfc6749#se=
ction-5.1" style=3D"color:black;text-decoration-line:none" target=3D"_blank=
">=C2=A0 =C2=A0The authorization server issues an access token and optional=
 refresh<br></a><a name=3D"m_-75717544638860195_m_-5955436864801291632_m_-6=
849924263776531690_section-5.1" href=3D"https://tools.ietf.org/html/rfc6749=
#section-5.1" style=3D"color:black;text-decoration-line:none" target=3D"_bl=
ank">=C2=A0 =C2=A0token, and constructs the response by <b>adding the follo=
wing parameters<br></b></a><a name=3D"m_-75717544638860195_m_-5955436864801=
291632_m_-6849924263776531690_section-5.1" href=3D"https://tools.ietf.org/h=
tml/rfc6749#section-5.1" style=3D"color:black;text-decoration-line:none" ta=
rget=3D"_blank"><b>=C2=A0 =C2=A0to the entity-body of the HTTP response</b>=
 with a 200 (OK) status code:</a></blockquote><div>=C2=A0</div></div><div>H=
owever that wouldn&#39;t prevent a client using the password grant (I know =
I said a bad word) or authorization code flow from creating the cookie to c=
ontain that. Specifically</div><blockquote class=3D"gmail_quote" style=3D"m=
argin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left=
:1ex">7.=C2=A0 Accessing Protected Resources<br>=C2=A0 =C2=A0The client acc=
esses protected resources by presenting the access<br>=C2=A0 =C2=A0token to=
 the resource server.=C2=A0 The resource server MUST validate the<br>=C2=A0=
 =C2=A0access token and ensure that it has not expired and that its scope<b=
r>=C2=A0 =C2=A0covers the requested resource. =C2=A0<b>The methods used by =
the resource<br>=C2=A0 =C2=A0server to validate the access token (as well a=
s any error responses)<br>=C2=A0 =C2=A0are beyond the scope of this specifi=
cation but generally involve an<br>=C2=A0 =C2=A0interaction or coordination=
 between the resource server and the<br>=C2=A0 =C2=A0authorization server</=
b>.<br>=C2=A0 =C2=A0The method in which the client utilizes the access toke=
n to<br>=C2=A0 =C2=A0authenticate with the resource server depends on the t=
ype of access<br>=C2=A0 =C2=A0token issued by the authorization server. <b>=
=C2=A0Typically, it involves<br>=C2=A0 =C2=A0using the HTTP &quot;Authoriza=
tion&quot; request header</b> field [RFC2617] with an<br>=C2=A0 =C2=A0authe=
ntication scheme defined by the specification of the access<br>=C2=A0 =C2=
=A0token type used, such as [RFC6750].</blockquote><div><br></div><div>So t=
hat&#39;s definitely some gray area. Although perhaps I&#39;m missing a rel=
evant section. If we are going to go so far to detail a list of possible RS=
 bearer token possible locations (i.e. Header and Body), to what I assume i=
s to implicitly say <i>Don&#39;t use a query parameter</i>. It also suggest=
s=C2=A0<i>Don&#39;t use a cookie at all</i>, even=C2=A0with<i> SameSite=3DS=
trict</i>. Although maybe that is the point.</div><div><br></div><div>For m=
y reference, what makes a <i>new feature</i>=C2=A0and what makes <i>an OAut=
h extension?</i></div><div><br></div><div><div><div dir=3D"ltr"><div dir=3D=
"ltr"><table style=3D"border:none;border-collapse:collapse"><colgroup><col =
width=3D"214"><col width=3D"110"></colgroup><tbody><tr style=3D"height:0pt"=
><td style=3D"border-width:1pt;border-style:solid;border-color:rgb(255,255,=
255) rgb(204,204,204) rgb(255,255,255) rgb(255,255,255);vertical-align:top;=
padding:5pt;overflow:hidden"><p dir=3D"ltr" style=3D"line-height:1.2;border=
-width:1pt;border-style:solid;border-color:rgb(255,255,255);margin-top:0pt;=
margin-bottom:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rg=
b(0,0,0);background-color:transparent;vertical-align:baseline;white-space:p=
re-wrap"><span style=3D"border:none;display:inline-block;overflow:hidden;wi=
dth:199px;height:34px"><img src=3D"https://lh6.googleusercontent.com/DNiDx1=
QGIrSqMPKDN1oKevxYuyVRXsqhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBhaZJg1=
BO45YOc1xs6r9KJ1fYsNHogY-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA" width=3D"199" heigh=
t=3D"34" style=3D"margin-left: 0px; margin-top: 0px;"></span></span></p></t=
d><td style=3D"border-width:1pt;border-style:solid;border-color:rgb(255,255=
,255) rgb(255,255,255) rgb(255,255,255) rgb(204,204,204);vertical-align:top=
;padding:5pt;overflow:hidden"><p dir=3D"ltr" style=3D"line-height:1.2;borde=
r-left:1pt solid rgb(255,255,255);border-right:1pt solid rgb(255,255,255);b=
order-top:1pt solid rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><spa=
n style=3D"font-size:11pt;font-family:Lato,sans-serif;background-color:tran=
sparent;font-weight:700;vertical-align:baseline;white-space:pre-wrap">Warre=
n Parad</span></p><p dir=3D"ltr" style=3D"line-height:1.2;border-left:1pt s=
olid rgb(255,255,255);border-right:1pt solid rgb(255,255,255);border-bottom=
:1pt solid rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><font face=3D=
"Lato, sans-serif"><span style=3D"font-size:13.3333px;white-space:pre-wrap"=
>Founder, CTO</span></font></p></td></tr></tbody></table><span style=3D"fon=
t-size:x-small">Secure your user data and complete your authorization archi=
tecture. Implement=C2=A0</span><a href=3D"https://bit.ly/37SSO1p" style=3D"=
font-size:x-small" target=3D"_blank">Authress</a><span style=3D"font-size:x=
-small">.</span><br></div></div></div><br></div></div><br><div class=3D"gma=
il_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, Jul 30, 2020 at 6:4=
6 PM Aaron Parecki &lt;<a href=3D"mailto:aaron@parecki.com" target=3D"_blan=
k">aaron@parecki.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quo=
te" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204=
);padding-left:1ex"><div dir=3D"ltr">I haven&#39;t seen any OAuth drafts th=
at talk about sending OAuth access tokens in HTTP cookies. OAuth 2.1 isn&#3=
9;t supposed to add new features that don&#39;t already exist, but this sou=
nds like a good candidate to develop as an OAuth extension.<div><br></div><=
div><div dir=3D"ltr"><div dir=3D"ltr"><div>---</div>Aaron Parecki<div><a hr=
ef=3D"https://aaronparecki.com" target=3D"_blank">https://aaronparecki.com<=
/a></div><div><a href=3D"https://oauth2simplified.com" target=3D"_blank">ht=
tps://oauth2simplified.com</a>=C2=A0</div></div></div></div></div><br><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, Jul 30,=
 2020 at 9:35 AM Jim Manico &lt;<a href=3D"mailto:jim@manicode.com" target=
=3D"_blank">jim@manicode.com</a>&gt; wrote:<br></div><blockquote class=3D"g=
mail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204=
,204,204);padding-left:1ex">
 =20
   =20
 =20
  <div>
    <p>In a browser, HTTPOnly cookies are the <b>only</b> location
      where an access (or other) token can be stored in a way where it <b>c=
annot
        be stolen from XSS</b>.</p>
    <p>It&#39;s a very strong place to store tokens from a security point o=
f
      view.</p>
    <p>Cookie storage of tokens does leave one open to CSRF attacks so
      it&#39;s certainly a trade-off. But CSRF is much easier to defend
      against than XSS and cookies are a better choice if the specific
      risk of having tokens stolen via XSS matters to your threat model.</p=
>
    <p>- Jim<br>
    </p>
    <div>On 7/30/20 11:43 AM, Warren Parad
      wrote:<br>
    </div>
    <blockquote type=3D"cite">
     =20
      <div dir=3D"ltr">
        <div><a href=3D"https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.ht=
ml#name-bearer-tokens" target=3D"_blank">https://www.ietf.org/id/draft-ietf=
-oauth-v2-1-00.html#name-bearer-tokens</a><br>
        </div>
        <div><br>
        </div>
        <div>It seems recently more and more=C2=A0common to pass the
          access_token to some RS via a cookie, yet 7.2.1 says it
          defines two methods. I think we need some=C2=A0<a href=3D"https:/=
/www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119" target=3D"_blank=
">RFC2119</a>=C2=A0keywords
          here, to suggest that either SHOULD use one of these two, or
          MUST. And then optionally state whether or not we recommend or
          reject the use of cookies as a place for access tokens. It&#39;s
          also possible that the language threw me off, because would an
          access token in a cookie be a bearer token, but no matter, if
          I&#39;m having this thought, then surely others have it as well,
          right?<br>
        </div>
        <div><br>
        </div>
        <div>
          <div><div>&lt;image.png&gt;</div><br>
          </div>
        </div>
        <br clear=3D"all">
        <div>
          <div dir=3D"ltr">
            <div dir=3D"ltr">
              <table style=3D"border:none;border-collapse:collapse">
                <colgroup><col width=3D"214"><col width=3D"110"></colgroup>=
<tbody>
                  <tr style=3D"height:0pt">
                    <td style=3D"border-width:1pt;border-style:solid;border=
-color:rgb(255,255,255) rgb(204,204,204) rgb(255,255,255) rgb(255,255,255);=
vertical-align:top;padding:5pt;overflow:hidden">
                      <p dir=3D"ltr" style=3D"line-height:1.2;border-width:=
1pt;border-style:solid;border-color:rgb(255,255,255);margin-top:0pt;margin-=
bottom:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0=
);background-color:transparent;vertical-align:baseline;white-space:pre-wrap=
"><span style=3D"border:none;display:inline-block;overflow:hidden;width:199=
px;height:34px"><img src=3D"https://lh6.googleusercontent.com/DNiDx1QGIrSqM=
PKDN1oKevxYuyVRXsqhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBhaZJg1BO45YOc=
1xs6r9KJ1fYsNHogY-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA" style=3D"margin-left: 0px;=
 margin-top: 0px;" width=3D"199" height=3D"34"></span></span></p>
                    </td>
                    <td style=3D"border-width:1pt;border-style:solid;border=
-color:rgb(255,255,255) rgb(255,255,255) rgb(255,255,255) rgb(204,204,204);=
vertical-align:top;padding:5pt;overflow:hidden">
                      <p dir=3D"ltr" style=3D"line-height:1.2;border-left:1=
pt solid rgb(255,255,255);border-right:1pt solid rgb(255,255,255);border-to=
p:1pt solid rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><span style=
=3D"font-size:11pt;font-family:Lato,sans-serif;background-color:transparent=
;font-weight:700;vertical-align:baseline;white-space:pre-wrap">Warren Parad=
</span></p>
                      <p dir=3D"ltr" style=3D"line-height:1.2;border-left:1=
pt solid rgb(255,255,255);border-right:1pt solid rgb(255,255,255);border-bo=
ttom:1pt solid rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><font fac=
e=3D"Lato, sans-serif"><span style=3D"font-size:13.3333px;white-space:pre-w=
rap">Founder, CTO</span></font></p>
                    </td>
                  </tr>
                </tbody>
              </table>
              <span style=3D"font-size:x-small">Secure your user data and
                complete your authorization architecture. Implement=C2=A0</=
span><a href=3D"https://bit.ly/37SSO1p" style=3D"font-size:x-small" target=
=3D"_blank">Authress</a><span style=3D"font-size:x-small">.</span><br>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <pre>_______________________________________________
OAuth mailing list
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">h=
ttps://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <pre cols=3D"72">--=20
Jim Manico
Manicode Security
<a href=3D"https://www.manicode.com" target=3D"_blank">https://www.manicode=
.com</a></pre>
  </div>

_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div>
</blockquote></div>
</div></blockquote></div></div>____________________________________________=
___<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div>
</div></blockquote></div></div></div></blockquote></div>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div>

--000000000000412f5d05abaf31d3--
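
The cookie attributes debated in the message above (HttpOnly against XSS token theft, SameSite=Lax versus SameSite=Strict against CSRF), as an added example that is not part of any message in this thread or of any OAuth draft. Function names, the cookie names and the token values are hypothetical, and the SameSite model is a simplification that covers only the three request kinds shown.

```javascript
// Added example: audit a Set-Cookie header that carries an access token and
// model when a browser attaches that cookie under each SameSite mode.
// All cookie names and values used with these functions are constructed samples.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so they are lower-cased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts[0];
  const eq = first ? first.indexOf('=') : -1;
  if (eq < 1) throw new Error('malformed cookie pair: ' + header);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: first.slice(0, eq), value: first.slice(eq + 1), attrs };
}

// Report which of the protections named in the thread are missing.
function auditTokenCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) {
    findings.push('missing HttpOnly: page script, and so XSS, can read the token');
  }
  if (!attrs.secure) {
    findings.push('missing Secure: the token is also sent over plain HTTP');
  }
  const sameSite =
    typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) {
    findings.push('no SameSite: CSRF exposure depends on the browser default');
  } else if (sameSite === 'none') {
    findings.push('SameSite=None: cookie rides on cross-site requests, add a CSRF defence');
  } else if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('unrecognised SameSite value: ' + attrs.samesite);
  }
  return { name, sameSite, findings };
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Would a browser attach the cookie to this request?
// req = { crossSite: boolean, topLevelNavigation: boolean, method: string }
function cookieAttached(sameSite, req) {
  if (!req.crossSite) return true; // same-site requests always carry it
  switch (sameSite) {
    case 'strict':
      return false; // never on cross-site requests, including followed links
    case 'lax':
      // only cross-site top-level navigations that use a safe method
      return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
    case 'none':
      return true;
    default:
      throw new Error('unknown SameSite mode: ' + sameSite);
  }
}

// Three constructed cross-site request kinds relevant to the trade-off.
const SCENARIOS = {
  emailLink: { crossSite: true, topLevelNavigation: true, method: 'GET' },
  crossSiteFormPost: { crossSite: true, topLevelNavigation: true, method: 'POST' },
  crossSiteSubresource: { crossSite: true, topLevelNavigation: false, method: 'GET' },
};

// For one SameSite mode, list which scenarios would carry the token cookie.
function exposure(sameSite) {
  const out = {};
  for (const [label, req] of Object.entries(SCENARIOS)) {
    out[label] = cookieAttached(sameSite, req);
  }
  return out;
}
```

With Lax the followed e-mail link still arrives with the cookie, so a resource server that accepts cookie-borne tokens must not let GET requests change state.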


From nobody Thu Jul 30 15:09:46 2020
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00B283A0BD4 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 15:09:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level: 
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3EVEaMLZNYH8 for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 15:09:42 -0700 (PDT)
Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 029EF3A044E for <oauth@ietf.org>; Thu, 30 Jul 2020 15:09:41 -0700 (PDT)
Received: by mail-qt1-x832.google.com with SMTP id v22so15676650qtq.8 for <oauth@ietf.org>; Thu, 30 Jul 2020 15:09:41 -0700 (PDT)
X-Received: by 2002:aed:27d5:: with SMTP id m21mr897094qtg.4.1596146980198; Thu, 30 Jul 2020 15:09:40 -0700 (PDT)
Received: from heembo.fios-router.home (pool-71-126-184-140.washdc.east.verizon.net. [71.126.184.140]) by smtp.googlemail.com with ESMTPSA id k25sm5823806qtp.72.2020.07.30.15.09.38 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 30 Jul 2020 15:09:39 -0700 (PDT)
To: Aaron Parecki <aaron@parecki.com>, Dick Hardt <dick.hardt@gmail.com>
Cc: oauth <oauth@ietf.org>
References: <CAD9ie-uUeX2fKxz=Cn0ea2vcec-rEsGvjTRsYJgCcVrqQf8H3A@mail.gmail.com> <1842CB01-E0DE-4121-AFAF-B3BE749E55F0@manicode.com> <CAD9ie-uYefVfBv_aNu2jnsu3q=uv8=Dir-nLKGEbaPH37hhnmw@mail.gmail.com> <CAGBSGjoXd-0WKCQoniwoRBBjOn-jfRBZMke=97B9LtNYu4wTjg@mail.gmail.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <361274fb-f514-bb2a-6865-d8e4def69929@manicode.com>
Date: Thu, 30 Jul 2020 18:09:38 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <CAGBSGjoXd-0WKCQoniwoRBBjOn-jfRBZMke=97B9LtNYu4wTjg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------A12CDFF1DA18548CFA7C69D2"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xTj48saTTzSfTqEYE9iySL3ONrY>
Subject: Re: [OAUTH-WG] Clarifying Bearer token usage OAuth 2.1 draft-ietf-oauth-v2-1-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 22:09:45 -0000

This is a multi-part message in MIME format.
--------------A12CDFF1DA18548CFA7C69D2
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Two thumbs up!

I would rather delay and get it right. Good things come to those who wait.

But; I am the least experienced standard author or advisor. I am an 
idealist and am ok stating my opinion and moving on so others with more 
experience in this area can make the decisions.

Aloha.

- Jim Manico

On 7/30/20 5:16 PM, Aaron Parecki wrote:
> I have a draft from a coworker that defines a cookie response mode and 
> cookie bearer token usage. It's something we've considered bringing to 
> the working group but haven't actually proposed yet. Is this the kind 
> of thing you're talking about?
>
> https://github.com/jaredhanson/draft-oauth-cookie-response-mode/blob/master/spec.txt
>
> This looks like a good starting point and I am happy to work with 
> Jared on refining this.
>
> ---
> Aaron Parecki
> https://aaronparecki.com
> https://oauth2simplified.com
>
> On Thu, Jul 30, 2020 at 1:55 PM Dick Hardt <dick.hardt@gmail.com 
> <mailto:dick.hardt@gmail.com>> wrote:
>
>     I hear you Jim, but it is not so much rules, as expectations and
>     expediency.
>
>     There may be significant debate on how to do the feature. You
>     would not want to hold up the OAuth 2.1 document for that would
>     you? There are other documents already in flight -- which other
>     ones should OAuth 2.1 wait for?
>
>     Reducing the "20 standards" to one document was the goal of OAuth 2.1.
>
>     Having said that, if members of the working group want to get
>     working on this feature, and if it is completed quickly, it could
>     be referenced or included in OAuth 2.1 depending on the relative
>     timing.
>
>     /Dick
>
>
>     On Thu, Jul 30, 2020 at 1:47 PM Jim Manico <jim@manicode.com
>     <mailto:jim@manicode.com>> wrote:
>
>         I politely encourage the rules to be bent and to integrate
>         this basic but fundamental security control into the core
>         standard.
>
>         This is just basic security; we want as much basic security in
>         the core of any standard. Dev’s now need to read 20 standards
>         to get OAuth2 basics... and that’s a barrier to entry.
>
>         --
>         Jim Manico
>         @Manicode
>
>>         On Jul 30, 2020, at 3:21 PM, Dick Hardt <dick.hardt@gmail.com
>>         <mailto:dick.hardt@gmail.com>> wrote:
>>
>>         One of the constraints of the OAuth 2.1 document that aligned
>>         the WG was it would have no new features.
>>
>>         I'd recommend a separate document for the cookie bearer token
>>         feature.
>>
>>         On Thu, Jul 30, 2020 at 12:15 PM Jim Manico <jim@manicode.com
>>         <mailto:jim@manicode.com>> wrote:
>>
>>             Yea to cookie configuration suggestions!
>>
>>             I suggest SameSite=LAX at least, which is actually the
>>             default behavior in chrome if you do not set the samesite
>>             value. LAX will not break links that originate from
>>             emails, STRICT will.
>>
>>             Point being is that CSRF defense is easy. XSS defense is
>>             brutally hard in apps with complex UI’s!
>>
>>             --
>>             Jim Manico
>>             @Manicode
>>
>>
>>>             On Jul 30, 2020, at 1:13 PM, Warren Parad
>>>             <wparad@rhosys.ch <mailto:wparad@rhosys.ch>> wrote:
>>>
>>>                 Cookie storage of tokens does leave one open to CSRF
>>>                 attacks so it's certainly a trade-off. But CSRF is
>>>                 much easier to defend against than XSS and cookies
>>>                 are a better choice if the specific risk of having
>>>                 tokens stolen via XSS matters to your threat model.
>>>
>>>
>>>             I would assume if we included cookie language, it would
>>>             explicitly specify *Secure; HttpOnly;
>>>             SameSite=Strict* as the recommendation, and then neither
>>>             XSS nor CSRF should be a problem (right?)
>>>
>>>
>>>                 OAuth 2.1 isn't supposed to add new features that
>>>                 don't already exist, but this sounds like a good
>>>                 candidate to develop as an OAuth extension.
>>>
>>>
>>>             Is this really a /new feature/ though?
>>>
>>>             Okay, I'll submit that RFC 6749 does state the cookie
>>>             wouldn't be created by the AS.
>>>
>>>                 5.1. Successful Response
>>>                 <https://tools.ietf.org/html/rfc6749#section-5.1>
>>>                    The authorization server issues an access token and optional refresh
>>>                    token, and constructs the response by *adding the following parameters
>>>                    to the entity-body of the HTTP response* with a 200 (OK) status code:
>>>
>>>             However that wouldn't prevent a client using the
>>>             password grant (I know I said a bad word) or
>>>             authorization code flow from creating the cookie to
>>>             contain that. Specifically
>>>
>>>                 7. Accessing Protected Resources
>>>                    The client accesses protected resources by presenting the access
>>>                    token to the resource server.  The resource server MUST validate the
>>>                    access token and ensure that it has not expired and that its scope
>>>                    covers the requested resource. *The methods used by the resource
>>>                    server to validate the access token (as well as any error responses)
>>>                    are beyond the scope of this specification but generally involve an
>>>                    interaction or coordination between the resource server and the
>>>                    authorization server*.
>>>                    The method in which the client utilizes the access token to
>>>                    authenticate with the resource server depends on the type of access
>>>                    token issued by the authorization server. *Typically, it involves
>>>                    using the HTTP "Authorization" request header* field [RFC2617] with an
>>>                    authentication scheme defined by the specification of the access
>>>                    token type used, such as [RFC6750].
>>>
>>>
>>>             So that's definitely some gray area. Although perhaps
>>>             I'm missing a relevant section. If we are going to go so
>>>             far to detail a list of possible RS bearer token
>>>             possible locations (i.e. Header and Body), to what I
>>>             assume is to implicitly say /Don't use a query
>>>             parameter/. It also suggests /Don't use a cookie at
>>>             all/, even with /SameSite=Strict/. Although maybe that is
>>>             the point.
>>>
>>>             For my reference, what makes a /new feature/ and what
>>>             makes /an OAuth extension?/
>>>
>>>             	
>>>
>>>             Warren Parad
>>>
>>>             Founder, CTO
>>>
>>>             Secure your user data and complete your authorization
>>>             architecture. Implement Authress <https://bit.ly/37SSO1p>.
>>>
>>>
>>>             On Thu, Jul 30, 2020 at 6:46 PM Aaron Parecki
>>>             <aaron@parecki.com <mailto:aaron@parecki.com>> wrote:
>>>
>>>                 I haven't seen any OAuth drafts that talk about
>>>                 sending OAuth access tokens in HTTP cookies. OAuth
>>>                 2.1 isn't supposed to add new features that don't
>>>                 already exist, but this sounds like a good candidate
>>>                 to develop as an OAuth extension.
>>>
>>>                 ---
>>>                 Aaron Parecki
>>>                 https://aaronparecki.com
>>>                 https://oauth2simplified.com
>>>
>>>                 On Thu, Jul 30, 2020 at 9:35 AM Jim Manico
>>>                 <jim@manicode.com <mailto:jim@manicode.com>> wrote:
>>>
>>>                     In a browser, HTTPOnly cookies are the *only*
>>>                     location where an access (or other) token can be
>>>                     stored in a way where it *cannot be stolen from
>>>                     XSS*.
>>>
>>>                     It's a very strong place to store tokens from a
>>>                     security point of view.
>>>
>>>                     Cookie storage of tokens does leave one open to
>>>                     CSRF attacks so it's certainly a trade-off. But
>>>                     CSRF is much easier to defend against than XSS
>>>                     and cookies are a better choice if the specific
>>>                     risk of having tokens stolen via XSS matters to
>>>                     your threat model.
>>>
>>>                     - Jim
>>>
>>>                     On 7/30/20 11:43 AM, Warren Parad wrote:
>>>>                     https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens
>>>>
>>>>                     It seems recently more and more common to pass
>>>>                     the access_token to some RS via a cookie, yet
>>>>                     7.2.1 says it defines two methods. I think we
>>>>                     need some RFC2119
>>>>                     <https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119> keywords
>>>>                     here, to suggest that either SHOULD use one of
>>>>                     these two, or MUST. And then optionally state
>>>>                     whether or not we recommend or reject the use
>>>>                     of cookies as a place for access tokens. It's
>>>>                     also possible that the language threw me off,
>>>>                     because would an access token in a cookie be a
>>>>                     bearer token, but no matter, if I'm having this
>>>>                     thought, then surely others have it as well, right?
>>>>
>>>>                     <image.png>
>>>>
>>>>
>>>>                     	
>>>>
>>>>                     Warren Parad
>>>>
>>>>                     Founder, CTO
>>>>
>>>>                     Secure your user data and complete your
>>>>                     authorization architecture. Implement Authress
>>>>                     <https://bit.ly/37SSO1p>.
>>>>
>>>>                     _______________________________________________
>>>>                     OAuth mailing list
>>>>                     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>>                     https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>                     -- 
>>>                     Jim Manico
>>>                     Manicode Security
>>>                     https://www.manicode.com  <https://www.manicode.com>
>>>
>
-- 
Jim Manico
Manicode Security
https://www.manicode.com


--------------A12CDFF1DA18548CFA7C69D2
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Two thumbs up!</p>
    <p>I would rather delay and get it right. Good things come to those
      who wait.</p>
    <p>But; I am the least experienced standard author or advisor. I am
      an idealist and am ok stating my opinion and moving on so others
      with more experience in this area can make the decisions.</p>
    <p>Aloha.</p>
    <p>- Jim Manico<br>
    </p>
    <div class="moz-cite-prefix">On 7/30/20 5:16 PM, Aaron Parecki
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAGBSGjoXd-0WKCQoniwoRBBjOn-jfRBZMke=97B9LtNYu4wTjg@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">I have a draft from a coworker that defines a
        cookie response mode and cookie bearer token usage. It's
        something we've considered bringing to the working group but
        haven't actually proposed yet. Is this the kind of thing you're
        talking about?
        <div><br>
        </div>
        <div><a
href="https://github.com/jaredhanson/draft-oauth-cookie-response-mode/blob/master/spec.txt"
            moz-do-not-send="true">https://github.com/jaredhanson/draft-oauth-cookie-response-mode/blob/master/spec.txt</a></div>
        <div><br>
        </div>
        <div>This looks like a good starting point and I am happy to
          work with Jared on refining this.</div>
        <br clear="all">
        <div>
          <div dir="ltr" class="gmail_signature"
            data-smartmail="gmail_signature">
            <div dir="ltr">
              <div>---</div>
              Aaron Parecki
              <div><a href="https://aaronparecki.com" target="_blank"
                  moz-do-not-send="true">https://aaronparecki.com</a></div>
              <div><a href="https://oauth2simplified.com"
                  target="_blank" moz-do-not-send="true">https://oauth2simplified.com</a> </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Thu, Jul 30, 2020 at 1:55
          PM Dick Hardt &lt;<a href="mailto:dick.hardt@gmail.com"
            moz-do-not-send="true">dick.hardt@gmail.com</a>&gt; wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div dir="ltr">I hear you Jim, but it is not so much rules, as
            expectations and expediency.
            <div><br>
            </div>
            <div>There may be significant debate on how to do
              the feature. You would not want to hold up the OAuth 2.1
              document for that would you? There are other documents
              already in flight -- which other ones should OAuth 2.1
              wait for?</div>
            <div><br>
            </div>
            <div>Reducing the "20 standards" to one document was the
              goal of OAuth 2.1.</div>
            <div><br>
            </div>
            <div>Having said that, if members of the working group want
              to get working on this feature, and if it is completed
              quickly, it could be referenced or included in OAuth 2.1
              depending on the relative timing.</div>
            <div><br>
            </div>
            <div>/Dick</div>
            <div><br>
            </div>
            <div><br>
            </div>
            <div><br>
            </div>
            <div><br>
            </div>
          </div>
          <br>
          <div class="gmail_quote">
            <div dir="ltr" class="gmail_attr">On Thu, Jul 30, 2020 at
              1:47 PM Jim Manico &lt;<a href="mailto:jim@manicode.com"
                target="_blank" moz-do-not-send="true">jim@manicode.com</a>&gt;
              wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div dir="auto">I politely encourage the rules to be bent
                and to integrate this basic but fundamental security
                control into the core standard.
                <div><br>
                </div>
                <div>This is just basic security; we want as much basic
                  security in the core of any standard. Devs now need
                  to read 20 standards to get OAuth2 basics... and
                  that’s a barrier to entry.<br>
                  <div><br>
                    <div dir="ltr">
                      <div>--</div>
                      <div>Jim Manico</div>
                      <div>@Manicode</div>
                    </div>
                    <div dir="ltr"><br>
                      <blockquote type="cite">On Jul 30, 2020, at 3:21
                        PM, Dick Hardt &lt;<a
                          href="mailto:dick.hardt@gmail.com"
                          target="_blank" moz-do-not-send="true">dick.hardt@gmail.com</a>&gt;
                        wrote:<br>
                        <br>
                      </blockquote>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div dir="ltr">One of the constraints of the
                          OAuth 2.1 document that aligned the WG was it
                          would have no new features.
                          <div><br>
                          </div>
                          <div>I'd recommend a separate document for the
                            cookie bearer token feature. </div>
                          <div><br>
                          </div>
                        </div>
                        <br>
                        <div class="gmail_quote">
                          <div dir="ltr" class="gmail_attr">On Thu, Jul
                            30, 2020 at 12:15 PM Jim Manico &lt;<a
                              href="mailto:jim@manicode.com"
                              target="_blank" moz-do-not-send="true">jim@manicode.com</a>&gt;
                            wrote:<br>
                          </div>
                          <blockquote class="gmail_quote"
                            style="margin:0px 0px 0px
                            0.8ex;border-left:1px solid
                            rgb(204,204,204);padding-left:1ex">
                            <div dir="auto">
                              <div>Yea to cookie configuration
                                suggestions!</div>
                              <div><br>
                              </div>
                              I suggest SameSite=LAX at least, which is
                              actually the default behavior in Chrome if
                              you do not set the samesite value. LAX
                              will not break links that originate from
                              emails, STRICT will.
                              <div><br>
                              </div>
                              <div>Point being that CSRF defense is
                                easy. XSS defense is brutally hard in
                                apps with complex UIs!</div>
                              <div><br>
                                <div dir="ltr">
                                  <div>--</div>
                                  <div>Jim Manico</div>
                                  <div>@Manicode</div>
                                  <div><br>
                                  </div>
                                </div>
                                <div dir="ltr"><br>
                                  <blockquote type="cite">On Jul 30,
                                    2020, at 1:13 PM, Warren Parad &lt;<a
                                      href="mailto:wparad@rhosys.ch"
                                      target="_blank"
                                      moz-do-not-send="true">wparad@rhosys.ch</a>&gt;
                                    wrote:<br>
                                    <br>
                                  </blockquote>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr">
                                    <div dir="ltr">
                                      <blockquote class="gmail_quote"
                                        style="margin:0px 0px 0px
                                        0.8ex;border-left:1px solid
                                        rgb(204,204,204);padding-left:1ex">Cookie
                                        storage of tokens does leave one
                                        open to CSRF attacks so it's
                                        certainly a trade-off. But CSRF
                                        is much easier to defend
                                        against than XSS and cookies are
                                        a better choice if the specific
                                        risk of having tokens stolen via
                                        XSS matters to your threat
                                        model.</blockquote>
                                      <div><br>
                                      </div>
                                      <div>I would assume if we included
                                        cookie language, it would
                                        explicitly specify <b>Secure;
                                          HttpOnly; SameSite=Strict</b> as
                                        the recommendation, and then
                                        neither XSS nor CSRF should be a
                                        problem (right?)</div>
                                      <div><br>
                                      </div>
                                      <div><br>
                                      </div>
                                      <blockquote class="gmail_quote"
                                        style="margin:0px 0px 0px
                                        0.8ex;border-left:1px solid
                                        rgb(204,204,204);padding-left:1ex">OAuth
                                        2.1 isn't supposed to add new
                                        features that don't already
                                        exist, but this sounds like a
                                        good candidate to develop as an
                                        OAuth extension.</blockquote>
                                      <div><br>
                                      </div>
                                      <div>Is this really a <i>new
                                          feature</i> though?</div>
                                      <div><br>
                                      </div>
                                      <div>Okay, I'll submit that RFC
                                        6749 does state the cookie
                                        wouldn't be created by the AS.</div>
                                      <div>
                                        <blockquote style="margin:0px
                                          0px 0px 0.8ex;border-left:1px
                                          solid
                                          rgb(204,204,204);padding-left:1ex"
                                          class="gmail_quote"><a
name="m_-75717544638860195_m_-5955436864801291632_m_-6849924263776531690_section-5.1"
href="https://tools.ietf.org/html/rfc6749#section-5.1"
                                            style="color:black;text-decoration-line:none"
                                            target="_blank"
                                            moz-do-not-send="true">5.1. 
                                            Successful Response</a><a
name="m_-75717544638860195_m_-5955436864801291632_m_-6849924263776531690_section-5.1"
href="https://tools.ietf.org/html/rfc6749#section-5.1"
                                            style="color:black;text-decoration-line:none"
                                            target="_blank"
                                            moz-do-not-send="true"><br>
                                          </a><a
name="m_-75717544638860195_m_-5955436864801291632_m_-6849924263776531690_section-5.1"
href="https://tools.ietf.org/html/rfc6749#section-5.1"
                                            style="color:black;text-decoration-line:none"
                                            target="_blank"
                                            moz-do-not-send="true"> 
                                             The authorization server
                                            issues an access token and
                                            optional refresh<br>
                                          </a><a
name="m_-75717544638860195_m_-5955436864801291632_m_-6849924263776531690_section-5.1"
href="https://tools.ietf.org/html/rfc6749#section-5.1"
                                            style="color:black;text-decoration-line:none"
                                            target="_blank"
                                            moz-do-not-send="true"> 
                                             token, and constructs the
                                            response by <b>adding the
                                              following parameters<br>
                                            </b></a><a
name="m_-75717544638860195_m_-5955436864801291632_m_-6849924263776531690_section-5.1"
href="https://tools.ietf.org/html/rfc6749#section-5.1"
                                            style="color:black;text-decoration-line:none"
                                            target="_blank"
                                            moz-do-not-send="true"><b> 
                                               to the entity-body of the
                                              HTTP response</b> with a
                                            200 (OK) status code:</a></blockquote>
                                        <div> </div>
                                      </div>
                                      <div>However that wouldn't prevent
                                        a client using the password
                                        grant (I know I said a bad word)
                                        or authorization code flow from
                                        creating the cookie to contain
                                        that. Specifically</div>
                                      <blockquote class="gmail_quote"
                                        style="margin:0px 0px 0px
                                        0.8ex;border-left:1px solid
                                        rgb(204,204,204);padding-left:1ex">7. 
                                        Accessing Protected Resources<br>
                                           The client accesses protected
                                        resources by presenting the
                                        access<br>
                                           token to the resource
                                        server.  The resource server
                                        MUST validate the<br>
                                           access token and ensure that
                                        it has not expired and that its
                                        scope<br>
                                           covers the requested
                                        resource.  <b>The methods used
                                          by the resource<br>
                                             server to validate the
                                          access token (as well as any
                                          error responses)<br>
                                             are beyond the scope of
                                          this specification but
                                          generally involve an<br>
                                             interaction or coordination
                                          between the resource server
                                          and the<br>
                                             authorization server</b>.<br>
                                           The method in which the
                                        client utilizes the access token
                                        to<br>
                                           authenticate with the
                                        resource server depends on the
                                        type of access<br>
                                           token issued by the
                                        authorization server. <b> Typically,
                                          it involves<br>
                                             using the HTTP
                                          "Authorization" request header</b>
                                        field [RFC2617] with an<br>
                                           authentication scheme defined
                                        by the specification of the
                                        access<br>
                                           token type used, such as
                                        [RFC6750].</blockquote>
                                      <div><br>
                                      </div>
                                      <div>So that's definitely some
                                        gray area. Although perhaps I'm
                                        missing a relevant section. If
                                        we are going to go so far to
                                        detail a list of possible RS
                                        bearer token possible locations
                                        (i.e. Header and Body), to what
                                        I assume is to implicitly say <i>Don't
                                          use a query parameter</i>. It
                                        also suggests <i>Don't use a
                                          cookie at all</i>, even with<i>
                                          SameSite=Strict</i>. Although
                                        maybe that is the point.</div>
                                      <div><br>
                                      </div>
                                      <div>For my reference, what makes
                                        a <i>new feature</i> and what
                                        makes <i>an OAuth extension?</i></div>
                                      <div><br>
                                      </div>
                                      <div>
                                        <div>
                                          <div dir="ltr">
                                            <div dir="ltr">
                                              <table
                                                style="border:none;border-collapse:collapse">
                                                <colgroup><col
                                                    width="214"><col
                                                    width="110"></colgroup><tbody>
                                                  <tr style="height:0pt">
                                                    <td
                                                      style="border-width:1pt;border-style:solid;border-color:rgb(255,255,255)
                                                      rgb(204,204,204)
                                                      rgb(255,255,255)
                                                      rgb(255,255,255);vertical-align:top;padding:5pt;overflow:hidden">
                                                      <p dir="ltr"
style="line-height:1.2;border-width:1pt;border-style:solid;border-color:rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span style="border:none;display:inline-block;overflow:hidden;width:199px;height:34px"><img src="https://lh6.googleusercontent.com/DNiDx1QGIrSqMPKDN1oKevxYuyVRXsqhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBhaZJg1BO45YOc1xs6r9KJ1fYsNHogY-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA" style="margin-left: 0px; margin-top: 0px;" moz-do-not-send="true" width="199" height="34"></span></span></p>
                                                    </td>
                                                    <td
                                                      style="border-width:1pt;border-style:solid;border-color:rgb(255,255,255)
                                                      rgb(255,255,255)
                                                      rgb(255,255,255)
                                                      rgb(204,204,204);vertical-align:top;padding:5pt;overflow:hidden">
                                                      <p dir="ltr"
                                                        style="line-height:1.2;border-left:1pt
                                                        solid
                                                        rgb(255,255,255);border-right:1pt
                                                        solid
                                                        rgb(255,255,255);border-top:1pt
                                                        solid
                                                        rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Lato,sans-serif;background-color:transparent;font-weight:700;vertical-align:baseline;white-space:pre-wrap">Warren Parad</span></p>
                                                      <p dir="ltr"
                                                        style="line-height:1.2;border-left:1pt
                                                        solid
                                                        rgb(255,255,255);border-right:1pt
                                                        solid
                                                        rgb(255,255,255);border-bottom:1pt
                                                        solid
                                                        rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><font
                                                          face="Lato,
                                                          sans-serif"><span style="font-size:13.3333px;white-space:pre-wrap">Founder, CTO</span></font></p>
                                                    </td>
                                                  </tr>
                                                </tbody>
                                              </table>
                                              <span
                                                style="font-size:x-small">Secure
                                                your user data and
                                                complete your
                                                authorization
                                                architecture. Implement </span><a
href="https://bit.ly/37SSO1p" style="font-size:x-small" target="_blank"
                                                moz-do-not-send="true">Authress</a><span
style="font-size:x-small">.</span><br>
                                            </div>
                                          </div>
                                        </div>
                                        <br>
                                      </div>
                                    </div>
                                    <br>
                                    <div class="gmail_quote">
                                      <div dir="ltr" class="gmail_attr">On
                                        Thu, Jul 30, 2020 at 6:46 PM
                                        Aaron Parecki &lt;<a
                                          href="mailto:aaron@parecki.com"
                                          target="_blank"
                                          moz-do-not-send="true">aaron@parecki.com</a>&gt;
                                        wrote:<br>
                                      </div>
                                      <blockquote class="gmail_quote"
                                        style="margin:0px 0px 0px
                                        0.8ex;border-left:1px solid
                                        rgb(204,204,204);padding-left:1ex">
                                        <div dir="ltr">I haven't seen
                                          any OAuth drafts that talk
                                          about sending OAuth access
                                          tokens in HTTP cookies. OAuth
                                          2.1 isn't supposed to add new
                                          features that don't already
                                          exist, but this sounds like a
                                          good candidate to develop as
                                          an OAuth extension.
                                          <div><br>
                                          </div>
                                          <div>
                                            <div dir="ltr">
                                              <div dir="ltr">
                                                <div>---</div>
                                                Aaron Parecki
                                                <div><a
                                                    href="https://aaronparecki.com"
                                                    target="_blank"
                                                    moz-do-not-send="true">https://aaronparecki.com</a></div>
                                                <div><a
                                                    href="https://oauth2simplified.com"
                                                    target="_blank"
                                                    moz-do-not-send="true">https://oauth2simplified.com</a> </div>
                                              </div>
                                            </div>
                                          </div>
                                        </div>
                                        <br>
                                        <div class="gmail_quote">
                                          <div dir="ltr"
                                            class="gmail_attr">On Thu,
                                            Jul 30, 2020 at 9:35 AM Jim
                                            Manico &lt;<a
                                              href="mailto:jim@manicode.com"
                                              target="_blank"
                                              moz-do-not-send="true">jim@manicode.com</a>&gt;
                                            wrote:<br>
                                          </div>
                                          <blockquote
                                            class="gmail_quote"
                                            style="margin:0px 0px 0px
                                            0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
                                            <div>
                                              <p>In a browser, HTTPOnly
                                                cookies are the <b>only</b>
                                                location where an access
                                                (or other) token can be
                                                stored in a way where it
                                                <b>cannot be stolen from
                                                  XSS</b>.</p>
                                              <p>It's a very strong
                                                place to store tokens
                                                from a security point of
                                                view.</p>
                                              <p>Cookie storage of
                                                tokens does leave one
                                                open to CSRF attacks so
                                                it's certainly a
                                                trade-off. But CSRF is
                                                much easier to defend
                                                against than XSS and
                                                cookies are a better
                                                choice if the specific
                                                risk of having tokens
                                                stolen via XSS matters
                                                to your threat model.</p>
                                              <p>- Jim<br>
                                              </p>
                                              <div>On 7/30/20 11:43 AM,
                                                Warren Parad wrote:<br>
                                              </div>
                                              <blockquote type="cite">
                                                <div dir="ltr">
                                                  <div><a
href="https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens"
                                                      target="_blank"
                                                      moz-do-not-send="true">https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens</a><br>
                                                  </div>
                                                  <div><br>
                                                  </div>
                                                  <div>It seems recently
                                                    more and more common
                                                    to pass the
                                                    access_token to some
                                                    RS via a cookie, yet
                                                    7.2.1 says it
                                                    defines two methods.
                                                    I think we need
                                                    some <a
                                                      href="https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119"
                                                      target="_blank"
                                                      moz-do-not-send="true">RFC2119</a> keywords
                                                    here, to suggest
                                                    that either SHOULD
                                                    use one of these
                                                    two, or MUST. And
                                                    then optionally
                                                    state whether or not
                                                    we recommend or
                                                    reject the use of
                                                    cookies as a place
                                                    for access tokens.
                                                    It's also possible
                                                    that the language
                                                    threw me off,
                                                    because would an
                                                    access token in a
                                                    cookie be a bearer
                                                    token, but no
                                                    matter, if I'm
                                                    having this thought,
                                                    then surely others
                                                    have it as well,
                                                    right?<br>
                                                  </div>
                                                  <div><br>
                                                  </div>
                                                  <div>
                                                    <div>
                                                      <div>&lt;image.png&gt;</div>
                                                      <br>
                                                    </div>
                                                  </div>
                                                  <br clear="all">
                                                  <div>
                                                    <div dir="ltr">
                                                      <div dir="ltr">
                                                        <table
                                                          style="border:none;border-collapse:collapse">
                                                          <colgroup><col
                                                          width="214"><col
                                                          width="110"></colgroup><tbody>
                                                          <tr
                                                          style="height:0pt">
                                                          <td
                                                          style="border-width:1pt;border-style:solid;border-color:rgb(255,255,255)
rgb(204,204,204) rgb(255,255,255)
                                                          rgb(255,255,255);vertical-align:top;padding:5pt;overflow:hidden">
                                                          <p dir="ltr"
style="line-height:1.2;border-width:1pt;border-style:solid;border-color:rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span style="border:none;display:inline-block;overflow:hidden;width:199px;height:34px"><img src="https://lh6.googleusercontent.com/DNiDx1QGIrSqMPKDN1oKevxYuyVRXsqhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBhaZJg1BO45YOc1xs6r9KJ1fYsNHogY-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA" style="margin-left: 0px; margin-top: 0px;" moz-do-not-send="true" width="199" height="34"></span></span></p>
                                                          </td>
                                                          <td
                                                          style="border-width:1pt;border-style:solid;border-color:rgb(255,255,255)
rgb(255,255,255) rgb(255,255,255)
                                                          rgb(204,204,204);vertical-align:top;padding:5pt;overflow:hidden">
                                                          <p dir="ltr"
                                                          style="line-height:1.2;border-left:1pt
                                                          solid
                                                          rgb(255,255,255);border-right:1pt
                                                          solid
                                                          rgb(255,255,255);border-top:1pt
                                                          solid
                                                          rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Lato,sans-serif;background-color:transparent;font-weight:700;vertical-align:baseline;white-space:pre-wrap">Warren Parad</span></p>
                                                          <p dir="ltr"
                                                          style="line-height:1.2;border-left:1pt
                                                          solid
                                                          rgb(255,255,255);border-right:1pt
                                                          solid
                                                          rgb(255,255,255);border-bottom:1pt
                                                          solid
                                                          rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><font
                                                          face="Lato,
                                                          sans-serif"><span style="font-size:13.3333px;white-space:pre-wrap">Founder, CTO</span></font></p>
                                                          </td>
                                                          </tr>
                                                          </tbody>
                                                        </table>
                                                        <span
                                                          style="font-size:x-small">Secure
                                                          your user data
                                                          and complete
                                                          your
                                                          authorization
                                                          architecture.
                                                          Implement </span><a
href="https://bit.ly/37SSO1p" style="font-size:x-small" target="_blank"
moz-do-not-send="true">Authress</a><span style="font-size:x-small">.</span><br>
                                                      </div>
                                                    </div>
                                                  </div>
                                                </div>
                                                <br>
                                                <fieldset></fieldset>
                                                <pre>_______________________________________________
OAuth mailing list
<a href="mailto:OAuth@ietf.org" target="_blank" moz-do-not-send="true">OAuth@ietf.org</a>
<a href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank" moz-do-not-send="true">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                                              </blockquote>
                                              <pre cols="72">-- 
Jim Manico
Manicode Security
<a href="https://www.manicode.com" target="_blank" moz-do-not-send="true">https://www.manicode.com</a></pre>
                                            </div>
                                          </blockquote>
                                        </div>
                                      </blockquote>
                                    </div>
                                  </div>
                                </blockquote>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Jim Manico
Manicode Security
<a class="moz-txt-link-freetext" href="https://www.manicode.com">https://www.manicode.com</a></pre>
  </body>
</html>

--------------A12CDFF1DA18548CFA7C69D2--


From nobody Fri Jul 31 06:12:32 2020
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 773793A09DD; Fri, 31 Jul 2020 06:12:30 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.12.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: oauth@ietf.org
Message-ID: <159620115034.32558.6249632084531225541@ietfa.amsl.com>
Date: Fri, 31 Jul 2020 06:12:30 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eLsVNFclGgRYnVPJGcDcL0FmCy8>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2020 13:12:31 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : OAuth 2.0 Pushed Authorization Requests
        Authors         : Torsten Lodderstedt
                          Brian Campbell
                          Nat Sakimura
                          Dave Tonge
                          Filip Skokan
        Filename        : draft-ietf-oauth-par-03.txt
        Pages           : 19
        Date            : 2020-07-31

Abstract:
   This document defines the pushed authorization request endpoint,
   which allows clients to push the payload of an OAuth 2.0
   authorization request to the authorization server via a direct
   request and provides them with a request URI that is used as
   reference to the data in a subsequent authorization request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-par/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-par-03
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-03


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



From nobody Fri Jul 31 08:30:18 2020
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB4163A05A7 for <oauth@ietfa.amsl.com>; Fri, 31 Jul 2020 08:30:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JNoKiEXJdboO for <oauth@ietfa.amsl.com>; Fri, 31 Jul 2020 08:30:14 -0700 (PDT)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C523F3A0529 for <oauth@ietf.org>; Fri, 31 Jul 2020 08:30:13 -0700 (PDT)
Received: by mail-lj1-x235.google.com with SMTP id r19so32784268ljn.12 for <oauth@ietf.org>; Fri, 31 Jul 2020 08:30:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=6DmTOQs2icyFrrO+cNp9s1FPQV9NU06v+fWtcpaygic=; b=FMsfWHnTGxxkpM4dnz1vpFnWKfYsL/oac3WeLOUNKlrolFuKMvHV0n7g1OyeC5qjVK uF7B0n3iy6P6hnc6fUvPG1B9MvHNdG8zYBc55Ym/fNcHV/A4P6YkLMwN+OrBfPsExq8u cqddyI8WJDfciOx5MyCjdIwHjcjsEXHG0fyujpV6FGNzYFH/88+Hx1PQz+vffxTWpadZ tBgfG5249Wed9owJ0EvgqMLra6fLchj7FpDANodLVpcMQ0IksOFIMty6i2+DhwLsqMem 87IhAN4TMVnHP2GlRzvZIgQLVL5PuFPjsL6liKW2Zqg/+Ra38j1gFBfGtVmawPosI9hn EXig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=6DmTOQs2icyFrrO+cNp9s1FPQV9NU06v+fWtcpaygic=; b=RcjBrJXaOCtzQZPq+klKrSnc2AobnEpbkjruDSwbwAb/hTHxJF+FQecWlvxYxK3KKp 0Owu8MaAHfoGbOn4VeW1HrH0+njeJPJyyj/4YgWAVtP2wOLh/vUsqKw+Sw25p2KIpQBb eP1kl7Sc4Mze4iKORfmD1iXQMk+L35St6yw5rHnCB3iNY15YMS+Kv2vTfGBE0vxmWPdM 6v6oL4PJDYGsOedk+NHbgSQx+H05GHFtBjz5IIosfBJnRYAMiu6hwNZeA1A1KtD9xf+8 ZnKK55/crKl80E3ukVx/XjbMVoKnGStyu4J1WBuRLhxIj55RJldy1s7K3vf+f8SdADNk KIYQ==
X-Gm-Message-State: AOAM530xqbqxmOW0SutJBZGJgplSRMsesm7FNDvnsJPy7hCxHC8MFf+X 8UNQVKzIkmxYoJd0T2EQndC2rEmmnUn8uhRaBOpLVsskvuv+gE29TPU2WwmHzZ3bXkhiCGrBdEZ R5CPkIWLGPDQqfC0GFVw=
X-Google-Smtp-Source: ABdhPJyD/Vszbyifv7x0VI1WsQ+NJ7Tc869GX/kaH4ksWy32jV4aFQiA0lDvOqLfNZE68y+/jlibAy7skHzfJ+mAwh4=
X-Received: by 2002:a05:651c:d0:: with SMTP id 16mr1880219ljr.313.1596209411148;  Fri, 31 Jul 2020 08:30:11 -0700 (PDT)
MIME-Version: 1.0
References: <159620115034.32558.6249632084531225541@ietfa.amsl.com>
In-Reply-To: <159620115034.32558.6249632084531225541@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 31 Jul 2020 09:29:44 -0600
Message-ID: <CA+k3eCS6N_a+Xjs+AB6dFWJXGy0OhUSK-oxBhrxDAdni-gsZGw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f06fd205abbe7655"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zCCbbKCNQ0MTQHGdgR_TmgIcG6U>
Subject: [OAUTH-WG] Fwd:  I-D Action: draft-ietf-oauth-par-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2020 15:30:16 -0000

--000000000000f06fd205abbe7655
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

WG,

On behalf of my multinational cohort of esteemed co-authors, I published
PAR -03 this morning (MDT) wanting to get a new draft out with some lead
time before the Aug 10 interim
<https://datatracker.ietf.org/meeting/interim-2020-oauth-11/session/oauth>
where PAR will be the topic du jour. The changes are summarized below,
which mostly consist of clarifications and various fixups to the text. The
"bits on the wire" protocol seems to be stable at this point, so we got
that going for us, which is nice.

 -03

   *  Editorial updates
   *  Mention that https is required for the PAR endpoint
   *  Add some discussion of browser form posting an authz request vs.
      the benefits of PAR for any application
   *  Added text about motivations behind PAR - integrity,
      confidentiality and early client auth
   *  Better explain one-time use recommendation of the request_uri
   *  Drop the section on special error responses for request objects
   *  Clarify authorization request examples to say that the client
      directs the user-agent to make the HTTP GET request (vs. making
      the request itself)

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Fri, Jul 31, 2020 at 7:12 AM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-03.txt
To: <i-d-announce@ietf.org>
Cc: <oauth@ietf.org>



A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : OAuth 2.0 Pushed Authorization Requests
        Authors         : Torsten Lodderstedt
                          Brian Campbell
                          Nat Sakimura
                          Dave Tonge
                          Filip Skokan
        Filename        : draft-ietf-oauth-par-03.txt
        Pages           : 19
        Date            : 2020-07-31

Abstract:
   This document defines the pushed authorization request endpoint,
   which allows clients to push the payload of an OAuth 2.0
   authorization request to the authorization server via a direct
   request and provides them with a request URI that is used as
   reference to the data in a subsequent authorization request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-par/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-par-03
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-03


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--000000000000f06fd205abbe7655--
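
The flow in the abstract above, combined with the one-time use recommendation for the request_uri listed in the -03 changes, sketched as an added example (not code from the draft or its authors): an in-memory authorization-server store that issues a request_uri for a pushed request and redeems it at most once. The `urn:example:par:` prefix, the 60-second lifetime, the class and method names, the client-binding check and the sample client identifiers are assumptions of this sketch.

```python
import secrets
import time

# Constructed values for this sketch; none of them come from the draft.
REQUEST_URI_PREFIX = "urn:example:par:"  # hypothetical URN namespace
DEFAULT_LIFETIME = 60                    # seconds, assumed short lifetime


class RequestUriError(Exception):
    """Raised when a request_uri cannot be redeemed."""


class PushedRequestStore:
    """In-memory store of pushed authorization requests at the AS."""

    def __init__(self, lifetime=DEFAULT_LIFETIME, clock=time.time):
        self._lifetime = lifetime
        self._clock = clock
        self._pending = {}  # request_uri -> (client_id, params, expires_at)

    def push(self, client_id, params):
        """Store the payload pushed by an already authenticated client."""
        # 256 bits from the CSPRNG so the reference cannot be guessed.
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        expires_at = self._clock() + self._lifetime
        self._pending[request_uri] = (client_id, dict(params), expires_at)
        return {"request_uri": request_uri, "expires_in": self._lifetime}

    def redeem(self, client_id, request_uri):
        """Resolve a request_uri at the authorization endpoint, once."""
        entry = self._pending.get(request_uri)
        if entry is None:
            raise RequestUriError("unknown or already used")
        owner, params, expires_at = entry
        if self._clock() >= expires_at:
            del self._pending[request_uri]
            raise RequestUriError("expired")
        if owner != client_id:
            # Assumed policy: a mismatch does not consume the reference.
            raise RequestUriError("issued to a different client")
        del self._pending[request_uri]  # one-time use: a replay now fails
        return params


def demo():
    """Run the flow on constructed sample data and return each outcome."""
    now = [1000.0]
    store = PushedRequestStore(clock=lambda: now[0])
    pushed = {"response_type": "code", "scope": "read",
              "redirect_uri": "https://client.example.org/cb"}
    outcomes = []
    uri = store.push("client-a", pushed)["request_uri"]
    for client in ("client-b", "client-a", "client-a"):
        try:
            store.redeem(client, uri)
            outcomes.append("ok")
        except RequestUriError as exc:
            outcomes.append(str(exc))
    stale = store.push("client-a", pushed)["request_uri"]
    now[0] += DEFAULT_LIFETIME + 1
    try:
        store.redeem("client-a", stale)
        outcomes.append("ok")
    except RequestUriError as exc:
        outcomes.append(str(exc))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

A production store would also need locking or an atomic delete so that two concurrent redemptions of the same request_uri cannot both succeed.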


From nobody Fri Jul 31 16:01:00 2020
Return-Path: <fpo@adorsys.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9F663A07C2 for <oauth@ietfa.amsl.com>; Fri, 31 Jul 2020 16:00:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adorsys.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BOiElfOH_-Qo for <oauth@ietfa.amsl.com>; Fri, 31 Jul 2020 16:00:57 -0700 (PDT)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A13363A07BF for <oauth@ietf.org>; Fri, 31 Jul 2020 16:00:56 -0700 (PDT)
Received: by mail-wm1-x32c.google.com with SMTP id q76so9336012wme.4 for <oauth@ietf.org>; Fri, 31 Jul 2020 16:00:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adorsys.de; s=google;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to;  bh=vLKmJwZUuNKi3tSjsFqxPOBOa5tLf41jb9+jFZmPJ4s=; b=SAMS2BgMEwiwmNux/2etInIS5i/pusvXjGH60ScFRIkNI0Vk0SUtUY+9xPcfHVNHok 9C8/JceFvnaV86BXjPacOGjijwHOCDQTF5UdGVjknkv8z4VLLsxvuRq38JUCdVgjd7Y8 8RnyO6VsdMplgQwxo6EWmos0tM3Byff3n79b4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=vLKmJwZUuNKi3tSjsFqxPOBOa5tLf41jb9+jFZmPJ4s=; b=qKvjppPKvgvXoEU6sHBSpAhDYWvcK1Sh/b5qTSsbDJP1y1Q3hTUn1RJ9rUi8sq/28g jEmHUARGxjChTZ2XjH9HQjVc3o+TwoeSBFP17O+jfAV8vcs9n4z9GmIE+gXyO2bL5YhW d60aVIEr9fVn2sRPya9FBmSzXOBaqo2OTmZazdbJufhtu6kKIH9WsLmvopoUWReM/m44 URSSko95B3a+9hLMhbJkf+X7WDGpKXmwdlGzKWYb5YLSDXt+E4bFEnYYC8/VrOJjHJsV cJ4XClJ9PWSIXgSQfaL+tccU+Yoid+vO1ZJ+sOiJdYBTzNWmnRq0i4jkhG3gH8BU2neF w+cw==
X-Gm-Message-State: AOAM531WbG8l/lmEFTIwq3Jjj9wd4Di9Yfbq/3F3BGfsPZdGrCcswusz udtSdWbJmxx/+E1EHqmEaq7te+B8+nh9AeLMYGIg3EVylAk=
X-Google-Smtp-Source: ABdhPJw38XCM8xQJ6mhAHHjD1pT5wkbbloW8/gyz5ygQmcQvUxLdDHHS8HEvqf+h3QYEdqtGWIQY0zYSijkrCRZBak8=
X-Received: by 2002:a1c:2bc1:: with SMTP id r184mr5915481wmr.133.1596236454523;  Fri, 31 Jul 2020 16:00:54 -0700 (PDT)
MIME-Version: 1.0
References: <159620115034.32558.6249632084531225541@ietfa.amsl.com>
In-Reply-To: <159620115034.32558.6249632084531225541@ietfa.amsl.com>
From: Francis Pouatcha <fpo@adorsys.de>
Date: Fri, 31 Jul 2020 19:00:43 -0400
Message-ID: <CAOW4vyO5v_b5_3QOKfhXupwbTk19GrpCitKfbGnff_NwYAs_+A@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d98a9b05abc4c2a7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CrbL69yhc-2oadjFpVe8V16Tp3k>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2020 23:00:59 -0000

--000000000000d98a9b05abc4c2a7
Content-Type: text/plain; charset="UTF-8"

Below is the only remark I found from reviewing the draft:

2.1.  Request:

requires the parameters "code_challenge" and "code_challenge_method" but
https://openid.net/specs/openid-financial-api-part-2-ID2.html#confidential-client
mentions
that RFC7636 is not required for confidential clients. I guess those two
parameters have to be taken off the mandatory list and pushed to the list
below.

- Using jwsreq, non-repudiation is provided as the request is signed (jws).
This section also mentions that the request can be sent as form url
encoded (x-www-form-urlencoded). In this case, there is no way to provide
non-repudiation unless we mention that the request can be signed by the client
using signature methods declared by the AS (AS metadata).

Best regards
/Francis


On Fri, Jul 31, 2020 at 9:12 AM <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>         Title           : OAuth 2.0 Pushed Authorization Requests
>         Authors         : Torsten Lodderstedt
>                           Brian Campbell
>                           Nat Sakimura
>                           Dave Tonge
>                           Filip Skokan
>         Filename        : draft-ietf-oauth-par-03.txt
>         Pages           : 19
>         Date            : 2020-07-31
>
> Abstract:
>    This document defines the pushed authorization request endpoint,
>    which allows clients to push the payload of an OAuth 2.0
>    authorization request to the authorization server via a direct
>    request and provides them with a request URI that is used as
>    reference to the data in a subsequent authorization request.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-par/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-par-03
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-03
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/

--000000000000d98a9b05abc4c2a7--

