
From nobody Tue Mar  1 09:18:15 2022
Message-ID: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de>
Date: Tue, 1 Mar 2022 18:18:02 +0100
To: oauth <oauth@ietf.org>
From: Daniel Fett <fett@danielfett.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/h9_Ki1UYT8sS0xKqGrzWI6yHaNA>
Subject: [OAUTH-WG] OAuth: The frustrating lack of good libraries

Hi all,

While helping clients to onboard into the yes ecosystem, in my 
consulting work, and in discussions with developers implementing OAuth 
2.0, one topic comes up increasingly often: The (somewhat frustrating) 
lack of good, modern, and universal OAuth libraries.


Many of the libraries out there have one or more of the following drawbacks:


  * They are not maintained any longer

  * They are not well documented (e.g., it is often unclear which 
specifications are supported)

  * They support only a subset of the OAuth 2.0 specification

  * They work only with selected providers (e.g., Google, Facebook, etc.)

  * It is unclear whether they follow recent security recommendations

  * They do not support modern features, such as PKCE, AS Metadata, 
MTLS, etc.


Exceptions exist, of course, like Filip's Node.js implementation and the 
nimbus library for Java. But apart from those rare cases, when a 
developer asks me what library to use, my answer is often: "I don't 
think there's a good one in your language". It is a telltale sign that 
many providers of OAuth protected APIs also provide a custom OAuth 
implementation in their SDKs, which they then often have to maintain for 
a number of languages. This creates unnecessary costs and friction, 
e.g., when introducing new security features.


At the same time, practically every language/framework comes with a TLS 
stack and making HTTPS requests is often just a few lines of code. Why 
aren't we there yet with OAuth? I'm well aware that OAuth 2.0 is a 
framework, not a single protocol like TLS, but the mentioned libraries 
show that this does not preclude comprehensive library support.


If I had to speculate about the reasons for this mess, I'd say that 
there are three:


  * The core of OAuth is easy to implement. The need to create or use a 
library might not be obvious to developers. Of course, if you want a 
proper implementation with correct error handling, observing all the 
security recommendations, etc., the effort is huge. But just getting 
OAuth to work for one specific use case is relatively easy.


  * OAuth is traditionally hard to configure: authorization and token 
endpoint URLs, client id and secret, supported scopes (and claims for 
OIDC), supported response types and modes, and required security 
features are just some of the things a developer has to figure out - 
often from the API's documentation - to get everything up and running. 
Even though configuration is not the same as implementation, I imagine 
that this complexity can lead to the perception that there are barely 
any commonalities between different OAuth flows. There might be no 
value, after all, in an OAuth library, if I have to provide so many 
details myself.


  * With many extensions and specifications to choose from, it can be 
hard to select a reasonable subset to support.


What can we do about this?


I'm not sure, but I have a few ideas.


  * Of course, one step would be to increase visibility and 
documentation for existing implementations: Beyond listing libraries 
(like the list on oauth.net), it would be great to have a place to go 
to find libraries based on their feature support. I'm sure there are 
more good libraries out there.

  * The OpenID Foundation has a great set of conformance tests for OIDC, 
FAPI and other stuff. Creating conformance tests for OAuth would be 
harder, given that the framework leaves many options for implementers to 
choose from. I’m not sure if running a conformance programme would be in 
the scope of IETF, but it can be worthwhile to think about if we could 
support such an endeavor.

  * The single most important thing to do would, in my opinion, be to 
set a goal: Tell library developers and language maintainers what can be 
expected from a good, modern, and universal OAuth library. Such a 
recommendation would shine a light on the most important extensions for 
OAuth like PKCE and might even be a prerequisite for conformance tests. 
It may turn out to be OAuth 2.1 or something else. For me, this would in 
any case include AS Metadata, as that is the single most valuable 
building block we have to address configuration complexity.


I would be interested to hear what others think about this. Is this a 
problem worth addressing? Are there other solutions? Is this out of 
scope of our work here?


-Daniel

-- 
https://danielfett.de
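The configuration problem described in the message above, and the AS Metadata and PKCE support it asks of a library, in working code. This is an added example written for this page; it is not code from the message, from the yes ecosystem or from any of the libraries named, and it uses only Go's standard library. The client discovers the authorization server's metadata under the configured issuer (RFC 8414), applies the issuer comparison that specification requires, and builds a PKCE-protected authorization request only if the server advertises S256. The client id, redirect URI, scope and the in-process metadata server are constructed for the example; a real deployment talks to a real AS over https.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ASMetadata is the subset of RFC 8414 Authorization Server Metadata this client uses.
type ASMetadata struct {
	Issuer                        string   `json:"issuer"`
	AuthorizationEndpoint         string   `json:"authorization_endpoint"`
	TokenEndpoint                 string   `json:"token_endpoint"`
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
}

// Discover fetches the metadata document under the configured issuer and applies the RFC 8414
// check that its "issuer" equals the configured one, so a document for some other AS is rejected.
func Discover(c *http.Client, issuer string) (*ASMetadata, error) {
	resp, err := c.Get(strings.TrimRight(issuer, "/") + "/.well-known/oauth-authorization-server")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var md ASMetadata
	if err := json.NewDecoder(resp.Body).Decode(&md); err != nil {
		return nil, err
	}
	if md.Issuer != issuer {
		return nil, errors.New("issuer mismatch: configured " + issuer + ", document says " + md.Issuer)
	}
	return &md, nil
}

// RandomToken returns 32 random bytes as 43 base64url characters, usable as a PKCE code_verifier or a state value.
func RandomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// S256Challenge derives the PKCE code_challenge from a code_verifier (RFC 7636).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyS256 is the authorization server's side of PKCE at the token endpoint.
func VerifyS256(verifier, challenge string) bool {
	return subtle.ConstantTimeCompare([]byte(S256Challenge(verifier)), []byte(challenge)) == 1
}

// AuthorizationURL builds the front-channel request from discovered metadata. It refuses to
// proceed unless the AS advertises S256, rather than silently sending a request without PKCE.
func AuthorizationURL(md *ASMetadata, clientID, redirectURI, scope, state, challenge string) (string, error) {
	s256 := false
	for _, m := range md.CodeChallengeMethodsSupported {
		s256 = s256 || m == "S256"
	}
	if !s256 {
		return "", errors.New("AS does not advertise PKCE method S256")
	}
	u, err := url.Parse(md.AuthorizationEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	for k, v := range map[string]string{"response_type": "code", "client_id": clientID, "redirect_uri": redirectURI,
		"scope": scope, "state": state, "code_challenge": challenge, "code_challenge_method": "S256"} {
		q.Set(k, v)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// NewFakeAS is a constructed in-process server that publishes metadata and nothing else, so the
// example runs offline; it stands in for a real authorization server (which would use https).
func NewFakeAS() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/.well-known/oauth-authorization-server" {
			http.NotFound(w, r)
			return
		}
		iss := "http://" + r.Host
		json.NewEncoder(w).Encode(ASMetadata{Issuer: iss, AuthorizationEndpoint: iss + "/authorize",
			TokenEndpoint: iss + "/token", CodeChallengeMethodsSupported: []string{"S256"}})
	}))
}
```

Discover, RandomToken, S256Challenge and AuthorizationURL are the client side: start the fake AS with NewFakeAS, call Discover with its URL as the issuer, generate a verifier and a state with RandomToken, and hand S256Challenge(verifier) to AuthorizationURL. VerifyS256 is what the token endpoint does with the code_verifier the client sends back. Skipping the issuer comparison, or quietly omitting the challenge when the metadata does not list S256, are the kind of detail that is easy to lose in a hand-rolled client and hard to audit in an undocumented library.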



From nobody Tue Mar  1 12:38:00 2022
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
Message-ID: <164616707865.18006.12043258080956893282@ietfa.amsl.com>
Date: Tue, 01 Mar 2022 12:37:58 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FgjmNDRjuT0tJXNi-mVaKPsGlrE>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-06.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
        Authors         : Daniel Fett
                          Brian Campbell
                          John Bradley
                          Torsten Lodderstedt
                          Michael Jones
                          David Waite
        Filename        : draft-ietf-oauth-dpop-06.txt
        Pages           : 42
        Date            : 2022-03-01

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-06


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
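The abstract gives only the outline of the mechanism. What follows is an added example written for this page, not code from the draft or from any of its authors' implementations, showing a DPoP proof being produced by a client and checked by a resource server, in Go with only the standard library. It follows the proof structure as I read it from the draft: a JWT with typ dpop+jwt that carries the client's public key in its jwk header, the claims jti, htm, htu, iat and ath, and an access token bound to that key through the key's JWK thumbprint in cnf.jkt. Ed25519 (JWS alg EdDSA) is this example's choice of signature algorithm; the draft permits any asymmetric JWS algorithm. The access token value, request URI, fixed clock and in-memory jti cache are constructed for the example, the draft's server-provided nonce is not implemented, and htu is compared literally rather than with the draft's normalisation rules; check the claim names and required checks against the current draft text.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

type proofHeader struct {
	Typ string            `json:"typ"`
	Alg string            `json:"alg"`
	JWK map[string]string `json:"jwk"` // the client's public key (kty, crv, x for an OKP key)
}

type proofClaims struct {
	JTI string `json:"jti"`           // unique id; the resource server's replay handle
	HTM string `json:"htm"`           // HTTP method of the request the proof covers
	HTU string `json:"htu"`           // URI of that request
	IAT int64  `json:"iat"`           // issue time, seconds since the epoch
	ATH string `json:"ath,omitempty"` // hash of the access token; absent at the token endpoint
}

func NewClientKey() ed25519.PrivateKey {
	_, k, _ := ed25519.GenerateKey(rand.Reader) // the client's EdDSA signing key; rand.Reader does not fail in practice
	return k
}

func PublicJWK(k ed25519.PrivateKey) map[string]string {
	return map[string]string{"kty": "OKP", "crv": "Ed25519", "x": b64.EncodeToString(k.Public().(ed25519.PublicKey))}
}

func sha256b64(b []byte) string {
	h := sha256.Sum256(b)
	return b64.EncodeToString(h[:])
}

// Thumbprint is the RFC 7638 JWK thumbprint the AS places in the token's cnf.jkt. An OKP key's required
// members are exactly crv, kty and x; json.Marshal of a map emits them sorted and without whitespace.
func Thumbprint(jwk map[string]string) string {
	b, _ := json.Marshal(jwk) // extra members (kid, use, ...) would have to be dropped first
	return sha256b64(b)
}

// NewProof signs a DPoP proof for one HTTP request; accessToken is empty at the token endpoint.
func NewProof(k ed25519.PrivateKey, method, uri, accessToken string, now int64) string {
	jti := make([]byte, 16)
	rand.Read(jti) // documented never to return an error as of Go 1.24
	c := proofClaims{JTI: b64.EncodeToString(jti), HTM: method, HTU: uri, IAT: now}
	if accessToken != "" {
		c.ATH = sha256b64([]byte(accessToken))
	}
	h, _ := json.Marshal(proofHeader{Typ: "dpop+jwt", Alg: "EdDSA", JWK: PublicJWK(k)})
	p, _ := json.Marshal(c)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	return input + "." + b64.EncodeToString(ed25519.Sign(k, []byte(input)))
}

// VerifyProof is the resource server's check of a proof against the request it arrived with, the access
// token it accompanies and that token's cnf.jkt. seen is the replay cache of accepted jti values.
func VerifyProof(proof, method, uri, accessToken, expectedJKT string, now int64, seen map[string]bool) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	hb, e1 := b64.DecodeString(parts[0])
	pb, e2 := b64.DecodeString(parts[1])
	sb, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return errors.New("bad base64url encoding")
	}
	h, c := proofHeader{}, proofClaims{}
	if json.Unmarshal(hb, &h) != nil || json.Unmarshal(pb, &c) != nil ||
		h.Typ != "dpop+jwt" || h.Alg != "EdDSA" || h.JWK["kty"] != "OKP" || h.JWK["crv"] != "Ed25519" {
		return errors.New("not an EdDSA dpop+jwt proof with an Ed25519 key")
	}
	pub, _ := b64.DecodeString(h.JWK["x"]) // the signing key comes from the proof; cnf.jkt ties it to the token
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sb) {
		return errors.New("invalid signature")
	}
	switch {
	case c.HTM != method || c.HTU != uri:
		return errors.New("proof is bound to a different request")
	case c.IAT < now-60 || c.IAT > now+60: // 60 s of clock skew tolerated
		return errors.New("proof too old or from the future")
	case c.ATH != sha256b64([]byte(accessToken)):
		return errors.New("ath does not match the presented access token")
	case Thumbprint(h.JWK) != expectedJKT:
		return errors.New("proof key is not the key the token is bound to")
	case seen[c.JTI]:
		return errors.New("replayed jti")
	}
	seen[c.JTI] = true
	return nil
}
```

The client sends the result of NewProof in a DPoP header next to `Authorization: DPoP <token>`; VerifyProof is what the resource server runs before honouring the request, with expectedJKT taken from the token's cnf.jkt (from the token itself or from introspection) and seen persisted for at least the accepted iat window. The order of the checks matters less than the fact that all of them run: a valid signature alone only proves possession of whatever key is in the proof, and it is the thumbprint comparison that proves it is the key the token was issued to.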



From nobody Tue Mar  1 13:14:38 2022
References: <164616707865.18006.12043258080956893282@ietfa.amsl.com>
In-Reply-To: <164616707865.18006.12043258080956893282@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 1 Mar 2022 14:14:04 -0700
Message-ID: <CA+k3eCTWo9ak9REDFuP76wK65of_eDE81362hOHUXTHfMtDm2g@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/40mS36qvigBnzjS5ETyqWzVbsPw>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-06.txt

This -06 revision has a relatively small set of mostly editorial changes
and a (hopefully) better name for the client metadata that was introduced
in -05.


On Tue, Mar 1, 2022 at 1:38 PM <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>         Title           : OAuth 2.0 Demonstrating Proof-of-Possession at
> the Application Layer (DPoP)
>         Authors         : Daniel Fett
>                           Brian Campbell
>                           John Bradley
>                           Torsten Lodderstedt
>                           Michael Jones
>                           David Waite
>         Filename        : draft-ietf-oauth-dpop-06.txt
>         Pages           : 42
>         Date            : 2022-03-01
>
> Abstract:
>    This document describes a mechanism for sender-constraining OAuth 2.0
>    tokens via a proof-of-possession mechanism on the application level.
>    This mechanism allows for the detection of replay attacks with access
>    and refresh tokens.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-06
>
>
> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited. If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._



From nobody Wed Mar  2 05:16:26 2022
Content-Type: multipart/alternative; boundary="------------YKDQ47F0NusCo0DHzH3aSpmL"
Message-ID: <9adf226b-0b13-722d-a28c-493ba84c22a0@aol.com>
Date: Wed, 2 Mar 2022 08:16:01 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.6.0
Content-Language: en-US
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>
References: <8468eaaa-445e-a49d-ba57-7c9b03cae4d4.ref@aol.com> <8468eaaa-445e-a49d-ba57-7c9b03cae4d4@aol.com> <CA+k3eCTn6gBBDyNheiE5p48xc_Hkx8sNtvP0r37+55YnT1DGog@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
In-Reply-To: <CA+k3eCTn6gBBDyNheiE5p48xc_Hkx8sNtvP0r37+55YnT1DGog@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pKEja3Vyu_JlUYQOJdFg3fZsErA>
Subject: Re: [OAUTH-WG] DPoP proof and the public key

This is a multi-part message in MIME format.
--------------YKDQ47F0NusCo0DHzH3aSpmL
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Thanks so much for the detailed explanation, Brian! This makes sense and
I get the simplicity argument. I think my only concern is that bandwidth
used can also affect performance, and since we are talking about proofs
being sent with every request, that can add up to a lot of extra bytes
(which can translate to both cost and latency).

I'd prefer a mode that allows either the full JWK proof OR a key
identifier so that deployments can decide what makes the most sense for
their situation. For deployments where proof validation is decentralized
(or performed locally) the full proof makes a ton of sense. For
deployments where proof validation is centralized, a key identifier
would suffice and significantly reduce the bandwidth consumed when
implementing sender-constrained tokens.

It seems the WG has made a decision and moved on, which is fine with me :)

Thanks,
George

On 2/17/22 4:01 PM, Brian Campbell wrote:
> A fingerprint (or key id) does suffice to identify a key but only
> when the key is already known to the other party. There are some cases
> in DPoP where a key might be known or knowable (like AS interaction by
> a client with jwks/jwks_uri) but many where that's not the case
> (public clients, resource access), at least without introducing other
> mechanisms. Having the public key in every DPoP proof keeps the
> protocol more consistent and avoids conditionality or caveats in the
> content and validation of the proof.
>
> There was some discussion around the interim meeting in March 
> <https://datatracker.ietf.org/meeting/interim-2021-oauth-01/session/oauth> 
> about taking the public key out of the proof for resource access and 
> moving it into the access token (screenshot of the two relevant slides 
> from that meeting included). But there was very little support for 
> making that change.
>
> Screen Shot 2022-02-17 at 1.46.41 PM.png
>
>
> On Thu, Feb 17, 2022 at 6:58 AM George Fletcher 
> <gffletch=40aol.com@dmarc.ietf.org> wrote:
>
>     Hi,
>
>     I'm going to expose my ignorance here... but what is the rationale
>     for requiring the public key in every DPoP proof? Is there a
>     security reason, or is it for ease of development? If large RSA
>     keys are being used, that public key is rather large for sending
>     with every request when even a fingerprint of the key would
>     suffice to identify it.
>
>     From my reading of the spec, there isn't a way for a server that
>     wants to remember the public key in backend session state to
>     optimize the proof.
>
>     Thanks,
>     George
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
>

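The proof structure this thread is discussing, as an added example that is not part of the thread and not code from the draft or from any of the participants (Go, standard library only): a client builds a DPoP proof carrying its public key in the `jwk` header, and a resource server validates the proof with that embedded key, rejects replays via `jti`, and ties the key to the access token by comparing its RFC 7638 thumbprint with the token's `cnf.jkt`. It assumes P-256/ES256 only, a 60-second freshness window chosen here rather than taken from the draft, and a constructed `htu` value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

type ecJWK struct { // the public key as carried in the proof's "jwk" header (P-256 only here)
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}
type proofHeader struct {
	Typ string `json:"typ"`
	Alg string `json:"alg"`
	JWK ecJWK  `json:"jwk"`
}
type proofClaims struct {
	JTI string `json:"jti"`
	HTM string `json:"htm"`
	HTU string `json:"htu"`
	IAT int64  `json:"iat"`
}

// NewClientKey generates the client's DPoP key pair; the private half never leaves the client.
func NewClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Thumbprint is the RFC 7638 JWK thumbprint (SHA-256 over the required members, sorted, no whitespace); cnf.jkt carries this 43-char digest.
func Thumbprint(k ecJWK) string {
	h := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k.Crv, k.Kty, k.X, k.Y)))
	return b64.EncodeToString(h[:])
}

// NewProof builds a DPoP proof JWT (typ dpop+jwt, alg ES256) for one request and returns it with the embedded key's thumbprint.
func NewProof(priv *ecdsa.PrivateKey, method, uri string, now time.Time) (proof, jkt string, err error) {
	jti := make([]byte, 16) // fresh per proof; the server uses it for replay detection
	if _, err = rand.Read(jti); err != nil {
		return "", "", err
	}
	jwk := ecJWK{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(priv.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(priv.Y.FillBytes(make([]byte, 32)))} // fixed-width 32-byte coordinates (RFC 7518, 6.2.1)
	hdr, _ := json.Marshal(proofHeader{Typ: "dpop+jwt", Alg: "ES256", JWK: jwk})
	body, _ := json.Marshal(proofClaims{JTI: b64.EncodeToString(jti), HTM: method, HTU: uri, IAT: now.Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256: raw r||s
	return input + "." + b64.EncodeToString(sig), Thumbprint(jwk), nil
}

// SeenJTI is the only per-server state needed: proof ids accepted inside the freshness window, so a captured proof cannot be replayed.
type SeenJTI map[string]bool

const maxProofAge = 60 * time.Second // assumed freshness window, not a value taken from the draft

// Verify checks a proof against the request it accompanies and the thumbprint bound into the token (cnf.jkt); it returns that thumbprint.
func (seen SeenJTI) Verify(proof, method, uri, boundJKT string, now time.Time) (string, error) {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed proof")
	}
	hdr, claims := proofHeader{}, proofClaims{}
	rawHdr, e1 := b64.DecodeString(parts[0])
	rawBody, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 ||
		json.Unmarshal(rawHdr, &hdr) != nil || json.Unmarshal(rawBody, &claims) != nil ||
		hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256" {
		return "", errors.New("malformed or unsupported proof")
	}
	// The signature is checked with the key the proof carries; that key is then tied to the token via its thumbprint, so no key lookup or session state is needed.
	coord := func(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: coord(hdr.JWK.X), Y: coord(hdr.JWK.Y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("bad signature")
	}
	if age := now.Sub(time.Unix(claims.IAT, 0)); claims.HTM != method || claims.HTU != uri || age > maxProofAge || age < -maxProofAge {
		return "", errors.New("proof does not match this request (htm/htu/iat)")
	}
	if seen[claims.JTI] {
		return "", errors.New("replayed proof: jti already seen")
	}
	seen[claims.JTI] = true
	if jkt := Thumbprint(hdr.JWK); jkt == boundJKT {
		return jkt, nil
	}
	return "", errors.New("proof key does not match token binding (cnf.jkt)")
}
```

The `cnf.jkt` comparison is what lets a server validate without remembering the key in backend state, and it also makes the cost George describes visible: even with a P-256 key the proof runs to several hundred bytes per request against the 43-character thumbprint that identifies the key, and an RSA key would make the proof larger still.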
--------------YKDQ47F0NusCo0DHzH3aSpmL--


From nobody Wed Mar  2 07:32:14 2022
MIME-Version: 1.0
References: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de>
In-Reply-To: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de>
From: Sascha Preibisch <saschapreibisch@gmail.com>
Date: Wed, 2 Mar 2022 07:31:43 -0800
Message-ID: <CAP=vD9uLY6jissAZaEcEYLW2xNAr1NFgz7aO_NAjtuhs-C2pPA@mail.gmail.com>
To: Daniel Fett <fett@danielfett.de>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003caf3705d93dfb68"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/blJ9wb5I5UCI2pBO2mndIp4TpJg>
Subject: Re: [OAUTH-WG] OAuth: The frustrating lack of good libraries

--0000000000003caf3705d93dfb68
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello Daniel!

Some time ago I started an open source project: Loginbuddy.
Loginbuddy is a tool that mainly supports OpenID Connect based logins.

It can be deployed as a standalone service or be used as a side-car next to
other docker containers in the same network.

Although it is not necessarily a library, it may be worth looking into it.
I could imagine that Loginbuddy would also be a good starting point for
extensions that serve more flows and more general features of OAuth/OpenID
Connect. With more contributors I see a chance for Loginbuddy to be more
widely used and help address your concerns.

Please have a look here:
https://loginbuddy.net

I just updated the web site. Or visit the GitHub project:
https://github.com/SaschaZeGerman/loginbuddy

In any case, that is my current contribution to the developer community.

Thanks,
Sascha

On Tue, Mar 1, 2022 at 9:18 AM Daniel Fett <fett@danielfett.de> wrote:

> Hi all,
>
> While helping clients to onboard into the yes ecosystem, in my
> consulting work, and in discussions with developers implementing OAuth
> 2.0, one topic comes up increasingly often: The (somewhat frustrating)
> lack of good, modern, and universal OAuth libraries.
>
> Many of the libraries out there have one or more of the following
> drawbacks:
>
>  * They are not maintained any longer
>  * They are not well documented (e.g., it is often unclear which
>    specifications are supported)
>  * They support only a subset of the OAuth 2.0 specification
>  * They work only with selected providers (e.g., Google, Facebook, etc.)
>  * It is unclear whether they follow recent security recommendations
>  * They do not support modern features, such as PKCE, AS Metadata,
>    MTLS, etc.
>
> Exceptions exist, of course, like Filip's Node.js implementation and
> the nimbus library for Java. But apart from those rare cases, when a
> developer asks me what library to use, my answer is often: "I don't
> think there's a good one in your language".
>
> It is a telltale sign that many providers of OAuth protected APIs also
> provide a custom OAuth implementation in their SDKs, which they then
> often have to maintain for a number of languages. This creates
> unnecessary costs and friction, e.g., when introducing new security
> features.
>
> At the same time, practically every language/framework comes with a
> TLS stack and making HTTPS requests is often just a few lines of code.
> Why aren't we there yet with OAuth? I'm well aware that OAuth 2.0 is a
> framework, not a single protocol like TLS, but the mentioned libraries
> show that this does not preclude a comprehensive library support.
>
> If I had to speculate about the reasons for this mess, I'd say that
> there are three:
>
>  * The core of OAuth is easy to implement. The need to create or use a
>    library might not be obvious to developers. Of course, if you want
>    a proper implementation with correct error handling, observing all
>    the security recommendations, etc., the effort is huge. But just
>    getting OAuth to work for one specific use case is relatively easy.
>  * OAuth is traditionally hard to configure: authorization and token
>    endpoint URLs, client id and secret, supported scopes (and claims
>    for OIDC), supported response types and modes, and required
>    security features are just some of the things a developer has to
>    figure out - often from the API's documentation - to get everything
>    up and running. Even though configuration is not the same as
>    implementation, I imagine that this complexity can lead to the
>    perception that there are barely any commonalities between
>    different OAuth flows. There might be no value, after all, in an
>    OAuth library, if I have to provide so many details myself.
>  * With many extensions and specifications to choose from, it can be
>    hard to select a reasonable subset to support.
>
> What can we do about this? I'm not sure, but I have a few ideas.
>
>  * Of course, one step would be to increase visibility and
>    documentation for existing implementations: Beyond listing
>    libraries (like the list on oauth.net <http://oauth.net>), it would
>    be great to have a place to go to find libraries based on their
>    feature support. I'm sure there are more good libraries out there.
>  * The OpenID Foundation has a great set of conformance tests for
>    OIDC, FAPI and other stuff. Creating conformance tests for OAuth
>    would be harder, given that the framework leaves many options for
>    implementers to choose from. I'm not sure if running a conformance
>    programme would be in the scope of IETF, but it can be worthwhile
>    to think about if we could support such an endeavor.
>  * The single most important thing to do would, in my opinion, be to
>    set a goal: Tell library developers and language maintainers what
>    can be expected from a good, modern, and universal OAuth library.
>    Such a recommendation would shine a light on the most important
>    extensions for OAuth like PKCE and might even be a prerequisite for
>    conformance tests. It may turn out to be OAuth 2.1 or something
>    else. For me, this would in any case include AS Metadata, as that
>    is the single most valuable building block we have to address
>    configuration complexity.
>
> I would be interested to hear what others think about this. Is this a
> problem worth addressing? Are there other solutions? Is this out of
> scope of our work here?
>
> -Daniel
>
> -- https://danielfett.de
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--0000000000003caf3705d93dfb68
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir="ltr">Hello Daniel!<div><br></div>
<div>Some time ago I started an open source project: Loginbuddy.</div>
<div>Loginbuddy is a tool that mainly supports OpenID Connect based logins. </div>
<div><br></div>
<div>It can be deployed as a standalone service or be used as a side-car next to other docker containers in the same network.</div>
<div><br></div>
<div>Although it is not necessarily a library, it may be worth looking into it. I could imagine that Loginbuddy would also be a good starting point for extensions that serve more flows and more general features of OAuth/ OpenID Connect. With more contributors I see a chance for Loginbuddy to be more widely used and help address your concerns.</div>
<div><br></div>
<div>Please have a look here:</div>
<div><a href="https://loginbuddy.net">https://loginbuddy.net</a></div>
<div><br></div>
<div>I just updated the web site. Or visit the GitHub project:</div>
<div><a href="https://github.com/SaschaZeGerman/loginbuddy">https://github.com/SaschaZeGerman/loginbuddy</a></div>
<div><br></div>
<div>In any case, that is my current contribution to the developer community.</div>
<div><br></div>
<div>Thanks,</div>
<div>Sascha</div></div>
<br>
<div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 1, 2022 at 9:18 AM Daniel Fett &lt;<a href="mailto:fett@danielfett.de">fett@danielfett.de</a>&gt; wrote:<br></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">

  <div>
    <p><b style="font-weight:normal" id="gmail-m_1280489072549689368docs-internal-guid-60602e1c-7fff-f446-6469-8a697b8e8f47">
        </b></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><b style="font-weight:normal" id="gmail-m_1280489072549689368docs-internal-guid-60602e1c-7fff-f446-6469-8a697b8e8f47"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Hi all,</span></b></p><b style="font-weight:normal" id="gmail-m_1280489072549689368docs-internal-guid-60602e1c-7fff-f446-6469-8a697b8e8f47">
        <br>
        <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">While helping clients to onboard into the yes ecosystem, in my consulting work, and in discussions with developers implementing OAuth 2.0, one topic comes up increasingly often: The (somewhat frustrating) lack of good, modern, and universal OAuth libraries. </span></p>
        <br>
        <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Many of the libraries out there have one or more of the following drawbacks:</span></p>
        <br>
        <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> * They are not maintained any longer</span></p>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0* The=
y are not well documented (e.g., it is often unclear which specifications a=
re supported)</span></p>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0* The=
y support only a subset of the OAuth 2.0 specification</span></p>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0* The=
y work only with selected providers (e.g., Google, Facebook, etc.)</span></=
p>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0* It =
is unclear whether they follow recent security recommendations</span></p>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0* The=
y do not support modern features, such as PKCE, AS Metadata, MTLS, etc.</sp=
an></p>
        <br>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">Exceptions =
exist, of course, like Filip&#39;s Node.js implementation and the nimbus li=
brary for Java. But apart from those rare cases, when a developer asks me w=
hat library to use, my answer is often: &quot;I don&#39;t think there&#39;s=
 a good one in your language&quot;. It is a telltale sign that many provide=
rs of OAuth protected APIs also provide a custom OAuth implementation in th=
eir SDKs, which they then often have to maintain for a number of languages.=
 This creates unnecessary costs and friction, e.g., when introducing new se=
curity features.</span></p>
        <br>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">At the same=
 time, practically every language/framework comes with a TLS stack and maki=
ng HTTPS requests is often just a few lines of code. Why aren&#39;t we ther=
e yet with OAuth? I&#39;m well aware that OAuth 2.0 is a framework, not a s=
ingle protocol like TLS, but the mentioned libraries show that this does no=
t preclude a comprehensive library support.</span></p>
        <br>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">If I had to=
 speculate about the reasons for this mess, I&#39;d say that there are thre=
e:</span></p>
        <br>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0* The=
 core of OAuth is easy to implement. The need to create or use a library mi=
ght not be obvious to developers. Of course, if you want a proper implement=
ation with correct error handling, observing all the security recommendatio=
ns, etc., the effort is huge. But just getting OAuth to work for one specif=
ic use case is relatively easy.</span></p>
        <br>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0* OAu=
th is traditionally hard to configure: authorization and token endpoint URL=
s, client id and secret, supported scopes (and claims for OIDC), supported =
response types and modes, and required security features are just some of t=
he things a developer has to figure out - often from the API&#39;s document=
ation - to get everything up and running. Even though configuration is not =
the same as implementation, I imagine that this complexity can lead to the =
perception that there are barely any commonalities between different OAuth =
flows. There might be no value, after all, in an OAuth library, if I have t=
o provide so many details myself.</span></p>
        <br>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0* Wit=
h many extensions and specifications to choose from, it can be hard to sele=
ct a reasonable subset to support.=C2=A0</span></p>
        <br>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">What can we=
 do about this?</span></p>
        <br>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">I&#39;m not=
 sure, but I have a few ideas.</span></p>
        <br>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0* Of =
course, one step would be to increase visibility and documentation for exis=
ting implementations: Beyond listing libraries (like the list on <a href=3D=
"http://oauth.net" target=3D"_blank">oauth.net</a>), it would be great to h=
ave a place to go to to find libraries based on their feature support. I&#3=
9;m sure there are more good libraries out there.</span></p>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0* The=
 OpenID Foundation has a great set of conformance tests for OIDC, FAPI and =
other stuff. Creating conformance tests for OAuth would be harder, given th=
at the framework leaves many options for implementers to choose from. I=E2=
=80=99m not sure if running a conformance programme would be in the scope o=
f IETF, but it can be worthwhile to think about if we could support such an=
 endeavor.</span></p>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0* The=
 single most important thing to do would, in my opinion, be to set a goal: =
Tell library developers and language maintainers what can be expected from =
a good, modern, and universal OAuth library. Such a recommendation would sh=
ine a light on the most important extensions for OAuth like PKCE and might =
even be a prerequisite for conformance tests. It may turn out to be OAuth 2=
.1 or something else. For me, this would in any case include AS Metadata, a=
s that is the single most valuable building block we have to address config=
uration complexity.=C2=A0</span></p>
        <br>
        <p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bott=
om:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);ba=
ckground-color:transparent;font-weight:400;font-style:normal;font-variant-l=
igatures:normal;font-variant-caps:normal;font-variant-east-asian:normal;tex=
t-decoration:none;vertical-align:baseline;white-space:pre-wrap">I would be =
interested to hear what others think about this. Is this a problem worth ad=
dressing? Are there other solutions? Is this out of scope of our work here?=
=C2=A0</span></p>
        <br>
        -Daniel<br>
      </b><p></p>
    <pre cols=3D"72">--=20
<a href=3D"https://danielfett.de" target=3D"_blank">https://danielfett.de</=
a></pre>
  </div>

_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div>

--0000000000003caf3705d93dfb68--


From nobody Wed Mar  2 07:58:30 2022
Return-Path: <fotiou@aueb.gr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF5B63A0B32 for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 07:58:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level: 
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aueb.gr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W-Oypkx09_Fa for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 07:58:21 -0800 (PST)
Received: from blade-b3-vm-relay.servers.aueb.gr (blade-b3-vm-relay.servers.aueb.gr [195.251.255.106]) by ietfa.amsl.com (Postfix) with ESMTP id EE9733A0B2F for <oauth@ietf.org>; Wed,  2 Mar 2022 07:58:20 -0800 (PST)
Received: from blade-a1-vm-smtp.servers.aueb.gr (blade-a1-vm-smtp.servers.aueb.gr [195.251.255.217]) by blade-b3-vm-relay.servers.aueb.gr (Postfix) with ESMTP id F2450F92 for <oauth@ietf.org>; Wed,  2 Mar 2022 17:58:17 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aueb.gr; s=201901; t=1646236697; bh=th6fag8VUhUzsaUSyPauQovvytEVHmAcZtk6fRi798Y=; h=From:Subject:Date:To:From; b=M+MoRWgHYSFPLHZOmPWxB9U5lcgtNryEq6HOPQRqItnbG634mA+andco69HsVCzP5 KfazApEvg1xKgsxj+FDHc4emzVjd1Q+FBNNsje0oonx7SuK4fW3jNUW0LPfSFbBg/n SnFrWTs6djNXJcCVnPICCOZJ3e1CNmPtWsyky4AARS5K+KBe/CYKa29a1xZ1piLfeo irK986HUz6Qnd7Ol5xUQ28K7D46YTObo7ILL8yQCqw1LLA9JWPIjNLrZJbmrmBLqBx lh3C/m4iMXm3P6vXzo+dCKHTH8vuQutJ5t0LMTUGOyfmbwjqxJ/xMaldKLZsCxgN7P 9Acr5Vr3k2ewQ==
Received: from smtpclient.apple (athedsl-238105.home.otenet.gr [85.74.249.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: fotiou) by blade-a1-vm-smtp.servers.aueb.gr (Postfix) with ESMTPSA id CD2555AA for <oauth@ietf.org>; Wed,  2 Mar 2022 17:58:17 +0200 (EET)
From: Nikos Fotiou <fotiou@aueb.gr>
Content-Type: multipart/signed; boundary="Apple-Mail=_E5EE9DA8-40B7-4ED4-96E8-2C450F177802"; protocol="application/pkcs7-signature"; micalg=sha-256
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
Message-Id: <4DBCAEEA-08E0-4E93-AFEC-D990C8729E81@aueb.gr>
Date: Wed, 2 Mar 2022 17:58:17 +0200
To: oauth <oauth@ietf.org>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EFC-yzqSLJ164fUZH5u1mOknWKA>
Subject: [OAUTH-WG] proof of access token possession using client secret
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2022 15:58:26 -0000

--Apple-Mail=_E5EE9DA8-40B7-4ED4-96E8-2C450F177802
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi all,

I am working on a use case where the Authorization Server and the
Resource Server are the same entity. I would like to prevent clients
from sharing their access tokens. I am wondering if requiring clients to
include the "client secret" in the resource access request (in addition
to the access token) is a valid strategy. This way clients would have to
share their "client secret" in addition to the access token. Would that
work?

Best,
Nikos
--
Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
Researcher - Mobile Multimedia Laboratory
Athens University of Economics and Business
https://mm.aueb.gr
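
As an added example (not from the message above or from any project), here is the
exchange the question describes, run end to end on a server that is both AS and RS.
It implements the scheme as asked, the client_secret sent alongside the token on
every resource request, and next to it a variant in which the client proves
possession of the same secret by MACing the token and the request target instead
of transmitting the secret. Client ids, secrets, paths and token values are
constructed for the example.

```python
"""Added example (not from the thread): a server that is both AS and RS and
binds each access token to the client that obtained it.  Two proof styles:

  "secret" - the client sends its client_secret with every resource request
             (the scheme asked about in the message above);
  "hmac"   - the client MACs the token and the request target with the
             client_secret, so the secret itself never leaves the client.

Client ids, secrets, paths and token values are constructed for the example.
"""
import hashlib
import hmac
import secrets
import time

# Registered confidential clients, client_id -> client_secret (constructed).
# A real server stores only a hash of the secret; kept plain here for brevity.
CLIENTS = {"client-a": "s3cret-for-client-a", "client-b": "s3cret-for-client-b"}

# Issued tokens, token -> (client_id, expiry).  Because AS and RS are one
# entity, the RS can look a token up directly instead of calling introspection.
TOKENS = {}


def issue_token(client_id, client_secret, ttl=300):
    """Token endpoint: authenticate the client, then issue a token bound to it."""
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        raise PermissionError("invalid_client")
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (client_id, time.time() + ttl)
    return token


def request_proof(token, client_secret, method, path):
    """Client side of the 'hmac' variant: MAC over the token and request target."""
    msg = f"{method} {path}\n{token}".encode()
    return hmac.new(client_secret.encode(), msg, hashlib.sha256).hexdigest()


def authorize_request(request, mode="hmac"):
    """Resource endpoint check.  `request` is a constructed HTTP request shape:
    {"method", "path", "token", "client_id", "proof"}.  True means access granted."""
    entry = TOKENS.get(request["token"])
    if entry is None:
        return False
    bound_client, expiry = entry
    if time.time() > expiry:
        return False
    # The token may only be used by the client it was issued to ...
    if request["client_id"] != bound_client:
        return False
    secret = CLIENTS[bound_client]
    # ... and that client has to demonstrate it holds the client_secret.
    if mode == "secret":
        # The variant from the message: the secret itself travels in the request.
        return hmac.compare_digest(secret, request["proof"])
    if mode == "hmac":
        expected = request_proof(request["token"], secret, request["method"], request["path"])
        return hmac.compare_digest(expected, request["proof"])
    raise ValueError("unknown proof mode")


def demo():
    """Run the exchange for both variants and return the outcomes."""
    TOKENS.clear()
    tok = issue_token("client-a", CLIENTS["client-a"])
    legit = {"method": "GET", "path": "/resource", "token": tok, "client_id": "client-a",
             "proof": request_proof(tok, CLIENTS["client-a"], "GET", "/resource")}
    # client-a hands only the token to client-b, which presents it as itself.
    shared = dict(legit, client_id="client-b",
                  proof=request_proof(tok, CLIENTS["client-b"], "GET", "/resource"))
    # client-b impersonates client-a but does not have client-a's secret.
    impersonated = dict(shared, client_id="client-a")
    # A proof captured for /resource is presented against a different path.
    replayed = dict(legit, path="/admin")
    return {
        "legit_hmac": authorize_request(legit, "hmac"),
        "shared_token_hmac": authorize_request(shared, "hmac"),
        "impersonated_hmac": authorize_request(impersonated, "hmac"),
        "replayed_proof_hmac": authorize_request(replayed, "hmac"),
        "legit_secret": authorize_request(dict(legit, proof=CLIENTS["client-a"]), "secret"),
        "impersonated_secret": authorize_request(
            dict(impersonated, proof=CLIENTS["client-b"]), "secret"),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:22s} {'granted' if granted else 'denied'}")
```

In both variants a token on its own is useless to a third party, which is the
property the question is after; the difference is what an observer of the
resource request learns. With the "secret" variant every request carries the
long-lived client credential, so any log, proxy or TLS-terminating hop that sees
one request can reuse that credential with every token of that client. The MAC
variant exposes only a per-request value. The toy MAC above carries no timestamp
or nonce, so a captured proof can still be replayed for the same token and path;
the sender-constraining mechanisms the working group has standardized, certificate-bound
tokens (RFC 8705) and DPoP (RFC 9449), bind the token to a key rather than to a shared
secret, and DPoP adds a per-proof jti and timestamp to limit replay.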


--Apple-Mail=_E5EE9DA8-40B7-4ED4-96E8-2C450F177802
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
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--Apple-Mail=_E5EE9DA8-40B7-4ED4-96E8-2C450F177802--


From nobody Wed Mar  2 08:05:43 2022
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 412E13A0BB3 for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 08:05:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bibi0dPeNvbl for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 08:05:35 -0800 (PST)
Received: from mail-yb1-xb34.google.com (mail-yb1-xb34.google.com [IPv6:2607:f8b0:4864:20::b34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE5F23A0B8F for <oauth@ietf.org>; Wed,  2 Mar 2022 08:05:34 -0800 (PST)
Received: by mail-yb1-xb34.google.com with SMTP id e186so4298950ybc.7 for <oauth@ietf.org>; Wed, 02 Mar 2022 08:05:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=U83aygZ+iHPyUs0elFe0p4XqwD7Ze+Xcc3tgaNdBOHQ=; b=XPB/HDNzmDJj2JBg8YNVRExAAycaOJ1tvFdwn7c1Vb1hPOAclqT3a88Q+/itOm6ecf AVq8z0ME/6p1YzkM1Fad+yar3TjfqRNIh1wTOM/u7n7AmoUj9CR201R9YBSkGJPWwuBw 7zj+0avpidfbzFNrNnMf2kx99HcOkjn/fhR1JEV1GKP+To/NmNDFfxLNLSgaj53fEx0i yCR08ELAM9PBBNEx96DxJYD4ZQQkHBPCSouMsFRY8XsvJfVgPYfKRwx3/9LLsJNqcqM7 RVpqjqMw+13igI7RHPUeBL6SjAcr+CDTVWER3i8R0GDyCe74vu7bA3MTJZOIpsQCrtkU 2aKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=U83aygZ+iHPyUs0elFe0p4XqwD7Ze+Xcc3tgaNdBOHQ=; b=PbT/0d1EYW7PwDg6JAjD1JpyIzybhgkE3d4teINobqkF/q/CmuIrltmVBImNBSPEMQ CRXEM83gLC74C5fGR/xyOoAxREUGDxWA0+K92waSyvVJnufecIMi75FDgJRqm84KCpLQ aGZMR83ecCAdYzzIxA5E/oGQO8Y+3io25ICNElMH73UthQL3AxSxv/sM/GE1QMivICPs jYlWg3laYjGUlL77/tmliLeGQelwky5BK+WStXGMNIU87q8iXd6AyPwXZRDVfSU3eFb9 xskr1hHz3UjFLvjdFY8DPk1+9ODqrjOHND7Tsfcc9JkZd3OjAcllpoCvvzeSVrKcD61E woTw==
X-Gm-Message-State: AOAM5302XREMbrsSOjJt6+Q6ZVzdKQ/gXj3x9Dit27TzqaF2FE0ozLoU FLR3szNuSxfLC7zB0crKSOsi2Vsco2yTdMIfxBXyt4fJQ7j+
X-Google-Smtp-Source: ABdhPJzOI3BOQ6vHvZ/RRscwex/vyRpelik1bLR9ZfDHoG6HFpu5/5lY9leXjNWCFdIYGHVJH67V5kUXzky5dpFlwso=
X-Received: by 2002:a25:8748:0:b0:624:783e:d501 with SMTP id e8-20020a258748000000b00624783ed501mr29480371ybn.127.1646237133320; Wed, 02 Mar 2022 08:05:33 -0800 (PST)
MIME-Version: 1.0
References: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de> <CAP=vD9uLY6jissAZaEcEYLW2xNAr1NFgz7aO_NAjtuhs-C2pPA@mail.gmail.com>
In-Reply-To: <CAP=vD9uLY6jissAZaEcEYLW2xNAr1NFgz7aO_NAjtuhs-C2pPA@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 2 Mar 2022 17:05:22 +0100
Message-ID: <CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=g@mail.gmail.com>
To: Sascha Preibisch <saschapreibisch@gmail.com>
Cc: Daniel Fett <fett@danielfett.de>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008c46dd05d93e735f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NYcjRy7lgE5eo50zHGskuO8egiw>
Subject: Re: [OAUTH-WG] OAuth: The frustrating lack of good libraries
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2022 16:05:41 -0000

--0000000000008c46dd05d93e735f
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I don't think flooding this thread with random libraries is going to
benefit anyone, so let's not do that.

Back to the question, and it is an interesting one. It makes sense to
dissect it a bit first. Who is struggling with "OAuth libraries" and what
is even the responsibility of one of them?

*I'll start with my recommendation:*

   - 0) We shouldn't build anything, and we shouldn't curate lists of
   libraries and packages.
   - 1) We should make this information about libraries discoverable and
   trackable. For instance with AS discovery docs we can enable adding
   properties that link to SDKs in languages that the AS decides to support.
   - 2) We can document a "discovery doc" for libraries to self publish
   detailing their features (in case they aren't associated with an AS). Then
   anyone who wants to build lists of libraries with supporting features, can
   easily compile these documents. All we have to do is define "OAuth SDK
   features", and this will enable everyone else to create SDK
   listings/feature comparisons. It can even be automated.

*My concerns:*
I think we have to break it down first into some key areas:

   - There are OAuth user-agent clients
      - Mobile app clients for each of the app OSs, and further for each of
      the app development frameworks
      - Web apps
      - Desktop apps
   - There are OAuth machine clients
      - BFF OAuth code exchange clients
      - client credentials clients
      - third party machine clients
      - leaf clients that need to validate authorization tokens
      - [One caveat to this is that these can and will be written in every
      possible language available]
   - There are OAuth Authorization servers
      - Open source ones
      - SaaS models
      - AS in a container
      - embedded cloud native solutions
      - potentially user controlled

Obviously this isn't a full list, but looking at each of these,
specialization in the world of software libraries tells us that likely
every one of these could and will be its own library. Just looking at this
shortlist, and the story of "which library" should you use becomes
incredibly complicated. If we have libraries that purport to solve all
these problems, then it becomes a gratuitous burden on developers to pick
the right library, which isn't interchangeable with others. They aren't
pluggable.

Additionally, for the purposes of branding and documentation, most of these
will be wrapped by brand specific implementations so that careful
validation and control over key features can be communicated. Further,
since the landscape moves quickly providers want to stay up to date,
putting links all over your documentation pages saying "this library does
not yet support said feature" is terrible. This is still frequently the
case, and so providers are encouraged to lie, "We support this*" - but you
have to do these hacks after you download the library to support it.

Further, there are sane defaults that make sense for a wrapper for a
dedicated and opinionated solution that don't make sense in a generic one.
The whole class of AS libraries are hidden from external developers, so
there is very little value in a "whole solution" and more value in
delivering what these AS need. Since they have their own motivations, they
are already either open sourcing their solutions or keeping it closed and
won't contribute. This is arguably the set where libraries offer the most
value, but because of these reasons it is a lost cause.

The second set is machine clients. Most of this is very similar to the last
section of AS, but very little of it is OAuth specific. Most of it is "Add
an authorization header" or "call this specific endpoint one time". A
couple of lines in the documentation is sufficient for handling this. Which
leaves "How to verify an OAuth token". Having built a library for tons of
languages to handle not just OAuth but other things, the challenge here
isn't the OAuth part. Sure there is some knowledge around how to convert
the *issuer* to the JWK using the discovery document, but a library only
marginally improves the state. And the amount of work for branded libraries
to add this in is still trivial. The real problem with these is that the
crypto communities in different languages don't make it easy to do this. If
you think explaining OAuth is challenging, try to explain libsodium
requirements, they don't care, and we can't fix that with a library. We can
fix that by contributing to the available crypto tools so OAuth
verification can be easier. Thankfully we don't have to, because the
branded products will release their open source version implementing or
fixing these because they are motivated to do so.

Now I get to the OAuth user-agent/facing clients. Web app complexity here
is usually the framework, and the dance around what to do with the state
and the redirect so the user ends up in the right place. A library isn't
going to fix that, and even if it did, it isn't OAuth that is the issue
here, it is a lack of good browser APIs to support easy navigation.

Which leaves us with, are we talking about mobile apps or desktop clients?
Because we are talking about one of these other categories, there isn't
enough value in there to list them any more than there is value in listing
OIDC providers that support OAuth. Being met with a list of hundreds of
libraries and packages doesn't make for a good experience, and do those
same developers know if they need PKCE, EdDSA signatures, or a library that
supports mTLS? Probably not.

- Warren

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Wed, Mar 2, 2022 at 4:33 PM Sascha Preibisch <saschapreibisch@gmail.com>
wrote:

> Hello Daniel!
>
> Some time ago I started an open source project: Loginbuddy.
> Loginbuddy is a tool that mainly supports OpenID Connect based logins.
>
> It can be deployed as a standalone service or be used as a side-car next
> to other docker containers in the same network.
>
> Although it is not necessarily a library, it may be worth looking into it.
> I could imagine that Loginbuddy would also be a good starting point for
> extensions that serve more flows and more general features of OAuth/ OpenID
> Connect. With more contributors I see a chance for Loginbuddy to be more
> widely used and help address your concerns.
>
> Please have a look here:
> https://loginbuddy.net
>
> I just updated the web site. Or visit the GitHub project:
> https://github.com/SaschaZeGerman/loginbuddy
>
> In any case, that is my current contribution to the developer community.
>
> Thanks,
> Sascha
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
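
Daniel's point that AS Metadata is the building block that addresses configuration complexity, as an added example that is not code from any message in this thread: a client that derives its configuration from an Authorization Server Metadata document (RFC 8414) instead of from API documentation, and refuses to proceed when the server does not advertise the features a modern client needs (the code flow, PKCE with S256, an acceptable client authentication method). The metadata document is constructed, and every function and class name here is my own assumption.

```python
"""Configuring an OAuth client from an AS Metadata document (RFC 8414).

Added example for this thread, not code from any message in it. The metadata
document below is constructed; every function name here is an assumption.
"""
import json
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample of what an AS might serve at its well-known metadata URL.
# Field names follow RFC 8414.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "jwks_uri": "https://as.example.com/jwks",
    "scopes_supported": ["openid", "profile", "read"],
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
})

# Client authentication methods in order of preference (asymmetric first).
PREFERRED_AUTH_METHODS = ["private_key_jwt", "client_secret_basic"]


class MetadataError(ValueError):
    """Raised when the metadata is unusable for a modern, secure client."""


@dataclass
class ClientConfig:
    issuer: str
    authorization_endpoint: str
    token_endpoint: str
    jwks_uri: Optional[str]
    pkce_method: str
    auth_method: str
    scopes: List[str]
    unadvertised_scopes: List[str]


def _https_url(md: dict, key: str) -> str:
    """Fetch a required endpoint and insist that it is an absolute https URL."""
    url = md.get(key)
    if not isinstance(url, str):
        raise MetadataError(f"{key} missing")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise MetadataError(f"{key} is not an absolute https URL: {url!r}")
    return url


def build_client_config(metadata_json: str, expected_issuer: str,
                        requested_scopes: List[str]) -> ClientConfig:
    md = json.loads(metadata_json)

    # RFC 8414 section 3.3: the issuer in the document must be identical to the
    # one the client used to locate it; anything else is a mix-up or a spoof.
    if md.get("issuer") != expected_issuer:
        raise MetadataError(f"issuer mismatch: {md.get('issuer')!r} != {expected_issuer!r}")

    authorization_endpoint = _https_url(md, "authorization_endpoint")
    token_endpoint = _https_url(md, "token_endpoint")
    jwks_uri = md.get("jwks_uri")

    # Only the authorization code flow is acceptable for a modern client.
    if "code" not in md.get("response_types_supported", []):
        raise MetadataError("server does not advertise response_type=code")

    # RFC 8414: an absent code_challenge_methods_supported means no PKCE at all.
    # A server that only offers "plain" is refused as well.
    if "S256" not in md.get("code_challenge_methods_supported", []):
        raise MetadataError("server does not advertise PKCE with S256")

    # RFC 8414 default when the field is omitted is client_secret_basic.
    supported_auth = md.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    auth_method = next((m for m in PREFERRED_AUTH_METHODS if m in supported_auth), None)
    if auth_method is None:
        raise MetadataError(f"no supported client authentication method in {supported_auth}")

    # scopes_supported is only RECOMMENDED, so unknown scopes are reported, not rejected.
    advertised = md.get("scopes_supported")
    unadvertised = [] if advertised is None else [s for s in requested_scopes if s not in advertised]

    return ClientConfig(md["issuer"], authorization_endpoint, token_endpoint, jwks_uri,
                        "S256", auth_method, list(requested_scopes), unadvertised)


def validate(metadata_json: str, expected_issuer: str, requested_scopes: List[str]) -> Optional[str]:
    """Return None if the metadata yields a usable config, else the reason it was rejected."""
    try:
        build_client_config(metadata_json, expected_issuer, requested_scopes)
        return None
    except MetadataError as exc:
        return str(exc)


def metadata_without(key: str) -> str:
    """Constructed variant of SAMPLE_METADATA with one field removed."""
    md = json.loads(SAMPLE_METADATA)
    md.pop(key, None)
    return json.dumps(md)


if __name__ == "__main__":
    print(build_client_config(SAMPLE_METADATA, "https://as.example.com", ["openid", "read", "admin"]))
    print(validate(metadata_without("code_challenge_methods_supported"), "https://as.example.com", ["read"]))
```

The issuer comparison is the check most often skipped in hand-rolled clients: without it, a metadata document fetched from the wrong place configures the client to send codes and tokens to endpoints of someone else's choosing. Treating a missing `code_challenge_methods_supported` as "no PKCE" follows the RFC's own default and turns the feature question Daniel raises (does this server support PKCE?) into a deterministic decision the library makes once.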


--0000000000008c46dd05d93e735f--


From nobody Wed Mar  2 08:18:58 2022
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3F1A3A0C02 for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 08:18:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3efKV6xpS4Mw for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 08:18:50 -0800 (PST)
Received: from mail-yb1-xb29.google.com (mail-yb1-xb29.google.com [IPv6:2607:f8b0:4864:20::b29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AB1A3A0BF6 for <oauth@ietf.org>; Wed,  2 Mar 2022 08:18:50 -0800 (PST)
Received: by mail-yb1-xb29.google.com with SMTP id g1so4431391ybe.4 for <oauth@ietf.org>; Wed, 02 Mar 2022 08:18:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WRcx275SsXXgMvtRupIAfdJxDE1Y3O3FYzTyZtAMPD8=; b=f8fp7aie+9V+0lNmuc7YITjalc5l97cmMQz+qdlWIrM27m/wrAddtFzqJsmrH0n1oK AgIw8CNwzvE0th/XSwwmbZd+VbzWO0hnYJ1PZfnZUfU0/BQM5xiGe+qBMAup73uSi87U EiCAbuWbTdL7Pr94Mv4gX6A6cJV/rRkByqe8yFsa6YWR67rjXbMMfBmwfTohaIRDzFg/ pfmOR7I8fAp4oC9zZGoQG6D8UUugLyQaaYHG6FqJGdWMF3Z3MYKgmSV9klv78edNclzX cPnEexZZYSU6DCv70z8IyAqix6R9i1fhZCTYimMO1isGmNr8ycrDmH3xldX+w+25TZ+O xx9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WRcx275SsXXgMvtRupIAfdJxDE1Y3O3FYzTyZtAMPD8=; b=SEbt2yPZ1mz7W65eRzQ9wzrWAwoCTfLLwWlPHRdT+Yit5AOr5627hp1lesC9Tqpjju E6JuYHvDGRUlxy2GUP9rE1+tgHkOhfD9KINDIVOln8ECuRpuACJuTg0jwr0XAtklaSy+ PcqRWN6lGVsA8OipOmebcgOAxldfQGJuEzPRiGtisdoH+kyybbcwSQnZgDf3A0vUpklG eUDWJ5JPrRHVWY83p9HY5ku3GodBwVffA6v6k79IfILRjWucc763lADGidXDEwvMwBEr 9E4A2sqUIn7XEq6mFgURLE44mIPeb+7XVcREqmcSc7kTvEIIqkd4M5T+D61OqC/KLXZn 4s1w==
X-Gm-Message-State: AOAM530auMkOZziDLKfXuyd2mxAYNxWdyMKDpkyQOqumkx3rVLj+qkQ9 WjgdAMl0K5jFnqqG4THtCRDvSS2VCTlHjbHXpi7seoOtJcxH
X-Google-Smtp-Source: ABdhPJxasl5pkBbf4BgTeBgHgChug3oo6pOZaCLynomTvCU0SNMSZSW6x84kzLZphpvO40pSCCc7FCbnQvgWWErzWTA=
X-Received: by 2002:a25:ea49:0:b0:623:1f19:4cf7 with SMTP id o9-20020a25ea49000000b006231f194cf7mr29099448ybe.371.1646237928936; Wed, 02 Mar 2022 08:18:48 -0800 (PST)
MIME-Version: 1.0
References: <4DBCAEEA-08E0-4E93-AFEC-D990C8729E81@aueb.gr>
In-Reply-To: <4DBCAEEA-08E0-4E93-AFEC-D990C8729E81@aueb.gr>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 2 Mar 2022 17:18:38 +0100
Message-ID: <CAJot-L3VTjkUKzTiivEuktpe7aG=WkYt9cQxX0AvYpoLp5BAMA@mail.gmail.com>
To: Nikos Fotiou <fotiou@aueb.gr>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f86f1d05d93ea2cd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OivMRDct3LDQFmc-PQuTSIOEok4>
Subject: Re: [OAUTH-WG] proof of access token possession using client secret
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2022 16:18:55 -0000

--000000000000f86f1d05d93ea2cd
Content-Type: text/plain; charset="UTF-8"

Is there a reason you wouldn't want to use the access token to access these
resources? That seems like it would be the optimal strategy.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Wed, Mar 2, 2022 at 4:58 PM Nikos Fotiou <fotiou@aueb.gr> wrote:

> Hi all,
>
> I am working on a use case where the Authorization Server and the Resource
> Server are the same entity. I would like to prevent clients from sharing
> their access tokens. I am wondering if requiring clients to include the
> "client secret" in the resource access request (in addition to the access
> token) is a valid strategy. This way clients would have to share their
> "client secret" in addition to the access token. Would that work?
>
> Best,
> Nikos
> --
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--000000000000f86f1d05d93ea2cd--


From nobody Wed Mar  2 08:22:48 2022
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41FAD3A0C2A for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 08:22:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T3ZAJ_p4t_Wf for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 08:22:41 -0800 (PST)
Received: from mail-il1-x143.google.com (mail-il1-x143.google.com [IPv6:2607:f8b0:4864:20::143]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 711B43A0B7F for <oauth@ietf.org>; Wed,  2 Mar 2022 08:22:41 -0800 (PST)
Received: by mail-il1-x143.google.com with SMTP id i1so1791751ila.7 for <oauth@ietf.org>; Wed, 02 Mar 2022 08:22:41 -0800 (PST)
X-Received: by 2002:a05:6e02:190e:b0:2bf:ac1e:b5b7 with SMTP id w14-20020a056e02190e00b002bfac1eb5b7mr28562964ilu.304.1646238160146;  Wed, 02 Mar 2022 08:22:40 -0800 (PST)
Received: from ?IPV6:2604:2d80:ed8c:b500:bd1c:9e47:9702:27c1? ([2604:2d80:ed8c:b500:bd1c:9e47:9702:27c1]) by smtp.googlemail.com with ESMTPSA id l13-20020a056e021c0d00b002c1efc8ac4bsm10291921ilh.21.2022.03.02.08.22.39 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 02 Mar 2022 08:22:39 -0800 (PST)
Content-Type: multipart/alternative; boundary="------------r22as8tzyLHc0UOrSwTXnYuZ"
Message-ID: <8bd92dec-6287-4f63-aebb-3c39427b7cb7@manicode.com>
Date: Wed, 2 Mar 2022 08:22:37 -0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.6.1
Content-Language: en-US
To: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>, Nikos Fotiou <fotiou@aueb.gr>
Cc: oauth <oauth@ietf.org>
References: <4DBCAEEA-08E0-4E93-AFEC-D990C8729E81@aueb.gr> <CAJot-L3VTjkUKzTiivEuktpe7aG=WkYt9cQxX0AvYpoLp5BAMA@mail.gmail.com>
From: Jim Manico <jim@manicode.com>
In-Reply-To: <CAJot-L3VTjkUKzTiivEuktpe7aG=WkYt9cQxX0AvYpoLp5BAMA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hiaKE5CPZO0ecl0hCjtJ_KiOpgo>
Subject: Re: [OAUTH-WG] proof of access token possession using client secret
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2022 16:22:47 -0000

This is a multi-part message in MIME format.
--------------r22as8tzyLHc0UOrSwTXnYuZ
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

> I would like to prevent clients from sharing their access tokens. I
> am wondering if requiring clients to include the "client secret" in the
> resource access request (in addition to the access token) is a valid
> strategy.

Sender-constrained access tokens are suggested in the current security 
best practice guide here. 
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.2

So yes!

- Jim Manico

On 3/2/22 8:18 AM, Warren Parad wrote:
> Is there a reason you wouldn't want to use the access token to access 
> these resources? That seems like it would be the optimal strategy.
>
> Warren Parad
>
> Founder, CTO
>
> Secure your user data with IAM authorization as a service. Implement 
> Authress <https://authress.io/>.
>
>
> On Wed, Mar 2, 2022 at 4:58 PM Nikos Fotiou <fotiou@aueb.gr> wrote:
>
>     Hi all,
>
>     I am working on a use case where the Authorization Server and the
>     Resource Server are the same entity. I would like to prevent
>     clients from sharing their access tokens. I am wondering if
>     requiring clients to include the "client secret" in the resource
>     access request (in addition to the access token) is a valid
>     strategy. This way clients would have to share their "client
>     secret" in addition to the access token. Would that work?
>
>     Best,
>     Nikos
>     --
>     Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
>     Researcher - Mobile Multimedia Laboratory
>     Athens University of Economics and Business
>     https://mm.aueb.gr
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Jim Manico
Manicode Security
https://www.manicode.com

--------------r22as8tzyLHc0UOrSwTXnYuZ--
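The strategy Nikos describes (AS and RS as one entity, client secret presented alongside the access token), written out as an added Python example that is not code from the thread or any project. It shows the part that actually prevents token sharing: the RS must not only authenticate the caller, it must check that the token was issued to that same client. Client ids, secrets and the in-memory registry are constructed for illustration.

```python
"""Added example (not from the thread): a combined AS/RS that binds each
access token to the client it was issued to and requires client
authentication (client_id + client_secret) on every resource request.
All client ids, secrets and tokens below are constructed."""
import hashlib
import hmac
import secrets
import time


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Client secrets are stored as salted hashes, never in the clear.
    return hashlib.sha256(salt + secret.encode()).digest()


class CombinedServer:
    """Authorization server and resource server in one process."""

    def __init__(self):
        self._clients = {}  # client_id -> (salt, secret_hash)
        self._tokens = {}   # opaque token -> {"client_id", "scope", "exp"}

    def register_client(self, client_id: str, client_secret: str) -> None:
        salt = secrets.token_bytes(16)
        self._clients[client_id] = (salt, _hash_secret(client_secret, salt))

    def _authenticate_client(self, client_id: str, client_secret: str) -> bool:
        entry = self._clients.get(client_id)
        if entry is None:
            # Hash anyway so unknown and known ids take comparable time.
            _hash_secret(client_secret, b"\0" * 16)
            return False
        salt, expected = entry
        return hmac.compare_digest(_hash_secret(client_secret, salt), expected)

    def token_endpoint(self, client_id, client_secret, scope, ttl=300):
        """Client credentials grant: issue an opaque token bound to client_id."""
        if not self._authenticate_client(client_id, client_secret):
            raise PermissionError("invalid_client")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"client_id": client_id, "scope": scope,
                               "exp": time.time() + ttl}
        return token

    def resource_endpoint(self, token, client_id, client_secret, now=None):
        """Return (scope, status). Access is granted only if
        (a) the caller authenticates as client_id,
        (b) the token is known and unexpired, and
        (c) the token was issued to that same client.
        Step (c) is the binding check; without it the caller has only
        proven it holds *some* valid client secret."""
        now = time.time() if now is None else now
        if not self._authenticate_client(client_id, client_secret):
            return None, "invalid_client"
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] <= now:
            return None, "invalid_token"
        if not hmac.compare_digest(rec["client_id"], client_id):
            return None, "token_not_bound_to_client"
        return rec["scope"], "ok"


def demo():
    """Constructed scenario: app-a's token presented by app-a, by app-b
    (a 'shared' token with app-b's own valid secret), and with a wrong secret."""
    srv = CombinedServer()
    srv.register_client("app-a", "secret-a-constructed")
    srv.register_client("app-b", "secret-b-constructed")
    tok = srv.token_endpoint("app-a", "secret-a-constructed", "read")
    own = srv.resource_endpoint(tok, "app-a", "secret-a-constructed")
    shared = srv.resource_endpoint(tok, "app-b", "secret-b-constructed")
    bad_secret = srv.resource_endpoint(tok, "app-a", "wrong-secret")
    return own, shared, bad_secret


if __name__ == "__main__":
    print(demo())
```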


From nobody Wed Mar  2 08:23:46 2022
Return-Path: <joseph@authlete.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 096F53A0BC9 for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 08:23:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level: 
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=authlete-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KxUU5k5O0kIL for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 08:23:39 -0800 (PST)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED3413A077A for <oauth@ietf.org>; Wed,  2 Mar 2022 08:23:38 -0800 (PST)
Received: by mail-wr1-x42d.google.com with SMTP id bk29so3631140wrb.4 for <oauth@ietf.org>; Wed, 02 Mar 2022 08:23:38 -0800 (PST)
X-Received: by 2002:a5d:4528:0:b0:1ee:ea7f:b97d with SMTP id j8-20020a5d4528000000b001eeea7fb97dmr22224588wra.593.1646238216457;  Wed, 02 Mar 2022 08:23:36 -0800 (PST)
Received: from smtpclient.apple (static-90-250-10-57.vodafonexdsl.co.uk. [90.250.10.57]) by smtp.gmail.com with ESMTPSA id v5-20020adfe4c5000000b001edc1e5053esm16797554wrm.82.2022.03.02.08.23.35 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 02 Mar 2022 08:23:36 -0800 (PST)
From: Joseph Heenan <joseph@authlete.com>
Message-Id: <7F0B98D8-8C34-4EC4-A89E-4EA480D9AEE6@authlete.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C490B0ED-94ED-41BE-9413-DF522BA07CEC"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
Date: Wed, 2 Mar 2022 16:23:35 +0000
In-Reply-To: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de>
Cc: oauth <oauth@ietf.org>
To: Daniel Fett <fett@danielfett.de>
References: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/25iG9HOKehLrJ2bIdg7-rpgGP38>
Subject: Re: [OAUTH-WG] OAuth: The frustrating lack of good libraries
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2022 16:23:44 -0000

--Apple-Mail=_C490B0ED-94ED-41BE-9413-DF522BA07CEC
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

Hi Daniel

I do think it’s a problem that’s worth addressing somehow.

I think there’s another factor, which is that the providers of OAuth2
Authorization Servers (where they don’t have their own SDKs specific to
their server) tend to lead the developer through how to do a “from
scratch” implementation of OAuth2 and rarely if ever mention any
libraries. (So a chicken and egg problem, because as you note there are
languages without obvious good libraries to point people at.)

There’s even a set of documentation I’ve seen that links to an online
PKCE generator and appears to imply that the developer should just
generate the values once and hardcode them into every request…

I agree that pushing AS metadata will help matters. One of the
downsides of maintaining OAuth2 libraries is dealing with constant “bug”
reports when the library appears to a naive developer not to work
correctly with a particular provider.

I’ve found https://jwt.io/libraries <https://jwt.io/libraries> a very
useful reference for JWT libraries; anything of a similar nature for
OAuth libraries sounds good to me.

Joseph



> On 1 Mar 2022, at 17:18, Daniel Fett <fett@danielfett.de> wrote:
> 
>  Hi all,
> 
> While helping clients to onboard into the yes ecosystem, in my
> consulting work, and in discussions with developers implementing OAuth
> 2.0, one topic comes up increasingly often: The (somewhat frustrating)
> lack of good, modern, and universal OAuth libraries.
> 
> Many of the libraries out there have one or more of the following
> drawbacks:
> 
>  * They are not maintained any longer
>  * They are not well documented (e.g., it is often unclear which
>    specifications are supported)
>  * They support only a subset of the OAuth 2.0 specification
>  * They work only with selected providers (e.g., Google, Facebook,
>    etc.)
>  * It is unclear whether they follow recent security recommendations
>  * They do not support modern features, such as PKCE, AS Metadata,
>    MTLS, etc.
> 
> Exceptions exist, of course, like Filip's Node.js implementation and
> the nimbus library for Java. But apart from those rare cases, when a
> developer asks me what library to use, my answer is often: "I don't
> think there's a good one in your language". It is a telltale sign that
> many providers of OAuth protected APIs also provide a custom OAuth
> implementation in their SDKs, which they then often have to maintain
> for a number of languages. This creates unnecessary costs and friction,
> e.g., when introducing new security features.
> 
> At the same time, practically every language/framework comes with a
> TLS stack and making HTTPS requests is often just a few lines of code.
> Why aren't we there yet with OAuth? I'm well aware that OAuth 2.0 is a
> framework, not a single protocol like TLS, but the mentioned libraries
> show that this does not preclude comprehensive library support.
> 
> If I had to speculate about the reasons for this mess, I'd say that
> there are three:
> 
>  * The core of OAuth is easy to implement. The need to create or use a
>    library might not be obvious to developers. Of course, if you want
>    a proper implementation with correct error handling, observing all
>    the security recommendations, etc., the effort is huge. But just
>    getting OAuth to work for one specific use case is relatively easy.
> 
>  * OAuth is traditionally hard to configure: authorization and token
>    endpoint URLs, client id and secret, supported scopes (and claims
>    for OIDC), supported response types and modes, and required
>    security features are just some of the things a developer has to
>    figure out - often from the API's documentation - to get everything
>    up and running. Even though configuration is not the same as
>    implementation, I imagine that this complexity can lead to the
>    perception that there are barely any commonalities between
>    different OAuth flows. There might be no value, after all, in an
>    OAuth library, if I have to provide so many details myself.
> 
>  * With many extensions and specifications to choose from, it can be
>    hard to select a reasonable subset to support.
> 
> What can we do about this?
> 
> I'm not sure, but I have a few ideas.
> 
>  * Of course, one step would be to increase visibility and
>    documentation for existing implementations: Beyond listing
>    libraries (like the list on oauth.net), it would be great to have a
>    place to go to find libraries based on their feature support. I'm
>    sure there are more good libraries out there.
>  * The OpenID Foundation has a great set of conformance tests for
>    OIDC, FAPI and other stuff. Creating conformance tests for OAuth
>    would be harder, given that the framework leaves many options for
>    implementers to choose from. I’m not sure if running a conformance
>    programme would be in the scope of IETF, but it can be worthwhile
>    to think about if we could support such an endeavor.
>  * The single most important thing to do would, in my opinion, be to
>    set a goal: Tell library developers and language maintainers what
>    can be expected from a good, modern, and universal OAuth library.
>    Such a recommendation would shine a light on the most important
>    extensions for OAuth like PKCE and might even be a prerequisite for
>    conformance tests. It may turn out to be OAuth 2.1 or something
>    else. For me, this would in any case include AS Metadata, as that
>    is the single most valuable building block we have to address
>    configuration complexity.
> 
> I would be interested to hear what others think about this. Is this a
> problem worth addressing? Are there other solutions? Is this out of
> scope of our work here?
> 
> -Daniel
> 
> -- 
> https://danielfett.de <https://danielfett.de/>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

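Joseph's remark about documentation that hardcodes PKCE values, as an added Python example that is not code from the thread or any project: a fresh code_verifier/code_challenge pair (RFC 7636, S256) is generated for every authorization request, and the authorization-server side check only accepts the verifier that belongs to that request's own challenge and consumes the code once. The pending-request store and ids are constructed for illustration.

```python
"""Added example (not from the thread): per-request PKCE values and the
S256 check an authorization server performs at the token endpoint.
The AuthorizationServer class and its stores are constructed."""
import base64
import hashlib
import secrets


def _b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_pkce_pair():
    """Generate a fresh code_verifier (43 unreserved characters from 32
    random bytes) and its S256 code_challenge. Call once per
    authorization request; never reuse or hardcode the result."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


class AuthorizationServer:
    """Minimal constructed AS keeping the challenge per issued code."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Only S256 is accepted; "plain" offers no protection.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """True only if the verifier matches the challenge stored for this
        code. The code is consumed on first use, whatever the outcome."""
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return False
        expected = _b64url(hashlib.sha256(code_verifier.encode()).digest())
        return secrets.compare_digest(expected, challenge)


def demo():
    """Two independent authorization requests from the same client."""
    srv = AuthorizationServer()
    v1, c1 = new_pkce_pair()
    v2, c2 = new_pkce_pair()
    code1 = srv.authorize(c1)
    code2 = srv.authorize(c2)
    return {
        "fresh_values_differ": v1 != v2 and c1 != c2,
        "own_verifier_accepted": srv.token(code1, v1),
        "cross_request_rejected": srv.token(code2, v1),
        "code_single_use": srv.token(code1, v1),
    }


if __name__ == "__main__":
    print(demo())
```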

--Apple-Mail=_C490B0ED-94ED-41BE-9413-DF522BA07CEC
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D"">Hi =
Daniel<div class=3D""><br class=3D""></div><div class=3D"">I do think =
it=E2=80=99s a problem that=E2=80=99s worth addressing =
somehow.</div><div class=3D""><br class=3D""></div><div class=3D"">I =
think there=E2=80=99s another factor, which is that the providers of =
OAuth2 Authorization Servers (where they don=E2=80=99t have their own =
SDKs specific to their server) tend to lead the developer through how to =
do a =E2=80=9Cfrom scratch=E2=80=9D implementation of OAuth2 and rarely =
if ever mention any libraries. (So a chicken and egg problem, because as =
you note there are languages without obvious good libraries to point =
people at.)</div><div class=3D""><br class=3D""></div><div =
class=3D"">There=E2=80=99s even a set of documentation I=E2=80=99ve seen =
that links to an online PKCE generator and appears to imply that the =
developer should just generate the values once and hardcode them into =
every request=E2=80=A6</div><div class=3D""><br class=3D""></div><div =
class=3D"">I agree that pushing AS metadata will help matters. One of =
the downsides of maintaining OAuth2 libraries is dealing with constant =
=E2=80=9Cbug=E2=80=9D reports when the library appears to a naive =
developer not to work correctly with a particular provider.<br =
class=3D""><div><br class=3D""></div><div>I=E2=80=99ve found&nbsp;<a =
href=3D"https://jwt.io/libraries" =
class=3D"">https://jwt.io/libraries</a>&nbsp;a&nbsp;very useful =
reference for JWT libraries; anything of a similar nature for OAuth =
libraries sounds good to me.</div><div><br =
class=3D""></div><div>Joseph</div><div><br class=3D""></div><div><br =
class=3D""></div><div><br class=3D""><blockquote type=3D"cite" =
class=3D""><div class=3D"">On 1 Mar 2022, at 17:18, Daniel Fett &lt;<a =
href=3D"mailto:fett@danielfett.de" class=3D"">fett@danielfett.de</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><div class=3D"">
 =20

    <meta http-equiv=3D"content-type" content=3D"text/html; =
charset=3DUTF-8" class=3D"">
 =20
  <div class=3D""><p class=3D""><b style=3D"font-weight:normal;" =
id=3D"docs-internal-guid-60602e1c-7fff-f446-6469-8a697b8e8f47" class=3D"">=

        </b></p><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><b style=3D"font-weight:normal;" =
id=3D"docs-internal-guid-60602e1c-7fff-f446-6469-8a697b8e8f47" =
class=3D""><span style=3D"font-size: 11pt; font-family: Arial; =
background-color: transparent; font-weight: 400; font-style: normal; =
font-variant-ligatures: normal; font-variant-caps: normal; =
font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">Hi all,</span></b></div><b style=3D"font-weight:normal;" =
id=3D"docs-internal-guid-60602e1c-7fff-f446-6469-8a697b8e8f47" class=3D"">=

        <br class=3D""><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">While helping clients to onboard into the yes ecosystem, in =
my consulting work, and in discussions with developers implementing =
OAuth 2.0, one topic comes up increasingly often: The (somewhat =
frustrating) lack of good, modern, and universal OAuth =
libraries.&nbsp;</span></div>
        <br class=3D""><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">Many of the libraries out there have one or more of the =
following drawbacks:</span></div>
        <br class=3D""><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">&nbsp;* They are not maintained any longer</span></div><div =
style=3D"line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" =
class=3D""><span style=3D"font-size: 11pt; font-family: Arial; =
background-color: transparent; font-weight: 400; font-style: normal; =
font-variant-ligatures: normal; font-variant-caps: normal; =
font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">&nbsp;* They are not well documented (e.g., it is often =
unclear which specifications are supported)</span></div><div =
style=3D"line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" =
class=3D""><span style=3D"font-size: 11pt; font-family: Arial; =
background-color: transparent; font-weight: 400; font-style: normal; =
font-variant-ligatures: normal; font-variant-caps: normal; =
font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">&nbsp;* They support only a subset of the OAuth 2.0 =
specification</span></div><div style=3D"line-height: 1.38; margin-top: =
0pt; margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">&nbsp;* They work only with selected providers (e.g., Google, =
Facebook, etc.)</span></div><div style=3D"line-height: 1.38; margin-top: =
0pt; margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">&nbsp;* It is unclear whether they follow recent security =
recommendations</span></div><div style=3D"line-height: 1.38; margin-top: =
0pt; margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">&nbsp;* They do not support modern features, such as PKCE, AS =
Metadata, MTLS, etc.</span></div>
        <br class=3D""><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">Exceptions exist, of course, like Filip's Node.js =
implementation and the nimbus library for Java. But apart from those =
rare cases, when a developer asks me what library to use, my answer is =
often: "I don't think there's a good one in your language". It is a =
telltale sign that many providers of OAuth protected APIs also provide a =
custom OAuth implementation in their SDKs, which they then often have to =
maintain for a number of languages. This creates unnecessary costs and =
friction, e.g., when introducing new security features.</span></div>
        <br class=3D""><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">At the same time, practically every language/framework comes =
with a TLS stack and making HTTPS requests is often just a few lines of =
code. Why aren't we there yet with OAuth? I'm well aware that OAuth 2.0 =
is a framework, not a single protocol like TLS, but the mentioned =
libraries show that this does not preclude comprehensive library =
support.</span></div>
        <br class=3D""><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">If I had to speculate about the reasons for this mess, I'd =
say that there are three:</span></div>
        <br class=3D""><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">&nbsp;* The core of OAuth is easy to implement. The need to =
create or use a library might not be obvious to developers. Of course, =
if you want a proper implementation with correct error handling, =
observing all the security recommendations, etc., the effort is huge. =
But just getting OAuth to work for one specific use case is relatively =
easy.</span></div>
        <br class=3D""><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">&nbsp;* OAuth is traditionally hard to configure: =
authorization and token endpoint URLs, client id and secret, supported =
scopes (and claims for OIDC), supported response types and modes, and =
required security features are just some of the things a developer has =
to figure out - often from the API's documentation - to get everything =
up and running. Even though configuration is not the same as =
implementation, I imagine that this complexity can lead to the =
perception that there are barely any commonalities between different =
OAuth flows. There might be no value, after all, in an OAuth library, if =
I have to provide so many details myself.</span></div>
        <br class=3D""><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">&nbsp;* With many extensions and specifications to choose =
from, it can be hard to select a reasonable subset to =
support.&nbsp;</span></div>
        <br class=3D""><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">What can we do about this?</span></div>
        <br class=3D""><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">I'm not sure, but I have a few ideas.</span></div>
        <br class=3D""><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">&nbsp;* Of course, one step would be to increase visibility =
and documentation for existing implementations: Beyond listing libraries =
(like the list on <a href=3D"http://oauth.net" class=3D"">oauth.net</a>), =
it would be great to have a place to go to to find libraries based on =
their feature support. I'm sure there are more good libraries out =
there.</span></div><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">&nbsp;* The OpenID Foundation has a great set of conformance =
tests for OIDC, FAPI and other stuff. Creating conformance tests for =
OAuth would be harder, given that the framework leaves many options for =
implementers to choose from. I=E2=80=99m not sure if running a =
conformance programme would be in the scope of IETF, but it can be =
worthwhile to think about if we could support such an =
endeavor.</span></div><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">&nbsp;* The single most important thing to do would, in my =
opinion, be to set a goal: Tell library developers and language =
maintainers what can be expected from a good, modern, and universal =
OAuth library. Such a recommendation would shine a light on the most =
important extensions for OAuth like PKCE and might even be a =
prerequisite for conformance tests. It may turn out to be OAuth 2.1 or =
something else. For me, this would in any case include AS Metadata, as =
that is the single most valuable building block we have to address =
configuration complexity.&nbsp;</span></div>
        <br class=3D""><div style=3D"line-height: 1.38; margin-top: 0pt; =
margin-bottom: 0pt;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Arial; background-color: transparent; font-weight: 400; =
font-style: normal; font-variant-ligatures: normal; font-variant-caps: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;" =
class=3D"">I would be interested to hear what others think about this. =
Is this a problem worth addressing? Are there other solutions? Is this =
out of scope of our work here?&nbsp;</span></div>
        <br class=3D"">
        -Daniel<br class=3D"">
      </b><div class=3D""><br class=3D"webkit-block-placeholder"></div>
    <pre class=3D"moz-signature" cols=3D"72">--=20
<a class=3D"moz-txt-link-freetext" =
href=3D"https://danielfett.de/">https://danielfett.de</a></pre>
  </div>

_______________________________________________<br class=3D"">OAuth =
mailing list<br class=3D""><a href=3D"mailto:OAuth@ietf.org" =
class=3D"">OAuth@ietf.org</a><br =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth<br =
class=3D""></div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_C490B0ED-94ED-41BE-9413-DF522BA07CEC--
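
What Daniel describes in the message quoted above, configuration that has to be copied by hand from API documentation and AS Metadata as the building block that removes most of it, can be shown concretely. The Go program below is an added example written for this page; it is not code from the thread nor from any of the libraries mentioned in it. It reads an RFC 8414 metadata document, performs the checks a good library should perform on the developer's behalf (issuer match, https endpoints, PKCE S256 offered, requested scopes advertised), and builds a PKCE-protected authorization request from it. The metadata document, the issuer https://as.example, the client_id my-client and the redirect URI https://client.example/cb are constructed for the example; a real client fetches the document from the issuer's /.well-known/oauth-authorization-server path over TLS and caches it. The code exchange at the token endpoint is not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Metadata holds the RFC 8414 members a client needs; other members are ignored here.
type Metadata struct {
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	ScopesSupported       []string `json:"scopes_supported"`
	CodeChallengeMethods  []string `json:"code_challenge_methods_supported"`
}

// sampleMetadata is a constructed stand-in for GET https://as.example/.well-known/oauth-authorization-server.
const sampleMetadata = `{
  "issuer": "https://as.example",
  "authorization_endpoint": "https://as.example/authorize",
  "token_endpoint": "https://as.example/token",
  "scopes_supported": ["openid", "accounts"],
  "code_challenge_methods_supported": ["S256", "plain"]
}`

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// LoadMetadata parses a document fetched for expectedIssuer and applies checks a library
// should not leave to the application: issuer must equal the value the well-known URL was
// built from (RFC 8414 section 3.3), endpoints must be https, and S256 must be offered.
func LoadMetadata(doc []byte, expectedIssuer string) (*Metadata, error) {
	var m Metadata
	if err := json.Unmarshal(doc, &m); err != nil {
		return nil, err
	}
	if m.Issuer != expectedIssuer {
		return nil, fmt.Errorf("issuer %q does not match expected %q", m.Issuer, expectedIssuer)
	}
	if !strings.HasPrefix(m.AuthorizationEndpoint, "https://") || !strings.HasPrefix(m.TokenEndpoint, "https://") {
		return nil, fmt.Errorf("metadata advertises a non-https endpoint")
	}
	if !contains(m.CodeChallengeMethods, "S256") { // never silently fall back to "plain"
		return nil, fmt.Errorf("PKCE S256 not supported by %s", m.Issuer)
	}
	return &m, nil
}

// PKCEChallenge derives the S256 code_challenge from a code_verifier (RFC 7636 section 4.2).
func PKCEChallenge(verifier string) string {
	h := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

func randomToken() string { // 256 random bits, base64url: usable as code_verifier and as state
	b := make([]byte, 32)
	rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b)
}

// AuthorizationURL builds the front-channel request from metadata plus the client-specific
// values. The returned verifier and state must be kept until the redirect comes back.
func AuthorizationURL(m *Metadata, clientID, redirectURI string, scopes []string) (authURL, verifier, state string, err error) {
	for _, s := range scopes { // scopes_supported is optional; only enforce it when advertised
		if len(m.ScopesSupported) > 0 && !contains(m.ScopesSupported, s) {
			return "", "", "", fmt.Errorf("scope %q not advertised by %s", s, m.Issuer)
		}
	}
	verifier, state = randomToken(), randomToken()
	q := url.Values{
		"response_type":         {"code"},
		"client_id":             {clientID},
		"redirect_uri":          {redirectURI},
		"scope":                 {strings.Join(scopes, " ")},
		"state":                 {state},
		"code_challenge":        {PKCEChallenge(verifier)},
		"code_challenge_method": {"S256"},
	}
	return m.AuthorizationEndpoint + "?" + q.Encode(), verifier, state, nil
}

func main() {
	m, err := LoadMetadata([]byte(sampleMetadata), "https://as.example")
	if err != nil {
		panic(err)
	}
	fmt.Println(AuthorizationURL(m, "my-client", "https://client.example/cb", []string{"accounts"}))
}
```

The issuer comparison is the check most often skipped: a client that accepts a metadata document whose issuer member differs from the issuer it was configured for can be pointed at attacker-chosen authorization and token endpoints, so the document must be tied back to the issuer identifier the well-known URL was built from. Refusing an AS that offers only the plain PKCE method is deliberate as well; a library that downgrades silently hides exactly the kind of security property Daniel wants made visible.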


From nobody Wed Mar  2 08:44:53 2022
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBD1E3A0A70 for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 08:44:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GLQlBkeUzp5D for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 08:44:47 -0800 (PST)
Received: from sonic314-20.consmr.mail.ne1.yahoo.com (sonic314-20.consmr.mail.ne1.yahoo.com [66.163.189.146]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B4693A0BD6 for <oauth@ietf.org>; Wed,  2 Mar 2022 08:44:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1646239486; bh=HgCISOymuWygpBvmqe6LaCE2ejMVXedBAmpV2gddskc=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From:Subject:Reply-To; b=JEIgDJNEX8qNKGubc9rLpXhabSHVmNVbXGOrPn4kgcmPYdnNeDiuKvMD4UjVDxlQomxuRfYH1gbUgxKRnLEutJi1QrvmApSOtJWHM2U+006bCyoz75WZg5rjEAARGe48ZURUkltFmWdwS/Qsy6KDNAxBgsaPaJ3FDdNrEYwieLXHaEEunocmn4sTh++fX8dmrxcBxlW3+DfalgWtvKw6LAiLYW5KwloP7g86PMN386DYyVXdAKa/BXwx4YubupFkWfDXabf8gThfvBtxVQbiAsFoOlF8f3SxFgIWG5U0/IYHVpFhTOWGbyrGHbwr/aChksFyqwk0mRigNdJn3v/NVQ==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;  t=1646239486; bh=xYp6reRQSQegAEHRQbpZu0HPuk/iGTNG5XfL5ixt6cu=;  h=X-Sonic-MF:Date:Subject:To:From:From:Subject; b=INiT8XWF+GwBI9NVnuqvMJ40/yyzhX8jDf5U8EH5tORQvlm1464Dqw5EWaHnTkAAU+O7JbtAnT0inNDiBxjJ7ssBCNtgUyuTUGNCbAchzeRyL4M/QLRkCA9mGUkt3gmEKWT2vmaPu2tSnFanRwgyJjJNk3IA/imDpeZQyfTUqJQ/Aabyr19eG6r4h15b1ReMM2OtqGAvzzwGvCcHR0txlPv3UZX/Q8fhbE4idCDH+pwETqWVycx8m3OTxrafMet7C6QKdQyfMvSvlFe+SWaz9w5oEvjryrACl5sPW7VKDj4OGhOrO3syKQ4QYwflNk/LpNnF6srR3ADo/FOkJMxObw==
X-YMail-OSG: yP0tq0sVM1nKun7AG.bmtLogo0v8DLz2Uq3oCIbFC1bYx7jXcF0LlbusH32DvfM 9J0IpjGBYbEzwNmlNpCwmp0pRDv5idCv4l.A2B5fuNDLbd9pm_Lip_6s8EZn7RNRDKhD64p.MsDc oQ8oqj4FhRIiKUYEYmtGghmd4g.geRRXbl837SViQCmnCk3UZtR6ewox3kLSvx9mp_5BATiFnqTT ijQXvxY4neV96b_qWvKFS1l3qljT32qK5h3IfDvE1GA21KOoSZlcslIb8LPIkd8RWftWiOYS0Jg7 dS7UgEHNpl0njhr6uErk3lyu0u4vvBVd2YYjr.yoFp4nOIQ486rdtfaL5drdPfGF71vSQeEizESl FMxckX_4yfmnEn5qsHf2fxoGLsbPTFvbhNMn9bTjwr7DFdep0VZ4FPsq0M0U3874WK.ajFpQBK1i Lvsuxz7jFP0GkNi3GjRv4_n7SBgmLz7I8FPzFWEiwkuSYILUhqicOlIBHF2g54m3.0lP58uaLrWL 5197.A4LhgFFChi9tQOQCdp2G.FmM_aFmyBY64nlLPqWubAfBlcaWxqEA804UB2Jipvh8olU5YTf ZINbhIe2elAWO5.qw.O6RHPieP8f7cYG_f26A8GHpdYDozzZDrUe_bhcGRM6xwLJ0sjnMlrRIun4 8v5ofYpRE77yDAK9pSbZ2NA5RxYJb1omEW7BhtydH5dlkqenVs2NFJyThpqwNuUUTavPjIWKzd1s oJIsHTioWSPTH1mJFW.08v6GlFJLScwpoe9RcgiiCROoZeXuqUP6XPD263AnwoD9CtFziTRad0cZ M44BK0nOgAhGlB3FUJbtaO71lE5kP39gQTUiGHOED2iGDvYFaJp.waJsXDF2iXHeZsu0YnqSiCC7 X1036__RTZay6J3ZgbAdSLvCfcOjE551v091JXawkaADQRtx.N_5uVHpnzcL4MN9Gv.jdS_4cQEt NqR8Eu415HJBfamzf4zo7.oCFo_eu2aNyBsLbeUU.AZNX4d5T0qrMFcEnMmPNI8_YAzHBnFd4oih GnnyS5L51ZrczCvhK.4bNzvpSWfT.uspTLk8o_O0GCxzxHN5WMAdmC0oUdlv0Wy1g8CfkVEdOaIl xZyLwXCogUv4fB7HI21Er99yalVP2e0vztv4Mav2gD0ZsyYzohdX.FFew2pKS8XIJrRheTJO_URt 1yxJQR2MkuoulU3B2ZBmQlei4OaVsX8C3aIjMAsCfX_NgkZI9.KGvcVqA3ph3QySNMLsDnwvWc3t 9AONlaqk9pvrPgOrsYPb2zVGv5BzwgqyEDL7AEkuKNChOPCGALQy9DwregLfS2H1YSBCVCr4HvVD az2BCMxBbaqZVBo6ERVx5D4F2x97V44kLzIikVIaBRce3brEKIwZ64.oPj86jEwYv5x7.vLBKEhj ma8MHj2rXCVw.yqKFXLfXiVDcD7cYDlsGYV.gBAe6_9AZcdk_Fisw5lbcz8Em4BZWQ4AOYyw59wK b7_Ni14Qz_.7RLIcFbJX5LZZgCtGyGOLzfhAWUIQSEhe_rNQmfMWg0RNwy0_45pX3GmZL6srwgMD I081bMLzlvl5XPG88aJBzk.C6.ES4xOdgKKH3n2u2d5WItXIfUmCAdOrbosozDDAPkIf028IMxZ8 7Yfomh6pTVUfJpct10JZ1Zszr1MTgf9IDycuJaKiRMvb4AHciEKx_cpsk.SrzmQRWrKpt0rluq0a 4W23Mg5J2bL4f_0EnZEyAlfY99neB3v3gU.PUlWh9pypRQGRdEe0WWhHFmAoh.siiJairvEuzzG3 JqYo2gr6xK.NSwZaZlFFc1d38NqJtSMxSIhqH.aRy9R7Z88OHtCWcnZeoT4.IpTyqndkyXB3oelA 
A_ScTHRN2rX5t5hLF5BGpjIMHPEFRdd5FM.iZ9Y6pq_QalKYb_y50F90xuX9u8OceQGsUkwQ3vUE Iudb_ahI.Nvbx3bFID95sgiLd0cOxlfQ6Eobx9GdG5spnwwRfq48RDtWc5jdhpDENX_nrCgqemNR iwvRHfjPUTb0o914QKAO0SxYKCVoy.BQufk3ryQByi3eQQ8EZLhv0I.45ZxhRte07TVM0Xy0Qxqa Fgd92cKG.O5tj8P2EZol0Kt2UuK6iclzkEhoDY9Z0J7db5lNvt7dQeh4.NzDeBKI_8W4GNXY4DPG y.ESnMn.Pw8golpn9kQp7Ja_IRanrdTAXr30ATWqn.8xuWs5RuiP_wwAGB8CfpjS9IKbZfNEMjS5 w8Y1DVyf9glwZJUfvGzs-
X-Sonic-MF: <gffletch@aol.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic314.consmr.mail.ne1.yahoo.com with HTTP; Wed, 2 Mar 2022 16:44:46 +0000
Received: by kubenode516.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 375fc1e5066c9a47547b5781cc280735;  Wed, 02 Mar 2022 16:44:42 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------JcJ4gUgVnwt3styyXwPDRaGS"
Message-ID: <59edc57e-c647-a58e-1f75-a30441c2baed@aol.com>
Date: Wed, 2 Mar 2022 11:44:39 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.6.0
Content-Language: en-US
To: Jim Manico <jim@manicode.com>, Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>, Nikos Fotiou <fotiou@aueb.gr>
Cc: oauth <oauth@ietf.org>
References: <4DBCAEEA-08E0-4E93-AFEC-D990C8729E81@aueb.gr> <CAJot-L3VTjkUKzTiivEuktpe7aG=WkYt9cQxX0AvYpoLp5BAMA@mail.gmail.com> <8bd92dec-6287-4f63-aebb-3c39427b7cb7@manicode.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
In-Reply-To: <8bd92dec-6287-4f63-aebb-3c39427b7cb7@manicode.com>
X-Mailer: WebService/1.1.19724 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BT28d__5KRjvAcpuu6GuXu7Xm6I>
Subject: Re: [OAUTH-WG] proof of access token possession using client secret
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2022 16:44:52 -0000

This is a multi-part message in MIME format.
--------------JcJ4gUgVnwt3styyXwPDRaGS
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

You could require client authentication via the allowed OAuth mechanisms 
on all resource requests. I think there is some danger in sending the 
client_secret across the wire on all requests even if the endpoints are 
all part of the same service. I'd recommend looking at DPoP [1].

Thanks,
George

[1] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-06

On 3/2/22 11:22 AM, Jim Manico wrote:
>
> > I would like to prevent clients from sharing their access tokens. I 
> am wondering if requiring clients to include the "client secret" in 
> the resource access request (in addition to the access token) is a 
> valid strategy.
>
> Sender-constrained access tokens are suggested in the current security 
> best practice guide here. 
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.2
>
> So yes!
>
> - Jim Manico
>
> On 3/2/22 8:18 AM, Warren Parad wrote:
>> Is there a reason you wouldn't want to use the access token to access 
>> these resources? That seems like it would be the optimal strategy.
>>
>> 	
>>
>> Warren Parad
>>
>> Founder, CTO
>>
>> Secure your user data with IAM authorization as a service. Implement 
>> Authress <https://authress.io/>.
>>
>>
>> On Wed, Mar 2, 2022 at 4:58 PM Nikos Fotiou <fotiou@aueb.gr> wrote:
>>
>>     Hi all,
>>
>>     I am working on a use case where the Authorization Server and the
>>     Resource Server are the same entity. I would like to prevent
>>     clients from sharing their access tokens. I am wondering if
>>     requiring clients to include the "client secret" in the resource
>>     access request (in addition to the access token) is a valid
>>     strategy. This way clients would have to share their "client
>>     secret" in addition to the access token. Would that work?
>>
>>     Best,
>>     Nikos
>>     --
>>     Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
>>     Researcher - Mobile Multimedia Laboratory
>>     Athens University of Economics and Business
>>     https://mm.aueb.gr
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org
>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> -- 
> Jim Manico
> Manicode Security
> https://www.manicode.com
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
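
Nikos asks whether adding the client_secret to every resource request stops clients from sharing access tokens, and George's answer is to bind the token to a key the client proves possession of (DPoP) instead. The Go program below is an added example written for this page, not code from the thread or from the DPoP draft. One process acts as AS and RS, as in Nikos's setup; it issues an opaque token bound to the thumbprint of the client's key and serves a resource request only when the accompanying DPoP proof is valid. Assumptions: EdDSA (Ed25519) as the JWS algorithm where the draft's examples use ES256, a 60-second acceptance window for the iat claim, the resource URL https://rs.example/resource, and the client key being passed to IssueToken directly rather than taken from a proof at the token endpoint. The DPoP nonce mechanism is not implemented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE base64url without padding

// jwk is the public key carried in the proof header, in RFC 8037 OKP form.
type jwk struct {
	Crv string `json:"crv"`
	Kty string `json:"kty"`
	X   string `json:"x"`
}

func toJWK(pub ed25519.PublicKey) jwk { return jwk{Crv: "Ed25519", Kty: "OKP", X: b64.EncodeToString(pub)} }

// jkt is the RFC 7638 thumbprint (SHA-256 of the canonical JWK), the value a token is bound to.
func jkt(k jwk) string {
	h := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"%s","kty":"%s","x":"%s"}`, k.Crv, k.Kty, k.X)))
	return b64.EncodeToString(h[:])
}

func dec(s string) []byte { // lenient base64url decode; bad input yields nil and fails later checks
	b, _ := b64.DecodeString(s)
	return b
}

// Server is AS and RS in one process, as in the use case asked about; tokens are opaque.
type Server struct {
	bound map[string]string // access token -> jkt of the key it was issued to
	seen  map[string]bool   // jti values of proofs already accepted (replay cache)
}

// IssueToken stands in for the token endpoint; a real AS takes the key from the proof sent there.
func (s *Server) IssueToken(clientKey jwk) string {
	raw := make([]byte, 32)
	rand.Read(raw)
	tok := b64.EncodeToString(raw)
	s.bound[tok] = jkt(clientKey)
	return tok
}

// MakeProof is the client side: a JWS (typ dpop+jwt, public key in the header) over htm/htu, a fresh jti/iat and ath = SHA-256(token).
func MakeProof(priv ed25519.PrivateKey, method, url, token string) string {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "EdDSA", "jwk": toJWK(priv.Public().(ed25519.PublicKey))})
	jti := make([]byte, 16)
	rand.Read(jti)
	ath := sha256.Sum256([]byte(token))
	pl, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": method, "htu": url,
		"iat": time.Now().Unix(), "ath": b64.EncodeToString(ath[:])})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// VerifyRequest is the RS side: the proof must verify under the key the token is bound to, for this exact request, once.
func (s *Server) VerifyRequest(method, url, token, proof string) error {
	var p struct { // header and claims of the proof, filled by two Unmarshal calls
		Typ, Alg, Jti, Htm, Htu, Ath string
		Jwk                          jwk
		Iat                          int64
	}
	parts := strings.Split(proof, ".")
	if len(parts) != 3 || json.Unmarshal(dec(parts[0]), &p) != nil || json.Unmarshal(dec(parts[1]), &p) != nil ||
		p.Typ != "dpop+jwt" || p.Alg != "EdDSA" || p.Jwk.Kty != "OKP" || p.Jwk.Crv != "Ed25519" {
		return fmt.Errorf("proof is not a well-formed EdDSA dpop+jwt")
	}
	pub, sig := dec(p.Jwk.X), dec(parts[2])
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return fmt.Errorf("proof signature does not verify under the embedded key")
	}
	if age := time.Now().Unix() - p.Iat; p.Htm != method || p.Htu != url || age < -60 || age > 60 || p.Jti == "" || s.seen[p.Jti] {
		return fmt.Errorf("proof is for another request, stale, or replayed")
	}
	s.seen[p.Jti] = true
	if ath := sha256.Sum256([]byte(token)); p.Ath != b64.EncodeToString(ath[:]) {
		return fmt.Errorf("proof is not bound to the presented access token")
	}
	if s.bound[token] != jkt(p.Jwk) {
		return fmt.Errorf("access token is bound to a different key than the one that signed the proof")
	}
	return nil
}

func main() {
	s, url := &Server{bound: map[string]string{}, seen: map[string]bool{}}, "https://rs.example/resource" // assumed RS URL
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader)
	tok := s.IssueToken(toJWK(clientPub))
	fmt.Println("legitimate client:", s.VerifyRequest("GET", url, tok, MakeProof(clientPriv, "GET", url, tok)))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a party the client shared the token with
	fmt.Println("shared token, other key:", s.VerifyRequest("GET", url, tok, MakeProof(otherPriv, "GET", url, tok)))
}
```

The first request is accepted; the second, made with a different key but the same token, is rejected because the thumbprint of the key in the proof does not match the jkt recorded when the token was issued. That is the property a secret sent alongside the token cannot provide: a client_secret on every request is a second bearer value that can be shared together with the token, whereas a DPoP proof is tied to one request, expires, cannot be replayed, and never exposes the private key.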

--------------JcJ4gUgVnwt3styyXwPDRaGS--


From nobody Wed Mar  2 09:11:34 2022
Content-Type: multipart/alternative; boundary="------------WKOTlbfR6nsdJ0KZzQsdDAhM"
Message-ID: <ddaca239-fd96-4116-f607-821fdd2d9ee7@danielfett.de>
Date: Wed, 2 Mar 2022 18:11:12 +0100
MIME-Version: 1.0
Content-Language: de-DE
To: Warren Parad <wparad@rhosys.ch>, Sascha Preibisch <saschapreibisch@gmail.com>
Cc: oauth <oauth@ietf.org>
References: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de> <CAP=vD9uLY6jissAZaEcEYLW2xNAr1NFgz7aO_NAjtuhs-C2pPA@mail.gmail.com> <CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=g@mail.gmail.com>
From: Daniel Fett <fett@danielfett.de>
In-Reply-To: <CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Oy1Ac5pYh9BPHjPJmU46mBSDCIA>
Subject: Re: [OAUTH-WG] OAuth: The frustrating lack of good libraries

This is a multi-part message in MIME format.
--------------WKOTlbfR6nsdJ0KZzQsdDAhM
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi Warren,

Am 02.03.22 um 17:05 schrieb Warren Parad:
> I don't think flooding this thread with random libraries is going to 
> benefit anyone, so let's not do that.

I agree, and that was not the aim of my question.


>
> Back to the question, and it is an interesting one. It makes sense to 
> dissect it a bit first. Who is struggling with "OAuth libraries" and 
> what is even the responsibility of one of them.
>
> *I'll start with my recommendation:*
>
>   * 0) We shouldn't build anything, and we shouldn't curate lists of
>     libraries and packages.
>
I'm not suggesting that we build any libraries; that would be a bad 
idea. I'm not so sure on curated lists, however.


>   * 1) We should make this information about libraries discoverable
>     and trackable. For instance with AS discovery docs we can enable
>     adding properties that link to SDKs in languages that the AS
>     decides to support.
>
I think that this goes into a completely wrong direction. Authorization 
servers should never be built towards certain libraries, in an ideal 
world at least. Also, why would I as an API provider even have to know 
about the SDKs? If my API follows the rules, any client library that 
follows the same rules should work.


>   * 2) We can document a "discovery doc" for libraries to self publish
>     detailing their features (in case they aren't associated with an
>     AS). Then anyone who wants to build lists of libraries with
>     supporting features, can easily compile these documents. All we
>     have to do is define "OAuth SDK features", and this will enable
>     everyone else to create SDK listings/feature comparisons. It can
>     even be automated.
>
I like the idea of a machine-readable feature support document... 
discovering those documents might still be a problem, though.


> *My concerns:*
> I think we have to break it down first into some key areas:
>
>   * There are OAuth user-agent clients
>       o Mobile app clients for each of the app OSes, and further for
>         each of the app development frameworks
>       o Web apps
>       o Desktop apps
>   * There are OAuth machine clients
>       o BFF oauth code exchange clients
>       o client credentials clients
>       o third party machine clients
>       o leaf clients that need to validate authorization tokens
>       o [One caveat to this is that these can and will be written in
>         every possible language available]
>   * There are OAuth Authorization servers
>       o Open source ones
>       o SaaS models
>       o AS in a container
>       o embedded cloud native solutions
>       o potentially user controlled
>
> Obviously this isn't a full list, but looking at each of these, 
> specialization in the world of software libraries tells us that likely 
> every one of these could and will be its own library. Just looking at 
> this shortlist, and the story of "which library" should you use 
> becomes incredibly complicated. If we have libraries that purport to 
> solve all these problems, then it becomes a gratuitous burden on 
> developers to pick the right library, which isn't interchangeable with 
> others. They aren't pluggable.

I don't think that a library which supports only selected scenarios 
(e.g., a mobile app on Android) is a problem, as long as that is well 
documented.

Also, I wouldn't expect the same library API for each library to make 
them exchangeable. They don't need to be interchangeable, because that 
would mean that somebody is doing the same work as someone else.


>
> Additionally, for the purposes of branding and documentation, most of 
> these will be wrapped by brand specific implementations so that 
> careful validation and control over key features can be communicated. 
> Further, since the landscape moves quickly providers want to stay up 
> to date, putting links all over your documentation pages saying "this 
> library does not yet support said feature" is terrible. This is still 
> frequently the case, and so providers are encouraged to lie, "We 
> support this*" - but you have to do these hacks after you download the 
> library to support it.

I'm not sure I'm following your thoughts here... could you please expand 
on that?


>
> Further, there are sane defaults that make sense for a wrapper for a 
> dedicated and opinionated solution that don't make sense in a generic 
> one. The whole class of AS libraries are hidden from external 
> developers, so there is very little value in a "whole solution" and 
> more value in delivering what these AS need. Since they have their own 
> motivations, they are already either open sourcing their solutions or 
> keeping it closed and won't contribute. This is arguably the set 
> where libraries offer the most value, but because of these reasons it 
> is a lost cause.

I agree that the problem space is different for servers than it is for 
clients. Let's focus on clients in this thread.


>
> The second set is machine clients. Most of this is very similar to the 
> last section of AS, but very little of it is OAuth specific. Most of 
> it is "Add an authorization header" or "call this specific endpoint 
> one time". A couple of lines in the documentation is sufficient for 
> handling this. Which leaves "How to verify an OAuth token". Having 
> built a library for tons of languages to handle not just OAuth but 
> other things, the challenge here isn't the OAuth part. Sure there is 
> some knowledge around how to convert the *issuer* to the JWK using the 
> discovery document, but a library only marginally improves the state. 
> And the amount of work for branded libraries to add this in is still 
> trivial. The real problem with these is that the crypto communities in 
> different languages don't make it easy to do this. If you think 
> explaining OAuth is challenging, try to explain libsodium 
> requirements, they don't care, and we can't fix that with a library. 
> We can fix that by contributing to the available crypto tools so OAuth 
> verification can be easier. Thankfully we don't have to, because the 
> branded products will release their open source version implementing 
> or fixing these because they are motivated to do so.

Machine clients might need to use MTLS, DPoP, or something similar. 
There is value in a library for machine clients as well. And since this 
use case is often more or less a subset of interactive clients, I would 
expect that most libraries will support both anyway.


>
> Now I get to the OAuth user-agent/facing clients. Web apps' complexity 
> here is usually the framework, and dance around, what do I do with the 
> state, and the redirect so the user ends up in the right place. A 
> library isn't going to fix that, and even if it did, it isn't OAuth 
> that is the issue here, it is a lack of good browser APIs to support 
> easy navigation.
>
> Which leaves us with, are we talking about mobile apps or desktop 
> clients? Because we are talking about one of these other categories, 
> there isn't enough value in there to list them any more than there is 
> value in listing OIDC providers that support OAuth. Being met with a 
> list of hundreds of libraries and packages doesn't make for a good 
> experience, and do those same developers know if they need PKCE, EdDSA 
> signatures, a library that supports mTLS, probably not.

That's why I'm advocating for a profile that covers many use cases. If I 
can tell a developer to go and find a library that supports 
OAuth-Modern-Feature-Set®, and it would be common for libraries to 
advertise their support for that, the problem would be much smaller.

-Daniel


>
> - Warren
>
>
> Warren Parad
>
> Founder, CTO
>
> Secure your user data with IAM authorization as a service. Implement 
> Authress <https://authress.io/>.
>
>
> On Wed, Mar 2, 2022 at 4:33 PM Sascha Preibisch 
> <saschapreibisch@gmail.com> wrote:
>
>     Hello Daniel!
>
>     Some time ago I started an open source project: Loginbuddy.
>     Loginbuddy is a tool that mainly supports OpenID Connect based
>     logins.
>
>     It can be deployed as a standalone service or be used as a
>     side-car next to other docker containers in the same network.
>
>     Although it is not necessarily a library, it may be worth looking
>     into it. I could imagine that Loginbuddy would also be a good
>     starting point for extensions that serve more flows and more
>     general features of OAuth/ OpenID Connect. With more contributors
>     I see a chance for Loginbuddy to be more widely used and help
>     address your concerns.
>
>     Please have a look here:
>     https://loginbuddy.net
>
>     I just updated the web site. Or visit the GitHub project:
>     https://github.com/SaschaZeGerman/loginbuddy
>
>     In any case, that is my current contribution to the developer
>     community.
>
>     Thanks,
>     Sascha
>
>     On Tue, Mar 1, 2022 at 9:18 AM Daniel Fett <fett@danielfett.de> wrote:
>
>         **
>
>         *Hi all,*
>
>         *
>
>         While helping clients to onboard into the yes ecosystem, in my
>         consulting work, and in discussions with developers
>         implementing OAuth 2.0, one topic comes up increasingly often:
>         The (somewhat frustrating) lack of good, modern, and universal
>         OAuth libraries.
>
>
>         Many of the libraries out there have one or more of the
>         following drawbacks:
>
>
>          * They are not maintained any longer
>
>          * They are not well documented (e.g., it is often unclear
>         which specifications are supported)
>
>          * They support only a subset of the OAuth 2.0 specification
>
>          * They work only with selected providers (e.g., Google,
>         Facebook, etc.)
>
>          * It is unclear whether they follow recent security
>         recommendations
>
>          * They do not support modern features, such as PKCE, AS
>         Metadata, MTLS, etc.
>
>
>         Exceptions exist, of course, like Filip's Node.js
>         implementation and the nimbus library for Java. But apart from
>         those rare cases, when a developer asks me what library to
>         use, my answer is often: "I don't think there's a good one in
>         your language". It is a telltale sign that many providers of
>         OAuth protected APIs also provide a custom OAuth
>         implementation in their SDKs, which they then often have to
>         maintain for a number of languages. This creates unnecessary
>         costs and friction, e.g., when introducing new security features.
>
>
>         At the same time, practically every language/framework comes
>         with a TLS stack and making HTTPS requests is often just a few
>         lines of code. Why aren't we there yet with OAuth? I'm well
>         aware that OAuth 2.0 is a framework, not a single protocol
>         like TLS, but the mentioned libraries show that this does not
>         preclude a comprehensive library support.
>
>
>         If I had to speculate about the reasons for this mess, I'd say
>         that there are three:
>
>
>          * The core of OAuth is easy to implement. The need to create
>         or use a library might not be obvious to developers. Of
>         course, if you want a proper implementation with correct error
>         handling, observing all the security recommendations, etc.,
>         the effort is huge. But just getting OAuth to work for one
>         specific use case is relatively easy.
>
>
>          * OAuth is traditionally hard to configure: authorization and
>         token endpoint URLs, client id and secret, supported scopes
>         (and claims for OIDC), supported response types and modes, and
>         required security features are just some of the things a
>         developer has to figure out - often from the API's
>         documentation - to get everything up and running. Even though
>         configuration is not the same as implementation, I imagine
>         that this complexity can lead to the perception that there are
>         barely any commonalities between different OAuth flows. There
>         might be no value, after all, in an OAuth library, if I have
>         to provide so many details myself.
>
>
>          * With many extensions and specifications to choose from, it
>         can be hard to select a reasonable subset to support.
>
>
>         What can we do about this?
>
>
>         I'm not sure, but I have a few ideas.
>
>
>          * Of course, one step would be to increase visibility and
>         documentation for existing implementations: Beyond listing
>         libraries (like the list on oauth.net <http://oauth.net>), it
>         would be great to have a place to go to to find libraries
>         based on their feature support. I'm sure there are more good
>         libraries out there.
>
>          * The OpenID Foundation has a great set of conformance tests
>         for OIDC, FAPI and other stuff. Creating conformance tests for
>         OAuth would be harder, given that the framework leaves many
>         options for implementers to choose from. I’m not sure if
>         running a conformance programme would be in the scope of IETF,
>         but it can be worthwhile to think about if we could support
>         such an endeavor.
>
>          * The single most important thing to do would, in my opinion,
>         be to set a goal: Tell library developers and language
>         maintainers what can be expected from a good, modern, and
>         universal OAuth library. Such a recommendation would shine a
>         light on the most important extensions for OAuth like PKCE and
>         might even be a prerequisite for conformance tests. It may
>         turn out to be OAuth 2.1 or something else. For me, this would
>         in any case include AS Metadata, as that is the single most
>         valuable building block we have to address configuration
>         complexity.
>
>
>         I would be interested to hear what others think about this. Is
>         this a problem worth addressing? Are there other solutions? Is
>         this out of scope of our work here?
>
>
>         -Daniel
>
>         -- 
>         https://danielfett.de
>
>         _______________________________________________
>         OAuth mailing list
>         OAuth@ietf.org
>         https://www.ietf.org/mailman/listinfo/oauth
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
>
-- 
https://danielfett.de
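An added example, not part of this thread or of any library mentioned in it, showing the configuration step discussed above: a client that derives its endpoints and required security features from AS Metadata (RFC 8414) and performs PKCE (RFC 7636) instead of relying on hand-typed endpoint URLs. The metadata document, issuer, endpoints and client values are constructed for the example; the metadata field names are the ones registered by RFC 8414, RFC 8705 and RFC 9449.

```python
"""Client-side use of OAuth 2.0 Authorization Server Metadata (RFC 8414) and PKCE
(RFC 7636): derive endpoints and security features from the AS's metadata instead
of hand-typed configuration. SAMPLE_METADATA and all URLs are constructed."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit

# Constructed sample of what an AS might publish at its well-known URL.
SAMPLE_METADATA = {
    "issuer": "https://as.example.com/tenant1",
    "authorization_endpoint": "https://as.example.com/tenant1/authorize",
    "token_endpoint": "https://as.example.com/tenant1/token",
    "jwks_uri": "https://as.example.com/tenant1/jwks",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
    # RFC 8705 (mTLS) and RFC 9449 (DPoP) advertise support with these fields.
    "tls_client_certificate_bound_access_tokens": True,
    "dpop_signing_alg_values_supported": ["ES256"],
}
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def well_known_url(issuer: str) -> str:
    """RFC 8414 section 3: the well-known segment goes between host and issuer
    path, so https://as.example.com/tenant1 maps to
    https://as.example.com/.well-known/oauth-authorization-server/tenant1."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return (f"https://{parts.netloc}/.well-known/oauth-authorization-server"
            f"{parts.path.rstrip('/')}")


@dataclass(frozen=True)
class ClientConfig:
    authorization_endpoint: str
    token_endpoint: str
    jwks_uri: str
    mtls_bound_tokens: bool
    dpop_algs: tuple


def config_from_metadata(metadata: dict, expected_issuer: str) -> ClientConfig:
    """Validate as RFC 8414 section 3.3 requires, then extract what a client
    needs. The issuer check is what stops a metadata document from steering
    the client to endpoints belonging to a different issuer."""
    missing = [f for f in REQUIRED_FIELDS if f not in metadata]
    if missing:
        raise ValueError(f"metadata lacks required fields: {missing}")
    if metadata["issuer"] != expected_issuer:
        raise ValueError("issuer in metadata does not match the issuer queried")
    for field in REQUIRED_FIELDS[1:]:
        if urlsplit(metadata[field]).scheme != "https":
            raise ValueError(f"{field} must use https")
    # A modern client refuses to fall back to the 'plain' PKCE method or to none.
    if "S256" not in metadata.get("code_challenge_methods_supported", []):
        raise ValueError("AS does not advertise PKCE with S256")
    return ClientConfig(
        authorization_endpoint=metadata["authorization_endpoint"],
        token_endpoint=metadata["token_endpoint"],
        jwks_uri=metadata["jwks_uri"],
        mtls_bound_tokens=bool(metadata.get("tls_client_certificate_bound_access_tokens")),
        dpop_algs=tuple(metadata.get("dpop_signing_alg_values_supported", [])),
    )


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 transform from RFC 7636 section 4.2."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_code_verifier() -> str:
    """43-character verifier from 32 random bytes (RFC 7636 section 4.1)."""
    return _b64url(secrets.token_bytes(32))


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The AS-side check at the token endpoint, with a constant-time compare."""
    return hmac.compare_digest(pkce_challenge(verifier), challenge)


def authorization_request_url(config: ClientConfig, client_id: str,
                              redirect_uri: str, verifier: str, state: str) -> str:
    """Authorization request built from discovered configuration."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{config.authorization_endpoint}?{urlencode(params)}"
```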

--------------WKOTlbfR6nsdJ0KZzQsdDAhM
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<html>
  <head>
    <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF=
-8">
  </head>
  <body>
    <p>Hi Warren,<br>
    </p>
    <div class=3D"moz-cite-prefix">Am 02.03.22 um 17:05 schrieb Warren
      Parad:<br>
    </div>
    <blockquote type=3D"cite"
cite=3D"mid:CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=3Dg@mail.gm=
ail.com">
      <meta http-equiv=3D"content-type" content=3D"text/html; charset=3DU=
TF-8">
      <div dir=3D"ltr">I don't think flooding this thread with random
        libraries is going to benefit anyone, so let's not do that.</div>=

    </blockquote>
    <p>I agree, and that was not the aim of my question.</p>
    <p><br>
    </p>
    <blockquote type=3D"cite"
cite=3D"mid:CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=3Dg@mail.gm=
ail.com">
      <div dir=3D"ltr">
        <div><br>
        </div>
        <div>Back to the question, and it is an interesting one. It
          makes sense to dissect it a bit first. Who is struggling with
          "OAuth libraries" and what is even the responsibility of one
          of them.
          <div><br>
          </div>
          <div><b>I'll start with my recommendation:</b></div>
          <div>
            <ul>
              <li>0) We shouldn't build anything, and we shouldn't
                curate lists of libraries and packages.</li>
            </ul>
          </div>
        </div>
      </div>
    </blockquote>
    <p>I'm not suggesting that we build any libraries; that would be a
      bad idea. I'm not so sure on curated lists, however.</p>
    <p><br>
    </p>
    <blockquote type=3D"cite"
cite=3D"mid:CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=3Dg@mail.gm=
ail.com">
      <div dir=3D"ltr">
        <div>
          <div>
            <ul>
              <li>1) We should make this information about libraries
                discoverable and trackable. For instance with AS
                discovery docs we can enable adding properties that link
                to SDKs in languages that the AS decides to support.</li>=

            </ul>
          </div>
        </div>
      </div>
    </blockquote>
    <p>I think that this goes into a completely wrong direction.
      Authorization servers should never be built towards certain
      libraries, in an ideal world at least. Also, why would I as an API
      provider even have to know about the SDKs? If my API follows the
      rules, any client library that follows the same rules should work.<=
/p>
    <p><br>
    </p>
    <blockquote type=3D"cite"
cite=3D"mid:CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=3Dg@mail.gm=
ail.com">
      <div dir=3D"ltr">
        <div>
          <div>
            <ul>
              <li>2) We can document a "discovery doc" for libraries to
                self publish detailing=C2=A0their features (in case they
                aren't associated with an AS). Then anyone who wants to
                build lists of libraries with supporting features, can
                easily compile these documents. All we have to do is
                define "OAuth SDK features", and this will enable
                everyone else to create SDK
                listings/feature=C2=A0comparisons. It can even be automat=
ed.</li>
            </ul>
          </div>
        </div>
      </div>
    </blockquote>
    <p>I like the idea of a machine-readable feature support document...
      discovering those documents might still be a problem, though.</p>
    <p><br>
    </p>
    <blockquote type=3D"cite"
cite=3D"mid:CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=3Dg@mail.gm=
ail.com">
      <div dir=3D"ltr">
        <div>
          <div><b>My concerns:</b></div>
          <div>I think we have to break it down first into some key
            areas:</div>
          <div>
            <ul>
              <li>There are OAuth user-agent clients</li>
              <ul>
                <li>Mobile app clients for each of the app OSes, and
                  further for each of the app development frameworks</li>=

                <li>Web apps</li>
                <li>Desktop apps</li>
              </ul>
              <li>There are OAuth machine clients<br>
              </li>
              <ul>
                <li>BFF oauth code exchange clients</li>
                <li>client credentials clients</li>
                <li>third party machine clients</li>
                <li>leaf clients that need to validate authorization
                  tokens</li>
                <li>[One caveat to this is that these can and will be
                  written in every possible language available]</li>
              </ul>
              <li>There are OAuth Authorization servers<br>
              </li>
              <ul>
                <li>Open source ones<br>
                </li>
                <li>SaaS models</li>
                <li>AS in a container</li>
                <li>embedded cloud native solutions</li>
                <li>potentially user controlled</li>
              </ul>
            </ul>
            <div>Obviously this isn't a full list, but looking at each
              of these, specialization in the world of software
              libraries tells us that likely every one of these could
              and will be its own library. Just looking at this
              shortlist, and the story of "which library" should you use
              becomes incredibly complicated. If we have libraries that
              purport to solve all these problems, then it becomes a
              gratuitous burden on developers to pick the right library,
              which isn't interchangeable with others. They aren't
              pluggable.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <p>I don't think that a library which supports only selected
      scenarios (e.g., a mobile app on Android) is a problem, as long as
      that is well documented.</p>
    <p>Also, I wouldn't expect the same library API for each library to
      make them exchangeable. They don't need to be interchangeable,
      because that would mean that somebody is doing the same work as
      someone else. <br>
    </p>
    <p><br>
    </p>
    <blockquote type=3D"cite"
cite=3D"mid:CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=3Dg@mail.gm=
ail.com">
      <div dir=3D"ltr">
        <div>
          <div>
            <div><br>
            </div>
            <div>Additionally, for the purposes of branding and
              documentation, most of these will be wrapped by brand
              specific implementations so that careful validation and
              control over key features can be communicated. Further,
              since the landscape moves quickly providers want to stay
              up to date, putting links all over your documentation
              pages saying "this library does not yet support said
              feature" is terrible. This is still frequently the case,
              and so providers are encouraged to lie, "We support this*"
              - but you have to do these hacks after you download the
              library to support it.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <p>I'm not sure I'm following your thoughts here... could you please
      expand on that?</p>
    <p><br>
    </p>
    <blockquote type=3D"cite"
cite=3D"mid:CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=3Dg@mail.gm=
ail.com">
      <div dir=3D"ltr">
        <div>
          <div>
            <div><br>
            </div>
            <div>Further, there are sane defaults that make=C2=A0sense fo=
r a
              wrapper for a dedicated and opinionated solution that
              don't make sense in a generic one. The whole class of AS
              libraries are hidden from external developers, so there is
              very little value in a "whole solution" and more value in
              delivering what these AS need. Since they have their own
              motivations, they are already either open sourcing their
              solutions or keeping it closed and won't contribute. This
              is arguably the set where=C2=A0libraries offer the most val=
ue,
              but because of these reasons it is a lost cause.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <p>I agree that the problem space is different for servers than it
      is for clients. Let's focus on clients in this thread.</p>
    <p><br>
    </p>
    <blockquote type=3D"cite"
cite=3D"mid:CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=3Dg@mail.gm=
ail.com">
      <div dir=3D"ltr">
        <div>
          <div>
            <div><br>
            </div>
            <div>The second set is machine clients. Most of this is very
              similar to the last section of AS, but very little of it
              is OAuth specific. Most of it is "Add an authorization
              header" or "call this specific endpoint one time". A
              couple of lines in the documentation is sufficient for
              handling this. Which leaves "How to verify an OAuth
              token". Having built a library for tons of languages to
              handle not just OAuth but other things, the challenge here
              isn't the OAuth part. Sure there is some knowledge around
              how to convert the <b>issuer</b>=C2=A0to the JWK using the
              discovery document, but a library only marginally=C2=A0impr=
oves
              the state. And the amount of work for branded libraries to
              add this in is still trivial. The real problem with these
              is that the crypto communities in different languages
              don't make it easy to do this. If you think explaining
              OAuth is challenging, try to explain libsodium
              requirements, they don't care, and we can't fix that with
              a library. We can fix that by contributing to the
              available crypto tools so OAuth verification can be
              easier. Thankfully we don't have to, because the branded
              products will release their open source version
              implementing or fixing these because they are motivated to
              do so.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <p>Machine clients might need to use MTLS, DPoP, or something
      similar. There is value in a library for machine clients as well.
      And since this use case is often more or less a subset of
      interactive clients, I would expect that most libraries will
      support both anyway.</p>
    <p><br>
    </p>
    <blockquote type=3D"cite"
cite=3D"mid:CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=3Dg@mail.gm=
ail.com">
      <div dir=3D"ltr">
        <div>
          <div>
            <div><br>
            </div>
            <div>Now I get to the OAuth user-agent/facing clients. Web
              apps' complexity here is usually the framework, and dance
              around, what do I do with the state, and the redirect so
              the user ends up in the right place. A library isn't going
              to fix that, and even if it did, it isn't OAuth that is
              the issue here, it is a lack of good browser APIs to
              support easy navigation.</div>
            <div><br>
            </div>
            <div>Which leaves us with, are we talking about mobile apps
              or desktop clients? Because we are talking about one of
              these other categories, there isn't enough value in there
              to list them any more than there is value in listing OIDC
              providers that support OAuth. Being met with a list of
              hundreds of libraries and packages doesn't make for a good
              experience, and do those same developers know if they need
              PKCE, EdDSA signatures, a library that supports mTLS,
              probably not.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <p>That's why I'm advocating for a profile that covers many use
      cases. If I can tell a developer to go and find a library that
      supports OAuth-Modern-Feature-Set=C2=AE, and it would be common for=

      libraries to advertise their support for that, the problem would
      be much smaller.</p>
    <p>-Daniel</p>
    <p><br>
    </p>
    <blockquote type=3D"cite"
cite=3D"mid:CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=3Dg@mail.gm=
ail.com">
      <div dir=3D"ltr">
        <div>
          <div>
            <div><br>
            </div>
            <div>- Warren</div>
            <div><br clear=3D"all">
              <div>
                <div dir=3D"ltr" class=3D"gmail_signature"
                  data-smartmail=3D"gmail_signature">
                  <div dir=3D"ltr">
                    <table style=3D"border:none;border-collapse:collapse"=
>
                      <colgroup><col width=3D"214"><col width=3D"110"></c=
olgroup><tbody>
                        <tr style=3D"height:0pt">
                          <td style=3D"border-left:solid #ffffff
                            1pt;border-right:solid #cccccc
                            1pt;border-bottom:solid #ffffff
                            1pt;border-top:solid #ffffff
                            1pt;vertical-align:top;padding:5pt 5pt 5pt
                            5pt;overflow:hidden">
                            <p dir=3D"ltr"
                              style=3D"line-height:1.2;border-left:solid
                              #ffffff 1pt;border-right:solid #ffffff
                              1pt;border-top:solid #ffffff
                              1pt;border-bottom:solid #ffffff
                              1pt;margin-top:0pt;margin-bottom:0pt"><span=
 style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-co=
lor:transparent;vertical-align:baseline;white-space:pre-wrap"><span style=
=3D"border:none;display:inline-block;overflow:hidden;width:199px;height:3=
4px"><img src=3D"https://lh6.googleusercontent.com/DNiDx1QGIrSqMPKDN1oKev=
xYuyVRXsqhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBhaZJg1BO45YOc1xs6r9K=
J1fYsNHogY-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA" style=3D"margin-left:0px;margin=
-top:0px" moz-do-not-send=3D"true" width=3D"199" height=3D"34"></span></s=
pan></p>
                          </td>
                          <td style=3D"border-left:solid #cccccc
                            1pt;border-right:solid #ffffff
                            1pt;border-bottom:solid #ffffff
                            1pt;border-top:solid #ffffff
                            1pt;vertical-align:top;padding:5pt 5pt 5pt
                            5pt;overflow:hidden">
                            <p dir=3D"ltr"
                              style=3D"line-height:1.2;border-left:solid
                              #ffffff 1pt;border-right:solid #ffffff
                              1pt;border-top:solid #ffffff
                              1pt;margin-top:0pt;margin-bottom:0pt"><span=
 style=3D"font-size:11pt;font-family:Lato,sans-serif;background-color:tra=
nsparent;font-weight:700;vertical-align:baseline;white-space:pre-wrap">Wa=
rren Parad</span></p>
                            <p dir=3D"ltr"
                              style=3D"line-height:1.2;border-left:solid
                              #ffffff 1pt;border-right:solid #ffffff
                              1pt;border-bottom:solid #ffffff
                              1pt;margin-top:0pt;margin-bottom:0pt"><font=

                                face=3D"Lato, sans-serif"><span style=3D"=
font-size:13.3333px;white-space:pre-wrap">Founder, CTO</span></font></p>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                    <span style=3D"font-size:x-small">Secure your user
                      data with IAM authorization as a service.
                      Implement=C2=A0</span><a href=3D"https://authress.i=
o/"
                      style=3D"font-size:x-small" target=3D"_blank"
                      moz-do-not-send=3D"true">Authress</a><span
                      style=3D"font-size:x-small">.</span><br>
                  </div>
                </div>
              </div>
              <br>
            </div>
          </div>
        </div>
      </div>
      <br>
      <div class=3D"gmail_quote">
        <div dir=3D"ltr" class=3D"gmail_attr">On Wed, Mar 2, 2022 at 4:33=
 PM
          Sascha Preibisch &lt;<a
            href=3D"mailto:saschapreibisch@gmail.com"
            moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext">sasc=
hapreibisch@gmail.com</a>&gt;
          wrote:<br>
        </div>
        <blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">=

          <div dir=3D"ltr">Hello Daniel!
            <div><br>
            </div>
            <div>Some time ago I started an open source project:
              Loginbuddy.</div>
            <div>Loginbuddy is a tool that mainly supports OpenID
              Connect based logins.=C2=A0</div>
            <div><br>
            </div>
            <div>It can be deployed as a standalone service or be used
              as a side-car next to other docker containers in the same
              network.</div>
            <div><br>
            </div>
            <div>Although it is not necessarily a library, it may be
              worth looking into it. I could imagine that Loginbuddy
              would also be a good starting point for extensions that
              serve more flows and more general features of OAuth/
              OpenID Connect. With more contributors I see a chance for
              Loginbuddy to be more widely used and help address your
              concerns.</div>
            <div><br>
            </div>
            <div>Please have a look here:</div>
            <div><a href=3D"https://loginbuddy.net" target=3D"_blank"
                moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext">=
https://loginbuddy.net</a></div>
            <div><br>
            </div>
            <div>I just updated the web site. Or visit the GitHub
              project:</div>
            <div><a href=3D"https://github.com/SaschaZeGerman/loginbuddy"=

                target=3D"_blank" moz-do-not-send=3D"true"
                class=3D"moz-txt-link-freetext">https://github.com/Sascha=
ZeGerman/loginbuddy</a></div>
            <div><br>
            </div>
            <div>In any case, that is my current contribution to the
              developer community.</div>
            <div><br>
            </div>
            <div>Thanks,</div>
            <div>Sascha</div>
          </div>
          <br>
          <div class=3D"gmail_quote">
            <div dir=3D"ltr" class=3D"gmail_attr">On Tue, Mar 1, 2022 at
              9:18 AM Daniel Fett &lt;<a
                href=3D"mailto:fett@danielfett.de" target=3D"_blank"
                moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext">=
fett@danielfett.de</a>&gt;
              wrote:<br>
            </div>
            <blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px=

              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div>
                <p><b style=3D"font-weight:normal"
id=3D"gmail-m_5242671281819558594gmail-m_1280489072549689368docs-internal=
-guid-60602e1c-7fff-f446-6469-8a697b8e8f47">
                  </b></p>
                <p dir=3D"ltr"
                  style=3D"line-height:1.38;margin-top:0pt;margin-bottom:=
0pt"><b
                    style=3D"font-weight:normal"
id=3D"gmail-m_5242671281819558594gmail-m_1280489072549689368docs-internal=
-guid-60602e1c-7fff-f446-6469-8a697b8e8f47"><span style=3D"font-size:11pt=
;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-wei=
ght:400;font-style:normal;font-variant-ligatures:normal;font-variant-caps=
:normal;font-variant-east-asian:normal;text-decoration:none;vertical-alig=
n:baseline;white-space:pre-wrap">Hi all,</span></b></p>
                <b style=3D"font-weight:normal"
id=3D"gmail-m_5242671281819558594gmail-m_1280489072549689368docs-internal=
-guid-60602e1c-7fff-f446-6469-8a697b8e8f47">
                  <br>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Whil=
e helping clients to onboard into the yes ecosystem, in my consulting wor=
k, and in discussions with developers implementing OAuth 2.0, one topic c=
omes up increasingly often: The (somewhat frustrating) lack of good, mode=
rn, and universal OAuth libraries.=C2=A0</span></p>
                  <br>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Many=
 of the libraries out there have one or more of the following drawbacks:<=
/span></p>
                  <br>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0=
* They are not maintained any longer</span></p>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0=
* They are not well documented (e.g., it is often unclear which specifica=
tions are supported)</span></p>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0=
* They support only a subset of the OAuth 2.0 specification</span></p>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0=
* They work only with selected providers (e.g., Google, Facebook, etc.)</=
span></p>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0=
* It is unclear whether they follow recent security recommendations</span=
></p>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0=
* They do not support modern features, such as PKCE, AS Metadata, MTLS, e=
tc.</span></p>
                  <br>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Exce=
ptions exist, of course, like Filip's Node.js implementation and the nimb=
us library for Java. But apart from those rare cases, when a developer as=
ks me what library to use, my answer is often: "I don't think there's a g=
ood one in your language". It is a telltale sign that many providers of O=
Auth protected APIs also provide a custom OAuth implementation in their S=
DKs, which they then often have to maintain for a number of languages. Th=
is creates unnecessary costs and friction, e.g., when introducing new sec=
urity features.</span></p>
                  <br>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">At t=
he same time, practically every language/framework comes with a TLS stack=
 and making HTTPS requests is often just a few lines of code. Why aren't =
we there yet with OAuth? I'm well aware that OAuth 2.0 is a framework, no=
t a single protocol like TLS, but the mentioned libraries show that this =
does not preclude a comprehensive library support.</span></p>
                  <br>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">If I=
 had to speculate about the reasons for this mess, I'd say that there are=
 three:</span></p>
                  <br>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0=
* The core of OAuth is easy to implement. The need to create or use a lib=
rary might not be obvious to developers. Of course, if you want a proper =
implementation with correct error handling, observing all the security re=
commendations, etc., the effort is huge. But just getting OAuth to work f=
or one specific use case is relatively easy.</span></p>
                  <br>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0=
* OAuth is traditionally hard to configure: authorization and token endpo=
int URLs, client id and secret, supported scopes (and claims for OIDC), s=
upported response types and modes, and required security features are jus=
t some of the things a developer has to figure out - often from the API's=
 documentation - to get everything up and running. Even though configurat=
ion is not the same as implementation, I imagine that this complexity can=
 lead to the perception that there are barely any commonalities between d=
ifferent OAuth flows. There might be no value, after all, in an OAuth lib=
rary, if I have to provide so many details myself.</span></p>
                  <br>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0=
* With many extensions and specifications to choose from, it can be hard =
to select a reasonable subset to support.=C2=A0</span></p>
                  <br>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">What=
 can we do about this?</span></p>
                  <br>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">I'm =
not sure, but I have a few ideas.</span></p>
                  <br>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0=
* Of course, one step would be to increase visibility and documentation f=
or existing implementations: Beyond listing libraries (like the list on <=
a href=3D"http://oauth.net" target=3D"_blank" moz-do-not-send=3D"true">oa=
uth.net</a>), it would be great to have a place to go to to find librarie=
s based on their feature support. I'm sure there are more good libraries =
out there.</span></p>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0=
* The OpenID Foundation has a great set of conformance tests for OIDC, FA=
PI and other stuff. Creating conformance tests for OAuth would be harder,=
 given that the framework leaves many options for implementers to choose =
from. I=E2=80=99m not sure if running a conformance programme would be in=
 the scope of IETF, but it can be worthwhile to think about if we could s=
upport such an endeavor.</span></p>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0=
* The single most important thing to do would, in my opinion, be to set a=
 goal: Tell library developers and language maintainers what can be expec=
ted from a good, modern, and universal OAuth library. Such a recommendati=
on would shine a light on the most important extensions for OAuth like PK=
CE and might even be a prerequisite for conformance tests. It may turn ou=
t to be OAuth 2.1 or something else. For me, this would in any case inclu=
de AS Metadata, as that is the single most valuable building block we hav=
e to address configuration complexity.=C2=A0</span></p>
                  <br>
                  <p dir=3D"ltr"
                    style=3D"line-height:1.38;margin-top:0pt;margin-botto=
m:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);b=
ackground-color:transparent;font-weight:400;font-style:normal;font-varian=
t-ligatures:normal;font-variant-caps:normal;font-variant-east-asian:norma=
l;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">I wo=
uld be interested to hear what others think about this. Is this a problem=
 worth addressing? Are there other solutions? Is this out of scope of our=
 work here?=C2=A0</span></p>
                  <br>
                  -Daniel<br>
                </b>
                <pre cols=3D"72">--=20
<a href=3D"https://danielfett.de" target=3D"_blank" moz-do-not-send=3D"tr=
ue" class=3D"moz-txt-link-freetext">https://danielfett.de</a></pre>
              </div>
              _______________________________________________<br>
              OAuth mailing list<br>
              <a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"
                moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext">=
OAuth@ietf.org</a><br>
              <a href=3D"https://www.ietf.org/mailman/listinfo/oauth"
                rel=3D"noreferrer" target=3D"_blank" moz-do-not-send=3D"t=
rue"
                class=3D"moz-txt-link-freetext">https://www.ietf.org/mail=
man/listinfo/oauth</a><br>
            </blockquote>
          </div>
          _______________________________________________<br>
          OAuth mailing list<br>
          <a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"
            moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext">OAut=
h@ietf.org</a><br>
          <a href=3D"https://www.ietf.org/mailman/listinfo/oauth"
            rel=3D"noreferrer" target=3D"_blank" moz-do-not-send=3D"true"=

            class=3D"moz-txt-link-freetext">https://www.ietf.org/mailman/=
listinfo/oauth</a><br>
        </blockquote>
      </div>
    </blockquote>
    <pre class=3D"moz-signature" cols=3D"72">--=20
<a class=3D"moz-txt-link-freetext" href=3D"https://danielfett.de">https:/=
/danielfett.de</a></pre>
  </body>
</html>

--------------WKOTlbfR6nsdJ0KZzQsdDAhM--


From nobody Wed Mar  2 09:19:07 2022
Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D21C3A08D7 for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 09:19:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level: 
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AiVZXBbqsffY for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 09:19:00 -0800 (PST)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BED33A08D5 for <oauth@ietf.org>; Wed,  2 Mar 2022 09:19:00 -0800 (PST)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id 0B02718352 for <oauth@ietf.org>; Wed,  2 Mar 2022 17:18:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1646241536; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=omP98fDdNQ8dAxLn2WzwAi6Al6unz6jLlG2zRlHzpeU=; b=W+qhAY0xG0+rlGRn5+V3YKOftYVulOEELMrg1AIksphf4euQCKKkLP6MjKvwqG/6IMFSO4 R9PkOblLVNejA7XQy0TwRokNqMDHRhwsQg9XuwGgoO8RK00moTYODpcj6lZYLs6kOAhyj+ xtRrAyKT+aIOLjP6R0LiMePTcUkLhug=
Content-Type: multipart/alternative; boundary="------------WFcmhdwT9kfVNXYb5PkGBlE0"
Message-ID: <af88872d-ff93-d82a-924b-affcdd4a1535@danielfett.de>
Date: Wed, 2 Mar 2022 18:18:55 +0100
MIME-Version: 1.0
Content-Language: de-DE
To: oauth@ietf.org
References: <4DBCAEEA-08E0-4E93-AFEC-D990C8729E81@aueb.gr>
From: Daniel Fett <fett@danielfett.de>
In-Reply-To: <4DBCAEEA-08E0-4E93-AFEC-D990C8729E81@aueb.gr>
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de;  s=dkim; t=1646241536; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=omP98fDdNQ8dAxLn2WzwAi6Al6unz6jLlG2zRlHzpeU=; b=CsqRPSWTxFdfnixY9H4RsQs8cenXXQbVQi/bIyAnZUGK3UqvnZg+aWfrHrl1EyxBEuppCw iCd5ojQ6maGGJwUvvYf5wHxg8UO+Rcg8dlDk9O4XlG/eC8M8uDYeYGnQCDFsOzcr6kZlmq IMiQ3pRIsJ5StgWZTFz91/xKNixN3pE=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1646241536; a=rsa-sha256; cv=none; b=CXdX3sDZzGb6kSYGtxnF7u+T5BYAzInKQ+h3xbKt7wAtTZDw1HAaNcpffrSy5GQ8PKJ7AW 414gZ765HXP11bsstbdy8w+NCieukdeQFN4nTdBiEkXj1aPWPfB2bxq9CNtMPLHsnBOSaP LIlIVmB6Ww2bWN1TKW/MezMZz1YM3/Y=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: ---
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/inxQ_ZsMPeB0VX-iWeWNI72bExE>
Subject: Re: [OAUTH-WG] proof of access token possession using client secret
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2022 17:19:05 -0000

This is a multi-part message in MIME format.
--------------WFcmhdwT9kfVNXYb5PkGBlE0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

What exactly is the attack that you're trying to prevent?

If the clients share the access tokens, they might as well share access 
to the resource server (forwarding requests and responses). You can't 
really prevent that.

DPoP or MTLS, potentially with non-exportable keys, might be a better 
approach, but it depends on the attack you have in mind.

-Daniel

On 02.03.22 at 16:58, Nikos Fotiou wrote:
> Hi all,
>
> I am working on a use case where the Authorization Server and the Resource Server are the same entity. I would like to prevent clients from sharing their access tokens. I am wondering if requiring clients to include the "client secret" in the resource access request (in addition to the access token) is a valid strategy. This way clients would have to share their "client secret" in addition to the access token. Would that work?
>
> Best,
> Nikos
> --
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
https://danielfett.de
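Added example, written for this archive and not code from the thread or from any of its participants: a minimal DPoP exchange in Go, standard library only, that shows why a key-bound token addresses the sharing concern where "access token plus client secret" does not. Both the token and a client secret are bearer strings, so a client willing to share access simply hands over both. With DPoP (now RFC 9449) the AS binds the token to the client's public key through the cnf.jkt thumbprint claim, and the resource server accepts a request only when it carries a fresh proof signed with the matching private key; a party that received the token without that key (ideally one held in non-exportable storage, as the reply suggests) cannot produce one. The function and type names, the https://rs.example URL and the token string are constructed placeholders, and the cnf.jkt value is passed to the verifier directly instead of being read from a JWT or an introspection response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE base64url without padding

type ecJWK struct{ Kty, Crv, X, Y string } // key in the DPoP proof header (RFC 9449); encoding/json matches names case-insensitively

// PublicJWK encodes a P-256 public key with fixed 32-byte coordinates.
func PublicJWK(pub *ecdsa.PublicKey) ecJWK {
	return ecJWK{Kty: "EC", Crv: "P-256",
		X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// Thumbprint is the RFC 7638 JWK thumbprint the AS stores in the token's cnf.jkt claim.
func Thumbprint(k ecJWK) string {
	return sha256b64(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k.Crv, k.Kty, k.X, k.Y))
}

func sha256b64(s string) string { h := sha256.Sum256([]byte(s)); return b64.EncodeToString(h[:]) }
func dec(s string) []byte { b, err := b64.DecodeString(s); if err != nil { return nil }; return b } // nil on error, so callers length-check

// MakeProof is the client side: one fresh proof per request, signed with the private
// key whose thumbprint the AS bound the access token to (ideally a non-exportable key).
func MakeProof(priv *ecdsa.PrivateKey, htm, htu, accessToken string) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	k := PublicJWK(&priv.PublicKey)
	hdr := fmt.Sprintf(`{"typ":"dpop+jwt","alg":"ES256","jwk":{"kty":"EC","crv":"P-256","x":%q,"y":%q}}`, k.X, k.Y)
	body, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": htm, "htu": htu,
		"iat": time.Now().Unix(), "ath": sha256b64(accessToken)}) // ath ties the proof to this token
	input := b64.EncodeToString([]byte(hdr)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // ES256 is raw r||s
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyProof is the resource server side. expectedJKT is the token's cnf.jkt (from the JWT or
// introspection). Whoever holds only the token, even plus the client secret, lacks the key and fails.
func VerifyProof(proof, htm, htu, accessToken, expectedJKT string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed proof")
	}
	var hdr struct{ Typ, Alg string; Jwk ecJWK }
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" ||
		hdr.Jwk.Kty != "EC" || hdr.Jwk.Crv != "P-256" {
		return fmt.Errorf("bad header or unsupported proof type/algorithm")
	}
	if Thumbprint(hdr.Jwk) != expectedJKT { // the sender-constraint check itself
		return fmt.Errorf("proof key does not match the token's cnf.jkt")
	}
	xb, yb := dec(hdr.Jwk.X), dec(hdr.Jwk.Y)
	if len(xb) != 32 || len(yb) != 32 {
		return fmt.Errorf("bad jwk coordinates")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	sig, digest := dec(parts[2]), sha256.Sum256([]byte(parts[0]+"."+parts[1]))
	if len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("invalid proof signature")
	}
	var c struct{ Htm, Htu, Ath string; Iat int64 }
	if json.Unmarshal(dec(parts[1]), &c) != nil || c.Htm != htm || c.Htu != htu || c.Ath != sha256b64(accessToken) {
		return fmt.Errorf("proof was made for a different request or token")
	}
	if age := time.Since(time.Unix(c.Iat, 0)); age < -time.Minute || age > 5*time.Minute {
		return fmt.Errorf("proof outside the acceptance window")
	}
	return nil // a production RS additionally rejects a jti already seen inside the window (replay)
}

func main() {
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const htu, token = "https://rs.example/resource", "constructed-opaque-access-token" // constructed placeholders
	jkt := Thumbprint(PublicJWK(&clientKey.PublicKey)) // what the AS would put into cnf.jkt
	proof, _ := MakeProof(clientKey, "GET", htu, token)
	fmt.Println("client the token was issued to:", VerifyProof(proof, "GET", htu, token, jkt))
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // got the token, but not the key
	shared, _ := MakeProof(otherKey, "GET", htu, token)
	fmt.Println("party the token was shared with:", VerifyProof(shared, "GET", htu, token, jkt))
}
```

Running it prints `<nil>` for the client the token was issued to and a cnf.jkt mismatch error for the second key. The checks on htm, htu and ath also stop a captured proof from being reused for a different request or token; what remains is the short replay window, which is why a production resource server tracks the jti values it has accepted inside it.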

--------------WFcmhdwT9kfVNXYb5PkGBlE0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix">What exactly is the attack that you're
      trying to prevent?</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">If the clients share the access tokens,
      they might as well share access to the resource server (forwarding
      requests and responses). You can't really prevent that. <br>
    </div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">DPoP or MTLS, potentially with
      non-exportable keys, might be a better approach, but it depends on
      the attack you have in mind.</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">-Daniel<br>
    </div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">On 02.03.22 at 16:58, Nikos
      Fotiou wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:4DBCAEEA-08E0-4E93-AFEC-D990C8729E81@aueb.gr">
      <pre class="moz-quote-pre" wrap="">Hi all,

I am working on a use case where the Authorization Server and the Resource Server are the same entity. I would like to prevent clients from sharing their access tokens. I am wondering if requiring clients to include the "client secret" in the resource access request (in addition to the access token) is a valid strategy. This way clients would have to share their "client secret" in addition to the access token. Would that work?

Best,
Nikos
--
Nikos Fotiou - <a class="moz-txt-link-freetext" href="http://pages.cs.aueb.gr/~fotiou">http://pages.cs.aueb.gr/~fotiou</a>
Researcher - Mobile Multimedia Laboratory
Athens University of Economics and Business
<a class="moz-txt-link-freetext" href="https://mm.aueb.gr">https://mm.aueb.gr</a>

</pre>
      <br>
      <fieldset class="moz-mime-attachment-header"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
<a class="moz-txt-link-freetext" href="https://danielfett.de">https://danielfett.de</a></pre>
  </body>
</html>

--------------WFcmhdwT9kfVNXYb5PkGBlE0--


From nobody Wed Mar  2 09:29:49 2022
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13D2D3A0926 for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 09:29:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IzLQLDfqnSkD for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 09:29:40 -0800 (PST)
Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70AD03A0920 for <oauth@ietf.org>; Wed,  2 Mar 2022 09:29:40 -0800 (PST)
Received: by mail-yb1-xb33.google.com with SMTP id h126so4872672ybc.1 for <oauth@ietf.org>; Wed, 02 Mar 2022 09:29:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CwjwoT7X9yD1zXTUU/QuVAWaRLQ86LRe1+EBVf0QfmY=; b=bWY3XG1NesnrV5yc29kklaKbbd0fpepuckMiqfCKnRAs8HYO40EbNWbTb2BEtRsZwV uKEtCFTPH+Yy16UQPUYFKKK1OknLqU7G1DO+qI+OV0YslXuWjw2kS5UPRavlNzeqKqXM gZNsZcxDenKwtCQYUbsMo8RT17SBndnr9/xJKGS+4uhmwT94+u9peEKwx4jL9yxFJ/zs W+xvYvtYkTNMALf4xY6vttYJ3P5pmUEcWJJMg5QHWJSCvfrKbF9at9TbR5b57pz6Z1zP KGYyaU0bqsb55Wig47BIt0qp3AvmeOLfDs2R0g57LIzlEy6WdFJ/qDvwcRGIBFEQ6+9p gGiA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CwjwoT7X9yD1zXTUU/QuVAWaRLQ86LRe1+EBVf0QfmY=; b=oFlBvsd7fU/W8GPxuOT3rd5vMqeHtwvZpHkTv8RZ7McondCMKa0QJtM3+BW8Y9zSYE 1ys7DEKzscYc+P+B/FzOCkNqZmqLgUG1sNRZd6eqY5zENVD3P1w2bQG81jItb7veylRU 8exWgOAPVYAZviBE92QOgZnHNZro2Y3CHSl7FFO0KHPobhQr46mn3tUEs/OeRZ8U5N+1 TIIV6g/YQnlSQEyhtF+m0OW4mN5pgnnSq0TBs8TUnD+p2Q/dBRdiOPY2ZVn3n7OpmlCm 17vsGBYctd5a3QFjXPmcGqRbBpzciUO1noHiK12879JJaaR73Q9VyaT9zj2VsEegHLS5 z8XA==
X-Gm-Message-State: AOAM533r6woipEJYv8EA45CkD7WQAOIGkT9+k7zT+eg58XplsWld5PUK nremNoaV0gIrAA+yOJ+piAxRKtaBDxcNzsPAUCi9
X-Google-Smtp-Source: ABdhPJyvuxC9ChVC6Yyg+5FqMC0AiGxNj3nuY7uIeLdIRAW/cqgI4WDOKvdQOn9ql+Va/b7reccLx64+DtttOy6sBUg=
X-Received: by 2002:a25:ef08:0:b0:628:8d01:870 with SMTP id g8-20020a25ef08000000b006288d010870mr6819613ybd.610.1646242179205; Wed, 02 Mar 2022 09:29:39 -0800 (PST)
MIME-Version: 1.0
References: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de> <CAP=vD9uLY6jissAZaEcEYLW2xNAr1NFgz7aO_NAjtuhs-C2pPA@mail.gmail.com> <CAJot-L1AH-_bHtvwPyiJSnW5AfpDTYHwOki1a3Lfc2iLCue5=g@mail.gmail.com> <ddaca239-fd96-4116-f607-821fdd2d9ee7@danielfett.de>
In-Reply-To: <ddaca239-fd96-4116-f607-821fdd2d9ee7@danielfett.de>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 2 Mar 2022 18:29:28 +0100
Message-ID: <CAJot-L0vqZEaj3f1BJ9p2TmgBkv7fB8qDPLVWfwxb-Lmuw=Z6A@mail.gmail.com>
To: Daniel Fett <fett@danielfett.de>
Cc: Sascha Preibisch <saschapreibisch@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004e5d1205d93fa00b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hbtW3zWdRumKE0CBDb5FDBWnoNE>
Subject: Re: [OAUTH-WG] OAuth: The frustrating lack of good libraries
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2022 17:29:46 -0000

--0000000000004e5d1205d93fa00b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

>
> I like the idea of a machine-readable feature support document...
> discovering those documents might still be a problem, though.


Yay! I don't think it is hard to build a bot to iterate github/github and
pull these. It gives us a starting point for how to attack this problem.

The key components would be:

   - OAuth WG defines what the existing features are - is this even
   possible?
   - We would have to keep track of those and make sure that list is up to
   date (we already do this for existing discovery documents), is this a
   burden for us?
   - ....
   - Profit

I think tools like openapi.tools would start to pop up, and places like
oauth.net could choose to host this.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Wed, Mar 2, 2022 at 6:11 PM Daniel Fett <fett@danielfett.de> wrote:

> Hi Warren,
> Am 02.03.22 um 17:05 schrieb Warren Parad:
>
> I don't think flooding this thread with random libraries is going to
> benefit anyone, so let's not do that.
>
> I agree, and that was not the aim of my question.
>
>
>
> Back to the question, and it is an interesting one. It makes sense to
> dissect it a bit first. Who is struggling with "OAuth libraries" and what
> is even the responsibility of one of them.
>
> *I'll start with my recommendation:*
>
>    - 0) We shouldn't build anything, and we shouldn't curate lists of
>    libraries and packages.
>
> I'm not suggesting that we build any libraries, that would be a bad idea.
> I'm not so sure on curated lists, however.
>
>
>
>    - 1) We should make this information about libraries discoverable and
>    trackable. For instance with AS discovery docs we can enable adding
>    properties that link to SDKs in languages that the AS decides to support.
>
> I think that this goes into a completely wrong direction. Authorization
> servers should never be built towards certain libraries, in an ideal world
> at least. Also, why would I as an API provider even have to know about the
> SDKs? If my API follows the rules, any client library that follows the same
> rules should work.
>
>
>
>    - 2) We can document a "discovery doc" for libraries to self publish
>    detailing their features (in case they aren't associated with an AS). Then
>    anyone who wants to build lists of libraries with supporting features, can
>    easily compile these documents. All we have to do is define "OAuth SDK
>    features", and this will enable everyone else to create SDK
>    listings/feature comparisons. It can even be automated.
>
> I like the idea of a machine-readable feature support document...
> discovering those documents might still be a problem, though.
>
>
> *My concerns:*
> I think we have to break it down first into some key areas:
>
>    - There are OAuth user-agent clients
>       - Mobile app clients for each of the app os, and further for each
>       of the app development frameworks
>       - Web apps
>       - Desktop apps
>    - There are OAuth machine clients
>    - BFF oauth code exchange clients
>       - client credentials clients
>       - third party machine clients
>       - leaf clients that need to validate authorization tokens
>       - [One caveat to this is that these can and will be written in
>       every possible language available]
>    - There are OAuth Authorization servers
>    - Open source ones
>       - SaaS models
>       - AS in a container
>       - embedded cloud native solutions
>       - potentially user controlled
>
> Obviously this isn't a full list, but looking at each of these,
> specialization in the world of software libraries tells us that likely
> every one of these could and will be its own library. Just looking at this
> shortlist, and the story of "which library" should you use becomes
> incredibly complicated. If we have libraries that purport to solve all
> these problems, then it becomes a gratuitous burden on developers to pick
> the right library, which isn't interchangeable with others. They aren't
> pluggable.
>
> I don't think that a library which supports only selected scenarios (e.g.,
> a mobile app on Android) is a problem, as long as that is well documented.
>
> Also, I wouldn't expect the same library API for each library to make them
> exchangeable. They don't need to be interchangeable, because that would
> mean that somebody is doing the same work as someone else.
>
>
>
> Additionally, for the purposes of branding and documentation, most of
> these will be wrapped by brand specific implementations so that careful
> validation and control over key features can be communicated. Further,
> since the landscape moves quickly providers want to stay up to date,
> putting links all over your documentation pages saying "this library does
> not yet support said feature" is terrible. This is still frequently the
> case, and so providers are encouraged to lie, "We support this*" - but you
> have to do these hacks after you download the library to support it.
>
> I'm not sure I'm following your thoughts here... could you please expand
> on that?
>
>
>
> Further, there are sane defaults that make sense for a wrapper for a
> dedicated and opinionated solution that don't make sense in a generic one.
> The whole class of AS libraries are hidden from external developers, so
> there is very little value in a "whole solution" and more value in
> delivering what these AS need. Since they have their own motivations, they
> are already either open sourcing their solutions or keeping it closed and
> won't contribute. This is arguably the set where libraries offer the most
> value, but because of these reasons it is a lost cause.
>
> I agree that the problem space is different for servers than it is for
> clients. Let's focus on clients in this thread.
>
>
>
> The second set is machine clients. Most of this is very similar to the
> last section of AS, but very little of it is OAuth specific. Most of it is
> "Add an authorization header" or "call this specific endpoint one time". A
> couple of lines in the documentation is sufficient for handling this. Which
> leaves "How to verify an OAuth token". Having built a library for tons of
> languages to handle not just OAuth but other things, the challenge here
> isn't the OAuth part. Sure there is some knowledge around how to convert
> the *issuer* to the JWK using the discovery document, but a library only
> marginally improves the state. And the amount of work for branded libraries
> to add this in is still trivial. The real problem with these is that the
> crypto communities in different languages don't make it easy to do this. If
> you think explaining OAuth is challenging, try to explain libsodium
> requirements, they don't care, and we can't fix that with a library. We can
> fix that by contributing to the available crypto tools so OAuth
> verification can be easier. Thankfully we don't have to, because the
> branded products will release their open source version implementing or
> fixing these because they are motivated to do so.
>
> Machine clients might need to use MTLS, DPoP, or something similar. There
> is value in a library for machine clients as well. And since this use case
> is often more or less a subset of interactive clients, I would expect that
> most libraries will support both anyway.
>
>
>
> Now I get to the OAuth user-agent/facing clients. Web apps complexity here
> is usually the framework, and dance around, what do I do with the state,
> and the redirect so the user ends up in the right place. A library isn't
> going to fix that, and even if it did, it isn't OAuth that is the issue
> here, it is a lack of good browser apis to support easy navigation.
>
> Which leaves us with, are we talking about mobile apps or desktop clients?
> Because we are talking about one of these other categories, there isn't
> enough value in there to list them any more than there is value in listing
> OIDC providers that support OAuth. Being met with a list of hundreds of
> libraries and packages doesn't make for a good experience, and do those
> same developers know if they need PKCE, EdDSA signatures, a library that
> supports mTLS, probably not.
>
> That's why I'm advocating for a profile that covers many use cases. If I
> can tell a developer to go and find a library that supports
> OAuth-Modern-Feature-Set®, and it would be common for libraries to
> advertise their support for that, the problem would be much smaller.
>
> -Daniel
>
>
>
> - Warren
>
> Warren Parad
>
> Founder, CTO
> Secure your user data with IAM authorization as a service. Implement
> Authress <https://authress.io/>.
>
>
> On Wed, Mar 2, 2022 at 4:33 PM Sascha Preibisch <saschapreibisch@gmail.com>
> wrote:
>
>> Hello Daniel!
>>
>> Some time ago I started an open source project: Loginbuddy.
>> Loginbuddy is a tool that mainly supports OpenID Connect based logins.
>>
>> It can be deployed as a standalone service or be used as a side-car next
>> to other docker containers in the same network.
>>
>> Although it is not necessarily a library, it may be worth looking into
>> it. I could imagine that Loginbuddy would also be a good starting point for
>> extensions that serve more flows and more general features of OAuth/ OpenID
>> Connect. With more contributors I see a chance for Loginbuddy to be more
>> Connect. With more contributors I see a chance for Loginbuddy to be more
>> widely used and help address your concerns.
>>
>> Please have a look here:
>> https://loginbuddy.net
>>
>> I just updated the web site. Or visit the GitHub project:
>> https://github.com/SaschaZeGerman/loginbuddy
>>
>> In any case, that is my current contribution to the developer community.
>>
>> Thanks,
>> Sascha
>>
>> On Tue, Mar 1, 2022 at 9:18 AM Daniel Fett <fett@danielfett.de> wrote:
>>
>>> Hi all,
>>>
>>> While helping clients to onboard into the yes ecosystem, in my
>>> consulting work, and in discussions with developers implementing OAuth 2.0,
>>> one topic comes up increasingly often: The (somewhat frustrating) lack of
>>> good, modern, and universal OAuth libraries.
>>>
>>> Many of the libraries out there have one or more of the following
>>> drawbacks:
>>>
>>> * They are not maintained any longer
>>> * They are not well documented (e.g., it is often unclear which
>>>   specifications are supported)
>>> * They support only a subset of the OAuth 2.0 specification
>>> * They work only with selected providers (e.g., Google, Facebook, etc.)
>>> * It is unclear whether they follow recent security recommendations
>>> * They do not support modern features, such as PKCE, AS Metadata, MTLS,
>>>   etc.
>>>
>>> Exceptions exist, of course, like Filip's Node.js implementation and the
>>> nimbus library for Java. But apart from those rare cases, when a developer
>>> asks me what library to use, my answer is often: "I don't think there's a
>>> good one in your language". It is a telltale sign that many providers of
>>> OAuth protected APIs also provide a custom OAuth implementation in their
>>> SDKs, which they then often have to maintain for a number of languages.
>>> This creates unnecessary costs and friction, e.g., when introducing new
>>> security features.
>>>
>>> At the same time, practically every language/framework comes with a TLS
>>> stack and making HTTPS requests is often just a few lines of code. Why
>>> aren't we there yet with OAuth? I'm well aware that OAuth 2.0 is a
>>> framework, not a single protocol like TLS, but the mentioned libraries
>>> show that this does not preclude a comprehensive library support.
>>>
>>> If I had to speculate about the reasons for this mess, I'd say that there
>>> are three:
>>>
>>> * The core of OAuth is easy to implement. The need to create or use a
>>>   library might not be obvious to developers. Of course, if you want a
>>>   proper implementation with correct error handling, observing all the
>>>   security recommendations, etc., the effort is huge. But just getting
>>>   OAuth to work for one specific use case is relatively easy.
>>> * OAuth is traditionally hard to configure: authorization and token
>>>   endpoint URLs, client id and secret, supported scopes (and claims for
>>>   OIDC), supported response types and modes, and required security
>>>   features are just some of the things a developer has to figure out -
>>>   often from the API's documentation - to get everything up and running.
>>>   Even though configuration is not the same as implementation, I imagine
>>>   that this complexity can lead to the perception that there are barely
>>>   any commonalities between different OAuth flows. There might be no
>>>   value, after all, in an OAuth library, if I have to provide so many
>>>   details myself.
>>> * With many extensions and specifications to choose from, it can be hard
>>>   to select a reasonable subset to support.
>>>
>>> What can we do about this? I'm not sure, but I have a few ideas.
>>>
>>> * Of course, one step would be to increase visibility and documentation
>>>   for existing implementations: Beyond listing libraries (like the list
>>>   on oauth.net <http://oauth.net>), it would be great to have a place to
>>>   go to find libraries based on their feature support. I'm sure there are
>>>   more good libraries out there.
>>> * The OpenID Foundation has a great set of conformance tests for OIDC,
>>>   FAPI and other stuff. Creating conformance tests for OAuth would be
>>>   harder, given that the framework leaves many options for implementers
>>>   to choose from. I'm not sure if running a conformance programme would
>>>   be in the scope of IETF, but it can be worthwhile to think about if we
>>>   could support such an endeavor.
>>> * The single most important thing to do would, in my opinion, be to set
>>>   a goal: Tell library developers and language maintainers what can be
>>>   expected from a good, modern, and universal OAuth library. Such a
>>>   recommendation would shine a light on the most important extensions
>>>   for OAuth like PKCE and might even be a prerequisite for conformance
>>>   tests. It may turn out to be OAuth 2.1 or something else. For me, this
>>>   would in any case include AS Metadata, as that is the single most
>>>   valuable building block we have to address configuration complexity.
>>>
>>> I would be interested to hear what others think about this. Is this a
>>> problem worth addressing? Are there other solutions? Is this out of scope
>>> of our work here?
>>>
>>> -Daniel
>>>
>>> -- https://danielfett.de
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> -- https://danielfett.de
>
>

--0000000000004e5d1205d93fa00b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I like t=
he idea of a machine-readable feature support document... discovering those=
 documents might still be a problem, though.</blockquote><span class=3D"gma=
il-im" style=3D"color:rgb(80,0,80)"><br class=3D"gmail-Apple-interchange-ne=
wline"></span><div><div dir=3D"ltr" class=3D"gmail_signature" data-smartmai=
l=3D"gmail_signature"><div dir=3D"ltr">Yay! I don&#39;t think it is hard to=
 build a bot to iterate github/github and pull these. It gives us a startin=
g point for how to attack this problem.</div><div dir=3D"ltr"><br></div><di=
v dir=3D"ltr">The key components would be:<br><ul><li>OAuth WG defines what=
 the existing features are - is this even possible?</li><li>We would have t=
o keep track of those and make sure that list is up to date (we already do =
this for existing discovery documents), is this a burden for us?</li><li>..=
..</li><li>Profit</li></ul><div>I think tools like openapi.tools would star=
t to pop up, and places like <a href=3D"http://oauth.net">oauth.net</a> cou=
ld choose to host this.</div></div><div dir=3D"ltr"><br><table style=3D"bor=
der:none;border-collapse:collapse"><colgroup><col width=3D"214"><col width=
=3D"110"></colgroup><tbody><tr style=3D"height:0pt"><td style=3D"border-wid=
th:1pt;border-style:solid;border-color:rgb(255,255,255) rgb(204,204,204) rg=
b(255,255,255) rgb(255,255,255);vertical-align:top;padding:5pt;overflow:hid=
den"><p dir=3D"ltr" style=3D"line-height:1.2;border-width:1pt;border-style:=
solid;border-color:rgb(255,255,255);margin-top:0pt;margin-bottom:0pt"><span=
 style=3D"font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-colo=
r:transparent;vertical-align:baseline;white-space:pre-wrap"><span style=3D"=
border:none;display:inline-block;overflow:hidden;width:199px;height:34px"><=
img src=3D"https://lh6.googleusercontent.com/DNiDx1QGIrSqMPKDN1oKevxYuyVRXs=
qhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBhaZJg1BO45YOc1xs6r9KJ1fYsNHogY=
-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA" width=3D"199" height=3D"34" style=3D"margin=
-left: 0px; margin-top: 0px;"></span></span></p></td><td style=3D"border-wi=
dth:1pt;border-style:solid;border-color:rgb(255,255,255) rgb(255,255,255) r=
gb(255,255,255) rgb(204,204,204);vertical-align:top;padding:5pt;overflow:hi=
dden"><p dir=3D"ltr" style=3D"line-height:1.2;border-left:1pt solid rgb(255=
,255,255);border-right:1pt solid rgb(255,255,255);border-top:1pt solid rgb(=
255,255,255);margin-top:0pt;margin-bottom:0pt"><span style=3D"font-size:11p=
t;font-family:Lato,sans-serif;background-color:transparent;font-weight:700;=
vertical-align:baseline;white-space:pre-wrap">Warren Parad</span></p><p dir=
=3D"ltr" style=3D"line-height:1.2;border-left:1pt solid rgb(255,255,255);bo=
rder-right:1pt solid rgb(255,255,255);border-bottom:1pt solid rgb(255,255,2=
55);margin-top:0pt;margin-bottom:0pt"><font face=3D"Lato, sans-serif"><span=
 style=3D"font-size:13.3333px;white-space:pre-wrap">Founder, CTO</span></fo=
nt></p></td></tr></tbody></table><span style=3D"font-size:x-small">Secure y=
our user data with IAM authorization as a service. Implement=C2=A0</span><a=
 href=3D"https://authress.io/" style=3D"font-size:x-small" target=3D"_blank=
">Authress</a><span style=3D"font-size:x-small">.</span><br></div></div></d=
iv><br></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail=
_attr">On Wed, Mar 2, 2022 at 6:11 PM Daniel Fett &lt;<a href=3D"mailto:fet=
t@danielfett.de">fett@danielfett.de</a>&gt; wrote:<br></div><blockquote cla=
ss=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex">
 =20
   =20
 =20
  <div>
    <p>Hi Warren,<br>
    </p>
    <div>Am 02.03.22 um 17:05 schrieb Warren
      Parad:<br>
    </div>
    <blockquote type=3D"cite">
     =20
      <div dir=3D"ltr">I don&#39;t think flooding this thread with random
        libraries is going to benefit anyone, so let&#39;s not do that.</di=
v>
    </blockquote>
    <p>I agree, and that was not the aim of my question.</p>
    <p><br>
    </p>
    <blockquote type=3D"cite">
      <div dir=3D"ltr">
        <div><br>
        </div>
        <div>Back to the question, and it is an interesting one. It
          makes sense to dissect it a bit first. Who is struggling with
          &quot;OAuth libraries&quot; and what is even the responsibility o=
f one
          of them.
          <div><br>
          </div>
          <div><b>I&#39;ll start with my recommendation:</b></div>
          <div>
            <ul>
              <li>0) We shouldn&#39;t build anything, and we shouldn&#39;t
                curate lists of libraries and packages.</li>
            </ul>
          </div>
        </div>
      </div>
    </blockquote>
    <p>I&#39;m not suggesting that we build any libraries, that would be a
      bad idea. I&#39;m not so sure on curated lists, however.</p>
    <p><br>
    </p>
    <blockquote type=3D"cite">
      <div dir=3D"ltr">
        <div>
          <div>
            <ul>
              <li>1) We should make this information about libraries
                discoverable and trackable. For instance with AS
                discovery docs we can enable adding properties that link
                to SDKs in languages that the AS decides to support.</li>
            </ul>
          </div>
        </div>
      </div>
    </blockquote>
    <p>I think that this goes into a completely wrong direction.
      Authorization servers should never be built towards certain
      libraries, in an ideal world at least. Also, why would I as an API
      provider even have to know about the SDKs? If my API follows the
      rules, any client library that follows the same rules should work.</p=
>
    <p><br>
    </p>
    <blockquote type=3D"cite">
      <div dir=3D"ltr">
        <div>
          <div>
            <ul>
              <li>2) We can document a &quot;discovery doc&quot; for librar=
ies to
                self publish detailing=C2=A0their features (in case they
                aren&#39;t associated with an AS). Then anyone who wants to
                build lists of libraries with supporting features, can
                easily compile these documents. All we have to do is
                define &quot;OAuth SDK features&quot;, and this will enable
                everyone else to create SDK
                listings/feature=C2=A0comparisons. It can even be automated=
.</li>
            </ul>
          </div>
        </div>
      </div>
    </blockquote>
    <p>I like the idea of a machine-readable feature support document...
      discovering those documents might still be a problem, though.</p>
    <p><br>
    </p>
    <blockquote type=3D"cite">
      <div dir=3D"ltr">
        <div>
          <div><b>My concerns:</b></div>
          <div>I think we have to break it down first into some key
            areas:</div>
          <div>
            <ul>
              <li>There are OAuth user-agent clients</li>
              <ul>
                <li>Mobile app clients for each of the app os, and
                  further for each of the app development frameworks</li>
                <li>Web apps</li>
                <li>Desktop apps</li>
              </ul>
              <li>There are OAuth machine clients<br>
              </li>
              <ul>
                <li>BFF oauth code exchange clients</li>
                <li>client credentials clients</li>
                <li>third party machine clients</li>
                <li>leaf clients that need to validate authorization
                  tokens</li>
                <li>[One caveat to this is that these can and will be
                  written in every possible language available]</li>
              </ul>
              <li>There are OAuth Authorization servers<br>
              </li>
              <ul>
                <li>Open source ones<br>
                </li>
                <li>SaaS models</li>
                <li>AS in a container</li>
                <li>embedded cloud native solutions</li>
                <li>potentially user controlled</li>
              </ul>
            </ul>
            <div>Obviously this isn&#39;t a full list, but looking at each
              of these, specialization in the world of software
              libraries tells us that likely every one of these could
              and will be its own library. Just looking at this
              shortlist, and the story of &quot;which library&quot; should =
you use
              becomes incredibly complicated. If we have libraries that
              purport to solve all these problems, then it becomes a
              gratuitous burden on developers to pick the right library,
              which isn&#39;t interchangeable with others. They aren&#39;t
              pluggable.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <p>I don&#39;t think that a library which supports only selected
      scenarios (e.g., a mobile app on Android) is a problem, as long as
      that is well documented.</p>
    <p>Also, I wouldn&#39;t expect the same library API for each library to
      make them exchangeable. They don&#39;t need to be interchangeable,
      because that would mean that somebody is doing the same work as
      someone else. <br>
    </p>
    <p><br>
    </p>
    <blockquote type=3D"cite">
      <div dir=3D"ltr">
        <div>
          <div>
            <div><br>
            </div>
            <div>Additionally, for the purposes of branding and
              documentation, most of these will be wrapped by brand
              specific implementations so that careful validation and
              control over key features can be communicated. Further,
              since the landscape moves quickly providers want to stay
              up to date, putting links all over your documentation
              pages saying &quot;this library does not yet support said
              feature&quot; is terrible. This is still frequently the case,
              and so providers are encouraged to lie, &quot;We support this=
*&quot;
              - but you have to do these hacks after you download the
              library to support it.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <p>I&#39;m not sure I&#39;m following your thoughts here... could you p=
lease
      expand on that?</p>
    <p><br>
    </p>
    <blockquote type=3D"cite">
      <div dir=3D"ltr">
        <div>
          <div>
            <div><br>
            </div>
            <div>Further, there are sane defaults that make=C2=A0sense for =
a
              wrapper for a dedicated and opinionated solution that
              don&#39;t make sense in a generic one. The whole class of AS
              libraries are hidden from external developers, so there is
              very little value in a &quot;whole solution&quot; and more va=
lue in
              delivering what these AS need. Since they have their own
              motivations, they are already either open sourcing their
              solutions or keeping it closed and won&#39;t contribute. This
              is arguably the set where=C2=A0libraries offer the most value=
,
              but because of these reasons it is a lost cause.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <p>I agree that the problem space is different for servers than it
      is for clients. Let&#39;s focus on clients in this thread.</p>
    <p><br>
    </p>
    <blockquote type=3D"cite">
      <div dir=3D"ltr">
        <div>
          <div>
            <div><br>
            </div>
            <div>The second set is machine clients. Most of this is very
              similar to the last section of AS, but very little of it
              is OAuth specific. Most of it is &quot;Add an authorization
              header&quot; or &quot;call this specific endpoint one time&qu=
ot;. A
              couple of lines in the documentation is sufficient for
              handling this. Which leaves &quot;How to verify an OAuth
              token&quot;. Having built a library for tons of languages to
              handle not just OAuth but other things, the challenge here
              isn&#39;t the OAuth part. Sure there is some knowledge around
              how to convert the <b>issuer</b>=C2=A0to the JWK using the
              discovery document, but a library only marginally=C2=A0improv=
es
              the state. And the amount of work for branded libraries to
              add this in is still trivial. The real problem with these
              is that the crypto communities in different languages
              don&#39;t make it easy to do this. If you think explaining
              OAuth is challenging, try to explain libsodium
              requirements, they don&#39;t care, and we can&#39;t fix that =
with
              a library. We can fix that by contributing to the
              available crypto tools so OAuth verification can be
              easier. Thankfully we don&#39;t have to, because the branded
              products will release their open source version
              implementing or fixing these because they are motivated to
              do so.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <p>Machine clients might need to use MTLS, DPoP, or something
      similar. There is value in a library for machine clients as well.
      And since this use case is often more or less a subset of
      interactive clients, I would expect that most libraries will
      support both anyway.</p>
    <p><br>
    </p>
    <blockquote type=3D"cite">
      <div dir=3D"ltr">
        <div>
          <div>
            <div><br>
            </div>
            <div>Now I get to the OAuth user-agent/facing clients. Web
              apps complexity here is usually the framework, and dance
              around, what do I do with the state, and the redirect so
              the user ends up in the right place. A library isn&#39;t goin=
g
              to fix that, and even if it did, it isn&#39;t OAuth that is
              the issue here, it is a lack of good browser apis to
              support easy navigation.</div>
            <div><br>
            </div>
            <div>Which leaves us with, are we talking about mobile apps
              or desktop clients? Because we are talking about one of
              these other categories, there isn&#39;t enough value in there
              to list them any more than there is value in listing OIDC
              providers that support OAuth. Being met with a list of
              hundreds of libraries and packages doesn&#39;t make for a good
              experience, and do those same developers know if they need
              PKCE, EdDSA signatures, a library that supports mTLS,
              probably not.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <p>That&#39;s why I&#39;m advocating for a profile that covers many use
      cases. If I can tell a developer to go and find a library that
      supports OAuth-Modern-Feature-Set&reg;, and it would be common for
      libraries to advertise their support for that, the problem would
      be much smaller.</p>
    <p>-Daniel</p>
    <p><br>
    </p>
    <blockquote type=3D"cite">
      <div dir=3D"ltr">
        <div>
          <div>
            <div><br>
            </div>
            <div>- Warren</div>
            <div><br clear=3D"all">
              <div>
                <div dir=3D"ltr">
                  <div dir=3D"ltr">
                    <p><b>Warren Parad</b><br>
                      Founder, CTO</p>
                    <span style=3D"font-size:x-small">Secure your user data with IAM authorization as a service. Implement <a href=3D"https://authress.io/" target=3D"_blank">Authress</a>.</span><br>
                  </div>
                </div>
              </div>
              <br>
            </div>
          </div>
        </div>
      </div>
      <br>
      <div class=3D"gmail_quote">
        <div dir=3D"ltr" class=3D"gmail_attr">On Wed, Mar 2, 2022 at 4:33 PM Sascha Preibisch &lt;<a href=3D"mailto:saschapreibisch@gmail.com" target=3D"_blank">saschapreibisch@gmail.com</a>&gt; wrote:<br>
        </div>
        <blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div dir=3D"ltr">Hello Daniel!
            <div><br>
            </div>
            <div>Some time ago I started an open source project:
              Loginbuddy.</div>
            <div>Loginbuddy is a tool that mainly supports OpenID
              Connect based logins.</div>
            <div><br>
            </div>
            <div>It can be deployed as a standalone service or be used
              as a side-car next to other docker containers in the same
              network.</div>
            <div><br>
            </div>
            <div>Although it is not necessarily a library, it may be
              worth looking into it. I could imagine that Loginbuddy
              would also be a good starting point for extensions that
              serve more flows and more general features of OAuth/
              OpenID Connect. With more contributors I see a chance for
              Loginbuddy to be more widely used and help address your
              concerns.</div>
            <div><br>
            </div>
            <div>Please have a look here:</div>
            <div><a href=3D"https://loginbuddy.net" target=3D"_blank">https://loginbuddy.net</a></div>
            <div><br>
            </div>
            <div>I just updated the web site. Or visit the GitHub
              project:</div>
            <div><a href=3D"https://github.com/SaschaZeGerman/loginbuddy" target=3D"_blank">https://github.com/SaschaZeGerman/loginbuddy</a></div>
            <div><br>
            </div>
            <div>In any case, that is my current contribution to the
              developer community.</div>
            <div><br>
            </div>
            <div>Thanks,</div>
            <div>Sascha</div>
          </div>
          <br>
          <div class=3D"gmail_quote">
            <div dir=3D"ltr" class=3D"gmail_attr">On Tue, Mar 1, 2022 at 9:18 AM Daniel Fett &lt;<a href=3D"mailto:fett@danielfett.de" target=3D"_blank">fett@danielfett.de</a>&gt; wrote:<br>
            </div>
            <blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
              <div>
                <p>Hi all,</p>
                <p>While helping clients to onboard into the yes ecosystem, in my consulting work, and in discussions with developers implementing OAuth 2.0, one topic comes up increasingly often: The (somewhat frustrating) lack of good, modern, and universal OAuth libraries.</p>
                <p>Many of the libraries out there have one or more of the following drawbacks:</p>
                <ul>
                  <li>They are not maintained any longer</li>
                  <li>They are not well documented (e.g., it is often unclear which specifications are supported)</li>
                  <li>They support only a subset of the OAuth 2.0 specification</li>
                  <li>They work only with selected providers (e.g., Google, Facebook, etc.)</li>
                  <li>It is unclear whether they follow recent security recommendations</li>
                  <li>They do not support modern features, such as PKCE, AS Metadata, MTLS, etc.</li>
                </ul>
                <p>Exceptions exist, of course, like Filip&#39;s Node.js implementation and the nimbus library for Java. But apart from those rare cases, when a developer asks me what library to use, my answer is often: &quot;I don&#39;t think there&#39;s a good one in your language&quot;. It is a telltale sign that many providers of OAuth protected APIs also provide a custom OAuth implementation in their SDKs, which they then often have to maintain for a number of languages. This creates unnecessary costs and friction, e.g., when introducing new security features.</p>
                <p>At the same time, practically every language/framework comes with a TLS stack and making HTTPS requests is often just a few lines of code. Why aren&#39;t we there yet with OAuth? I&#39;m well aware that OAuth 2.0 is a framework, not a single protocol like TLS, but the mentioned libraries show that this does not preclude a comprehensive library support.</p>
                <p>If I had to speculate about the reasons for this mess, I&#39;d say that there are three:</p>
                <ul>
                  <li>The core of OAuth is easy to implement. The need to create or use a library might not be obvious to developers. Of course, if you want a proper implementation with correct error handling, observing all the security recommendations, etc., the effort is huge. But just getting OAuth to work for one specific use case is relatively easy.</li>
                  <li>OAuth is traditionally hard to configure: authorization and token endpoint URLs, client id and secret, supported scopes (and claims for OIDC), supported response types and modes, and required security features are just some of the things a developer has to figure out - often from the API&#39;s documentation - to get everything up and running. Even though configuration is not the same as implementation, I imagine that this complexity can lead to the perception that there are barely any commonalities between different OAuth flows. There might be no value, after all, in an OAuth library, if I have to provide so many details myself.</li>
                  <li>With many extensions and specifications to choose from, it can be hard to select a reasonable subset to support.</li>
                </ul>
                <p>What can we do about this?</p>
                <p>I&#39;m not sure, but I have a few ideas.</p>
                <ul>
                  <li>Of course, one step would be to increase visibility and documentation for existing implementations: Beyond listing libraries (like the list on <a href=3D"http://oauth.net" target=3D"_blank">oauth.net</a>), it would be great to have a place to go to find libraries based on their feature support. I&#39;m sure there are more good libraries out there.</li>
                  <li>The OpenID Foundation has a great set of conformance tests for OIDC, FAPI and other stuff. Creating conformance tests for OAuth would be harder, given that the framework leaves many options for implementers to choose from. I&#39;m not sure if running a conformance programme would be in the scope of IETF, but it can be worthwhile to think about if we could support such an endeavor.</li>
                  <li>The single most important thing to do would, in my opinion, be to set a goal: Tell library developers and language maintainers what can be expected from a good, modern, and universal OAuth library. Such a recommendation would shine a light on the most important extensions for OAuth like PKCE and might even be a prerequisite for conformance tests. It may turn out to be OAuth 2.1 or something else. For me, this would in any case include AS Metadata, as that is the single most valuable building block we have to address configuration complexity.</li>
                </ul>
                <p>I would be interested to hear what others think about this. Is this a problem worth addressing? Are there other solutions? Is this out of scope of our work here?</p>
                <p>-Daniel</p>
                <pre cols=3D"72">--=20
<a href=3D"https://danielfett.de" target=3D"_blank">https://danielfett.de</a></pre>
              </div>
              _______________________________________________<br>
              OAuth mailing list<br>
              <a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
              <a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
            </blockquote>
          </div>
          _______________________________________________<br>
          OAuth mailing list<br>
          <a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
          <a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
        </blockquote>
      </div>
    </blockquote>
    <pre cols=3D"72">--=20
<a href=3D"https://danielfett.de" target=3D"_blank">https://danielfett.de</a></pre>
  </div>

</blockquote></div>

--0000000000004e5d1205d93fa00b--
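
Daniel's quoted message argues that AS Metadata is the building block for configuration complexity and that PKCE is the extension a modern library must get right. The following is an added example (not code from the thread or from any library named in it) of a client consuming a constructed RFC 8414 metadata document, enforcing the issuer and PKCE checks, and deriving its authorization request from it; the issuer, endpoints, client_id and redirect URI are all constructed values.

```python
"""Client-side use of AS Metadata (RFC 8414) with PKCE (RFC 7636).

Added example for this thread; it is not code from the original message or
from any library named in it. The metadata document, client_id and redirect
URI are constructed; a real client fetches the document from
<issuer>/.well-known/oauth-authorization-server over HTTPS.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

EXAMPLE_ISSUER = "https://as.example"  # constructed

# Constructed metadata shaped like an RFC 8414 response. The last two keys
# are the sender-constraint indicators from RFC 9449 (DPoP) and RFC 8705 (mTLS).
EXAMPLE_METADATA_JSON = json.dumps({
    "issuer": EXAMPLE_ISSUER,
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["private_key_jwt"],
    "dpop_signing_alg_values_supported": ["ES256"],
    "tls_client_certificate_bound_access_tokens": True,
})


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def load_metadata(expected_issuer: str, document: str) -> dict:
    """Parse the metadata and refuse configurations a modern client must not use.

    The issuer check (RFC 8414 section 3.3) stops a client from silently using
    endpoints published by a different AS; the PKCE check makes S256 a hard
    requirement rather than an optional extra.
    """
    md = json.loads(document)
    if md.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r != %r" % (md.get("issuer"), expected_issuer))
    for key in ("authorization_endpoint", "token_endpoint"):
        if not str(md.get(key, "")).startswith("https://"):
            raise ValueError("%s missing or not https" % key)
    if "S256" not in md.get("code_challenge_methods_supported", []):
        raise ValueError("AS does not advertise PKCE S256")
    return md


def metadata_is_acceptable(expected_issuer: str, document: str) -> bool:
    """True iff load_metadata() accepts the document."""
    try:
        load_metadata(expected_issuer, document)
        return True
    except ValueError:
        return False


def new_verifier() -> str:
    """43-character code_verifier drawn from the RFC 7636 unreserved alphabet."""
    return b64url(secrets.token_bytes(32))


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = base64url(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(md: dict, client_id: str, redirect_uri: str,
                            scope: str, verifier: str, state: str) -> str:
    """Assemble the authorization request from the metadata, not hand-copied URLs."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return md["authorization_endpoint"] + "?" + urlencode(params)


def sender_constraint_options(md: dict) -> list:
    """Sender-constraining mechanisms the AS advertises beyond bearer tokens."""
    opts = []
    if md.get("dpop_signing_alg_values_supported"):
        opts.append("dpop")
    if md.get("tls_client_certificate_bound_access_tokens"):
        opts.append("mtls")
    return opts


if __name__ == "__main__":
    md = load_metadata(EXAMPLE_ISSUER, EXAMPLE_METADATA_JSON)
    verifier = new_verifier()  # keep it; it is sent to the token endpoint later
    print(build_authorization_url(md, "client-123", "https://app.example/cb",
                                  "read", verifier, secrets.token_urlsafe(16)))
    print("sender-constraint options:", sender_constraint_options(md))
```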


From nobody Wed Mar  2 09:37:58 2022
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D34D33A0953 for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 09:37:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.943
X-Spam-Level: 
X-Spam-Status: No, score=-0.943 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.186, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aWyAnZ8kd57V for <oauth@ietfa.amsl.com>; Wed,  2 Mar 2022 09:37:52 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp03.smtpout.orange.fr [80.12.242.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75C713A0949 for <oauth@ietf.org>; Wed,  2 Mar 2022 09:37:52 -0800 (PST)
Received: from [192.168.1.11] ([82.121.202.228]) by smtp.orange.fr with ESMTPA id PSv4n5BRQhTNkPSv4n0Wdb; Wed, 02 Mar 2022 18:37:50 +0100
X-ME-Helo: [192.168.1.11]
X-ME-Auth: OWU3ZmVkYWM0M2UwZWM1YifxM2Q3ZDk1YiUzNWJiZTM2MiliMTI0N2YxZmQ=
X-ME-Date: Wed, 02 Mar 2022 18:37:50 +0100
X-ME-IP: 82.121.202.228
Content-Type: multipart/alternative; boundary="------------wovuG35aQNctHSfSWl0VGcRk"
Message-ID: <1addc3c4-e535-a8a2-327d-fbc6f9236924@free.fr>
Date: Wed, 2 Mar 2022 18:37:47 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.6.1
Content-Language: en-GB
To: Daniel Fett <fett@danielfett.de>, oauth@ietf.org
References: <4DBCAEEA-08E0-4E93-AFEC-D990C8729E81@aueb.gr> <af88872d-ff93-d82a-924b-affcdd4a1535@danielfett.de>
From: Denis <denis.ietf@free.fr>
In-Reply-To: <af88872d-ff93-d82a-924b-affcdd4a1535@danielfett.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dmOiyYg8vOXyYkjH_7TYaIzWB3g>
Subject: Re: [OAUTH-WG] proof of access token possession using client secret
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2022 17:37:57 -0000

This is a multi-part message in MIME format.
--------------wovuG35aQNctHSfSWl0VGcRk
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Nikos,

You wrote:

     I would like to prevent clients from sharing their access tokens.

Proof of access token possession using client secret is unable to 
prevent clients from sharing their access tokens.

When two clients agree to collaborate, one client can perform all the 
cryptographic computations that the other client needs (without the need 
to release the private key to the other client).

At the last OAuth security workshop, I presented a solution. Hereafter is 
an extract of the abstract:

     Access tokens that contain a binding user-identifier (buid) field 
provide a protection against collusions between two collaborative clients
     that key-bound access tokens are unable to provide.

     The use of a binding user-identifier (buid) field allows a client 
to choose between different contexts and between different privacy 
properties.

     More details are present in 
https://www.ietf.org/id/draft-pinkas-gnap-core-protocol-00.txt

Daniel,

You wrote:

    If the clients share the access tokens, they might as well share
    access to the resource server (forwarding requests and responses).
    You can't really prevent that.

When you consider the existence of user accounts and in the context of 
some practical cases, you can prevent that.


> What exactly is the attack that you're trying to prevent?
>
> If the clients share the access tokens, they might as well share 
> access to the resource server (forwarding requests and responses). You 
> can't really prevent that.
>
> DPoP or MTLS, potentially with non-exportable keys, might be a better 
> approach, but it depends on the attack you have in mind.
>
> -Daniel
>
> Am 02.03.22 um 16:58 schrieb Nikos Fotiou:
>> Hi all,
>>
>> I am working on a use case where the Authorization Server and the Resource Server are the same entity. I would like to prevent clients from sharing their access tokens. I am wondering if requiring clients to include the "client secret" in the resource access request (in addition to the access token) is a valid strategy. This way clients would have to share their "client secret" in addition to the access token. Would that work?
>>
>> Best,
>> Nikos
>> --
>> Nikos Fotiou -http://pages.cs.aueb.gr/~fotiou
>> Researcher - Mobile Multimedia Laboratory
>> Athens University of Economics and Business
>> https://mm.aueb.gr
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> -- 
> https://danielfett.de
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--------------wovuG35aQNctHSfSWl0VGcRk--


From nobody Thu Mar  3 10:56:07 2022
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 3 Mar 2022 18:55:38 +0000
Message-ID: <SJ0PR00MB1005B30CC1673F6305480D12F5049@SJ0PR00MB1005.namprd00.prod.outlook.com>
Content-Type: multipart/alternative; boundary="_000_SJ0PR00MB1005B30CC1673F6305480D12F5049SJ0PR00MB1005namp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wH0np9yKSGnBnLpaiJsR0Dx2fHk>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-06.txt

--_000_SJ0PR00MB1005B30CC1673F6305480D12F5049SJ0PR00MB1005namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_SJ0PR00MB1005B30CC1673F6305480D12F5049SJ0PR00MB1005namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_SJ0PR00MB1005B30CC1673F6305480D12F5049SJ0PR00MB1005namp_--


From nobody Fri Mar  4 14:29:59 2022
From: David Waite <david@alkaline-solutions.com>
Message-Id: <2B67EB69-3145-49BF-A209-A6EAD5BE9726@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E77655AD-DCE6-4414-941C-14E7BD0BE53B"
Mime-Version: 1.0
Date: Fri, 4 Mar 2022 15:29:46 -0700
In-Reply-To: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de>
Cc: oauth <oauth@ietf.org>
To: Daniel Fett <fett@danielfett.de>
References: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7M3VHACD17i91mAPhWPIPSwJkDY>
Subject: Re: [OAUTH-WG] OAuth: The frustrating lack of good libraries

--Apple-Mail=_E77655AD-DCE6-4414-941C-14E7BD0BE53B
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8


> On Mar 1, 2022, at 10:18 AM, Daniel Fett <fett@danielfett.de> wrote:
>
>  * The core of OAuth is easy to implement. The need to create or use a library might not be obvious to developers. Of course, if you want a proper implementation with correct error handling, observing all the security recommendations, etc., the effort is huge. But just getting OAuth to work for one specific use case is relatively easy.

I’d argue this point - it is not easy to implement. It is far easier to describe.

The separation between codes, refresh and access tokens means that you have logic from a library being integrated at multiple levels, from API access to persistence to user presentation. There are also complexities that arise - any API call could require changes to persistence or new user interaction.

Because of the variability in the kinds of applications which could be supported, many libraries wind up looking like simple message object builders, with complex state and processing mechanisms underneath that do not necessarily map at all into the application architecture. On top of this you have to extend your own app with the communication and asynchronicity required.

>   * OAuth is traditionally hard to configure: authorization and token endpoint URLs, client id and secret, supported scopes (and claims for OIDC), supported response types and modes, and required security features are just some of the things a developer has to figure out - often from the API's documentation

I find the OAuth Server Metadata response to be a good format for the server configuration (even if not hosted via well-known, or if it is client-specific), and the client metadata from RFC 7591 to be a good start.

<snip>

> What can we do about this?

<snip>

>  * The OpenID Foundation has a great set of conformance tests for OIDC, FAPI and other stuff. Creating conformance tests for OAuth would be harder, given that the framework leaves many options for implementers to choose from. I’m not sure if running a conformance programme would be in the scope of IETF, but it can be worthwhile to think about if we could support such an endeavor.

I would suspect it would be adding more constraints to profile behavior (beyond what we have done already in say the Security BCP) and then having tooling and conformity assessments based on that profile. My scope suspicion is that tooling and testing would be external.

<snip>

>  * The single most important thing to do would, in my opinion, be to set a goal: Tell library developers and language maintainers what can be expected from a good, modern, and universal OAuth library. Such a recommendation would shine a light on the most important extensions for OAuth like PKCE and might even be a prerequisite for conformance tests. It may turn out to be OAuth 2.1 or something else. For me, this would in any case include AS Metadata, as that is the single most valuable building block we have to address configuration complexity.

The only wrinkle I would add is that pre-established clients may have per client AS metadata, but the AS metadata format itself (e.g. JSON with specific keys) is still useful for representing that in a consistent manner as a format (rather than an endpoint). I have seen some slight extensions there, such as a parameter to provide JWK information inline.

Client metadata is harder, as there may be information in both the request and response that needs to be understood, as well as local configuration and secrets (such as private keys). There is also a chance for reproduction as well as uncaught differences when supporting multiple distinct AS as a client.

-DW
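The two points above (AS metadata used as a configuration format rather than an endpoint, possibly with per-client overrides, and client metadata that has to be reconciled with local configuration and secrets) in working form. This is an added example, not code from this thread or from any library mentioned in it. It uses the RFC 8414 key names; the inline `jwks` member stands in for the kind of inline-key extension mentioned above and is hypothetical; every document and secret below is constructed sample data, and treating an absent `code_challenge_methods_supported` as "S256 unsupported" is a deliberate policy choice of this example.

```python
"""AS metadata (RFC 8414 key names) treated as a client-side configuration
format, with the checks a careful OAuth library would run before using it.
Added example; the inline "jwks" member is a hypothetical extension and all
documents are constructed samples."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint")


@dataclass
class ClientConfig:
    """RFC 7591-style client metadata plus the local secret that never
    appears in a registration request or response."""
    client_id: str
    issuer: str                     # the AS this client is registered with
    redirect_uris: tuple
    token_endpoint_auth_method: str = "none"
    client_secret: str | None = None


def _is_https(url: str) -> bool:
    p = urlsplit(url)
    return p.scheme == "https" and bool(p.netloc) and not p.fragment


def validate_as_metadata(doc: dict, expected_issuer: str) -> list:
    """Return the problems found; an empty list means the document is usable."""
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in doc]
    if problems:
        return problems
    if doc["issuer"] != expected_issuer:
        problems.append(f"issuer mismatch: expected {expected_issuer!r}, got {doc['issuer']!r}")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and not _is_https(doc[key]):
            problems.append(f"{key} must be an https URL without fragment")
    # Policy choice of this example: PKCE S256 must be advertised, not assumed.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("S256 not listed in code_challenge_methods_supported")
    if "jwks_uri" not in doc and "jwks" not in doc:
        problems.append("no key material: neither jwks_uri nor inline jwks")
    return problems


def merge_per_client_metadata(base: dict, override: dict) -> dict:
    """Per-client AS metadata reuses the published keys; the issuer is pinned so
    an override can never re-home the client to a different AS."""
    if "issuer" in override and override["issuer"] != base["issuer"]:
        raise ValueError("per-client metadata may not change the issuer")
    merged = dict(base)
    merged.update(override)
    return merged


def check_client_against_as(client: ClientConfig, doc: dict) -> list:
    """Catch local-config vs. metadata divergences, the kind that surface when
    one client talks to several distinct AS."""
    problems = []
    if client.issuer != doc.get("issuer"):
        problems.append("client is registered with a different issuer than this metadata")
    # RFC 8414: when the list is absent, client_secret_basic is the default.
    supported = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    method = client.token_endpoint_auth_method
    if method not in supported:
        problems.append(f"AS does not support token endpoint auth method {method!r}")
    if method.startswith("client_secret") and not client.client_secret:
        problems.append(f"{method} requires a client_secret but none is configured")
    for uri in client.redirect_uris:
        # Loopback redirects for native apps are the one tolerated http exception.
        if not _is_https(uri) and not uri.startswith("http://127.0.0.1"):
            problems.append(f"redirect_uri {uri!r} is neither https nor loopback")
    return problems


# Constructed sample documents (example.com hosts, not real deployments).
GOOD_AS = {
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "jwks_uri": "https://as.example.com/jwks",
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
}
WEAK_AS = {
    "issuer": "https://as.example.com",
    "authorization_endpoint": "http://as.example.com/authorize",  # plaintext endpoint
    "token_endpoint": "https://as.example.com/token",
    # no key material and no PKCE method advertised
}
PER_CLIENT_OVERRIDE = {  # client-specific token endpoint + hypothetical inline keys
    "token_endpoint": "https://as.example.com/tenants/acme/token",
    "jwks": {"keys": [{"kty": "EC", "crv": "P-256", "kid": "constructed-kid-1"}]},
}
CLIENT = ClientConfig("acme-web", "https://as.example.com", ("https://app.example.com/cb",),
                      "client_secret_basic", "constructed-secret-value")


def run_checks() -> dict:
    """Evaluate the samples; returns the problem list for each scenario."""
    merged = merge_per_client_metadata(GOOD_AS, PER_CLIENT_OVERRIDE)
    other_as = {**GOOD_AS, "issuer": "https://other.example.net"}
    return {
        "good": validate_as_metadata(GOOD_AS, "https://as.example.com"),
        "weak": validate_as_metadata(WEAK_AS, "https://as.example.com"),
        "merged": validate_as_metadata(merged, "https://as.example.com"),
        "client_ok": check_client_against_as(CLIENT, merged),
        "client_wrong_as": check_client_against_as(CLIENT, other_as),
    }


if __name__ == "__main__":
    for name, found in run_checks().items():
        print(name, "->", found or "ok")
```

Running it reports the weak document three times over (plaintext authorization endpoint, no PKCE method, no key material), accepts the per-client merge because the issuer is unchanged, and flags the client when it is pointed at metadata from a different issuer; an override that tries to change the issuer raises instead of being merged.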

--Apple-Mail=_E77655AD-DCE6-4414-941C-14E7BD0BE53B--


From nobody Mon Mar  7 12:37:07 2022
MIME-Version: 1.0
References: <CADNypP_6JkWJpO0pHo8VrJiruEqutf+AOT+WGKSn4nCW0wu_9A@mail.gmail.com> <em663672f7-0ac7-4694-ba30-14a311715d62@desktop-4sfjljk> <3D15DD4D-A18A-4749-8947-BB5B4E0B5B7A@lodderstedt.net>
In-Reply-To: <3D15DD4D-A18A-4749-8947-BB5B4E0B5B7A@lodderstedt.net>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Mon, 7 Mar 2022 15:36:45 -0500
Message-ID: <CADNypP982ALsggWs9YrBB5YpLgez_8AujVhTQ-eHpFB8+k+cUg@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: John Bradley <ve7jtb@ve7jtb.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000050edba05d9a6d32f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cxWkO__9jO_sci0_x3kJFbpj2Gg>
Subject: Re: [OAUTH-WG] Second WGLC for JWK Thumbprint URI document

--00000000000050edba05d9a6d32f
Content-Type: text/plain; charset="UTF-8"

Based on the feedback we received on this document, we believe that we have
a consensus to move forward with this document.

Regards,
 Rifaat & Hannes


On Thu, Feb 24, 2022 at 2:51 PM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

> I support publication.
>
> On 24. Feb 2022, at 17:45, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> I support publication.
>
> ------ Original Message ------
> From: "Rifaat Shekh-Yusef" <rifaat.s.ietf@gmail.com>
> To: "oauth" <oauth@ietf.org>
> Sent: 2/21/2022 10:12:00 AM
> Subject: [OAUTH-WG] Second WGLC for JWK Thumbprint URI document
>
> All,
>
> Mike and Kristina made the necessary changes to address all the great
> comments received during the initial WGLC.
>
> This is a *second* WG Last Call for this document to make sure that the
> WG has a chance to review these changes:
> https://www.ietf.org/archive/id/draft-ietf-oauth-jwk-thumbprint-uri-00.html
>
> Please, provide your feedback on the mailing list by *March 7th*.
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>


--00000000000050edba05d9a6d32f--


From nobody Mon Mar  7 15:08:00 2022
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 716ED3A0E5F; Mon,  7 Mar 2022 15:07:57 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.46.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: oauth@ietf.org
Message-ID: <164669447739.25313.14510833549077423621@ietfa.amsl.com>
Date: Mon, 07 Mar 2022 15:07:57 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/m5A2MCwejeTTuBevVFPxNpO0a70>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-09.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Mar 2022 23:07:58 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : OAuth 2.0 for Browser-Based Apps
        Authors         : Aaron Parecki
                          David Waite
	Filename        : draft-ietf-oauth-browser-based-apps-09.txt
	Pages           : 23
	Date            : 2022-03-07

Abstract:
   This specification details the security considerations and best
   practices that must be taken into account when developing browser-
   based applications that use OAuth 2.0.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-09

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-browser-based-apps-09


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts



From nobody Mon Mar  7 16:01:00 2022
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 93B613A11F5; Mon,  7 Mar 2022 16:00:23 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.46.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: oauth@ietf.org
Message-ID: <164669762354.31783.9412115984679191046@ietfa.amsl.com>
Date: Mon, 07 Mar 2022 16:00:23 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1boa_x2lOBKf2_y1iAF-nY2xjZM>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-05.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2022 00:00:24 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : The OAuth 2.1 Authorization Framework
        Authors         : Dick Hardt
                          Aaron Parecki
                          Torsten Lodderstedt
	Filename        : draft-ietf-oauth-v2-1-05.txt
	Pages           : 84
	Date            : 2022-03-07

Abstract:
   The OAuth 2.1 authorization framework enables a third-party
   application to obtain limited access to a protected resource, either
   on behalf of a resource owner by orchestrating an approval
   interaction between the resource owner and an authorization service,
   or by allowing the third-party application to obtain access on its
   own behalf.  This specification replaces and obsoletes the OAuth 2.0
   Authorization Framework described in RFC 6749.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-05.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-v2-1-05


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts



From nobody Fri Mar 11 03:06:02 2022
Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D49693A10E7; Fri, 11 Mar 2022 03:05:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level: 
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0E4ctDrb60as; Fri, 11 Mar 2022 03:05:37 -0800 (PST)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57A113A10CE; Fri, 11 Mar 2022 03:05:37 -0800 (PST)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id 3A18C1A417; Fri, 11 Mar 2022 11:05:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1646996734; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=jh3QHqjgTp71i+4cPSzl0nqnHnpjrqHQQpvde0B4FYw=; b=ZqDiC7EWSulSZDYmcsgFZkWIaMQgHucGRIQFnP8xJtKWzgKXgDIfKNVrTsYJNto5W/jG34 U8h3o8CHJpDvutk63fCQ59zqyMeyCkYlINg/WeuYxYIN2XuZZzmpLAbaHShcfsj6Aa2+BM quFOasOWlAVjv9qjDX2V+o8e3dO9JNI=
Content-Type: multipart/alternative; boundary="------------LJFTjVV6K0ZxZGYGDIwR99JH"
Message-ID: <44be7fac-0a09-da49-1891-044ba5bc4d89@danielfett.de>
Date: Fri, 11 Mar 2022 12:05:33 +0100
MIME-Version: 1.0
Content-Language: de-DE
From: Daniel Fett <fett@danielfett.de>
To: openid-specs-ab@lists.openid.net, openid-specs-ekyc-ida@lists.openid.net,  "oauth@ietf.org" <oauth@ietf.org>, txauth@ietf.org, openid-specs-fapi@lists.openid.net
References: <65435b42-3246-a51f-8bfb-eb55374d09da@danielfett.de>
In-Reply-To: <65435b42-3246-a51f-8bfb-eb55374d09da@danielfett.de>
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de;  s=dkim; t=1646996734; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=jh3QHqjgTp71i+4cPSzl0nqnHnpjrqHQQpvde0B4FYw=; b=vr2e6SCJYcxpOBkgDg/aOC86JYikqZaUqR1tXbUSeiKpK3mMOuj4gUGw9WXcvrEZIqluMs 6q4vzE/hm+T8MnpoGzhqs/VxcxW5cv5fWJdDd3Lt8Ak4RDJ0Qi5jfIhHUC1GRdDT4/lz5l DwGebzZMVfXG5Ufx3eKwd+9dYkzKAHc=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1646996734; a=rsa-sha256; cv=none; b=kWhp5JD+FlrZcaYa49XD1y3gWgGUgFdW0y/n2CfbnYZjkNMw7G7kZ83xY/v4/UYiCyVykO JkTweyQhq31p2ZG91TRJCdW+HbUA1UF3+RYHNrpmGhlrKgdVlSKGqOKmEyUgZbw95Rsanl ZZMyqbRGl4j2vR8Oj8TRkiF0GhnlxIQ=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: -
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4oIKrvmA-RYsRlNs3T-HAfnd8qs>
Subject: Re: [OAUTH-WG] OAuth Security Workshop 2022 - Tickets now available
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2022 11:05:45 -0000

This is a multi-part message in MIME format.
--------------LJFTjVV6K0ZxZGYGDIwR99JH
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi everyone,

as a quick reminder, there's less than a week left to book early bird 
tickets. If you want to submit a session proposal, please do so until 
March 23.

Thanks,
Daniel

On 11.02.22 at 22:27, Daniel Fett wrote:
>
> Hi everyone,
>
> I'm pleased to announce that the website for the OAuth Security 
> Workshop 2022 is now up: https://oauth.secworkshop.events/osw2022
>
> The three-day event takes place in Trondheim, Norway, from May 4 to 
> May 6, 2022.
>
> This workshop will *not* be a hybrid event. We might provide 
> recordings or a live stream, but to ask questions and partake in 
> discussions, on-site participation is required.
>
> Please visit the website for
>
>  * tickets - a limited amount of early bird tickets is available until 
> no later than March 17
>  * the Call for Sessions
>  * venue and schedule information
>  * hotel deals
>  * travel information
>  * sponsoring opportunities
>
> If you have any questions, feel free to contact me!
>
> -Daniel
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
https://danielfett.de


--------------LJFTjVV6K0ZxZGYGDIwR99JH--


From nobody Fri Mar 11 07:16:17 2022
Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AA023A16B3 for <oauth@ietfa.amsl.com>; Fri, 11 Mar 2022 07:16:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level: 
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bSEsB7jbpb0n for <oauth@ietfa.amsl.com>; Fri, 11 Mar 2022 07:16:14 -0800 (PST)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B28553A1683 for <oauth@ietf.org>; Fri, 11 Mar 2022 07:16:13 -0800 (PST)
Received: by mail-wr1-x42c.google.com with SMTP id j17so13496778wrc.0 for <oauth@ietf.org>; Fri, 11 Mar 2022 07:16:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;  h=mime-version:from:date:message-id:subject:to; bh=4fqiEvZxro5/aG6NA21Q5zPH3KSTi1f/HkmIx+HSnuU=; b=S5/rajiEV5/O76VM5tcebvLHY7r4tPGIkauAEhI1Wq40Pjzzy0Zn193TEj7S3SBdND Iz7Qr/kXTNPn8tEpbsP8zOSPJoUWWq/qdWPKQVSESpubyDe2IUDb/MSXDq80WCMjmz3O 9ovZJtm+p1Am5xhPlg1ya1o5QSSuvdX9fzFbH6sbxum0VUtspfiNdCGRgIZBGtadpxtv c6x0yYAXUiZJ1oh3CoPBUqRyOJJDMf5hvtpVVUddw9pzQ8BH3d1qhEOCnQuQLziCQvzK ohU99WDd0mJQ8eQT33ZwSO/NZDZOVOsiJJ9u2YxWpdO8mu25a32RIGyaXG5yDMg0Jl6C LYLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=4fqiEvZxro5/aG6NA21Q5zPH3KSTi1f/HkmIx+HSnuU=; b=WDfF57PAwrFT3fgohiI2mxc8uMDG/xWoyIrYmvUeCTDU3Q3uMZsD8Dbh1aXa2j6q3c q3i5RrexT0JZ8iVSkcqRCYCi6e2Jq3gG/HlqMnn5eacubnRMEnLKy3P7h7pSlULSV9F0 +xlYxAzGfD0enJHhgAh2JrudrG+Qqls+pO1yZ2fYZiFfH3NdChruUaw8DuO5Ofm8xgwb 7hyIJsLz3ndaA9wZ8Rvto41H3007DZKQY5lHFOsZ4n/6PgPPd352IMu9lsoCeTyX7BU0 ZfG2V0yUE76/rU5JzEgKB7rtjiIsmnwM6G2oHTNF6aycZs4LTsxCSDH+hQJmc31EGc/X QUEA==
X-Gm-Message-State: AOAM5318rUj6H0ATtg8uf+WeESCK4OIA7vINSMhhzOHoMNRodP2feyUN y4gLr7JfaQGnicvMixNF/2pwleQEvP4xA5a48FtIMWjKFfY=
X-Google-Smtp-Source: ABdhPJydbgcJWnMWnSP9efk3KOI606LAKz05FuM/qkHMMEV5MRfO22acxUyijLnw9JLmucj1TfnmF61b2Cn0QYJmbX0=
X-Received: by 2002:adf:d4c8:0:b0:1f0:22df:d67c with SMTP id w8-20020adfd4c8000000b001f022dfd67cmr7643644wrk.510.1647011770450; Fri, 11 Mar 2022 07:16:10 -0800 (PST)
MIME-Version: 1.0
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Fri, 11 Mar 2022 10:15:59 -0500
Message-ID: <CADNypP_f07oExgYAKJtaQ6ywCCerEyLBaOEDaK+5fKKSVBqicQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000084c62d05d9f2cf31"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IS6itOpcELparVe4QcCTH95-aXI>
Subject: [OAUTH-WG] OAuth WG Agenda @ IETF113
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2022 15:16:16 -0000

--00000000000084c62d05d9f2cf31
Content-Type: text/plain; charset="UTF-8"

All,

The OAuth WG has two official sessions
1. *Monday* at 2:30-4:30 pm Vienna time
2. *Thursday* at 2:30-4:30 Vienna time

We also have two side meetings available for in-person attendees:
1. *Tuesday* at 2:00-3:30 pm Vienna time
2. *Wednesday* at 6:00-7:30 pm Vienna time


*Monday's agenda:*

1. *Chairs update* - Rifaat/Hannes (15 min)

2. *DPoP* - Mike/Brian (45 min)
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

3. *Redirection Attacks *- Rifaat (30 min)
https://mailarchive.ietf.org/arch/msg/oauth/4-YCJzeDH4NH-ge9OF8bAbqWgIE/

4. *OAuth 2.1 *- Aaron (30 min)
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/


*Thursday's agenda:*

1. *Device Code Flow *- Pieter (45 min)

2. *Step-up Authentication *- Vittorio (30 min)
https://datatracker.ietf.org/doc/html/draft-bertocci-oauth-step-up-authn-challenge

3. *Libraries* - Daniel (45 min)
https://mailarchive.ietf.org/arch/msg/oauth/h9_Ki1UYT8sS0xKqGrzWI6yHaNA/

Regards,
 Rifaat & Hannes


--00000000000084c62d05d9f2cf31--


From nobody Sat Mar 12 16:33:00 2022
Return-Path: <nicolas@babelouest.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B75973A0D92 for <oauth@ietfa.amsl.com>; Sat, 12 Mar 2022 16:32:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level: 
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=babelouest.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EAIzzEL0tZBP for <oauth@ietfa.amsl.com>; Sat, 12 Mar 2022 16:32:53 -0800 (PST)
Received: from perceval.babelouest.org (perceval.babelouest.org [5.135.181.15]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB60B3A0789 for <oauth@ietf.org>; Sat, 12 Mar 2022 16:32:51 -0800 (PST)
Received: from [192.168.1.50] (bras-base-qubcpq0634w-grc-16-174-89-201-20.dsl.bell.ca [174.89.201.20]) by perceval.babelouest.org (Postfix) with ESMTPSA id C240823ED2 for <oauth@ietf.org>; Sat, 12 Mar 2022 19:32:48 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=babelouest.org; s=mail; t=1647131569; bh=LR4y0oKPCM3uqvAt3892C1h6INf7Pgrc3xTmxNttnnU=; h=Date:To:From:Subject:From; b=FInoLArWKcLab6l0J6uDYzFIBMmmhyNyn4SOB66XFx47brM4RdHQ7X9/PDaPnS5qo Lonvvz0ZS1PnMUSBk+KBdULOFSMPyoS5tx1A8Rn2pRtOQSf1Z5BAUk0d0bRZg1DcYh a5BR7OH6tysa/buEpFdnMosD0uuMLi7xUx6zrPsK6I5182MFCz4rXHuxpGAQ/00YFF Lc+VK7hKkpr0iclcpM0RWRqjbIvwH42IhTTZZwg5G8QFVHAYC1PnSEh96Ixsg51el8 KbkvNKOgG43WRQ14zPEYwmnD/6Lsr6OKMYiCX/Hr1T8e26TTcoeoX7ak/M9TToZrzF /g7/YuTvdxsMg==
Message-ID: <0ebbaacb-5403-26bb-ac30-f9f5f3319e86@babelouest.org>
Date: Sat, 12 Mar 2022 19:32:47 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.6.2
To: oauth <oauth@ietf.org>
Content-Language: en-US
From: Nicolas Mora <nicolas@babelouest.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pD1Rx7NZpDoNj2id7454_XBsgts>
Subject: [OAUTH-WG] DPoP and Client Registration Access Token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Mar 2022 00:32:59 -0000

Hello,

While reading the last DPoP document (draft 6), I was wondering about 
other access tokens delivered by the AS, especially the Registration 
Access Token during Dynamic Client Management Registration [1].

The OAuth 2.0 Dynamic Client Registration Management Protocol RFC states 
that: [2]

"(D)   The authorization server registers the client and returns:
[...]
          *  a registration access token to be used when calling the
             client configuration endpoint."

I'm considering the DPoP objectives would be relevant when using the 
Dynamic Client Registration Management Protocol, when the AS provides an 
access token for the client.

Although, adding the DPoP proof JWT during the client registration would 
be different than in the /token endpoint. The client registration 
endpoint can be authorized by an access token, therefore this access 
token can be enforced using DPoP.

A solution I thought of is to add the DPoP proof in the client 
registration request itself.

The following example is a sample showing a client registration 
authorized through an access token enforced with DPoP, and a DPoP proof 
inside the registration request. The DPoP jkt will then be attached to 
the registration access token, so the registered client would have to 
add a DPoP proof each time it calls the Client Registration Management 
endpoint.

POST /register HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: server.example.com
Authorization: DPoP Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU
DPoP: eyJ0eXAiOiJkcG9[...]xyz

{
   "redirect_uris": [
     "https://client.example.org/callback",
     "https://client.example.org/callback2"],
   "client_name": "My Example Client",
   "client_name#ja-Jpan-JP":
      "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
   "token_endpoint_auth_method": "client_secret_basic",
   "logo_uri": "https://client.example.org/logo.png",
   "jwks_uri": "https://client.example.org/my_public_keys.jwks",
   "example_extension_parameter": "example_value",
   "DPoP": "eyJ0eXAiOiJkcG9[...]abc"
}

The client registration DPoP content should use a different key and a 
different jti than the one used with the DPoP access token, but the htm 
and htu values would be the same.

Any thoughts about that?

/Nicolas

[1] https://datatracker.ietf.org/doc/html/rfc7592
[2] https://datatracker.ietf.org/doc/html/rfc7592#section-1.3
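The AS-side logic of the proposal above, as an added example in Go (not code from the thread or from any implementation): both DPoP proofs in the registration request are verified, the thumbprint of the key behind the body proof is bound to the registration access token as its cnf.jkt, the body proof must not reuse the access token's key, and the client configuration endpoint accepts the token only together with a proof from that bound key. Assumed: ES256 keys, the htu https://server.example.com/register from the sample request, and randomly constructed values for jti and for the token itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var (
	b64   = base64.RawURLEncoding
	seen  = map[string]bool{}   // AS jti replay cache, shared by every proof it accepts
	bound = map[string]string{} // AS state: registration access token -> cnf.jkt
)

// Thumbprint is the RFC 7638 JWK thumbprint (SHA-256 of the required members, lexicographic order, no whitespace); the AS records it as cnf.jkt.
func Thumbprint(jwk map[string]string) string {
	sum := sha256.Sum256([]byte(`{"crv":"` + jwk["crv"] + `","kty":"` + jwk["kty"] + `","x":"` + jwk["x"] + `","y":"` + jwk["y"] + `"}`))
	return b64.EncodeToString(sum[:])
}

// RandomID yields a fresh jti, or an opaque registration access token (constructed values).
func RandomID() string { b := make([]byte, 16); rand.Read(b); return b64.EncodeToString(b) }

// NewProof builds an ES256-signed DPoP proof JWT (typ "dpop+jwt") covering one htm/htu.
func NewProof(key *ecdsa.PrivateKey, htm, htu string) (string, error) {
	enc := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	jwk := map[string]string{"kty": "EC", "crv": "P-256", "x": enc(key.X), "y": enc(key.Y)}
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk})
	claims, _ := json.Marshal(map[string]any{"jti": RandomID(), "htm": htm, "htu": htu})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS raw r||s
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyProof checks a proof against the request it must cover (signature under the embedded jwk,
// htm/htu, unused jti) and returns the signing key's thumbprint. An iat freshness check is omitted for brevity.
func VerifyProof(proof, htm, htu string) (string, error) {
	var hdr struct{ Typ, Alg string; Jwk map[string]string }
	var claims struct{ Jti, Htm, Htu string }
	dec := func(seg string, v any) bool { raw, err := b64.DecodeString(seg); return err == nil && json.Unmarshal(raw, v) == nil }
	parts := strings.Split(proof, ".")
	if len(parts) != 3 || !dec(parts[0], &hdr) || !dec(parts[1], &claims) {
		return "", errors.New("malformed proof")
	}
	x, _ := b64.DecodeString(hdr.Jwk["x"])
	y, _ := b64.DecodeString(hdr.Jwk["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	sig, _ := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch {
	case hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk["kty"] != "EC" || hdr.Jwk["crv"] != "P-256":
		return "", errors.New("unsupported proof header")
	case !pub.IsOnCurve(pub.X, pub.Y) || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])):
		return "", errors.New("signature does not verify under the embedded jwk")
	case claims.Htm != htm || claims.Htu != htu:
		return "", errors.New("htm/htu do not match this request")
	case claims.Jti == "" || seen[claims.Jti]:
		return "", errors.New("jti missing or already seen")
	}
	seen[claims.Jti] = true
	return Thumbprint(hdr.Jwk), nil
}

// Register handles the proposed request: headerProof is the DPoP header proof for the initial access
// token, bodyProof the "DPoP" member of the JSON body, whose key is bound to the returned registration access token.
func Register(headerProof, bodyProof string) (string, error) {
	const htu = "https://server.example.com/register"
	atJkt, err1 := VerifyProof(headerProof, "POST", htu)
	regJkt, err2 := VerifyProof(bodyProof, "POST", htu)
	if err := errors.Join(err1, err2); err != nil {
		return "", err
	}
	if regJkt == atJkt {
		return "", errors.New("registration proof must use a key of its own")
	}
	token := RandomID()
	bound[token] = regJkt
	return token, nil
}

// Configure is the client configuration endpoint check: the registration access token is
// honoured only together with a proof from the key bound at registration.
func Configure(token, proof, htm, htu string) error {
	jkt, err := VerifyProof(proof, htm, htu)
	if err == nil && bound[token] != jkt { // an unknown token has no binding and never matches
		err = errors.New("proof key does not match the cnf.jkt bound to this token")
	}
	return err
}
```

Replay protection here is the in-memory seen set; a production AS would also bound iat and expire entries.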


From nobody Thu Mar 17 12:15:24 2022
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 939E93A085E for <oauth@ietfa.amsl.com>; Thu, 17 Mar 2022 12:15:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level: 
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WUqwqZCW7GTr for <oauth@ietfa.amsl.com>; Thu, 17 Mar 2022 12:15:18 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4F1A3A080F for <oauth@ietf.org>; Thu, 17 Mar 2022 12:15:16 -0700 (PDT)
Received: from smtpclient.apple (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 22HJF9iN029259 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 17 Mar 2022 15:15:10 -0400
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <0ebbaacb-5403-26bb-ac30-f9f5f3319e86@babelouest.org>
Date: Thu, 17 Mar 2022 15:15:09 -0400
Cc: oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <537735EA-5F6E-422E-871D-EE1750C717DD@mit.edu>
References: <0ebbaacb-5403-26bb-ac30-f9f5f3319e86@babelouest.org>
To: Nicolas Mora <nicolas@babelouest.org>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gTPlW4Vm5Pkma6DO50aqUSTIOy4>
Subject: Re: [OAUTH-WG] DPoP and Client Registration Access Token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Mar 2022 19:15:23 -0000

Way back when we wrote dynamic registration, we made the decision to
always have the registration token just be a bearer token. Part of this
is because OAuth2 doesn’t really have a separate “access token” data
structure that we could just replicate in this spot, so there’s no
“token type” or other meta parameters around the token value itself that
come back. The other reason is that without a process to dynamically
bind the key during registration, it didn’t make sense to require other
credentials alongside the token. For another example of where this
confusion comes into play, just see any of the discussion here about
whether the DPoP binding applies to the refresh token, which comes
alongside the access token.

I think you’re absolutely right that things like DPoP (and even MTLS, or
alternatives like HTTP Signatures) raise the question of binding the
registration token in the same way that you can bind other access
tokens. To do this, though, you’d need to extend dynamic registration’s
response. I think you’ve got the right idea here, but you’d need to add a
bunch of signaling in the request and response. I think a DPoP-specific
flag, or a new field instead of “registration_access_token” would both do
the job with different properties. You’d also need to define how to use
the DPoP proof at the registration request.

All of that seems like it’d fit neatly into a self-contained extension of
dynamic registration.

 — Justin

> On Mar 12, 2022, at 7:32 PM, Nicolas Mora <nicolas@babelouest.org> wrote:


From nobody Thu Mar 17 14:09:49 2022
Return-Path: <pieter.kasselman@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CBAD3A15B8 for <oauth@ietfa.amsl.com>; Thu, 17 Mar 2022 14:09:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level: 
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0jPrPdEezFYQ for <oauth@ietfa.amsl.com>; Thu, 17 Mar 2022 14:09:42 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on20713.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d00::713]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 928B53A15B9 for <oauth@ietf.org>; Thu, 17 Mar 2022 14:09:41 -0700 (PDT)
Received: from AM7PR83MB0452.EURPRD83.prod.outlook.com (2603:10a6:20b:1b6::10) by HE1PR8303MB0089.EURPRD83.prod.outlook.com (2603:10a6:23:17::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5102.6; Thu, 17 Mar 2022 21:09:33 +0000
Received: from AM7PR83MB0452.EURPRD83.prod.outlook.com ([fe80::c48f:8ccc:ec27:b41d]) by AM7PR83MB0452.EURPRD83.prod.outlook.com ([fe80::c48f:8ccc:ec27:b41d%8]) with mapi id 15.20.5102.007; Thu, 17 Mar 2022 21:09:28 +0000
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Device Authorization Grant and Illicit Consent Exploits
Thread-Index: Adg6QbnOrvFCNzXmQH+yf4vBwwXQPw==
Date: Thu, 17 Mar 2022 21:09:27 +0000
Message-ID: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com>
Accept-Language: en-IE, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e6a14ab4-d10c-4aa8-f498-08da085a6c1a
x-ms-traffictypediagnostic: HE1PR8303MB0089:EE_
x-ms-exchange-atpmessageproperties: SA|SL
x-microsoft-antispam-prvs: <HE1PR8303MB00893FB833FE23E0158890F891129@HE1PR8303MB0089.EURPRD83.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
Content-Type: multipart/alternative; boundary="_000_AM7PR83MB0452287B78E5B4780304F45891129AM7PR83MB0452EURP_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM7PR83MB0452.EURPRD83.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e6a14ab4-d10c-4aa8-f498-08da085a6c1a
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Mar 2022 21:09:27.8481 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 2HtJUCurfZ5O3Tv3qytTOyLXYXEHbLFXtoQSuf0wKZAL9LSYE7wrWjJZ3Os9Wq0CjduMjeRi8z+JxJ4OrveGFYDGtUdywrU9H+XuFWtIA4w=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR8303MB0089
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cjmguHIhKG1L_thhZM3f4Wnmm3Y>
Subject: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Mar 2022 21:09:48 -0000

--_000_AM7PR83MB0452287B78E5B4780304F45891129AM7PR83MB0452EURP_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_AM7PR83MB0452287B78E5B4780304F45891129AM7PR83MB0452EURP_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

dmljZXMgdGhhdCBhcmUgdW5hYmxlIHRvIHN1cHBvcnQgYSBicm93c2VycyBvciBoYXZlIGxpbWl0
ZWQgaW5wdXQgY2FwYWJpbGl0aWVzLiBIb3dldmVyLCBsb29raW5nIGJhY2sgb3ZlciB0aGUgcGFz
dCAxOC0yNCBtb250aHMsIHRoZXJlIGhhdmUgYmVlbiBhIG51bWJlciBvZiBwcmFjdGljYWwgZXhw
bG9pdHMgcHVibGlzaGVkIHRoYXQgdXNlIHNvY2lhbA0KIGVuZ2luZWVyaW5nIHRlY2huaXF1ZXMg
YXBwbGllZCB0byB0aGUgZGV2aWNlIGF1dGhvcml6YXRpb24gZ3JhbnQgZmxvdy4mbmJzcDs8L3Nw
YW4+PG86cD48L286cD48L3A+DQo8cCBzdHlsZT0ibWFyZ2luOjBjbSI+PHNwYW4gc3R5bGU9ImNv
bG9yOmJsYWNrIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBzdHlsZT0ibWFyZ2lu
OjBjbSI+PHNwYW4gc3R5bGU9ImNvbG9yOmJsYWNrIj5UaGUgZ29hbCBvZiB0aGUgc2Vzc2lvbiBh
dCBJRVRGIDExMyBpcyB0byBkaXNjdXNzIHRoZSBwYXR0ZXJucyBvZiB0aGUgZXhwbG9pdHMgdGhh
dCBhcmUga25vd24gYW5kIHN0YXJ0IGEgY29udmVyc2F0aW9uIG9uIHdoYXQgKGlmIGFueXRoaW5n
KSB3ZSBzaG91bGQgZG8sIGJhc2VkIG9uIHdoYXQgd2UgYXJlIGxlYXJuaW5nLiZuYnNwOzxvOnA+
PC9vOnA+PC9zcGFuPjwvcD4NCjxwIHN0eWxlPSJtYXJnaW46MGNtIj48c3BhbiBzdHlsZT0iY29s
b3I6YmxhY2siPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIHN0eWxlPSJtYXJnaW46
MGNtIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjVwdDtmb250LWZhbWlseTomcXVvdDtTZWdv
ZSBVSSZxdW90OyxzYW5zLXNlcmlmO2NvbG9yOmJsYWNrIj5UaGVzZSBleHBsb2l0cyBmb2xsb3cg
YSBnZW5lcmFsIG1hbi1pbi10aGUtbWlkZGxlIChNSVRNKSBwYXR0ZXJuLCB3aGVyZSB0aGUgYXR0
YWNrZXI6Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgc3R5bGU9Im1zby1tYXJnaW4t
dG9wLWFsdDowY207bWFyZ2luLXJpZ2h0OjBjbTttYXJnaW4tYm90dG9tOjBjbTttYXJnaW4tbGVm
dDoyNy4wcHQiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC41cHQ7Zm9udC1mYW1pbHk6JnF1
b3Q7U2Vnb2UgVUkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjpibGFjayI+Jm5ic3A7PG86cD48L286
cD48L3NwYW4+PC9wPg0KPG9sIHN0eWxlPSJtYXJnaW4tdG9wOjBjbSIgc3RhcnQ9IjEiIHR5cGU9
IjEiPg0KPGxpIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJjb2xvcjpibGFjazttc28tbGlzdDps
MTIgbGV2ZWwxIGxmbzE0O3ZlcnRpY2FsLWFsaWduOm1pZGRsZSI+DQo8c3BhbiBzdHlsZT0iZm9u
dC1zaXplOjEwLjVwdDtmb250LWZhbWlseTomcXVvdDtTZWdvZSBVSSZxdW90OyxzYW5zLXNlcmlm
Ij5Jbml0aWF0ZXMgdGhlIERldmljZSBBdXRob3JpemF0aW9uIEdyYW50IGZsb3cgb24gYSBkZXZp
Y2UgdW5kZXIgdGhlaXIgY29udHJvbCwmbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L2xpPjxsaSBj
bGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0iY29sb3I6YmxhY2s7bXNvLWxpc3Q6bDEyIGxldmVsMSBs
Zm8xNDt2ZXJ0aWNhbC1hbGlnbjptaWRkbGUiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC41
cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7U2Vnb2UgVUkmcXVvdDssc2Fucy1zZXJpZiI+UHJlc2VudHMg
dGhlIHVzZXIgY29kZSBpbiBhIGNvbnRleHQgdGhhdCB0aGUgZW5kLXVzZXIgaXMgbGlrZWx5IHRv
IGFjdCBvbiAodXNpbmcgc29jaWFsIGVuZ2luZWVyaW5nIHRlY2huaXF1ZXMpLCBhbmQmbmJzcDs8
bzpwPjwvbzpwPjwvc3Bhbj48L2xpPjxsaSBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0iY29sb3I6
YmxhY2s7bXNvLWxpc3Q6bDEyIGxldmVsMSBsZm8xNDt2ZXJ0aWNhbC1hbGlnbjptaWRkbGUiPg0K
PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC41cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7U2Vnb2UgVUkm
cXVvdDssc2Fucy1zZXJpZiI+T25jZSB0aGUgdXNlciBncmFudHMgYWNjZXNzLCByZXRyaWV2ZXMg
dGhlIGFjY2VzcyBhbmQgcmVmcmVzaCB0b2tlbnMgYW5kIHVzZXMgdGhlbSB0byBhY2Nlc3MgdGhl
IHVzZXLigJlzIHJlc291cmNlcy4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L2xpPjwvb2w+DQo8
cCBzdHlsZT0ibWFyZ2luOjBjbSI+PHNwYW4gc3R5bGU9ImNvbG9yOmJsYWNrIj4mbmJzcDs8bzpw
PjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBzdHlsZT0ibWFyZ2luOjBjbSI+PHNwYW4gc3R5bGU9ImNv
bG9yOmJsYWNrIj5Tb21lIG9mIHRoZSBleHBsb2l0cyBhcmUgZGVzY3JpYmVkIGhlcmUgZm9yIHRo
b3NlIGludGVyZXN0ZWQgaW4gbW9yZSBkZXRhaWw6Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9w
Pg0KPHAgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDowY207bWFyZ2luLXJpZ2h0OjBjbTttYXJn
aW4tYm90dG9tOjBjbTttYXJnaW4tbGVmdDoyNy4wcHQiPg0KPHNwYW4gc3R5bGU9ImNvbG9yOmJs
YWNrIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8b2wgc3R5bGU9Im1hcmdpbi10b3A6
MGNtIiBzdGFydD0iMSIgdHlwZT0iMSI+DQo8bGkgY2xhc3M9Ik1zb0xpc3RQYXJhZ3JhcGgiIHN0
eWxlPSJjb2xvcjpibGFjazttYXJnaW4tbGVmdDowY207bXNvLWxpc3Q6bDAgbGV2ZWwxIGxmbzE3
O3ZlcnRpY2FsLWFsaWduOm1pZGRsZSI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjVwdCI+
PGEgaHJlZj0iaHR0cHM6Ly8weGJva3UuY29tLzIwMjEvMDcvMTIvQXJ0T2ZEZXZpY2VDb2RlUGhp
c2guaHRtbCI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O1NlZ29lIFVJJnF1b3Q7LHNh
bnMtc2VyaWYiPlRoZSBBcnQgb2YgdGhlIERldmljZSBDb2RlIFBoaXNoIC0gQm9rdSAoMHhib2t1
LmNvbSk8L3NwYW4+PC9hPjwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjVwdDtmb250
LWZhbWlseTomcXVvdDtTZWdvZSBVSSZxdW90OyxzYW5zLXNlcmlmIj4mbmJzcDs8L3NwYW4+PHNw
YW4gc3R5bGU9ImZvbnQtc2l6ZToxMC41cHQiPjxvOnA+PC9vOnA+PC9zcGFuPjwvbGk+PGxpIGNs
YXNzPSJNc29MaXN0UGFyYWdyYXBoIiBzdHlsZT0iY29sb3I6YmxhY2s7bWFyZ2luLWxlZnQ6MGNt
O21zby1saXN0OmwwIGxldmVsMSBsZm8xNzt2ZXJ0aWNhbC1hbGlnbjptaWRkbGUiPg0KPHNwYW4g
c3R5bGU9ImZvbnQtc2l6ZToxMC41cHQiPjxhIGhyZWY9Imh0dHBzOi8vd3d3Lm9wdGl2LmNvbS9p
bnNpZ2h0cy9zb3VyY2UtemVyby9ibG9nL21pY3Jvc29mdC0zNjUtb2F1dGgtZGV2aWNlLWNvZGUt
Zmxvdy1hbmQtcGhpc2hpbmciPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtTZWdvZSBV
SSZxdW90OyxzYW5zLXNlcmlmIj5NaWNyb3NvZnQgMzY1IE9BdXRoIERldmljZSBDb2RlIEZsb3cg
YW5kIFBoaXNoaW5nIHwgT3B0aXY8L3NwYW4+PC9hPjwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1z
aXplOjEwLjVwdDtmb250LWZhbWlseTomcXVvdDtTZWdvZSBVSSZxdW90OyxzYW5zLXNlcmlmIj4m
bmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC41cHQiPjxvOnA+PC9vOnA+PC9z
cGFuPjwvbGk+PG9sIHN0eWxlPSJtYXJnaW4tdG9wOjBjbSIgc3RhcnQ9IjEiIHR5cGU9ImEiPg0K
PGxpIGNsYXNzPSJNc29MaXN0UGFyYWdyYXBoIiBzdHlsZT0iY29sb3I6YmxhY2s7bWFyZ2luLWxl
ZnQ6MGNtO21zby1saXN0OmwwIGxldmVsMiBsZm8xNzt2ZXJ0aWNhbC1hbGlnbjptaWRkbGUiPg0K
PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC41cHQiPjxhIGhyZWY9Imh0dHBzOi8vZ2l0aHViLmNv
bS9vcHRpdi9NaWNyb3NvZnQzNjVfZGV2aWNlUGhpc2giPjxzcGFuIHN0eWxlPSJmb250LWZhbWls
eTomcXVvdDtTZWdvZSBVSSZxdW90OyxzYW5zLXNlcmlmIj5vcHRpdi9NaWNyb3NvZnQzNjVfZGV2
aWNlUGhpc2g6IEEgcHJvb2Ytb2YtY29uY2VwdCBzY3JpcHQgdG8gY29uZHVjdCBhIHBoaXNoaW5n
IGF0dGFjayBhYnVzaW5nIE1pY3Jvc29mdCAzNjUgT0F1dGggQXV0aG9yaXphdGlvbg0KIEZsb3cg
KGdpdGh1Yi5jb20pPC9zcGFuPjwvYT48L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC41
cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7U2Vnb2UgVUkmcXVvdDssc2Fucy1zZXJpZiI+Jm5ic3A7PC9z
cGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuNXB0Ij48bzpwPjwvbzpwPjwvc3Bhbj48L2xp
Pjwvb2w+DQo8bGkgY2xhc3M9Ik1zb0xpc3RQYXJhZ3JhcGgiIHN0eWxlPSJjb2xvcjpibGFjaztt
YXJnaW4tbGVmdDowY207bXNvLWxpc3Q6bDAgbGV2ZWwxIGxmbzE3O3ZlcnRpY2FsLWFsaWduOm1p
ZGRsZSI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjVwdCI+PGEgaHJlZj0iaHR0cHM6Ly9v
MzY1YmxvZy5jb20vcG9zdC9waGlzaGluZy8jbmV3LXBoaXNoaW5nLXRlY2huaXF1ZS1kZXZpY2Ut
Y29kZS1hdXRoZW50aWNhdGlvbiI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O1NlZ29l
IFVJJnF1b3Q7LHNhbnMtc2VyaWYiPkludHJvZHVjaW5nIGEgbmV3IHBoaXNoaW5nIHRlY2huaXF1
ZSBmb3IgY29tcHJvbWlzaW5nIE9mZmljZSAzNjUgYWNjb3VudHMgKG8zNjVibG9nLmNvbSk8L3Nw
YW4+PC9hPjwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjVwdDtmb250LWZhbWlseTom
cXVvdDtTZWdvZSBVSSZxdW90OyxzYW5zLXNlcmlmIj4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9
ImZvbnQtc2l6ZToxMC41cHQiPjxvOnA+PC9vOnA+PC9zcGFuPjwvbGk+PGxpIGNsYXNzPSJNc29M
aXN0UGFyYWdyYXBoIiBzdHlsZT0iY29sb3I6YmxhY2s7bWFyZ2luLWxlZnQ6MGNtO21zby1saXN0
OmwwIGxldmVsMSBsZm8xNzt2ZXJ0aWNhbC1hbGlnbjptaWRkbGUiPg0KPHNwYW4gc3R5bGU9ImZv
bnQtc2l6ZToxMC41cHQiPjxhIGhyZWY9Imh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL3dhdGNoP3Y9
OXNsUll2cEtIcDQiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtTZWdvZSBVSSZxdW90
OyxzYW5zLXNlcmlmIj5ERUYgQ09OIDI5IC0gSmVua28gSHdvbmcgLSBOZXcgUGhpc2hpbmcgQXR0
YWNrcyBFeHBsb2l0aW5nIE9BdXRoIEF1dGhlbnRpY2F0aW9uIEZsb3dzIC0gWW91VHViZTwvc3Bh
bj48L2E+PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuNXB0O2ZvbnQtZmFtaWx5OiZx
dW90O1NlZ29lIFVJJnF1b3Q7LHNhbnMtc2VyaWYiPiZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0i
Zm9udC1zaXplOjEwLjVwdCI+PG86cD48L286cD48L3NwYW4+PC9saT48L29sPg0KPHAgc3R5bGU9
Im1zby1tYXJnaW4tdG9wLWFsdDowY207bWFyZ2luLXJpZ2h0OjBjbTttYXJnaW4tYm90dG9tOjBj
bTttYXJnaW4tbGVmdDoyNy4wcHQiPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC41cHQ7Zm9u
dC1mYW1pbHk6JnF1b3Q7U2Vnb2UgVUkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjpibGFjayI+Jm5i
c3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgc3R5bGU9Im1hcmdpbjowY20iPjxzcGFuIHN0
eWxlPSJmb250LXNpemU6MTAuNXB0O2ZvbnQtZmFtaWx5OiZxdW90O1NlZ29lIFVJJnF1b3Q7LHNh
bnMtc2VyaWY7Y29sb3I6YmxhY2siPkluIHRlcm1zIG9mIGEgcmVzcG9uc2UsIHRoZXJlIGFyZSBh
IGZldyBvcHRpb25zIHRoYXQgY29tZSB0byBtaW5kICh0aGVzZSBhcmUgbm90IGV4aGF1c3RpdmUs
IEkgd291bGQgbG92ZSB0byBzZWUgd2hhdCBvdGhlcnMgaGF2ZSBpbiBtaW5kIGFzIHdlbGwpOiZu
YnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6
MGNtO21hcmdpbi1yaWdodDowY207bWFyZ2luLWJvdHRvbTowY207bWFyZ2luLWxlZnQ6MjcuMHB0
Ij4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuNXB0O2ZvbnQtZmFtaWx5OiZxdW90O1NlZ29l
IFVJJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6YmxhY2siPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFu
PjwvcD4NCjxvbCBzdHlsZT0ibWFyZ2luLXRvcDowY20iIHN0YXJ0PSIxIiB0eXBlPSJBIj4NCjxs
aSBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0iY29sb3I6YmxhY2s7bXNvLWxpc3Q6bDMgbGV2ZWwx
IGxmbzE4O3ZlcnRpY2FsLWFsaWduOm1pZGRsZSI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEw
LjVwdDtmb250LWZhbWlseTomcXVvdDtTZWdvZSBVSSZxdW90OyxzYW5zLXNlcmlmIj5EbyBub3Ro
aW5nOiBXZSBjYW4gY2hvb3NlIHRvIGxlYXZlIGV2ZXJ5dGhpbmcgYXMgaXMuIFRoZSBkb3duc2lk
ZSBvZiB0aGlzIGlzIHRoYXQgdGhlIGxlc3NvbnMgd2UgYXJlIGxlYXJuaW5nIGFyZSBub3QgZ2V0
dGluZyBkaXNzZW1pbmF0ZWQgb3IgcmVzdWx0aW5nIGluIHJlZHVjZWQgcmlza3MuJm5ic3A7PG86
cD48L286cD48L3NwYW4+PC9saT48bGkgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9ImNvbG9yOmJs
YWNrO21zby1saXN0OmwzIGxldmVsMSBsZm8xODt2ZXJ0aWNhbC1hbGlnbjptaWRkbGUiPg0KPHNw
YW4gc3R5bGU9ImZvbnQtc2l6ZToxMC41cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7U2Vnb2UgVUkmcXVv
dDssc2Fucy1zZXJpZiI+VXBkYXRlIHRoZSByZWNvbW1lbmRhdGlvbnM6IFdlIGNhbiBkb2N1bWVu
dCB0aGUgc29jaWFsIGVuZ2luZWVyaW5nIGV4cGxvaXRzIGFuZCByZWNvbW1lbmQgc29tZSBhZGRp
dGlvbmFsIG1pdGlnYXRpb25zIGFzIHdlbGwgYXMgcmVjb21tZW5kYXRpb25zIGluIHRlcm1zIG9m
IHVzZSBjYXNlcy4gQWx0aG91Z2ggdGhlc2UgdHlwZXMgb2YNCiAmcXVvdDtwaGlzaGluZyZxdW90
Oy9zb2NpYWwgZW5naW5lZXJpbmcgYXR0YWNrcyBhcmUgY2FsbGVkIG91dCBpbiB0aGUgc2VjdXJp
dHkgY29uc2lkZXJhdGlvbnMgaW4NCjxhIGhyZWY9Imh0dHBzOi8vZGF0YXRyYWNrZXIuaWV0Zi5v
cmcvZG9jL2h0bWwvcmZjODYyOCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1m
YW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO2JhY2tncm91bmQ6I0UxRTNFNiI+
UkZDIDg2MjggLSBPQXV0aCAyLjAgRGV2aWNlIEF1dGhvcml6YXRpb24gR3JhbnQ8L3NwYW4+PC9h
Piwgd2UgY2FuIGFkZCBmdXJ0aGVyIG1pdGlnYXRpb25zIHRvIGNyZWF0ZSBncmVhdGVyIGRlZmVu
Y2UgaW4NCiBkZXB0aC4gVGhpcyB3aWxsIGhlbHAgZnV0dXJlIGltcGxlbWVudGVycyBhbmQgbWF5
IGV2ZW4gYmUgdXNlZnVsIGZvciBmdXR1cmUgcHJvdG9jb2xzIHRoYXQgcmVseSBvbiBhIHNpbWls
YXIgY3Jvc3MtZGV2aWNlIGF1dGhlbnRpY2F0aW9uIGFuZCBhdXRob3JpemF0aW9uIGZsb3dzLiZu
YnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvbGk+PGxpIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJj
b2xvcjpibGFjazttc28tbGlzdDpsMyBsZXZlbDEgbGZvMTg7dmVydGljYWwtYWxpZ246bWlkZGxl
Ij4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuNXB0O2ZvbnQtZmFtaWx5OiZxdW90O1NlZ29l
IFVJJnF1b3Q7LHNhbnMtc2VyaWYiPkV4cGxvcmUgYWx0ZXJuYXRpdmVzOiBEZXZlbG9wLCBhZG9w
dCwgb3IgZXZvbHZlIG5ldyBwcm90b2NvbHMgdGhhdCBhZGRyZXNzIHRoZSBzY2VuYXJpbyB3aGls
ZSBtaXRpZ2F0aW5nIG9yIGF2b2lkaW5nIHRoZSByaXNrcy4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bh
bj48L2xpPjwvb2w+DQo8cCBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OjBjbTttYXJnaW4tcmln
aHQ6MGNtO21hcmdpbi1ib3R0b206MGNtO21hcmdpbi1sZWZ0OjI3LjBwdCI+DQo8c3BhbiBzdHls
ZT0iZm9udC1zaXplOjEwLjVwdDtmb250LWZhbWlseTomcXVvdDtTZWdvZSBVSSZxdW90OyxzYW5z
LXNlcmlmO2NvbG9yOmJsYWNrIj4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBzdHls
ZT0ibWFyZ2luOjBjbSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC41cHQ7Zm9udC1mYW1pbHk6
JnF1b3Q7U2Vnb2UgVUkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjpibGFjayI+T3B0aW9uIEEgZG9l
cyBub3QgZG8gbXVjaCB0byBpbXByb3ZlIHRoZSBzdGF0ZSBvZiB0aGUgYXJ0LiBPcHRpb24gQiBm
ZWVscyBsaWtlIHNvbWV0aGluZyB3ZSBjYW4gZG8gbm93LCBhbmQgd2UgbWF5IGxlYXJuIHNvbWV0
aGluZyBhbG9uZyB0aGUgd2F5IHRoYXQgY2FuIGhlbHANCiBpbmZvcm0gT3B0aW9uIEMsIHdoaWNo
IG1heSBiZSBtdWNoIGZ1cnRoZXIgZG93biB0aGUgcm9hZCBhbmQgcmVxdWlyZSBtb3JlIHJlc2Vh
cmNoLiZuYnNwO1doYXQgb3RoZXIgb3B0aW9ucyBjb21lIHRvIG1pbmQ/PG86cD48L286cD48L3Nw
YW4+PC9wPg0KPHAgc3R5bGU9Im1hcmdpbjowY20iPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAu
NXB0O2ZvbnQtZmFtaWx5OiZxdW90O1NlZ29lIFVJJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6Ymxh
Y2siPiZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIHN0eWxlPSJtYXJnaW46MGNtIj48
c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjVwdDtmb250LWZhbWlseTomcXVvdDtTZWdvZSBVSSZx
dW90OyxzYW5zLXNlcmlmO2NvbG9yOmJsYWNrIj5J4oCZbSBsb29raW5nIGZvcndhcmQgdG8gdGhl
IGNvbnZlcnNhdGlvbiBhbmQgaGVhcmluZyB3aGF0IG90aGVycyBhcmUgdGhpbmtpbmcgYWJvdXQg
dGhpcyB0b3BpYy4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBzdHlsZT0ibWFyZ2lu
OjBjbSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC41cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7U2Vn
b2UgVUkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjpibGFjayI+Jm5ic3A7PG86cD48L286cD48L3Nw
YW4+PC9wPg0KPHAgc3R5bGU9Im1hcmdpbjowY20iPjxzcGFuIHN0eWxlPSJjb2xvcjpibGFjayI+
Q2hlZXJzLCZuYnNwOzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIHN0eWxlPSJtYXJnaW46MGNt
Ij48c3BhbiBzdHlsZT0iY29sb3I6YmxhY2siPlBpZXRlciZuYnNwOzxvOnA+PC9vOnA+PC9zcGFu
PjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+
DQo8L2JvZHk+DQo8L2h0bWw+DQo=

--_000_AM7PR83MB0452287B78E5B4780304F45891129AM7PR83MB0452EURP_--
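The three-step pattern Pieter describes, run end to end against a toy RFC 8628 authorization server, as an added example; this is not code from the thread or from any of the linked proof-of-concept tools. The endpoints, the verification URI, the client id and the victim identity are constructed for illustration. What it makes concrete is the shape of the problem: the only thing the flow gives the authorization server is that a signed-in user approved a user code, and the token endpoint checks only the device_code, so the tokens go to whoever requested the code.

```python
"""Toy RFC 8628 authorization server and the three-step device code phish.

Added example; not code from this thread or the linked PoCs. The endpoints,
verification URI, client id and victim identity are constructed. State is
kept in memory and the clock is injectable so polling timings are fixed.
"""
import secrets

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonant alphabet suggested in RFC 8628, section 6.1


def normalize_user_code(code):
    """Section 6.1 asks the server to be lenient about case and separators typed by the user."""
    return code.upper().replace("-", "").replace(" ", "")


class DeviceAuthorizationServer:
    """Device authorization endpoint, verification step and token endpoint, all in memory."""

    def __init__(self, now, interval=5, expires_in=600):
        self.now = now                    # callable returning seconds; injected for determinism
        self.interval = interval
        self.expires_in = expires_in
        self._by_device_code = {}
        self._by_user_code = {}

    def device_authorization(self, client_id, scope):
        """The device's POST to the device authorization endpoint (sections 3.1 and 3.2)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2))
        req = {"client_id": client_id, "scope": scope, "status": "authorization_pending",
               "issued_at": self.now(), "last_poll": None, "subject": None}
        self._by_device_code[device_code] = req
        self._by_user_code[normalize_user_code(user_code)] = req
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",               # constructed
                "verification_uri_complete": "https://as.example/device?user_code=" + user_code,
                "expires_in": self.expires_in, "interval": self.interval}

    def approve_user_code(self, user_code, subject):
        """The verification page, after the end user signed in and consented (section 3.3).
        All the server learns is that this signed-in user approved this user code; nothing
        binds the approving user to the device, or the person, that requested the code."""
        req = self._by_user_code.get(normalize_user_code(user_code))
        if req is None or req["status"] != "authorization_pending":
            return False
        if self.now() - req["issued_at"] > self.expires_in:
            req["status"] = "expired_token"
            return False
        req["status"], req["subject"] = "approved", subject
        return True

    def token(self, client_id, grant_type, device_code):
        """The device's polling POST to the token endpoint (sections 3.4 and 3.5)."""
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self._by_device_code.get(device_code)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.now()
        too_fast = req["last_poll"] is not None and now - req["last_poll"] < self.interval
        req["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}
        if now - req["issued_at"] > self.expires_in:
            return {"error": "expired_token"}
        if req["status"] == "authorization_pending":
            return {"error": "authorization_pending"}
        if req["status"] != "approved":
            return {"error": "invalid_grant"}   # expired, or already redeemed
        req["status"] = "redeemed"              # a device_code is single use
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600, "scope": req["scope"],
                "sub": req["subject"]}          # returned only so the example can show whose tokens these are


def device_code_phish(victim="alice@example.org"):
    """Runs the three steps from the thread against the toy server; returns what each side saw."""
    clock = [1000.0]
    srv = DeviceAuthorizationServer(now=lambda: clock[0])
    attacker_client = "constructed-public-client-id"
    # 1. The attacker starts the grant on a device they control and keeps the device_code.
    da = srv.device_authorization(attacker_client, "openid offline_access mail.read")
    pending = srv.token(attacker_client, DEVICE_CODE_GRANT, da["device_code"])
    clock[0] += 1                               # polling again inside `interval` is throttled
    throttled = srv.token(attacker_client, DEVICE_CODE_GRANT, da["device_code"])
    # 2. The attacker relays user_code / verification_uri_complete to the victim by social
    #    engineering. The victim signs in on their own trusted device and approves the code
    #    (typed in lower case here; the server normalizes it).
    approved = srv.approve_user_code(da["user_code"].lower(), victim)
    # 3. The attacker's next poll, after `interval`, is answered with the victim's tokens,
    #    because the device_code is the only credential the token endpoint checks.
    clock[0] += srv.interval
    tokens = srv.token(attacker_client, DEVICE_CODE_GRANT, da["device_code"])
    clock[0] += srv.interval
    replay = srv.token(attacker_client, DEVICE_CODE_GRANT, da["device_code"])
    return {"pending": pending, "throttled": throttled, "approved": approved,
            "tokens": tokens, "replay": replay}
```

`device_code_phish()` returns the attacker's `authorization_pending` and `slow_down` responses, the victim's successful approval, the token response carrying the victim's `sub`, and the `invalid_grant` a second redemption gets. The `slow_down` and single-use checks are the only server-side observations the base flow makes about the polling party; neither of them involves the person who approved the code.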


From nobody Thu Mar 17 14:21:10 2022
Return-Path: <sweeden@au1.ibm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98CD13A15E8; Thu, 17 Mar 2022 14:21:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.005
X-Spam-Level: 
X-Spam-Status: No, score=-2.005 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ibm.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G3t5A6ZprLjU; Thu, 17 Mar 2022 14:21:05 -0700 (PDT)
Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68F783A15E6; Thu, 17 Mar 2022 14:21:02 -0700 (PDT)
Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 22HJGexa001204;  Thu, 17 Mar 2022 21:21:02 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : date : message-id : references : in-reply-to : content-type : mime-version : subject; s=pp1; bh=dLBfEIcthoG+MVvHmv2PwllMrHncv3XAuHJRhUKl9b8=; b=s8xsaJ1UjNjxltCNK6ZmKn6s4cLg+8F1WxLqa2la3+Chfxg+psJ4WJBrh36JHHK92Z1M CZokhZDnTg+Lbksl7rpkOQquHPYoaop3cFJBNCQnLRGahSCpYdmDpDwNfhlyNNKghphb 94JJ0wrT+fW2MnsWCb5frhkzF+pCy3KzLs4aamLoD/30VipcMUvVOWVSpsGd38EItlzu Jrtk704oRnEmythpj8wLPWQcBwjxN/CvJTSTWCRKoTJJ9VrF30oXOfqtOPUQtXI9gBDq C2rHLfXaYdJo6hdle4z289atI3YMLaJzepSTXHFd8qIW+Irmlmy1hL2CanIrcwhKacep Jg== 
Received: from nam11-dm6-obe.outbound.protection.outlook.com (mail-dm6nam11lp2168.outbound.protection.outlook.com [104.47.57.168]) by mx0a-001b2d01.pphosted.com with ESMTP id 3ev1vq67p8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 17 Mar 2022 21:21:01 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jG1f6/7yq+zggc/mfKzLiwZgqAVlPGFQiTAn7CGcWbYLCapJon8vgOBDacoSXxsgfYP/HamfZg53PB0MKh1/8wcCaVztvAJkPKb7fyVaZ4yAJvQhHyBUBJL9c9MheiEARxwF+MrkH9RXjIDjY2A9dMt0zEz9pfTbWqUyegVdhCj2zOm+h29o4G3e/Vhd83ISYI7vNx9zFJNu5EM5IU6gd7/kSnFJNfGJupU8sFjq2+l7FdkRAa5WIBStZOTyURSJnab4VHRthIdb/UpUa0q7tsL3y9Tkcd5hu3FCvAQIcH7pVe5kha1SV2XCZKrjU/ecKspxaKax6vUPSg/WIIpkkw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;  s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=dLBfEIcthoG+MVvHmv2PwllMrHncv3XAuHJRhUKl9b8=; b=cRLtOKqD2DZyak4Gk9tjDd/wV0dRdj3hHOs3lJNQTVLHM8V+83n7KOtezZdjBB0Xp4gNSQXUsQsu4UjA5qyTog8x26l2ghWrQmgelyUjcBWhw14MVy8j6DEJLU6dKJL4u4mGyAPrKyQAnZBA0TSrRozqKvINW//jis/0d45CDB960bEvY9bKXlKlfnAhT26aGshlK1wWVZDeYVFY2vRygHy/VHNfcjqGHgOqFh1lAkXMZy3nO2bltLJjRJA+DIFOGvUnP1YBFbFgKGBpfNVYLP5ye3rVi7l+7jQRdFTRaiTZtjsdiuwQWC21CKLqAbNWf5FsohLm2SLCaq6DrtvKqg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=au1.ibm.com; dmarc=pass action=none header.from=au1.ibm.com; dkim=pass header.d=au1.ibm.com; arc=none
Received: from DM6PR15MB3689.namprd15.prod.outlook.com (2603:10b6:5:1fb::27) by BY5PR15MB3524.namprd15.prod.outlook.com (2603:10b6:a03:1f5::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5081.17; Thu, 17 Mar 2022 21:21:00 +0000
Received: from DM6PR15MB3689.namprd15.prod.outlook.com ([fe80::c515:6be7:9d80:c1de]) by DM6PR15MB3689.namprd15.prod.outlook.com ([fe80::c515:6be7:9d80:c1de%6]) with mapi id 15.20.5081.017; Thu, 17 Mar 2022 21:21:00 +0000
From: Shane B Weeden <sweeden@au1.ibm.com>
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [EXTERNAL] [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits
Thread-Index: Adg6QbnOrvFCNzXmQH+yf4vBwwXQPwAAysYA
Date: Thu, 17 Mar 2022 21:20:59 +0000
Message-ID: <F31B486A-5DCD-4711-9584-708373185AA4@au1.ibm.com>
References: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com>
In-Reply-To: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: eafcf8ce-c748-4cac-ef77-08da085c0897
x-ms-traffictypediagnostic: BY5PR15MB3524:EE_
x-microsoft-antispam-prvs: <BY5PR15MB35241AA7BAE79791FF92A549B3129@BY5PR15MB3524.namprd15.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
Content-Type: multipart/alternative; boundary="_000_F31B486A5DCD47119584708373185AA4au1ibmcom_"
X-OriginatorOrg: au1.ibm.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR15MB3689.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: eafcf8ce-c748-4cac-ef77-08da085c0897
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Mar 2022 21:20:59.9753 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: fcf67057-50c9-4ad4-98f3-ffca64add9e9
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR15MB3524
X-Proofpoint-GUID: VHeTFsAfGacF4CPIAmdeUQU-Z-MYiX91
X-Proofpoint-ORIG-GUID: VHeTFsAfGacF4CPIAmdeUQU-Z-MYiX91
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.850,Hydra:6.0.425,FMLib:17.11.64.514 definitions=2022-03-17_07,2022-03-15_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 mlxscore=0 suspectscore=0 spamscore=0 clxscore=1011 impostorscore=0 adultscore=0 priorityscore=1501 bulkscore=0 malwarescore=0 mlxlogscore=999 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203170116
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RZVFKqS5Fr-Gm6fnCISXzWmXFyA>
Subject: Re: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Mar 2022 21:21:09 -0000

--_000_F31B486A5DCD47119584708373185AA4au1ibmcom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_F31B486A5DCD47119584708373185AA4au1ibmcom_
Content-Type: text/html; charset="utf-8"
Content-ID: <7A31B3E564E1D44583E28B1E240F01FB@namprd15.prod.outlook.com>
Content-Transfer-Encoding: base64
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--_000_F31B486A5DCD47119584708373185AA4au1ibmcom_--


From nobody Thu Mar 17 14:24:45 2022
Return-Path: <brockallen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB7953A0DFD for <oauth@ietfa.amsl.com>; Thu, 17 Mar 2022 14:24:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level: 
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iaMZKdGjdFTh for <oauth@ietfa.amsl.com>; Thu, 17 Mar 2022 14:24:36 -0700 (PDT)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E4F83A0D89 for <oauth@ietf.org>; Thu, 17 Mar 2022 14:24:36 -0700 (PDT)
Received: by mail-qk1-x72d.google.com with SMTP id c7so5409117qka.7 for <oauth@ietf.org>; Thu, 17 Mar 2022 14:24:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;  h=mime-version:date:message-id:subject:from:to:in-reply-to:references :user-agent; bh=uzI7gDkF3dmxsKs7Z/PYgXu/xaW3+528IuF5QObjHI0=; b=fSy/YZ1QkUNqp5iPxjJ70nXbfd9/yiyuwx/MoR27WYH63buBj98fu/+77+Wxsu1hIt dRoO7CbMLJJh+qJyn+cWUlwv9dvFmzw5l87Dii5+cxs6A/Qb5WPt251eqMAmf7CQVE/K aI1cJV7bKcmKPxeHOaKz07j23/rFlAM1i9xzbu04o83+shNOS0QTt0e80GfmhSk/r410 2lVxoc6CWOaHlHGG8zVSSUWLE4f6kf26g5uyKEwEXfo3Qzcmtus+VLbJgICWazCPoEUz UP91AhUwbNXFGnwfh7aE+kgkh7DfGW8mkKQVlZOG+6/zOMBgZ0bM46jb2nHBFFnulcHQ h1Dw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :in-reply-to:references:user-agent; bh=uzI7gDkF3dmxsKs7Z/PYgXu/xaW3+528IuF5QObjHI0=; b=TkCGy4qGXNH/sLpaTL6gpvhqJ3xhyFp2s95oemjamC3jD9bXdi89nXVmUaPXJBpjci AINzgDQxNaKhcRVtoUMNLWXhfIvFEnDoBd0LcqD720/ubiCQlOgtVv/+FN0ZQUFZ9oVS PWBSsUw0peJnO8e2yLsRtN5mvw10nDhlNd4/uyRBlZ1wLe21gW9RrGRGHxBVroNOM0Fh yuScDlWmEj2Oy7HcPZY2Wnii5AFVCtO9/zGlWQq9B6KF1JfQfaNUl2H3yfHXHvDy+YFW GmHwRHKX3cMcB8sugzr0Mnybqh2cQe+4o8BxShrjH6h2OordKnHAN/lt6nDOs5WPb1tJ KY3Q==
X-Gm-Message-State: AOAM5302oP07DaoL/Oscu3boqK7O5H+wX2KTXsqmvKDSTrvh7o13mW4f lQrmfQK4+GrsnW7FDKxxcMjxPxT/9bM=
X-Google-Smtp-Source: ABdhPJwBY7q0SNvkiFidiE8ZxtsbWKcWMbQRLBO30mKJPWVNG9b4RJWD1cdAzFtmK0gPwzuj6oZLlA==
X-Received: by 2002:a37:845:0:b0:47e:c3fb:b11c with SMTP id 66-20020a370845000000b0047ec3fbb11cmr4166884qki.92.1647552274547;  Thu, 17 Mar 2022 14:24:34 -0700 (PDT)
Received: from [10.0.1.3] (pool-74-103-207-160.prvdri.ftas.verizon.net. [74.103.207.160]) by smtp.gmail.com with ESMTPSA id r14-20020ac85c8e000000b002e1d62ba775sm4449531qta.21.2022.03.17.14.24.34 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 17 Mar 2022 14:24:34 -0700 (PDT)
Content-Type: multipart/alternative; boundary="----=_NextPart_4997994.091331868931"
MIME-Version: 1.0
Date: Thu, 17 Mar 2022 17:24:32 -0400
Message-ID: <Mailbird-07e64951-c8a3-4cf0-853d-2ac710d77abd@gmail.com>
From: "Brock Allen" <brockallen@gmail.com>
To: "Pieter Kasselman" <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, "" <oauth@ietf.org>
In-Reply-To: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com>
References: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com>
User-Agent: Mailbird/2.9.61.0
X-Mailbird-ID: Mailbird-07e64951-c8a3-4cf0-853d-2ac710d77abd@gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4bKV09fJ-kYc4aKNikC5zNTh1kM>
Subject: Re: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Mar 2022 21:24:42 -0000

I watched one of those videos and it seems to be that a proper consent screen would have been the best and easiest line of defense. Is there something more to the attacks where a better consent page (or any consent page for that matter) would not have been sufficient?

-Brock

On 3/17/2022 5:10:35 PM, Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org> wrote:

Hi All

One of the agenda items for IETF 113 is the device authorization grant flow (aka device code flow), scheduled for Thursday 24 March 2022. Before the meeting, I wanted to share a bit more information for those interested in the topic and also give those who are unable to attend in person an opportunity to participate in the conversation.

The Device Authorization Grant Flow (RFC 8682) [https://datatracker.ietf.org/doc/html/rfc8628] solves an important problem by enabling authorization flows on devices that are unable to support a browser or have limited input capabilities. However, looking back over the past 18-24 months, there have been a number of practical exploits published that use social engineering techniques applied to the device authorization grant flow.

The goal of the session at IETF 113 is to discuss the patterns of the exploits that are known and start a conversation on what (if anything) we should do, based on what we are learning.

These exploits follow a general man-in-the-middle (MITM) pattern, where the attacker:

* Initiates the Device Authorization Grant flow on a device under their control,
* Presents the user code in a context that the end-user is likely to act on (using social engineering techniques), and
* Once the user grants access, retrieves the access and refresh tokens and uses them to access the user's resources.

Some of the exploits are described here for those interested in more detail:

* The Art of the Device Code Phish - Boku (0xboku.com) [https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html]
* Microsoft 365 OAuth Device Code Flow and Phishing | Optiv [https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing]
* optiv/Microsoft365_devicePhish: A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow (github.com) [https://github.com/optiv/Microsoft365_devicePhish]
* Introducing a new phishing technique for compromising Office 365 accounts (o365blog.com) [https://o365blog.com/post/phishing/#new-phishing-technique-device-code-authentication]
* DEF CON 29 - Jenko Hwong - New Phishing Attacks Exploiting OAuth Authentication Flows - YouTube [https://www.youtube.com/watch?v=9slRYvpKHp4]

In terms of a response, there are a few options that come to mind (these are not exhaustive, I would love to see what others have in mind as well):

A. Do nothing: We can choose to leave everything as is. The downside of this is that the lessons we are learning are not getting disseminated or resulting in reduced risks.
B. Update the recommendations: We can document the social engineering exploits and recommend some additional mitigations as well as recommendations in terms of use cases. Although these types of "phishing"/social engineering attacks are called out in the security considerations in RFC 8628 - OAuth 2.0 Device Authorization Grant [https://datatracker.ietf.org/doc/html/rfc8628], we can add further mitigations to create greater defence in depth. This will help future implementers and may even be useful for future protocols that rely on similar cross-device authentication and authorization flows.
C. Explore alternatives: Develop, adopt, or evolve new protocols that address the scenario while mitigating or avoiding the risks.

Option A does not do much to improve the state of the art. Option B feels like something we can do now, and we may learn something along the way that can help inform Option C, which may be much further down the road and require more research. What other options come to mind?

I'm looking forward to the conversation and hearing what others are thinking about this topic.

Cheers,
Pieter

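Added example, not code from this thread, from RFC 8628 or from any product: a small model of the authorization-server side of the device grant, showing what the server already holds when the user types a user code, and therefore what a consent page can present before approval (registered client name, exact scopes, age of the request), together with the expiry, one-shot redemption and slow_down polling rules the RFC specifies. The client registry, the verification URI and the user names are placeholders.

```python
"""Authorization-server (AS) side of the OAuth 2.0 Device Authorization Grant (RFC 8628),
modelled to show what the AS knows, and can display, when a user types a user code."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# RFC 8628 s.6.1 suggests a 20-consonant alphabet; 8 symbols give 20**8 (~2.6e10) codes.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
USER_CODE_LENGTH = 8
LIFETIME_SECONDS = 600    # expires_in: how long a pending request stays valid
POLL_INTERVAL = 5         # interval: minimum seconds between token polls

@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    device_code: str
    user_code: str
    created_at: float
    expires_at: float
    approved: bool = False
    denied: bool = False
    last_poll: float = 0.0
    user: Optional[str] = None

class DeviceAuthorizationServer:
    """Hypothetical AS: `clients` maps client_id to its registered display name."""

    def __init__(self, clients: Dict[str, str], clock: Callable[[], float] = time.time):
        self.clients = clients
        self.clock = clock                    # injectable so expiry and polling can be tested
        self.by_device_code: Dict[str, DeviceGrant] = {}
        self.by_user_code: Dict[str, DeviceGrant] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Device authorization endpoint (RFC 8628 sections 3.1 and 3.2)."""
        if client_id not in self.clients:
            raise ValueError("invalid_client")
        now = self.clock()
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(USER_CODE_LENGTH))
        grant = DeviceGrant(client_id, scope, secrets.token_urlsafe(32), user_code,
                            created_at=now, expires_at=now + LIFETIME_SECONDS)
        self.by_device_code[grant.device_code] = grant
        self.by_user_code[user_code] = grant
        return {"device_code": grant.device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # placeholder AS
                "expires_in": LIFETIME_SECONDS, "interval": POLL_INTERVAL}

    def _lookup_pending(self, user_code: str) -> Optional[DeviceGrant]:
        # Section 6.1: compare the typed code case-insensitively, ignoring hyphens.
        grant = self.by_user_code.get(user_code.replace("-", "").upper())
        if grant is None or grant.approved or grant.denied or self.clock() > grant.expires_at:
            return None
        return grant

    def consent_context(self, user_code: str) -> Optional[dict]:
        """What the verification page should show *before* asking for approval: the
        registered client name, the exact scopes and the age of the request. The user
        typed only the code; the AS supplies the rest, so this page is where a request
        the user did not start themselves becomes visible. None: unknown/used/expired."""
        grant = self._lookup_pending(user_code)
        if grant is None:
            return None
        return {"client_id": grant.client_id, "client_name": self.clients[grant.client_id],
                "scope": grant.scope.split(),
                "requested_seconds_ago": int(self.clock() - grant.created_at)}

    def decide(self, user_code: str, user: str, approve: bool) -> None:
        """Record the authenticated user's decision made on the consent page."""
        grant = self._lookup_pending(user_code)
        if grant is None:
            raise ValueError("invalid or expired user_code")
        if approve:
            grant.approved, grant.user = True, user
        else:
            grant.denied = True

    def token(self, client_id: str, device_code: str) -> Tuple[str, dict]:
        """Token endpoint polled by the device (RFC 8628 sections 3.4 and 3.5)."""
        grant = self.by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id:
            return "error", {"error": "invalid_grant"}
        now = self.clock()
        if now > grant.expires_at:
            return "error", {"error": "expired_token"}
        too_fast = now - grant.last_poll < POLL_INTERVAL
        grant.last_poll = now
        if too_fast:
            return "error", {"error": "slow_down"}
        if grant.denied:
            return "error", {"error": "access_denied"}
        if not grant.approved:
            return "error", {"error": "authorization_pending"}
        # A device code is redeemable once; drop it so a replay fails as invalid_grant.
        del self.by_device_code[device_code]
        del self.by_user_code[grant.user_code]
        return "ok", {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                      "scope": grant.scope, "sub": grant.user}
```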


From nobody Fri Mar 18 05:22:15 2022
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: Brock Allen <brockallen@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits
Date: Fri, 18 Mar 2022 12:21:53 +0000
Message-ID: <AM7PR83MB0452C946A20D116F13D7F28E91139@AM7PR83MB0452.EURPRD83.prod.outlook.com>
References: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com> <Mailbird-07e64951-c8a3-4cf0-853d-2ac710d77abd@gmail.com>
In-Reply-To: <Mailbird-07e64951-c8a3-4cf0-853d-2ac710d77abd@gmail.com>
Content-Type: multipart/alternative; boundary="_000_AM7PR83MB0452C946A20D116F13D7F28E91139AM7PR83MB0452EURP_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zXD_7HgmCgIC95c_QAQfiguiDz0>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

--_000_AM7PR83MB0452C946A20D116F13D7F28E91139AM7PR83MB0452EURP_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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==

--_000_AM7PR83MB0452C946A20D116F13D7F28E91139AM7PR83MB0452EURP_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_AM7PR83MB0452C946A20D116F13D7F28E91139AM7PR83MB0452EURP_--


From nobody Fri Mar 18 05:42:57 2022
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: Shane B Weeden <sweeden@au1.ibm.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits
Date: Fri, 18 Mar 2022 12:42:38 +0000
Message-ID: <AM7PR83MB04525D9CDC05BA3656DC78FF91139@AM7PR83MB0452.EURPRD83.prod.outlook.com>
References: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com> <F31B486A-5DCD-4711-9584-708373185AA4@au1.ibm.com>
In-Reply-To: <F31B486A-5DCD-4711-9584-708373185AA4@au1.ibm.com>
Content-Type: multipart/alternative; boundary="_000_AM7PR83MB04525D9CDC05BA3656DC78FF91139AM7PR83MB0452EURP_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM7PR83MB0452.EURPRD83.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: afcc6c39-3485-47bd-83d8-08da08dcc943
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2022 12:42:38.7269 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: j88poTU2+eIEzpRQZuSrSIMcxGmVjKMdE2oMnM+KpYxnOd5sHYlz4rC6MhLIj5Zzrte5+mG+Xs7jJtSlrGUXa1vosHkTvOlJ65eXzaqXlMA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR83MB0351
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SDz31byP5dKnLxAMHMHJrkCZnJY>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Mar 2022 12:42:56 -0000

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--_000_AM7PR83MB04525D9CDC05BA3656DC78FF91139AM7PR83MB0452EURP_
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--_000_AM7PR83MB04525D9CDC05BA3656DC78FF91139AM7PR83MB0452EURP_--


From nobody Fri Mar 18 16:43:52 2022
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
From: rfc-editor@rfc-editor.org
Cc: rfc-editor@rfc-editor.org, drafts-update-ref@iana.org, oauth@ietf.org
Message-Id: <20220318234337.CA1622B465@rfc-editor.org>
Date: Fri, 18 Mar 2022 16:43:37 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_Cm7KI3rMo-WQWwMb3h-iBA7BQk>
Subject: [OAUTH-WG] RFC 9207 on OAuth 2.0 Authorization Server Issuer Identification

A new Request for Comments is now available in online RFC libraries.

        RFC 9207

        Title:      OAuth 2.0 Authorization Server Issuer Identification
        Author:     K. Meyer zu Selhausen,
                    D. Fett
        Status:     Standards Track
        Stream:     IETF
        Date:       March 2022
        Mailbox:    karsten.meyerzuselhausen@hackmanit.de,
                    mail@danielfett.de
        Pages:      9
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-iss-auth-resp-05.txt

        URL:        https://www.rfc-editor.org/info/rfc9207

        DOI:        10.17487/RFC9207

This document specifies a new parameter called iss. This parameter is
used to explicitly include the issuer identifier of the authorization
server in the authorization response of an OAuth authorization flow.
The iss parameter serves as an effective countermeasure to "mix-up
attacks".

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track
protocol for the Internet community, and requests discussion and suggestions
for improvements.  Please refer to the current edition of the Official
Internet Protocol Standards (https://www.rfc-editor.org/standards) for the 
standardization state and status of this protocol.  Distribution of this 
memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  https://www.ietf.org/mailman/listinfo/ietf-announce
  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC
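
The client-side iss check that RFC 9207 describes, as an added example that is not part of the announcement or of the RFC's own text: the client remembers which authorization server each state value was sent to and rejects a response whose iss does not match that server's issuer identifier exactly, or that lacks iss when the server's metadata (the authorization_response_iss_parameter_supported flag defined by RFC 9207) promised one. The issuer URLs, state values and codes are constructed placeholders.

```python
"""Client-side check of the RFC 9207 iss parameter in an OAuth authorization response."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


class MixUpError(Exception):
    """The authorization response cannot be tied to the AS the request was sent to."""


@dataclass(frozen=True)
class AuthorizationServer:
    issuer: str  # issuer identifier exactly as published in the AS metadata
    # RFC 9207 metadata flag: the AS promises to send iss in every
    # authorization response, so a missing iss is itself a failure.
    authorization_response_iss_parameter_supported: bool


# Constructed sample data, not real deployments: two authorization servers the
# client is registered with. In the mix-up case below AS_B is the server an
# attacker controls and AS_A is the honest server the user actually logs in to.
AS_A = AuthorizationServer("https://as-a.example", True)
AS_B = AuthorizationServer("https://as-b.example", False)


def _single(params: dict, name: str):
    """Return the sole value of a query parameter, None if absent, error if repeated."""
    values = params.get(name)
    if values is None:
        return None
    if len(values) != 1:
        raise MixUpError(f"parameter {name!r} appears more than once")
    return values[0]


class Client:
    def __init__(self) -> None:
        # state -> AS the request was sent to. This binding is what iss is
        # compared against; without it a mix-up cannot be detected.
        self._pending: dict[str, AuthorizationServer] = {}

    def start_authorization(self, state: str, server: AuthorizationServer) -> None:
        if state in self._pending:
            raise ValueError("state must be unique per authorization request")
        self._pending[state] = server

    def handle_authorization_response(self, redirect_url: str) -> dict:
        """Validate state and iss; return code/error and the issuer to redeem the code at.

        Only after this returns may the client send the code to that issuer's
        token endpoint. Raises MixUpError on any inconsistency.
        """
        params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
        state = _single(params, "state")
        if state is None or state not in self._pending:
            raise MixUpError("unknown or missing state")
        expected = self._pending.pop(state)  # each response is accepted at most once

        iss = _single(params, "iss")
        if iss is None:
            if expected.authorization_response_iss_parameter_supported:
                raise MixUpError(f"{expected.issuer} advertises iss support but sent none")
            # Legacy AS without RFC 9207: nothing to compare, and no mix-up
            # protection from this mechanism for responses from that server.
        elif iss != expected.issuer:
            # RFC 9207 mandates a simple string comparison; no URL normalization.
            raise MixUpError(
                f"mix-up detected: response claims issuer {iss!r} "
                f"but the request was sent to {expected.issuer!r}"
            )
        return {"issuer": expected.issuer,
                "code": _single(params, "code"),
                "error": _single(params, "error")}


def demo() -> list[str]:
    """Run three constructed redirects through the check and report each outcome."""
    client = Client()
    cb = "https://client.example/cb"
    cases = [
        # (state, AS the request went to, redirect URL the browser arrives with)
        ("s1", AS_A, f"{cb}?code=c1&state=s1&iss=https%3A%2F%2Fas-a.example"),
        # Mix-up: the request went to AS_B, but the code was issued by AS_A.
        ("s2", AS_B, f"{cb}?code=c2&state=s2&iss=https%3A%2F%2Fas-a.example"),
        # AS_A promised iss but the response lacks it: reject rather than guess.
        ("s3", AS_A, f"{cb}?code=c3&state=s3"),
    ]
    outcomes = []
    for state, server, url in cases:
        client.start_authorization(state, server)
        try:
            result = client.handle_authorization_response(url)
            outcomes.append(f"accepted code {result['code']} for {result['issuer']}")
        except MixUpError as exc:
            outcomes.append(f"rejected: {exc}")
    return outcomes


if __name__ == "__main__":
    print("\n".join(demo()))
```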



From nobody Mon Mar 21 01:30:01 2022
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 21 Mar 2022 09:29:24 +0100
Message-ID: <CA+k3eCTz0ZS3d6swXR-ZJ6kMhhyXZ1VD92sa+FhOfrZ-H7dPkA@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/emOUhFGpiOUrIjHfOssFv4HucEc>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-05.txt


I notice -05 still has the "credentialed" client concept, which I was
expecting would go away after this discussion toward the end of last year
https://mailarchive.ietf.org/arch/msg/oauth/FZkd5fPolu7PKx5uXV15A79aLTc/
that indicated that the term was confusing and not providing a meaningful
distinction around functionality in the document.

On Tue, Mar 8, 2022 at 1:02 AM <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>         Title           : The OAuth 2.1 Authorization Framework
>         Authors         : Dick Hardt
>                           Aaron Parecki
>                           Torsten Lodderstedt
>         Filename        : draft-ietf-oauth-v2-1-05.txt
>         Pages           : 84
>         Date            : 2022-03-07
>
> Abstract:
>    The OAuth 2.1 authorization framework enables a third-party
>    application to obtain limited access to a protected resource, either
>    on behalf of a resource owner by orchestrating an approval
>    interaction between the resource owner and an authorization service,
>    or by allowing the third-party application to obtain access on its
>    own behalf.  This specification replaces and obsoletes the OAuth 2.0
>    Authorization Framework described in RFC 6749.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-05.html
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-v2-1-05
>
>
> Internet-Drafts are also available by rsync at rsync.ietf.org:
> :internet-drafts
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited.  If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you._



From nobody Mon Mar 21 13:27:02 2022
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Mon, 21 Mar 2022 21:26:42 +0100
Message-ID: <CADNypP9bQhNZ99tGdPF43bcdNa8ma9A3=kVdptpxmz8Wjh1-Fg@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VfhpmrKN2G_IDE6cxS-je1DvZ3I>
Subject: Re: [OAUTH-WG] OAuth WG Agenda @ IETF113


All,

For people in Vienna that are interested in the side meetings, both are at
the *Grand Klimt Hall 3*.

Regards,
 Rifaat


On Fri, Mar 11, 2022 at 4:15 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
wrote:

> All,
>
> The OAuth WG has two official sessions
> 1. *Monday* at 2:30-4:30 pm Vienna time
> 2. *Thursday* at 2:30-4:30 Vienna time
>
> We also have two side meetings available for in-person attendees:
> 1. *Tuesday* at 2:00-3:30 pm Vienna time
> 2. *Wednesday* at 6:00-7:30 pm Vienna time
>
>
> *Monday's agenda:*
>
> 1. *Chairs update* - Rifaat/Hannes (15 min)
>
> 2. *DPoP* - Mike/Brian (45 min)
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>
> 3. *Redirection Attacks* - Rifaat (30 min)
> https://mailarchive.ietf.org/arch/msg/oauth/4-YCJzeDH4NH-ge9OF8bAbqWgIE/
>
> 4. *OAuth 2.1* - Aaron (30 min)
> https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/
>
>
> *Thursday's agenda:*
>
> 1. *Device Code Flow* - Pieter (45 min)
>
> 2. *Step-up Authentication* - Vittorio (30 min)
>
> https://datatracker.ietf.org/doc/html/draft-bertocci-oauth-step-up-authn-challenge
>
> 3. *Libraries* - Daniel (45 min)
> https://mailarchive.ietf.org/arch/msg/oauth/h9_Ki1UYT8sS0xKqGrzWI6yHaNA/
>
> Regards,
>  Rifaat & Hannes
>
>
>



From nobody Tue Mar 22 06:19:36 2022
Message-ID: <d9d8df69-59e0-37a3-e0de-7605e503564c@danielfett.de>
Date: Tue, 22 Mar 2022 14:19:20 +0100
To: oauth <oauth@ietf.org>
From: Daniel Fett <fett@danielfett.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/iEpKFU3Bv8LdNMS3qngV3aTyT5s>
Subject: [OAUTH-WG] OAuth Security BCP Github

This is a multi-part message in MIME format.
--------------EJ0npnv9jwCDLwktB1XyEUCM
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Since this was asked at the meeting, the OAuth Security BCP lives here:

https://github.com/oauthstuff/draft-ietf-oauth-security-topics

-Daniel

-- 
https://danielfett.de

--------------EJ0npnv9jwCDLwktB1XyEUCM--


From nobody Tue Mar 22 08:07:30 2022
Return-Path: <dave.tonge@moneyhub.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE8F23A1527 for <oauth@ietfa.amsl.com>; Tue, 22 Mar 2022 08:07:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.76
X-Spam-Level: 
X-Spam-Status: No, score=-6.76 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=momentumft.co.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kp-4C4fEEUjJ for <oauth@ietfa.amsl.com>; Tue, 22 Mar 2022 08:07:21 -0700 (PDT)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D6F03A1509 for <oauth@ietf.org>; Tue, 22 Mar 2022 08:07:20 -0700 (PDT)
Received: by mail-ej1-x62d.google.com with SMTP id dr20so36314131ejc.6 for <oauth@ietf.org>; Tue, 22 Mar 2022 08:07:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=momentumft.co.uk; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Jk4hi5jsALFf4+lKqZWAZdNTA+5YLb1+48NCZFhi25U=; b=NglhF/50OUk2VCJKi9OXtbqo/AcyCGdYrbzc2yjMYC+YZgfed07kGg9ldOBgC6MLWp +IF3nRRKABIL3h4HCnt+iGkUObmkcpr2tzU8Uln8iEtqb1szxQ6+Mc4YdVtpisALFmQ2 y74hkZa3ieJ3PA+Ds/FIFRG27nA+UWIWcmj7A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Jk4hi5jsALFf4+lKqZWAZdNTA+5YLb1+48NCZFhi25U=; b=Vt2xJww565nRv3tmv0vD1SchYaf90IaUI3iFH1BVKb8AQxsUOHMV385ziW6UJy1Uxz IfbrJME9B2YxOt9K/vHGB37YfUn34uQ+s8nrXbB2DFY1q7Wsvku0divrLhiQSwsxD77K 3+/6H4f8pcjQXQSBvwqkDbZJqEX8r0zs6zJtDe8GJRS7Dzyjs9FX8WFxCeuSHKFWrzXh /rApN7AJcb02iNVLk3IFRCo+rxBEOHttDBVrFf5PezbF6hEP0m6qIA9zVBQW07m1aGta /IqMwU1IoMj7cFrSUizrhYGSTkybeBxQVTeZ3WhZCsHlKVNZNtdmfgY592D4bc/YWPOH PYrg==
X-Gm-Message-State: AOAM531C3IqqC4TT6TegUmWWYGVDf+cfLad3+SDUvrsASxnvJ90enZLd Tbtr96A22jEgKBc0f6LzgP0ksNbluxpsQG2LZ4tEG9fFzD/5noYMU1pZxmmTyD9B4yL31SH8t9m Sj3MQL4Pr64pkQHgIoY6jWa/v
X-Google-Smtp-Source: ABdhPJzD14QHBhcSlbrAcwOs+mZx4GexUrb0nEFGR3X967pideQ512QzyyrCzcb24z15cSYScOnlL/BkUjozy3qmpJY=
X-Received: by 2002:a17:906:5597:b0:6ce:f3cc:14e8 with SMTP id y23-20020a170906559700b006cef3cc14e8mr25677153ejp.426.1647961637617; Tue, 22 Mar 2022 08:07:17 -0700 (PDT)
MIME-Version: 1.0
References: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com> <F31B486A-5DCD-4711-9584-708373185AA4@au1.ibm.com> <AM7PR83MB04525D9CDC05BA3656DC78FF91139@AM7PR83MB0452.EURPRD83.prod.outlook.com>
In-Reply-To: <AM7PR83MB04525D9CDC05BA3656DC78FF91139@AM7PR83MB0452.EURPRD83.prod.outlook.com>
From: Dave Tonge <dave.tonge@momentumft.co.uk>
Date: Tue, 22 Mar 2022 16:07:06 +0100
Message-ID: <CAP-T6TRSwGQ+gEO3T4P5itaNquTT3rGBP=aY5ZvoyJar3viHGA@mail.gmail.com>
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
Cc: Shane B Weeden <sweeden@au1.ibm.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000039bce05dacff8aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5VK5rRQdcs9GHZYhcShuKCnUPho>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 15:07:26 -0000

--000000000000039bce05dacff8aa
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

> Something else we may want to provide is some clear recommendations on
> when to use CIBA vs Device Authorization Grant etc

I think this would be really helpful. Both specs support "decoupled" flows,
but they were designed for different use cases and have different
trade-offs.

CIBA provides a few more options when it comes to securing decoupled flows
that could make the attacks in the original email harder to implement, e.g.
 - user code (mainly an "anti-spam" parameter)
 - binding_message
 - login_hint_token / id_token_hint to bootstrap the flow

I'm looking forward to the discussion around this on Thursday

Dave

On Fri, 18 Mar 2022 at 13:43, Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org> wrote:

> Hi Shane,
>
> Agreed that CIBA is interesting in this context as an alternative to
> Device Authorization Grant.
>
> Having the user initiate the request makes it harder for an adversary to
> manipulate the context, but I think it also shifts the point of attack. Now
> instead of getting the user to enter a user code, you have to get the user
> to enter their “user_hint”. This does put it on par with any regular
> phishing attack (at least the attack did not become easier). I do think
> mitigations on the back-end can help to further reduce the risks for both
> Device Authorization Grant and CIBA.
>
> Something else we may want to provide is some clear recommendations on
> when to use CIBA vs Device Authorization Grant etc (e.g. use CIBA if the
> user can provide input, use Device Authorization Grant if there is no input
> device). All of this may seem obvious for experts familiar with this space,
> but being explicit will help implementors who have expertise elsewhere.
>
> From looking at various protocols, whenever we attempt to use the user as
> a secure transport between their authentication device and the device on
> which the service will be delivered, we open an opportunity for social
> engineering attacks. Keeping that opening as small and constrained as
> possible and then mitigating against errors in judgement will help the
> overall security posture.
>
> Cheers
>
> Pieter
>
> *From:* Shane B Weeden <sweeden@au1.ibm.com>
> *Sent:* Thursday 17 March 2022 21:21
> *To:* Pieter Kasselman <pieter.kasselman@microsoft.com>
> *Cc:* oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and
> Illicit Consent Exploits
>
> Isn’t this essentially what is mitigated in the FAPI-compliant OIDC CIBA
> by:
>
> 1. Requiring the client to initiate the flow with signed request
> parameters which include, via some hint, the resource owner for whom
> authentication is being requested
>
> 2. Requiring that the OP check that the resource owner approving the grant
> is the same as the one the client associated with the request in step 1
>
> I realise this requires that the client obtains an indication of the
> username of the resource owner up front to kick things off, but short of
> this I cannot think of any practical mitigation.
>
> On 18 Mar 2022, at 7:09 am, Pieter Kasselman <
> pieter.kasselman=40microsoft.com@dmarc.ietf.org> wrote:
>
> ant problem by enabling authorization flows on devices that are unable to
> support a browser or have limited input capabilities. However, looking
> back over the past 18-24 months, there have been a number of practical
> exploits published that use social en
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 

Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Moneyhub Financial Technology is entered on the
Financial Services Register (FRN 809360) at https://register.fca.org.uk/.
Moneyhub Financial Technology is registered in England & Wales, company
registration number 06909772. Moneyhub Financial Technology Limited 2022 ©
Moneyhub Enterprise, Regus Building, Temple Quay, 1 Friary, Bristol, BS1 6EA.

DISCLAIMER: This email (including any attachments) is subject to copyright,
and the information in it is confidential. Use of this email or of any
information in it other than by the addressee is unauthorised and unlawful.
Whilst reasonable efforts are made to ensure that any attachments are
virus-free, it is the recipient's sole responsibility to scan all
attachments for viruses. All calls and emails to and from this company may
be monitored and recorded for legitimate purposes relating to this
company's business. Any opinions expressed in this email (or in any
attachments) are those of the author and do not necessarily represent the
opinions of Moneyhub Financial Technology Limited or of any other group
company.
--000000000000039bce05dacff8aa--
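The CIBA mitigations discussed in this thread, as an added simulation that is not code from the CIBA specification, from FAPI, or from any participant: a client-signed request object that names the resource owner through a hint (Shane's step 1), an OP that refuses approval from anyone but the hinted user (Shane's step 2), a user_code the client must present before the OP will push anything to the user's device, and a binding_message shown on both devices. Assumptions: an in-memory OP, HS256-signed request objects (a FAPI CIBA client would sign with its registered asymmetric key), a bare subject identifier as the login_hint, and constructed client keys and user codes.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed data: one OP, two registered clients, two users with their user_codes.
OP_ISSUER = "https://op.example"
CLIENT_KEYS = {"bank-app": b"bank-app-signing-key", "other-app": b"other-app-signing-key"}
USER_CODES = {"alice": "7402", "bob": "1188"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_request_object(claims: dict, key: bytes) -> str:
    # Client side. HS256 keeps the example self-contained; a FAPI CIBA client
    # signs the request object with its registered asymmetric key instead.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

class CibaError(Exception):
    pass

class OpenIDProvider:
    def __init__(self, issuer: str, clients: dict, users: dict):
        self.issuer, self.clients, self.users = issuer, clients, users
        self.pending = {}  # auth_req_id -> validated request awaiting user approval

    def backchannel_authentication(self, request_jwt: str) -> dict:
        header, payload, sig = request_jwt.split(".")
        claims = json.loads(b64url_decode(payload))
        # Step 1: only a registered client with a valid signature may start a flow,
        # and the signed parameters name the resource owner up front.
        key = self.clients.get(claims.get("iss"))
        if key is None:
            raise CibaError("unknown client")
        mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(sig)):
            raise CibaError("invalid request object signature")
        if claims.get("aud") != self.issuer or claims.get("exp", 0) < time.time():
            raise CibaError("request object not for this OP or expired")
        sub = claims.get("login_hint")  # bare subject identifier, a simplification
        if sub not in self.users:
            raise CibaError("unknown_user_id")
        # user_code: a secret the user gave the client out of band. Knowing a
        # victim's identifier alone is not enough to push prompts to their device.
        if not hmac.compare_digest(self.users[sub], claims.get("user_code", "")):
            raise CibaError("invalid_user_code")
        if not claims.get("binding_message"):
            raise CibaError("binding_message required")
        auth_req_id = secrets.token_urlsafe(16)
        self.pending[auth_req_id] = {"client_id": claims["iss"], "sub": sub,
                                     "binding_message": claims["binding_message"]}
        return {"auth_req_id": auth_req_id, "expires_in": 120}

    def authentication_device_prompt(self, auth_req_id: str) -> str:
        # Shown on the user's authentication device; the consumption device shows
        # the same binding_message, so a mismatch tells the user to refuse.
        req = self.pending[auth_req_id]
        return f"{req['client_id']} requests sign-in. Code on your other device: {req['binding_message']}"

    def approve(self, auth_req_id: str, authenticated_sub: str) -> dict:
        # Step 2: the user who approves must be the one the client named in step 1.
        req = self.pending.pop(auth_req_id)
        if authenticated_sub != req["sub"]:
            raise CibaError("approver does not match login hint")
        return {"access_token": secrets.token_urlsafe(24), "sub": req["sub"], "client_id": req["client_id"]}

def make_request(client_id, login_hint, user_code, binding_message, key=None) -> str:
    now = int(time.time())
    claims = {"iss": client_id, "aud": OP_ISSUER, "iat": now, "nbf": now, "exp": now + 60,
              "jti": secrets.token_hex(8), "scope": "openid", "login_hint": login_hint,
              "user_code": user_code, "binding_message": binding_message}
    return sign_request_object(claims, key or CLIENT_KEYS[client_id])

def run_scenario(client_id, login_hint, user_code, approver, key=None) -> str:
    """Return 'token:<sub>' if the OP issues a token, otherwise its rejection reason."""
    op = OpenIDProvider(OP_ISSUER, CLIENT_KEYS, USER_CODES)
    try:
        resp = op.backchannel_authentication(make_request(client_id, login_hint, user_code, "X9K-2P", key))
        op.authentication_device_prompt(resp["auth_req_id"])  # the user compares "X9K-2P" here
        return "token:" + op.approve(resp["auth_req_id"], approver)["sub"]
    except CibaError as exc:
        return str(exc)

if __name__ == "__main__":
    for args in [("bank-app", "alice", "7402", "alice"), ("bank-app", "alice", "7402", "alice", b"forged"),
                 ("other-app", "alice", "0000", "alice"), ("bank-app", "alice", "7402", "bob")]:
        print(run_scenario(*args))
```

The four scenarios separate what each check buys. The signature check makes every request attributable to a registered client; the hint match stops consent from being routed to anyone but the user the client named, but, as Pieter notes, it does not stop a victim who has handed their identifier to a phishing page from approving. The user_code raises the cost of that social engineering because the attacker must also obtain a secret the user holds, and the binding_message gives the user something concrete to compare before approving.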


From nobody Tue Mar 22 08:19:12 2022
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E532D3A0B1F for <oauth@ietfa.amsl.com>; Tue, 22 Mar 2022 08:19:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.111
X-Spam-Level: 
X-Spam-Status: No, score=-7.111 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hb2WUN42E2Oo for <oauth@ietfa.amsl.com>; Tue, 22 Mar 2022 08:18:55 -0700 (PDT)
Received: from na01-obe.outbound.protection.outlook.com (mail-eus2azlp170100001.outbound.protection.outlook.com [IPv6:2a01:111:f403:c110::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48E4C3A1509 for <oauth@ietf.org>; Tue, 22 Mar 2022 08:18:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=erdLpTQhG5FdejRHpHMyWkvujeIS5BwfYcPmVNJ+7BpIwmzoKEB6nmiGbUJAasElXbJuv+be9NVF2dJ+DxgWXiwrg8zzW+r0PvosYpMnv8j73IHwJUK+pmp6JUVO3OLWMjAFTw6umN7qK8binIqcywf4r2o07vVD+IzEmaNkfE4N1ImHX7rFA8Ox1A75lA4wIt3VlVDMVxeLejBj/sZZP/6PWSmEK04gd1PNlX9X72y6h2HJDx4g8IYy7lZIqQCVo+CkegSec5cA4lvedbTcOU2vLB6eztvVKqkK1L/XBzeL3SBshljFyRlwO2K+zH6ma/5shw1bkHhIvLFKEWqSkg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;  s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=rFcCUUI/4DOXFsYY53zLksSqQm04K89i7QFW0nTbehk=; b=ZEtReLjhnTSCWwpD38j2SFYXopaUAAa5tQYh6PWhpNhN3bt3dkakMZ9dSZQzptIORDcolVACWd1yK3cvkG6xZ/9DB/VFroSOF5E0gamI0EU1vtkwEn+p+q0z9txDNaUP69HGNtbyUsmNhbQDjpsvqYRISGHK95fuwD+hvpirCXvWqVeKBo+jrv8+rEvq2Mu+52iT7cUW6aYNwY37mho2qVdgN/VgV8ZItYnFhMCb4xEksL4SuZXWClhP/zQYF2N0f0jffKPGq9ySUfRJBd7qjbLArGGTFekIY36v5aAS9KtV2lGh2sVTcEO7lxsU8ZyUsGrfeusksQUYYS5K+jEtoA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rFcCUUI/4DOXFsYY53zLksSqQm04K89i7QFW0nTbehk=; b=NXiFliihY+K9FoG6/i8pgo+c1pDhk/Zm61Jk4EkjokpxoZllUMkFLAxwOpUnZpLDOGAAGhtJ++Mp9BhB/148hjTAaGxvxQY7uH/+bboeRTwiOkCiANRmePWWHyQBlLi7CVPEFOXSPjlNzlPkqUZVG7iDrwzVuOtm2EbH29hLQUA=
Received: from SJ0PR00MB1005.namprd00.prod.outlook.com (2603:10b6:a03:2d3::18) by PH0PR00MB1247.namprd00.prod.outlook.com (2603:10b6:510:9f::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5137.0; Tue, 22 Mar 2022 15:18:39 +0000
Received: from SJ0PR00MB1005.namprd00.prod.outlook.com ([fe80::6cc0:a7fe:49ce:634d]) by SJ0PR00MB1005.namprd00.prod.outlook.com ([fe80::6cc0:a7fe:49ce:634d%7]) with mapi id 15.20.5138.000; Tue, 22 Mar 2022 15:18:39 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Registered the application/dpop+jwt media type
Thread-Index: Adg+AAzrp2Rna3pMR3iqgnjKaiTMgg==
Date: Tue, 22 Mar 2022 15:18:39 +0000
Message-ID: <SJ0PR00MB1005D16BFAD0F17B922EBD4AF5179@SJ0PR00MB1005.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2022-03-22T15:15:48Z;  MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=c2301095-b035-4001-87ae-68ac7647a830; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6dce342e-bf10-4ace-24e8-08da0c173e60
x-ms-traffictypediagnostic: PH0PR00MB1247:EE_
x-ms-exchange-atpmessageproperties: SA|SL
x-microsoft-antispam-prvs: <PH0PR00MB1247D700DF11DEB627BC7938F5179@PH0PR00MB1247.namprd00.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
Content-Type: multipart/alternative; boundary="_000_SJ0PR00MB1005D16BFAD0F17B922EBD4AF5179SJ0PR00MB1005namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR00MB1005.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6dce342e-bf10-4ace-24e8-08da0c173e60
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Mar 2022 15:18:39.6016 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: VeQSMeR5LTr8r2hxZWNGvuKUeMIGkbHxKkWlnDy/CS/ukfwH+AeYdOxou9jrruoEi+kGgV4b0udsBXL42rgCOg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR00MB1247
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Vj24ZXU4UuG6Rr04U1Cdrz2rx3o>
Subject: [OAUTH-WG] Registered the application/dpop+jwt media type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 15:19:10 -0000

--_000_SJ0PR00MB1005D16BFAD0F17B922EBD4AF5179SJ0PR00MB1005namp_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

https://github.com/danielfett/draft-dpop/pull/126

Publishing a draft with this PR should get us to working group last call
for DPoP, as discussed at IETF 113 on March 21, 2022.

                                                       -- Mike


--_000_SJ0PR00MB1005D16BFAD0F17B922EBD4AF5179SJ0PR00MB1005namp_--


From nobody Tue Mar 22 08:24:23 2022
Return-Path: <rohan.mahy@wire.com>
MIME-Version: 1.0
References: <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com>
In-Reply-To: <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com>
From: Rohan Mahy <rohan.mahy@wire.com>
Date: Tue, 22 Mar 2022 08:24:03 -0700
Message-ID: <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009c2abe05dad034c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6nCXxaxYhJMgaoMRmQjiOozBx3E>
Subject: [OAUTH-WG] Comments on ietf-oauth-dpop

--0000000000009c2abe05dad034c2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,
Here are some comments on draft-ietf-oauth-dpop-06:

1) With such a significant attack possible as DPoP proof pre-generation,
why isn't using the server nonce a SHOULD? Preventing a significant attack
and making lifetime handling sane are two excellent reasons to use a server
nonce. If an implementation has a good reason to not use a server nonce, we
can give guidance about what additional steps the implementation needs to
take.

2) The handling of lifetimes of DPoP proofs is vague: "acceptable
timeframe" (Section 4.3), "relatively brief period" (Section 11.1). Is that
1 day, 15 minutes, or 30 seconds?
The normative text in the two sections seems contradictory.
I think you need a lifetime parameter if a server nonce isn't included, or
just pick a number (5 minutes?).

3) I had a similar thought to Nicolas Mora about including other
assertions/tokens. There should be a way to chain, include, or reference
other OAuth assertions and bind them somehow with the DPoP. This will be a
common and important model.

4) Right now you describe the access token hash before describing the
access token itself. I think it would be very useful to show a worked
example of an access token and then its hash used subsequently. Also
Section 4.3 step 11 feels like a circular description. Please rewrite more
verbosely to be clearer:
Currently:
"when presented to a protected resource in conjunction with an access
token, ensure that the value of the ath claim equals the hash of that
access token and confirm that the public key to which the access token is
bound matches the public key from the DPoP proof."

5) Re: IANA registration of the MIME type. TL;DR: Just register
application/dpop+jwt.
Long version: The semantics of the thing you want to register is
application/dpop. The first syntax you are defining is jwt. For example,
iCalendar has three formats: text/calendar (iCal),
application/calendar+json (jCal), and application/calendar+xml (xCal).

NITS:
- Spell out first use of acronyms: JWT, JWK, JWS, TLS, JOSE, PKCE
- Add reference to TLS, XSS, CRIME/Heartbleed/BREACH/etc., HTTP, JOSE, on
first use
- First sentence of Section 2 (Objectives): add a comma (access tokens_,_
by binding) to make it clear that "binding a token" is doing the preventing
instead of the stealing in the sentence.
- Section 2 para 5: s/XXS/XSS/
- Maybe mention why you are using ASCII (7-bit) when the charset in the
examples is UTF-8.

I hope these comments are useful.
Many thanks,
-rohan


*Rohan Mahy*  l  Vice President Engineering, Architecture

Chat: @rohan_wire on Wire

Wire <https://wire.com/en/download/> - Secure team messaging.

*Zeta Project Germany GmbH*  l  Rosenthaler Straße 40, 10178 Berlin, Germany

Geschäftsführer/Managing Director: Morten J. Broegger

HRB 149847 at the Charlottenburg Commercial Register, Berlin

VAT-ID DE288748675

--0000000000009c2abe05dad034c2--


From nobody Tue Mar 22 12:03:41 2022
Return-Path: <nicolas@babelouest.org>
MIME-Version: 1.0
Date: Tue, 22 Mar 2022 19:03:04 +0000
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: RainLoop/1.16.0
From: "Nicolas Mora" <nicolas@babelouest.org>
Message-ID: <2bb4c1f0ca4ece28fa02fa135311b079@babelouest.org>
To: oauth@ietf.org
In-Reply-To: <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com>
References: <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com> <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ntm0CpLR588MQXpns39UQU1131Y>
Subject: Re: [OAUTH-WG] Comments on ietf-oauth-dpop

Hello,

I would like to add some minor comments to this draft, based on what I've
seen so far.

- Resource Server-Provided Nonce
Since a client may have to add different nonces for different RS in the
DPoP token, it would be useful to add the issuer in the RS error response,
so the client can differentiate nonces more easily.
There may be different RS using the same domain, the client might not know
it, and therefore switch nonces again and again between the RS.
Instead, if the RS error response looks like this, there will be no
ambiguity:

 HTTP/1.1 400 Bad Request
 DPoP-Nonce: eyJ7S_zG.eyJH0-Z.HX4w-7v

 {
  "error": "use_dpop_nonce",
  "error_description":
    "Authorization server requires nonce in DPoP proof",
  "iss": "https://resource.tld/person/"
 }

- iat and not synced servers
In addition to Rohan's question about the reasonable lifetime to expect for
a DPoP token, I'm wondering what is reasonable to accept concerning iat in
the future, where the client's clock may be out of sync. Paragraph 11.1
says "the server MAY accept DPoP proofs that carry an iat time in the
reasonably near future". Could we add what a reasonably near future might
be? In my implementation there is no gap allowed, so I'm wondering.

/Nicolas
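
Rohan's points 1, 2 and 4 and both of Nicolas's questions come down to what a resource server actually checks on an incoming proof. The following is an added example, not code from the draft or from anyone on the list: it puts those checks in one place (typ header, iat window with a forward skew allowance, server nonce, ath, jkt key binding, jti replay). The policy numbers (5 minutes of age, 30 s of future skew), the sample key coordinates, token and URL, and the accept-all signature hook are assumptions for an offline run; the nonce string is the one from the sample response above.

```python
import base64
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Optional, Set

class DpopError(Exception):
    """Carries the error code the RS would return (invalid_dpop_proof or use_dpop_nonce)."""
    def __init__(self, error: str, description: str):
        super().__init__(description)
        self.error = error

@dataclass
class DpopPolicy:
    max_age_s: int = 300     # assumed "relatively brief period": Rohan's 5 minutes
    future_skew_s: int = 30  # assumed "reasonably near future": 30 s of client clock drift

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def access_token_hash(access_token: str) -> str:
    """The ath claim: base64url(SHA-256(ASCII access token))."""
    return b64url_encode(hashlib.sha256(access_token.encode("ascii")).digest())

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of a public EC or RSA JWK; the access token's cnf.jkt value."""
    members = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())

def verify_dpop_proof(proof: str, method: str, url: str, access_token: str, token_jkt: str,
                      expected_nonce: Optional[str], policy: DpopPolicy,
                      verify_signature: Callable[[dict, bytes, bytes], bool],
                      seen_jti: Set[str], now: int) -> dict:
    """Return the proof's claims when every check passes, otherwise raise DpopError."""
    try:
        h_b64, c_b64, s_b64 = proof.split(".")
        header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(c_b64))
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except ValueError:
        raise DpopError("invalid_dpop_proof", "proof is not a compact JWS") from None
    jwk = header.get("jwk")
    if header.get("typ") != "dpop+jwt" or header.get("alg") in (None, "none") or not isinstance(jwk, dict):
        raise DpopError("invalid_dpop_proof", "header needs typ dpop+jwt, an asymmetric alg and jwk")
    if any(k in jwk for k in ("d", "p", "q")):  # a private key in the header is a client bug
        raise DpopError("invalid_dpop_proof", "jwk must be a public key")
    if not verify_signature(jwk, f"{h_b64}.{c_b64}".encode("ascii"), b64url_decode(s_b64)):
        raise DpopError("invalid_dpop_proof", "signature does not verify under the header jwk")
    if claims.get("htm") != method or claims.get("htu") != url:
        raise DpopError("invalid_dpop_proof", "htm/htu do not match this request")
    iat = claims.get("iat")
    # Too old limits pre-generated proofs; too far in the future is an unsynchronized client clock.
    if not isinstance(iat, int) or iat < now - policy.max_age_s or iat > now + policy.future_skew_s:
        raise DpopError("invalid_dpop_proof", "iat outside the acceptable window")
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in seen_jti:
        raise DpopError("invalid_dpop_proof", "missing or replayed jti")
    # Once the RS has issued a nonce the proof must echo it; the RS answers use_dpop_nonce
    # with a fresh value in the DPoP-Nonce response header.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise DpopError("use_dpop_nonce", "Resource server requires nonce in DPoP proof")
    if claims.get("ath") != access_token_hash(access_token):
        raise DpopError("invalid_dpop_proof", "ath does not match the presented access token")
    if jwk_thumbprint(jwk) != token_jkt:
        raise DpopError("invalid_dpop_proof", "proof key differs from the key the token is bound to")
    seen_jti.add(jti)  # record only after success so a failed proof cannot poison replay state
    return claims

def build_proof(header: dict, claims: dict, signature: bytes) -> str:
    """Compact-serialize header.claims.signature; producing the signature is a JOSE library's job."""
    def part(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return f"{part(header)}.{part(claims)}.{b64url_encode(signature)}"

# Constructed sample values: the P-256 coordinates are placeholders, not a real key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url_encode(b"\x01" * 32), "y": b64url_encode(b"\x02" * 32)}
SAMPLE_TOKEN = "constructed-opaque-access-token"
SAMPLE_URL = "https://resource.example/person/"  # assumed protected resource URI
SAMPLE_NONCE = "eyJ7S_zG.eyJH0-Z.HX4w-7v"       # the nonce value from the sample error response

def sample_proof(now: int, **claim_overrides) -> str:
    """Proof for GET SAMPLE_URL with SAMPLE_TOKEN at `now`; overrides let a test break one claim."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
    claims = {"jti": f"jti-{now}", "htm": "GET", "htu": SAMPLE_URL, "iat": now,
              "nonce": SAMPLE_NONCE, "ath": access_token_hash(SAMPLE_TOKEN)}
    claims.update(claim_overrides)
    return build_proof(header, claims, b"\x00" * 64)  # placeholder signature bytes

if __name__ == "__main__":
    # Offline demo: the accept-all hook stands in for real ES256 verification.
    accepted = verify_dpop_proof(sample_proof(1_647_975_784), "GET", SAMPLE_URL, SAMPLE_TOKEN,
                                 jwk_thumbprint(SAMPLE_JWK), SAMPLE_NONCE, DpopPolicy(),
                                 lambda jwk, data, sig: True, set(), now=1_647_975_784)
    print("accepted proof with jti", accepted["jti"])
```

In a deployment the signature hook is a JOSE library's ES256/PS256 verification against the header jwk, and the jkt comes from the introspected or decoded access token's cnf claim.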


From nobody Tue Mar 22 12:17:35 2022
Return-Path: <brittsshitx@gmail.com>
MIME-Version: 1.0
From: Brittney Boone <brittsshitx@gmail.com>
Date: Tue, 22 Mar 2022 15:17:16 -0400
Message-ID: <CAKF+NaB30dbPMYqYLKD3EMkAf3hZCDaZGN1OOHUuG2msLRdNsA@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b24f1005dad3766e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yJ-8fpxM_gQygiePw8SBGqvt7_Y>
Subject: [OAUTH-WG] (no subject)

--000000000000b24f1005dad3766e
Content-Type: text/plain; charset="UTF-8"

Hi. I am new to this and really need some help. Is there some way to get
some guidance?

Thank you

--000000000000b24f1005dad3766e--


From gevik@truesoftware.nl  Wed Mar 23 01:37:47 2022
Return-Path: <gevik@truesoftware.nl>
From: Gevik Babakhani <gevik@truesoftware.nl>
Content-Type: multipart/alternative; boundary="Apple-Mail=_FB995B79-7682-4A9E-89BC-C3DF37557E2A"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.6\))
Message-Id: <2649F472-DE9B-4B78-8F48-F0C12905B7C2@truesoftware.nl>
Date: Wed, 23 Mar 2022 09:37:30 +0100
To: oauth@ietf.org
X-Last-TLS-Session-Version: TLSv1.2
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mqTecfDhtUQY4x1Fr1MXApOpwZo>
Subject: [OAUTH-WG] Newbie server implementation question

--Apple-Mail=_FB995B79-7682-4A9E-89BC-C3DF37557E2A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi all,

I would like to implement my own OAuth authorisation server and started
reading Aaron Parecki's book. My goal is to implement an OpenID Connect
provider at the end.
I was wondering if there is a certification or validation/testing program
that can help me verify my implementation similar to OIDC certification?

Regards,
Gevik.

--Apple-Mail=_FB995B79-7682-4A9E-89BC-C3DF37557E2A--


From nobody Wed Mar 23 05:28:09 2022
Return-Path: <joseph@authlete.com>
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
From: Joseph Heenan <joseph@authlete.com>
In-Reply-To: <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com>
Date: Wed, 23 Mar 2022 12:28:01 +0000
Cc: oauth@ietf.org
Message-Id: <FF5CD10C-1D9B-485B-8C08-28CF2A737F93@authlete.com>
References: <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com> <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com>
To: Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/X1LK6LFKhqE8qiavfBwuIACh9ts>
Subject: Re: [OAUTH-WG] Comments on ietf-oauth-dpop

Hi Rohan,

> On 22 Mar 2022, at 15:24, Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org> wrote:
> 
> Here are some comments on draft-ietf-oauth-dpop-06:
> 
> 1) With such a significant attack possible as DPoP proof pre-generation,
> why isn't using the server nonce a SHOULD? Preventing a significant attack
> and making lifetime handling sane are two excellent reasons to use a server
> nonce. If an implementation has a good reason to not use a server nonce, we
> can give guidance about what additional steps the implementation needs to
> take.

I think this is a good question, and I've been wondering about it myself.

The argument I see for not more strongly requiring nonces is that it pushes
additional and non-trivial implementation complexity onto clients (and
arguably also onto resource servers).

There are situations where I am not sure a nonce adds much value - for
example in the case of a confidential client, an attacker with access to
pre-generate DPoP proofs can likely also pre-generate private_key_jwt client
authentication assertions and likely also has access to any refresh token.
I believe this would allow them to obtain access tokens bound to a DPoP key
of their choosing, and a nonce then seems to provide no additional
protection.

(There are also cases where the nonce clearly does add a lot of value,
particularly when considering public clients, and there may well be an
argument for a 'should' in those cases. Conversely I think there's a
potential argument for saying you should not use nonces in the confidential
client situation I outlined, as it adds little other than complexity.)

Thanks

Joseph
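The nonce trade-off Joseph and Rohan are debating above turns on what a server-provided nonce costs the client and what it buys the server. The Go program below is an added illustration, not code from this thread, from the draft or from any participant's implementation: it shows one way an authorization server or resource server can issue and check DPoP nonces without storing them, so that a proof can only be built while the nonce's rotation period is current and the extra work on the client is one retry when the server answers with a fresh nonce. The header and error names (`DPoP-Nonce`, `use_dpop_nonce`) are those of the draft's nonce mechanism; the HMAC-over-time-bucket construction, the `NonceService` type, the injectable clock and the sample key are this example's own assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ErrUseNonce is the condition the server reports as the use_dpop_nonce error,
// sending a fresh value in the DPoP-Nonce response header so the client can retry.
var ErrUseNonce = errors.New("use_dpop_nonce")

// NonceService mints and checks server-provided DPoP nonces without storing them.
// A nonce is (time bucket || HMAC(key, bucket)), so any AS or RS instance holding
// the key can validate it, and a proof can only be prepared while that bucket is
// current or has just rotated out. The rotation period therefore bounds how far
// ahead a proof can be pre-generated. (Example construction, not the draft's.)
type NonceService struct {
	key    []byte
	period time.Duration
	now    func() time.Time // injectable clock, so rotation can be exercised in tests
}

func NewNonceService(key []byte, period time.Duration) *NonceService {
	return &NonceService{key: key, period: period, now: time.Now}
}

func (s *NonceService) bucket(t time.Time) uint64 {
	return uint64(t.Unix()) / uint64(s.period.Seconds())
}

// tag returns bucket || HMAC-SHA256(key, bucket)[:16].
func (s *NonceService) tag(b uint64) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], b)
	m := hmac.New(sha256.New, s.key)
	m.Write(buf[:])
	return append(buf[:], m.Sum(nil)[:16]...)
}

// Mint returns the value the server places in the DPoP-Nonce response header.
func (s *NonceService) Mint() string {
	return base64.RawURLEncoding.EncodeToString(s.tag(s.bucket(s.now())))
}

// Check accepts a nonce from the current or the immediately previous bucket, so a
// client that received a nonce just before rotation does not always have to retry.
func (s *NonceService) Check(nonce string) error {
	raw, err := base64.RawURLEncoding.DecodeString(nonce)
	if err != nil || len(raw) != 24 {
		return ErrUseNonce
	}
	b := binary.BigEndian.Uint64(raw[:8])
	cur := s.bucket(s.now())
	if (b != cur && b+1 != cur) || !hmac.Equal(raw, s.tag(b)) {
		return ErrUseNonce // stale, from the future, or not minted under our key
	}
	return nil
}

func main() {
	s := NewNonceService([]byte("constructed-demo-key-not-for-production"), 5*time.Minute)
	n := s.Mint()
	fmt.Println("DPoP-Nonce:", n)
	fmt.Println("fresh nonce accepted:", s.Check(n) == nil)
	fmt.Println("garbage nonce accepted:", s.Check("not-a-nonce") == nil)
}
```

The one-period grace in `Check` is the knob behind Joseph's complexity point: a shorter period tightens the pre-generation window but makes clients retry more often, and a client that cannot handle the `use_dpop_nonce` round trip at all is exactly the client for which a nonce requirement is a burden rather than a protection.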


From nobody Wed Mar 23 08:17:51 2022
MIME-Version: 1.0
References: <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com> <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com>
In-Reply-To: <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 23 Mar 2022 16:17:15 +0100
Message-ID: <CA+k3eCTe_+U-ssCmXhtc9SPGti+xC7wHZbnneef3xQjtR=Dixg@mail.gmail.com>
To: Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org>
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000017198605dae43ba4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jPhL22Kv1ZCHt_LvIcFRY-GNOK8>
Subject: Re: [OAUTH-WG] Comments on ietf-oauth-dpop

--00000000000017198605dae43ba4
Content-Type: text/plain; charset="UTF-8"

Thanks Rohan,

Pre-generating a proof requires the ability to execute code on the client,
which is already a problematic situation where other (arguably more)
serious attacks are possible. Such as driving a whole attack directly from
the client. The draft aims to give servers the option to use a nonce but
not push it too much or overstate its protections.

The vagueness around lifetimes is somewhat intentional. At one point the
document (maybe aspirationally) had something like 'no more than a few
seconds' but there was some push-back that it was unrealistically short to
accommodate real world client clock skew. I'm not sure the draft can make a
much more concrete recommendation as I think it really is something that
has tradeoffs and will be implementation/deployment specific. Perhaps
something like, "(on the order of seconds or minutes)" could be added as a
qualifier around lifetime leniency? That maybe gives a general idea of what
is acceptable and/or relatively brief without being overly prescriptive.
I'm quite hesitant to say anything more specific.

An access token and its "ath" hash value are shown as part of the examples
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-12 and
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-13
respectively. Perhaps it'd be worthwhile to more explicitly mention the
relationship between the two examples? I think I did the calculations
correctly but anyone double checking that work would be welcome. The
sentence in sec 4.3 step 11 is already pretty darn verbose - probably too
much so. I think breaking it up would probably be a better way to make it
more clear.

The MIME type registration will be in the next revision
https://mailarchive.ietf.org/arch/msg/oauth/Vj24ZXU4UuG6Rr04U1Cdrz2rx3o/

I'll work those nits and fix things up as appropriate.

On Tue, Mar 22, 2022 at 4:24 PM Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org> wrote:

> Hi,
> Here are some comments on draft-ietf-oauth-dpop-06:
>
> 1) With such a significant attack possible as DPoP proof pre-generation,
> why isn't using the server nonce a SHOULD? Preventing a significant attack
> and making lifetime handling sane are two excellent reasons to use a server
> nonce. If an implementation has a good reason to not use a server nonce, we
> can give guidance about what additional steps the implementation needs to
> take.
>
> 2) The handling of lifetimes of DPoP proofs is vague: "acceptable
> timeframe" (Section 4.3), "relatively brief period" (Section 11.1). Is that
> 1 day, 15 minutes, or 30 seconds?
> The normative text in the two sections seems contradictory.
> I think you need a lifetime parameter if a server nonce isn't included, or
> just pick a number (5 minutes?).
>
> 3) I had a similar thought to Nicolas Mora about including other
> assertions/tokens. There should be a way to chain, include, or reference
> other OAuth assertions and bind them somehow with the DPoP. This will be a
> common and important model.
>
> 4. Right now you describe the access token hash before describing the
> access token itself. I think it would be very useful to show a worked
> example of an access token and then its hash used subsequently. Also
> Section 4.3 step 11 feels like a circular description. Please rewrite more
> verbosely to be clearer:
> Currently:
> "when presented to a protected resource in conjunction with an access
> token, ensure that the value of the ath claim equals the hash of that
> access token and confirm that the public key to which the access token is
> bound matches the public key from the DPoP proof."
>
> 5. Re: IANA registration of the MIME type. TL;DR: Just register
> application/dpop+jwt.
> Long version: The semantics of the thing you want to register is
> application/dpop. The first syntax you are defining is jwt. For example,
> iCalendar has three formats: text/calendar (iCal),
> application/calendar+json (jCal), and application/calendar+xml (xCal).
>
> NITS:
> - Spell out first use of acronyms: JWT, JWK, JWS, TLS, JOSE, PKCE,
> - Add reference to TLS, XSS, Crime/Heartbleed/BREACH/etc., HTTP, JOSE, on
> first use
> - First sentence of Section 2 (Objectives): add a comma (access tokens_,_
> by binding) to make it clear that "binding a token" is doing the preventing
> instead of the stealing in the sentence.
> - Section 2 para 5: s/XXS/XSS/
> - Maybe mention why you are using ASCII (7-bit) when the charset in the
> examples is UTF-8.
>
> I hope these comments are useful.
> Many thanks,
> -rohan
>
>
> *Rohan Mahy  *l  Vice President Engineering, Architecture
>
> Chat: @rohan_wire on Wire
>
> Wire <https://wire.com/en/download/> - Secure team messaging.
>
> *Zeta Project Germany GmbH  *l  Rosenthaler Straße 40, 10178 Berlin, Germany
> <https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g>
>
> Geschäftsführer/Managing Director: Morten J. Broegger
>
> HRB 149847 beim Handelsregister Charlottenburg, Berlin
>
> VAT-ID DE288748675
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited. If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you._

--00000000000017198605dae43ba4--
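Rohan's first two points (the proof lifetime window and the server nonce) and his fourth (the relationship between an access token and its `ath` hash, Brian's figure 12 and figure 13) all land in the same place: the check a server performs on a presented proof. The Go program below is an added example, not code from this thread, from the draft or from anyone's implementation. It builds an ES256-signed DPoP proof on the client side and verifies it on the server side, including the section 4.3 step 11 checks that `ath` equals base64url(SHA-256(access token)) and that the RFC 7638 thumbprint of the proof's `jwk` matches the `cnf.jkt` value the access token is bound to. The `Policy` type, the function names, the constructed token and nonce values, and the symmetric `MaxAge` window are this example's assumptions; the draft itself leaves the acceptable timeframe to the deployment, which is Brian's point above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS and JWK use unpadded base64url throughout
func NewClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) } // client's DPoP key pair; P-256 matches alg ES256

// ath is the access token hash a DPoP proof carries: base64url(SHA-256(ascii(access_token))).
func ath(accessToken string) string {
	h := sha256.Sum256([]byte(accessToken))
	return b64.EncodeToString(h[:])
}

// jwkOf renders a P-256 public key as the JWK the client places in the proof header.
func jwkOf(pub *ecdsa.PublicKey) map[string]string {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
}

// thumbprint is the RFC 7638 JWK thumbprint (cnf.jkt); json.Marshal of a map sorts the keys and emits no whitespace, which is the form RFC 7638 hashes.
func thumbprint(jwk map[string]string) string {
	canon, _ := json.Marshal(map[string]string{"crv": jwk["crv"], "kty": jwk["kty"], "x": jwk["x"], "y": jwk["y"]})
	return ath(string(canon)) // same base64url(SHA-256()) encoding as ath
}

type Claims struct {
	JTI   string `json:"jti"` // unique per proof; jti replay tracking is a separate, stateful check not shown here
	HTM   string `json:"htm"`
	HTU   string `json:"htu"`
	IAT   int64  `json:"iat"`
	ATH   string `json:"ath,omitempty"`
	Nonce string `json:"nonce,omitempty"`
}

// MakeProof builds and ES256-signs a DPoP proof JWT (the client side).
func MakeProof(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwkOf(&priv.PublicKey)})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256 is raw r||s
	return input + "." + b64.EncodeToString(sig), nil
}

type Policy struct { // the receiving server's expectations for a presented proof
	HTM, HTU, AccessToken, JKT, Nonce string // AccessToken and JKT (cnf.jkt) only at a resource server; Nonce "" if the server issues none
	MaxAge, Now                       int64  // Unix seconds, like iat; MaxAge is the "acceptable timeframe"
}

// VerifyProof runs the section 4.3 checks, including step 11 (ath and key binding) at a resource server.
func VerifyProof(proof string, p Policy) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("not a compact JWS")
	}
	var hdr struct{ Typ, Alg string; JWK map[string]string }
	var c Claims
	hb, e1 := b64.DecodeString(parts[0])
	cb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &c) != nil {
		return errors.New("malformed proof")
	}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK["kty"] != "EC" || hdr.JWK["crv"] != "P-256" {
		return errors.New("unsupported typ, alg or jwk") // pin alg: trusting the header's alg invites alg confusion
	}
	x, ex := b64.DecodeString(hdr.JWK["x"])
	y, ey := b64.DecodeString(hdr.JWK["y"])
	pub, digest := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}, sha256.Sum256([]byte(parts[0]+"."+parts[1]))
	if ex != nil || ey != nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("invalid jwk or bad signature")
	}
	switch {
	case c.HTM != p.HTM || c.HTU != p.HTU:
		return errors.New("htm/htu mismatch")
	case p.Now-c.IAT > p.MaxAge || c.IAT-p.Now > p.MaxAge: // symmetric window absorbs clock skew; without a nonce it is the only bound on a pre-generated proof
		return errors.New("iat outside acceptable timeframe")
	case p.Nonce != "" && c.Nonce != p.Nonce:
		return errors.New("missing or stale nonce") // the server answers with a fresh DPoP-Nonce
	case p.AccessToken != "" && (c.ATH != ath(p.AccessToken) || thumbprint(hdr.JWK) != p.JKT):
		return errors.New("ath or key binding check failed (section 4.3 step 11)")
	}
	return nil
}
```

Presenting the same proof against a `Policy` whose `Now` is an hour later, whose `Nonce` differs, whose `AccessToken` is a different token, or whose `JKT` belongs to another key makes `VerifyProof` reject it; with `AccessToken`, `JKT` and `Nonce` left empty it performs the subset of checks the authorization server's token endpoint applies. The `ath` function is also the calculation Brian asks to have double-checked: feed it figure 12's token value and compare against figure 13.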


From nobody Wed Mar 23 09:01:29 2022
MIME-Version: 1.0
References: <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com> <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com> <CA+k3eCTe_+U-ssCmXhtc9SPGti+xC7wHZbnneef3xQjtR=Dixg@mail.gmail.com>
In-Reply-To: <CA+k3eCTe_+U-ssCmXhtc9SPGti+xC7wHZbnneef3xQjtR=Dixg@mail.gmail.com>
From: Rohan Mahy <rohan.mahy@wire.com>
Date: Wed, 23 Mar 2022 09:01:09 -0700
Message-ID: <CACW8--O0Q9tDi0BbCs=BTcAU717-+8sk7qPP3Magopz5P62sOg@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002ae13305dae4d737"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XCWJSDDh01ILtnxe_1H6sAHGIHQ>
Subject: Re: [OAUTH-WG] Comments on ietf-oauth-dpop

--0000000000002ae13305dae4d737
Content-Type: text/plain; charset="UTF-8"

Hi Brian,

To be clear, for pre-generated proofs, I am not worried about an attack
against the client; I am worried about a malicious client. Imagine a
malicious client which pre-generates proofs during a brief window while it
has access to a private key stored on the iOS secure enclave, or on a
Yubikey, or a non-extractable WebCryptoAPI CryptoKey. The ability to
pre-generate proofs with no lifetime effectively makes these
non-extractable key protections meaningless for some fixed number of
proofs. If the WG does not want to make server nonces a SHOULD, then I
suggest the following:
"Server implementations need some protection against arbitrary
pre-generation. Servers MUST require all client proofs to contain either a
server-provided nonce, or a server-provided explicit expiration time, or
both."

Adding "(on the order of seconds or minutes)" would already be a big
improvement to what is in the document.

The linkage between Figure 12 and Figure 13 is clear. I was talking about
the linkage between Figure 5 (or the refresh response to Figure 6) and the
token hash in Figure 12.

Many Thanks,
-rohan


*Rohan Mahy  *l  Vice President Engineering, Architecture

Chat: @rohan_wire on Wire

Wire <https://wire.com/en/download/> - Secure team messaging.

*Zeta Project Germany GmbH  *l  Rosenthaler Straße 40, 10178 Berlin, Germany
<https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g>

Geschäftsführer/Managing Director: Morten J. Broegger

HRB 149847 beim Handelsregister Charlottenburg, Berlin

VAT-ID DE288748675


On Wed, Mar 23, 2022 at 8:17 AM Brian Campbell <bcampbell=3D
40pingidentity.com@dmarc.ietf.org> wrote:

> Thanks Rohan,
>
> Pre-generating a proof requires the ability to execute code on the client=
,
> which is already a problematic situation where other (arguably more)
> serious attacks are possible. Such as driving a whole attack directly fro=
m
> the client. The draft aims to give servers the option to use a nonce but
> not push it too much or overstate its protections.
>
> The vagueness around lifetimes is somewhat intentional. At one point the
> document (maybe aspirationally) had something like 'no more than a few
> seconds' but there was some push-back that it was unrealistically short t=
o
> accommodate real world client clock skew. I'm not sure the draft can make=
 a
> much more concrete recommendation as I think it really is something that
> has tradeoffs and will be implementation/deployment specific. Perhaps
> something like, "(on the order of seconds or minutes)" could be added as =
a
> qualifier around lifetime leniency? That maybe gives a general idea of wh=
at
> is acceptable and/or relatively brief without being overly prescriptive.
> I'm quite hesitant to say anything more specific.
>
> An access token and its "ath" hash value are shown as part of the example=
s
> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-12
> and
> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-13
> respectively. Perhaps it'd be worthwhile to more explicitly mention the
> relationship between the two examples? I think I did the calculations
> correctly but anyone double checking that work would be welcome. The
> sentence in sec 4.3 step 11 is already pretty darn verbose - probably too
> much so. I think breaking it up would probably be a better way to make it
> more clear.
>
> The MIME type registration will be in the next revision
> https://mailarchive.ietf.org/arch/msg/oauth/Vj24ZXU4UuG6Rr04U1Cdrz2rx3o/
>
> I'll work those nits and fix things up as appropriate.
>
> On Tue, Mar 22, 2022 at 4:24 PM Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org> wrote:
>
>> Hi,
>> Here are some comments on draft-ietf-oauth-dpop-06:
>>
>> 1) With such a significant attack possible as DPoP proof pre-generation,
>> why isn't using the server nonce a SHOULD? Preventing a significant attack
>> and making lifetime handling sane are two excellent reasons to use a server
>> nonce. If an implementation has a good reason to not use a server nonce, we
>> can give guidance about what additional steps the implementation needs to
>> take.
>>
>> 2) The handling of lifetimes of DPoP proofs is vague: "acceptable
>> timeframe" (Section 4.3), "relatively brief period" (Section 11.1). Is that
>> 1 day, 15 minutes, or 30 seconds?
>> The normative text in the two sections seems contradictory.
>> I think you need a lifetime parameter if a server nonce isn't included,
>> or just pick a number (5 minutes?).
>>
>> 3) I had a similar thought to Nicolas Mora about including other
>> assertions/tokens. There should be a way to chain, include, or reference
>> other OAuth assertions and bind them somehow with the DPoP. This will be a
>> common and important model.
>>
>> 4. Right now you describe the access token hash before describing the
>> access token itself. I think it would be very useful to show a worked
>> example of an access token and then its hash used subsequently. Also
>> Section 4.3 step 11 feels like a circular description. Please rewrite more
>> verbosely to be clearer:
>> Currently:
>> "when presented to a protected resource in conjunction with an access
>> token, ensure that the value of the ath claim equals the hash of that
>> access token and confirm that the public key to which the access token is
>> bound matches the public key from the DPoP proof."
>>
>> 5. Re: IANA registration of the MIME type. TL;DR: Just register
>> application/dpop+jwt.
>> Long version: The semantics of the thing you want to register is
>> application/dpop. The first syntax you are defining is jwt. For example,
>> iCalendar has three formats: text/calendar (iCal),
>> application/calendar+json (jCal), and application/calendar+xml (xCal).
>>
>> NITS:
>> - Spell out first use of acronyms: JWT, JWK, JWS, TLS, JOSE, PKCE,
>> - Add reference to TLS, XSS, Crime/Heartbleed/BREACH/etc., HTTP, JOSE, on
>> first use
>> - First sentence of Section 2 (Objectives): add a comma (access tokens_,_
>> by binding) to make it clear that "binding a token" is doing the preventing
>> instead of the stealing in the sentence.
>> - Section 2 para 5: s/XXS/XSS/
>> - Maybe mention why you are using ASCII (7-bit) when the charset in the
>> examples is UTF-8.
>>
>> I hope these comments are useful.
>> Many thanks,
>> -rohan
>>
>>
>> *Rohan Mahy  *l  Vice President Engineering, Architecture
>>
>> Chat: @rohan_wire on Wire
>>
>> Wire <https://wire.com/en/download/> - Secure team messaging.
>>
>> *Zeta Project Germany GmbH  *l  Rosenthaler Straße 40, 10178 Berlin, Germany
>>
>> Geschäftsführer/Managing Director: Morten J. Broegger
>>
>> HRB 149847 beim Handelsregister Charlottenburg, Berlin
>>
>> VAT-ID DE288748675
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
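The resource-server checks this exchange turns on (the "ath" hash of the access token, the cnf.jkt binding of the proof key, the acceptable iat window with clock skew, the server nonce that defeats pre-generated proofs, and jti replay), as an added example that is not code from the draft or from anyone in this thread. It assumes a JOSE library has already verified the proof's JWS signature against the jwk embedded in the proof header; every key, token and nonce value it uses is a constructed placeholder.

```python
"""DPoP proof policy checks at a resource server, modelled on draft-ietf-oauth-dpop-06 section 4.3.

Added example, not code from the draft or from anyone in the thread. It assumes a JOSE library has
already verified the proof's JWS signature against the "jwk" carried in the proof header; what
follows are the checks the draft layers on top of that signature. Every key, token and nonce value
used with it is a constructed placeholder.
"""
import base64
import hashlib
import json
import time

# JWS algorithms acceptable for a proof: asymmetric only (never "none" or an HMAC alg).
ASYMMETRIC_ALGS = {"ES256", "ES384", "ES512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "EdDSA"}
# RFC 7638 required members per key type (the thumbprint input is these members, lexicographically ordered).
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}


def b64url_sha256(data: bytes) -> str:
    """base64url(SHA-256(data)) without padding; the encoding both "ath" and "jkt" use."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode("ascii")


def access_token_hash(access_token: str) -> str:
    """The "ath" claim value: the hash of the ASCII encoding of the access token."""
    return b64url_sha256(access_token.encode("ascii"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace."""
    canonical = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    return b64url_sha256(json.dumps(canonical, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def strip_query_fragment(uri: str) -> str:
    """htu is the target URI without its query and fragment parts."""
    return uri.split("#", 1)[0].split("?", 1)[0]


def make_proof(jwk: dict, method: str, uri: str, access_token: str, nonce=None, iat=None, jti="jti-1"):
    """Client side: the header and claims of a proof for one request (signing is left to the JOSE layer)."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    claims = {"jti": jti, "htm": method, "htu": strip_query_fragment(uri),
              "iat": int(time.time() if iat is None else iat), "ath": access_token_hash(access_token)}
    if nonce is not None:
        claims["nonce"] = nonce
    return header, claims


class DPoPVerifier:
    """Resource-server policy: proof max age and clock skew (seconds), optional server nonce, jti cache."""

    def __init__(self, max_age=60, skew=5, nonce=None, now=time.time):
        self.max_age, self.skew, self.nonce, self.now = max_age, skew, nonce, now
        self._seen = {}  # jti -> iat, remembered only for the acceptance window

    def verify(self, header: dict, claims: dict, method: str, uri: str, access_token: str, bound_jkt: str):
        """Raise ValueError naming the first failed check; return None when the proof is acceptable."""
        if header.get("typ") != "dpop+jwt":
            raise ValueError("typ must be dpop+jwt")
        if header.get("alg") not in ASYMMETRIC_ALGS:
            raise ValueError("alg must be an asymmetric JWS algorithm")
        jwk = header.get("jwk")
        if not isinstance(jwk, dict) or jwk.get("kty") not in THUMBPRINT_MEMBERS or "d" in jwk:
            raise ValueError("jwk missing, unsupported, or carrying private key material")
        for claim in ("jti", "htm", "htu", "iat"):
            if claim not in claims:
                raise ValueError(f"missing required claim {claim}")
        if claims["htm"] != method or claims["htu"] != strip_query_fragment(uri):
            raise ValueError("proof is for a different request")
        now = int(self.now())
        # Freshness window [now - max_age - skew, now + skew]: a pre-generated proof eventually ages out.
        if not (now - self.max_age - self.skew <= int(claims["iat"]) <= now + self.skew):
            raise ValueError("iat outside acceptable timeframe")
        # With a server nonce, a proof pre-generated under an earlier nonce is rejected as soon as the
        # server rotates the nonce, whatever its iat says.
        if self.nonce is not None and claims.get("nonce") != self.nonce:
            raise ValueError("missing or stale nonce")
        # The proof must name this access token and be signed by the key the token is bound to (cnf.jkt).
        if claims.get("ath") != access_token_hash(access_token):
            raise ValueError("ath does not match the presented access token")
        if jwk_thumbprint(jwk) != bound_jkt:
            raise ValueError("proof key does not match the token's cnf.jkt")
        # Replay: a jti is kept only as long as a proof bearing it could still pass the freshness check.
        cutoff = now - self.max_age - self.skew
        self._seen = {j: t for j, t in self._seen.items() if t >= cutoff}
        if claims["jti"] in self._seen:
            raise ValueError("replayed jti")
        self._seen[claims["jti"]] = int(claims["iat"])
```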



From nobody Wed Mar 23 18:10:11 2022
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B7183A077C for <oauth@ietfa.amsl.com>; Wed, 23 Mar 2022 18:10:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level: 
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3htN7FIr1pdu for <oauth@ietfa.amsl.com>; Wed, 23 Mar 2022 18:10:04 -0700 (PDT)
Received: from sonic306-22.consmr.mail.ne1.yahoo.com (sonic306-22.consmr.mail.ne1.yahoo.com [66.163.189.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 646723A0780 for <oauth@ietf.org>; Wed, 23 Mar 2022 18:10:04 -0700 (PDT)
X-Sonic-MF: <gffletch@aol.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Thu, 24 Mar 2022 01:10:00 +0000
Received: by hermes--canary-production-bf1-665cdb9985-tmblj (VZM Hermes SMTP Server) with ESMTPA ID bec934da4975e51764ce273ace0f63c5;  Thu, 24 Mar 2022 01:09:54 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------Y12CwTDvnDvnloZuDaspg4Ay"
Message-ID: <ca159e1d-ab58-4eb8-9171-e0aa0dfab9fe@aol.com>
Date: Wed, 23 Mar 2022 21:09:51 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-US
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, Brock Allen <brockallen@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com> <Mailbird-07e64951-c8a3-4cf0-853d-2ac710d77abd@gmail.com> <AM7PR83MB0452C946A20D116F13D7F28E91139@AM7PR83MB0452.EURPRD83.prod.outlook.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
In-Reply-To: <AM7PR83MB0452C946A20D116F13D7F28E91139@AM7PR83MB0452.EURPRD83.prod.outlook.com>
X-Mailer: WebService/1.1.19987 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/87FG9AEpHJJlhNqZE_QAyqKC_N0>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2022 01:10:09 -0000

This is a multi-part message in MIME format.
--------------Y12CwTDvnDvnloZuDaspg4Ay
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

I just want to make a quick comment on the use of "proximity and
location information". I used the device flow to authorize my son's
device by having him text me the code so I could log in on my device (in
a different state) and provide his device access. If we close the door
too much we will potentially impact good users :)

I agree that consent can be socially engineered... but think that it
would be useful to improve that information so that the user
authenticating to provide authorization could know where the device
they're authorizing is located. That could help users detect that they
are authorizing a device in a location that doesn't make sense to them.

Thanks,
George

On 3/18/22 8:21 AM, Pieter Kasselman wrote:
>
> Hi Brock
>
> Great point, and I would agree that better consent screens could help, 
> but I don’t think it is sufficient.
>
> One of the challenges with consent screens is that it makes 
> assumptions about the users' abilities when they are being asked to 
> make decisions about things they do not fully appreciate or 
> understand. In addition, they are in a rush, are often trying to be 
> helpful and prone to grant consent (the framing in these social 
> engineering attacks can be very persuasive). Even users who are aware 
> of these exploits and understand the systems they interact with are 
> prone to be misled. Better guidance on the consent screen is 
> definitely something we should provide.
>
> I do think there is a defence in depth strategy that can reduce risk 
> by (1) avoiding asking the user for a decision by making back-end risk 
> decisions (2) augmenting the information presented to the user when 
> making the decisions and (3) mitigating against a decision made in error.
>
> Proximity and location information can for instance be used to bind 
> user codes to specific locations or inform the user on where the user 
> code was first presented, device status and/or location may be used to 
> make decisions on whether to allow device code flows to be used in the 
> first place and use of token binding (e.g. DPoP) may help defend 
> against attackers who are able to exfiltrate tokens from a device and 
> make lateral attacks.
>
> Anything we can do to encourage implementors to ask users to make fewer 
> decisions, help them make better decisions and then protect them in 
> case of a bad decision will help drive down risk.
>
> Cheers
>
> Pieter
>
> *From:* Brock Allen <brockallen@gmail.com>
> *Sent:* Thursday 17 March 2022 21:25
> *To:* Pieter Kasselman <pieter.kasselman@microsoft.com>; oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and 
> Illicit Consent Exploits
>
> I watched one of those videos and it seems to be that a proper consent 
> screen would have been the best and easiest line of defense. Is there 
> something more to the attacks where a better consent page (or any 
> consent page for that matter) would not have been sufficient?
>
> -Brock
>
>     On 3/17/2022 5:10:35 PM, Pieter Kasselman
>     <pieter.kasselman=40microsoft.com@dmarc.ietf.org> wrote:
>
>     Hi All
>
>     One of the agenda items for IETF 113 is the device authorization
>     grant flow (aka device code flow), scheduled for Thursday 24 March
>     2022.  Before the meeting, I wanted to share a bit more
>     information for those interested in the topic and also give those
>     who are unable to attend in person an opportunity to participate
>     in the conversation.
>
>     The Device Authorization Grant Flow (RFC 8682)
>     <https://datatracker.ietf.org/doc/html/rfc8628> solves
>     an important problem by enabling authorization flows on devices
>     that are unable to support a browser or have limited input
>     capabilities. However, looking back over the past 18-24 months,
>     there have been a number of practical exploits published that use
>     social engineering techniques applied to the device authorization
>     grant flow.
>
>     The goal of the session at IETF 113 is to discuss the patterns of
>     the exploits that are known and start a conversation on what (if
>     anything) we should do, based on what we are learning.
>
>     These exploits follow a general man-in-the-middle (MITM) pattern,
>     where the attacker:
>
>      1. Initiates the Device Authorization Grant flow on a device
>         under their control,
>      2. Presents the user code in a context that the end-user is
>         likely to act on (using social engineering techniques), and
>      3. Once the user grants access, retrieves the access and refresh
>         tokens and uses them to access the user’s resources.
>
>     Some of the exploits are described here for those interested in
>     more detail:
>
>      1. The Art of the Device Code Phish - Boku (0xboku.com)
>         <https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html>
>      2. Microsoft 365 OAuth Device Code Flow and Phishing | Optiv
>         <https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing>
>
>          1. optiv/Microsoft365_devicePhish: A proof-of-concept script
>             to conduct a phishing attack abusing Microsoft 365 OAuth
>             Authorization Flow (github.com)
>             <https://github.com/optiv/Microsoft365_devicePhish>
>
>      3. Introducing a new phishing technique for compromising Office
>         365 accounts (o365blog.com)
>         <https://o365blog.com/post/phishing/#new-phishing-technique-device-code-authentication>
>      4. DEF CON 29 - Jenko Hwong - New Phishing Attacks Exploiting
>         OAuth Authentication Flows - YouTube
>         <https://www.youtube.com/watch?v=9slRYvpKHp4>
>
>     In terms of a response, there are a few options that come to mind
>     (these are not exhaustive, I would love to see what others have in
>     mind as well):
>
>      A. Do nothing: We can choose to leave everything as is. The
>         downside of this is that the lessons we are learning are not
>         getting disseminated or resulting in reduced risks.
>      B. Update the recommendations: We can document the social
>         engineering exploits and recommend some additional mitigations
>         as well as recommendations in terms of use cases. Although
>         these types of "phishing"/social engineering attacks are
>         called out in the security considerations in RFC 8628 - OAuth
>         2.0 Device Authorization Grant
>         <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8628&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cdab129df96fb4fe03c7908da085c8dae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637831490884490234%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=6YYkNcG2GC32KSDdWU792bkXnr6GQaRen%2F02560aSRA%3D&reserved=0>,
>         we can add further mitigations to create greater defence in
>         depth. This will help future implementers and may even be
>         useful for future protocols that rely on similar
>         cross-device authentication and authorization flows.
>      C. Explore alternatives: Develop, adopt, or evolve new protocols
>         that address the scenario while mitigating or avoiding the risks.
>
>     Option A does not do much to improve the state of the art. Option
>     B feels like something we can do now, and we may learn something
>     along the way that can help inform Option C, which may be much
>     further down the road and require more research. What other
>     options come to mind?
>
>     I’m looking forward to the conversation and hearing what others
>     are thinking about this topic.
>
>     Cheers,
>
>     Pieter
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--------------Y12CwTDvnDvnloZuDaspg4Ay--
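The thread above discusses defence-in-depth for the RFC 8628 device flow: back-end policy on which clients may use it at all, short-lived single-use codes, and a verification page that tells the approving user which client asked and where the code was first presented, without blocking the legitimate "authorize my son's device in another state" case George describes. The following is an added example of an authorization server implementing those checks; it is not code from any poster, from Microsoft, or from RFC 8628 itself. The class and method names (DeviceAuthServer, verification_context, approve), the verification_uri https://as.example/device, the region strings, and the idea of representing "where the code was requested" as a geo-IP region are all constructed assumptions for illustration.

```python
"""Toy RFC 8628 authorization server illustrating defence-in-depth checks.

Added example for this thread; not code from any poster or project.
Names (DeviceAuthServer, verification_context, ...) and the region strings
are constructed assumptions, not part of RFC 8628.
"""
import secrets
import time
from dataclasses import dataclass, field

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonant-only charset, as RFC 8628 6.1 suggests
USER_CODE_LIFETIME = 300                    # seconds; returned to the device as expires_in
POLL_INTERVAL = 5                           # seconds; returned to the device as interval


@dataclass
class DeviceGrant:
    client_id: str
    device_code: str
    user_code: str
    issued_at: float
    device_region: str            # where the device requested the code (constructed geo-IP region)
    last_poll: float = float("-inf")
    status: str = "pending"       # pending | approved | used
    tokens: dict = field(default_factory=dict)


class DeviceAuthServer:
    def __init__(self, clients, clock=time.time):
        # clients: client_id -> {"name": str, "device_flow_allowed": bool}
        self.clients = clients
        self.clock = clock          # injectable clock so expiry can be tested offline
        self.by_device_code = {}
        self.by_user_code = {}

    def device_authorization(self, client_id, device_region):
        """Device authorization endpoint (RFC 8628 3.1/3.2)."""
        client = self.clients.get(client_id)
        if client is None or not client["device_flow_allowed"]:
            # Back-end policy decision: only clients explicitly enabled for the device flow get codes.
            return {"error": "unauthorized_client"}
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2))
        grant = DeviceGrant(client_id, secrets.token_urlsafe(32), user_code,
                            self.clock(), device_region)
        self.by_device_code[grant.device_code] = grant
        self.by_user_code[user_code] = grant
        return {"device_code": grant.device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",   # assumed URI
                "expires_in": USER_CODE_LIFETIME, "interval": POLL_INTERVAL}

    def _expired(self, grant):
        return self.clock() - grant.issued_at > USER_CODE_LIFETIME

    def verification_context(self, user_code, user_region):
        """Context the verification page shows the user before asking for a decision."""
        grant = self.by_user_code.get(user_code.upper())
        if grant is None or grant.status != "pending" or self._expired(grant):
            return {"error": "invalid_user_code"}
        return {"client_name": self.clients[grant.client_id]["name"],
                "device_region": grant.device_region,
                "code_age_seconds": int(self.clock() - grant.issued_at),
                "region_mismatch": grant.device_region != user_region}

    def approve(self, user_code, user_region, acknowledged_mismatch=False):
        """User consent submitted from the verification page."""
        ctx = self.verification_context(user_code, user_region)
        if "error" in ctx:
            return ctx
        if ctx["region_mismatch"] and not acknowledged_mismatch:
            # A mismatch is surfaced as a warning, not a refusal: authorizing a family
            # member's device in another region is legitimate, so require an explicit
            # acknowledgement instead of silently granting.
            return {"error": "confirmation_required", **ctx}
        grant = self.by_user_code[user_code.upper()]
        grant.status = "approved"
        grant.tokens = {"access_token": secrets.token_urlsafe(24),
                        "token_type": "Bearer", "expires_in": 3600}
        return {"approved": True, "client_name": ctx["client_name"]}

    def token(self, device_code, client_id):
        """Token endpoint for the device_code grant type (RFC 8628 3.4/3.5)."""
        grant = self.by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id or grant.status == "used":
            return {"error": "invalid_grant"}
        now = self.clock()
        too_fast = now - grant.last_poll < POLL_INTERVAL
        grant.last_poll = now
        if too_fast:
            return {"error": "slow_down"}        # client must back off (RFC 8628 3.5)
        if grant.status == "pending":
            return {"error": "expired_token"} if self._expired(grant) else {"error": "authorization_pending"}
        grant.status = "used"                    # device_code is single-use
        self.by_user_code.pop(grant.user_code, None)
        return grant.tokens
```

The design choice worth noting is in approve: a region mismatch between the device that requested the code and the user approving it is turned into information on the consent page plus an explicit acknowledgement step, rather than a hard deny, which is the balance George asks for. Client allow-listing and code expiry are enforced server-side with no user decision involved at all, in line with the "ask users to make fewer decisions" point in the thread.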


From nobody Wed Mar 23 18:25:02 2022
Return-Path: <brockallen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 368243A08C6 for <oauth@ietfa.amsl.com>; Wed, 23 Mar 2022 18:25:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level: 
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SK3WYyj-yjmM for <oauth@ietfa.amsl.com>; Wed, 23 Mar 2022 18:24:55 -0700 (PDT)
Received: from mail-qv1-xf31.google.com (mail-qv1-xf31.google.com [IPv6:2607:f8b0:4864:20::f31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05A5E3A08B1 for <oauth@ietf.org>; Wed, 23 Mar 2022 18:24:54 -0700 (PDT)
Received: by mail-qv1-xf31.google.com with SMTP id ke15so2643217qvb.11 for <oauth@ietf.org>; Wed, 23 Mar 2022 18:24:54 -0700 (PDT)
X-Received: by 2002:a0c:bf12:0:b0:42c:536d:52d7 with SMTP id m18-20020a0cbf12000000b0042c536d52d7mr2493215qvi.33.1648085093035;  Wed, 23 Mar 2022 18:24:53 -0700 (PDT)
Received: from [10.0.1.3] (pool-74-103-207-160.prvdri.ftas.verizon.net. [74.103.207.160]) by smtp.gmail.com with ESMTPSA id n131-20020a372789000000b0067bce1ac001sm811206qkn.71.2022.03.23.18.24.51 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 23 Mar 2022 18:24:51 -0700 (PDT)
Content-Type: multipart/alternative; boundary="----=_NextPart_60591377.029995769665"
MIME-Version: 1.0
Date: Wed, 23 Mar 2022 21:24:51 -0400
Message-ID: <Mailbird-cd9d7a1c-d3ad-4831-b680-0057b53b88c6@gmail.com>
From: "Brock Allen" <brockallen@gmail.com>
To: "George Fletcher" <gffletch@aol.com>, "Pieter Kasselman" <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, "" <oauth@ietf.org>
In-Reply-To: <ca159e1d-ab58-4eb8-9171-e0aa0dfab9fe@aol.com>
References: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com> <Mailbird-07e64951-c8a3-4cf0-853d-2ac710d77abd@gmail.com> <AM7PR83MB0452C946A20D116F13D7F28E91139@AM7PR83MB0452.EURPRD83.prod.outlook.com> <ca159e1d-ab58-4eb8-9171-e0aa0dfab9fe@aol.com>
User-Agent: Mailbird/2.9.61.0
X-Mailbird-ID: Mailbird-cd9d7a1c-d3ad-4831-b680-0057b53b88c6@gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vh7N7RxEsyxeV9VGfQxLSD0vOkM>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2022 01:25:01 -0000

------=_NextPart_60591377.029995769665
Content-Type: text/plain;
 charset="utf-8"
Content-Transfer-Encoding: quoted-printable

In the case of the DEF CON video showing the Microsoft exploit, it worked like this (if I recall correctly):

The attacker started the device flow from their system, sent the user a link to login with a "promo code" (the user code) to get a discount on their Microsoft bill, and when the user logged in they were prompted for the code (which they thought was a promo code), and thus they granted access to the attacker waiting for the flow to be complete.

The problem was that:

1) The vendor's first party administrative CLI app was designed to use device flow.
2) The consent screen just said "Do you want to login to your Microsoft account".

So the issues were that for (1) device flow was just the wrong one (the native apps BCP w/ system browser should have been used), especially for an app with such high/privileged access, and for (2) the consent did not let the end-user know they were granting the client full administrative access.

So several missteps here that the protocol by itself can't completely protect against.

-Brock
On 3/23/2022 9:10:01 PM, George Fletcher <gffletch@aol.com> wrote:
I just want to make a quick comment on the use of "proximity and location information". I used the device flow to authorize my son's device by having him text me the code so I could login on my device (in a different state) and provide his device access. If we close the door too much we will potentially impact good users :)

I agree that consent can be socially engineered... but think that it would be useful to improve that information so that the user authenticating to provide authorization could know where the device they're authorizing is located. That could help users detect that they are authorizing a device in a location that doesn't make sense to them.

Thanks,
George


On 3/18/22 8:21 AM, Pieter Kasselman wrote:

Hi Brock

Great point, and I would agree that better consent screens could help, but I don’t think it is sufficient.

One of the challenges with consent screens is that they make assumptions about the users' abilities when they are being asked to make decisions about things they do not fully appreciate or understand. In addition, they are in a rush, are often trying to be helpful and prone to grant consent (the framing in these social engineering attacks can be very persuasive). Even users who are aware of these exploits and understand the systems they interact with are prone to be misled. Better guidance on the consent screen is definitely something we should provide.

I do think there is a defence in depth strategy that can reduce risk by (1) avoiding asking the user for a decision by making back-end risk decisions, (2) augmenting the information presented to the user when making the decisions and (3) mitigating against a decision made in error.

Proximity and location information can for instance be used to bind user codes to specific locations or inform the user on where the user code was first presented, device status and/or location may be used to make decisions on whether to allow device code flows to be used in the first place, and use of token binding (e.g. DPoP) may help defend against attackers who are able to exfiltrate tokens from a device and make lateral attacks.

Anything we can do to encourage implementors to ask users to make fewer decisions, help them make better decisions and then protect them in case of a bad decision will help drive down risk.

Cheers

Pieter


From: Brock Allen <brockallen@gmail.com>
Sent: Thursday 17 March 2022 21:25
To: Pieter Kasselman <pieter.kasselman@microsoft.com>; oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits

I watched one of those videos and it seems to me that a proper consent screen would have been the best and easiest line of defense. Is there something more to the attacks where a better consent page (or any consent page for that matter) would not have been sufficient?

-Brock
On 3/17/2022 5:10:35 PM, Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org> wrote:
Hi All

One of the agenda items for IETF 113 is the device authorization grant flow (aka device code flow), scheduled for Thursday 24 March 2022. Before the meeting, I wanted to share a bit more information for those interested in the topic and also give those who are unable to attend in person an opportunity to participate in the conversation.

The Device Authorization Grant Flow (RFC 8682) [https://datatracker.ietf.org/doc/html/rfc8628] solves an important problem by enabling authorization flows on devices that are unable to support a browser or have limited input capabilities. However, looking back over the past 18-24 months, there have been a number of practical exploits published that use social engineering techniques applied to the device authorization grant flow.

The goal of the session at IETF 113 is to discuss the patterns of the exploits that are known and start a conversation on what (if anything) we should do, based on what we are learning.

These exploits follow a general man-in-the-middle (MITM) pattern, where the attacker:

* Initiates the Device Authorization Grant flow on a device under their control,
* Presents the user code in a context that the end-user is likely to act on (using social engineering techniques), and
* Once the user grants access, retrieves the access and refresh tokens and uses them to access the user’s resources.

Some of the exploits are described here for those interested in more detail:

* The Art of the Device Code Phish - Boku (0xboku.com) [https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html]
* Microsoft 365 OAuth Device Code Flow and Phishing | Optiv [https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing]
* optiv/Microsoft365_devicePhish: A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow (github.com) [https://github.com/optiv/Microsoft365_devicePhish]
* Introducing a new phishing technique for compromising Office 365 accounts (o365blog.com) [https://o365blog.com/post/phishing/#new-phishing-technique-device-code-authentication]
* DEF CON 29 - Jenko Hwong - New Phishing Attacks Exploiting OAuth Authentication Flows - YouTube [https://www.youtube.com/watch?v=9slRYvpKHp4]

In terms of a response, there are a few options that come to mind (these are not exhaustive, I would love to see what others have in mind as well):

* Do nothing: We can choose to leave everything as is. The downside of this is that the lessons we are learning are not getting disseminated or resulting in reduced risks.
* Update the recommendations: We can document the social engineering exploits and recommend some additional mitigations as well as recommendations in terms of use cases. Although these types of "phishing"/social engineering attacks are called out in the security considerations in RFC 8628 - OAuth 2.0 Device Authorization Grant [https://datatracker.ietf.org/doc/html/rfc8628], we can add further mitigations to create greater defence in depth. This will help future implementers and may even be useful for future protocols that rely on similar cross-device authentication and authorization flows.
* Explore alternatives: Develop, adopt, or evolve new protocols that address the scenario while mitigating or avoiding the risks.

Option A does not do much to improve the state of the art. Option B feels like something we can do now, and we may learn something along the way that can help inform Option C, which may be much further down the road and require more research. What other options come to mind?

I’m looking forward to the conversation and hearing what others are thinking about this topic.

Cheers,
Pieter


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
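A toy RFC 8628 authorization server that applies the mitigations discussed in this thread (a back-end policy that refuses the device grant for privileged clients, a user code bound to the network context it was issued in, and a consent screen that names the client, the scopes and the device's location), added here as an illustration and not code from the thread or from any vendor it mentions; the client names, addresses and geo lookup are constructed:

```python
# Added example (not from the thread or any product it mentions): a toy RFC 8628
# server applying three mitigations from the discussion above.
# (1) back-end policy: the device grant is refused for clients that should not use
#     it, e.g. a privileged first-party admin CLI, so the user is never asked;
# (2) the user code is bound to the context it was issued in, and the consent
#     screen shows that location, the client name and the scopes being granted;
# (3) a location mismatch warns instead of blocking, so cross-state use still works.
# Client names, IP addresses and the geo lookup are constructed for the example.
from dataclasses import dataclass
import secrets
import time

# Constructed "GeoIP" keyed on /24 prefix; a real server would use a GeoIP database.
GEO = {"203.0.113": "Helsinki, FI", "198.51.100": "Providence, US"}
# Consonant-only alphabet as RFC 8628 section 6.1 suggests (no accidental words).
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


def geo_of(ip: str) -> str:
    return GEO.get(ip.rsplit(".", 1)[0], "unknown")


@dataclass
class Client:
    client_id: str
    name: str
    device_grant_allowed: bool  # policy knob for mitigation (1)
    privileged: bool


@dataclass
class DeviceCode:
    device_code: str
    user_code: str
    client_id: str
    scope: str
    issued_ip: str
    issued_at: float
    expires_in: int = 600
    status: str = "pending"  # pending | granted | denied


class DeviceAuthorizationServer:
    def __init__(self, clients):
        self.clients = {c.client_id: c for c in clients}
        self.codes = {}  # user_code -> DeviceCode

    def device_authorization(self, client_id, scope, requester_ip):
        """Device authorization endpoint (RFC 8628 sections 3.1 and 3.2)."""
        client = self.clients.get(client_id)
        if client is None:
            return {"error": "invalid_client"}
        if not client.device_grant_allowed:
            # Mitigation (1): decided in the back end, the user is never asked.
            return {"error": "unauthorized_client"}
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET)
                                     for _ in range(4)) for _ in range(2))
        dc = DeviceCode(secrets.token_urlsafe(32), user_code, client_id, scope,
                        requester_ip, time.time())
        self.codes[user_code] = dc
        return {"device_code": dc.device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",
                "expires_in": dc.expires_in, "interval": 5}

    def consent_prompt(self, user_code, verifier_ip):
        """Data for the consent screen shown after the user enters the code."""
        dc = self.codes.get(user_code)
        if dc is None or dc.status != "pending":
            return None
        if time.time() > dc.issued_at + dc.expires_in:
            dc.status = "denied"  # an expired code can never be approved
            return None
        client = self.clients[dc.client_id]
        device_loc, user_loc = geo_of(dc.issued_ip), geo_of(verifier_ip)
        mismatch = device_loc != user_loc
        # Mitigation (2): say who is asking, for what, and from where.
        return {"client_name": client.name, "scope": dc.scope,
                "privileged": client.privileged,
                "device_location": device_loc, "your_location": user_loc,
                "location_mismatch": mismatch,
                "warning": ("The device that requested this code appears to be "
                            "somewhere other than where you are.") if mismatch else None}

    def decide(self, user_code, approve: bool) -> bool:
        dc = self.codes.get(user_code)
        if dc is None or dc.status != "pending":
            return False
        dc.status = "granted" if approve else "denied"
        return True

    def token(self, device_code):
        """Token endpoint for grant_type urn:ietf:params:oauth:grant-type:device_code."""
        for dc in self.codes.values():
            if dc.device_code == device_code:
                if dc.status == "pending":
                    return {"error": "authorization_pending"}
                if dc.status == "denied":
                    return {"error": "access_denied"}
                return {"access_token": secrets.token_urlsafe(16),
                        "token_type": "Bearer", "scope": dc.scope}
        return {"error": "invalid_grant"}
```

The mismatch only populates a warning on the consent screen; whether to also block is a policy choice the thread leaves open.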

------=_NextPart_60591377.029995769665
Content-Type: text/html;
 charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<div id=3D"__MailbirdStyleContent" style=3D"font-size: 10pt;font-family: Lu=
cida Console;color: #000000;text-align: left" dir=3D"ltr">=0A              =
                          =0A                                        =0A   =
                                         =0A                               =
         =0A                                        =0A                    =
                    In the case of DEF CON video showing the Microsoft expl=
oit, it worked liked this (if I recall correctly):<div><br></div><div><div>=
The attacker started the device flow from their system, sent the user a lin=
k to login with an "promo code" (the user code) to get a discount on their =
Microsoft bill, and when the user logged in they were prompted for the code=
 (which they thought it was a promo code), and thus they granted access to =
the attacker waiting for the flow to be complete.</div><div><br></div><div>=
The problem was that:<br><br>1) The vendor's first party administrative CLI=
 app was designed to use device flow.<div>2) The consent screen just said "=
Do you want to login to your Microsoft account".</div><div><br></div><div>S=
o the issues were that for (1) device flow was just the wrong one (the nati=
ve apps BCP w/ system browser should have been used), especially for an app=
 with such high/privileged access, and for (2) the consent did not let the =
end-user know they were granting the client full administrative access.</di=
v><div><br></div><div>So several missteps here that the protocol by itself =
can't completely protect against.</div><div><br></div><div class=3D"mb_sig"=
><span style=3D"font-family: Lucida Console;font-size: 10pt">-Brock</span><=
/div><blockquote class=3D"history_container" type=3D"cite" style=3D"border-=
left-style:solid;border-width:1px; margin-top:20px; margin-left:0px;padding=
-left:10px;">=0A                        <p style=3D"color: #AAAAAA; margin-=
top: 10px;">On 3/23/2022 9:10:01 PM, George Fletcher &lt;gffletch@aol.com&g=
t; wrote:</p><div style=3D"font-family:Arial,Helvetica,sans-serif">=0A    I=
 just want to make a quick comment on the use of "proximity and=0A    locat=
ion information". I used the device flow to authorize my son's=0A    device=
 by having him text me the code so I could login on my device=0A    (in a d=
ifferent state) and provide his device access. If we close=0A    the door t=
oo much we will potentially impact good users :)<br>=0A    <br>=0A    I agr=
ee that consent can be socially engineered... but think that it=0A    would=
 be useful to improve that information so that the user=0A    authenticatin=
g to provide authorization could know where the device=0A    their authoriz=
ing is located. That could help users detecting that=0A    they are authori=
zing a device in a location that doesn't make sense=0A    to them.<br>=0A  =
  <br>=0A    Thanks,<br>=0A    George<br>=0A    <br>=0A    <div class=3D"mo=
z-cite-prefix">On 3/18/22 8:21 AM, Pieter Kasselman=0A      wrote:<br>=0A  =
  </div>=0A    <blockquote type=3D"cite" cite=3D"mid:AM7PR83MB0452C946A20D1=
16F13D7F28E91139@AM7PR83MB0452.EURPRD83.prod.outlook.com">=0A      =0A     =
 =0A      <!--[if gte mso 9]><xml>=0A<o:shapedefaults v:ext=3D"edit" spidma=
x=3D"1026" />=0A</xml><![endif]--><!--[if gte mso 9]><xml>=0A<o:shapelayout=
 v:ext=3D"edit">=0A<o:idmap v:ext=3D"edit" data=3D"1" />=0A</o:shapelayout>=
</xml><![endif]-->=0A      <div class=3D"WordSection1">=0A        <p class=
=3D"MsoNormal"><span style=3D"mso-fareast-language:EN-US">Hi=0A            =
Brock<o:p></o:p></span></p>=0A        <p class=3D"MsoNormal"><span style=3D=
"mso-fareast-language:EN-US"><o:p>&nbsp;</o:p></span></p>=0A        <p clas=
s=3D"MsoNormal"><span style=3D"mso-fareast-language:EN-US">Great=0A        =
    point, and I would agree that better consent screens could=0A          =
  help, but I don=E2=80=99t think it is sufficient.=0A            <o:p></o:=
p></span></p>=0A        <p class=3D"MsoNormal"><span style=3D"mso-fareast-l=
anguage:EN-US"><o:p>&nbsp;</o:p></span></p>=0A        <p class=3D"MsoNormal=
"><span style=3D"mso-fareast-language:EN-US">One=0A            of the chall=
enges with consent screens is that it makes=0A            assumptions about=
 the users abilities when they are being=0A            asked to make decisi=
ons about things they do not fully=0A            appreciate or understand. =
In addition, they are in a rush,=0A            are often trying to be helpf=
ul and prone to grant consent=0A            (the framing in these social en=
gineering attacks can be very=0A            persuasive). Even users who are=
 aware of these exploits and=0A            understand the systems they inte=
ract with are prone to be=0A            misled. Better guidance on the cons=
ent screen is definitely=0A            something we should provide.<o:p></o=
:p></span></p>=0A        <p class=3D"MsoNormal"><span style=3D"mso-fareast-=
language:EN-US"><o:p>&nbsp;</o:p></span></p>=0A        <p class=3D"MsoNorma=
l"><span style=3D"mso-fareast-language:EN-US">I=0A            do think ther=
e is a defence in depth strategy that can=0A            reduce risk by (1) =
avoiding asking the user for a decision=0A            by making back-end ri=
sk decisions (2) augmenting the=0A            information presented to the =
user when making the decisions=0A            and (3) mitigating against a d=
ecision made in error.<o:p></o:p></span></p>=0A        <p class=3D"MsoNorma=
l"><span style=3D"mso-fareast-language:EN-US"><o:p>&nbsp;</o:p></span></p>=
=0A        <p class=3D"MsoNormal"><span style=3D"mso-fareast-language:EN-US=
">Proximity=0A            and location information can for instance be used=
 to bind=0A            user codes to specific locations or inform the user =
on where=0A            the user code was first presented, device status and=
/or=0A            location may be used to make decisions on whether to allo=
w=0A            device code flows to be used in the first place and use of=
=0A            token binding (e.g. DPoP) may help defend against attackers=
=0A            who are able to exfiltrate tokens from a device and make=0A =
           lateral attacks.=0A            <o:p></o:p></span></p>=0A        =
<p class=3D"MsoNormal"><span style=3D"mso-fareast-language:EN-US"><o:p>&nbs=
p;</o:p></span></p>=0A        <p class=3D"MsoNormal"><span style=3D"mso-far=
east-language:EN-US">Anything=0A            we can do to encourage implemen=
tor to ask users to make=0A            fewer decision, help them make bette=
r decisions and then=0A            protecting them in case of a bad decisio=
n will help drive=0A            down risk.<o:p></o:p></span></p>=0A        =
<p class=3D"MsoNormal"><span style=3D"mso-fareast-language:EN-US"><o:p>&nbs=
p;</o:p></span></p>=0A        <p class=3D"MsoNormal"><span style=3D"mso-far=
east-language:EN-US">Cheers<o:p></o:p></span></p>=0A        <p class=3D"Mso=
Normal"><span style=3D"mso-fareast-language:EN-US"><o:p>&nbsp;</o:p></span>=
</p>=0A        <p class=3D"MsoNormal"><span style=3D"mso-fareast-language:E=
N-US">Pieter<o:p></o:p></span></p>=0A        <p class=3D"MsoNormal"><span s=
tyle=3D"mso-fareast-language:EN-US"><o:p>&nbsp;</o:p></span></p>=0A        =
<p class=3D"MsoNormal"><span style=3D"mso-fareast-language:EN-US"><o:p>&nbs=
p;</o:p></span></p>=0A        <div style=3D"border:none;border-top:solid #E=
1E1E1=0A          1.0pt;padding:3.0pt 0cm 0cm 0cm">=0A          <p class=3D=
"MsoNormal"><b><span lang=3D"EN-US">From:</span></b><span lang=3D"EN-US"> B=
rock Allen <a class=3D"moz-txt-link-rfc2396E" href=3D"mailto:brockallen@gma=
il.com">&lt;brockallen@gmail.com&gt;</a>=0A              <br>=0A           =
   <b>Sent:</b> Thursday 17 March 2022 21:25<br>=0A              <b>To:</b>=
 Pieter Kasselman=0A              <a class=3D"moz-txt-link-rfc2396E" href=
=3D"mailto:pieter.kasselman@microsoft.com">&lt;pieter.kasselman@microsoft.c=
om&gt;</a>; <a class=3D"moz-txt-link-abbreviated" href=3D"mailto:oauth@ietf=
.org">oauth@ietf.org</a><br>=0A              <b>Subject:</b> [EXTERNAL] Re:=
 [OAUTH-WG] Device=0A              Authorization Grant and Illicit Consent =
Exploits<o:p></o:p></span></p>=0A        </div>=0A        <p class=3D"MsoNo=
rmal"><o:p>&nbsp;</o:p></p>=0A        <p class=3D"MsoNormal"><span style=3D=
"font-size: 10.0pt;font-family: &quot;Lucida=0A            Console&quot;;co=
lor: black">I watched one of those videos and=0A            it seems to be =
that a proper consent screen would have been=0A            the best and eas=
iest line of defense. Is there something=0A            more to the attacks =
where a better consent page (or any=0A            consent page for that mat=
ter) would not have been=0A            sufficient?<o:p></o:p></span></p>=0A=
        <div>=0A          <p class=3D"MsoNormal"><span style=3D"font-size: =
10.0pt;font-family: &quot;Lucida=0A              Console&quot;;color: black=
"><o:p>&nbsp;</o:p></span></p>=0A        </div>=0A        <div>=0A         =
 <p class=3D"MsoNormal"><span style=3D"font-size: 10.0pt;font-family: &quot=
;Lucida=0A              Console&quot;;color: black">-Brock<o:p></o:p></span=
></p>=0A        </div>=0A        <blockquote style=3D"border:none;border-le=
ft:solid windowtext=0A          1.0pt;padding:0cm 0cm 0cm=0A          8.0pt=
;margin-left:0cm;margin-top:15.0pt;margin-bottom:5.0pt">=0A          <p sty=
le=3D"margin-top:7.5pt"><span style=3D"font-size: 10.0pt;font-family: &quot=
;Lucida=0A              Console&quot;;color: #AAAAAA">On 3/17/2022 5:10:35 =
PM,=0A              Pieter Kasselman &lt;<a href=3D"mailto:pieter.kasselman=
=3D40microsoft.com@dmarc.ietf.org" moz-do-not-send=3D"true" class=3D"moz-tx=
t-link-freetext">pieter.kasselman=3D40microsoft.com@dmarc.ietf.org</a>&gt;=
=0A              wrote:<o:p></o:p></span></p>=0A          <div>=0A         =
   <div>=0A              <p style=3D"margin:0cm"><span style=3D"font-size: =
10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black">Hi=0A       =
           All&nbsp;<o:p></o:p></span></p>=0A              <p style=3D"marg=
in:0cm"><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,san=
s-serif;color: black">&nbsp;<o:p></o:p></span></p>=0A              <p style=
=3D"margin:0cm"><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&q=
uot;,sans-serif;color: black">One=0A                  of the agenda items f=
or IETF 113 is the device=0A                  authorization grant flow (aka=
 device code flow),=0A                  scheduled for Thursday 24 March 202=
2.=E2=80=AF Before the=0A                  meeting, I wanted to share a bit=
 more information for=0A                  those interested in the topic and=
 also give those who=0A                  are unable to attend in person an =
opportunity to=0A                  participate in the conversation.&nbsp;<o=
:p></o:p></span></p>=0A              <p style=3D"margin:0cm"><span style=3D=
"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black">=
&nbsp;<o:p></o:p></span></p>=0A              <p style=3D"margin:0cm"><span =
style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color:=
 black">The=0A                  <a href=3D"https://nam06.safelinks.protecti=
on.outlook.com/?url=3Dhttps%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc=
8628&amp;data=3D04%7C01%7Cpieter.kasselman%40microsoft.com%7Cdab129df96fb4f=
e03c7908da085c8dae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C63783149088=
4440262%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI=
6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&amp;sdata=3DEswcNYKNZWEAWLBuOvQytd8TMlgpgUxI=
k0E%2FlfKkRIk%3D&amp;reserved=3D0" moz-do-not-send=3D"true">=0A            =
        Device Authorization Grant Flow (RFC 8682)</a></span><span style=3D=
"font-size: 10.5pt;font-family: &quot;Segoe=0A                  UI&quot;,sa=
ns-serif;color: black"> s</span><span style=3D"font-size: 10.0pt;font-famil=
y: &quot;Arial&quot;,sans-serif;color: black">olves=0A                  an =
important problem by enabling authorization flows=0A                  on de=
vices that are unable to support a browsers or=0A                  have lim=
ited input capabilities. However, looking back=0A                  over the=
 past 18-24 months, there have been a number=0A                  of practic=
al exploits published that use social=0A                  engineering techn=
iques applied to the device=0A                  authorization grant flow.&n=
bsp;<o:p></o:p></span></p>=0A              <p style=3D"margin:0cm"><span st=
yle=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: b=
lack">&nbsp;<o:p></o:p></span></p>=0A              <p style=3D"margin:0cm">=
<span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;=
color: black">The=0A                  goal of the session at IETF 113 is to=
 discuss the=0A                  patterns of the exploits that are known an=
d start a=0A                  conversation on what (if anything) we should =
do, based=0A                  on what we are learning.&nbsp;<o:p></o:p></sp=
an></p>=0A              <p style=3D"margin:0cm"><span style=3D"font-size: 1=
0.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black">&nbsp;<o:p></=
o:p></span></p>=0A              <p style=3D"margin:0cm"><span style=3D"font=
-size: 10.5pt;font-family: &quot;Segoe=0A                  UI&quot;,sans-se=
rif;color: black">These exploits follow=0A                  a general man-i=
n-the-middle (MITM) pattern, where the=0A                  attacker:&nbsp;<=
/span></p>
              <ol type="1" start="1">
                <li>Initiates the Device Authorization Grant flow on a device under their control,</li>
                <li>Presents the user code in a context that the end-user is likely to act on (using social engineering techniques), and</li>
                <li>Once the user grants access, retrieves the access and refresh tokens and uses them to access the user’s resources.</li>
              </ol>
              <p>Some of the exploits are described here for those interested in more detail:</p>
              <ol type="1" start="1">
                <li><a href="https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html">The Art of the Device Code Phish - Boku (0xboku.com)</a></li>
                <li><a href="https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing">Microsoft 365 OAuth Device Code Flow and Phishing | Optiv</a>
                  <ol type="a" start="1">
                    <li><a href="https://github.com/optiv/Microsoft365_devicePhish">optiv/Microsoft365_devicePhish: A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow (github.com)</a></li>
                  </ol>
                </li>
                <li><a href="https://o365blog.com/post/phishing/#new-phishing-technique-device-code-authentication">Introducing a new phishing technique for compromising Office 365 accounts (o365blog.com)</a></li>
                <li><a href="https://www.youtube.com/watch?v=9slRYvpKHp4">DEF CON 29 - Jenko Hwong - New Phishing Attacks Exploiting OAuth Authentication Flows - YouTube</a></li>
              </ol>
              <p>In terms of a response, there are a few options that come to mind (these are not exhaustive, I would love to see what others have in mind as well):</p>
              <ol type="A" start="1">
                <li>Do nothing: We can choose to leave everything as is. The downside of this is that the lessons we are learning are not getting disseminated or resulting in reduced risks.</li>
                <li>Update the recommendations: We can document the social engineering exploits and recommend some additional mitigations as well as recommendations in terms of use cases. Although these types of "phishing"/social engineering attacks are called out in the security considerations in <a href="https://datatracker.ietf.org/doc/html/rfc8628">RFC 8628 - OAuth 2.0 Device Authorization Grant</a>, we can add further mitigations to create greater defence in depth. This will help future implementers and may even be useful for future protocols that rely on a similar cross-device authentication and authorization flows.</li>
                <li>Explore alternatives: Develop, adopt, or evolve new protocols that address the scenario while mitigating or avoiding the risks.</li>
              </ol>
              <p>Option A does not do much to improve the state of the art. Option B feels like something we can do now, and we may learn something along the way that can help inform Option C, which may be much further down the road and require more research. What other options come to mind?</p>
              <p>I’m looking forward to the conversation and hearing what others are thinking about this topic.</p>
              <p>Cheers,</p>
              <p>Pieter</p>
            </div>
          </div>
        </blockquote>
      </div>
      <br>
      <fieldset class="moz-mime-attachment-header"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <br>
  </div></blockquote>
</div></div></div>
------=_NextPart_60591377.029995769665--


From nobody Thu Mar 24 02:49:23 2022
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 286313A16E9 for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 02:49:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level: 
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nEr7V2TPQVe1 for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 02:49:16 -0700 (PDT)
Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0778C3A16B3 for <oauth@ietf.org>; Thu, 24 Mar 2022 02:49:15 -0700 (PDT)
Received: by mail-oi1-x22b.google.com with SMTP id s207so4327652oie.11 for <oauth@ietf.org>; Thu, 24 Mar 2022 02:49:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3PAxgy9v/DM7hK3W2XaOYwgyd/LGM1UynHoqnpXug70=; b=XMTyEgdVak6jkcH247Cs616aMw1yNfl8AEBrDGVg9RdJIw6feUIaBKk9AM5LhODPpO tlmAAy7XtoGgQNWC2oL2j2ThTNgvW7GyVB+H3ea0LDiY/oOEKnRhje2Q70U8RZWHPwTe xSPdb0vMyC388QbhmUwLCr8P/O7jlygVRGSeu4fr19m8WEBocp9/x0xkg01nKg3zGiII S2rwLFpXgwCbBlncPUUmnwc1iSLlnRMg9xDeDmzV5KooqkIlJJEpf+J4Rrxp9tYbvUXx +TBsTPcz047FsX3/SuovCMP5OeNU7WJKibYvOzCuvKQNVp1RZ0MT7yhK/ZTAyrJYSd7a 9aoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3PAxgy9v/DM7hK3W2XaOYwgyd/LGM1UynHoqnpXug70=; b=ocqivh907OBEv3kJJrEQHyNtwX3yvYYlOTDae/KM/V6VYvB3adijpYadbqAy3CJ62s xaRMD4jxRqcxnyw+9/ETXC6+Oi+dCRhn1N04frmtfHz08EOeOaXR8qWFxjkRRsnA5+hd QGPOq4y0CqRSGGC68v/B7RoKsqcHUcCb18lDxVEByg4njbHMVcjUsX+8BHc7ks/rO0Ba GzaBBJfhq8qAJXmavf0Qu4UFLgJGFeaJuDINwewjuc549YTELexARg/CBt9SM6Gp2K8f EmH4RrnHEYNUGT+kZLe2Jlb7tgPVeXsmh+NtmwPmQcGsmdrhVTbKiwQ8nqeC/xiH5Mj8 L6fg==
X-Gm-Message-State: AOAM532PjSV+1LzSX+dtseHeU1Ow0DhJ8enBpFRIRWsf57pqYH20mGJP EXWknFpefj2sU521/JcIwR5WGndz4Xc86DzP3VgAeDYz1KdWC646UZ0Hdpaw19Fec4Gz8EkvPVp vJ2VdZtwpGcFlyBJ6JemUqV5iz4s=
X-Google-Smtp-Source: ABdhPJyBvjlA4Inxfoufv6OsQBQoYTmX1jn4X1CtH0asvD9PCxosYQ3U4AYxVIJohDFJQnjRGF/+hfa7LUXovS7IREg=
X-Received: by 2002:a05:6808:118d:b0:2d9:a01a:48c2 with SMTP id j13-20020a056808118d00b002d9a01a48c2mr6728350oil.269.1648115354872; Thu, 24 Mar 2022 02:49:14 -0700 (PDT)
MIME-Version: 1.0
References: <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com> <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com> <2bb4c1f0ca4ece28fa02fa135311b079@babelouest.org>
In-Reply-To: <2bb4c1f0ca4ece28fa02fa135311b079@babelouest.org>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 24 Mar 2022 10:48:47 +0100
Message-ID: <CA+k3eCSHLO=D9Wx3Noygi57F4THhf9Q0pKjF-t-rWAdkGCtVWQ@mail.gmail.com>
To: Nicolas Mora <nicolas@babelouest.org>
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000046d0a505daf3c2a7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CC0ZlExBdZFOjO2ltgkJ3w6VioI>
Subject: Re: [OAUTH-WG] Comments on ietf-oauth-dpop
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2022 09:49:22 -0000

--00000000000046d0a505daf3c2a7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello Nicolas,

The situation you describe of nonce switching with different RSs using the
same domain is possible. But I believe in practice it's rather unlikely to
occur and is self-correcting even if it does occur (though kinda
chatty/inefficient). I don't believe it's worthwhile to add stuff to the
protocol to optimize for the situation (of course, the WG should chime in
if I'm off base from rough consensus here). The name "iss" is rather
overloaded and would probably not be appropriate, even in the case
something was added. Also - the realm parameter
<https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#section-7.1-10.2>,
which may "be included to indicate the scope of protection" seems to me
like it could serve the purpose. And, I realize it's a bit pedantic, but
note that the discussion is about RS-provided nonce but the example shows
what would be an AS response.

With respect to "iat" and out-of-sync clocks - some leeway (on the order of
a few seconds or minutes) in both directions to accommodate reasonable and
likely clock skew is probably a good idea. As mentioned to Rohan in a prior
reply, I'll look to qualify this a bit better in the next revision of the
draft.



On Tue, Mar 22, 2022 at 8:03 PM Nicolas Mora <nicolas@babelouest.org> wrote:

> Hello,
>
> I would like to add some minor comments to this draft, based on what I've
> seen so far.
>
> - Resource Server-Provided Nonce
> Since a client may have to add different nonces for different RS in the
> DPoP token, it would be useful to add the issuer in the RS error response,
> so the client can differentiate nonces more easily.
> There may be different RS using the same domain, the client might not know
> it, and therefore switch nonces again and again between the RS.
> Instead, if the RS error response looks like this, there will be no
> ambiguity:
>
>  HTTP/1.1 400 Bad Request
>  DPoP-Nonce: eyJ7S_zG.eyJH0-Z.HX4w-7v
>
>  {
>   "error": "use_dpop_nonce",
>   "error_description":
>     "Authorization server requires nonce in DPoP proof",
>   "iss": "https://resource.tld/person/"
>  }
>
> - iat and not synced servers
> In addition to Rohan's question about the reasonable lifetime to expect
> for a DPoP token, I'm wondering what is reasonable to accept concerning iat
> in the future, where the client's clock may be out of sync. The paragraph
> 11.1 says "the server MAY accept DPoP proofs that carry an iat time in the
> reasonably near future". Could we add what a reasonably near future might
> be? In my implementation there is no gap allowed, so I'm wondering.
>
> /Nicolas
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited. If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you._

--00000000000046d0a505daf3c2a7--
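Brian's reply above makes two concrete points: a client can key its RS-provided nonces by the realm the challenge carries instead of by domain, and a server should allow "a few seconds or minutes" of leeway on iat in both directions. The later exchange with Rohan adds a third: a server nonce is what stops proofs pre-generated under an old nonce from being usable once the nonce rotates. The block below is an added worked example written for this archive; it is not code from the DPoP draft, from Ping Identity, or from Nicolas's implementation. The leeway value, the two resource URLs, the realm names and the nonce strings are constructed, and JWS signature verification is left as an assumed hook (`verify_sig`) so the example runs on the Python standard library alone.

```python
import base64
import json
import time
from urllib.parse import urlsplit

# Assumed leeway ("a few seconds or minutes" in the thread), applied in both directions.
IAT_LEEWAY_SECONDS = 60


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_proof(claims: dict) -> str:
    """Constructed DPoP-shaped JWS (header.claims.signature) with a placeholder key and
    signature, used only as test input; a real proof is signed with the 'jwk' key."""
    header = {"typ": "dpop+jwt", "alg": "ES256",
              "jwk": {"kty": "EC", "crv": "P-256", "x": "placeholder", "y": "placeholder"}}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    return signing_input + "." + _b64url_encode(b"placeholder-signature")


def check_dpop_proof(proof, htm, htu, server_nonce=None, now=None,
                     leeway=IAT_LEEWAY_SECONDS, verify_sig=lambda hdr, data, sig: True):
    """Server-side claim checks for one DPoP proof: (True, None) or (False, error dict).
    For use_dpop_nonce the error also carries the nonce the server wants next, i.e. the
    DPoP-Nonce header value. verify_sig is an assumed hook: a real server verifies the
    JWS against the 'jwk' header before trusting any claim checked below."""
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = proof.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
    except ValueError:  # wrong part count, bad base64url or bad JSON
        return False, {"error": "invalid_dpop_proof", "error_description": "malformed proof"}
    if (not isinstance(header, dict) or not isinstance(claims, dict)
            or header.get("typ") != "dpop+jwt" or "jwk" not in header):
        return False, {"error": "invalid_dpop_proof", "error_description": "bad header"}
    if not verify_sig(header, (h_b64 + "." + c_b64).encode(), _b64url_decode(s_b64)):
        return False, {"error": "invalid_dpop_proof", "error_description": "bad signature"}
    if claims.get("htm") != htm or claims.get("htu") != htu:
        return False, {"error": "invalid_dpop_proof", "error_description": "htm/htu mismatch"}
    iat = claims.get("iat")
    # A fast client clock puts iat slightly in the future, a slow one slightly in the past;
    # both are tolerated up to the leeway and rejected beyond it.
    if not isinstance(iat, (int, float)) or abs(now - iat) > leeway:
        return False, {"error": "invalid_dpop_proof", "error_description": "iat outside accepted window"}
    if server_nonce is not None and claims.get("nonce") != server_nonce:
        # Missing or stale nonce: a proof pre-generated under an old nonce fails here once
        # the server rotates, which is the freshness property the nonce buys.
        return False, {"error": "use_dpop_nonce",
                       "error_description": "Resource server requires nonce in DPoP proof",
                       "DPoP-Nonce": server_nonce}
    return True, None


class ClientNonceStore:
    """Client-side memory of RS-provided nonces, keyed by origin plus the realm learned
    from the challenge (key_by_realm=True) or, naively, by origin alone (False)."""

    def __init__(self, key_by_realm=True):
        self.key_by_realm = key_by_realm
        self._realm_of = {}  # resource URL -> realm from its last challenge
        self._nonces = {}    # (origin, realm or None) -> nonce

    def _key(self, url, realm):
        parts = urlsplit(url)
        return (parts.scheme + "://" + parts.netloc, realm if self.key_by_realm else None)

    def remember(self, url, realm, nonce):
        self._realm_of[url] = realm
        self._nonces[self._key(url, realm)] = nonce

    def lookup(self, url):
        return self._nonces.get(self._key(url, self._realm_of.get(url)))


def simulate_nonce_switching(key_by_realm, rounds=3):
    """Alternate GETs between two RSs on one host (constructed URLs, realms and nonces);
    return how many requests drew a use_dpop_nonce challenge."""
    servers = {  # url -> (realm sent in the challenge, nonce this RS currently requires)
        "https://resource.example/person/": ("person", "nonce-person-1"),
        "https://resource.example/files/": ("files", "nonce-files-1"),
    }
    store, challenges, now = ClientNonceStore(key_by_realm), 0, 1_700_000_000
    for url in list(servers) * rounds:
        realm, required = servers[url]
        proof = make_proof({"jti": "id", "htm": "GET", "htu": url, "iat": now,
                            "nonce": store.lookup(url)})
        ok, err = check_dpop_proof(proof, "GET", url, server_nonce=required, now=now)
        if not ok and err["error"] == "use_dpop_nonce":
            challenges += 1  # a real client retries right away with the new nonce
            store.remember(url, realm, err["DPoP-Nonce"])
    return challenges
```

Run stand-alone, `simulate_nonce_switching(True)` returns 2 (one challenge per RS, then steady state) while `simulate_nonce_switching(False)` returns 6 (every switch between the two RSs draws a fresh challenge), which is the chatty but self-correcting behaviour Brian describes; keying the client's nonce cache by the realm from the challenge removes the thrashing without adding anything to the protocol. The jti replay tracking the draft also calls for is not shown here.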


From nobody Thu Mar 24 03:23:46 2022
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 383453A17B8 for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 03:23:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level: 
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MPughR3AqaUx for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 03:23:39 -0700 (PDT)
Received: from mail-oi1-x22d.google.com (mail-oi1-x22d.google.com [IPv6:2607:f8b0:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE0013A1777 for <oauth@ietf.org>; Thu, 24 Mar 2022 03:23:39 -0700 (PDT)
Received: by mail-oi1-x22d.google.com with SMTP id o64so4414050oib.7 for <oauth@ietf.org>; Thu, 24 Mar 2022 03:23:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ESy32e7EybxOrNIEKOrtsdPKvibJ3POHVWo+7aVrjf0=; b=b7SeAPMTlsUXbl/B/IEaZfD/5FchlpcSrCxPYXuZUZLTXzT6B68sH1OVxSy9j+smwU t7VfqSbOYCQlin9xJw2snjEMZVFf2C3tl9pF6c2zTacbj491Fm5xzaJIpLt5xLbX5wi2 LYwYSBk1LTi5XFecGm23OXIwJtgn0zNglMXerki5NQRi4TzMfce/Gn4Zz2Lxs5KwQlN/ dRwxtXtJnqSKqSLVB2sxgOUV4fz6+fDlxDt4bgJNNIWzt5AviA29pXr0kaTTGFWzIIrZ tZ30hUFv75UUDZ4Z6sIIInmIZWVm3u9JXO8GMbksqbaqZVNuoV5AMpq9UJ/RrqjPXHS7 +RAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ESy32e7EybxOrNIEKOrtsdPKvibJ3POHVWo+7aVrjf0=; b=quky/CZs0Q3tp0Qhb5HmN1xb2ZLS6koGlAFUIeuI09ZJwOjFbTt1hr21uDPgTFp9wl bVv5CRbcoku/9xRicl6HzeSgRbYtYOPW0tsOJxi5FLcbeQYw9loznoDMNGem78u/tpdi ZizReeY5SrEDDeynjwI5oBjuY3xYDTllQsaDXp2zUdsOYsGMpF/Wr3NdPDNBMoPiCvdx uBjO605JZQg8sPbgaVDo25l7IH+q8q9kbw01YRL1HhfRBHZt+icUnQEaiH8lR9Vaanx8 Gps6b303eiOvB0eevt/UyXuqkCT4NHSCSgeKZcMFbvv3NUipO0sfhAqWjHuYjMLl1K+1 DwSw==
X-Gm-Message-State: AOAM531g2o0aza26Vd9e/TWzqTA0TZblSRMPwDmpB2uuZXQN77qadBxM 5qFhjXXPxLnGYz2zrjQKjxWnGAskGYhR45qEjAUUAMrphEqzU5ijwgu+LsF3epP/RrkFKUwneut +ThtWi+LR+5ajHHk+mO7XqrB9cmM=
X-Google-Smtp-Source: ABdhPJz5UyVNwTKN6kT32rVkJMHzgQRFLFQYeSzN0UseIzfL7XPx66ImwuvLY9c2KClJ4e3YAXlm/S3y3pbZq+x6/Gk=
X-Received: by 2002:a05:6808:58:b0:2ee:f54e:65fe with SMTP id v24-20020a056808005800b002eef54e65femr2190353oic.52.1648117418387; Thu, 24 Mar 2022 03:23:38 -0700 (PDT)
MIME-Version: 1.0
References: <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com> <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com> <CA+k3eCTe_+U-ssCmXhtc9SPGti+xC7wHZbnneef3xQjtR=Dixg@mail.gmail.com> <CACW8--O0Q9tDi0BbCs=BTcAU717-+8sk7qPP3Magopz5P62sOg@mail.gmail.com>
In-Reply-To: <CACW8--O0Q9tDi0BbCs=BTcAU717-+8sk7qPP3Magopz5P62sOg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 24 Mar 2022 11:23:11 +0100
Message-ID: <CA+k3eCRdo2p0xrgk8mkoDSxNuWgEO-QnBjaan7OczdzY6OYDXg@mail.gmail.com>
To: Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org>
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000045888105daf43dd8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MLAhxUseIEC9woxyN4_ylGbYV7g>
Subject: Re: [OAUTH-WG] Comments on ietf-oauth-dpop


On Wed, Mar 23, 2022 at 5:01 PM Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org> wrote:

> Hi Brian,
>
> To be clear, for pre-generated proofs, I am not worried about an attack
> against the client; I am worried about a malicious client. Imagine a
> malicious client which pre-generates proofs during a brief window while it
> has access to a private key stored on the iOS secure enclave, or on a
> Yubikey, or a non-extractable WebCryptoAPI CryptoKey. The ability to
> pre-generate proofs with no lifetime effectively makes these
> non-extractable key protections meaningless for some fixed number of proofs.
>

Direct usage of everything is also possible during that brief window. Yes,
a nonce helps protect against usage after the window has closed. But it's
not a panacea of protection. Which is, again, why it's an option provided
by the draft to server implementations/deployments that need or want it.
But not more.



> If the WG does not want to make server nonces a SHOULD, then I suggest the
> following:
> "Server implementations need some protection against arbitrary
> pre-generation. Servers MUST require all client proofs to contain either a
> server-provided nonce, or a server-provided explicit expiration time, or
> both."
>

I'm not sure what, other than a nonce, a "server-provided explicit
expiration time" would be in the context of DPoP? Any
recommendations/requirements the document makes need to be rooted in actual
existing pieces of the protocol defined by that document.



> Adding "(on the order of seconds or minutes)" would already be a big
> improvement to what is in the document.
>

Will do. Thanks.



> The linkage between Figure 12 and Figure 13 is clear. I was talking about
> the linkage between Figure 5 (or the refresh response to Figure 6) and the
> token hash in Figure 12.
>

The access token returned in Fig 5 is the same one used in Fig 12. But that
it's in Fig 5 is not really meaningful to the ath or much else. I'm not
sure what could be clarified or better linked?



> Many Thanks,
> -rohan
>
>
> *Rohan Mahy*  l  Vice President Engineering, Architecture
>
> Chat: @rohan_wire on Wire
>
> Wire <https://wire.com/en/download/> - Secure team messaging.
>
> *Zeta Project Germany GmbH*  l  Rosenthaler Straße 40, 10178 Berlin, Germany
>
> Geschäftsführer/Managing Director: Morten J. Broegger
>
> HRB 149847 at the Charlottenburg commercial register, Berlin
>
> VAT-ID DE288748675
>
>
> On Wed, Mar 23, 2022 at 8:17 AM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>
>> Thanks Rohan,
>>
>> Pre-generating a proof requires the ability to execute code on the
>> client, which is already a problematic situation where other (arguably
>> more) serious attacks are possible. Such as driving a whole attack directly
>> from the client. The draft aims to give servers the option to use a nonce
>> but not push it too much or overstate its protections.
>>
>> The vagueness around lifetimes is somewhat intentional. At one point the
>> document (maybe aspirationally) had something like 'no more than a few
>> seconds' but there was some push-back that it was unrealistically short to
>> accommodate real world client clock skew. I'm not sure the draft can make a
>> much more concrete recommendation as I think it really is something that
>> has tradeoffs and will be implementation/deployment specific. Perhaps
>> something like, "(on the order of seconds or minutes)" could be added as a
>> qualifier around lifetime leniency? That maybe gives a general idea of what
>> is acceptable and/or relatively brief without being overly prescriptive.
>> I'm quite hesitant to say anything more specific.
>>
>> An access token and its "ath" hash value are shown as part of the
>> examples
>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-12
>> and
>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-13
>> respectively. Perhaps it'd be worthwhile to more explicitly mention the
>> relationship between the two examples? I think I did the calculations
>> correctly but anyone double checking that work would be welcome. The
>> sentence in sec 4.3 step 11 is already pretty darn verbose - probably too
>> much so. I think breaking it up would probably be a better way to make it
>> more clear.
>>
>> The MIME type registration will be in the next revision
>> https://mailarchive.ietf.org/arch/msg/oauth/Vj24ZXU4UuG6Rr04U1Cdrz2rx3o/
>>
>> I'll work those nits and fix things up as appropriate.
>>
>>
>>
>>
>>
>>
>> On Tue, Mar 22, 2022 at 4:24 PM Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org> wrote:
>>
>>> Hi,
>>> Here are some comments on draft-ietf-oauth-dpop-06:
>>>
>>> 1) With such a significant attack possible as DPoP proof pre-generation,
>>> why isn't using the server nonce a SHOULD? Preventing a significant attack
>>> and making lifetime handling sane are two excellent reasons to use a server
>>> nonce. If an implementation has a good reason to not use a server nonce, we
>>> can give guidance about what additional steps the implementation needs to
>>> take.
>>>
>>> 2) The handling of lifetimes of DPoP proofs is vague: "acceptable
>>> timeframe" (Section 4.3), "relatively brief period" (Section 11.1). Is that
>>> 1 day, 15 minutes, or 30 seconds?
>>> The normative text in the two sections seems contradictory.
>>> I think you need a lifetime parameter if a server nonce isn't included,
>>> or just pick a number (5 minutes?).
>>>
>>> 3) I had a similar thought to Nicolas Mora about including other
>>> assertions/tokens. There should be a way to chain, include, or reference
>>> other OAuth assertions and bind them somehow with the DPoP. This will be a
>>> common and important model.
>>>
>>> 4) Right now you describe the access token hash before describing the
>>> access token itself. I think it would be very useful to show a worked
>>> example of an access token and then its hash used subsequently. Also
>>> Section 4.3 step 11 feels like a circular description. Please rewrite more
>>> verbosely to be clearer:
>>> Currently:
>>> "when presented to a protected resource in conjunction with an access
>>> token, ensure that the value of the ath claim equals the hash of that
>>> access token and confirm that the public key to which the access token is
>>> bound matches the public key from the DPoP proof."
>>>
>>> 5) Re: IANA registration of the MIME type. TL;DR: Just register
>>> application/dpop+jwt.
>>> Long version: The semantics of the thing you want to register is
>>> application/dpop. The first syntax you are defining is jwt. For example,
>>> iCalendar has three formats: text/calendar (iCal),
>>> application/calendar+json (jCal), and application/calendar+xml (xCal).
>>>
>>> NITS:
>>> - Spell out first use of acronyms: JWT, JWK, JWS, TLS, JOSE, PKCE.
>>> - Add references to TLS, XSS, CRIME/Heartbleed/BREACH/etc., HTTP, JOSE
>>> on first use.
>>> - First sentence of Section 2 (Objectives): add a comma (access
>>> tokens_,_ by binding) to make it clear that "binding a token" is doing the
>>> preventing instead of the stealing in the sentence.
>>> - Section 2 para 5: s/XXS/XSS/
>>> - Maybe mention why you are using ASCII (7-bit) when the charset in the
>>> examples is UTF-8.
>>>
>>> I hope these comments are useful.
>>> Many thanks,
>>> -rohan
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>
>




From nobody Thu Mar 24 05:34:59 2022
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>, Brock Allen <brockallen@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits
Thread-Index: AQHYPxvrtpgz3MvgSESTQ+uhPlCBKKzOdMKw
Date: Thu, 24 Mar 2022 12:34:40 +0000
Message-ID: <AM7PR83MB0452F357994512852A3DEA0991199@AM7PR83MB0452.EURPRD83.prod.outlook.com>
References: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com> <Mailbird-07e64951-c8a3-4cf0-853d-2ac710d77abd@gmail.com> <AM7PR83MB0452C946A20D116F13D7F28E91139@AM7PR83MB0452.EURPRD83.prod.outlook.com> <ca159e1d-ab58-4eb8-9171-e0aa0dfab9fe@aol.com>
In-Reply-To: <ca159e1d-ab58-4eb8-9171-e0aa0dfab9fe@aol.com>
Accept-Language: en-IE, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2022-03-24T12:34:27Z;  MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=7f0b9c27-c643-4b42-a47f-eaad01576b18; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bf94c212-3540-4fca-aa7e-08da0d92aa9b
x-ms-traffictypediagnostic: DB6PR8303MB0087:EE_
x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr
x-ms-exchange-atpmessageproperties: SA|SL
x-microsoft-antispam-prvs: <DB6PR8303MB0087915937D0EE732C502A9291199@DB6PR8303MB0087.EURPRD83.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;  IPV:NLI; SFV:NSPM; H:AM7PR83MB0452.EURPRD83.prod.outlook.com; PTR:; CAT:NONE;  SFS:(13230001)(4636009)(366004)(451199009)(9686003)(966005)(52536014)(33656002)(110136005)(8676002)(8936002)(64756008)(71200400001)(76116006)(66946007)(66556008)(66476007)(66446008)(7696005)(6506007)(122000001)(10290500003)(38070700005)(38100700002)(53546011)(82950400001)(82960400001)(55016003)(166002)(44832011)(508600001)(316002)(86362001)(5660300002)(2906002)(186003)(83380400001)(8990500004); DIR:OUT; SFP:1102; 
Content-Type: multipart/alternative; boundary="_000_AM7PR83MB0452F357994512852A3DEA0991199AM7PR83MB0452EURP_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM7PR83MB0452.EURPRD83.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bf94c212-3540-4fca-aa7e-08da0d92aa9b
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Mar 2022 12:34:40.3211 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 0LHaPxIosoUoPHMMf4H7OciXtF0wXeFIaOCHEUTtlDGNxCiboiKGzf4W1qZ+CznYsyZ73BU/w7mnx6ipDzN9zGL9Spi4DBj+4PTSIbdMj8s=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR8303MB0087
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/j7DjfoF6BoAB7BFUvX0fkYRuAw0>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2022 12:34:56 -0000

--_000_AM7PR83MB0452F357994512852A3DEA0991199AM7PR83MB0452EURP_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Thanks George, I agree that there are “on behalf-of” authorization use cases where strict proximity enforcement could be problematic.

I think of proximity as one of the controls that can be applied and influence the risk assessment. For example, the authorization server may still issue authorization tokens, but may choose to reduce the validity period or require re-authentication in the future if proximity cannot be established (i.e. you can get a temporary pass, until you can satisfy the proximity requirements).

Another way to think about it is correlating proximity at different levels (same room, same building, same city, same country, same continent).

A third variation of this may be related to the value being protected (e.g. above a certain monetary value proximity is enforced, below another value, it is not).

I don’t think of it as a binary decision, but rather one of a number of signals that can help to reduce risk, based on the deployment scenario.

Cheers

Pieter

From: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>
Sent: Thursday 24 March 2022 02:10
To: Pieter Kasselman <pieter.kasselman@microsoft.com>; Brock Allen <brockallen@gmail.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

I just want to make a quick comment on the use of "proximity and location information". I used the device flow to authorize my son's device by having him text me the code so I could log in on my device (in a different state) and provide his device access. If we close the door too much we will potentially impact good users :)

I agree that consent can be socially engineered... but think that it would be useful to improve that information so that the user authenticating to provide authorization could know where the device they're authorizing is located. That could help users detect that they are authorizing a device in a location that doesn't make sense to them.

Thanks,
George

On 3/18/22 8:21 AM, Pieter Kasselman wrote:
Hi Brock

Great point, and I would agree that better consent screens could help, but I don’t think it is sufficient.

One of the challenges with consent screens is that they make assumptions about the users' abilities when they are being asked to make decisions about things they do not fully appreciate or understand. In addition, they are in a rush, are often trying to be helpful and prone to grant consent (the framing in these social engineering attacks can be very persuasive). Even users who are aware of these exploits and understand the systems they interact with are prone to be misled. Better guidance on the consent screen is definitely something we should provide.

I do think there is a defence in depth strategy that can reduce risk by (1) avoiding asking the user for a decision by making back-end risk decisions, (2) augmenting the information presented to the user when making the decisions and (3) mitigating against a decision made in error.

Proximity and location information can for instance be used to bind user codes to specific locations or inform the user on where the user code was first presented; device status and/or location may be used to make decisions on whether to allow device code flows to be used in the first place; and use of token binding (e.g. DPoP) may help defend against attackers who are able to exfiltrate tokens from a device and make lateral attacks.

Anything we can do to encourage implementors to ask users to make fewer decisions, help them make better decisions and then protect them in case of a bad decision will help drive down risk.

Cheers

Pieter

From: Brock Allen <brockallen@gmail.com>
Sent: Thursday 17 March 2022 21:25
To: Pieter Kasselman <pieter.kasselman@microsoft.com>; oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits

I watched one of those videos and it seems to be that a proper consent screen would have been the best and easiest line of defense. Is there something more to the attacks where a better consent page (or any consent page for that matter) would not have been sufficient?

-Brock

On 3/17/2022 5:10:35 PM, Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org> wrote:

Hi All

One of the agenda items for IETF 113 is the device authorization grant flow (aka device code flow), scheduled for Thursday 24 March 2022. Before the meeting, I wanted to share a bit more information for those interested in the topic and also give those who are unable to attend in person an opportunity to participate in the conversation.

The Device Authorization Grant Flow (RFC 8682) <https://datatracker.ietf.org/doc/html/rfc8628> solves an important problem by enabling authorization flows on devices that are unable to support a browser or have limited input capabilities. However, looking back over the past 18-24 months, there have been a number of practical exploits published that use social engineering techniques applied to the device authorization grant flow.

The goal of the session at IETF 113 is to discuss the patterns of the exploits that are known and start a conversation on what (if anything) we should do, based on what we are learning.

These exploits follow a general man-in-the-middle (MITM) pattern, where the attacker:

  1.  Initiates the Device Authorization Grant flow on a device under their control,
  2.  Presents the user code in a context that the end-user is likely to act on (using social engineering techniques), and
  3.  Once the user grants access, retrieves the access and refresh tokens and uses them to access the user’s resources.

Some of the exploits are described here for those interested in more detail:

  1.  The Art of the Device Code Phish - Boku (0xboku.com) <https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html>
  2.  Microsoft 365 OAuth Device Code Flow and Phishing | Optiv <https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing>
     *   optiv/Microsoft365_devicePhish: A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow (github.com) <https://github.com/optiv/Microsoft365_devicePhish>
  3.  Introducing a new phishing technique for compromising Office 365 accounts (o365blog.com) <https://o365blog.com/post/phishing/#new-phishing-technique-device-code-authentication>
  4.  DEF CON 29 - Jenko Hwong - New Phishing Attacks Exploiting OAuth Authentication Flows - YouTube <https://www.youtube.com/watch?v=9slRYvpKHp4>

In terms of a response, there are a few options that come to mind (these are not exhaustive, I would love to see what others have in mind as well):

  1.  Do nothing: We can choose to leave everything as is. The downside of this is that the lessons we are learning are not getting disseminated or resulting in reduced risks.
  2.  Update the recommendations: We can document the social engineering exploits and recommend some additional mitigations as well as recommendations in terms of use cases. Although these types of "phishing"/social engineering attacks are called out in the security considerations in RFC 8628 - OAuth 2.0 Device Authorization Grant <https://datatracker.ietf.org/doc/html/rfc8628>, we can add further mitigations to create greater defence in depth. This will help future implementers and may even be useful for future protocols that rely on similar cross-device authentication and authorization flows.
  3.  Explore alternatives: Develop, adopt, or evolve new protocols that address the scenario while mitigating or avoiding the risks.

Option A does not do much to improve the state of the art. Option B feels like something we can do now, and we may learn something along the way that can help inform Option C, which may be much further down the road and require more research. What other options come to mind?

I’m looking forward to the conversation and hearing what others are thinking about this topic.

Cheers,

Pieter

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--_000_AM7PR83MB0452F357994512852A3DEA0991199AM7PR83MB0452EURP_--

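The graded-proximity idea in Pieter's reply above (same room/building/city/country/continent, a temporary pass with reduced validity when proximity cannot be established, strict enforcement only above a monetary value) and the consent-screen hint from the quoted messages, worked into an authorization-server policy function for the device code flow as an added example. This is not code from the thread or from any product; every class, threshold, IP address and location in it is constructed.

```python
# Added example, not code from the thread. It sketches how an authorization
# server could use the graded-proximity signal discussed above when deciding
# what to issue at the end of an RFC 8628 device code flow. Every class,
# threshold, IP address and location below is constructed for illustration.
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Proximity(IntEnum):
    """How close the place the user_code was issued (device's request to the
    device authorization endpoint) is to the place it was entered (the user's
    browser at the verification URI). Higher is closer."""
    UNKNOWN = 0          # no usable correlation (or different continents)
    SAME_CONTINENT = 1
    SAME_COUNTRY = 2
    SAME_CITY = 3
    SAME_NETWORK = 4     # same public IP: a stand-in for "same building/room"


@dataclass(frozen=True)
class Location:
    ip: str                        # public source IP seen by the AS
    city: Optional[str] = None     # geolocation fields; None when unavailable
    country: Optional[str] = None
    continent: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    issue: bool               # issue tokens at all?
    access_token_ttl: int     # seconds; 0 when nothing is issued
    refresh_token: bool       # include a refresh token?
    reauth_required: bool     # demand a fresh interactive login first
    reason: str


FULL_TTL = 3600   # assumed normal access token lifetime
SHORT_TTL = 600   # assumed "temporary pass" lifetime


def proximity(issued_at: Location, entered_at: Location) -> Proximity:
    """Correlate the two locations at decreasing levels of granularity."""
    if issued_at.ip == entered_at.ip:
        return Proximity.SAME_NETWORK
    if issued_at.country is not None and issued_at.country == entered_at.country:
        if issued_at.city is not None and issued_at.city == entered_at.city:
            return Proximity.SAME_CITY
        return Proximity.SAME_COUNTRY
    if issued_at.continent is not None and issued_at.continent == entered_at.continent:
        return Proximity.SAME_CONTINENT
    return Proximity.UNKNOWN


def decide(issued_at: Location, entered_at: Location,
           resource_value: float, high_value_threshold: float = 1000.0) -> Decision:
    """Proximity is one signal among several, not a binary gate: full grant
    when the two sides are close, a temporary pass when they are not, and
    strict enforcement only for resources above a (constructed) value."""
    p = proximity(issued_at, entered_at)
    if resource_value >= high_value_threshold and p < Proximity.SAME_CITY:
        return Decision(False, 0, False, False,
                        f"high-value resource requires proximity, got {p.name}")
    if p >= Proximity.SAME_CITY:
        return Decision(True, FULL_TTL, True, False, f"proximity {p.name}")
    if p >= Proximity.SAME_COUNTRY:
        # Temporary pass: short-lived access, no refresh token to replay later.
        return Decision(True, SHORT_TTL, False, False,
                        f"reduced validity, proximity {p.name}")
    # Cross-continent or unknown ("on behalf of" cases still work), but only
    # after a fresh login and with a short-lived token.
    return Decision(True, SHORT_TTL, False, True,
                    f"re-authentication required, proximity {p.name}")


def consent_notice(issued_at: Location) -> str:
    """Text for the consent screen telling the user where the code they are
    about to approve was first presented (the 'augment the information
    presented to the user' mitigation from the thread)."""
    place = ", ".join(x for x in (issued_at.city, issued_at.country) if x) or "an unknown location"
    return f"This code was requested by a device in {place} (IP {issued_at.ip})."


# Constructed sample locations (documentation IP ranges, RFC 5737).
HOME = Location("192.0.2.10", "Dublin", "IE", "EU")
SAME_NET = Location("192.0.2.10", "Dublin", "IE", "EU")
OTHER_CITY = Location("198.51.100.7", "Cork", "IE", "EU")
OTHER_COUNTRY = Location("198.51.100.8", "Berlin", "DE", "EU")
FAR_AWAY = Location("203.0.113.5", "Austin", "US", "NA")
NO_GEO = Location("203.0.113.9")

if __name__ == "__main__":
    for who, where in (("same network", SAME_NET), ("other city", OTHER_CITY),
                       ("other country", OTHER_COUNTRY), ("far away", FAR_AWAY),
                       ("no geolocation", NO_GEO)):
        print(f"{who:15} {decide(HOME, where, 50)}")
    print(consent_notice(FAR_AWAY))
```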

From nobody Thu Mar 24 05:41:26 2022
Return-Path: <pieter.kasselman@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 630C93A1259 for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 05:41:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level: 
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jr48Y9VrJh30 for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 05:41:18 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-ve1eur03on0716.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe09::716]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E52C33A1233 for <oauth@ietf.org>; Thu, 24 Mar 2022 05:41:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PMg41MpFqEG/SdJpSk6E5ltGs3tUN7I59ku2ITe0cWudMdSPR9nYyAtZxz8KeEEf5cByVhnC1ZXFmX2wFGlqqHRPvnbqOx7npF7BCY/lLHL0h9YFqCb9EN3ePXL/BE1DPq8V9lHx7lILTYtbxe/J6yagTopizHxTjlN2I0BHKFyWbyc/nFJQJR4ZLjDOmX40Ot1f+BqQ+mXkxdj1OZYHeT8Y1QZMzfC/4IwuwZ/yzmACNfVr6GAmd3DObEFa7/JLoM4Ga/DkZeD3aPXnSMtWuOLhtMrKx0f2VOUv1njwLwmwOU6EHe0akRm9xtF96hxmbbck5qWODpCPflKpkeYEFg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;  s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=r7YdrBPlWnE6PsP5FWf3xyaUjMuvRJZltLaqvxGPVh4=; b=bXIUcOeOeqPwCsZsQMeQCCKetF8E5jY44ivUdvuWwKNIJfE/fywnX0DEnok55c5MoJUmvOz5Ii5RfclZCozjT+dyjL4uQzlLdZauqcKa7PtumSsS9eCCWBFqEa2N3tM2mKA9Q5+A4e/VjAQk3j+SMZkrpboKFKOoiGh7RuwyBdRTgHIRhf4TXYog1mLb8DTtos0bFvTwEDzfyviQNcqKTIcrK6engXPBgZ8+CKw6zXpvHE6tcWL+uc5/8O0BElZ33rXSocrYmdrWDkuhb+4NeE35tSdtLqxcrnw+EwFSTmhNbLgDw4SkcpPYi5LyJhaaAqzjYUKStq/vVEwXY0ru3w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=r7YdrBPlWnE6PsP5FWf3xyaUjMuvRJZltLaqvxGPVh4=; b=SfIemn0E5StgySamy+KfgE+ju5/cIwrVsePnF8ZWDYkPHO1h+TctHOn7YoiQI4F3KTW5Htqd/5mag3dx1Nd6DUJXI/KAoC1wXobPxlpRv5nwJGLeb/ycm4trqK87oCYHcHCrXgY4wiJyOZvO+Al1qtjqCot5xuxw/YcWe2ku6ek=
Received: from AM7PR83MB0452.EURPRD83.prod.outlook.com (2603:10a6:20b:1b6::10) by PA4PR83MB0511.EURPRD83.prod.outlook.com (2603:10a6:102:ec::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.4; Thu, 24 Mar 2022 12:41:10 +0000
Received: from AM7PR83MB0452.EURPRD83.prod.outlook.com ([fe80::8df6:9cd8:37bb:1f7e]) by AM7PR83MB0452.EURPRD83.prod.outlook.com ([fe80::8df6:9cd8:37bb:1f7e%4]) with mapi id 15.20.5123.010; Thu, 24 Mar 2022 12:41:10 +0000
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: Brock Allen <brockallen@gmail.com>, George Fletcher <gffletch@aol.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits
Thread-Index: AQHYPxvrtpgz3MvgSESTQ+uhPlCBKKzNvbKAgAC7QLA=
Date: Thu, 24 Mar 2022 12:41:10 +0000
Message-ID: <AM7PR83MB0452F2813A9D43B565E5A38891199@AM7PR83MB0452.EURPRD83.prod.outlook.com>
References: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com> <Mailbird-07e64951-c8a3-4cf0-853d-2ac710d77abd@gmail.com> <AM7PR83MB0452C946A20D116F13D7F28E91139@AM7PR83MB0452.EURPRD83.prod.outlook.com> <ca159e1d-ab58-4eb8-9171-e0aa0dfab9fe@aol.com> <Mailbird-cd9d7a1c-d3ad-4831-b680-0057b53b88c6@gmail.com>
In-Reply-To: <Mailbird-cd9d7a1c-d3ad-4831-b680-0057b53b88c6@gmail.com>
Accept-Language: en-IE, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2022-03-24T12:40:59Z;  MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=b59484d6-4fd2-4edc-ad68-1adf30cdad8f; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8d11de3e-10b5-4bc5-77b3-08da0d93932a
x-ms-traffictypediagnostic: PA4PR83MB0511:EE_
x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr
x-ms-exchange-atpmessageproperties: SA|SL
x-microsoft-antispam-prvs: <PA4PR83MB0511B4E44C68369F5DE2870A91199@PA4PR83MB0511.EURPRD83.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;  IPV:NLI; SFV:NSPM; H:AM7PR83MB0452.EURPRD83.prod.outlook.com; PTR:; CAT:NONE;  SFS:(13230001)(4636009)(366004)(47690400004)(451199009)(186003)(110136005)(38100700002)(8990500004)(76116006)(166002)(71200400001)(316002)(38070700005)(82950400001)(82960400001)(8676002)(66946007)(66556008)(66476007)(66446008)(64756008)(122000001)(83380400001)(7696005)(52230400001)(6506007)(55016003)(2906002)(66574015)(53546011)(33656002)(966005)(10290500003)(9686003)(44832011)(8936002)(52536014)(86362001)(508600001)(5660300002); DIR:OUT; SFP:1102; 
Content-Type: multipart/alternative; boundary="_000_AM7PR83MB0452F2813A9D43B565E5A38891199AM7PR83MB0452EURP_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM7PR83MB0452.EURPRD83.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8d11de3e-10b5-4bc5-77b3-08da0d93932a
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Mar 2022 12:41:10.5334 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: BH6RdzcR0lev0cspCqNSlwtS0UxHPjJYsCOCnEUIsrtojxp1gdiGgsTIfVx6zKS7OIW2jPQFCOWXz6rY1mITlBcfnxFqHWVRJi+4p0fWHNA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA4PR83MB0511
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hBprIys5rXZvgnOlUPy_M48C1u0>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2022 12:41:24 -0000



From nobody Thu Mar 24 06:27:22 2022
Return-Path: <brockallen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 931A43A0CC7 for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 06:27:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.007
X-Spam-Level: 
X-Spam-Status: No, score=-2.007 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OPuAP-J1yD7J for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 06:27:14 -0700 (PDT)
Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39BAB3A10A4 for <oauth@ietf.org>; Thu, 24 Mar 2022 06:27:14 -0700 (PDT)
Received: by mail-qk1-x732.google.com with SMTP id 1so3491990qke.1 for <oauth@ietf.org>; Thu, 24 Mar 2022 06:27:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;  h=mime-version:date:message-id:subject:from:to:in-reply-to:references :user-agent; bh=uJnXqblez6AQmZvuU8fHVyMCfndnyQm2/fRmvm/J6zY=; b=lMyl2rkzvki2kQDFqqFhgwL8u9lIL2V3/OLYfWC7y0JL72TeoCoIoEA923STRcmOo3 Rzlh+Y0nPEdygcN9TBAwaq1iUgUAFLcb39IsD9NpdNwsc8vqQLQbqdwWjKB0rwJrhJ9N Pv69AMCB1FS817REwijQqnkcd4D1/ZRLkndftHbo0CytceCGSQXQOz59wbYE22UfnvYo pmRJrMmT81wv9SaExSrMHpYI0+pXX4Ie2O051XqK7JvRE5hliaG5r8ptA7yW0+XhJJit 7V6iBLLXRa+wJqPZJpf5NqCWxfgh9qRfdlDg+6T5HtyQuEiq+QGkZFtU/0aBr5SqQZsh HO3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :in-reply-to:references:user-agent; bh=uJnXqblez6AQmZvuU8fHVyMCfndnyQm2/fRmvm/J6zY=; b=f0LcVGvZbZkgCWT24ig2KL7CvcFm3mXpowcTnlIItOf8H5pSKc1i+lPpazhJkx8YF9 172qIwT8nrxEnP6neW/76JcZBNrXOeo6C+k2WIG7R+2Gy0E8FloHejF3xxMh1Lx42TIB v0VnbqDyhqGnCVc5P1pPGctraG1ubJxypZ1gB2Il6UaY52ihvNJmxVFLC9a41A90RvBZ w4Dy9D8pEytSPfm84Q46i7n8v+WQ7AY4J7God7oTyvbpvenoOzRDHOZLrneDoRZiAavc DBT/QUGlAzleFdbIb04AYnfuKBvW+bjA9DLF8SYj7PIpy4lIIfyVBhDMC+cRi1wMb4HR D6CA==
X-Gm-Message-State: AOAM533My4p6PIMTs305ZlHYyp927Z9UmG/qRcWrZNdWRsxOP5aYixRC yO4p7HPvW544cMMYa6V/Y9GZEUXxDaE=
X-Google-Smtp-Source: ABdhPJxNLQkX+ATQP4OmTbsE+d5niQFwJ0/Uqx08u1iUV1FX8yBAgNCpOTarLN/777r8Drn69aS9nw==
X-Received: by 2002:a05:620a:290c:b0:67e:c51d:40d with SMTP id m12-20020a05620a290c00b0067ec51d040dmr3218586qkp.145.1648128432711;  Thu, 24 Mar 2022 06:27:12 -0700 (PDT)
Received: from [10.0.1.3] (pool-74-103-207-160.prvdri.ftas.verizon.net. [74.103.207.160]) by smtp.gmail.com with ESMTPSA id j12-20020ae9c20c000000b0067ec380b320sm1652650qkg.64.2022.03.24.06.27.11 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 24 Mar 2022 06:27:11 -0700 (PDT)
Content-Type: multipart/alternative; boundary="----=_NextPart_62465436.344968282715"
MIME-Version: 1.0
Date: Thu, 24 Mar 2022 09:27:15 -0400
Message-ID: <Mailbird-6ec761d3-1596-4ae0-9326-ceb011843693@gmail.com>
From: "Brock Allen" <brockallen@gmail.com>
To: "Pieter Kasselman" <pieter.kasselman@microsoft.com>, "George Fletcher" <gffletch@aol.com>, "" <oauth@ietf.org>
In-Reply-To: <AM7PR83MB0452F2813A9D43B565E5A38891199@AM7PR83MB0452.EURPRD83.prod.outlook.com>
References: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com> <Mailbird-07e64951-c8a3-4cf0-853d-2ac710d77abd@gmail.com> <AM7PR83MB0452C946A20D116F13D7F28E91139@AM7PR83MB0452.EURPRD83.prod.outlook.com> <ca159e1d-ab58-4eb8-9171-e0aa0dfab9fe@aol.com> <Mailbird-cd9d7a1c-d3ad-4831-b680-0057b53b88c6@gmail.com> <AM7PR83MB0452F2813A9D43B565E5A38891199@AM7PR83MB0452.EURPRD83.prod.outlook.com>
User-Agent: Mailbird/2.9.61.0
X-Mailbird-ID: Mailbird-6ec761d3-1596-4ae0-9326-ceb011843693@gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bUk53hkgJ0Gj_FvDv7CNFmGwO_A>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2022 13:27:20 -0000

------=_NextPart_62465436.344968282715
Content-Type: text/plain;
 charset="utf-8"
Content-Transfer-Encoding: 7bit

Yep +1

But also... in my experience, FWIW, the dev generally wants to do the right thing and follow the guidance, but then you get the product owner/marketing/sales/UX/designer people who then want to make things as friction-less for the end user/customer (which often translates into revenue). And that's often why we end up with so much guidance ignored. Resource owner password grant type vs. AppAuth is a great example of this -- about once a month I have to get on a call to have this battle again and again.

It's a tough line to walk.


-Brock
On 3/24/2022 8:41:13 AM, Pieter Kasselman <pieter.kasselman@microsoft.com> wrote:
Hi Brock, one of the options to consider here is just better guidance in terms of implementation, including guidance on selecting protocols. From looking at numerous exploits (not just the authorization grant flow and the social engineering exploits), implementation issues are by far the most prevalent cause of issues, much more so than protocol issues themselves.

I would add that keeping protocols and the primitives they are built on simple is important in reducing implementation errors as well.

To put it another way, giving implementors more context about the consequences of using a protocol in a certain way is really important if we want to minimise security issues that arise from implementation issues and protocol selection.

Cheers

Pieter

From: Brock Allen <brockallen@gmail.com>
Sent: Thursday 24 March 2022 02:25
To: George Fletcher <gffletch@aol.com>; Pieter Kasselman <pieter.kasselman@microsoft.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

In the case of the DEF CON video showing the Microsoft exploit, it worked like this (if I recall correctly):

The attacker started the device flow from their system, sent the user a link to log in with a "promo code" (the user code) to get a discount on their Microsoft bill, and when the user logged in they were prompted for the code (which they thought was a promo code), and thus they granted access to the attacker waiting for the flow to be complete.

The problem was that:

1) The vendor's first party administrative CLI app was designed to use device flow.
2) The consent screen just said "Do you want to login to your Microsoft account".

So the issues were that for (1) device flow was just the wrong one (the native apps BCP w/ system browser should have been used), especially for an app with such high/privileged access, and for (2) the consent did not let the end-user know they were granting the client full administrative access.

So several missteps here that the protocol by itself can't completely protect against.

-Brock
On 3/23/2022 9:10:01 PM, George Fletcher <gffletch@aol.com> wrote:
I just want to make a quick comment on the use of "proximity and location information". I used the device flow to authorize my son's device by having him text me the code so I could log in on my device (in a different state) and provide his device access. If we close the door too much we will potentially impact good users :)

I agree that consent can be socially engineered... but think that it would be useful to improve that information so that the user authenticating to provide authorization could know where the device they're authorizing is located. That could help users detect that they are authorizing a device in a location that doesn't make sense to them.

Thanks,
George
On 3/18/22 8:21 AM, Pieter Kasselman wrote:
Hi Brock

Great point, and I would agree that better consent screens could help, but I don't think it is sufficient.

One of the challenges with consent screens is that they make assumptions about the users' abilities when they are being asked to make decisions about things they do not fully appreciate or understand. In addition, they are in a rush, are often trying to be helpful and prone to grant consent (the framing in these social engineering attacks can be very persuasive). Even users who are aware of these exploits and understand the systems they interact with are prone to be misled. Better guidance on the consent screen is definitely something we should provide.

I do think there is a defence in depth strategy that can reduce risk by (1) avoiding asking the user for a decision by making back-end risk decisions, (2) augmenting the information presented to the user when making the decisions and (3) mitigating against a decision made in error.

Proximity and location information can for instance be used to bind user codes to specific locations or inform the user on where the user code was first presented, device status and/or location may be used to make decisions on whether to allow device code flows to be used in the first place, and use of token binding (e.g. DPoP) may help defend against attackers who are able to exfiltrate tokens from a device and make lateral attacks.

Anything we can do to encourage implementors to ask users to make fewer decisions, help them make better decisions and then protect them in case of a bad decision will help drive down risk.

Cheers

Pieter


From: Brock Allen <brockallen@gmail.com>
Sent: Thursday 17 March 2022 21:25
To: Pieter Kasselman <pieter.kasselman@microsoft.com>; oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits

I watched one of those videos and it seems to be that a proper consent screen would have been the best and easiest line of defense. Is there something more to the attacks where a better consent page (or any consent page for that matter) would not have been sufficient?

-Brock
On 3/17/2022 5:10:35 PM, Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org> wrote:
Hi All

One of the agenda items for IETF 113 is the device authorization grant flow (aka device code flow), scheduled for Thursday 24 March 2022. Before the meeting, I wanted to share a bit more information for those interested in the topic and also give those who are unable to attend in person an opportunity to participate in the conversation.

The Device Authorization Grant Flow (RFC 8682) [https://datatracker.ietf.org/doc/html/rfc8628] solves an important problem by enabling authorization flows on devices that are unable to support a browser or have limited input capabilities. However, looking back over the past 18-24 months, there have been a number of practical exploits published that use social engineering techniques applied to the device authorization grant flow.

The goal of the session at IETF 113 is to discuss the patterns of the exploits that are known and start a conversation on what (if anything) we should do, based on what we are learning.

These exploits follow a general man-in-the-middle (MITM) pattern, where the attacker:

* Initiates the Device Authorization Grant flow on a device under their control,
* Presents the user code in a context that the end-user is likely to act on (using social engineering techniques), and
* Once the user grants access, retrieves the access and refresh tokens and uses them to access the user's resources.

Some of the exploits are described here for those interested in more detail:

* The Art of the Device Code Phish - Boku (0xboku.com) [https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html]
* Microsoft 365 OAuth Device Code Flow and Phishing | Optiv [https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing]
* optiv/Microsoft365_devicePhish: A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow (github.com) [https://github.com/optiv/Microsoft365_devicePhish]
* Introducing a new phishing technique for compromising Office 365 accounts (o365blog.com) [https://o365blog.com/post/phishing/#new-phishing-technique-device-code-authentication]
* DEF CON 29 - Jenko Hwong - New Phishing Attacks Exploiting OAuth Authentication Flows - YouTube [https://www.youtube.com/watch?v=9slRYvpKHp4]

In terms of a response, there are a few options that come to mind (these are not exhaustive, I would love to see what others have in mind as well):

* Do nothing: We can choose to leave everything as is. The downside of this is that the lessons we are learning are not getting disseminated or resulting in reduced risks.
* Update the recommendations: We can document the social engineering exploits and recommend some additional mitigations as well as recommendations in terms of use cases. Although these types of "phishing"/social engineering attacks are called out in the security considerations in RFC 8628 - OAuth 2.0 Device Authorization Grant [https://datatracker.ietf.org/doc/html/rfc8628], we can add further mitigations to create greater defence in depth. This will help future implementers and may even be useful for future protocols that rely on similar cross-device authentication and authorization flows.
* Explore alternatives: Develop, adopt, or evolve new protocols that address the scenario while mitigating or avoiding the risks.

Option A does not do much to improve the state of the art. Option B feels like something we can do now, and we may learn something along the way that can help inform Option C, which may be much further down the road and require more research. What other options come to mind?

I'm looking forward to the conversation and hearing what others are thinking about this topic.

Cheers,
Pieter


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

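An added example, not code from this thread or from any product named in it: a toy authorization server for the RFC 8628 device flow that implements the three defence-in-depth layers Pieter describes (a back-end decision before the user is asked, a richer verification page, and damage limitation after a doubtful approval) together with Brock's point that the consent screen must spell out what access is being granted. Client names, scope names, IP addresses, the country-mismatch rule and the short-token policy are constructed assumptions for the example.

```python
import secrets
import time

# Base-20 alphabet suggested in RFC 8628 section 6.1 for human-typed user codes.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"

# Constructed for this example: a client registry, and the scopes the consent
# screen must call out as administrative access.
CLIENTS = {
    "admin-cli": {"name": "Tenant Admin CLI", "device_flow_allowed": False},
    "tv-app": {"name": "Living Room TV", "device_flow_allowed": True},
}
HIGH_PRIVILEGE_SCOPES = {"tenant.admin"}


def normalize_user_code(typed: str) -> str:
    """Accept the code as a human types it: any case, separators ignored."""
    return "".join(ch for ch in typed.upper() if ch in USER_CODE_ALPHABET)


class DeviceFlowAS:
    """Toy authorization server for the device flow with the three layers above."""

    def __init__(self, clients: dict, clock=time.time):
        self.clients = clients
        self.clock = clock  # injectable so expiry can be tested deterministically
        self.by_user_code: dict = {}
        self.by_device_code: dict = {}

    # RFC 8628 sections 3.1-3.2. Layer (1), a back-end decision taken before any
    # user is involved: a client for which the device flow is the wrong choice
    # (the admin CLI in Brock's example) is refused outright.
    def device_authorization(self, client_id: str, scope: list, device_ctx: dict) -> dict:
        client = self.clients.get(client_id)
        if client is None or not client["device_flow_allowed"]:
            return {"error": "unauthorized_client"}  # RFC 6749 error code
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        device_code = secrets.token_urlsafe(32)
        req = {
            "device_code": device_code, "user_code": user_code, "client_id": client_id,
            "scope": list(scope), "requested_from": dict(device_ctx),  # where the code was first presented
            "expires_at": self.clock() + 600, "status": "authorization_pending",
            "approved_by": None, "warnings_at_approval": [],
        }
        self.by_user_code[user_code] = req
        self.by_device_code[device_code] = req
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device", "expires_in": 600, "interval": 5}

    def _expired(self, req: dict) -> bool:
        return self.clock() >= req["expires_at"]

    # Layer (2): what the verification page shows before asking for a decision.
    # Instead of "Do you want to log in?", it names the client, lists the access
    # being granted, says where the code was first presented and flags mismatches.
    def verification_page(self, typed_code: str, user_ctx: dict) -> dict:
        req = self.by_user_code.get(normalize_user_code(typed_code))
        if req is None or self._expired(req):
            return {"error": "invalid_or_expired_code"}
        warnings = []
        if req["requested_from"]["country"] != user_ctx["country"]:
            warnings.append("device_country_mismatch")
        if set(req["scope"]) & HIGH_PRIVILEGE_SCOPES:
            warnings.append("grants_administrative_access")
        return {"client_name": self.clients[req["client_id"]]["name"], "scope": req["scope"],
                "device_country": req["requested_from"]["country"],
                "device_ip": req["requested_from"]["ip"], "warnings": warnings}

    # Layer (3): a mismatch does not block (George's cross-state case must still
    # work) but needs an explicit acknowledgement, and an approval given despite
    # warnings is recorded so the token endpoint can limit its blast radius.
    def approve(self, typed_code: str, user: str, user_ctx: dict, acknowledged: bool = False) -> dict:
        page = self.verification_page(typed_code, user_ctx)
        if "error" in page:
            return page
        if page["warnings"] and not acknowledged:
            return {"error": "confirmation_required", "warnings": page["warnings"]}
        req = self.by_user_code[normalize_user_code(typed_code)]
        req.update(status="approved", approved_by=user, warnings_at_approval=page["warnings"])
        return {"status": "approved"}

    # RFC 8628 sections 3.4-3.5: the device polls with its device_code. A warned
    # approval gets a short-lived access token and no refresh token (assumed policy).
    def token(self, device_code: str) -> dict:
        req = self.by_device_code.get(device_code)
        if req is None or req["status"] == "redeemed":
            return {"error": "invalid_grant"}  # unknown or already-used device_code
        if self._expired(req):
            return {"error": "expired_token"}
        if req["status"] != "approved":
            return {"error": "authorization_pending"}
        risky = bool(req["warnings_at_approval"])
        resp = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": " ".join(req["scope"]), "expires_in": 600 if risky else 3600}
        if not risky:
            resp["refresh_token"] = secrets.token_urlsafe(32)
        req["status"] = "redeemed"
        return resp
```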
argin-top-alt:auto;mso-margin-bottom-alt:auto"><span style=3D"font-size: 10=
.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black;mso-fareast-lan=
guage: EN-US">Cheers</span><span style=3D"font-size: 10.0pt;font-family: &q=
uot;Arial&quot;,sans-serif;color: black"><o:p></o:p></span></p>=0A<p class=
=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"=
><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif=
;color: black;mso-fareast-language: EN-US">&nbsp;</span><span style=3D"font=
-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black"><o:p>=
</o:p></span></p>=0A<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto=
;mso-margin-bottom-alt:auto"><span style=3D"font-size: 10.0pt;font-family: =
&quot;Arial&quot;,sans-serif;color: black;mso-fareast-language: EN-US">Piet=
er</span><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sa=
ns-serif;color: black"><o:p></o:p></span></p>=0A<p class=3D"MsoNormal" styl=
e=3D"mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style=3D"fon=
t-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black;mso-f=
areast-language: EN-US">&nbsp;</span><span style=3D"font-size: 10.0pt;font-=
family: &quot;Arial&quot;,sans-serif;color: black"><o:p></o:p></span></p>=
=0A<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-botto=
m-alt:auto"><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;=
,sans-serif;color: black;mso-fareast-language: EN-US">&nbsp;</span><span st=
yle=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: b=
lack"><o:p></o:p></span></p>=0A<div style=3D"border:none;border-top:solid #=
E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">=0A<p class=3D"MsoNormal" style=3D"=
mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span lang=3D"EN-US"=
 style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color=
: black">From:</span></b><span lang=3D"EN-US" style=3D"font-size: 10.0pt;fo=
nt-family: &quot;Arial&quot;,sans-serif;color: black">=0A Brock Allen <a hr=
ef=3D"mailto:brockallen@gmail.com">&lt;brockallen@gmail.com&gt;</a> <br>=0A=
<b>Sent:</b> Thursday 17 March 2022 21:25<br>=0A<b>To:</b> Pieter Kasselman=
 <a href=3D"mailto:pieter.kasselman@microsoft.com">&lt;pieter.kasselman@mic=
rosoft.com&gt;</a>;=0A<a href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a><=
br>=0A<b>Subject:</b> [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant =
and Illicit Consent Exploits</span><span style=3D"font-size: 10.0pt;font-fa=
mily: &quot;Arial&quot;,sans-serif;color: black"><o:p></o:p></span></p>=0A<=
/div>=0A<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-=
bottom-alt:auto"><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&=
quot;,sans-serif;color: black">&nbsp;<o:p></o:p></span></p>=0A<p class=3D"M=
soNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><spa=
n style=3D"font-size: 10.0pt;font-family: &quot;Lucida Console;color: black=
">I watched one of those videos and it seems to be that a proper consent sc=
reen would have=0A been the best and easiest line of defense. Is there some=
thing more to the attacks where a better consent page (or any consent page =
for that matter) would not have been sufficient?</span><span style=3D"font-=
size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black"><o:p><=
/o:p></span></p>=0A<div>=0A<p class=3D"MsoNormal" style=3D"mso-margin-top-a=
lt:auto;mso-margin-bottom-alt:auto"><span style=3D"font-size: 10.0pt;font-f=
amily: &quot;Lucida Console;color: black">&nbsp;</span><span style=3D"font-=
size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black"><o:p><=
/o:p></span></p>=0A</div>=0A<div>=0A<p class=3D"MsoNormal" style=3D"mso-mar=
gin-top-alt:auto;mso-margin-bottom-alt:auto"><span style=3D"font-size: 10.0=
pt;font-family: &quot;Lucida Console;color: black">-Brock</span><span style=
=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: blac=
k"><o:p></o:p></span></p>=0A</div>=0A<blockquote style=3D"border:none;borde=
r-left:solid windowtext 1.0pt;padding:0cm 0cm 0cm 8.0pt;margin-left:0cm;mar=
gin-top:15.0pt;margin-bottom:5.0pt">=0A<p style=3D"margin-top:7.5pt"><span =
style=3D"font-size: 10.0pt;font-family: &quot;Lucida Console;color: black">=
On 3/17/2022 5:10:35 PM, Pieter Kasselman &lt;<a href=3D"mailto:pieter.kass=
elman=3D40microsoft.com@dmarc.ietf.org">pieter.kasselman=3D40microsoft.com@=
dmarc.ietf.org</a>&gt;=0A wrote:</span><span style=3D"font-size: 10.0pt;fon=
t-family: &quot;Arial&quot;,sans-serif;color: black"><o:p></o:p></span></p>=
=0A<div>=0A<div>=0A<p style=3D"margin:0cm"><span style=3D"font-size: 10.0pt=
;font-family: &quot;Arial&quot;,sans-serif;color: black">Hi All&nbsp;<o:p><=
/o:p></span></p>=0A<p style=3D"margin:0cm"><span style=3D"font-size: 10.0pt=
;font-family: &quot;Arial&quot;,sans-serif;color: black">&nbsp;<o:p></o:p><=
/span></p>=0A<p style=3D"margin:0cm"><span style=3D"font-size: 10.0pt;font-=
family: &quot;Arial&quot;,sans-serif;color: black">One of the agenda items =
for IETF 113 is the device authorization grant flow (aka device code flow),=
 scheduled for Thursday 24 March 2022.=E2=80=AF Before the meeting, I=0A wa=
nted to share a bit more information for those interested in the topic and =
also give those who are unable to attend in person an opportunity to partic=
ipate in the conversation.&nbsp;<o:p></o:p></span></p>=0A<p style=3D"margin=
:0cm"><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-=
serif;color: black">&nbsp;<o:p></o:p></span></p>=0A<p style=3D"margin:0cm">=
<span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;=
color: black">The=0A<a href=3D"https://nam06.safelinks.protection.outlook.c=
om/?url=3Dhttps%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8628&amp;dat=
a=3D04%7C01%7Cpieter.kasselman%40microsoft.com%7C6a66422ca9354a8c5d8708da0d=
351f77%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637836819085440431%7CUn=
known%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJ=
XVCI6Mn0%3D%7C3000&amp;sdata=3DBuCofd8KVdLqaU3XcTuNURAq9GXfMn3192mH2psAtVc%=
3D&amp;reserved=3D0">=0ADevice Authorization Grant Flow (RFC 8682)</a></spa=
n><span style=3D"font-size: 10.5pt;font-family: &quot;Arial&quot;,sans-seri=
f;color: black"> s</span><span style=3D"font-size: 10.0pt;font-family: &quo=
t;Arial&quot;,sans-serif;color: black">olves an important problem by enabli=
ng authorization=0A flows on devices that are unable to support a browsers =
or have limited input capabilities. However, looking back over the past 18-=
24 months, there have been a number of practical exploits published that us=
e social engineering techniques applied to the device=0A authorization gran=
t flow.&nbsp;<o:p></o:p></span></p>=0A<p style=3D"margin:0cm"><span style=
=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: blac=
k">&nbsp;<o:p></o:p></span></p>=0A<p style=3D"margin:0cm"><span style=3D"fo=
nt-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black">The=
 goal of the session at IETF 113 is to discuss the patterns of the exploits=
 that are known and start a conversation on what (if anything) we should do=
, based=0A on what we are learning.&nbsp;<o:p></o:p></span></p>=0A<p style=
=3D"margin:0cm"><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&q=
uot;,sans-serif;color: black">&nbsp;<o:p></o:p></span></p>=0A<p style=3D"ma=
rgin:0cm"><span style=3D"font-size: 10.5pt;font-family: &quot;Arial&quot;,s=
ans-serif;color: black">These exploits follow a general man-in-the-middle (=
MITM) pattern, where the attacker:&nbsp;</span><span style=3D"font-size: 10=
.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black"><o:p></o:p></s=
pan></p>=0A<p style=3D"mso-margin-top-alt:0cm;margin-right:0cm;margin-botto=
m:0cm;margin-left:27.0pt">=0A<span style=3D"font-size: 10.5pt;font-family: =
&quot;Arial&quot;,sans-serif;color: black">&nbsp;</span><span style=3D"font=
-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black"><o:p>=
</o:p></span></p>=0A<ol start=3D"1" type=3D"1">=0A<li class=3D"MsoNormal" s=
tyle=3D"color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-=
list:l2 level1 lfo1;vertical-align:middle">=0A<span style=3D"font-size: 10.=
5pt;font-family: &quot;Segoe UI ,sans-serif&quot;,serif">Initiates the Devi=
ce Authorization Grant flow on a device under their control,&nbsp;</span><s=
pan style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif"><=
o:p></o:p></span></li><li class=3D"MsoNormal" style=3D"color:black;mso-marg=
in-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo1;vertical=
-align:middle">=0A<span style=3D"font-size: 10.5pt;font-family: &quot;Segoe=
 UI ,sans-serif&quot;,serif">Presents the user code in a context that the e=
nd-user is likely to act on (using social engineering techniques), and&nbsp=
;</span><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,san=
s-serif"><o:p></o:p></span></li><li class=3D"MsoNormal" style=3D"color:blac=
k;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo=
1;vertical-align:middle">=0A<span style=3D"font-size: 10.5pt;font-family: &=
quot;Segoe UI ,sans-serif&quot;,serif">Once the user grants access, retriev=
es the access and refresh tokens and uses them to access the user=E2=80=99s=
 resources.&nbsp;</span><span style=3D"font-size: 10.0pt;font-family: &quot=
;Arial&quot;,sans-serif"><o:p></o:p></span></li></ol>=0A<p style=3D"margin:=
0cm"><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-s=
erif;color: black">&nbsp;<o:p></o:p></span></p>=0A<p style=3D"margin:0cm"><=
span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;c=
olor: black">Some of the exploits are described here for those interested i=
n more detail:&nbsp;<o:p></o:p></span></p>=0A<p style=3D"mso-margin-top-alt=
:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt">=0A<span style=
=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: blac=
k">&nbsp;<o:p></o:p></span></p>=0A<ol start=3D"1" type=3D"1">=0A<li class=
=3D"MsoListParagraph" style=3D"color:black;mso-list:l1 level1 lfo2;vertical=
-align:middle">=0A<span style=3D"font-size: 10.5pt;font-family: &quot;Arial=
&quot;,sans-serif"><a href=3D"https://nam06.safelinks.protection.outlook.co=
m/?url=3Dhttps%3A%2F%2F0xboku.com%2F2021%2F07%2F12%2FArtOfDeviceCodePhish.h=
tml&amp;data=3D04%7C01%7Cpieter.kasselman%40microsoft.com%7C6a66422ca9354a8=
c5d8708da0d351f77%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637836819085=
440431%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6=
Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=3DdSerVO2tbsAoR0daHAJrgIjO7twSK09LJ=
PjfFLcTWIk%3D&amp;reserved=3D0"><span style=3D"font-family:&quot;Segoe UI ,=
sans-serif&quot;,serif">The=0A Art of the Device Code Phish - Boku (0xboku.=
com)</span></a></span><span style=3D"font-size: 10.5pt;font-family: &quot;S=
egoe UI ,sans-serif&quot;,serif">&nbsp;</span><span style=3D"font-size: 10.=
0pt;font-family: &quot;Arial&quot;,sans-serif"><o:p></o:p></span></li><li c=
lass=3D"MsoListParagraph" style=3D"color:black;mso-list:l1 level1 lfo2;vert=
ical-align:middle">=0A<span style=3D"font-size: 10.5pt;font-family: &quot;A=
rial&quot;,sans-serif"><a href=3D"https://nam06.safelinks.protection.outloo=
k.com/?url=3Dhttps%3A%2F%2Fwww.optiv.com%2Finsights%2Fsource-zero%2Fblog%2F=
microsoft-365-oauth-device-code-flow-and-phishing&amp;data=3D04%7C01%7Cpiet=
er.kasselman%40microsoft.com%7C6a66422ca9354a8c5d8708da0d351f77%7C72f988bf8=
6f141af91ab2d7cd011db47%7C1%7C0%7C637836819085440431%7CUnknown%7CTWFpbGZsb3=
d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000=
&amp;sdata=3Dl9GU8kRjvThOBVb64wLCkAH9DRudmC2u2pwDMWM3pWU%3D&amp;reserved=3D=
0"><span style=3D"font-family:&quot;Segoe UI ,sans-serif&quot;,serif">Micro=
soft=0A 365 OAuth Device Code Flow and Phishing | Optiv</span></a></span><s=
pan style=3D"font-size: 10.5pt;font-family: &quot;Segoe UI ,sans-serif&quot=
;,serif">&nbsp;</span><span style=3D"font-size: 10.0pt;font-family: &quot;A=
rial&quot;,sans-serif"><o:p></o:p></span></li></ol>=0A<ol start=3D"2" type=
=3D"1">=0A<ol start=3D"1" type=3D"a">=0A<li class=3D"MsoListParagraph" styl=
e=3D"color:black;mso-list:l4 level2 lfo3;vertical-align:middle">=0A<span st=
yle=3D"font-size: 10.5pt;font-family: &quot;Arial&quot;,sans-serif"><a href=
=3D"https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fgit=
hub.com%2Foptiv%2FMicrosoft365_devicePhish&amp;data=3D04%7C01%7Cpieter.kass=
elman%40microsoft.com%7C6a66422ca9354a8c5d8708da0d351f77%7C72f988bf86f141af=
91ab2d7cd011db47%7C1%7C0%7C637836819085440431%7CUnknown%7CTWFpbGZsb3d8eyJWI=
joiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sd=
ata=3DbvNblUsF8pfDcqP28Dk5FawgIPaA7%2BTIicGoETMtjxk%3D&amp;reserved=3D0"><s=
pan style=3D"font-family:&quot;Segoe UI ,sans-serif&quot;,serif">optiv/Micr=
osoft365_devicePhish:=0A A proof-of-concept script to conduct a phishing at=
tack abusing Microsoft 365 OAuth Authorization Flow (github.com)</span></a>=
</span><span style=3D"font-size: 10.5pt;font-family: &quot;Segoe UI ,sans-s=
erif&quot;,serif">&nbsp;</span><span style=3D"font-size: 10.0pt;font-family=
: &quot;Arial&quot;,sans-serif"><o:p></o:p></span></li></ol>=0A</ol>=0A<ol =
start=3D"3" type=3D"1">=0A<li class=3D"MsoListParagraph" style=3D"color:bla=
ck;mso-list:l3 level1 lfo4;vertical-align:middle">=0A<span style=3D"font-si=
ze: 10.5pt;font-family: &quot;Arial&quot;,sans-serif"><a href=3D"https://na=
m06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fo365blog.com%2Fpo=
st%2Fphishing%2F%23new-phishing-technique-device-code-authentication&amp;da=
ta=3D04%7C01%7Cpieter.kasselman%40microsoft.com%7C6a66422ca9354a8c5d8708da0=
d351f77%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637836819085440431%7CU=
nknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLC=
JXVCI6Mn0%3D%7C3000&amp;sdata=3DeyJKm0cTCHZVeyngiBEt9CbyJ%2Fd16q%2B8SGitHwU=
W9M0%3D&amp;reserved=3D0"><span style=3D"font-family:&quot;Segoe UI ,sans-s=
erif&quot;,serif">Introducing=0A a new phishing technique for compromising =
Office 365 accounts (o365blog.com)</span></a></span><span style=3D"font-siz=
e: 10.5pt;font-family: &quot;Segoe UI ,sans-serif&quot;,serif">&nbsp;</span=
><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif=
"><o:p></o:p></span></li><li class=3D"MsoListParagraph" style=3D"color:blac=
k;mso-list:l3 level1 lfo4;vertical-align:middle">=0A<span style=3D"font-siz=
e: 10.5pt;font-family: &quot;Arial&quot;,sans-serif"><a href=3D"https://nam=
06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fwww.youtube.com%2F=
watch%3Fv%3D9slRYvpKHp4&amp;data=3D04%7C01%7Cpieter.kasselman%40microsoft.c=
om%7C6a66422ca9354a8c5d8708da0d351f77%7C72f988bf86f141af91ab2d7cd011db47%7C=
1%7C0%7C637836819085440431%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQ=
IjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=3DsY%2BPsBP%2Bd=
y4F2L7bOValEbadgXmeG4D4DaKFiZeE6S4%3D&amp;reserved=3D0"><span style=3D"font=
-family:&quot;Segoe UI ,sans-serif&quot;,serif">DEF=0A CON 29 - Jenko Hwong=
 - New Phishing Attacks Exploiting OAuth Authentication Flows - YouTube</sp=
an></a></span><span style=3D"font-size: 10.5pt;font-family: &quot;Segoe UI =
,sans-serif&quot;,serif">&nbsp;</span><span style=3D"font-size: 10.0pt;font=
-family: &quot;Arial&quot;,sans-serif"><o:p></o:p></span></li></ol>=0A<p st=
yle=3D"mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin-lef=
t:27.0pt">=0A<span style=3D"font-size: 10.5pt;font-family: &quot;Arial&quot=
;,sans-serif;color: black">&nbsp;</span><span style=3D"font-size: 10.0pt;fo=
nt-family: &quot;Arial&quot;,sans-serif;color: black"><o:p></o:p></span></p=
>=0A<p style=3D"margin:0cm"><span style=3D"font-size: 10.5pt;font-family: &=
quot;Arial&quot;,sans-serif;color: black">In terms of a response, there are=
 a few options that come to mind (these are not exhaustive, I would love to=
 see what others have in mind as well):&nbsp;</span><span style=3D"font-siz=
e: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black"><o:p></o:=
p></span></p>=0A<p style=3D"mso-margin-top-alt:0cm;margin-right:0cm;margin-=
bottom:0cm;margin-left:27.0pt">=0A<span style=3D"font-size: 10.5pt;font-fam=
ily: &quot;Arial&quot;,sans-serif;color: black">&nbsp;</span><span style=3D=
"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black">=
<o:p></o:p></span></p>=0A<ol start=3D"1" type=3D"A">=0A<li class=3D"MsoNorm=
al" style=3D"color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto=
;mso-list:l0 level1 lfo5;vertical-align:middle">=0A<span style=3D"font-size=
: 10.5pt;font-family: &quot;Segoe UI ,sans-serif&quot;,serif">Do nothing: W=
e can choose to leave everything as is. The downside of this is that the le=
ssons we are learning are not getting disseminated or resulting in reduced =
risks.&nbsp;</span><span style=3D"font-size: 10.0pt;font-family: &quot;Aria=
l&quot;,sans-serif"><o:p></o:p></span></li><li class=3D"MsoNormal" style=3D=
"color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0=
 level1 lfo5;vertical-align:middle">=0A<span style=3D"font-size: 10.5pt;fon=
t-family: &quot;Segoe UI ,sans-serif&quot;,serif">Update the recommendation=
s: We can document the social engineering exploits and recommend some addit=
ional mitigations as well as recommendations in terms of use cases. Althoug=
h these types=0A of "phishing"/social engineering attacks are called out in=
 the security considerations in=0A<a href=3D"https://nam06.safelinks.protec=
tion.outlook.com/?url=3Dhttps%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fr=
fc8628&amp;data=3D04%7C01%7Cpieter.kasselman%40microsoft.com%7C6a66422ca935=
4a8c5d8708da0d351f77%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637836819=
085440431%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBT=
iI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=3DBuCofd8KVdLqaU3XcTuNURAq9GXfMn=
3192mH2psAtVc%3D&amp;reserved=3D0">=0A<span style=3D"font-size: 11.0pt;font=
-family: &quot;Calibri&quot;,sans-serif;background: #E1E3E6">RFC 8628 - OAu=
th 2.0 Device Authorization Grant</span></a>, we can add further mitigation=
s to create greater defence in depth. This will help future implementers an=
d may even=0A be useful for future protocols that rely on a similar cross-d=
evice authentication and authorization flows.&nbsp;</span><span style=3D"fo=
nt-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif"><o:p></o:p></spa=
n></li><li class=3D"MsoNormal" style=3D"color:black;mso-margin-top-alt:auto=
;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo5;vertical-align:middle">=
=0A<span style=3D"font-size: 10.5pt;font-family: &quot;Segoe UI ,sans-serif=
&quot;,serif">Explore alternatives: Develop, adopt, or evolve new protocols=
 that address the scenario while mitigating or avoiding the risks.&nbsp;</s=
pan><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-se=
rif"><o:p></o:p></span></li></ol>=0A<p style=3D"mso-margin-top-alt:0cm;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt">=0A<span style=3D"font-s=
ize: 10.5pt;font-family: &quot;Arial&quot;,sans-serif;color: black">&nbsp;<=
/span><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-=
serif;color: black"><o:p></o:p></span></p>=0A<p style=3D"margin:0cm"><span =
style=3D"font-size: 10.5pt;font-family: &quot;Arial&quot;,sans-serif;color:=
 black">Option A does not do much to improve the state of the art. Option B=
 feels like something we can do now, and we may learn something along the w=
ay that can help inform=0A Option C, which may be much further down the roa=
d and require more research.&nbsp;What other options come to mind?</span><s=
pan style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;co=
lor: black"><o:p></o:p></span></p>=0A<p style=3D"margin:0cm"><span style=3D=
"font-size: 10.5pt;font-family: &quot;Arial&quot;,sans-serif;color: black">=
&nbsp;</span><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot=
;,sans-serif;color: black"><o:p></o:p></span></p>=0A<p style=3D"margin:0cm"=
><span style=3D"font-size: 10.5pt;font-family: &quot;Arial&quot;,sans-serif=
;color: black">I=E2=80=99m looking forward to the conversation and hearing =
what others are thinking about this topic.&nbsp;</span><span style=3D"font-=
size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black"><o:p><=
/o:p></span></p>=0A<p style=3D"margin:0cm"><span style=3D"font-size: 10.5pt=
;font-family: &quot;Arial&quot;,sans-serif;color: black">&nbsp;</span><span=
 style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color=
: black"><o:p></o:p></span></p>=0A<p style=3D"margin:0cm"><span style=3D"fo=
nt-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black">Che=
ers,&nbsp;<o:p></o:p></span></p>=0A<p style=3D"margin:0cm"><span style=3D"f=
ont-size: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black">Pi=
eter&nbsp;<o:p></o:p></span></p>=0A<p class=3D"MsoNormal" style=3D"mso-marg=
in-top-alt:auto;mso-margin-bottom-alt:auto"><span style=3D"font-size: 10.0p=
t;font-family: &quot;Arial&quot;,sans-serif;color: black">&nbsp;<o:p></o:p>=
</span></p>=0A</div>=0A</div>=0A</blockquote>=0A</div>=0A<p class=3D"MsoNor=
mal"><span style=3D"font-size: 10.0pt;font-family: &quot;Arial&quot;,sans-s=
erif;color: black"><br>=0A<br>=0A<o:p></o:p></span></p>=0A<pre><span style=
=3D"color:black">_______________________________________________<o:p></o:p>=
</span></pre>=0A<pre><span style=3D"color:black">OAuth mailing list<o:p></o=
:p></span></pre>=0A<pre><span style=3D"color:black"><a href=3D"mailto:OAuth=
@ietf.org">OAuth@ietf.org</a><o:p></o:p></span></pre>=0A<pre><span style=3D=
"color:black"><a href=3D"https://nam06.safelinks.protection.outlook.com/?ur=
l=3Dhttps%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;data=3D04%7=
C01%7Cpieter.kasselman%40microsoft.com%7C6a66422ca9354a8c5d8708da0d351f77%7=
C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637836819085440431%7CUnknown%7C=
TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=
%3D%7C3000&amp;sdata=3DtyZIO8wpz6XTc1Jf8xKd5LK0xMFHaIeQ24Zih5Uys9U%3D&amp;r=
eserved=3D0">https://www.ietf.org/mailman/listinfo/oauth</a><o:p></o:p></sp=
an></pre>=0A</blockquote>=0A<p class=3D"MsoNormal"><span style=3D"font-size=
: 10.0pt;font-family: &quot;Arial&quot;,sans-serif;color: black"><o:p>&nbsp=
;</o:p></span></p>=0A</div>=0A</blockquote>=0A</div>=0A</div>=0A</div>=0A</=
div></blockquote>=0A                                        =0A            =
                            </div></div>
------=_NextPart_62465436.344968282715--
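The three layers Pieter describes, as an added illustration that is not code from the thread or from any project: an authorization server's handling of the user-code verification step, where the data model, region names, lifetimes and token policy values are all constructed assumptions.

```python
"""Defence-in-depth checks at the authorization server's verification step of
the device authorization grant (RFC 8628): (1) back-end risk decisions,
(2) a more informative consent screen and (3) limiting the damage of a
consent given in error. Added illustration, not code from any project; the
data model, regions, IP addresses and thresholds are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

USER_CODE_LIFETIME = timedelta(minutes=15)   # assumed policy value


@dataclass
class DeviceRequest:
    """What the AS recorded when the device called the device authorization
    endpoint: which client asked, from where, and when."""
    client_id: str
    user_code: str
    scope: str
    requester_ip: str
    requester_region: str   # from IP geolocation; region names are constructed
    issued_at: datetime


@dataclass
class UserContext:
    """What the AS knows about the session in which the user code is entered."""
    region: str
    now: datetime


@dataclass
class Decision:
    action: str                       # "deny", "confirm" or "allow"
    reasons: List[str] = field(default_factory=list)
    consent_notice: str = ""
    token_policy: Dict[str, object] = field(default_factory=dict)


def evaluate(req: DeviceRequest, user: UserContext,
             device_flow_clients: Set[str]) -> Decision:
    """Decide how verification of a user code proceeds."""
    d = Decision(action="allow")
    # (1) Risk decisions the back end can make without asking the user.
    if req.client_id not in device_flow_clients:
        d.action = "deny"
        d.reasons.append("client is not permitted to use the device flow")
        return d
    if user.now - req.issued_at > USER_CODE_LIFETIME:
        d.action = "deny"
        d.reasons.append("user code has expired")
        return d
    if req.requester_region != user.region:
        # Requested in one place, entered in another: the shape of a relayed
        # user code. Do not grant silently; require explicit confirmation.
        d.action = "confirm"
        d.reasons.append(
            f"code requested from {req.requester_region}, entered from {user.region}")
    # (2) Augment the consent screen with where and when the code was first
    # presented, so the user can recognise a code they never asked for.
    d.consent_notice = (
        f"Code {req.user_code} was requested by client '{req.client_id}' from "
        f"{req.requester_region} ({req.requester_ip}) at "
        f"{req.issued_at:%Y-%m-%d %H:%M} UTC for scope '{req.scope}'.")
    # (3) Limit the blast radius of a consent given in error: sender-constrained
    # (DPoP) tokens always; on a context mismatch also a short access token
    # lifetime and no refresh token.
    mismatch = d.action == "confirm"
    d.token_policy = {
        "require_dpop": True,
        "access_token_ttl_seconds": 600 if mismatch else 3600,
        "issue_refresh_token": not mismatch,
    }
    return d


def demo() -> Dict[str, Decision]:
    """Three constructed verification attempts against the same policy."""
    t0 = datetime(2022, 3, 17, 21, 0, tzinfo=timezone.utc)
    allowed = {"tv-app"}
    legit = DeviceRequest("tv-app", "WDJB-MJHT", "mail.read", "203.0.113.7", "Dublin", t0)
    relayed = DeviceRequest("tv-app", "BHWZ-QKRP", "mail.read offline_access",
                            "198.51.100.9", "Sao Paulo", t0)
    soon = UserContext("Dublin", t0 + timedelta(minutes=2))
    late = UserContext("Dublin", t0 + timedelta(minutes=20))
    return {
        "same_region": evaluate(legit, soon, allowed),
        "other_region": evaluate(relayed, soon, allowed),
        "expired": evaluate(legit, late, allowed),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision.action} {decision.reasons} {decision.token_policy}")
        if decision.consent_notice:
            print("   ", decision.consent_notice)
```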


From nobody Thu Mar 24 07:59:24 2022
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5AFD3A0EFC for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 07:59:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level: 
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9yYFL1nW-QRk for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 07:59:19 -0700 (PDT)
Received: from p3plsmtpa09-07.prod.phx3.secureserver.net (p3plsmtpa09-07.prod.phx3.secureserver.net [173.201.193.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C14F3A0EDB for <oauth@ietf.org>; Thu, 24 Mar 2022 07:59:19 -0700 (PDT)
Received: from [192.168.1.6] ([46.10.69.234]) by :SMTPAUTH: with ESMTPSA id XOvlnRsoXAY9KXOvmngItc; Thu, 24 Mar 2022 07:59:19 -0700
X-CMAE-Analysis: v=2.4 cv=KIOfsHJo c=1 sm=1 tr=0 ts=623c8747 a=ioewOLxeXCYqVk13xk3wcA==:117 a=ioewOLxeXCYqVk13xk3wcA==:17 a=XFtpF1UGJD8A:10 a=q0rX5H01Qin5IyBaTmIA:9 a=VluqbRpZCyOUp4xK87sA:9 a=QEXdDO2ut3YA:10 a=fSPGTSgBtm4jsw2BxjUA:9 a=ZVk8-NSrHBgA:10 a=30ssDGKg3p0A:10
X-SECURESERVER-ACCT: vladimir@connect2id.com
Message-ID: <dcb9816e-e886-96b1-f4f4-886739276e5a@connect2id.com>
Date: Thu, 24 Mar 2022 16:58:53 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: "oauth@ietf.org" <oauth@ietf.org>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms020003090607010507000809"
X-CMAE-Envelope: MS4xfMyEfOkgoBh79gFwVPwMJxPwwgI0wYBi3s4HnDD77U/odY995R1JirmQjkqROZIVn+C1CsPb6VzkQK0y7iXmh+5/LQmtf6Lz9s5sGVXnp1jlxOcuxWks SnHUauWvaQWdN54RntvAto6eeTG246QiVo8ptjtpd/oBwbnumlLuIlC/EyY2zzYtOW0gqrcuJ5entQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UwN9JD3R2UJ8J10HcNjp3cYOcyU>
Subject: [OAUTH-WG] draft-bertocci-oauth-step-up-authn-challenge - how can an RS signal re-authenticate user, without concern for ACR?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2022 14:59:23 -0000

This is a cryptographically signed message in MIME format.

--------------ms020003090607010507000809
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Given the suggested protocol for step up (I just watched the talk in 
Vienna, thanks Vittorio & Brian) - how could an RS signal that it simply 
wants the end-user re-authenticated, without being concerned about the ACR?

Vladimir

-- 
Vladimir Dzhuvinov


--------------ms020003090607010507000809
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
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--------------ms020003090607010507000809--


From nobody Thu Mar 24 08:24:23 2022
Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D6613A14EC for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 08:24:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level: 
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1vz1Q2CKYpC7 for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 08:23:58 -0700 (PDT)
Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC3183A12AC for <oauth@ietf.org>; Thu, 24 Mar 2022 08:23:41 -0700 (PDT)
Received: by mail-pl1-x630.google.com with SMTP id n18so5034168plg.5 for <oauth@ietf.org>; Thu, 24 Mar 2022 08:23:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;  h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=3PysvMWh0WW6UTZFJZ43nb3vxH9iX6NmPgo7nZa9EPo=; b=G6+yXxn5RT/TuBxIxFaSyBszWfI1zdxRTzNZq4Q39JcWsX4csZVG+6egA0o/fpqxeq +JTP7tLjjbxSEMJYVMEjY1npvCX48ZjNAUO61qPaT6vq6wUGpUkLa/jDe9ynXi4bLqjV zqo146U+/SP0lNOSIwht+8tx1Ncji4qcrRs0+liRjaPDjQpa8WFbfXmNKfpDYLoOrIIJ Ht2nUV+uXCjKnYDbS0Ld0s1tSNDn4pz45JkzA13Gnq9LRjm65tryNauAQBMGhKmOuXH5 c/zCYPQmDxHRkDo2mRdtJDM5LcfGogDUh9pfc/o1XKYy+3iSxRllt8o92nuvpgz5dkX6 1tDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=3PysvMWh0WW6UTZFJZ43nb3vxH9iX6NmPgo7nZa9EPo=; b=SHyKuM1UFVxZ4a4Nq/chUINxysfeZy9ItRAGOH5iCRqAo8n8RGtaPwXkaLtXhc9M8F qBEHRMf4/8ynO3Nd+3MMuri+NFTa9dHr1Whru7+xZMZrzYhp+UDiz0jxlmYp40ToHY78 YWr3VGqpA7OCvc4anycrMZJPeBOPIa9hHiQfb1ZuXw9SJberBvs3VBQNVepfG00uaqbN 1JDFyZfuKl4PGMYIJBvAQxkpKiSfuOsoZnYsWeKtdMjEw4WjuJBXYH3al7s2TaPnJM6x zrPf3n/ZVe+wQoehZ/cBXOcLeI1mlw1KBWb//hfZTV/nh7Kp3GguZgRfqUQvzjDan2c/ PtDQ==
X-Gm-Message-State: AOAM531aFDaUk64+e7HDF7Xt+aZJpbH4rovkLjLesgGOGxs4L4tiJXqm Gwm96Vqt4FAhG1jwMtcB2AcJoE4DSCSS
X-Google-Smtp-Source: ABdhPJxdIXpZDQ/no43toPUcLfQWAOLSd1AQywMdjgHIA9L9hGc0+2UhgjEoR7Pp/6Y3jjP27EkPSQ==
X-Received: by 2002:a17:902:e9cd:b0:153:f7db:138 with SMTP id 13-20020a170902e9cd00b00153f7db0138mr6463802plk.174.1648135420447;  Thu, 24 Mar 2022 08:23:40 -0700 (PDT)
Received: from smtpclient.apple (dhcp-8901.meeting.ietf.org. [31.133.137.1]) by smtp.gmail.com with ESMTPSA id q6-20020a056a00150600b004fab3b767d0sm3719659pfu.30.2022.03.24.08.23.39 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 24 Mar 2022 08:23:39 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Filip Skokan <panva.ip@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 24 Mar 2022 16:23:36 +0100
Message-Id: <22C726BA-0C25-4D9A-8392-573259E32008@gmail.com>
References: <dcb9816e-e886-96b1-f4f4-886739276e5a@connect2id.com>
Cc: oauth@ietf.org
In-Reply-To: <dcb9816e-e886-96b1-f4f4-886739276e5a@connect2id.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
X-Mailer: iPhone Mail (19E241)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KGKoco2TIzcGft6ts7UAqLGmfAs>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-step-up-authn-challenge - how can an RS signal re-authenticate user, without concern for ACR?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2022 15:24:06 -0000

I believe through the use of max_age.

- Filip

> 24. 3. 2022 at 15:59, Vladimir Dzhuvinov <vladimir@connect2id.com>:
>
> Given the suggested protocol for step up (I just watched the talk in Vienna, thanks Vittorio & Brian) - how could an RS signal that it simply wants the end-user re-authenticated, without being concerned about the ACR?
>
> Vladimir
>
> --
> Vladimir Dzhuvinov
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From nobody Thu Mar 24 16:19:42 2022
Return-Path: <rohan.mahy@wire.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98EB83A0C51 for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 16:19:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level: 
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FN3b_V-9jfRK for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 16:19:18 -0700 (PDT)
Received: from mail-pl1-x634.google.com (mail-pl1-x634.google.com [IPv6:2607:f8b0:4864:20::634]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB0223A0C43 for <oauth@ietf.org>; Thu, 24 Mar 2022 16:19:18 -0700 (PDT)
Received: by mail-pl1-x634.google.com with SMTP id p17so6337106plo.9 for <oauth@ietf.org>; Thu, 24 Mar 2022 16:19:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IUUR0fdTcW/ew9P1hx5CTaj+kVv9iqWkiZISOcD/Q1s=; b=nLl/695CM7968tCR72CV273vOsi8MWx5Sr4dHiLJbicL9F434aJqtCoqn8HqYJnWbF +X9XKMXO7WsxFb5PHxmpNDBOn0pEBlkafVtowQqDJkh/ZJcaTr9hs42UmdWZ5NQEZokZ Lk4FSMbH7XORo0VZk6adm69PgfC7SWzH5Grkii0r5kn0f/1OzzQ+02z2Iwnx2gZY190O aKewaCCv6MDIaFxpdSxl8kShCdevxJvddZvPyV5Z4WIp6IflFdwNtgg6MGFDxj44agSw jpKO+w09seb26VdgZ6Jtn6JZgJEmKyL7PppPj8NFwE/DpR76B834UhCDDvea4uTq+/mF 9X1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IUUR0fdTcW/ew9P1hx5CTaj+kVv9iqWkiZISOcD/Q1s=; b=uq05q+UVceoFqrDV4gRIjpKf2/6SSsmZufV669RcDqwYVWPGm/jBVUfqhxk4f8iKvj wrgw9walzhCm3YLsH0rUQQCmlIeHVicCHoS1Ne/xsNbmiVScnwQZXbAS5/oCmTDC8l4x 3iMPA3S34fM/AyQ9t8gdU2VNxl1oAywapd0XQvL1gTtou65+GhHR5Wf6avo+0gp+9A37 bq9v0AQPhjIrJQUZf9s5fdfnGoLxbquSOJOrcc18Lo7XRc/Z6P6k/W7QCeeLNx8CVNDt hlKUqJv+y1WLyh0EY5m31aSGkkvK8wUGT59dFQcIDuZKJu0XblEY0yRiU5vqtehpqQ0g R18Q==
X-Gm-Message-State: AOAM533f9paZQtvUfolFa6cKblxjJGqm4y/gESqQSYaxTuUnowEOWRI+ B64MDRFZhUhnnLofkSd4Nrb9006uMJA9mNjgmNjI3Q==
X-Google-Smtp-Source: ABdhPJzOVUMCONvQzGjp76+7WeJiwXPA95f57uNq4q3j7j541KIHSHPWpATEJBMH26jViicx36LmyBmyuUaFhRYR370=
X-Received: by 2002:a17:903:2351:b0:154:5ab7:8724 with SMTP id c17-20020a170903235100b001545ab78724mr8433408plh.22.1648163957636; Thu, 24 Mar 2022 16:19:17 -0700 (PDT)
MIME-Version: 1.0
References: <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com> <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com> <CA+k3eCTe_+U-ssCmXhtc9SPGti+xC7wHZbnneef3xQjtR=Dixg@mail.gmail.com> <CACW8--O0Q9tDi0BbCs=BTcAU717-+8sk7qPP3Magopz5P62sOg@mail.gmail.com> <CA+k3eCRdo2p0xrgk8mkoDSxNuWgEO-QnBjaan7OczdzY6OYDXg@mail.gmail.com>
In-Reply-To: <CA+k3eCRdo2p0xrgk8mkoDSxNuWgEO-QnBjaan7OczdzY6OYDXg@mail.gmail.com>
From: Rohan Mahy <rohan.mahy@wire.com>
Date: Thu, 24 Mar 2022 16:19:06 -0700
Message-ID: <CACW8--MScNcpJ4ZpR-L7b4dJBoumAqB2mPNzFgiJisrgzt6_eA@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003a1e5d05daff13f7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cds62g1-im6BcV-DbLPpM4Slahw>
Subject: Re: [OAUTH-WG] Comments on ietf-oauth-dpop
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2022 23:19:25 -0000

--0000000000003a1e5d05daff13f7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Brian,
1) Re: requiring a nonce or an expiration time, I'll propose some specific
text.
Section 4.2
insert after "* iat: Time at which the JWT was created (REQUIRED)."

"The DPoP proof MUST include either one or both of the following:
 * exp: time after which the proof is no longer valid.

* nonce: an Authorization Server-provided nonce as defined in Section 8."

Section 4.3, insert between steps 9 and 10:
"10.  if an exp claim is present, verify that it is in the future and that
the resulting duration is acceptable to the server. A proof which contains
neither an exp claim nor a server-provided nonce is invalid;"

Renumber step 10 -> 11 and 11 -> 12.

2) Regarding linking Figure 5 and Figure 12, perhaps the simplest way to
make this linkage clear would be to move Section 7 and Section 7.1 in front
of Section 5.1, and then show the calculation of the hash:

"In our example, we take the value of the access_token in Figure 5:
   Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU
and calculate the base64 encoding of the SHA256:
   fUHyO2r2Z3DZ53EsNrWBb0xWXoaNy59IiKCAqksmQE "

One specific question which I could not find the answer to is if the token
has been refreshed, is the ath the hash of the original token or the
most-recent token?

Thanks,
-rohan

*Rohan Mahy  *l  Vice President Engineering, Architecture

Chat: @rohan_wire on Wire



Wire <https://wire.com/en/download/> - Secure team messaging.

*Zeta Project Germany GmbH  *l  Rosenthaler Straße 40, 10178 Berlin, Germany

Geschäftsführer/Managing Director: Morten J. Broegger

HRB 149847 beim Handelsregister Charlottenburg, Berlin

VAT-ID DE288748675


On Thu, Mar 24, 2022 at 3:23 AM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:

>
>
> On Wed, Mar 23, 2022 at 5:01 PM Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org> wrote:
>
>> Hi Brian,
>>
>> To be clear, for pre-generated proofs, I am not worried about an attack
>> against the client; I am worried about a malicious client. Imagine a
>> malicious client which pre-generates proofs during a brief window while it
>> has access to a private key stored on the iOS secure enclave, or on a
>> Yubikey, or a non-extractable WebCryptoAPI CryptoKey. The ability to
>> pre-generate proofs with no lifetime effectively makes these
>> non-extractable key protections meaningless for some fixed number of proofs.
>>
>
> Direct usage of everything is also possible during that brief window. Yes,
> a nonce helps protect against usage after the window has closed. But it's
> not a panacea of protection. Which is, again, why it's an option provided
> by the draft to server implementations/deployments that need or want it.
> But not more.
>
>
>
>> If the WG does not want to make server nonces a SHOULD, then I suggest
>> the following:
>> "Server implementations need some protection against arbitrary
>> pre-generation. Servers MUST require all client proofs to contain either a
>> server-provided nonce, or a server-provided explicit expiration time, or
>> both."
>>
>
> I'm not sure what, other than a nonce, a "server-provided explicit
> expiration time" would be in the context of DPoP? Any
> recommendations/requirements the document makes need to be rooted in actual
> existing pieces of the protocol defined by that document.
>
>
>
>> Adding "(on the order of seconds or minutes)" would already be a big
>> improvement to what is in the document.
>>
>
> Will do. Thanks.
>
>
>
>> The linkage between Figure 12 and Figure 13 is clear. I was talking about
>> the linkage between Figure 5 (or the refresh response to Figure 6) and the
>> token hash in Figure 12.
>>
>
> The access token returned in Fig 5 is the same one used in Fig 12. But
> that it's in Fig 5 is not really meaningful to the ath or much else. I'm
> not sure what could be clarified or better linked?
>
>
>
>> Many Thanks,
>> -rohan
>>
>>
>> On Wed, Mar 23, 2022 at 8:17 AM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>>
>>> Thanks Rohan,
>>>
>>> Pre-generating a proof requires the ability to execute code on the
>>> client, which is already a problematic situation where other (arguably
>>> more) serious attacks are possible. Such as driving a whole attack directly
>>> from the client. The draft aims to give servers the option to use a nonce
>>> but not push it too much or overstate its protections.
>>>
>>> The vagueness around lifetimes is somewhat intentional. At one point the
>>> document (maybe aspirationally) had something like 'no more than a few
>>> seconds' but there was some push-back that it was unrealistically short to
>>> accommodate real world client clock skew. I'm not sure the draft can make a
>>> much more concrete recommendation as I think it really is something that
>>> has tradeoffs and will be implementation/deployment specific. Perhaps
>>> something like, "(on the order of seconds or minutes)" could be added as a
>>> qualifier around lifetime leniency? That maybe gives a general idea of what
>>> is acceptable and/or relatively brief without being overly prescriptive.
>>> I'm quite hesitant to say anything more specific.
>>>
>>> An access token and its "ath" hash value are shown as part of the
>>> examples
>>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-12
>>> and
>>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-13
>>> respectively. Perhaps it'd be worthwhile to more explicitly mention the
>>> relationship between the two examples? I think I did the calculations
>>> correctly but anyone double checking that work would be welcome. The
>>> sentence in sec 4.3 step 11 is already pretty darn verbose - probably too
>>> much so. I think breaking it up would probably be a better way to make it
>>> more clear.
>>>
>>> The MIME type registration will be in the next revision
>>> https://mailarchive.ietf.org/arch/msg/oauth/Vj24ZXU4UuG6Rr04U1Cdrz2rx3o/
>>>
>>> I'll work those nits and fix things up as appropriate.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Mar 22, 2022 at 4:24 PM Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org> wrote:
>>>
>>>> Hi,
>>>> Here are some comments on draft-ietf-oauth-dpop-06:
>>>>
>>>> 1) With such a significant attack possible as DPoP proof
>>>> pre-generation, why isn't using the server nonce a SHOULD? Preventing a
>>>> significant attack and making lifetime handling sane are two excellent
>>>> reasons to use a server nonce. If an implementation has a good reason to
>>>> not use a server nonce, we can give guidance about what additional steps
>>>> the implementation needs to take.
>>>>
>>>> 2) The handling of lifetimes of DPoP proofs is vague: "acceptable
>>>> timeframe" (Section 4.3), "relatively brief period" (Section 11.1). Is that
>>>> 1 day, 15 minutes, or 30 seconds?
>>>> The normative text in the two sections seems contradictory.
>>>> I think you need a lifetime parameter if a server nonce isn't included,
>>>> or just pick a number (5 minutes?).
>>>>
>>>> 3) I had a similar thought to Nicolas Mora about including other
>>>> assertions/tokens. There should be a way to chain, include, or reference
>>>> other OAuth assertions and bind them somehow with the DPoP. This will be a
>>>> common and important model.
>>>>
>>>> 4. Right now you describe the access token hash before describing the
>>>> access token itself. I think it would be very useful to show a worked
>>>> example of an access token and then its hash used subsequently. Also
>>>> Section 4.3 step 11 feels like a circular description. Please rewrite more
>>>> verbosely to be clearer:
>>>> Currently:
>>>> "when presented to a protected resource in conjunction with an access
>>>> token, ensure that the value of the ath claim equals the hash of that
>>>> access token and confirm that the public key to which the access token is
>>>> bound matches the public key from the DPoP proof."
>>>>
>>>> 5. Re: IANA registration of the MIME type. TL;DR: Just register
>>>> application/dpop+jwt.
>>>> Long version: The semantics of the thing you want to register is
>>>> application/dpop. The first syntax you are defining is jwt. For example,
>>>> iCalendar has three formats: text/calendar (iCal),
>>>> application/calendar+json (jCal), and application/calendar+xml (xCal).
>>>>
>>>> NITS:
>>>> - Spell out first use of acronyms: JWT, JWK, JWS, TLS, JOSE, PKCE,
>>>> - Add reference to TLS, XSS, Crime/Heartbleed/BREACH/etc., HTTP, JOSE,
>>>> on first use
>>>> - First sentence of Section 2 (Objectives): add a comma (access
>>>> tokens_,_ by binding) to make it clear that "binding a token" is doing the
>>>> preventing instead of the stealing in the sentence.
>>>> - Section 2 para 5: s/XXS/XSS/
>>>> - Maybe mention why you are using ASCII (7-bit) when the charset in the
>>>> examples is UTF-8.
>>>>
>>>> I hope these comments are useful.
>>>> Many thanks,
>>>> -rohan
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s). Any
>>> review, use, distribution or disclosure by others is strictly prohibited.
>>> If you have received this communication in error, please notify the sender
>>> immediately by e-mail and delete the message and any file attachments from
>>> your computer. Thank you.*
>>
>>

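The checks argued over in this thread, as an added example that is not code from the draft or from any of the participants: the short iat window with a clock-skew allowance, Rohan's proposed "exp and/or server nonce" rule, and the ath computation of Section 4.3 step 11 over the token presented in the same request. Function names, window sizes and the fixed clock value are assumptions; running it prints the ath of the Figure 5 access token so Brian's calculation can be double-checked against the draft.

```python
# Added example (not from draft-ietf-oauth-dpop or anyone in this thread):
# claim-level checks a server could apply to a DPoP proof whose signature
# has already been verified. Window sizes and parameter names are assumed.
from __future__ import annotations

import base64
import hashlib
import hmac
import time


def compute_ath(access_token: str) -> str:
    """ath = base64url(SHA-256(ASCII(access_token))) with '=' padding removed.

    A 32-byte digest always yields 43 base64url characters.
    """
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _same(a: str, b: str) -> bool:
    """Constant-time comparison of two claim strings."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_proof_claims(claims: dict, *, access_token: str | None = None,
                       server_nonce: str | None = None, now: int | None = None,
                       max_age: int = 60, skew: int = 5,
                       max_exp_ahead: int = 300) -> tuple[bool, str]:
    """Return (True, 'ok') or (False, reason) for the claims of a DPoP proof.

    All times are in seconds. server_nonce is the nonce the server most
    recently issued (None if it does not use nonces). Signature, typ/alg,
    htm/htu and jti replay checks are assumed to have been done already.
    """
    now = int(time.time()) if now is None else now

    iat = claims.get("iat")
    if not isinstance(iat, int):
        return False, "iat missing or not an integer"
    # "On the order of seconds or minutes": accept proofs created within the
    # last max_age seconds, tolerating client clock skew in both directions.
    if iat > now + skew:
        return False, "iat is in the future"
    if iat < now - max_age - skew:
        return False, "proof too old (iat outside acceptable window)"

    exp = claims.get("exp")
    nonce = claims.get("nonce")
    # Proposed rule from the thread: exp and/or a server-provided nonce is
    # required, so a pre-generated proof cannot have an unbounded lifetime.
    if exp is None and nonce is None:
        return False, "proof has neither exp nor nonce"
    if exp is not None:
        if not isinstance(exp, int):
            return False, "exp is not an integer"
        if exp <= now - skew:
            return False, "proof expired"
        if exp - now > max_exp_ahead:
            return False, "exp too far in the future for this server"

    if server_nonce is not None:
        # A server that issues nonces requires the proof to echo the current one.
        if not isinstance(nonce, str) or not _same(nonce, server_nonce):
            return False, "nonce missing or stale"

    if access_token is not None:
        # At a protected resource the proof is bound to the token presented
        # alongside it: recompute the hash of *that* token and compare.
        ath = claims.get("ath")
        if not isinstance(ath, str):
            return False, "ath missing"
        if not _same(ath, compute_ath(access_token)):
            return False, "ath does not match the presented access token"

    return True, "ok"


if __name__ == "__main__":
    # Access token from Figure 5 of the draft, as quoted in the thread.
    token = "Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU"
    print("ath for the Figure 5 token:", compute_ath(token))

    now = 1_700_000_000  # constructed fixed clock for a reproducible run
    fresh = {"iat": now - 10, "exp": now + 120, "ath": compute_ath(token)}
    print(check_proof_claims(fresh, access_token=token, now=now))
    stale = {"iat": now - 3600, "nonce": "n-0001"}  # constructed old proof
    print(check_proof_claims(stale, server_nonce="n-0001", now=now))
```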
--0000000000003a1e5d05daff13f7
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi Brian,</div><div>1) Re: requiring a nonce or an ex=
piration time, I&#39;ll propose some specific text.=C2=A0 <br></div><div>Se=
ction 4.2</div><div>insert after &quot;*  iat: Time at which the JWT was cr=
eated (REQUIRED).&quot;</div><div><br></div><div>&quot;The DPoP proof MUST =
include either one or both of the following:</div><div>=C2=A0* exp: time af=
ter which the proof is no longer valid.</div><div><br></div><div>* nonce: a=
n Authorization Server-provided nonce as defined in Section 8.&quot;<br></d=
iv><div><br></div><div>Section 4.3, insert between steps 9 and 10:</div><di=
v>&quot;10.=C2=A0 if an exp claim is present, verify that it is in the futu=
re and that the resulting</div><div>duration is acceptable to the server. A=
 proof which contains neither an exp</div><div>claim nor a server-provided =
nonce is invalid;&quot;=C2=A0 <br></div><div><br></div><div>Renumber step 1=
0 -&gt; 11 and 11 -&gt; 12.<br></div><div>=C2=A0</div><div>2) Regarding lin=
king Figure 5 and Figure 12, perhaps the simplest way to make this linkage =
clear would be to move Section 7 and Section 7.1 in front of Section 5.1, a=
nd then show the calculation of the hash:</div><div><br></div><div>&quot;In=
 our example, we take the value of the access_token in Figure 5:<br>=C2=A0=
=C2=A0 Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU<br></div><div>and calcul=
ate the base64 encoding of the SHA256:<br>=C2=A0=C2=A0 fUHyO2r2Z3DZ53EsNrWB=
b0xWXoaNy59IiKCAqksmQE &quot; </div><div><br></div><div>One specific questi=
on which I could not find the answer to is if the token has been refreshed,=
 is the ath the hash of the original token or the most-recent token?</div><=
div><br></div><div>Thanks,</div><div>-rohan<br></div><div><br></div><div><d=
iv><div dir=3D"ltr" class=3D"gmail_signature" data-smartmail=3D"gmail_signa=
ture"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><p class=3D"MsoNor=
mal" style=3D"color:rgb(0,0,0)"><b><span style=3D"font-family:Arial,sans-se=
rif">Rohan Mahy=C2=A0 </span></b><span style=3D"font-family:Arial,sans-seri=
f">l=C2=A0 Vice President Engineering, Architecture<br></span></p><p class=
=3D"MsoNormal" style=3D"color:rgb(0,0,0)">Chat: @rohan_wire on=C2=A0Wire</p=
><span style=3D"color:rgb(80,0,80)"><p class=3D"MsoNormal" style=3D"color:r=
gb(0,0,0)"><span style=3D"font-size:9.5pt">=C2=A0</span><br></p><p class=3D=
"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt"><a h=
ref=3D"https://wire.com/en/download/" target=3D"_blank">Wire</a>=C2=A0- Sec=
ure team messaging.</span></p><p class=3D"MsoNormal" style=3D"color:rgb(0,0=
,0)"><b><span style=3D"font-size:9.5pt;color:rgb(204,204,204)">Zeta Project=
 Germany GmbH=C2=A0=C2=A0</span></b><span style=3D"font-size:9.5pt;color:rg=
b(204,204,204)">l=C2=A0=C2=A0<a href=3D"https://maps.google.com/?q=3DRosent=
haler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&amp;entry=3Dgmail&a=
mp;source=3Dg" target=3D"_blank">Rosenthaler Stra=C3=9Fe 40,=C2=A0</a><a hr=
ef=3D"https://maps.google.com/?q=3DRosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+=
Berlin,%C2%A0+Germany&amp;entry=3Dgmail&amp;source=3Dg" target=3D"_blank">1=
0178 Berlin,=C2=A0</a><a href=3D"https://maps.google.com/?q=3DRosenthaler+S=
tra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&amp;entry=3Dgmail&amp;sour=
ce=3Dg" target=3D"_blank">Germany</a></span><br></p><p class=3D"MsoNormal" =
style=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt"></span></p></spa=
n><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"color:rg=
b(204,204,204);font-size:9.5pt">Gesch=C3=A4ftsf=C3=BChrer/Managing Director=
: Morten J. Broegger=C2=A0</span><br></p><span style=3D"color:rgb(80,0,80)"=
><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"font-size=
:9.5pt"></span></p><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span =
style=3D"font-size:9.5pt;color:rgb(204,204,204)">HRB 149847 beim Handelsreg=
ister Charlottenburg, Berlin</span><span style=3D"font-size:9.5pt"></span><=
/p><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"font-si=
ze:9.5pt;color:rgb(204,204,204)">VAT-ID DE288748675</span></p></span></div>=
</div></div></div></div><br></div></div><br><div class=3D"gmail_quote"><div=
 dir=3D"ltr" class=3D"gmail_attr">On Thu, Mar 24, 2022 at 3:23 AM Brian Cam=
pbell &lt;bcampbell=3D<a href=3D"mailto:40pingidentity.com@dmarc.ietf.org">=
40pingidentity.com@dmarc.ietf.org</a>&gt; wrote:<br></div><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr"><br></di=
v><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On W=
ed, Mar 23, 2022 at 5:01 PM Rohan Mahy &lt;rohan.mahy=3D<a href=3D"mailto:4=
0wire.com@dmarc.ietf.org" target=3D"_blank">40wire.com@dmarc.ietf.org</a>&g=
t; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0p=
x 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div d=
ir=3D"ltr"><div>Hi Brian,</div><div><br></div><div>To be clear, for pre-gen=
erated proofs, I am not worried about an attack against the client; I am wo=
rried about a malicious client. Imagine a malicious client which pre-genera=
tes proofs during a brief window while it has access to a private key store=
d on the iOS secure enclave, or on a Yubikey, or a non-extractable WebCrypt=
oAPI CryptoKey. The ability to pre-generate proofs with no lifetime effecti=
vely makes these non-extractable key protections meaningless for some fixed=
 number of proofs.</div></div></blockquote><div><br></div><div>Direct usage=
 of everything is also possible during that brief window. Yes, a nonce help=
s protect against usage after the window has closed. But it&#39;s not a pan=
acea of protection. Which is, again, why it&#39;s an option provided by the=
 draft to server implementations/deployments that need or want it. But not =
more.</div><div><br></div><div>=C2=A0</div><blockquote class=3D"gmail_quote=
" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);=
padding-left:1ex"><div dir=3D"ltr"><div> If the WG does not want to make se=
rver nonces a SHOULD, then I suggest the following:<br></div><div>&quot;Ser=
ver implementations need some protection against arbitrary pre-generation. =
Servers MUST require all client proofs to contain either a server-provided =
nonce, or a server-provided explicit expiration time, or both.&quot;<br></d=
iv></div></blockquote><div><br></div><div>I&#39;m not sure what, other than=
 a nonce, a &quot;server-provided explicit expiration time&quot; would be i=
n the context of DPoP? Any recommendations/requirements the document makes =
need to be rooted in actual existing pieces of the protocol defined by that=
 document. <br></div><div>=C2=A0</div><div><br></div><blockquote class=3D"g=
mail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204=
,204,204);padding-left:1ex"><div dir=3D"ltr"><div><br></div><div>Adding &qu=
ot;(on the order of seconds or minutes)&quot; would already be a big improv=
ement to what is in the document.=C2=A0</div></div></blockquote><div><br></=
div><div>Will do. Thanks.<br></div><div>=C2=A0</div><div><br></div><blockqu=
ote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px=
 solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div><br></div><=
div>The linkage between Figure 12 and Figure 13 is clear. I was talking abo=
ut the linkage between Figure 5 (or the refresh response to Figure 6) and t=
he token hash in Figure 12.</div></div></blockquote><div><br></div><div>The=
 access token returned in Fig 5 is the same one used in Fig 12. But that it=
&#39;s in Fig 5 is not really meaningful to the ath or much else. I&#39;m n=
ot sure what could be clarified or better linked? <br></div><div><br></div>=
<div><br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0p=
x 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=
=3D"ltr"><div><br></div><div>Many Thanks,</div><div>-rohan<br></div><div><b=
r></div><div><br></div><div><div><div dir=3D"ltr"><div dir=3D"ltr"><div dir=
=3D"ltr"><div dir=3D"ltr"><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"=
><b><span style=3D"font-family:Arial,sans-serif">Rohan Mahy=C2=A0 </span></=
b><span style=3D"font-family:Arial,sans-serif">l=C2=A0 Vice President Engin=
eering, Architecture<br></span></p><p class=3D"MsoNormal" style=3D"color:rg=
b(0,0,0)">Chat: @rohan_wire on=C2=A0Wire</p><span style=3D"color:rgb(80,0,8=
0)"><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"font-s=
ize:9.5pt">=C2=A0</span><br></p><p class=3D"MsoNormal" style=3D"color:rgb(0=
,0,0)"><span style=3D"font-size:9.5pt"><a href=3D"https://wire.com/en/downl=
oad/" target=3D"_blank">Wire</a>=C2=A0- Secure team messaging.</span></p><p=
 class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><b><span style=3D"font-size=
:9.5pt;color:rgb(204,204,204)">Zeta Project Germany GmbH=C2=A0=C2=A0</span>=
</b><span style=3D"font-size:9.5pt;color:rgb(204,204,204)">l=C2=A0=C2=A0<a =
href=3D"https://maps.google.com/?q=3DRosenthaler+Stra%C3%9Fe+40,%C2%A0+1017=
8+Berlin,%C2%A0+Germany&amp;entry=3Dgmail&amp;source=3Dg" target=3D"_blank"=
>Rosenthaler Stra=C3=9Fe 40,=C2=A0</a><a href=3D"https://maps.google.com/?q=
=3DRosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&amp;entry=
=3Dgmail&amp;source=3Dg" target=3D"_blank">10178 Berlin,=C2=A0</a><a href=
=3D"https://maps.google.com/?q=3DRosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Be=
rlin,%C2%A0+Germany&amp;entry=3Dgmail&amp;source=3Dg" target=3D"_blank">Ger=
many</a></span><br></p><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><s=
pan style=3D"font-size:9.5pt"></span></p></span><p class=3D"MsoNormal" styl=
e=3D"color:rgb(0,0,0)"><span style=3D"color:rgb(204,204,204);font-size:9.5p=
t">Gesch=C3=A4ftsf=C3=BChrer/Managing Director: Morten J. Broegger=C2=A0</s=
pan><br></p><span style=3D"color:rgb(80,0,80)"><p class=3D"MsoNormal" style=
=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt"></span></p><p class=
=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt;co=
lor:rgb(204,204,204)">HRB 149847 beim Handelsregister Charlottenburg, Berli=
n</span><span style=3D"font-size:9.5pt"></span></p><p class=3D"MsoNormal" s=
tyle=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt;color:rgb(204,204,=
204)">VAT-ID DE288748675</span></p></span></div></div></div></div></div><br=
></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail=
_attr">On Wed, Mar 23, 2022 at 8:17 AM Brian Campbell &lt;bcampbell=3D<a hr=
ef=3D"mailto:40pingidentity.com@dmarc.ietf.org" target=3D"_blank">40pingide=
ntity.com@dmarc.ietf.org</a>&gt; wrote:<br></div><blockquote class=3D"gmail=
_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204=
,204);padding-left:1ex"><div dir=3D"ltr"><div>Thanks Rohan,</div><div><br><=
/div><div>Pre-generating a proof requires the ability to execute code on th=
e client, which is already a problematic situation where other (arguably mo=
re) serious attacks are possible. Such as driving a whole attack directly f=
rom the client. The draft aims to give servers the option to use a nonce bu=
t not push it too much or overstate its protections. <br></div><div><br></d=
iv><div>The vagueness around lifetimes is somewhat intentional. At one poin=
t the document (maybe aspirationally) had something like &#39;no more than =
a few seconds&#39; but there was some push-back that it was unrealistically=
 short to accommodate real world client clock skew. I&#39;m not sure the dr=
</div></div>

</blockquote></div>
</blockquote></div></div>
</blockquote></div>

--0000000000003a1e5d05daff13f7--


From nobody Fri Mar 25 02:27:07 2022
Return-Path: <bcampbell@pingidentity.com>
MIME-Version: 1.0
References: <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com> <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com> <CA+k3eCTe_+U-ssCmXhtc9SPGti+xC7wHZbnneef3xQjtR=Dixg@mail.gmail.com> <CACW8--O0Q9tDi0BbCs=BTcAU717-+8sk7qPP3Magopz5P62sOg@mail.gmail.com> <CA+k3eCRdo2p0xrgk8mkoDSxNuWgEO-QnBjaan7OczdzY6OYDXg@mail.gmail.com> <CACW8--MScNcpJ4ZpR-L7b4dJBoumAqB2mPNzFgiJisrgzt6_eA@mail.gmail.com>
In-Reply-To: <CACW8--MScNcpJ4ZpR-L7b4dJBoumAqB2mPNzFgiJisrgzt6_eA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 25 Mar 2022 10:26:27 +0100
Message-ID: <CA+k3eCRJta=u63YY_RYvVQKisreAZXxDj1hB7WBv3WLMC10t9Q@mail.gmail.com>
To: Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org>
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000041e01a05db0790f5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/U4-fKWi50DcGlaGtrpo9iPHT7QI>
Subject: Re: [OAUTH-WG] Comments on ietf-oauth-dpop

--00000000000041e01a05db0790f5
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello Rohan,

The ath claim value in the proof is always the hash of the access token
sent in the same request.

A decision was made fairly early on to not use `exp` in the proof but
rather to rely on the proof's `iat` and give the server some discretion
around the window of acceptance.
https://github.com/danielfett/draft-dpop/issues/38 has some of the
discussion around that. There'd need to be a very compelling reason with WG
agreement to change something fundamental like that at this stage in the
document lifecycle. Note also that, in the context of the proof, the `exp`
value would be something that's set by the client. So it wouldn't be a
"server-provided explicit expiration time" that was in the prior suggested
text.

Similarly, reorganizing the document is not to be undertaken lightly
especially at this point.



On Fri, Mar 25, 2022 at 12:19 AM Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org> wrote:

> Hi Brian,
> 1) Re: requiring a nonce or an expiration time, I'll propose some specific
> text.
> Section 4.2
> insert after "* iat: Time at which the JWT was created (REQUIRED)."
>
> "The DPoP proof MUST include either one or both of the following:
>  * exp: time after which the proof is no longer valid.
>
> * nonce: an Authorization Server-provided nonce as defined in Section 8."
>
> Section 4.3, insert between steps 9 and 10:
> "10.  if an exp claim is present, verify that it is in the future and that
> the resulting
> duration is acceptable to the server. A proof which contains neither an exp
> claim nor a server-provided nonce is invalid;"
>
> Renumber step 10 -> 11 and 11 -> 12.
>
> 2) Regarding linking Figure 5 and Figure 12, perhaps the simplest way to
> make this linkage clear would be to move Section 7 and Section 7.1 in front
> of Section 5.1, and then show the calculation of the hash:
>
> "In our example, we take the value of the access_token in Figure 5:
>    Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU
> and calculate the base64 encoding of the SHA256:
>    fUHyO2r2Z3DZ53EsNrWBb0xWXoaNy59IiKCAqksmQE "
>
> One specific question which I could not find the answer to is if the token
> has been refreshed, is the ath the hash of the original token or the
> most-recent token?
>
> Thanks,
> -rohan
>
> *Rohan Mahy  *l  Vice President Engineering, Architecture
>
> Chat: @rohan_wire on Wire
>
>
>
> Wire <https://wire.com/en/download/> - Secure team messaging.
>
> *Zeta Project Germany GmbH  *l  Rosenthaler Straße 40, 10178 Berlin, Germany
>
> Geschäftsführer/Managing Director: Morten J. Broegger
>
> HRB 149847 beim Handelsregister Charlottenburg, Berlin
>
> VAT-ID DE288748675
>
>
> On Thu, Mar 24, 2022 at 3:23 AM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>
>>
>>
>> On Wed, Mar 23, 2022 at 5:01 PM Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org> wrote:
>>
>>> Hi Brian,
>>>
>>> To be clear, for pre-generated proofs, I am not worried about an attack
>>> against the client; I am worried about a malicious client. Imagine a
>>> malicious client which pre-generates proofs during a brief window while it
>>> has access to a private key stored on the iOS secure enclave, or on a
>>> Yubikey, or a non-extractable WebCryptoAPI CryptoKey. The ability to
>>> pre-generate proofs with no lifetime effectively makes these
>>> non-extractable key protections meaningless for some fixed number of proofs.
>>>
>>
>> Direct usage of everything is also possible during that brief window.
>> Yes, a nonce helps protect against usage after the window has closed. But
>> it's not a panacea of protection. Which is, again, why it's an option
>> provided by the draft to server implementations/deployments that need or
>> want it. But not more.
>>
>>
>>
>>> If the WG does not want to make server nonces a SHOULD, then I suggest
>>> the following:
>>> "Server implementations need some protection against arbitrary
>>> pre-generation. Servers MUST require all client proofs to contain either a
>>> server-provided nonce, or a server-provided explicit expiration time, or
>>> both."
>>>
>>
>> I'm not sure what, other than a nonce, a "server-provided explicit
>> expiration time" would be in the context of DPoP? Any
>> recommendations/requirements the document makes need to be rooted in actual
>> existing pieces of the protocol defined by that document.
>>
>>
>>
>>> Adding "(on the order of seconds or minutes)" would already be a big
>>> improvement to what is in the document.
>>>
>>
>> Will do. Thanks.
>>
>>
>>
>>> The linkage between Figure 12 and Figure 13 is clear. I was talking
>>> about the linkage between Figure 5 (or the refresh response to Figure 6)
>>> and the token hash in Figure 12.
>>>
>>
>> The access token returned in Fig 5 is the same one used in Fig 12. But
>> that it's in Fig 5 is not really meaningful to the ath or much else. I'm
>> not sure what could be clarified or better linked?
>>
>>
>>
>>> Many Thanks,
>>> -rohan
>>>
>>>
>>>
>>>
>>> On Wed, Mar 23, 2022 at 8:17 AM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>>>
>>>> Thanks Rohan,
>>>>
>>>> Pre-generating a proof requires the ability to execute code on the
>>>> client, which is already a problematic situation where other (arguably
>>>> more) serious attacks are possible. Such as driving a whole attack directly
>>>> from the client. The draft aims to give servers the option to use a nonce
>>>> but not push it too much or overstate its protections.
>>>>
>>>> The vagueness around lifetimes is somewhat intentional. At one point
>>>> the document (maybe aspirationally) had something like 'no more than a few
>>>> seconds' but there was some push-back that it was unrealistically short to
>>>> accommodate real world client clock skew. I'm not sure the draft can make a
>>>> much more concrete recommendation as I think it really is something that
>>>> has tradeoffs and will be implementation/deployment specific. Perhaps
>>>> something like, "(on the order of seconds or minutes)" could be added as a
>>>> qualifier around lifetime leniency? That maybe gives a general idea of what
>>>> is acceptable and/or relatively brief without being overly prescriptive.
>>>> I'm quite hesitant to say anything more specific.
>>>>
>>>> An access token and its "ath" hash value are shown as part of the
>>>> examples
>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-12
>>>> and
>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-13
>>>> respectively. Perhaps it'd be worthwhile to more explicitly mention the
>>>> relationship between the two examples? I think I did the calculations
>>>> correctly but anyone double checking that work would be welcome. The
>>>> sentence in sec 4.3 step 11 is already pretty darn verbose - probably too
>>>> much so. I think breaking it up would probably be a better way to make it
>>>> more clear.
>>>>
>>>> The MIME type registration will be in the next revision
>>>> https://mailarchive.ietf.org/arch/msg/oauth/Vj24ZXU4UuG6Rr04U1Cdrz2rx3o/
>>>>
>>>> I'll work those nits and fix things up as appropriate.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Mar 22, 2022 at 4:24 PM Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org> wrote:
>>>>
>>>>> Hi,
>>>>> Here are some comments on draft-ietf-oauth-dpop-06:
>>>>>
>>>>> 1) With such a significant attack possible as DPoP proof
>>>>> pre-generation, why isn't using the server nonce a SHOULD? Preventing a
>>>>> significant attack and making lifetime handling sane are two excellent
>>>>> reasons to use a server nonce. If an implementation has a good reason to
>>>>> not use a server nonce, we can give guidance about what additional steps
>>>>> the implementation needs to take.
>>>>>
>>>>> 2) The handling of lifetimes of DPoP proofs is vague: "acceptable
>>>>> timeframe" (Section 4.3), "relatively brief period" (Section 11.1). Is that
>>>>> 1 day, 15 minutes, or 30 seconds?
>>>>> The normative text in the two sections seem contradictory.
>>>>> I think you need a lifetime parameter if a server nonce isn't
>>>>> included, or just pick a number (5 minutes?).
>>>>>
>>>>> 3) I had a similar thought to Nicolas Mora about including other
>>>>> assertions/tokens. There should be a way to chain, include, or reference
>>>>> other OAuth assertions and bind them somehow with the DPoP. This will be a
>>>>> common and important model.
>>>>>
>>>>> 4. Right now you describe the access token hash before describing the
>>>>> access token itself. I think it would be very useful to show a worked
>>>>> example of an access token and then its hash used subsequently. Also
>>>>> Section 4.3 step 11 feels like a circular description. Please rewrite more
>>>>> verbosely to be clearer:
>>>>> Currently:
>>>>> "when presented to a protected resource in conjunction with an access
>>>>> token, ensure that the value of the ath claim equals the hash of that
>>>>> access token and confirm that the public key to which the access token is
>>>>> bound matches the public key from the DPoP proof."
>>>>>
>>>>> 5. Re: IANA registration of the MIME type. TL;DR: Just register
>>>>> application/dpop+jwt.
>>>>> Long version: The semantics of the thing you want to register is
>>>>> application/dpop. The first syntax you are defining is jwt. For example,
>>>>> iCalendar has three formats: text/calendar (iCal),
>>>>> application/calendar+json (jCal), and application/calendar+xml (xCal).
>>>>>
>>>>> NITS:
>>>>> - Spell out first use of acronyms: JWT, JWK, JWS, TLS, JOSE, PKCE,
>>>>> - Add reference to TLS, XSS, Crime/Heartbleed/BREACH/etc., HTTP, JOSE,
>>>>> on first use
>>>>> - First sentence of Section 2 (Objectives): add a comma (access
>>>>> tokens_,_ by binding) to make it clear that "binding a token" is doing the
>>>>> preventing instead of the stealing in the sentence.
>>>>> - Section 2 para 5: s/XXS/XSS/
>>>>> - Maybe mention why you are using ASCII (7-bit) when the charset in
>>>>> the examples is UTF-8.
>>>>>
>>>>> I hope these comments are useful.
>>>>> Many thanks,
>>>>> -rohan
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>
>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>> privileged material for the sole use of the intended recipient(s). Any
>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>> If you have received this communication in error, please notify the sender
>>>> immediately by e-mail and delete the message and any file attachments from
>>>> your computer. Thank you.*
>>>
>>>
>
>

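The ath computation Rohan asks to see worked out, together with the iat-window and server-nonce checks debated in the thread above, as an added example (not code from the DPoP draft or from anyone in the thread). It assumes a simplified Proof record carrying only the iat and nonce claims, and the window sizes and nonce values are constructed; the access token and the 42-character ath are the values quoted in the thread, and because a SHA-256 digest always base64url-encodes to 43 characters, the example also shows that the quoted value cannot be the complete hash.

```python
# Added example (not code from the DPoP draft or from anyone in this thread):
# the two checks the thread keeps returning to, written out so they can be run
# against the values quoted above.  ACCESS_TOKEN and DRAFT06_ATH are the values
# quoted from draft-ietf-oauth-dpop-06 Figures 5 and 12/13; the Proof record,
# the window sizes and the nonce values are constructed here.  JWS signature
# verification, jti replay tracking and htm/htu matching are left out so the
# example stays focused on the ath and on lifetime handling.
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

ACCESS_TOKEN = "Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU"
DRAFT06_ATH = "fUHyO2r2Z3DZ53EsNrWBb0xWXoaNy59IiKCAqksmQE"  # as quoted in the thread


def compute_ath(access_token: str) -> str:
    """ath = base64url, without padding, of SHA-256 over the token's ASCII bytes.

    A 32-byte digest always encodes to exactly 43 characters, so a candidate
    ath of any other length cannot be a complete SHA-256 hash.
    """
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def ath_matches(proof_ath: str, access_token: str) -> bool:
    """Resource-server check (Section 4.3): the ath in the proof must equal the
    hash of the access token presented in the *same* request.  After a refresh
    that is the newly issued token, so a proof built for the old one fails."""
    return hmac.compare_digest(proof_ath, compute_ath(access_token))


@dataclass
class Proof:
    """The DPoP proof claims relevant here (constructed record, not a JWT parser)."""
    iat: int
    nonce: Optional[str] = None


def within_window(proof: Proof, now: int, max_age: int, skew: int) -> bool:
    """Lifetime check keyed on iat, the draft's 'acceptable timeframe': the proof
    is neither older than max_age nor further in the future than the clock skew
    the server tolerates.  max_age is deployment policy; the thread suggests
    'on the order of seconds or minutes'."""
    return (now - max_age) <= proof.iat <= (now + skew)


def server_nonce_ok(proof: Proof, expected: Optional[str]) -> bool:
    """If the server handed out a DPoP-Nonce, the proof must echo it.  This is
    what bounds pre-generated proofs; an iat window alone cannot tell a proof
    minted in advance from one minted for this request."""
    if expected is None:
        return True
    return proof.nonce is not None and hmac.compare_digest(proof.nonce, expected)


def accept_proof(proof: Proof, proof_ath: str, access_token: str, now: int,
                 expected_nonce: Optional[str] = None,
                 max_age: int = 300, skew: int = 30) -> bool:
    """Combined resource-server decision for the checks modelled in this example."""
    return (within_window(proof, now, max_age, skew)
            and server_nonce_ok(proof, expected_nonce)
            and ath_matches(proof_ath, access_token))


if __name__ == "__main__":
    computed = compute_ath(ACCESS_TOKEN)
    print("computed ath:", computed, f"({len(computed)} chars)")
    print("draft-06 ath:", DRAFT06_ATH, f"({len(DRAFT06_ATH)} chars)")
    now = 1_700_000_000                                  # constructed 'current time'
    nonce = "nonce-constructed-for-this-example"         # constructed DPoP-Nonce
    fresh = Proof(iat=now - 10, nonce=nonce)
    stale = Proof(iat=now - 3600, nonce=nonce)
    print("fresh proof accepted:", accept_proof(fresh, computed, ACCESS_TOKEN, now, nonce))
    print("hour-old proof accepted:", accept_proof(stale, computed, ACCESS_TOKEN, now, nonce))
```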

--00000000000041e01a05db0790f5
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div class=3D"gmail_quote"><blockquote class=3D"gmail_quote"><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote"><div dir=3D"ltr"><div class=3D"gmail_quote"><div>Direct usage of every=
thing is also possible during that brief window. Yes, a nonce helps protect=
 against usage after the window has closed. But it&#39;s not a panacea of p=
rotection. Which is, again, why it&#39;s an option provided by the draft to=
 server implementations/deployments that need or want it. But not more.</di=
v><div><br></div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding=
-left:1ex"><div dir=3D"ltr"><div> If the WG does not want to make server no=
nces a SHOULD, then I suggest the following:<br></div><div>&quot;Server imp=
lementations need some protection against arbitrary pre-generation. Servers=
 MUST require all client proofs to contain either a server-provided nonce, =
or a server-provided explicit expiration time, or both.&quot;<br></div></di=
v></blockquote><div><br></div><div>I&#39;m not sure what, other than a nonc=
e, a &quot;server-provided explicit expiration time&quot; would be in the c=
ontext of DPoP? Any recommendations/requirements the document makes need to=
 be rooted in actual existing pieces of the protocol defined by that docume=
nt. <br></div><div>=C2=A0</div><div><br></div><blockquote class=3D"gmail_qu=
ote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,20=
4);padding-left:1ex"><div dir=3D"ltr"><div><br></div><div>Adding &quot;(on =
the order of seconds or minutes)&quot; would already be a big improvement t=
o what is in the document.=C2=A0</div></div></blockquote><div><br></div><di=
v>Will do. Thanks.<br></div><div>=C2=A0</div><div><br></div><blockquote cla=
ss=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div><br></div><div>The=
 linkage between Figure 12 and Figure 13 is clear. I was talking about the =
linkage between Figure 5 (or the refresh response to Figure 6) and the toke=
n hash in Figure 12.</div></div></blockquote><div><br></div><div>The access=
 token returned in Fig 5 is the same one used in Fig 12. But that it&#39;s =
in Fig 5 is not really meaningful to the ath or much else. I&#39;m not sure=
 what could be clarified or better linked? <br></div><div><br></div><div><b=
r></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex=
;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr">=
<div><br></div><div>Many Thanks,</div><div>-rohan<br></div><div><br></div><=
div><br></div></div>=
<br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Wed=
, Mar 23, 2022 at 8:17 AM Brian Campbell &lt;bcampbell=3D<a href=3D"mailto:=
40pingidentity.com@dmarc.ietf.org" target=3D"_blank">40pingidentity.com@dma=
rc.ietf.org</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding=
-left:1ex"><div dir=3D"ltr"><div>Thanks Rohan,</div><div><br></div><div>Pre=
-generating a proof requires the ability to execute code on the client, whi=
ch is already a problematic situation where other (arguably more) serious a=
ttacks are possible. Such as driving a whole attack directly from the clien=
t. The draft aims to give servers the option to use a nonce but not push it=
 too much or overstate its protections. <br></div><div><br></div><div>The v=
agueness around lifetimes is somewhat intentional. At one point the documen=
t (maybe aspirationally) had something like &#39;no more than a few seconds=
&#39; but there was some push-back that it was unrealistically short to acc=
ommodate real world client clock skew. I&#39;m not sure the draft can make =
a much more concrete recommendation as I think it really is something that =
has tradeoffs and will be implementation/deployment specific. Perhaps somet=
hing like, &quot;(on the order of seconds or minutes)&quot; could be added =
as a qualifier around lifetime leniency? That maybe gives a general idea of=
 what is acceptable and/or relatively brief without being overly prescripti=
ve. I&#39;m quite hesitant to say anything more specific. <br></div><div><b=
r></div><div>An access token and its &quot;ath&quot; hash value are shown a=
s part of the examples <a href=3D"https://www.ietf.org/archive/id/draft-iet=
f-oauth-dpop-06.html#figure-12" target=3D"_blank">https://www.ietf.org/arch=
ive/id/draft-ietf-oauth-dpop-06.html#figure-12</a> and <a href=3D"https://w=
ww.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-13" target=3D"_=
blank">https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure=
-13</a> respectively. Perhaps it&#39;d be worthwhile to more explicitly men=
tion the relationship between the two examples? I think I did the calculati=
ons correctly but anyone double checking that work would be welcome. The se=
ntence in sec 4.3 step 11 is already pretty darn verbose - probably too muc=
h so. I think breaking it up would probably be a better way to make it more=
 clear. =C2=A0 <br></div><div><br></div><div>The MIME type registration wil=
l be in the next revision <a href=3D"https://mailarchive.ietf.org/arch/msg/=
oauth/Vj24ZXU4UuG6Rr04U1Cdrz2rx3o/" target=3D"_blank">https://mailarchive.i=
etf.org/arch/msg/oauth/Vj24ZXU4UuG6Rr04U1Cdrz2rx3o/</a></div><div><br></div=
><div>I&#39;ll work those nits and fix things up as appropriate. <br></div>=
<div><br></div><div><br></div><div><br></div><div>=C2=A0<br></div><div><br>=
</div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_=
attr">On Tue, Mar 22, 2022 at 4:24 PM Rohan Mahy &lt;rohan.mahy=3D<a href=
=3D"mailto:40wire.com@dmarc.ietf.org" target=3D"_blank">40wire.com@dmarc.ie=
tf.org</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"m=
argin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left=
:1ex"><div dir=3D"ltr">Hi,<div class=3D"gmail_quote"><div dir=3D"ltr"><div>=
Here are some comments on draft-ietf-oauth-dpop-06:<br></div><div><br></div=
>1) With such a significant attack possible as DPoP proof pre-generation, w=
hy isn&#39;t using the server nonce a SHOULD? Preventing a significant atta=
ck and making lifetime handling sane are two excellent reasons to use a ser=
ver nonce. If an implementation has a good reason to not use a server nonce=
, we can give guidance about what additional steps the implementation needs=
 to take. <br><div><br></div><div>2) The handling of lifetimes of DPoP proo=
fs is vague: &quot;acceptable timeframe&quot; (Section 4.3), &quot;relative=
ly brief period&quot; (Section 11.1). Is that 1 day, 15 minutes, or 30 seco=
nds? <br></div><div>The normative text in the two sections seems contradict=
or=
y. <br></div><div>I think you need a lifetime parameter if a server nonce i=
sn&#39;t included, or just pick a number (5 minutes?).<br></div><div><br></=
div><div>3) I had a similar thought to Nicolas Mora about including other a=
ssertions/tokens. There should be a way to chain, include, or reference oth=
er OAuth assertions and bind them somehow with the DPoP. This will be a com=
mon and important model.<br></div><div><br></div><div>4) Right now you desc=
ribe the access token hash before describing the=20
access token itself. I think it would be very useful to show a worked e=
xample of an access token and then its hash used subsequently. Also Section=
 4.3 step=20
11 feels like a circular description. Please rewrite more verbosely to=20
be clearer:</div><div>Currently:<br></div><div>&quot;when presented to a pr=
otected resource in conjunction=20
with an access token, ensure that the value of the ath claim equals the=20
hash of that access token and confirm that the public key to which the=20
access token is bound matches the public key from the DPoP proof.&quot;</di=
v><div><br></div><div>5) Re: IANA registration of the MIME type. TL;DR: Jus=
t register application/dpop+jwt.<br>Long version: The semantics of the thin=
g you want to register is application/dpop. The first syntax you are defini=
ng is jwt. For example, iCalendar has three formats: text/calendar (iCal), =
application/calendar+json (jCal), and application/calendar+xml (xCal).<br><=
/div><div><br></div><div>NITS:</div><div>- Spell out first use of acronyms:=
 JWT, JWK, JWS, TLS, JOSE, PKCE, <br></div><div>- Add reference to TLS, XSS=
, CRIME/Heartbleed/BREACH/etc., HTTP, JOSE, on first use<br></div><div>- F=
irst sentence of Section 2 (Objectives): add a comma (access tokens_,_ by b=
inding) to make it clear that &quot;binding a token&quot; is doing the prev=
enting instead of the stealing in the sentence.</div><div>- Section 2 para =
5: s/XXS/XSS/</div><div>- Maybe mention why you are using ASCII (7-bit) whe=
n the charset in the examples is UTF-8.</div><div><br></div><div>I hope the=
se comments are useful.<br></div><div>Many thanks,</div><div>-rohan<br></di=
v><div><br></div><div><br></div></div>
</div></div>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div>

<br>
<i style=3D"margin:0px;padding:0px;border:0px none;outline:currentcolor non=
e 0px;vertical-align:baseline;background:rgb(255,255,255) none repeat scrol=
l 0% 0%;font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,=
&quot;Segoe UI&quot;,Roboto,Oxygen-Sans,Ubuntu,Cantarell,&quot;Helvetica Ne=
ue&quot;,Arial,sans-serif;color:rgb(85,85,85)"><span style=3D"margin:0px;pa=
dding:0px;border:0px none;outline:currentcolor none 0px;vertical-align:base=
line;background:transparent none repeat scroll 0% 0%;font-family:proxima-no=
va-zendesk,system-ui,-apple-system,BlinkMacSystemFont,&quot;Segoe UI&quot;,=
Roboto,Oxygen-Sans,Ubuntu,Cantarell,&quot;Helvetica Neue&quot;,Arial,sans-s=
erif;font-weight:600"><font size=3D"2">CONFIDENTIALITY NOTICE: This email m=
ay contain confidential and privileged material for the sole use of the int=
ended recipient(s). Any review, use, distribution or disclosure by others i=
s strictly prohibited.=C2=A0 If you have received this communication in err=
or, please notify the sender immediately by e-mail and delete the message a=
nd any file attachments from your computer. Thank you.</font></span></i></b=
lockquote></div>
</blockquote></div></div>

</blockquote></div>
</blockquote></div>

--00000000000041e01a05db0790f5--
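The checks the thread above goes back and forth on (the "ath" hash of the access token, the "acceptable timeframe" for a proof, the optional server nonce, and the key binding in Section 4.3 step 11) put together as one resource-server validation routine. This is an added example written for this archive, not code from draft-ietf-oauth-dpop or any of its authors. It assumes the proof's JWS signature has already been verified against the key in its own "jwk" header by a JOSE library, so only the claim-level checks are shown; the DPoPValidator class, its parameter names, the exact-match "htu" comparison, and every token, key, nonce and URI value are constructed for the example and are not the draft's figures. The demo() scenarios make the pre-generation point concrete from the defender's side: a proof minted an hour ago is rejected by the lifetime window alone, but one minted ten seconds ago sits inside any realistic window and is only excluded when the server requires a nonce it handed out after that moment.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def access_token_hash(access_token: str) -> str:
    """The "ath" claim: base64url(SHA-256(ASCII bytes of the access token))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of a public JWK; the access token carries it as cnf.jkt."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk.get(k) for k in required[jwk["kty"]]}  # a missing member just mismatches
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


class DPoPValidator:
    """Claim checks a protected resource runs on a DPoP proof whose JWS signature
    was already verified; max_age_s is the "acceptable timeframe" for iat."""

    def __init__(self, max_age_s=120, clock_skew_s=30, require_nonce=False):
        self.max_age_s, self.clock_skew_s = max_age_s, clock_skew_s
        self.require_nonce = require_nonce  # server-provided nonce option
        self.valid_nonces = set()           # nonces this server currently accepts
        self.seen_jti = {}                  # jti -> time after which it is forgotten

    def validate(self, header, payload, method, uri, access_token,
                 token_cnf_jkt, now=None):
        """Return (True, "ok") or (False, reason)."""
        now = time.time() if now is None else now
        self.seen_jti = {j: t for j, t in self.seen_jti.items() if t > now}
        if header.get("typ") != "dpop+jwt":
            return False, "typ is not dpop+jwt"
        alg = str(header.get("alg", ""))
        if alg in ("", "none") or alg.startswith("HS"):
            return False, "alg must be an asymmetric JWS algorithm"
        jwk = header.get("jwk")
        if not isinstance(jwk, dict) or "d" in jwk or jwk.get("kty") not in ("EC", "RSA"):
            return False, "jwk header missing, private, or of an unsupported key type"
        if payload.get("htm") != method or payload.get("htu") != uri:
            return False, "htm/htu do not match the request"
        iat = payload.get("iat")
        if not isinstance(iat, (int, float)) or iat > now + self.clock_skew_s:
            return False, "iat missing or in the future"
        if now - iat > self.max_age_s + self.clock_skew_s:
            return False, "proof is older than the acceptable timeframe"
        if self.require_nonce and payload.get("nonce") not in self.valid_nonces:
            return False, "use_dpop_nonce"  # the reply carries a fresh nonce to retry with
        expected_ath = access_token_hash(access_token).encode()
        if not hmac.compare_digest(str(payload.get("ath", "")).encode(), expected_ath):
            return False, "ath does not match the presented access token"
        if not hmac.compare_digest(jwk_thumbprint(jwk).encode(), str(token_cnf_jkt).encode()):
            return False, "proof key is not the key the token is bound to"
        jti = payload.get("jti")
        if not jti or jti in self.seen_jti:
            return False, "jti missing or already used"
        self.seen_jti[jti] = now + self.max_age_s + self.clock_skew_s
        return True, "ok"


# Constructed sample values, not the draft's figures; the EC coordinates are placeholders.
SAMPLE_TOKEN = "sample-access-token-not-from-the-draft"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
SAMPLE_JKT = jwk_thumbprint(SAMPLE_JWK)  # what the AS would put in the token's cnf.jkt
SAMPLE_URI = "https://rs.example/protected"


def sample_proof(iat, nonce=None):
    """Header and payload of a well-formed proof for SAMPLE_TOKEN issued at iat."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
    payload = {"jti": "constructed-jti-0001", "htm": "GET", "htu": SAMPLE_URI,
               "iat": int(iat), "ath": access_token_hash(SAMPLE_TOKEN)}
    if nonce is not None:
        payload["nonce"] = nonce
    return header, payload


def demo(now=1_700_000_000):
    """Run the scenarios from the thread; returns name -> (accepted, reason)."""
    r, args = {}, ("GET", SAMPLE_URI, SAMPLE_TOKEN, SAMPLE_JKT)
    rs = DPoPValidator(max_age_s=120, clock_skew_s=30)
    r["fresh"] = rs.validate(*sample_proof(now), *args, now)
    r["replay"] = rs.validate(*sample_proof(now), *args, now + 5)    # same jti again
    r["stale"] = rs.validate(*sample_proof(now - 3600), *args, now)  # window alone rejects
    # Pre-generated 10 s earlier: inside the window, so only a nonce handed out since can exclude it.
    strict = DPoPValidator(max_age_s=120, clock_skew_s=30, require_nonce=True)
    strict.valid_nonces.add("nonce-issued-by-rs")
    r["no_nonce"] = strict.validate(*sample_proof(now - 10), *args, now)
    r["with_nonce"] = strict.validate(*sample_proof(now - 10, "nonce-issued-by-rs"), *args, now)
    return r
```

Calling demo() returns the five outcomes; the order of checks is the one a server should keep, because the cheap structural and time checks reject a stale or malformed proof before any hashing is done, and the jti is only recorded once everything else has passed, so a rejected proof cannot poison the replay cache.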


From nobody Fri Mar 25 02:38:57 2022
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BB8E3A02BC; Fri, 25 Mar 2022 02:38:55 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.46.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: oauth@ietf.org
Message-ID: <164820113545.30530.9923136490762320454@ietfa.amsl.com>
Date: Fri, 25 Mar 2022 02:38:55 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IWHg3JhnVha23Gr8RryZnXkbmQQ>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-07.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2022 09:38:56 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
        Authors         : Daniel Fett
                          Brian Campbell
                          John Bradley
                          Torsten Lodderstedt
                          Michael Jones
                          David Waite
        Filename        : draft-ietf-oauth-dpop-07.txt
        Pages           : 42
        Date            : 2022-03-25

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-07.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-07


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts



From nobody Fri Mar 25 03:00:43 2022
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 249FB3A07CE for <oauth@ietfa.amsl.com>; Fri, 25 Mar 2022 03:00:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level: 
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9CjIo9XT-6cx for <oauth@ietfa.amsl.com>; Fri, 25 Mar 2022 03:00:34 -0700 (PDT)
Received: from mail-oi1-x22f.google.com (mail-oi1-x22f.google.com [IPv6:2607:f8b0:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7630C3A07C0 for <oauth@ietf.org>; Fri, 25 Mar 2022 03:00:34 -0700 (PDT)
Received: by mail-oi1-x22f.google.com with SMTP id r8so7627775oib.5 for <oauth@ietf.org>; Fri, 25 Mar 2022 03:00:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=8iJUKMj81VTk7S2f1Y/yC2Vn4LDzlHay0vNAyzzJ+Xw=; b=Fn2JdJtIUutPkbupdoT7NGU/xnh19UoDgfstVRYO3DyaJauFzIauXb0bACq0zwXPXp pqSmwps1RPzj25QL5FCwZY9NoOQH3obMpyp/lKCgtNJ4BocFO+k6dLM9aQ7ih8mBqijv DAtbAAWyb0TGL1Ftc5t5i2oClpR6U6ZGbjkv6a/jGH6iC/LgT99QdXZAta5jI7JLHjwd OfGb6M4XrdPqfi2P4pWf1JNph6rXLLN77QVSDuWNcu+ASuXbBXr1RHkoIxd5vScUE8m9 aFvLuYdgAArbzPlSFpSSOrCq11HWx+Bgk957Fj3oGLH+wPGF78B3MDHEgyEatK9d+UfY L5AA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=8iJUKMj81VTk7S2f1Y/yC2Vn4LDzlHay0vNAyzzJ+Xw=; b=pjSIeF7ztG1ZoBwxwPIS8dKKf8EWO7UMxUZWciqKssn48qhAl9mZ6Wj5gVkb9mv1bg t7j/CVgaWg0j2pi1+ywWhJFjXprmxImkIvRiM5mlBy8u0ikDMJkE1z80N9vX6djno5iw aQGyrUOzEhFKmcxax1oxoChzmHuUwyThtxJR+E7dnzsmuka8ve6xNxqrtzuShz7POCiI 3SxU2s5XMlGnYey6nZ7Trgnk+78n5ZdxO9dT8NeNq5nP3i0JzjJHGLrnNtw09C4aB+Fm YW2Q/E4bhXTZJmxtvUH2cUa6Cax9c+9ZHx0JOapz6jzgZPllCxNLvdK00TXOW3KdprGV 6fYw==
X-Gm-Message-State: AOAM532KWVMppz3Co5rUa+/MZgLP0l2RmX1p9qWqQS9uALyDHrwxVoag CQzPxoypgEgDyCqmPfn3PQGdbmXRWioY8wUB5HJJSkHHcOy1tpc7sO1o05oDHOES8hkbEJAZSSc 9JLVoi+AgLBKyO1/KV5lt4n1/
X-Google-Smtp-Source: ABdhPJyBGLekdg3L+YU4ELbT/NSj3G+oRasSqM1cx02aMLppg79yXcIM1yn4RWHTKbaM7dVp2VWOdgbEBTNHphN1KNk=
X-Received: by 2002:a05:6808:58:b0:2ee:f54e:65fe with SMTP id v24-20020a056808005800b002eef54e65femr4770728oic.52.1648202433151; Fri, 25 Mar 2022 03:00:33 -0700 (PDT)
MIME-Version: 1.0
References: <164820113545.30530.9923136490762320454@ietfa.amsl.com>
In-Reply-To: <164820113545.30530.9923136490762320454@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 25 Mar 2022 11:00:05 +0100
Message-ID: <CA+k3eCRYn5H8Uvg8F40OsfUTgCEVnUPZqkN9Ok0G1PrMS4NoVw@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008be14305db0808c3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rS4SySjWnyup7RAUYm52jkfo_RI>
Subject: [OAUTH-WG] Fwd:  I-D Action: draft-ietf-oauth-dpop-07.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2022 10:00:39 -0000

--0000000000008be14305db0808c3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Rifaat, Hannes, and WG,

This -07 draft adds the text to request registration of the
application/dpop+jwt media type and incorporates some editorial changes
aimed at addressing recent feedback/questions.

As discussed at the first OAuth session at IETF 113 on March 21, this
update gets the draft ready for working group last call. As such, I'd
respectfully request that the chairs start WGLC.

Thanks,


---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Fri, Mar 25, 2022 at 10:39 AM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-07.txt
To: <i-d-announce@ietf.org>
Cc: <oauth@ietf.org>



A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : OAuth 2.0 Demonstrating Proof-of-Possession at
the Application Layer (DPoP)
        Authors         : Daniel Fett
                          Brian Campbell
                          John Bradley
                          Torsten Lodderstedt
                          Michael Jones
                          David Waite
        Filename        : draft-ietf-oauth-dpop-07.txt
        Pages           : 42
        Date            : 2022-03-25

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-07.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-dpop-07


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--0000000000008be14305db0808c3--


From nobody Fri Mar 25 03:06:41 2022
Return-Path: <rohan.mahy@wire.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 450DB3A0D9E for <oauth@ietfa.amsl.com>; Fri, 25 Mar 2022 03:06:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level: 
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XF5EYyvAHyew for <oauth@ietfa.amsl.com>; Fri, 25 Mar 2022 03:06:24 -0700 (PDT)
Received: from mail-pj1-x102d.google.com (mail-pj1-x102d.google.com [IPv6:2607:f8b0:4864:20::102d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 457813A0EB2 for <oauth@ietf.org>; Fri, 25 Mar 2022 03:06:19 -0700 (PDT)
Received: by mail-pj1-x102d.google.com with SMTP id o68-20020a17090a0a4a00b001c686a48263so7034604pjo.1 for <oauth@ietf.org>; Fri, 25 Mar 2022 03:06:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fak4Y2yRaAuzEmSXbJgBWnEU6GszqUwvTr3Ib25HAW0=; b=G8hThMSkZJdtBFeFzE3vXnMmt9qYr5priUMIB+2Mb3GgFYRT/UMHRvh15jHFTlFZvh EtOep4j9edGzilcDFI1L+ojNqIjPqMbnYuEoVeL8DUoZGthQBhzKYkwbSRg7QGtyJuz6 IRiz6+RM5OD943+4kMPV2f7kD0ywjskIECd0jt7uMuRqDt/ar0Yx56enu54nvdQGH4H7 eNv87FZLcaEP1fV7ICfgdEjfgX5iCPCxo6uvZnHud+XFUx43raXx0Rs2wSVeCpSGsuA2 J4MPm+5BsuPrJBANiMPml1AJVbQEzh6cuZ553HQhBu4f4lLZGbdD8lQDJ22hlpAgPW4J JsmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fak4Y2yRaAuzEmSXbJgBWnEU6GszqUwvTr3Ib25HAW0=; b=h+Xy47m8fGnssh1LAj9H/+WbjOcX0o2TGn5TwSPAtDK3PDr90n+s0MYAGKNN+bnwRW vub9dVUAOMSM+Tbc53GmxB2+iJY6zunbILz0z0aYhDecH3DwNtP8m2VkQuKWPmRbngop mDlgcyn3thayy2pt9HnSlBLDthKnlEnDkrHI3ICmrxIs4F1EG5e6wod1L8MI3yPo/9jt tQxxXliB4r/ePXAVb4qVQf0pLNNqLr7tPnzuApCUz81cVQeul2K+YHtPqDE4CRbgb+RH kKU/BhSLxqnLOGCL2gHs3NBCHc3CIov0OxDoILdcLmXUL5/jItUP1OBFIOomE7b05itL tJ9A==
X-Gm-Message-State: AOAM531icfOitROZP0KiRC+s+fFnfAZzxYHx0JXFbyYvzlMNQEy7vxA2 uKck/hBkYUu5QCb9pW0omAjo/yOrLLXw1rXJ2S6REMbpGmZPICZX
X-Google-Smtp-Source: ABdhPJzGHhPXGiOIvUZ/M8zMGpzzeJ+gXWHa6zpRlU57Zw/t03nV3JLqXFRSsmmLHiA1n4vaP8p6zb2J9s4VDeCza9k=
X-Received: by 2002:a17:90b:4b42:b0:1c7:3f6a:5d97 with SMTP id mi2-20020a17090b4b4200b001c73f6a5d97mr11588320pjb.27.1648202778012; Fri, 25 Mar 2022 03:06:18 -0700 (PDT)
MIME-Version: 1.0
References: <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com> <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com> <CA+k3eCTe_+U-ssCmXhtc9SPGti+xC7wHZbnneef3xQjtR=Dixg@mail.gmail.com> <CACW8--O0Q9tDi0BbCs=BTcAU717-+8sk7qPP3Magopz5P62sOg@mail.gmail.com> <CA+k3eCRdo2p0xrgk8mkoDSxNuWgEO-QnBjaan7OczdzY6OYDXg@mail.gmail.com> <CACW8--MScNcpJ4ZpR-L7b4dJBoumAqB2mPNzFgiJisrgzt6_eA@mail.gmail.com> <CA+k3eCRJta=u63YY_RYvVQKisreAZXxDj1hB7WBv3WLMC10t9Q@mail.gmail.com>
In-Reply-To: <CA+k3eCRJta=u63YY_RYvVQKisreAZXxDj1hB7WBv3WLMC10t9Q@mail.gmail.com>
From: Rohan Mahy <rohan.mahy@wire.com>
Date: Fri, 25 Mar 2022 03:06:06 -0700
Message-ID: <CACW8--NR-sNsnohGtGU3JQXaqxwL8etxk3Ue6DYWxKMqu6crRQ@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001a061705db081da1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/k13t_e9nlNtqSNgLvS3zpizYATc>
Subject: Re: [OAUTH-WG] Comments on ietf-oauth-dpop
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2022 10:06:38 -0000

--0000000000001a061705db081da1
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,
Sorry, I meant to type server-provided nonce or *server-validated*
expiration.

Thank you for the pointer to the discussion about exp. Skimming the
comments, the discussion seems oriented at what would be easy for the
client, rather than a balance of implementable for both client and server.
I will raise my concern that requiring the server to remember iat values
for an ambiguous period of time is a security concern (resource
exhaustion/DoS). I don't think this is wise, but if you still want to allow
no server-nonce, and no exp, please include this attack in the security
considerations.

Thanks,
-rohan

*Rohan Mahy  *l  Vice President Engineering, Architecture

Chat: @rohan_wire on Wire

Wire <https://wire.com/en/download/> - Secure team messaging.

*Zeta Project Germany GmbH  *l  Rosenthaler Straße 40, 10178 Berlin, Germany

Geschäftsführer/Managing Director: Morten J. Broegger

HRB 149847 at the Charlottenburg Commercial Register, Berlin

VAT-ID DE288748675


On Fri, Mar 25, 2022 at 2:27 AM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:

> Hello Rohan,
>
> The ath claim value in the proof is always the hash of the access token
> sent in the same request.
>
> A decision was made fairly early on to not use `exp` in the proof but
> rather to rely on the proof's `iat` and give the server some discretion
> around the window of acceptance.
> https://github.com/danielfett/draft-dpop/issues/38 has some of the
> discussion around that. There'd need to be a very compelling reason with WG
> agreement to change something fundamental like that at this stage in the
> document lifecycle. Note also that, in the context of the proof, the `exp`
> value would be something that's set by the client. So it wouldn't be a
> "server-provided explicit expiration time" that was in the prior suggested
> text.
>
> Similarly, reorganizing the document is not to be undertaken lightly
> especially at this point.
>
>
>
> On Fri, Mar 25, 2022 at 12:19 AM Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org> wrote:
>
>> Hi Brian,
>> 1) Re: requiring a nonce or an expiration time, I'll propose some
>> specific text.
>> Section 4.2
>> insert after "* iat: Time at which the JWT was created (REQUIRED)."
>>
>> "The DPoP proof MUST include either one or both of the following:
>>  * exp: time after which the proof is no longer valid.
>>
>> * nonce: an Authorization Server-provided nonce as defined in Section 8."
>>
>> Section 4.3, insert between steps 9 and 10:
>> "10.  if an exp claim is present, verify that it is in the future and
>> that the resulting
>> duration is acceptable to the server. A proof which contains neither an
>> exp
>> claim nor a server-provided nonce is invalid;"
>>
>> Renumber step 10 -> 11 and 11 -> 12.
>>
>> 2) Regarding linking Figure 5 and Figure 12, perhaps the simplest way to
>> make this linkage clear would be to move Section 7 and Section 7.1 in front
>> of Section 5.1, and then show the calculation of the hash:
>>
>> "In our example, we take the value of the access_token in Figure 5:
>>    Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU
>> and calculate the base64 encoding of the SHA256:
>>    fUHyO2r2Z3DZ53EsNrWBb0xWXoaNy59IiKCAqksmQE "
>>
>> One specific question which I could not find the answer to is if the
>> token has been refreshed, is the ath the hash of the original token or the
>> most-recent token?
>>
>> Thanks,
>> -rohan
>>
>>
>>
>> On Thu, Mar 24, 2022 at 3:23 AM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>>
>>>
>>>
>>> On Wed, Mar 23, 2022 at 5:01 PM Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org> wrote:
>>>
>>>> Hi Brian,
>>>>
>>>> To be clear, for pre-generated proofs, I am not worried about an attack
>>>> against the client; I am worried about a malicious client. Imagine a
>>>> malicious client which pre-generates proofs during a brief window while it
>>>> has access to a private key stored on the iOS secure enclave, or on a
>>>> Yubikey, or a non-extractable WebCryptoAPI CryptoKey. The ability to
>>>> pre-generate proofs with no lifetime effectively makes these
>>>> non-extractable key protections meaningless for some fixed number of proofs.
>>>>
>>>
>>> Direct usage of everything is also possible during that brief window.
>>> Yes, a nonce helps protect against usage after the window has closed. But
>>> it's not a panacea of protection. Which is, again, why it's an option
>>> provided by the draft to server implementations/deployments that need or
>>> want it. But not more.
>>>
>>>
>>>
>>>> If the WG does not want to make server nonces a SHOULD, then I suggest
>>>> the following:
>>>> "Server implementations need some protection against arbitrary
>>>> pre-generation. Servers MUST require all client proofs to contain either a
>>>> server-provided nonce, or a server-provided explicit expiration time, or
>>>> both."
>>>>
>>>
>>> I'm not sure what, other than a nonce, a "server-provided explicit
>>> expiration time" would be in the context of DPoP? Any
>>> recommendations/requirements the document makes need to be rooted in actual
>>> existing pieces of the protocol defined by that document.
>>>
>>>
>>>
>>>> Adding "(on the order of seconds or minutes)" would already be a big
>>>> improvement to what is in the document.
>>>>
>>>
>>> Will do. Thanks.
>>>
>>>
>>>
>>>> The linkage between Figure 12 and Figure 13 is clear. I was talking
>>>> about the linkage between Figure 5 (or the refresh response to Figure 6)
>>>> and the token hash in Figure 12.
>>>>
>>>
>>> The access token returned in Fig 5 is the same one used in Fig 12. But
>>> that it's in Fig 5 is not really meaningful to the ath or much else. I'm
>>> not sure what could be clarified or better linked?
>>>
>>>
>>>
>>>> Many Thanks,
>>>> -rohan
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Mar 23, 2022 at 8:17 AM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>>>>
>>>>> Thanks Rohan,
>>>>>
>>>>> Pre-generating a proof requires the ability to execute code on the
>>>>> client, which is already a problematic situation where other (arguably
>>>>> more) serious attacks are possible. Such as driving a whole attack directly
>>>>> from the client. The draft aims to give servers the option to use a nonce
>>>>> but not push it too much or overstate its protections.
>>>>>
>>>>> The vagueness around lifetimes is somewhat intentional. At one point
>>>>> the document (maybe aspirationally) had something like 'no more than a few
>>>>> seconds' but there was some push-back that it was unrealistically short to
>>>>> accommodate real world client clock skew. I'm not sure the draft can make a
>>>>> much more concrete recommendation as I think it really is something that
>>>>> has tradeoffs and will be implementation/deployment specific. Perhaps
>>>>> something like, "(on the order of seconds or minutes)" could be added as a
>>>>> qualifier around lifetime leniency? That maybe gives a general idea of what
>>>>> is acceptable and/or relatively brief without being overly prescriptive.
>>>>> I'm quite hesitant to say anything more specific.
>>>>>
>>>>> An access token and its "ath" hash value are shown as part of the
>>>>> examples
>>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-12
>>>>> and
>>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-13
>>>>> respectively. Perhaps it'd be worthwhile to more explicitly mention the
>>>>> relationship between the two examples? I think I did the calculations
>>>>> correctly but anyone double checking that work would be welcome. The
>>>>> sentence in sec 4.3 step 11 is already pretty darn verbose - probably too
>>>>> much so. I think breaking it up would probably be a better way to make it
>>>>> more clear.
>>>>>
>>>>> The MIME type registration will be in the next revision
>>>>> https://mailarchive.ietf.org/arch/msg/oauth/Vj24ZXU4UuG6Rr04U1Cdrz2rx3o/
>>>>>
>>>>> I'll work those nits and fix things up as appropriate.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Mar 22, 2022 at 4:24 PM Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org> wrote:
>>>>>
>>>>>> Hi,
>>>>>> Here are some comments on draft-ietf-oauth-dpop-06:
>>>>>>
>>>>>> 1) With such a significant attack possible as DPoP proof
>>>>>> pre-generation, why isn't using the server nonce a SHOULD? Preventing a
>>>>>> significant attack and making lifetime handling sane are two excellent
>>>>>> reasons to use a server nonce. If an implementation has a good reason to
>>>>>> not use a server nonce, we can give guidance about what additional steps
>>>>>> the implementation needs to take.
>>>>>>
>>>>>> 2) The handling of lifetimes of DPoP proofs is vague: "acceptable
>>>>>> timeframe" (Section 4.3), "relatively brief period" (Section 11.1). Is that
>>>>>> 1 day, 15 minutes, or 30 seconds?
>>>>>> The normative text in the two sections seem contradictory.
>>>>>> I think you need a lifetime parameter if a server nonce isn't
>>>>>> included, or just pick a number (5 minutes?).
>>>>>>
>>>>>> 3) I had a similar thought to Nicolas Mora about including other
>>>>>> assertions/tokens. There should be a way to chain, include, or reference
>>>>>> other OAuth assertions and bind them somehow with the DPoP. This will be a
>>>>>> common and important model.
>>>>>>
>>>>>> 4. Right now you describe the access token hash before describing the
>>>>>> access token itself. I think it would be very useful to show a worked
>>>>>> example of an access token and then its hash used subsequently. Also
>>>>>> Section 4.3 step 11 feels like a circular description. Please rewrite more
>>>>>> verbosely to be clearer:
>>>>>> Currently:
>>>>>> "when presented to a protected resource in conjunction with an access
>>>>>> token, ensure that the value of the ath claim equals the hash of that
>>>>>> access token and confirm that the public key to which the access token is
>>>>>> bound matches the public key from the DPoP proof."
>>>>>>
>>>>>> 5. Re: IANA registration of the MIME type. TL;DR: Just register
>>>>>> application/dpop+jwt.
>>>>>> Long version: The semantics of the thing you want to register is
>>>>>> application/dpop. The first syntax you are defining is jwt. For example,
>>>>>> iCalendar has three formats: text/calendar (iCal),
>>>>>> application/calendar+json (jCal), and application/calendar+xml (xCal).
>>>>>>
>>>>>> NITS:
>>>>>> - Spell out first use of acronyms: JWT, JWK, JWS, TLS, JOSE, PKCE,
>>>>>> - Add reference to TLS, XSS, Crime/Heartbleed/BREACH/etc., HTTP,
>>>>>> JOSE, on first use
>>>>>> - First sentence of Section 2 (Objectives): add a comma (access
>>>>>> tokens_,_ by binding) to make it clear that "binding a token" is doing the
>>>>>> preventing instead of the stealing in the sentence.
>>>>>> - Section 2 para 5: s/XXS/XSS/
>>>>>> - Maybe mention why you are using ASCII (7-bit) when the charset in
>>>>>> the examples is UTF-8.
>>>>>>
>>>>>> I hope these comments are useful.
>>>>>> Many thanks,
>>>>>> -rohan
>>>>>>
>>>>>>
>>>>
>>>>
>>
>>

--0000000000001a061705db081da1
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi,<br></div><div>Sorry, I meant to type server-provi=
ded nonce or *server-validated* expiration.<br></div><div><br></div><div>Th=
ank you for the pointer to the discussion about exp. Skimming the comments,=
 the discussion seems oriented at what would be easy for the client, rather=
 than a balance of implementable for both client and server. I will raise m=
y concern that requiring the server to remember iat values for an ambiguous=
 period of time is a security concern (resource exhaustion/DoS). I don&#39;=
t think this is wise, but if you still want to allow no server-nonce, and n=
o exp, please include this attack in the security considerations.</div><div=
><br></div><div>Thanks,</div><div>-rohan<br></div><div><br></div><div><div>=
<div dir=3D"ltr" class=3D"gmail_signature" data-smartmail=3D"gmail_signatur=
e"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><p class=3D"MsoNormal=
" style=3D"color:rgb(0,0,0)"><b><span style=3D"font-family:Arial,sans-serif=
">Rohan Mahy=C2=A0 </span></b><span style=3D"font-family:Arial,sans-serif">=
l=C2=A0 Vice President Engineering, Architecture<br></span></p><p class=3D"=
MsoNormal" style=3D"color:rgb(0,0,0)">Chat: @rohan_wire on=C2=A0Wire</p><sp=
an style=3D"color:rgb(80,0,80)"><p class=3D"MsoNormal" style=3D"color:rgb(0=
,0,0)"><span style=3D"font-size:9.5pt">=C2=A0</span><br></p><p class=3D"Mso=
Normal" style=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt"><a href=
=3D"https://wire.com/en/download/" target=3D"_blank">Wire</a>=C2=A0- Secure=
 team messaging.</span></p><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)=
"><b><span style=3D"font-size:9.5pt;color:rgb(204,204,204)">Zeta Project Ge=
rmany GmbH=C2=A0=C2=A0</span></b><span style=3D"font-size:9.5pt;color:rgb(2=
04,204,204)">l=C2=A0=C2=A0<a href=3D"https://maps.google.com/?q=3DRosenthal=
er+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&amp;entry=3Dgmail&amp;=
source=3Dg" target=3D"_blank">Rosenthaler Stra=C3=9Fe 40,=C2=A0</a><a href=
=3D"https://maps.google.com/?q=3DRosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Be=
rlin,%C2%A0+Germany&amp;entry=3Dgmail&amp;source=3Dg" target=3D"_blank">101=
78 Berlin,=C2=A0</a><a href=3D"https://maps.google.com/?q=3DRosenthaler+Str=
a%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&amp;entry=3Dgmail&amp;source=
=3Dg" target=3D"_blank">Germany</a></span><br></p><p class=3D"MsoNormal" st=
yle=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt"></span></p></span>=
<p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"color:rgb(=
204,204,204);font-size:9.5pt">Gesch=C3=A4ftsf=C3=BChrer/Managing Director: =
Morten J. Broegger=C2=A0</span><br></p><span style=3D"color:rgb(80,0,80)"><=
p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"font-size:9=
.5pt"></span></p><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span st=
yle=3D"font-size:9.5pt;color:rgb(204,204,204)">HRB 149847 beim Handelsregis=
ter Charlottenburg, Berlin</span><span style=3D"font-size:9.5pt"></span></p=
><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"font-size=
:9.5pt;color:rgb(204,204,204)">VAT-ID DE288748675</span></p></span></div></=
div></div></div></div><br></div></div><br><div class=3D"gmail_quote"><div d=
ir=3D"ltr" class=3D"gmail_attr">On Fri, Mar 25, 2022 at 2:27 AM Brian Campb=
ell &lt;bcampbell=3D<a href=3D"mailto:40pingidentity.com@dmarc.ietf.org">40=
pingidentity.com@dmarc.ietf.org</a>&gt; wrote:<br></div><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div>Hello Rohan,</div><d=
iv><br></div><div>The ath claim value in the proof is always the hash of th=
e access token sent in the same request. <br></div><div><br></div><div>A de=
cision was made fairly early on to not use `exp` in the proof but rather to=
 rely on the proof&#39;s `iat` and give the server some discretion around t=
he window of acceptance. <a href=3D"https://github.com/danielfett/draft-dpo=
p/issues/38" target=3D"_blank">https://github.com/danielfett/draft-dpop/iss=
ues/38</a> has some of the discussion around that. There&#39;d need to be a=
 very compelling reason with WG agreement to change something fundamental l=
ike that at this stage in the document lifecycle. Note also that, in the co=
ntext of the proof, the `exp` value would be something that&#39;s set by th=
e client. So it wouldn&#39;t be a &quot;server-provided explicit expiration=
 time&quot; that was in the prior suggested text.</div><div><br></div><div>=
Similarly, reorganizing the document is not to be undertaken lightly especi=
ally at this point. <br></div><div><br></div><div><br></div></div><br><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Fri, Mar 25,=
 2022 at 12:19 AM Rohan Mahy &lt;rohan.mahy=3D<a href=3D"mailto:40wire.com@=
dmarc.ietf.org" target=3D"_blank">40wire.com@dmarc.ietf.org</a>&gt; wrote:<=
br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8e=
x;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"=
><div>Hi Brian,</div><div>1) Re: requiring a nonce or an expiration time, I=
&#39;ll propose some specific text.=C2=A0 <br></div><div>Section 4.2</div><=
div>insert after &quot;*  iat: Time at which the JWT was created (REQUIRED)=
.&quot;</div><div><br></div><div>&quot;The DPoP proof MUST include either o=
ne or both of the following:</div><div>=C2=A0* exp: time after which the pr=
oof is no longer valid.</div><div><br></div><div>* nonce: an Authorization =
Server-provided nonce as defined in Section 8.&quot;<br></div><div><br></di=
v><div>Section 4.3, insert between steps 9 and 10:</div><div>&quot;10.=C2=
=A0 if an exp claim is present, verify that it is in the future and that th=
e resulting</div><div>duration is acceptable to the server. A proof which c=
ontains neither an exp</div><div>claim nor a server-provided nonce is inval=
id;&quot;=C2=A0 <br></div><div><br></div><div>Renumber step 10 -&gt; 11 and=
 11 -&gt; 12.<br></div><div>=C2=A0</div><div>2) Regarding linking Figure 5 =
and Figure 12, perhaps the simplest way to make this linkage clear would be=
 to move Section 7 and Section 7.1 in front of Section 5.1, and then show t=
he calculation of the hash:</div><div><br></div><div>&quot;In our example, =
we take the value of the access_token in Figure 5:<br>=C2=A0=C2=A0 Kz~8mXK1=
EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU<br></div><div>and calculate the base64 =
encoding of the SHA256:<br>=C2=A0=C2=A0 fUHyO2r2Z3DZ53EsNrWBb0xWXoaNy59IiKC=
AqksmQE &quot; </div><div><br></div><div>One specific question which I coul=
d not find the answer to is if the token has been refreshed, is the ath the=
 hash of the original token or the most-recent token?</div><div><br></div><=
div>Thanks,</div><div>-rohan<br></div><div><br></div><div><div><div dir=3D"=
ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><p class=3D"MsoNorm=
al" style=3D"color:rgb(0,0,0)"><b><span style=3D"font-family:Arial,sans-ser=
if">Rohan Mahy=C2=A0 </span></b><span style=3D"font-family:Arial,sans-serif=
">l=C2=A0 Vice President Engineering, Architecture<br></span></p><p class=
=3D"MsoNormal" style=3D"color:rgb(0,0,0)">Chat: @rohan_wire on=C2=A0Wire</p=
><span style=3D"color:rgb(80,0,80)"><p class=3D"MsoNormal" style=3D"color:r=
gb(0,0,0)"><span style=3D"font-size:9.5pt">=C2=A0</span><br></p><p class=3D=
"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt"><a h=
ref=3D"https://wire.com/en/download/" target=3D"_blank">Wire</a>=C2=A0- Sec=
ure team messaging.</span></p><p class=3D"MsoNormal" style=3D"color:rgb(0,0=
,0)"><b><span style=3D"font-size:9.5pt;color:rgb(204,204,204)">Zeta Project=
 Germany GmbH=C2=A0=C2=A0</span></b><span style=3D"font-size:9.5pt;color:rg=
b(204,204,204)">l=C2=A0=C2=A0<a href=3D"https://maps.google.com/?q=3DRosent=
haler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&amp;entry=3Dgmail&a=
mp;source=3Dg" target=3D"_blank">Rosenthaler Stra=C3=9Fe 40,=C2=A0</a><a hr=
ef=3D"https://maps.google.com/?q=3DRosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+=
Berlin,%C2%A0+Germany&amp;entry=3Dgmail&amp;source=3Dg" target=3D"_blank">1=
0178 Berlin,=C2=A0</a><a href=3D"https://maps.google.com/?q=3DRosenthaler+S=
tra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&amp;entry=3Dgmail&amp;sour=
ce=3Dg" target=3D"_blank">Germany</a></span><br></p><p class=3D"MsoNormal" =
style=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt"></span></p></spa=
n><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"color:rg=
b(204,204,204);font-size:9.5pt">Gesch=C3=A4ftsf=C3=BChrer/Managing Director=
: Morten J. Broegger=C2=A0</span><br></p><span style=3D"color:rgb(80,0,80)"=
><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"font-size=
:9.5pt"></span></p><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span =
style=3D"font-size:9.5pt;color:rgb(204,204,204)">HRB 149847 beim Handelsreg=
ister Charlottenburg, Berlin</span><span style=3D"font-size:9.5pt"></span><=
/p><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"font-si=
ze:9.5pt;color:rgb(204,204,204)">VAT-ID DE288748675</span></p></span></div>=
</div></div></div></div><br></div></div><br><div class=3D"gmail_quote"><div=
 dir=3D"ltr" class=3D"gmail_attr">On Thu, Mar 24, 2022 at 3:23 AM Brian Cam=
pbell &lt;bcampbell=3D<a href=3D"mailto:40pingidentity.com@dmarc.ietf.org" =
target=3D"_blank">40pingidentity.com@dmarc.ietf.org</a>&gt; wrote:<br></div=
><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border=
-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div di=
r=3D"ltr"><br></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=
=3D"gmail_attr">On Wed, Mar 23, 2022 at 5:01 PM Rohan Mahy &lt;rohan.mahy=
=3D<a href=3D"mailto:40wire.com@dmarc.ietf.org" target=3D"_blank">40wire.co=
m@dmarc.ietf.org</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" =
style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);pa=
dding-left:1ex"><div dir=3D"ltr"><div>Hi Brian,</div><div><br></div><div>To=
 be clear, for pre-generated proofs, I am not worried about an attack again=
st the client; I am worried about a malicious client. Imagine a malicious c=
lient which pre-generates proofs during a brief window while it has access =
to a private key stored on the iOS secure enclave, or on a Yubikey, or a no=
n-extractable WebCryptoAPI CryptoKey. The ability to pre-generate proofs wi=
th no lifetime effectively makes these non-extractable key protections mean=
ingless for some fixed number of proofs.</div></div></blockquote><div><br><=
/div><div>Direct usage of everything is also possible during that brief win=
dow. Yes, a nonce helps protect against usage after the window has closed. =
But it&#39;s not a panacea of protection. Which is, again, why it&#39;s an =
option provided by the draft to server implementations/deployments that nee=
d or want it. But not more.</div><div><br></div><div>=C2=A0</div><blockquot=
e class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px s=
olid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div> If the WG do=
es not want to make server nonces a SHOULD, then I suggest the following:<b=
r></div><div>&quot;Server implementations need some protection against arbi=
trary pre-generation. Servers MUST require all client proofs to contain eit=
her a server-provided nonce, or a server-provided explicit expiration time,=
 or both.&quot;<br></div></div></blockquote><div><br></div><div>I&#39;m not=
 sure what, other than a nonce, a &quot;server-provided explicit expiration=
 time&quot; would be in the context of DPoP? Any recommendations/requiremen=
ts the document makes need to be rooted in actual existing pieces of the pr=
otocol defined by that document. <br></div><div>=C2=A0</div><div><br></div>=
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div><br=
></div><div>Adding &quot;(on the order of seconds or minutes)&quot; would a=
lready be a big improvement to what is in the document.=C2=A0</div></div></=
blockquote><div><br></div><div>Will do. Thanks.<br></div><div>=C2=A0</div><=
div><br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px=
 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D=
"ltr"><div><br></div><div>The linkage between Figure 12 and Figure 13 is cl=
ear. I was talking about the linkage between Figure 5 (or the refresh respo=
nse to Figure 6) and the token hash in Figure 12.</div></div></blockquote><=
div><br></div><div>The access token returned in Fig 5 is the same one used =
in Fig 12. But that it&#39;s in Fig 5 is not really meaningful to the ath o=
r much else. I&#39;m not sure what could be clarified or better linked? <br=
></div><div><br></div><div><br></div><blockquote class=3D"gmail_quote" styl=
e=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddin=
g-left:1ex"><div dir=3D"ltr"><div><br></div><div>Many Thanks,</div><div>-ro=
han<br></div><div><br></div><div><br></div><div><div><div dir=3D"ltr"><div =
dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><p class=3D"MsoNormal" style=
=3D"color:rgb(0,0,0)"><b><span style=3D"font-family:Arial,sans-serif">Rohan=
 Mahy=C2=A0 </span></b><span style=3D"font-family:Arial,sans-serif">l=C2=A0=
 Vice President Engineering, Architecture<br></span></p><p class=3D"MsoNorm=
al" style=3D"color:rgb(0,0,0)">Chat: @rohan_wire on=C2=A0Wire</p><span styl=
e=3D"color:rgb(80,0,80)"><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)">=
<span style=3D"font-size:9.5pt">=C2=A0</span><br></p><p class=3D"MsoNormal"=
 style=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt"><a href=3D"http=
s://wire.com/en/download/" target=3D"_blank">Wire</a>=C2=A0- Secure team me=
ssaging.</span></p><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><b><sp=
an style=3D"font-size:9.5pt;color:rgb(204,204,204)">Zeta Project Germany Gm=
bH=C2=A0=C2=A0</span></b><span style=3D"font-size:9.5pt;color:rgb(204,204,2=
04)">l=C2=A0=C2=A0<a href=3D"https://maps.google.com/?q=3DRosenthaler+Stra%=
C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&amp;entry=3Dgmail&amp;source=
=3Dg" target=3D"_blank">Rosenthaler Stra=C3=9Fe 40,=C2=A0</a><a href=3D"htt=
ps://maps.google.com/?q=3DRosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C=
2%A0+Germany&amp;entry=3Dgmail&amp;source=3Dg" target=3D"_blank">10178 Berl=
in,=C2=A0</a><a href=3D"https://maps.google.com/?q=3DRosenthaler+Stra%C3%9F=
e+40,%C2%A0+10178+Berlin,%C2%A0+Germany&amp;entry=3Dgmail&amp;source=3Dg" t=
arget=3D"_blank">Germany</a></span><br></p><p class=3D"MsoNormal" style=3D"=
color:rgb(0,0,0)"><span style=3D"font-size:9.5pt"></span></p></span><p clas=
s=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"color:rgb(204,204=
,204);font-size:9.5pt">Gesch=C3=A4ftsf=C3=BChrer/Managing Director: Morten =
J. Broegger=C2=A0</span><br></p><span style=3D"color:rgb(80,0,80)"><p class=
=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt"><=
/span></p><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"=
font-size:9.5pt;color:rgb(204,204,204)">HRB 149847 beim Handelsregister Cha=
rlottenburg, Berlin</span><span style=3D"font-size:9.5pt"></span></p><p cla=
ss=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt;=
color:rgb(204,204,204)">VAT-ID DE288748675</span></p></span></div></div></d=
iv></div></div><br></div></div><br><div class=3D"gmail_quote"><div dir=3D"l=
tr" class=3D"gmail_attr">On Wed, Mar 23, 2022 at 8:17 AM Brian Campbell &lt=
;bcampbell=3D<a href=3D"mailto:40pingidentity.com@dmarc.ietf.org" target=3D=
"_blank">40pingidentity.com@dmarc.ietf.org</a>&gt; wrote:<br></div><blockqu=
ote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px=
 solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div>Thanks Roha=
n,</div><div><br></div><div>Pre-generating a proof requires the ability to =
execute code on the client, which is already a problematic situation where =
other (arguably more) serious attacks are possible. Such as driving a whole=
 attack directly from the client. The draft aims to give servers the option=
 to use a nonce but not push it too much or overstate its protections. <br>=
</div><div><br></div><div>The vagueness around lifetimes is somewhat intent=
ional. At one point the document (maybe aspirationally) had something like =
&#39;no more than a few seconds&#39; but there was some push-back that it w=
as unrealistically short to accommodate real world client clock skew. I&#39=
;m not sure the draft can make a much more concrete recommendation as I thi=
nk it really is something that has tradeoffs and will be implementation/dep=
loyment specific. Perhaps something like, &quot;(on the order of seconds or=
 minutes)&quot; could be added as a qualifier around lifetime leniency? Tha=
t maybe gives a general idea of what is acceptable and/or relatively brief =
without being overly prescriptive. I&#39;m quite hesitant to say anything m=
ore specific. <br></div><div><br></div><div>An access token and its &quot;a=
th&quot; hash value are shown as part of the examples <a href=3D"https://ww=
w.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-12" target=3D"_b=
lank">https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-=
12</a> and <a href=3D"https://www.ietf.org/archive/id/draft-ietf-oauth-dpop=
-06.html#figure-13" target=3D"_blank">https://www.ietf.org/archive/id/draft=
-ietf-oauth-dpop-06.html#figure-13</a> respectively. Perhaps it&#39;d be wo=
rthwhile to more explicitly mention the relationship between the two exampl=
es? I think I did the calculations correctly but anyone double checking tha=
t work would be welcome. The sentence in sec 4.3 step 11 is already pretty =
darn verbose - probably too much so. I think breaking it up would probably =
be a better way to make it more clear. =C2=A0 <br></div><div><br></div><div=
>The MIME type registration will be in the next revision <a href=3D"https:/=
/mailarchive.ietf.org/arch/msg/oauth/Vj24ZXU4UuG6Rr04U1Cdrz2rx3o/" target=
=3D"_blank">https://mailarchive.ietf.org/arch/msg/oauth/Vj24ZXU4UuG6Rr04U1C=
drz2rx3o/</a></div><div><br></div><div>I&#39;ll work those nits and fix thi=
ngs up as appropriate. <br></div><div><br></div><div><br></div><div><br></d=
iv><div>=C2=A0<br></div><div><br></div></div><br><div class=3D"gmail_quote"=
><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Mar 22, 2022 at 4:24 PM Roha=
n Mahy &lt;rohan.mahy=3D<a href=3D"mailto:40wire.com@dmarc.ietf.org" target=
=3D"_blank">40wire.com@dmarc.ietf.org</a>&gt; wrote:<br></div><blockquote c=
lass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px soli=
d rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr">Hi,<div class=3D"gmai=
l_quote"><div dir=3D"ltr"><div>Here are some comments on draft-ietf-oauth-d=
pop-06:<br></div><div><br></div>1) With such a significant attack possible =
as DPoP proof pre-generation, why isn&#39;t using the server nonce a SHOULD=
? Preventing a significant attack and making lifetime handling sane are two=
 excellent reasons to use a server nonce. If an implementation has a good r=
eason to not use a server nonce, we can give guidance about what additional=
 steps the implementation needs to take. <br><div><br></div><div>2) The han=
dling of lifetimes of DPoP proofs is vague: &quot;acceptable timeframe&quot=
; (Section 4.3), &quot;relatively brief period&quot; (Section 11.1). Is tha=
t 1 day,15 minutes, or 30 seconds? <br></div><div>The normative text in the=
 two sections seem contradictory. <br></div><div>I think you need a lifetim=
e parameter if a server nonce isn&#39;t included, or just pick a number (5 =
minutes?).<br></div><div><br></div><div>3) I had a similar thought to Nicol=
as Mora about including other assertions/tokens. There should be a way to c=
hain, include, or reference other OAuth assertions and bind them somehow wi=
th the DPoP. This will be a common and important model.<br></div><div><br><=
/div><div>4. Right now you describe the access token hash before describing=
 the=20
access token itself. I think it would be very useful to show the a worked e=
xample of an access token and then its hash used subsequently. Also Section=
 4.3 step=20
11 feels like a circular description. Please rewrite more verbosely to=20
be clearer:</div><div>Currently:<br></div><div>&quot;when presented to a pr=
otected resource in conjunction=20
with an access token, ensure that the value of the ath claim equals the=20
hash of that access token and confirm that the public key to which the=20
access token is bound matches the public key from the DPoP proof.&quot;</di=
v><div><br></div><div>5. Re: IANA registration of the MIME type. TL;DR: Jus=
t register application/dpop+jwt.<br>Long version: The semantics of the thin=
g you want to register is application/dpop. The first syntax you are defini=
ng is jwt. For example, iCalendar has three formats: text/calendar (iCal), =
application/calendar+json (jCal), and application/calendar+xml (xCal).<br><=
/div><div><br></div><div>NITS:</div><div>- Spell out first use of acronyms:=
 JWT, JWK, JWS, TLS, JOSE, PKCE, <br></div><div>- Add reference to TLS, XSS=
, Crime/Heartbleed/BREACH/etc.,  HTTP, JOSE, on first use<br></div><div>- F=
irst sentence of Section 2 (Objectives): add a comma (access tokens_,_ by b=
inding) to make it clear that &quot;binding a token&quot; is doing the prev=
enting instead of the stealing in the sentence.</div><div>- Section 2 para =
5: s/XXS/XSS/</div><div>- Maybe mention why you are using ASCII (7-bit) whe=
n the charset in the examples is UTF-8.</div><div><br></div><div>I hope the=
se comments are useful.<br></div><div>Many thanks,</div><div>-rohan<br></di=
v><div><br></div><div><br></div><div><div dir=3D"ltr"><div dir=3D"ltr"><div=
 dir=3D"ltr"><div dir=3D"ltr"><p class=3D"MsoNormal" style=3D"color:rgb(0,0=
,0)"><b><span style=3D"font-family:Arial,sans-serif">Rohan Mahy=C2=A0 </spa=
n></b><span style=3D"font-family:Arial,sans-serif">l=C2=A0 Vice President E=
ngineering, Architecture<br></span></p><p class=3D"MsoNormal" style=3D"colo=
r:rgb(0,0,0)">Chat: @rohan_wire on=C2=A0Wire</p><span style=3D"color:rgb(80=
,0,80)"><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"fo=
nt-size:9.5pt">=C2=A0</span><br></p><p class=3D"MsoNormal" style=3D"color:r=
gb(0,0,0)"><span style=3D"font-size:9.5pt"><a href=3D"https://wire.com/en/d=
ownload/" target=3D"_blank">Wire</a>=C2=A0- Secure team messaging.</span></=
p><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><b><span style=3D"font-=
size:9.5pt;color:rgb(204,204,204)">Zeta Project Germany GmbH=C2=A0=C2=A0</s=
pan></b><span style=3D"font-size:9.5pt;color:rgb(204,204,204)">l=C2=A0=C2=
=A0<a href=3D"https://maps.google.com/?q=3DRosenthaler+Stra%C3%9Fe+40,%C2%A=
0+10178+Berlin,%C2%A0+Germany&amp;entry=3Dgmail&amp;source=3Dg" target=3D"_=
blank">Rosenthaler Stra=C3=9Fe 40,=C2=A0</a><a href=3D"https://maps.google.=
com/?q=3DRosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&amp;=
entry=3Dgmail&amp;source=3Dg" target=3D"_blank">10178 Berlin,=C2=A0</a><a h=
ref=3D"https://maps.google.com/?q=3DRosenthaler+Stra%C3%9Fe+40,%C2%A0+10178=
+Berlin,%C2%A0+Germany&amp;entry=3Dgmail&amp;source=3Dg" target=3D"_blank">=
Germany</a></span><br></p><p class=3D"MsoNormal" style=3D"color:rgb(0,0,0)"=
><span style=3D"font-size:9.5pt"></span></p></span><p class=3D"MsoNormal" s=
tyle=3D"color:rgb(0,0,0)"><span style=3D"color:rgb(204,204,204);font-size:9=
.5pt">Gesch=C3=A4ftsf=C3=BChrer/Managing Director: Morten J. Broegger=C2=A0=
</span><br></p><span style=3D"color:rgb(80,0,80)"><p class=3D"MsoNormal" st=
yle=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt"></span></p><p clas=
s=3D"MsoNormal" style=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt;c=
olor:rgb(204,204,204)">HRB 149847 beim Handelsregister Charlottenburg, Berl=
in</span><span style=3D"font-size:9.5pt"></span></p><p class=3D"MsoNormal" =
style=3D"color:rgb(0,0,0)"><span style=3D"font-size:9.5pt;color:rgb(204,204=
,204)">VAT-ID DE288748675</span></p></span></div></div></div></div></div></=
div>
</div></div>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div>

<br>
<i style=3D"margin:0px;padding:0px;border:0px none;outline:currentcolor non=
e 0px;vertical-align:baseline;background:rgb(255,255,255) none repeat scrol=
l 0% 0%;font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,=
&quot;Segoe UI&quot;,Roboto,Oxygen-Sans,Ubuntu,Cantarell,&quot;Helvetica Ne=
ue&quot;,Arial,sans-serif;color:rgb(85,85,85)"><span style=3D"margin:0px;pa=
dding:0px;border:0px none;outline:currentcolor none 0px;vertical-align:base=
line;background:transparent none repeat scroll 0% 0%;font-family:proxima-no=
va-zendesk,system-ui,-apple-system,BlinkMacSystemFont,&quot;Segoe UI&quot;,=
Roboto,Oxygen-Sans,Ubuntu,Cantarell,&quot;Helvetica Neue&quot;,Arial,sans-s=
erif;font-weight:600"><font size=3D"2">CONFIDENTIALITY NOTICE: This email m=
ay contain confidential and privileged material for the sole use of the int=
ended recipient(s). Any review, use, distribution or disclosure by others i=
s strictly prohibited.=C2=A0 If you have received this communication in err=
or, please notify the sender immediately by e-mail and delete the message a=
nd any file attachments from your computer. Thank you.</font></span></i></b=
lockquote></div>
</blockquote></div></div>

</blockquote></div>
</blockquote></div>

</blockquote></div>

--0000000000001a061705db081da1--
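The checks debated in the exchange above (a server-provided nonce, a proof lifetime "on the order of seconds or minutes", and the `ath` hash that links the proof to the presented access token) put together as resource-server verification logic. This is an added example, not code from the draft or from any poster; the signature check is delegated to a caller-supplied callable standing in for a JOSE library, and the JWK, token and names in it are constructed.

```python
# Added example, not code from draft-ietf-oauth-dpop or from anyone on this
# thread: resource-server claim checks for a DPoP proof. It computes `ath`
# from the presented access token, applies a server-chosen `iat` window (the
# proof carries no lifetime), checks the server-provided `nonce` when one is in
# use, the htm/htu binding, the RFC 7638 jkt binding to the token's cnf claim,
# and jti replay. Signature verification is delegated to a caller-supplied
# callable standing in for a JOSE library (assumption); all names are made up.
import base64
import hashlib
import json
import time
from urllib.parse import urlsplit, urlunsplit


class DPoPError(ValueError):
    """A proof failed one check; the message names which one."""

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def access_token_hash(access_token):
    """`ath`: base64url(SHA-256(ASCII(access_token))), 43 characters unpadded."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 of the required public members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    try:
        members = {name: jwk[name] for name in required[jwk["kty"]]}
    except KeyError as exc:
        raise DPoPError(f"jwk missing member {exc}") from None
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def normalize_htu(uri):
    """htu is compared without query and fragment; scheme and host case-insensitively."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))

def encode_proof(header, payload, signature):
    """Compact JWS serialization, used here only to build constructed proofs."""
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode("utf-8")) for p in (header, payload)]
    return ".".join(parts + [b64url(signature)])


class DPoPVerifier:
    def __init__(self, verify_signature, max_age=60, max_skew=5):
        self.verify_signature = verify_signature  # (signing_input, signature, jwk, alg) -> bool
        self.max_age = max_age    # acceptable proof age, "on the order of seconds or minutes"
        self.max_skew = max_skew  # tolerance for a client clock slightly ahead of the server's
        self.seen_jti = {}        # jti -> iat, retained only for the window above

    def verify(self, proof, method, uri, access_token, bound_jkt, expected_nonce=None, now=None):
        now = int(time.time()) if now is None else now
        try:
            h_b64, p_b64, s_b64 = proof.split(".")
            header, payload = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
        except (ValueError, UnicodeDecodeError):
            raise DPoPError("malformed proof") from None
        if not isinstance(header, dict) or not isinstance(payload, dict):
            raise DPoPError("malformed proof")
        if header.get("typ") != "dpop+jwt":
            raise DPoPError("typ is not dpop+jwt")
        alg = str(header.get("alg", ""))
        if alg == "none" or alg.startswith("HS"):
            raise DPoPError("alg must be an asymmetric digital signature")
        jwk = header.get("jwk")
        if not isinstance(jwk, dict) or "d" in jwk:
            raise DPoPError("jwk missing or carries a private member")
        if not self.verify_signature(f"{h_b64}.{p_b64}".encode("ascii"), b64url_decode(s_b64), jwk, alg):
            raise DPoPError("signature does not verify under the jwk header")
        for claim in ("jti", "htm", "htu", "iat", "ath"):
            if claim not in payload:
                raise DPoPError(f"missing claim {claim}")
        if payload["htm"] != method.upper():
            raise DPoPError("htm does not match the request method")
        if normalize_htu(payload["htu"]) != normalize_htu(uri):
            raise DPoPError("htu does not match the request URI")
        iat = payload["iat"]
        if not isinstance(iat, int) or iat > now + self.max_skew or now - iat > self.max_age:
            raise DPoPError("iat outside the acceptable window")
        if expected_nonce is not None and payload.get("nonce") != expected_nonce:
            raise DPoPError("nonce missing or stale")  # a real server answers with a fresh DPoP-Nonce
        if payload["ath"] != access_token_hash(access_token):
            raise DPoPError("ath does not match the presented access token")
        if jwk_thumbprint(jwk) != bound_jkt:
            raise DPoPError("proof key is not the key the token is bound to (cnf.jkt)")
        cutoff = now - self.max_age - self.max_skew
        self.seen_jti = {j: t for j, t in self.seen_jti.items() if t >= cutoff}
        if payload["jti"] in self.seen_jti:
            raise DPoPError("jti already seen within the window: replay")
        self.seen_jti[payload["jti"]] = iat
        return payload


# Constructed public JWK for the demonstration (placeholder coordinates, not a real key).
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
```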


From nobody Mon Mar 28 05:01:29 2022
Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 343243A12B8 for <oauth@ietfa.amsl.com>; Mon, 28 Mar 2022 05:01:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level: 
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1t5MfycJXHXI for <oauth@ietfa.amsl.com>; Mon, 28 Mar 2022 05:01:25 -0700 (PDT)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BE763A12B7 for <oauth@ietf.org>; Mon, 28 Mar 2022 05:01:25 -0700 (PDT)
Received: by mail-wm1-x32f.google.com with SMTP id l9-20020a05600c4f0900b0038ccd1b8642so5150028wmq.0 for <oauth@ietf.org>; Mon, 28 Mar 2022 05:01:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;  h=mime-version:from:date:message-id:subject:to; bh=KNRWfLFgByBOJouEnynWBg6pMoTJRh7ms78xkTxs5YE=; b=KB0uYxTAXVJUqEavzGUo+pzNQ463KuEO3AEa1KB7BCxXHUITt/on0TEEifeIaz+kb9 53v6wYRQq11Ilmy9lK6b417M5W5YI4b3LTqkHNIiyqT0z2SS8KhamJkYA1OhrzhKopfK oHp9WwEyK0cEMg2TLZH6GFkEdC9NT48D9/Kq/cZ1tkMhBK4OlamNJC/bhpIdqk4ONnxN l0d3JBMLYJGAPh46Inuc8IuGiU7xwRYC11r/KyPDK4LRBeqvZt762JpeAfvJHl4miv0P elHwFnIYvREFPNsswIxPjoQMg68HSxhRA4IClNDJC43VoxrSeso2/+NApDyMm0Ler4dT J/pA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=KNRWfLFgByBOJouEnynWBg6pMoTJRh7ms78xkTxs5YE=; b=x8HjPX2echpHJehkMeTejCw5ivssWzWfrWlMWnmvtHheMlYefmKoNlMof9aUnfsokj 0CZq0hvXOIe4/AHX+CpFCoE5C8QKUGQ8ACbc92Pm14RXqDzaVzqthNJ06q0PRbEVhtLi CPm34h6D36icEH2na1MALgLAKn4S/INMSs5LkSt9DRpV7SvZHpgczzjuzYON+0UE67um EXYPSrT3Ls8pw2XqGAAKg27GUZAs+2iPKDavL90zwmyEexFypJIZJ4gCufaAl64Azn20 dB4dhNK9PXwYgW3RIvD2PJSae5P6tL1wFh68AZj1KSz/1QjtTWJDTSeGoGPYobOW7tci npDg==
X-Gm-Message-State: AOAM532+/sJqW3hC4UWcYqFMWMcfMhwzXKP88cC93w9jB3I4R/AFYF3e eq3VbCXDuowAIrDquU0xNk0UX2lq8wGy6iFLzf1vDsvH05o=
X-Google-Smtp-Source: ABdhPJz7kn5vODQ5PUWh4YPspIX0g/kRs2chAG98bYsPYyL7wPww8YNYWZPM69ETpN7Mjcu+uTXVTdxXMLzEh6s4kb4=
X-Received: by 2002:a7b:ce04:0:b0:38c:6c34:9aac with SMTP id m4-20020a7bce04000000b0038c6c349aacmr25619958wmc.142.1648468883004; Mon, 28 Mar 2022 05:01:23 -0700 (PDT)
MIME-Version: 1.0
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Mon, 28 Mar 2022 08:01:11 -0400
Message-ID: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000031df1405db461212"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KW9Us9ekieTmu1gN4hV3po5L9cM>
Subject: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 12:01:27 -0000

--00000000000031df1405db461212
Content-Type: text/plain; charset="UTF-8"

All,

As discussed during the IETF meeting in *Vienna* last week, this is a *WG
Last Call *for the *DPoP* document:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

Please, provide your feedback on the mailing list by April 11th.

Regards,
 Rifaat & Hannes

--00000000000031df1405db461212
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">All,<br><br>As discussed during the IETF meeting in <b>Vie=
nna</b> last week, this is a <b>WG Last Call </b>for the=C2=A0<b>DPoP</b> d=
ocument:<br><a href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-dp=
op/">https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/</a><br><br>Ple=
ase, provide your feedback on the mailing list by April 11th.<br><br>Regard=
s,<br>=C2=A0Rifaat &amp; Hannes<br><div><br></div></div>

--00000000000031df1405db461212--


From nobody Mon Mar 28 07:28:58 2022
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CFB13A1218 for <oauth@ietfa.amsl.com>; Mon, 28 Mar 2022 07:28:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.129
X-Spam-Level: 
X-Spam-Status: No, score=-6.129 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ewL-L_ECyEWW for <oauth@ietfa.amsl.com>; Mon, 28 Mar 2022 07:28:50 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp02.smtpout.orange.fr [80.12.242.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47FE93A1200 for <oauth@ietf.org>; Mon, 28 Mar 2022 07:28:50 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.93.96]) by smtp.orange.fr with ESMTPA id YqMQnYK2MeHnVYqMRnidgU; Mon, 28 Mar 2022 16:28:48 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: OWU3ZmVkYWM0M2UwZWM1YifxM2Q3ZDk1YiUzNWJiZTM2MiliMTI0N2YxZmQ=
X-ME-Date: Mon, 28 Mar 2022 16:28:48 +0200
X-ME-IP: 90.26.93.96
Content-Type: multipart/alternative; boundary="------------cTb1Rxv7yNDxk4xL90d30gLa"
Message-ID: <73015e12-337d-5853-91cc-455b39c97921@free.fr>
Date: Mon, 28 Mar 2022 16:28:47 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-GB
To: oauth <oauth@ietf.org>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
In-Reply-To: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rGG5IjM8M3N_OY5NenW1FuIEFU8>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 14:28:56 -0000

This is a multi-part message in MIME format.
--------------cTb1Rxv7yNDxk4xL90d30gLa
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Rifaat & Hannes,

Hereafter are my comments:

The introduction states:

        Recipients of such tokens are then able to verify the binding of
        the token to the key pair that the client has demonstrated that it
        holds via the DPoP header, thereby providing some assurance that
        the client presenting the token also possesses the private key.

        In other words, the legitimate presenter of the token is
        constrained to be the sender that holds and can prove possession
        of the private part of the key pair.

The client presenting the token *does not necessarily possess the 
private key*. The client presenting the token has been able to use
the results of some cryptographic functions using the private part of 
the key pair.

These results may be communicated by one client to another client, if 
the two clients agree to collaborate. This statement will be added later on.

Proposed rewording:

        Recipients of such tokens are then able to verify the binding of
        the token to the key pair that the client has demonstrated that it
        holds via the DPoP header, thereby providing some assurance that
        the client presenting the token *either* also possesses the private
        key *or* has been able to use the result of cryptographic
        computations from another client that possesses the private key.

        In other words, the presenter of the token can prove that it has
        been able to use the results of cryptographic computations
        performed by using the private part of the key pair.

The objectives section states:

        The primary aim of DPoP is to prevent unauthorized or illegitimate
        parties from using leaked or stolen access tokens, by binding a
        token to a public key upon issuance and requiring that the client
        proves possession of the corresponding private key when using the
        token.

DPoP does not prevent unauthorized or illegitimate parties from using 
access tokens, as soon as two clients agree to collaborate.

Proposed rewording:

        The primary aim of DPoP is to bind a token to a public key upon
        issuance and to require that the client proves possession of the
        corresponding private key when using the token. This does not
        demonstrate that the client presenting the token is necessarily
        the legitimate client. In the case of non-collaborating clients,
        DPoP prevents unauthorized or illegitimate parties from using
        leaked or stolen access tokens. In the case of collaborating
        clients, the security of DPoP is ineffective (see section 11.X).

Section 11 is about "Security Considerations" and addresses the 
following topics:

11.1. DPoP Proof Replay
11.2. DPoP Proof Pre-Generation
11.3. DPoP Nonce Downgrade
11.4. Untrusted Code in the Client Context
11.5. Signed JWT Swapping
11.6. Signature Algorithms
11.7. Message Integrity
11.8. Access Token and Public Key Binding
11.9. Authorization Code and Public Key Binding

The case of collaborative clients should be addressed within section 11.

Text proposal:

11.X. Collaborative clients

        DPoP demonstrates that the client presenting the token has been
        able to use the results of some cryptographic functions using the
        private part of the key pair.

If a client agrees to collaborate with another client, the security of
DPoP is no longer effective. When two clients agree to collaborate,
these results of the cryptographic computations performed by one client
may be communicated to another client.

Even if the private key used for DPoP is stored in such a way that it
cannot be exported, e.g., in a hardware or software security module,
the client can perform all the cryptographic computations needed by the
other client to create DPoP proofs.

The client can easily create new DPoP proofs as long as the other client
is online.

Note: There exist other techniques able to limit, in some cases, the use
of a token transmitted voluntarily by a legitimate client to an
illegitimate client.

Denis


> All,
>
> As discussed during the IETF meeting in *Vienna* last week, this is a 
> *WG Last Call *for the *DPoP* document:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>
> Please, provide your feedback on the mailing list by April 11th.
>
> Regards,
>  Rifaat & Hannes
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--------------cTb1Rxv7yNDxk4xL90d30gLa--


From nobody Mon Mar 28 07:42:10 2022
Return-Path: <rohan.mahy@wire.com>
MIME-Version: 1.0
From: Rohan Mahy <rohan@wire.com>
Date: Mon, 28 Mar 2022 07:41:51 -0700
Message-ID: <CACW8--P6CHL=Op+gD17p_4FLoR11-aknR7ZiPgVP5NOnxzmwPw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000be6c8105db485033"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Qq8lkXqavF4RvtQg65P97n1lAgg>
Subject: [OAUTH-WG] access token hash claim name in oauth-dpop draft

--000000000000be6c8105db485033
Content-Type: text/plain; charset="UTF-8"

Hi,
Did you consider using the (already IANA registered) at_hash claim defined
in:
https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
instead of defining a new ath claim?

It seems like if we don't use at_hash we should explain why ath is
better/different.
Thanks,
-rohan

--000000000000be6c8105db485033--
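The difference Rohan asks about, as an added example that is not part of the thread and not code from the DPoP draft or OpenID Connect: it computes the DPoP `ath` claim and the OpenID Connect `at_hash` claim for the same access token and shows the resource-server check that binds a DPoP proof to the token actually presented. It assumes the definitions from draft-ietf-oauth-dpop (`ath` = base64url of the full SHA-256 of the ASCII token) and OpenID Connect Core (`at_hash` = base64url of the left-most half of the `alg`-implied hash); `SAMPLE_TOKEN` is a constructed placeholder.

```python
"""DPoP "ath" versus OpenID Connect "at_hash" for the same access token.

Added example for this thread; not code from the DPoP draft or from any
of the posters. Definitions assumed:
  ath     (draft-ietf-oauth-dpop): base64url(SHA-256(ASCII(access_token))),
          the full digest, independent of the proof's signing algorithm.
  at_hash (OpenID Connect Core 1.0, CodeIDToken): base64url of the LEFT-MOST
          HALF of the hash of the ASCII access token, where the hash function
          is the one implied by the ID Token's "alg" header (RS256 -> SHA-256,
          ES384 -> SHA-384, ...), so both value and length depend on "alg".
"""
import base64
import hashlib
import hmac

# Constructed placeholder, not a real access token.
SAMPLE_TOKEN = "constructed-sample-access-token-Kz7Qp9LmTw"

# Hash function implied by a JWS "alg" value (the digest size is the trailing number).
_ALG_TO_HASH = {
    "RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256,
    "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384,
    "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512,
}


def b64url(data: bytes) -> str:
    """base64url without padding (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding that JOSE strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compute_ath(access_token: str) -> str:
    """DPoP 'ath': full SHA-256 over the ASCII bytes of the token value."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def compute_at_hash(access_token: str, alg: str) -> str:
    """OIDC 'at_hash': left-most half of the alg-dependent hash of the token."""
    try:
        hash_fn = _ALG_TO_HASH[alg]
    except KeyError:
        raise ValueError(f"no at_hash hash function defined for alg {alg!r}") from None
    digest = hash_fn(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def check_proof_ath(proof_claims: dict, presented_access_token: str) -> bool:
    """Resource-server side of the binding: the proof's 'ath' must equal the
    hash of the token actually presented in the 'Authorization: DPoP ...'
    header. A proof with no 'ath', or one computed over a different token,
    is rejected. compare_digest keeps the comparison constant-time."""
    claimed = proof_claims.get("ath")
    if not isinstance(claimed, str):
        return False
    expected = compute_ath(presented_access_token).encode("ascii")
    return hmac.compare_digest(claimed.encode("utf-8"), expected)


if __name__ == "__main__":
    print("ath          :", compute_ath(SAMPLE_TOKEN))
    for alg in ("RS256", "ES384", "PS512"):
        print(f"at_hash {alg}:", compute_at_hash(SAMPLE_TOKEN, alg))
    proof = {"ath": compute_ath(SAMPLE_TOKEN)}
    print("proof binds to presented token:", check_proof_ath(proof, SAMPLE_TOKEN))
```

The `alg` dependence and truncation are what make `at_hash` awkward for DPoP, where the proof's own signing algorithm has no relation to the access token being hashed.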


From nobody Mon Mar 28 10:04:45 2022
Return-Path: <steinar@udelt.no>
MIME-Version: 1.0
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr>
In-Reply-To: <73015e12-337d-5853-91cc-455b39c97921@free.fr>
From: Steinar Noem <steinar@udelt.no>
Date: Mon, 28 Mar 2022 19:04:22 +0200
Message-ID: <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000071f42805db4a4e56"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hjXJkGNKGXK_csacGd-xfGpiAxk>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document

--00000000000071f42805db4a4e56
Content-Type: text/plain; charset="UTF-8"

Interesting, but won't two collaborating clients just pass any data they
want to each other? Why would these collaborating clients go through the
trouble of exchanging private keys, dpop proofs or tokens? Could you
elaborate some more on the scenario?

S

On Mon, 28 Mar 2022 at 16:29, Denis <denis.ietf@free.fr> wrote:

> Rifaat & Hannes,
>
> Hereafter are my comments:
>
> The introduction states:
>
>        Recipients of such tokens are then able to verify the binding of
> the token to the key pair that  the client has demonstrated
>        that it holds via the DPoP header, thereby providing some assurance
> that the client presenting the token also possesses the private key.
>
>        In other words, the legitimate presenter of the token is
> constrained to be the sender that holds and can prove possession of the
> private part of the key pair.
>
> The client presenting the token *does not necessarily possess the private
> key*. The client presenting the token has been able to use
> the results of some cryptographic functions using the private part of the
> key pair.
>
> These results may be communicated by one client to another client, if the
> two clients agree to collaborate. This statement will be added later on.
>
> Proposed rewording:
>
>        Recipients of such tokens are then able to verify the binding of
> the token to the key pair that  the client has demonstrated
>        that it holds via the DPoP header, thereby providing some assurance
> that the client presenting the token *either *also possesses
>        the private key *or* has been able to use the result of
> cryptographic computations from another client that possesses the private
> key.
>
>        In other words, the presenter of the token can prove that it has
> been able to use the results of cryptographic computations performed
>        by using the private part of the key pair.
>
> The objectives states
>
>        The primary aim of DPoP is to prevent unauthorized or illegitimate
> parties from using leaked or stolen access tokens,
>        by binding a token to a public key upon issuance and requiring that
> the client proves possession of the corresponding
>        private key when using the token.
>
> DPoP does not prevent unauthorized or illegitimate parties from using
> access tokens, as soon as two clients agree to collaborate.
>
> Proposed rewording:
>
>        The primary aim of DPoP is to bind a token to a public key upon
> issuance and requiring that the client proves possession
>        of the corresponding private key when using the token.  This does
> not demonstrate that the client presenting the token is
>        necessarily the legitimate client. In the case of non-collaborating
> clients, DPoP prevents unauthorized or illegitimate parties
>        from using leaked or stolen access tokens. In the case of
> collaborating clients, the security of DPoP is ineffective
>        (see section 11.X).
>
> Section 11 is about "Security Considerations" and addresses the following
> topics:
>
>      11.1.  DPoP Proof Replay
>      11.2.  DPoP Proof Pre-Generation
>      11.3.  DPoP Nonce Downgrade
>      11.4.  Untrusted Code in the Client Context
>      11.5.  Signed JWT Swapping
>      11.6.  Signature Algorithms
>      11.7.  Message Integrity
>      11.8.  Access Token and Public Key Binding
>      11.9.  Authorization Code and Public Key Binding
>
> The case of collaborative clients should be addressed within section 11.
>
> Text proposal.
>
>      11.X. Collaborative clients
>
>             DPoP demonstrates that the client presenting the token has
> been able to use the results of some cryptographic functions
>             using the private part of the key pair.
>
>             If a client agrees to collaborate with another client, the
> security of DPoP is no longer effective.  When two clients agree to
> collaborate,
>             these results of the cryptographic computations performed by
> one client may be communicated to another client.
>
>             Even if the private key used for DPoP is stored in such a way
> that it cannot be exported, e.g., in a hardware or software security
> module,
>             the client can perform all the cryptographic computations
> needed by the other client to create DPoP proofs.
>
>             The client can easily create new DPoP proofs as long as the
> other client is online.
>
>             Note: There exist other techniques able to limit, in some
> cases, the use of a token transmitted voluntarily by a legitimate client
>                       to an illegitimate client.
>
> Denis
>
> All,
>
> As discussed during the IETF meeting in *Vienna* last week, this is a *WG
> Last Call *for the *DPoP* document:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>
> Please, provide your feedback on the mailing list by April 11th.
>
> Regards,
>  Rifaat & Hannes
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Kind regards

Steinar Noem
Partner, Udelt AS
System developer

| steinar@udelt.no | hei@udelt.no  | +47 955 21 620 | www.udelt.no |

--00000000000071f42805db4a4e56
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Interesting, but won&#39;t two collaborating clients just =
pass any data they want to each other? Why would these collaborating client=
s go through the trouble of exchanging private keys, dpop proofs or tokens?=
 Could you elaborate some more on the scenario?=C2=A0<div><br></div><div>S<=
/div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_a=
ttr">man. 28. mar. 2022 kl. 16:29 skrev Denis &lt;<a href=3D"mailto:denis.i=
etf@free.fr">denis.ietf@free.fr</a>&gt;:<br></div><blockquote class=3D"gmai=
l_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,20=
4,204);padding-left:1ex">
 =20
   =20
 =20
  <div>
    <div><span style=3D"font-family:Arial" lang=3D"EN-US">Rifaat &amp; Hann=
es,<br>
      </span>
      <p class=3D"MsoNormal"><span style=3D"font-family:Arial" lang=3D"EN-U=
S">Hereafter are my comments:<br>
          <br>
          The introduction states :<br>
          <br>
        </span><span style=3D"font-family:Arial" lang=3D"EN-US">=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 Recipients of such tokens are then
          able to verify the binding of the token to
          the key pair that<span>=C2=A0 </span>the
          client has
          demonstrated <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 that it holds via the DPoP h=
eader, thereby providing
          some
          assurance that the client presenting the token also possesses
          the private key. </span><br>
        <span style=3D"font-family:Arial" lang=3D"EN-US"></span><span style=
=3D"font-family:Arial" lang=3D"EN-US">
          <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 In other words, the legitima=
te presenter of the token
          is constrained to be the
          sender that holds and can prove possession of the private part
          of the key pair.<br>
          <br>
          The client presenting the token <b>does not necessarily
            possess the private key</b>.
          The client presenting the token has been able to use <br>
          the
          results of some cryptographic functions using the private part
          of the key pair. <br>
        </span></p>
      <p class=3D"MsoNormal"><span style=3D"font-family:Arial" lang=3D"EN-U=
S">These results may be communicated by one
          client to another client, if the two
          clients agree to collaborate. This statement will be added
          later on.<br>
          <br>
          Proposed rewording:<br>
          <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Recipients of such tokens ar=
e then able to verify the
          binding of the token to
          the key pair that<span>=C2=A0 </span>the
          client has
          demonstrated <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 that it holds via the DPoP h=
eader, thereby providing
          some
          assurance that the client presenting the token <b>either </b>also
          possesses <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 the
          private key <b>or</b> has been able to use the result of
          cryptographic computations
          from another client that possesses the private key. <br>
          <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 In other words, the presente=
r of the token can prove
          that it has been able to
          use the results of cryptographic computations performed <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 by using the private
          part of the key pair. <br>
          <br>
          The objectives states<br>
          <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 The primary aim of DPoP is t=
o prevent unauthorized or
          illegitimate parties from
          using leaked or stolen access tokens, <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 by binding a token to a publ=
ic key upon
          issuance and requiring that the client proves possession of
          the corresponding
          <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 private key when using the t=
oken.<br>
          <br>
          DPoP does not prevent unauthorized or illegitimate parties
          from using access
          tokens, as soon as two clients agree to collaborate.<br>
          <br>
          Proposed rewording:<br>
          <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 The primary aim of DPoP is t=
o bind a token to a public
          key upon issuance and
          requiring that the client proves possession <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 of the corresponding private=
 key
          when using the token.<span>=C2=A0 </span>This
          does not demonstrate
          that the client presenting the token is <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 necessarily the legitimate c=
lient. In
          the case of non-collaborating clients, DPoP prevents
          unauthorized or
          illegitimate parties <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 from using leaked or stolen =
access tokens. In the case
          of
          collaborating clients, the security of DPoP is ineffective <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 (see section 11.X).<br>
          <br>
          Section 11 is about &quot;Security Considerations&quot; and addre=
sses
          the following topics:<br>
          <br>
          <span>=C2=A0=C2=A0=C2=A0=C2=A0 </span>11.1.<span>=C2=A0 </span>DP=
oP Proof Replay<br>
          <span>=C2=A0=C2=A0=C2=A0=C2=A0 </span>11.2.<span>=C2=A0 </span>DP=
oP Proof Pre-Generation<br>
          <span>=C2=A0=C2=A0=C2=A0=C2=A0 </span>11.3.<span>=C2=A0 </span>DP=
oP Nonce Downgrade<br>
          <span>=C2=A0=C2=A0=C2=A0=C2=A0 </span>11.4.<span>=C2=A0 </span>Un=
trusted Code in the Client Context<br>
          <span>=C2=A0=C2=A0=C2=A0=C2=A0 </span>11.5.<span>=C2=A0 </span>Si=
gned JWT Swapping<br>
          <span>=C2=A0=C2=A0=C2=A0=C2=A0 </span>11.6.<span>=C2=A0 </span>Si=
gnature Algorithms<br>
          <span>=C2=A0=C2=A0=C2=A0=C2=A0 </span>11.7.<span>=C2=A0 </span>Me=
ssage Integrity<br>
          <span>=C2=A0=C2=A0=C2=A0=C2=A0 </span>11.8.<span>=C2=A0 </span>Ac=
cess Token and Public Key Binding<br>
          <span>=C2=A0=C2=A0=C2=A0=C2=A0 </span>11.9.<span>=C2=A0 </span>Au=
thorization Code and Public Key Binding<br>
          <br>
          The case of collaborative clients should be addressed within
          section 11.<br>
          <br>
          Text proposal. <br>
          <br>
          <span>=C2=A0=C2=A0=C2=A0=C2=A0 </span>11.X.
          Collaborative clients<br>
          <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0 DPoP demonstrates that the client presenting the
          token has been able to use the
          results of some cryptographic functions<br>
          =C2=A0 =C2=A0<span style=3D"font-family:Arial" lang=3D"EN-US"> =
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>using the private part
          of the key pair.<br>
          <br>
        </span><span style=3D"font-family:Arial" lang=3D"EN-US"><span style=
=3D"font-family:Arial" lang=3D"EN-US">=C2=A0 =C2=A0<span style=3D"font-fami=
ly:Arial" lang=3D"EN-US"> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span=
></span>If a client
          agrees to collaborate with another client, the security of
          DPoP is
          no longer effective.<span>=C2=A0 </span>When
          two clients
          agree to collaborate, <br>
        </span><span style=3D"font-family:Arial" lang=3D"EN-US"><span style=
=3D"font-family:Arial" lang=3D"EN-US">=C2=A0 =C2=A0<span style=3D"font-fami=
ly:Arial" lang=3D"EN-US"> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span=
></span>these results
          of the cryptographic computations performed
          by one client may be communicated to another client. <br>
          <br>
        </span><span style=3D"font-family:Arial" lang=3D"EN-US"><span style=
=3D"font-family:Arial" lang=3D"EN-US">=C2=A0 =C2=A0<span style=3D"font-fami=
ly:Arial" lang=3D"EN-US"> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span=
></span>Even if the
          private key used for DPoP is stored in such a way that it
          cannot be
          exported, e.g., in a hardware or software security module, <br>
        </span><span style=3D"font-family:Arial" lang=3D"EN-US"><span style=
=3D"font-family:Arial" lang=3D"EN-US">=C2=A0 =C2=A0<span style=3D"font-fami=
ly:Arial" lang=3D"EN-US"> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span=
></span>the client can
          perform all the cryptographic computations needed by the other
          client to create
          DPoP proofs. <br>
          <br>
        </span><span style=3D"font-family:Arial" lang=3D"EN-US"><span style=
=3D"font-family:Arial" lang=3D"EN-US">=C2=A0 =C2=A0<span style=3D"font-fami=
ly:Arial" lang=3D"EN-US"> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span=
></span>The client can
          easily create new DPoP proofs as long as the other client is
          online.<br>
          <br>
        </span><span style=3D"font-family:Arial" lang=3D"EN-US"><span style=
=3D"font-family:Arial" lang=3D"EN-US">=C2=A0 =C2=A0<span style=3D"font-fami=
ly:Arial" lang=3D"EN-US"> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span=
></span>Note: There
          exist other techniques able to limit, in some cases, the use
          of a token transmitted
          voluntarily by a legitimate client <br>
          =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 to an illeg=
itimate client.<br>
          <br>
          Denis</span></p>
    </div>
    <div><br>
    </div>
    <blockquote type=3D"cite">
     =20
      <div dir=3D"ltr">All,<br>
        <br>
        As discussed during the IETF meeting in <b>Vienna</b> last
        week, this is a <b>WG Last Call </b>for the=C2=A0<b>DPoP</b>
        document:<br>
        <a href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/"=
 target=3D"_blank">https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/<=
/a><br>
        <br>
        Please, provide your feedback on the mailing list by April 11th.<br=
>
        <br>
        Regards,<br>
        =C2=A0Rifaat &amp; Hannes<br>
        <div><br>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <pre>_______________________________________________
OAuth mailing list
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">h=
ttps://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <p><br>
    </p>
  </div>

_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"=
 class=3D"gmail_signature"><div dir=3D"ltr"><div><div dir=3D"ltr"><div styl=
e=3D"color:rgb(80,0,80)"><span style=3D"color:rgb(34,34,34)">Kind regards=
</span><br></div><div style=3D"color:rgb(80,0,80)"><span style=3D"color:rgb=
(34,34,34)"><br></span></div><div style=3D"color:rgb(80,0,80)"><div style=
=3D"color:rgb(34,34,34)">Steinar Noem</div><div style=3D"color:rgb(34,34,34=
)">Partner Udelt AS</div><div style=3D"color:rgb(34,34,34)">System developer<=
/div><div style=3D"color:rgb(34,34,34)">=C2=A0</div><div style=3D"color:rgb=
(34,34,34)">|=C2=A0<a href=3D"mailto:steinar@udelt.no" style=3D"color:rgb(1=
7,85,204)" target=3D"_blank"><span style=3D"color:rgb(34,34,34);background:=
rgb(255,255,204)">steinar@udelt.no</span></a>=C2=A0|=C2=A0<a href=3D"mailto=
:hei@udelt.no" style=3D"color:rgb(17,85,204)" target=3D"_blank">hei@udelt.n=
o</a>=C2=A0=C2=A0|=C2=A0<a>+47 955 21 620</a>=C2=A0|=C2=A0<a href=3D"http:/=
/www.udelt.no/" style=3D"color:rgb(17,85,204)" target=3D"_blank">www.udelt.=
no</a>=C2=A0|=C2=A0</div></div></div></div></div></div>

--00000000000071f42805db4a4e56--


From nobody Mon Mar 28 10:27:05 2022
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA07C3A1227 for <oauth@ietfa.amsl.com>; Mon, 28 Mar 2022 10:27:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.943
X-Spam-Level: 
X-Spam-Status: No, score=-0.943 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.186, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rguks6q1REZG for <oauth@ietfa.amsl.com>; Mon, 28 Mar 2022 10:26:59 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp08.smtpout.orange.fr [80.12.242.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 838543A11EB for <oauth@ietf.org>; Mon, 28 Mar 2022 10:26:58 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.93.96]) by smtp.orange.fr with ESMTPA id Yt8onOwlkuvBOYt8onNsub; Mon, 28 Mar 2022 19:26:56 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: OWU3ZmVkYWM0M2UwZWM1YifxM2Q3ZDk1YiUzNWJiZTM2MiliMTI0N2YxZmQ=
X-ME-Date: Mon, 28 Mar 2022 19:26:56 +0200
X-ME-IP: 90.26.93.96
Content-Type: multipart/alternative; boundary="------------AKWm4i9YK3Srwe97wZkAOgPt"
Message-ID: <8372228a-f81e-f2d3-cd77-7ed93b368b26@free.fr>
Date: Mon, 28 Mar 2022 19:26:55 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-GB
To: Steinar Noem <steinar@udelt.no>
Cc: oauth <oauth@ietf.org>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
In-Reply-To: <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/i6F3RO3hVffBCymtRB-H5pF41WU>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 17:27:03 -0000

This is a multi-part message in MIME format.
--------------AKWm4i9YK3Srwe97wZkAOgPt
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Steinar,

As you have guessed, no data (except the token and some crypto 
checksums) is passing through the clients.

Once the legitimate client has allowed the illegitimate client to use 
the token, the illegitimate client can do anything it wants with it.
The legitimate client can be kept fully ignorant of what the 
illegitimate client is doing.

The data flow is minimal: if the token allows viewing a 4 Gb movie, that 
data does not flow between the clients.

Furthermore, the content of the token may allow the illegitimate client 
to use it for days or months.
Suppose that the token indicates "over 18". If the user is over 18 now, 
he will certainly be "over 18" in the days, months or years to come.
There is no need to refresh the token, as would be the case if the 
token included a home address.

Denis

> Interesting, but won't two collaborating clients just pass any data 
> they want to each other? Why would these collaborating clients go 
> through the trouble of exchanging private keys, dpop proofs or tokens? 
> Could you elaborate some more on the scenario?
>
> S
>
> Mon. 28 Mar 2022 at 16:29, Denis <denis.ietf@free.fr> wrote:
>
>     Rifaat & Hannes,
>
>     Hereafter are my comments:
>
>     The introduction states:
>
>     Recipients of such tokens are then able to verify the binding of
>     the token to the key pair that the client has demonstrated
>            that it holds via the DPoP header, thereby providing some
>     assurance that the client presenting the token also possesses the
>     private key.
>
>            In other words, the legitimate presenter of the token is
>     constrained to be the sender that holds and can prove possession
>     of the private part of the key pair.
>
>     The client presenting the token *does not necessarily possess the
>     private key*. The client presenting the token has been able to use
>     the results of some cryptographic functions using the private part
>     of the key pair.
>
>     These results may be communicated by one client to another client,
>     if the two clients agree to collaborate. This statement will be
>     added later on.
>
>     Proposed rewording:
>
>            Recipients of such tokens are then able to verify the
>     binding of the token to the key pair that the client has demonstrated
>            that it holds via the DPoP header, thereby providing some
>     assurance that the client presenting the token *either *also
>     possesses
>            the private key *or* has been able to use the result of
>     cryptographic computations from another client that possesses the
>     private key.
>
>            In other words, the presenter of the token can prove that
>     it has been able to use the results of cryptographic computations
>     performed
>            by using the private part of the key pair.
>
>     The objectives states
>
>            The primary aim of DPoP is to prevent unauthorized or
>     illegitimate parties from using leaked or stolen access tokens,
>            by binding a token to a public key upon issuance and
>     requiring that the client proves possession of the corresponding
>            private key when using the token.
>
>     DPoP does not prevent unauthorized or illegitimate parties from
>     using access tokens, as soon as two clients agree to collaborate.
>
>     Proposed rewording:
>
>            The primary aim of DPoP is to bind a token to a public key
>     upon issuance and requiring that the client proves possession
>     of the corresponding private key when using the token. This
>     does not demonstrate that the client presenting the token is
>            necessarily the legitimate client. In the case of
>     non-collaborating clients, DPoP prevents unauthorized or
>     illegitimate parties
>            from using leaked or stolen access tokens. In the case of
>     collaborating clients, the security of DPoP is ineffective
>            (see section 11.X).
>
>     Section 11 is about "Security Considerations" and addresses the
>     following topics:
>
>     11.1.DPoP Proof Replay
>     11.2.DPoP Proof Pre-Generation
>     11.3.DPoP Nonce Downgrade
>     11.4.Untrusted Code in the Client Context
>     11.5.Signed JWT Swapping
>     11.6.Signature Algorithms
>     11.7.Message Integrity
>     11.8.Access Token and Public Key Binding
>     11.9.Authorization Code and Public Key Binding
>
>     The case of collaborative clients should be addressed within
>     section 11.
>
>     Text proposal.
>
>     11.X. Collaborative clients
>
>                 DPoP demonstrates that the client presenting the token
>     has been able to use the results of some cryptographic functions
>     using the private part of the key pair.
>
>     If a client agrees to collaborate with another client, the
>     security of DPoP is no longer effective. When two clients agree to
>     collaborate,
>     these results of the cryptographic computations performed by one
>     client may be communicated to another client.
>
>     Even if the private key used for DPoP is stored in such a way that
>     it cannot be exported, e.g., in a hardware or software security
>     module,
>     the client can perform all the cryptographic computations needed
>     by the other client to create DPoP proofs.
>
>     The client can easily create new DPoP proofs as long as the other
>     client is online.
>
>     Note: There exist other techniques able to limit, in some cases,
>     the use of a token transmitted voluntarily by a legitimate client
>                           to an illegitimate client.
>
>     Denis
>
>
>>     All,
>>
>>     As discussed during the IETF meeting in *Vienna* last week, this
>>     is a *WG Last Call *for the *DPoP* document:
>>     https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>
>>     Please, provide your feedback on the mailing list by April 11th.
>>
>>     Regards,
>>      Rifaat & Hannes
>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org
>>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> -- 
> Kind regards
>
> Steinar Noem
> Partner Udelt AS
> System developer
> | steinar@udelt.no <mailto:steinar@udelt.no> | hei@udelt.no  | +47 955 
> 21 620 | www.udelt.no <http://www.udelt.no/> |


--------------AKWm4i9YK3Srwe97wZkAOgPt--


From nobody Mon Mar 28 14:32:20 2022
Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B612C3A157A for <oauth@ietfa.amsl.com>; Mon, 28 Mar 2022 14:32:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level: 
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alkaline-solutions.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3nU76Az5MUko for <oauth@ietfa.amsl.com>; Mon, 28 Mar 2022 14:32:12 -0700 (PDT)
Received: from caesium6.alkaline.solutions (caesium6.alkaline.solutions [157.230.133.164]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABBD33A1571 for <oauth@ietf.org>; Mon, 28 Mar 2022 14:32:12 -0700 (PDT)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by caesium6.alkaline.solutions (Postfix) with ESMTPA id 09CAE206E89; Mon, 28 Mar 2022 21:32:09 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alkaline-solutions.com; s=dkim; t=1648503130; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=ne9IGL1atIEIP/sjm5TBNKxi/YG7sSDj+RQo71v42Yg=; b=uJRiZ5e88lBFwRXBxNS0CZJPIPpaRGs4CrHZEKNvmxx7+8A0E1dVMJWlCp5CUlX8tQx0TZ AvBm2cnv93JJWnXujbqW7fgtlRO3y3a6RsDIWR2mZmmj6YeEVD+ULnzs8JyWqw/MzWh9yM m11YMMnNsKPeAxsrPpMD5/RW/pF+s0Y=
From: David Waite <david@alkaline-solutions.com>
Message-Id: <7AC69C40-B544-4A9E-9111-05B9CB6CF776@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A68409DE-86AD-488E-AF82-A0D59683489E"
Mime-Version: 1.0
Date: Mon, 28 Mar 2022 15:32:08 -0600
In-Reply-To: <73015e12-337d-5853-91cc-455b39c97921@free.fr>
Cc: oauth <oauth@ietf.org>
To: Denis <denis.ietf@free.fr>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr>
Authentication-Results: caesium6.alkaline.solutions; auth=pass smtp.mailfrom=david@alkaline-solutions.com
X-Spamd-Bar: /
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NB4fbef9Mk9V6-I5v4Dp7_2bp3g>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 21:32:18 -0000

--Apple-Mail=_A68409DE-86AD-488E-AF82-A0D59683489E
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8


> On Mar 28, 2022, at 8:28 AM, Denis <denis.ietf@free.fr> wrote:

<snip>
>        The primary aim of DPoP is to bind a token to a public key upon issuance and requiring that the client proves possession
>        of the corresponding private key when using the token.  This does not demonstrate that the client presenting the token is
>        necessarily the legitimate client. In the case of non-collaborating clients, DPoP prevents unauthorized or illegitimate parties
>        from using leaked or stolen access tokens. In the case of collaborating clients, the security of DPoP is ineffective
>        (see section 11.X).
>

<snip>
>             If a client agrees to collaborate with another client, the security of DPoP is no longer effective.  When two clients agree to collaborate,
>             these results of the cryptographic computations performed by one client may be communicated to another client.
>
>
If a system has shared its tokens and/or credentials with another system, they are both operating as part of a single client. Neither DPoP nor OAuth defines how two clients can share access, such as by applying scopes issued against the client with identifier “foo” to the client with id “bar”.

From an AS or user perspective, multiple parties could collaborate beyond the expectations and limitations they intended the client to have. However, sharing across parties or underlying systems could be entirely within expectations - such as multiple services which together use information from the resource server to fulfill a request.

One could have text such as:

DPoP does not prevent sharing of data or access by a client with additional parties which are not authorized by the AS. In particular, a client may voluntarily share either private keys or constructed DPoP proofs.

But this is somewhat matter-of-factly stating that the AS should continue to have the same evaluation process of what parties should be given access as clients - that DPoP is not a DRM or DLP scheme.

<snip>
>             Even if the private key used for DPoP is stored in such a way that it cannot be exported, e.g., in a hardware or software security module,
>             the client can perform all the cryptographic computations needed by the other client to create DPoP proofs.
>
This seems unneeded with the text above. In addition, DPoP does not define a way for an AS to ensure it only issues access tokens against PoP keys which are non-exportable.

-DW
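
The checks the thread above is arguing about, as an added Go example (not code from the draft or from any poster): a resource server verifying a DPoP proof against an access token bound through cnf.jkt. It assumes ES256 on P-256, a 300-second iat acceptance window standing in for server policy, and a constructed key pair, token and URL (rs.example); every check passing establishes that the bound private key signed this method and URI, recently and only once, which is all the RS learns about who presented it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// sha returns base64url(SHA-256(s)), the encoding both the jkt and the ath claim use.
func sha(s string) string { d := sha256.Sum256([]byte(s)); return b64.EncodeToString(d[:]) }

// toJWK renders a P-256 public key as the JWK the client puts in the proof's JOSE header.
func toJWK(pub *ecdsa.PublicKey) map[string]string {
	pad := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	return map[string]string{"kty": "EC", "crv": "P-256", "x": pad(pub.X), "y": pad(pub.Y)}
}

// Thumbprint is the RFC 7638 JWK thumbprint (required members only, sorted, no whitespace; json.Marshal sorts map keys). The AS stores it in the token's cnf.jkt claim.
func Thumbprint(k map[string]string) string {
	canon, _ := json.Marshal(map[string]string{"crv": k["crv"], "kty": k["kty"], "x": k["x"], "y": k["y"]})
	return sha(string(canon))
}

// MakeProof signs one ES256 DPoP proof for a single method+URI, tied to the access token via ath.
func MakeProof(priv *ecdsa.PrivateKey, method, uri, token string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": toJWK(&priv.PublicKey)})
	jti := make([]byte, 16) // fresh random jti so the RS can detect replay of this proof
	_, rngErr := rand.Read(jti)
	body, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": method, "htu": uri, "iat": now.Unix(), "ath": sha(token)})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, sigErr := ecdsa.Sign(rand.Reader, priv, digest[:])
	if rngErr != nil || sigErr != nil {
		return "", fmt.Errorf("proof generation failed: %v %v", rngErr, sigErr)
	}
	return input + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), nil
}

// Verifier is the resource server's state: the jti replay cache (a real RS would expire old entries).
type Verifier struct{ seen map[string]bool }

// Verify runs the RS checks from the draft: structure, typ/alg, signature, key binding, method/URI, freshness, ath, replay.
func (v *Verifier) Verify(proof, method, uri, token, wantJKT string, now time.Time) error {
	h, rest, _ := strings.Cut(proof, ".")
	b, s, ok := strings.Cut(rest, ".")
	dec := func(x string) []byte { raw, _ := b64.DecodeString(x); return raw }
	var hdr struct{ Typ, Alg string; JWK map[string]string } // encoding/json matches names case-insensitively
	var c struct{ JTI, HTM, HTU, ATH string; IAT int64 }
	e1, e2 := json.Unmarshal(dec(h), &hdr), json.Unmarshal(dec(b), &c)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(hdr.JWK["x"])), Y: new(big.Int).SetBytes(dec(hdr.JWK["y"]))}
	sig, digest := dec(s), sha256.Sum256([]byte(h+"."+b))
	switch {
	case !ok || strings.Contains(s, ".") || e1 != nil || e2 != nil:
		return fmt.Errorf("malformed proof")
	case hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK["kty"] != "EC" || hdr.JWK["crv"] != "P-256":
		return fmt.Errorf("unexpected typ, alg or key type")
	case len(sig) != 64 || !pub.Curve.IsOnCurve(pub.X, pub.Y) ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])):
		return fmt.Errorf("signature invalid")
	case Thumbprint(hdr.JWK) != wantJKT: // the binding: the proof key must be the key the token was issued to
		return fmt.Errorf("proof key does not match token cnf.jkt")
	case c.HTM != method || c.HTU != uri:
		return fmt.Errorf("htm/htu mismatch")
	case now.Unix()-c.IAT > 300 || c.IAT-now.Unix() > 30: // example acceptance window; the draft leaves it to policy
		return fmt.Errorf("iat outside acceptance window")
	case c.ATH != sha(token):
		return fmt.Errorf("ath does not match presented access token")
	case v.seen[c.JTI]:
		return fmt.Errorf("jti already used (replay)")
	}
	v.seen[c.JTI] = true
	return nil
}

// Scenario (constructed key and token): the RS accepts the first proof, rejects its replay, and rejects a proof from a key other than the one the token's cnf.jkt names.
func Scenario() (first, replay, otherKey error) {
	now, rs := time.Now(), &Verifier{seen: map[string]bool{}}
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	token, jkt, m, u := "constructed-opaque-access-token", Thumbprint(toJWK(&clientKey.PublicKey)), "GET", "https://rs.example/resource"
	p, _ := MakeProof(clientKey, m, u, token, now)
	q, _ := MakeProof(clientKey, m, u, token, now)
	first = rs.Verify(p, m, u, token, jkt, now)
	replay = rs.Verify(p, m, u, token, jkt, now)
	otherKey = rs.Verify(q, m, u, token, "constructed-jkt-of-a-different-key", now) // token bound to another key
	return
}

func main() { fmt.Println(Scenario()) }
```

The jti cache is per-RS state, so in a clustered deployment it has to be shared (or the iat window kept short enough that the cache stays bounded).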

--Apple-Mail=_A68409DE-86AD-488E-AF82-A0D59683489E--


From nobody Tue Mar 29 06:10:31 2022
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
From: Justin Richer <jricher@mit.edu>
Message-Id: <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D4C66886-B0B7-4BA1-9017-8A4224B418E4"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
Date: Tue, 29 Mar 2022 09:10:17 -0400
In-Reply-To: <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com>
Cc: Denis <denis.ietf@free.fr>, oauth <oauth@ietf.org>
To: Steinar Noem <steinar@udelt.no>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/z8mOhNwio19CIiB2UbhAVegxwC8>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 13:10:28 -0000

--Apple-Mail=_D4C66886-B0B7-4BA1-9017-8A4224B418E4
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

And this is exactly the problem with the “collaborating clients” attack, as has been pointed out any number of times it’s been brought up before. If two clients are willingly collaborating in this way, they do not need to share any cryptographic material and impersonate each other.

You don’t need to steal my license if I’m willing to just go buy you beer.

The DPoP draft does address signed request re-use, which some see as a feature to be carefully applied.

 — Justin

> On Mar 28, 2022, at 1:04 PM, Steinar Noem <steinar@udelt.no> wrote:
>
> Interesting, but won't two collaborating clients just pass any data they want to each other? Why would these collaborating clients go through the trouble of exchanging private keys, DPoP proofs or tokens? Could you elaborate some more on the scenario?
>
> S
>
> Mon, 28 Mar 2022 at 16:29, Denis <denis.ietf@free.fr> wrote:
> Rifaat & Hannes,
> Hereafter are my comments:
>
> The introduction states:
>
>        Recipients of such tokens are then able to verify the binding of the token to the key pair that the client has demonstrated
>        that it holds via the DPoP header, thereby providing some assurance that the client presenting the token also possesses the private key.
>
>        In other words, the legitimate presenter of the token is constrained to be the sender that holds and can prove possession of the private part of the key pair.
>
> The client presenting the token does not necessarily possess the private key. The client presenting the token has been able to use
> the results of some cryptographic functions using the private part of the key pair.
>
> These results may be communicated by one client to another client, if the two clients agree to collaborate. This statement will be added later on.
>
> Proposed rewording:
>
>        Recipients of such tokens are then able to verify the binding of the token to the key pair that the client has demonstrated
>        that it holds via the DPoP header, thereby providing some assurance that the client presenting the token either also possesses
>        the private key or has been able to use the result of cryptographic computations from another client that possesses the private key.
>
>        In other words, the presenter of the token can prove that it has been able to use the results of cryptographic computations performed
>        by using the private part of the key pair.
>
> The objectives state:
>
>        The primary aim of DPoP is to prevent unauthorized or illegitimate parties from using leaked or stolen access tokens,
>        by binding a token to a public key upon issuance and requiring that the client proves possession of the corresponding
>        private key when using the token.
>
> DPoP does not prevent unauthorized or illegitimate parties from using access tokens, as soon as two clients agree to collaborate.
>
> Proposed rewording:
>
>        The primary aim of DPoP is to bind a token to a public key upon issuance and requiring that the client proves possession
>        of the corresponding private key when using the token.  This does not demonstrate that the client presenting the token is
>        necessarily the legitimate client. In the case of non-collaborating clients, DPoP prevents unauthorized or illegitimate parties
>        from using leaked or stolen access tokens. In the case of collaborating clients, the security of DPoP is ineffective
>        (see section 11.X).
>
> Section 11 is about "Security Considerations" and addresses the following topics:
>
>      11.1.  DPoP Proof Replay
>      11.2.  DPoP Proof Pre-Generation
>      11.3.  DPoP Nonce Downgrade
>      11.4.  Untrusted Code in the Client Context
>      11.5.  Signed JWT Swapping
>      11.6.  Signature Algorithms
>      11.7.  Message Integrity
>      11.8.  Access Token and Public Key Binding
>      11.9.  Authorization Code and Public Key Binding
>
> The case of collaborative clients should be addressed within section 11.
>
> Text proposal:
>
>      11.X. Collaborative clients
>
>             DPoP demonstrates that the client presenting the token has been able to use the results of some cryptographic functions
>             using the private part of the key pair.
>
>             If a client agrees to collaborate with another client, the security of DPoP is no longer effective.  When two clients agree to collaborate,
>             these results of the cryptographic computations performed by one client may be communicated to another client.
>
>             Even if the private key used for DPoP is stored in such a way that it cannot be exported, e.g., in a hardware or software security module,
>             the client can perform all the cryptographic computations needed by the other client to create DPoP proofs.
>
>             The client can easily create new DPoP proofs as long as the other client is online.
>
>             Note: There exist other techniques able to limit, in some cases, the use of a token transmitted voluntarily by a legitimate client
>                       to an illegitimate client.
>
> Denis
>
>
>> All,
>>
>> As discussed during the IETF meeting in Vienna last week, this is a WG Last Call for the DPoP document:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>
>> Please, provide your feedback on the mailing list by April 11th.
>>
>> Regards,
>>  Rifaat & Hannes
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> --
> Kind regards
>
> Steinar Noem
> Partner Udelt AS
> System developer
>
> | steinar@udelt.no | hei@udelt.no | +47 955 21 620 | www.udelt.no |


--Apple-Mail=_D4C66886-B0B7-4BA1-9017-8A4224B418E4
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D"">And =
this is exactly the problem with the =E2=80=9Ccollaborating clients=E2=80=9D=
 attack, as has been pointed out any number of times it=E2=80=99s been =
brought up before. If two clients are willingly collaborating in this =
way, they do not need to share any cryptographic material and =
impersonate each other.<div class=3D""><br class=3D""></div><div =
class=3D"">You don=E2=80=99t need to steal my license if I=E2=80=99m =
willing to just go buy you beer.</div><div class=3D""><br =
class=3D""></div><div class=3D"">The DPoP draft does address signed =
request re-use, which some see as a feature to be carefully =
applied.</div><div class=3D""><br class=3D""></div><div =
class=3D"">&nbsp;=E2=80=94 Justin<br class=3D""><div><br =
class=3D""><blockquote type=3D"cite" class=3D""><div class=3D"">On Mar =
28, 2022, at 1:04 PM, Steinar Noem &lt;<a href=3D"mailto:steinar@udelt.no"=
 class=3D"">steinar@udelt.no</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><meta =
http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8" =
class=3D""><div dir=3D"ltr" class=3D"">Interesting, but won't two =
collaborating clients just pass any data they want to each other? Why =
would these collaborating clients go through the trouble of exchanging =
private keys, dpop proofs or tokens? Could you elaborate some more on =
the scenario?&nbsp;<div class=3D""><br class=3D""></div><div =
class=3D"">S</div></div><br class=3D""><div class=3D"gmail_quote"><div =
dir=3D"ltr" class=3D"gmail_attr">man. 28. mar. 2022 kl. 16:29 skrev =
Denis &lt;<a href=3D"mailto:denis.ietf@free.fr" =
class=3D"">denis.ietf@free.fr</a>&gt;:<br class=3D""></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">
 =20
   =20
 =20
  <div class=3D"">
    <div class=3D""><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D"">Rifaat &amp; Hannes,<br class=3D"">
      </span><p class=3D"MsoNormal"><span style=3D"font-family:Arial" =
lang=3D"EN-US" class=3D"">Hereafter are my comments:<br class=3D"">
          <br class=3D"">
          The introduction states :<br class=3D"">
          <br class=3D"">
        </span><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Recipients of such =
tokens are then
          able to verify the binding of the token to
          the key pair that<span class=3D"">&nbsp; </span>the
          client has
          demonstrated <br class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; that it holds via the =
DPoP header, thereby providing
          some
          assurance that the client presenting the token also possesses
          the private key. </span><br class=3D"">
        <span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""></span><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D"">
          <br class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In other words, the =
legitimate presenter of the token
          is constrained to be the
          sender that holds and can prove possession of the private part
          of the key pair.<br class=3D"">
          <br class=3D"">
          The client presenting the token <b class=3D"">does not =
necessarily
            possess the private key</b>.
          The client presenting the token has been able to use <br =
class=3D"">
          the
          results of some cryptographic functions using the private part
          of the key pair. <br class=3D"">
        </span></p><p class=3D"MsoNormal"><span =
style=3D"font-family:Arial" lang=3D"EN-US" class=3D"">These results may =
be communicated by one
          client to another client, if the two
          clients agree to collaborate. This statement will be added
          later on.<br class=3D"">
          <br class=3D"">
          Proposed rewording:<br class=3D"">
          <br class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Recipients of such tokens =
are then able to verify the
          binding of the token to
          the key pair that<span class=3D"">&nbsp; </span>the
          client has
          demonstrated <br class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; that it holds via the =
DPoP header, thereby providing
          some
          assurance that the client presenting the token <b =
class=3D"">either </b>also
          possesses <br class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; the
          private key <b class=3D"">or</b> has been able to use the =
result of
          cryptographic computations
          from another client that possesses the private key. <br =
class=3D"">
          <br class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In other words, the =
presenter of the token can prove
          that it has been able to
          use the results of cryptographic computations performed <br =
class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; by using the private
          part of the key pair. <br class=3D"">
          <br class=3D"">
          The objectives states<br class=3D"">
          <br class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The primary aim of DPoP =
is to prevent unauthorized or
          illegitimate parties from
          using leaked or stolen access tokens, <br class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; by binding a token to a =
public key upon
          issuance and requiring that the client proves possession of
          the corresponding
          <br class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; private key when using =
the token.<br class=3D"">
          <br class=3D"">
          DPoP does not prevent unauthorized or illegitimate parties
          from using access
          tokens, as soon as two clients agree to collaborate.<br =
class=3D"">
          <br class=3D"">
          Proposed rewording:<br class=3D"">
          <br class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The primary aim of DPoP =
is to bind a token to a public
          key upon issuance and
          requiring that the client proves possession <br class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; of the corresponding =
private key
          when using the token.<span class=3D"">&nbsp; </span>This
          does not demonstrate
          that the client presenting the token is <br class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; necessarily the =
legitimate client. In
          the case of non-collaborating clients, DPoP prevents
          unauthorized or
          illegitimate parties <br class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; from using leaked or =
stolen access tokens. In the case
          of
          collaborating clients, the security of DPoP is ineffective <br =
class=3D"">
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (see section 11.X).<br =
class=3D"">
          <br class=3D"">
          Section 11 is about "Security Considerations" and addresses
          the following topics:<br class=3D"">
          <br class=3D"">
          <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.1.<span =
class=3D"">&nbsp; </span>DPoP Proof Replay<br class=3D"">
          <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.2.<span =
class=3D"">&nbsp; </span>DPoP Proof Pre-Generation<br class=3D"">
          <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.3.<span =
class=3D"">&nbsp; </span>DPoP Nonce Downgrade<br class=3D"">
          <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.4.<span =
class=3D"">&nbsp; </span>Untrusted Code in the Client Context<br =
class=3D"">
          <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.5.<span =
class=3D"">&nbsp; </span>Signed JWT Swapping<br class=3D"">
          <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.6.<span =
class=3D"">&nbsp; </span>Signature Algorithms<br class=3D"">
          <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.7.<span =
class=3D"">&nbsp; </span>Message Integrity<br class=3D"">
          <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.8.<span =
class=3D"">&nbsp; </span>Access Token and Public Key Binding<br =
class=3D"">
          <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.9.<span =
class=3D"">&nbsp; </span>Authorization Code and Public Key Binding<br =
class=3D"">
          <br class=3D"">
          The case of collaborative clients should be addressed within
          section 11.<br class=3D"">
          <br class=3D"">
          Text proposal. <br class=3D"">
          <br class=3D"">
          <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.X.
          Collaborative clients<br class=3D"">
          <br class=3D"">
          =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DPoP =
demonstrates that the client presenting the
          token has been able to use the
          results of some cryptographic functions<br class=3D"">
          &nbsp; &nbsp;<span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>using the =
private part
          of the key pair.<br class=3D"">
          <br class=3D"">
        </span><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D"">&nbsp; &nbsp;<span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>If =
a client
          agrees to collaborate with another client, the security of
          DPoP is
          no longer effective.<span class=3D"">&nbsp; </span>When
          two clients
          agree to collaborate, <br class=3D"">
        </span><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D"">&nbsp; &nbsp;<span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span></span>these results
          of the cryptographic computations performed
          by one client may be communicated to another client. <br =
class=3D"">
          <br class=3D"">
        </span><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D"">&nbsp; &nbsp;<span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span></span>Even if the
          private key used for DPoP is stored in such a way that it
          cannot be
          exported, e.g., in a hardware or software security module, <br =
class=3D"">
        </span><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D"">&nbsp; &nbsp;<span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>the =
client can
          perform all the cryptographic computations needed by the other
          client to create
          DPoP proofs. <br class=3D"">
          <br class=3D"">
        </span><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D"">&nbsp; &nbsp;<span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>The =
client can
          easily create new DPoP proofs as long as the other client is
          online.<br class=3D"">
          <br class=3D"">
        </span><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""><span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D"">&nbsp; &nbsp;<span style=3D"font-family:Arial" lang=3D"EN-US" =
class=3D""> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span></span>Note: There
          exist other techniques able to limit, in some cases, the use
          of a token transmitted
          voluntarily by a legitimate client <br class=3D"">
          =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; to an illegitimate =
client.<br class=3D"">
          <br class=3D"">
          Denis</span></p>
    </div>
    <div class=3D""><br class=3D"">
    </div>
    <blockquote type=3D"cite" class=3D"">
     =20
      <div dir=3D"ltr" class=3D"">All,<br class=3D"">
        <br class=3D"">
        As discussed during the IETF meeting in <b class=3D"">Vienna</b> =
last
        week, this is a <b class=3D"">WG Last Call </b>for the&nbsp;<b =
class=3D"">DPoP</b>
        document:<br class=3D"">
        <a =
href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/" =
target=3D"_blank" =
class=3D"">https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/</a><br =
class=3D"">
        <br class=3D"">
        Please, provide your feedback on the mailing list by April =
11th.<br class=3D"">
        <br class=3D"">
        Regards,<br class=3D"">
        &nbsp;Rifaat &amp; Hannes<br class=3D"">
        <div class=3D""><br class=3D"">
        </div>
      </div>
      <br class=3D"">
      <fieldset class=3D""></fieldset>
      <pre class=3D"">_______________________________________________
OAuth mailing list
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote><p class=3D""><br class=3D"">
    </p>
  </div>

_______________________________________________<br class=3D"">
OAuth mailing list<br class=3D"">
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a><br class=3D"">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer"=
 target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><br class=3D"">
</blockquote></div><br clear=3D"all" class=3D""><div class=3D""><br =
class=3D""></div>-- <br class=3D""><div dir=3D"ltr" =
class=3D"gmail_signature"><div dir=3D"ltr" class=3D""><div class=3D""><div=
 dir=3D"ltr" class=3D""><div style=3D"color:rgb(80,0,80)" class=3D""><span=
 style=3D"color:rgb(34,34,34)" class=3D"">Vennlig hilsen</span><br =
class=3D""></div><div style=3D"color:rgb(80,0,80)" class=3D""><span =
style=3D"color:rgb(34,34,34)" class=3D""><br class=3D""></span></div><div =
style=3D"color:rgb(80,0,80)" class=3D""><div style=3D"color:rgb(34,34,34)"=
 class=3D"">Steinar Noem</div><div style=3D"color:rgb(34,34,34)" =
class=3D"">Partner Udelt AS</div><div style=3D"color:rgb(34,34,34)" =
class=3D"">Systemutvikler</div><div style=3D"color:rgb(34,34,34)" =
class=3D"">&nbsp;</div><div style=3D"color:rgb(34,34,34)" =
class=3D"">|&nbsp;<a href=3D"mailto:steinar@udelt.no" =
style=3D"color:rgb(17,85,204)" target=3D"_blank" class=3D""><span =
style=3D"color:rgb(34,34,34);background:rgb(255,255,204)" =
class=3D"">steinar@udelt.no</span></a>&nbsp;|&nbsp;<a =
href=3D"mailto:hei@udelt.no" style=3D"color:rgb(17,85,204)" =
target=3D"_blank" class=3D"">hei@udelt.no</a>&nbsp;&nbsp;|&nbsp;<a =
class=3D"">+47 955 21 620</a>&nbsp;|&nbsp;<a href=3D"http://www.udelt.no/"=
 style=3D"color:rgb(17,85,204)" target=3D"_blank" =
class=3D"">www.udelt.no</a>&nbsp;|&nbsp;</div></div></div></div></div></di=
v>
_______________________________________________<br class=3D"">OAuth =
mailing list<br class=3D""><a href=3D"mailto:OAuth@ietf.org" =
class=3D"">OAuth@ietf.org</a><br =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth<br =
class=3D""></div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_D4C66886-B0B7-4BA1-9017-8A4224B418E4--


From nobody Tue Mar 29 06:13:45 2022
Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92BFC3A077F for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 06:13:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level: 
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YdHh0wIUULJH for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 06:13:38 -0700 (PDT)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30E273A183C for <oauth@ietf.org>; Tue, 29 Mar 2022 06:13:38 -0700 (PDT)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id AC8691E106 for <oauth@ietf.org>; Tue, 29 Mar 2022 13:13:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1648559615; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=8kkLIrVAZgYWd4fzHN01CULKcfCr1bXQTR6UpIclwW8=; b=BzaPh0AL1A1HPN0dvCkE9DS29VcVniR6Env6pOGWWeaYxBGwWZBlxJPMz/Cy5jAUJaPtLc 7gGuJnZjVklFiWxvQfwRP3u3+ukEMGejSJOb0pBRyX07m5xHE8RFyoWrL9Y3mbwfQRe7mF dnS+T5GywluTXDbC45tSXcTtyp2c2vg=
Content-Type: multipart/alternative; boundary="------------HNNMZBi0P3v0ucWs3t5koYod"
Message-ID: <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de>
Date: Tue, 29 Mar 2022 15:13:35 +0200
MIME-Version: 1.0
Content-Language: de-DE
To: oauth@ietf.org
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu>
From: Daniel Fett <fett@danielfett.de>
In-Reply-To: <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu>
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de;  s=dkim; t=1648559615; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=8kkLIrVAZgYWd4fzHN01CULKcfCr1bXQTR6UpIclwW8=; b=f2jqvirJFlmZZc6/26Of+0NpL0N/5PiGisGKnze1ajwuM5iElbZvTE1ng5Jtm80XbD7x90 O6O98lJ0FsyrUTv7fMd7SSWUegcb5aI84l+bNW48kdxbtIWTb7XH+uYlFGYt0DsWWtIqWY UQPF4m+VvRVqrcL1R0tKf0QvgEbm010=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1648559615; a=rsa-sha256; cv=none; b=E4ksNcRS8jI0tceWriL6txXZt8QrRB/xjWmr8ciAzk00F/jUtbbS/vJrSv0KshbxVkZbtO lBI/qjiOQx5L1kTMWXkODDmHpBS1Y/W/8zEZ9OEml5PWOE0skxDz0vUllszW5PWbsY7KJa f1/iOwsSitKEe7s/w+H3ZALnt91qfsA=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: ---
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/D62u209bpATIfgPpmi3g0Pe1uCY>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 13:13:44 -0000

This is a multi-part message in MIME format.
--------------HNNMZBi0P3v0ucWs3t5koYod
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

+1

Am 29.03.22 um 15:10 schrieb Justin Richer:
> And this is exactly the problem with the “collaborating clients” 
> attack, as has been pointed out any number of times it’s been brought 
> up before. If two clients are willingly collaborating in this way, 
> they do not need to share any cryptographic material and impersonate 
> each other.
>
> You don’t need to steal my license if I’m willing to just go buy you beer.
>
> The DPoP draft does address signed request re-use, which some see as a 
> feature to be carefully applied.
>
>  — Justin
>
>> On Mar 28, 2022, at 1:04 PM, Steinar Noem <steinar@udelt.no> wrote:
>>
>> Interesting, but won't two collaborating clients just pass any data 
>> they want to each other? Why would these collaborating clients go 
>> through the trouble of exchanging private keys, dpop proofs or 
>> tokens? Could you elaborate some more on the scenario?
>>
>> S
>>
>> man. 28. mar. 2022 kl. 16:29 skrev Denis <denis.ietf@free.fr>:
>>
>>     Rifaat & Hannes,
>>
>>     Hereafter are my comments:
>>
>>     The introduction states:
>>
>>            Recipients of such tokens are then able to verify the
>>     binding of the token to the key pair that the client has demonstrated
>>            that it holds via the DPoP header, thereby providing some
>>     assurance that the client presenting the token also possesses the
>>     private key.
>>
>>            In other words, the legitimate presenter of the token is
>>     constrained to be the sender that holds and can prove possession
>>     of the private part of the key pair.
>>
>>     The client presenting the token *does not necessarily possess the
>>     private key*. The client presenting the token has been able to use
>>     the results of some cryptographic functions using the private
>>     part of the key pair.
>>
>>     These results may be communicated by one client to another
>>     client, if the two clients agree to collaborate. This statement
>>     will be added later on.
>>
>>     Proposed rewording:
>>
>>            Recipients of such tokens are then able to verify the
>>     binding of the token to the key pair that the client has demonstrated
>>            that it holds via the DPoP header, thereby providing some
>>     assurance that the client presenting the token *either *also
>>     possesses
>>            the private key *or* has been able to use the result of
>>     cryptographic computations from another client that possesses the
>>     private key.
>>
>>            In other words, the presenter of the token can prove that
>>     it has been able to use the results of cryptographic computations
>>     performed
>>            by using the private part of the key pair.
>>
>>     The objectives states
>>
>>            The primary aim of DPoP is to prevent unauthorized or
>>     illegitimate parties from using leaked or stolen access tokens,
>>            by binding a token to a public key upon issuance and
>>     requiring that the client proves possession of the corresponding
>>            private key when using the token.
>>
>>     DPoP does not prevent unauthorized or illegitimate parties from
>>     using access tokens, as soon as two clients agree to collaborate.
>>
>>     Proposed rewording:
>>
>>            The primary aim of DPoP is to bind a token to a public key
>>     upon issuance and requiring that the client proves possession
>>            of the corresponding private key when using the token. This
>>     does not demonstrate that the client presenting the token is
>>            necessarily the legitimate client. In the case of
>>     non-collaborating clients, DPoP prevents unauthorized or
>>     illegitimate parties
>>            from using leaked or stolen access tokens. In the case of
>>     collaborating clients, the security of DPoP is ineffective
>>            (see section 11.X).
>>
>>     Section 11 is about "Security Considerations" and addresses the
>>     following topics:
>>
>>     11.1.DPoP Proof Replay
>>     11.2.DPoP Proof Pre-Generation
>>     11.3.DPoP Nonce Downgrade
>>     11.4.Untrusted Code in the Client Context
>>     11.5.Signed JWT Swapping
>>     11.6.Signature Algorithms
>>     11.7.Message Integrity
>>     11.8.Access Token and Public Key Binding
>>     11.9.Authorization Code and Public Key Binding
>>
>>     The case of collaborative clients should be addressed within
>>     section 11.
>>
>>     Text proposal.
>>
>>     11.X. Collaborative clients
>>
>>                 DPoP demonstrates that the client presenting the
>>     token has been able to use the results of some cryptographic
>>     functions
>>     using the private part of the key pair.
>>
>>     If a client agrees to collaborate with another client, the
>>     security of DPoP is no longer effective. When two clients agree to
>>     collaborate,
>>     these results of the cryptographic computations performed by one
>>     client may be communicated to another client.
>>
>>     Even if the private key used for DPoP is stored in such a way
>>     that it cannot be exported, e.g., in a hardware or software
>>     security module,
>>     the client can perform all the cryptographic computations needed
>>     by the other client to create DPoP proofs.
>>
>>     The client can easily create new DPoP proofs as long as the other
>>     client is online.
>>
>>     Note: There exist other techniques able to limit, in some cases,
>>     the use of a token transmitted voluntarily by a legitimate client
>>                           to an illegitimate client.
>>
>>     Denis
>>
>>
>>>     All,
>>>
>>>     As discussed during the IETF meeting in *Vienna* last week, this
>>>     is a *WG Last Call *for the *DPoP* document:
>>>     https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>>
>>>     Please, provide your feedback on the mailing list by April 11th.
>>>
>>>     Regards,
>>>      Rifaat & Hannes
>>>
>>>
>>>     _______________________________________________
>>>     OAuth mailing list
>>>     OAuth@ietf.org
>>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org
>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> -- 
>> Vennlig hilsen
>>
>> Steinar Noem
>> Partner Udelt AS
>> Systemutvikler
>> | steinar@udelt.no <mailto:steinar@udelt.no> | hei@udelt.no  | +47 
>> 955 21 620 | www.udelt.no <http://www.udelt.no/> |
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
https://danielfett.de
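To make the two points of this thread concrete, here is an added example (my own Go code, not from the thread, the DPoP draft or any of its implementations): a minimal ES256 DPoP proof signer plus the resource-server verifier. The verifier enforces the key binding (the jwk in the proof header must match the access token's cnf.jkt thumbprint) and the reuse limits Justin refers to (htm/htu, iat window, jti replay set); as Denis observes, it can only check that a valid proof was presented, not which party transmitted it. The key pairs, the URI "https://rs.example/resource", the timestamps and the jti values are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// Proof header and claims as the draft defines them; Go's decoder matches the lowercase names.
type header struct {
	Typ, Alg string
	JWK      map[string]string // the EC public key (kty, crv, x, y)
}
type claims struct {
	JTI, HTM, HTU string
	IAT           int64
}

// NewKey returns a fresh P-256 key pair for one client (error ignored for brevity).
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func pubToJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// thumbprint is the RFC 7638 JWK thumbprint that the AS places in the token's cnf.jkt.
func thumbprint(k map[string]string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k["crv"], k["kty"], k["x"], k["y"])))
	return b64.EncodeToString(sum[:])
}

// KeyThumbprint is the cnf.jkt an access token bound to this key would carry.
func KeyThumbprint(priv *ecdsa.PrivateKey) string { return thumbprint(pubToJWK(&priv.PublicKey)) }
// MakeProof signs an ES256 DPoP proof JWT for one HTTP method and URI.
func MakeProof(priv *ecdsa.PrivateKey, htm, htu, jti string, iat int64) (string, error) {
	h, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": pubToJWK(&priv.PublicKey)})
	c, _ := json.Marshal(map[string]interface{}{"jti": jti, "htm": htm, "htu": htu, "iat": iat})
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS r||s form
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verifier is the resource-server side: a clock, a freshness window and the jti values already accepted.
type Verifier struct {
	Now, MaxAge int64
	SeenJTI     map[string]bool
}

// VerifyProof accepts a proof only if it is validly signed by the key in its header, that key matches
// the token's cnf.jkt (expectedJKT) and jti/htm/htu/iat are acceptable; it cannot tell who sent it.
func (v *Verifier) VerifyProof(proof, htm, htu, expectedJKT string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	hb, e1 := b64.DecodeString(parts[0])
	cb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var h, c = header{}, claims{}
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hb, &h) != nil ||
		json.Unmarshal(cb, &c) != nil || h.Typ != "dpop+jwt" || h.Alg != "ES256" ||
		h.JWK["kty"] != "EC" || h.JWK["crv"] != "P-256" {
		return errors.New("malformed or unsupported proof")
	}
	x, e4 := b64.DecodeString(h.JWK["x"])
	y, e5 := b64.DecodeString(h.JWK["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if e4 != nil || e5 != nil || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad jwk or signature")
	}
	switch {
	case thumbprint(h.JWK) != expectedJKT: // the binding check: proof key must be the token's key
		return errors.New("proof key does not match token cnf.jkt")
	case c.HTM != htm || c.HTU != htu: // the proof is good for one method and URI only
		return errors.New("htm/htu mismatch")
	case c.IAT > v.Now+30 || v.Now-c.IAT > v.MaxAge: // short lifetime limits pre-generation
		return errors.New("iat outside acceptance window")
	case v.SeenJTI[c.JTI]: // each proof is accepted once (section 11.1)
		return errors.New("replayed jti")
	}
	v.SeenJTI[c.JTI] = true
	return nil
}
```

A proof that passes every check above is accepted no matter which client put it on the wire, which is exactly the gap the thread discusses; the htm/htu, iat and jti checks are what limits how far a voluntarily handed-over proof can be reused.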

--------------HNNMZBi0P3v0ucWs3t5koYod
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>+1<br>
    </p>
    <div class="moz-cite-prefix">Am 29.03.22 um 15:10 schrieb Justin
      Richer:<br>
    </div>
    <blockquote type="cite"
      cite="mid:F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      And this is exactly the problem with the “collaborating clients”
      attack, as has been pointed out any number of times it’s been
      brought up before. If two clients are willingly collaborating in
      this way, they do not need to share any cryptographic material and
      impersonate each other.
      <div class=""><br class="">
      </div>
      <div class="">You don’t need to steal my license if I’m willing to
        just go buy you beer.</div>
      <div class=""><br class="">
      </div>
      <div class="">The DPoP draft does address signed request re-use,
        which some see as a feature to be carefully applied.</div>
      <div class=""><br class="">
      </div>
      <div class=""> — Justin<br class="">
        <div><br class="">
          <blockquote type="cite" class="">
            <div class="">On Mar 28, 2022, at 1:04 PM, Steinar Noem &lt;<a
                href="mailto:steinar@udelt.no"
                class="moz-txt-link-freetext" moz-do-not-send="true">steinar@udelt.no</a>&gt;
              wrote:</div>
            <br class="Apple-interchange-newline">
            <div class="">
              <meta http-equiv="Content-Type" content="text/html;
                charset=UTF-8" class="">
              <div dir="ltr" class="">Interesting, but won't two
                collaborating clients just pass any data they want to
                each other? Why would these collaborating clients go
                through the trouble of exchanging private keys, dpop
                proofs or tokens? Could you elaborate some more on the
                scenario? 
                <div class=""><br class="">
                </div>
                <div class="">S</div>
              </div>
              <br class="">
              <div class="gmail_quote">
                <div dir="ltr" class="gmail_attr">man. 28. mar. 2022 kl.
                  16:29 skrev Denis &lt;<a
                    href="mailto:denis.ietf@free.fr"
                    class="moz-txt-link-freetext" moz-do-not-send="true">denis.ietf@free.fr</a>&gt;:<br
                    class="">
                </div>
                <blockquote class="gmail_quote" style="margin:0px 0px
                  0px 0.8ex;border-left:1px solid
                  rgb(204,204,204);padding-left:1ex">
                  <div class="">
                    <div class=""><span style="font-family:Arial"
                        class="" lang="EN-US">Rifaat &amp; Hannes,<br
                          class="">
                      </span>
                      <p class="MsoNormal"><span
                          style="font-family:Arial" class=""
                          lang="EN-US">Hereafter are my comments:<br
                            class="">
                          <br class="">
                          The introduction states :<br class="">
                          <br class="">
                        </span><span style="font-family:Arial" class=""
                          lang="EN-US">       Recipients of such tokens
                          are then able to verify the binding of the
                          token to the key pair that<span class="">  </span>the
                          client has demonstrated <br class="">
                                 that it holds via the DPoP header,
                          thereby providing some assurance that the
                          client presenting the token also possesses the
                          private key. </span><br class="">
                        <span style="font-family:Arial" class=""
                          lang="EN-US"></span><span
                          style="font-family:Arial" class=""
                          lang="EN-US"> <br class="">
                                 In other words, the legitimate
                          presenter of the token is constrained to be
                          the sender that holds and can prove possession
                          of the private part of the key pair.<br
                            class="">
                          <br class="">
                          The client presenting the token <b class="">does
                            not necessarily possess the private key</b>.
                          The client presenting the token has been able
                          to use <br class="">
                          the results of some cryptographic functions
                          using the private part of the key pair. <br
                            class="">
                        </span></p>
                      <p class="MsoNormal"><span
                          style="font-family:Arial" class=""
                          lang="EN-US">These results may be communicated
                          by one client to another client, if the two
                          clients agree to collaborate. This statement
                          will be added later on.<br class="">
                          <br class="">
                          Proposed rewording:<br class="">
                          <br class="">
                                 Recipients of such tokens are then able
                          to verify the binding of the token to the key
                          pair that<span class="">  </span>the client
                          has demonstrated <br class="">
                                 that it holds via the DPoP header,
                          thereby providing some assurance that the
                          client presenting the token <b class="">either
                          </b>also possesses <br class="">
                                 the private key <b class="">or</b> has
                          been able to use the result of cryptographic
                          computations from another client that
                          possesses the private key. <br class="">
                          <br class="">
                                 In other words, the presenter of the
                          token can prove that it has been able to use
                          the results of cryptographic computations
                          performed <br class="">
                                 by using the private part of the key
                          pair. <br class="">
                          <br class="">
                          The objectives states<br class="">
                          <br class="">
                                 The primary aim of DPoP is to prevent
                          unauthorized or illegitimate parties from
                          using leaked or stolen access tokens, <br
                            class="">
                                 by binding a token to a public key upon
                          issuance and requiring that the client proves
                          possession of the corresponding <br class="">
                                 private key when using the token.<br
                            class="">
                          <br class="">
                          DPoP does not prevent unauthorized or
                          illegitimate parties from using access tokens,
                          as soon as two clients agree to collaborate.<br
                            class="">
                          <br class="">
                          Proposed rewording:<br class="">
                          <br class="">
                                 The primary aim of DPoP is to bind a
                          token to a public key upon issuance and
                          requiring that the client proves possession <br
                            class="">
                                 of the corresponding private key when
                          using the token.<span class="">  </span>This
                          does not demonstrate that the client
                          presenting the token is <br class="">
                                 necessarily the legitimate client. In
                          the case of non-collaborating clients, DPoP
                          prevents unauthorized or illegitimate parties
                          <br class="">
                                 from using leaked or stolen access
                          tokens. In the case of collaborating clients,
                          the security of DPoP is ineffective <br
                            class="">
                                 (see section 11.X).<br class="">
                          <br class="">
                          Section 11 is about "Security Considerations"
                          and addresses the following topics:<br
                            class="">
                          <br class="">
                          <span class="">     </span>11.1.<span
                            class="">  </span>DPoP Proof Replay<br
                            class="">
                          <span class="">     </span>11.2.<span
                            class="">  </span>DPoP Proof Pre-Generation<br
                            class="">
                          <span class="">     </span>11.3.<span
                            class="">  </span>DPoP Nonce Downgrade<br
                            class="">
                          <span class="">     </span>11.4.<span
                            class="">  </span>Untrusted Code in the
                          Client Context<br class="">
                          <span class="">     </span>11.5.<span
                            class="">  </span>Signed JWT Swapping<br
                            class="">
                          <span class="">     </span>11.6.<span
                            class="">  </span>Signature Algorithms<br
                            class="">
                          <span class="">     </span>11.7.<span
                            class="">  </span>Message Integrity<br
                            class="">
                          <span class="">     </span>11.8.<span
                            class="">  </span>Access Token and Public
                          Key Binding<br class="">
                          <span class="">     </span>11.9.<span
                            class="">  </span>Authorization Code and
                          Public Key Binding<br class="">
                          <br class="">
                          The case of collaborative clients should be
                          addressed within section 11.<br class="">
                          <br class="">
                          Text proposal. <br class="">
                          <br class="">
                          <span class="">     </span>11.X.
                          Collaborative clients<br class="">
                          <br class="">
                                      DPoP demonstrates that the client
                          presenting the token has been able to use the
                          results of some cryptographic functions<br
                            class="">
                             <span style="font-family:Arial" class=""
                            lang="EN-US">         </span>using the
                          private part of the key pair.<br class="">
                          <br class="">
                        </span><span style="font-family:Arial" class=""
                          lang="EN-US"><span style="font-family:Arial"
                            class="" lang="EN-US">   <span
                              style="font-family:Arial" class=""
                              lang="EN-US">         </span></span>If a
                          client agrees to collaborate with another
                          client, the security of DPoP is no longer
                          effective.<span class="">  </span>When two
                          clients agree to collaborate, <br class="">
                        </span><span style="font-family:Arial" class=""
                          lang="EN-US"><span style="font-family:Arial"
                            class="" lang="EN-US">   <span
                              style="font-family:Arial" class=""
                              lang="EN-US">         </span></span>these
                          results of the cryptographic computations
                          performed by one client may be communicated to
                          another client. <br class="">
                          <br class="">
                        </span><span style="font-family:Arial" class=""
                          lang="EN-US"><span style="font-family:Arial"
                            class="" lang="EN-US">   <span
                              style="font-family:Arial" class=""
                              lang="EN-US">         </span></span>Even
                          if the private key used for DPoP is stored in
                          such a way that it cannot be exported, e.g.,
                          in a hardware or software security module, <br
                            class="">
                        </span><span style="font-family:Arial" class=""
                          lang="EN-US"><span style="font-family:Arial"
                            class="" lang="EN-US">   <span
                              style="font-family:Arial" class=""
                              lang="EN-US">         </span></span>the
                          client can perform all the cryptographic
                          computations needed by the other client to
                          create DPoP proofs. <br class="">
                          <br class="">
                        </span><span style="font-family:Arial" class=""
                          lang="EN-US"><span style="font-family:Arial"
                            class="" lang="EN-US">   <span
                              style="font-family:Arial" class=""
                              lang="EN-US">         </span></span>The
                          client can easily create new DPoP proofs as
                          long as the other client is online.<br
                            class="">
                          <br class="">
                        </span><span style="font-family:Arial" class=""
                          lang="EN-US"><span style="font-family:Arial"
                            class="" lang="EN-US">   <span
                              style="font-family:Arial" class=""
                              lang="EN-US">         </span></span>Note:
                          There exist other techniques able to limit, in
                          some cases, the use of a token transmitted
                          voluntarily by a legitimate client <br
                            class="">
                                                to an illegitimate
                          client.<br class="">
                          <br class="">
                          Denis</span></p>
                    </div>
                    <div class=""><br class="">
                    </div>
                    <blockquote type="cite" class="">
                      <div dir="ltr" class="">All,<br class="">
                        <br class="">
                        As discussed during the IETF meeting in <b
                          class="">Vienna</b> last week, this is a <b
                          class="">WG Last Call </b>for the <b class="">DPoP</b>
                        document:<br class="">
                        <a
                          href="https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/"
                          target="_blank" class="moz-txt-link-freetext"
                          moz-do-not-send="true">https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/</a><br
                          class="">
                        <br class="">
                        Please, provide your feedback on the mailing
                        list by April 11th.<br class="">
                        <br class="">
                        Regards,<br class="">
                         Rifaat &amp; Hannes<br class="">
                        <div class=""><br class="">
                        </div>
                      </div>
                      <br class="">
                      <fieldset class=""></fieldset>
                      <pre class="">_______________________________________________
OAuth mailing list
<a href="mailto:OAuth@ietf.org" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">OAuth@ietf.org</a>
<a href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                    </blockquote>
                    <p class=""><br class="">
                    </p>
                  </div>
                  _______________________________________________<br
                    class="">
                  OAuth mailing list<br class="">
                  <a href="mailto:OAuth@ietf.org" target="_blank"
                    class="moz-txt-link-freetext" moz-do-not-send="true">OAuth@ietf.org</a><br
                    class="">
                  <a href="https://www.ietf.org/mailman/listinfo/oauth"
                    rel="noreferrer" target="_blank"
                    class="moz-txt-link-freetext" moz-do-not-send="true">https://www.ietf.org/mailman/listinfo/oauth</a><br
                    class="">
                </blockquote>
              </div>
              <br class="" clear="all">
              <div class=""><br class="">
              </div>
              -- <br class="">
              <div dir="ltr" class="gmail_signature">
                <div dir="ltr" class="">
                  <div class="">
                    <div dir="ltr" class="">
                      <div style="color:rgb(80,0,80)" class=""><span
                          style="color:rgb(34,34,34)" class="">Vennlig
                          hilsen</span><br class="">
                      </div>
                      <div style="color:rgb(80,0,80)" class=""><span
                          style="color:rgb(34,34,34)" class=""><br
                            class="">
                        </span></div>
                      <div style="color:rgb(80,0,80)" class="">
                        <div style="color:rgb(34,34,34)" class="">Steinar
                          Noem</div>
                        <div style="color:rgb(34,34,34)" class="">Partner
                          Udelt AS</div>
                        <div style="color:rgb(34,34,34)" class="">Systemutvikler</div>
                        <div style="color:rgb(34,34,34)" class=""> </div>
                        <div style="color:rgb(34,34,34)" class="">| <a
                            href="mailto:steinar@udelt.no"
                            style="color:rgb(17,85,204)" target="_blank"
                            class="" moz-do-not-send="true"><span
                              style="color:rgb(34,34,34);background:rgb(255,255,204)"
                              class="">steinar@udelt.no</span></a> | <a
                            href="mailto:hei@udelt.no"
                            style="color:rgb(17,85,204)" target="_blank"
                            class="moz-txt-link-freetext"
                            moz-do-not-send="true">hei@udelt.no</a>  | <a
                            class="" moz-do-not-send="true">+47 955 21
                            620</a> | <a href="http://www.udelt.no/"
                            style="color:rgb(17,85,204)" target="_blank"
                            class="" moz-do-not-send="true">www.udelt.no</a> | </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
              _______________________________________________<br
                class="">
              OAuth mailing list<br class="">
              <a href="mailto:OAuth@ietf.org"
                class="moz-txt-link-freetext" moz-do-not-send="true">OAuth@ietf.org</a><br
                class="">
              <a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><br class="">
            </div>
          </blockquote>
        </div>
        <br class="">
      </div>
      <br>
      <fieldset class="moz-mime-attachment-header"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
<a class="moz-txt-link-freetext" href="https://danielfett.de">https://danielfett.de</a></pre>
  </body>
</html>

--------------HNNMZBi0P3v0ucWs3t5koYod--


From nobody Tue Mar 29 06:13:58 2022
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 868E73A18C7; Tue, 29 Mar 2022 06:13:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.72
X-Spam-Level: 
X-Spam-Status: No, score=-1.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.186, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WemtRRlPB_CS; Tue, 29 Mar 2022 06:13:43 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03CDA3A18AF; Tue, 29 Mar 2022 06:13:42 -0700 (PDT)
Received: from smtpclient.apple (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 22TDDefv013424 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 29 Mar 2022 09:13:41 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <EA30DFC4-E990-43A1-B399-5D63AE7B36BB@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B96AEA0E-054F-4844-963A-6B277F714052"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
Date: Tue, 29 Mar 2022 09:13:40 -0400
In-Reply-To: <CACW8--P6CHL=Op+gD17p_4FLoR11-aknR7ZiPgVP5NOnxzmwPw@mail.gmail.com>
Cc: oauth@ietf.org
To: Rohan Mahy <rohan=40wire.com@dmarc.ietf.org>
References: <CACW8--P6CHL=Op+gD17p_4FLoR11-aknR7ZiPgVP5NOnxzmwPw@mail.gmail.com>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NkeZjSVkSatzCcUPUV2AX4AAsog>
Subject: Re: [OAUTH-WG] access token hash claim name in oauth-dpop draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 13:13:56 -0000

--Apple-Mail=_B96AEA0E-054F-4844-963A-6B277F714052
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

Yes, it was considered, discussed, and rejected. The reason being “at_hash” has a somewhat convoluted definition (left-bits of a hash of an access token in the context of a JOSE object, etc), to fit some of the design constraints of ID Tokens. DPoP proofs do not have those same constraints. DPoP opted, correctly in my opinion, to simplify this by declaring a single hashing algorithm and using its full output value. Cryptographic agility would be achieved by defining a new claim with a new hashing algorithm.

 — Justin

> On Mar 28, 2022, at 10:41 AM, Rohan Mahy <rohan=40wire.com@dmarc.ietf.org> wrote:
>
> Hi,
> Did you consider using the (already IANA registered) at_hash claim defined in:
> https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken <https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken>
> instead of defining a new ath claim?
>
> It seems like if we don't use at_hash we should explain why ath is better/different.
> Thanks,
> -rohan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



--Apple-Mail=_B96AEA0E-054F-4844-963A-6B277F714052--
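
The difference Justin describes, shown as an added example (this is not code from the thread, the DPoP draft or OpenID Connect): `Ath` computes the DPoP `ath` value, the full SHA-256 digest of the access token, base64url-encoded without padding; `AtHash` computes the OpenID Connect `at_hash` value, which depends on the ID Token's `alg` (the hash function of that algorithm, keeping only the left-most half of the digest). The token value is a constructed sample, and the `hashForAlg` mapping is an assumption of this example that covers only the HS/RS/ES/PS algorithm families.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"fmt"
	"hash"
)

// Ath is the DPoP "ath" claim: SHA-256 over the ASCII access token value, full
// digest, base64url without padding. One fixed algorithm, no dependence on any
// surrounding JOSE header.
func Ath(accessToken string) string {
	sum := sha256.Sum256([]byte(accessToken))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// hashForAlg maps a JWS alg to the hash function OpenID Connect uses for
// at_hash. Only the HS/RS/ES/PS families are mapped here (an assumption of
// this example); any other alg is rejected.
func hashForAlg(alg string) (func() hash.Hash, bool) {
	switch alg {
	case "HS256", "RS256", "ES256", "PS256":
		return sha256.New, true
	case "HS384", "RS384", "ES384", "PS384":
		return sha512.New384, true
	case "HS512", "RS512", "ES512", "PS512":
		return sha512.New, true
	}
	return nil, false
}

// AtHash is the OpenID Connect "at_hash" claim: hash the access token with the
// hash function of the ID Token's JWS alg, keep the left-most half of the
// digest, then base64url-encode without padding. Its value therefore depends
// on the JOSE object it travels in, which is the "convoluted definition" above.
func AtHash(accessToken, idTokenAlg string) (string, error) {
	newHash, ok := hashForAlg(idTokenAlg)
	if !ok {
		return "", fmt.Errorf("no at_hash hash mapping for alg %q", idTokenAlg)
	}
	h := newHash()
	h.Write([]byte(accessToken))
	digest := h.Sum(nil)
	return base64.RawURLEncoding.EncodeToString(digest[:len(digest)/2]), nil
}

func main() {
	token := "constructed-sample-access-token" // constructed value, not a real token
	fmt.Println("ath           :", Ath(token))
	for _, alg := range []string{"RS256", "ES384", "PS512"} {
		v, _ := AtHash(token, alg)
		fmt.Printf("at_hash/%-5s : %s\n", alg, v)
	}
}
```

Because `at_hash` is truncated to half the digest, the first 21 base64url characters of a SHA-256 `at_hash` equal those of `ath` for the same token, but the two values are not interchangeable: a verifier that compares an `ath` against an `at_hash`-style computation (or the other way round) will reject every proof.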


From nobody Tue Mar 29 06:19:26 2022
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9483A3A18B4 for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 06:19:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.943
X-Spam-Level: 
X-Spam-Status: No, score=-0.943 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.186, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pdsT_VZbmthK for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 06:19:19 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp05.smtpout.orange.fr [80.12.242.127]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5CE53A0789 for <oauth@ietf.org>; Tue, 29 Mar 2022 06:19:18 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.93.96]) by smtp.orange.fr with ESMTPA id ZBkbnmHVYPEU7ZBkfnkuuG; Tue, 29 Mar 2022 15:19:16 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: OWU3ZmVkYWM0M2UwZWM1YifxM2Q3ZDk1YiUzNWJiZTM2MiliMTI0N2YxZmQ=
X-ME-Date: Tue, 29 Mar 2022 15:19:16 +0200
X-ME-IP: 90.26.93.96
Content-Type: multipart/alternative; boundary="------------Hwhw83fR6sc0rIemCs2fRmqz"
Message-ID: <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr>
Date: Tue, 29 Mar 2022 15:19:09 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-GB
To: oauth@ietf.org
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu> <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de>
From: Denis <denis.ietf@free.fr>
In-Reply-To: <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Bbc60Ci7cjrTWz-qzINyxAHaCyo>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 13:19:24 -0000

This is a multi-part message in MIME format.
--------------Hwhw83fR6sc0rIemCs2fRmqz
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi Justin,

You broke the thread since you have not re-used the last message which was:

    Steinar,

    As you have guessed, no data (except the token and some crypto
    checksums) is passing through the clients.

    Once the legitimate client has allowed the illegitimate client to
    use the token, the illegitimate client can do anything it wants with it.
    The legitimate client can be kept fully ignorant of what
    illegitimate client is doing.

    The data flow is minimal: if the token allows viewing a 4 Gb movie,
    that data does not flow between the clients.

    Furthermore, the content of the token may allow the illegitimate
    client to use it during days or months.
    Suppose that the token indicates "over 18". If the user is over 18
    now, he will certainly be "over 18" the next days, months or years.
    There is no need to refresh the token as it would be the case if the
    token included a home address.

This message explains why this collaborative attack is very different 
from simply forwarding messages between clients.

The illegitimate client can do anything it wants without disclosing what 
it is doing to the legitimate client.
The traffic between the clients is kept to the very minimum.

Denis

> +1
>
> Am 29.03.22 um 15:10 schrieb Justin Richer:
>> And this is exactly the problem with the “collaborating clients” 
>> attack, as has been pointed out any number of times it’s been brought 
>> up before. If two clients are willingly collaborating in this way, 
>> they do not need to share any cryptographic material and impersonate 
>> each other.
>>
>> You don’t need to steal my license if I’m willing to just go buy you 
>> beer.
>>
>> The DPoP draft does address signed request re-use, which some see as 
>> a feature to be carefully applied.
>>
>>  — Justin
>>
>>> On Mar 28, 2022, at 1:04 PM, Steinar Noem <steinar@udelt.no> wrote:
>>>
>>> Interesting, but won't two collaborating clients just pass any data 
>>> they want to each other? Why would these collaborating clients go 
>>> through the trouble of exchanging private keys, dpop proofs or 
>>> tokens? Could you elaborate some more on the scenario?
>>>
>>> S
>>>
>>> man. 28. mar. 2022 kl. 16:29 skrev Denis <denis.ietf@free.fr>:
>>>
>>>     Rifaat & Hannes,
>>>
>>>     Hereafter are my comments:
>>>
>>>     The introduction states:
>>>
>>>            Recipients of such tokens are then able to verify the
>>>     binding of the token to the key pair that the client has
>>>     demonstrated
>>>            that it holds via the DPoP header, thereby providing some
>>>     assurance that the client presenting the token also possesses
>>>     the private key.
>>>
>>>            In other words, the legitimate presenter of the token is
>>>     constrained to be the sender that holds and can prove possession
>>>     of the private part of the key pair.
>>>
>>>     The client presenting the token *does not necessarily possess
>>>     the private key*. The client presenting the token has been able
>>>     to use
>>>     the results of some cryptographic functions using the private
>>>     part of the key pair.
>>>
>>>     These results may be communicated by one client to another
>>>     client, if the two clients agree to collaborate. This statement
>>>     will be added later on.
>>>
>>>     Proposed rewording:
>>>
>>>            Recipients of such tokens are then able to verify the
>>>     binding of the token to the key pair that the client has
>>>     demonstrated
>>>            that it holds via the DPoP header, thereby providing some
>>>     assurance that the client presenting the token *either *also
>>>     possesses
>>>            the private key *or* has been able to use the result of
>>>     cryptographic computations from another client that possesses
>>>     the private key.
>>>
>>>            In other words, the presenter of the token can prove that
>>>     it has been able to use the results of cryptographic
>>>     computations performed
>>>            by using the private part of the key pair.
>>>
>>>     The objectives state:
>>>
>>>            The primary aim of DPoP is to prevent unauthorized or
>>>     illegitimate parties from using leaked or stolen access tokens,
>>>            by binding a token to a public key upon issuance and
>>>     requiring that the client proves possession of the corresponding
>>>            private key when using the token.
>>>
>>>     DPoP does not prevent unauthorized or illegitimate parties from
>>>     using access tokens, as soon as two clients agree to collaborate.
>>>
>>>     Proposed rewording:
>>>
>>>            The primary aim of DPoP is to bind a token to a public
>>>     key upon issuance and requiring that the client proves possession
>>>            of the corresponding private key when using the
>>>     token. This does not demonstrate that the client presenting the
>>>     token is
>>>            necessarily the legitimate client. In the case of
>>>     non-collaborating clients, DPoP prevents unauthorized or
>>>     illegitimate parties
>>>            from using leaked or stolen access tokens. In the case of
>>>     collaborating clients, the security of DPoP is ineffective
>>>            (see section 11.X).
>>>
>>>     Section 11 is about "Security Considerations" and addresses the
>>>     following topics:
>>>
>>>     11.1. DPoP Proof Replay
>>>     11.2. DPoP Proof Pre-Generation
>>>     11.3. DPoP Nonce Downgrade
>>>     11.4. Untrusted Code in the Client Context
>>>     11.5. Signed JWT Swapping
>>>     11.6. Signature Algorithms
>>>     11.7. Message Integrity
>>>     11.8. Access Token and Public Key Binding
>>>     11.9. Authorization Code and Public Key Binding
>>>
>>>     The case of collaborative clients should be addressed within
>>>     section 11.
>>>
>>>     Text proposal.
>>>
>>>     11.X. Collaborative clients
>>>
>>>                 DPoP demonstrates that the client presenting the
>>>     token has been able to use the results of some cryptographic
>>>     functions
>>>     using the private part of the key pair.
>>>
>>>     If a client agrees to collaborate with another client, the
>>>     security of DPoP is no longer effective. When two clients agree
>>>     to collaborate,
>>>     these results of the cryptographic computations performed by one
>>>     client may be communicated to another client.
>>>
>>>     Even if the private key used for DPoP is stored in such a way
>>>     that it cannot be exported, e.g., in a hardware or software
>>>     security module,
>>>     the client can perform all the cryptographic computations needed
>>>     by the other client to create DPoP proofs.
>>>
>>>     The client can easily create new DPoP proofs as long as the
>>>     other client is online.
>>>
>>>     Note: There exist other techniques able to limit, in some cases,
>>>     the use of a token transmitted voluntarily by a legitimate client
>>>     to an illegitimate client.
>>>
>>>     Denis
>>>
>>>
>>>>     All,
>>>>
>>>>     As discussed during the IETF meeting in *Vienna* last week,
>>>>     this is a *WG Last Call *for the *DPoP* document:
>>>>     https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>>>
>>>>     Please, provide your feedback on the mailing list by April 11th.
>>>>
>>>>     Regards,
>>>>      Rifaat & Hannes
>>>>
>>>>
>>>>     _______________________________________________
>>>>     OAuth mailing list
>>>>     OAuth@ietf.org
>>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>     _______________________________________________
>>>     OAuth mailing list
>>>     OAuth@ietf.org
>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>> -- 
>>> Vennlig hilsen
>>>
>>> Steinar Noem
>>> Partner Udelt AS
>>> Systemutvikler
>>> | steinar@udelt.no <mailto:steinar@udelt.no> | hei@udelt.no  | +47 
>>> 955 21 620 | www.udelt.no <http://www.udelt.no/> |
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> -- 
> https://danielfett.de
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
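
As an added example (not code from the thread, from Denis, or from the DPoP draft), the resource-server side of the binding that the quoted introduction describes, in Go with only the standard library: the proof's signature is checked against the key carried in its own header, that key's RFC 7638 thumbprint is compared with the `cnf.jkt` the access token was bound to, `htm`/`htu`/`ath` are compared with the actual request, and `iat` and `jti` bound freshness and replay. The acceptance window, the resource URL and the token string are assumptions of this example. The comment on `Verify` states what a pass does and does not establish: that the bound private key was applied to exactly these request details, not who is presenting the proof, which is the point the thread is arguing about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
type Claims struct { // DPoP proof payload members the resource server checks
	Jti string `json:"jti"`
	Htm string `json:"htm"`
	Htu string `json:"htu"`
	Iat int64  `json:"iat"`
	Ath string `json:"ath"`
}
// NewKey generates the client's P-256 DPoP key pair.
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
// PubToJWK renders a P-256 public key as the minimal JWK carried in the proof header.
func PubToJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}
// Thumbprint is RFC 7638 for a P-256 JWK (required members, lexicographic order, no whitespace): the token's cnf.jkt.
func Thumbprint(k map[string]string) string {
	h := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k["crv"], k["kty"], k["x"], k["y"])))
	return b64.EncodeToString(h[:])
}
// Ath is the access token hash claim: base64url of the full SHA-256 output.
func Ath(token string) string {
	h := sha256.Sum256([]byte(token))
	return b64.EncodeToString(h[:])
}
// MakeProof builds and ES256-signs a DPoP proof JWT for one request.
func MakeProof(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": PubToJWK(&priv.PublicKey)})
	pl, _ := json.Marshal(c)
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	d := sha256.Sum256([]byte(in))
	r, s, err := ecdsa.Sign(rand.Reader, priv, d[:]) // JWS carries raw R||S, not ASN.1
	if err != nil {
		return "", err
	}
	return in + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), nil
}
// Verifier is the resource server's state: the thumbprint the token is bound to (cnf.jkt) and accepted jti values.
type Verifier struct {
	BoundJKT string
	Seen     map[string]bool
}
// Verify checks one proof against one request: a pass shows the bound private key signed these request details, not who presents the proof.
func (v *Verifier) Verify(proof, method, uri, token string, now int64) error {
	p := strings.Split(proof, ".")
	if len(p) != 3 {
		return errors.New("malformed proof")
	}
	var h struct{ Typ, Alg string; Jwk map[string]string } // encoding/json matches keys case-insensitively
	var c Claims
	hb, e1 := b64.DecodeString(p[0])
	pb, e2 := b64.DecodeString(p[1])
	sb, e3 := b64.DecodeString(p[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sb) != 64 || json.Unmarshal(hb, &h) != nil || json.Unmarshal(pb, &c) != nil ||
		h.Typ != "dpop+jwt" || h.Alg != "ES256" || h.Jwk["kty"] != "EC" || h.Jwk["crv"] != "P-256" {
		return errors.New("malformed or unsupported proof")
	}
	x, e4 := b64.DecodeString(h.Jwk["x"])
	y, e5 := b64.DecodeString(h.Jwk["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if e4 != nil || e5 != nil || !ecdsa.Verify(pub, d[:], new(big.Int).SetBytes(sb[:32]), new(big.Int).SetBytes(sb[32:])) {
		return errors.New("bad proof key or signature")
	}
	if Thumbprint(h.Jwk) != v.BoundJKT { // key binding: proof key must equal the token's cnf.jkt
		return errors.New("proof key does not match cnf.jkt")
	}
	if c.Htm != method || c.Htu != uri || c.Ath != Ath(token) { // request binding
		return errors.New("htm, htu or ath mismatch")
	}
	if c.Iat > now+60 || c.Iat < now-300 || c.Jti == "" || v.Seen[c.Jti] { // freshness and single use; the window is an assumption
		return errors.New("stale, missing or replayed proof")
	}
	v.Seen[c.Jti] = true
	return nil
}

func main() {
	priv, token := NewKey(), "constructed-opaque-access-token" // constructed sample, not a real token
	v := &Verifier{BoundJKT: Thumbprint(PubToJWK(&priv.PublicKey)), Seen: map[string]bool{}}
	proof, _ := MakeProof(priv, Claims{Jti: "id-1", Htm: "GET", Htu: "https://rs.example/resource", Iat: 1000, Ath: Ath(token)})
	fmt.Println("first use:", v.Verify(proof, "GET", "https://rs.example/resource", token, 1000), "| replay:", v.Verify(proof, "GET", "https://rs.example/resource", token, 1001))
}
```

Every check in `Verify` is about the proof and the request: signature, key thumbprint, method, URI, token hash, issue time and single-use `jti`. None of them takes the presenting party's identity as input, so the verifier's decision is the same whoever delivers a proof that satisfies them; the `Seen` map and the `iat` window are what limit reuse of any one proof.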


--------------Hwhw83fR6sc0rIemCs2fRmqz
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix">
      <div class="moz-cite-prefix">Hi  Justin,</div>
      <div class="moz-cite-prefix"><br>
      </div>
      <div class="moz-cite-prefix">You broke the thread since you have
        not re-used the last message which was:</div>
      <div class="moz-cite-prefix">
        <blockquote>Steinar,
          <div class="moz-cite-prefix"><br>
          </div>
          <div class="moz-cite-prefix">As you have guessed, no data
            (except the token and some crypto checksums) is passing
            through the clients. <br>
            <br>
            Once the legitimate client has allowed the illegitimate
            client to use the token, the illegitimate client can do
            anything it wants with it.</div>
          <div class="moz-cite-prefix">The legitimate client can be kept
            fully ignorant of what illegitimate client is doing.</div>
          <div class="moz-cite-prefix"><br>
          </div>
          <div class="moz-cite-prefix">The data flow is minimum: if the
            token allows to view a 4 Gb movie, that data flow does not
            flow between the clients.<br>
          </div>
          <div class="moz-cite-prefix"><br>
          </div>
          <div class="moz-cite-prefix">Furthermore, the content of the
            token may allow the illegitimate client to use it during
            days or months.<br>
          </div>
          <div class="moz-cite-prefix">Suppose that the token indicates
            "over 18". If the user is over 18 now, he will certainly be
            "over 18" the next days, months or years.  <br>
          </div>
          <div class="moz-cite-prefix">There is no need to refresh the
            token as it would be the case if the token included a home
            address.</div>
        </blockquote>
        <div class="moz-cite-prefix">This message explains why this
          collaborative attack is very different from simply forwarding
          messages between clients.</div>
        <div class="moz-cite-prefix"><br>
        </div>
        <div class="moz-cite-prefix">The illegitimate client can do
          anything it wants without disclosing what it is doing to the
          legitimate client.<br>
          The traffic between the clients is kept to the very minimum.<br>
        </div>
        <div class="moz-cite-prefix"><br>
        </div>
        <div class="moz-cite-prefix">Denis</div>
      </div>
    </div>
    <div class="moz-cite-prefix"><br>
    </div>
    <blockquote type="cite"
      cite="mid:3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <p>+1<br>
      </p>
      <div class="moz-cite-prefix">Am 29.03.22 um 15:10 schrieb Justin
        Richer:<br>
      </div>
      <blockquote type="cite"
        cite="mid:F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu">
        <meta http-equiv="Content-Type" content="text/html;
          charset=UTF-8">
        And this is exactly the problem with the “collaborating clients”
        attack, as has been pointed out any number of times it’s been
        brought up before. If two clients are willingly collaborating in
        this way, they do not need to share any cryptographic material
        and impersonate each other.
        <div class=""><br class="">
        </div>
        <div class="">You don’t need to steal my license if I’m willing
          to just go buy you beer.</div>
        <div class=""><br class="">
        </div>
        <div class="">The DPoP draft does address signed request re-use,
          which some see as a feature to be carefully applied.</div>
        <div class=""><br class="">
        </div>
        <div class=""> — Justin<br class="">
          <div><br class="">
            <blockquote type="cite" class="">
              <div class="">On Mar 28, 2022, at 1:04 PM, Steinar Noem
                &lt;<a href="mailto:steinar@udelt.no"
                  class="moz-txt-link-freetext" moz-do-not-send="true">steinar@udelt.no</a>&gt;
                wrote:</div>
              <br class="Apple-interchange-newline">
              <div class="">
                <meta http-equiv="Content-Type" content="text/html;
                  charset=UTF-8" class="">
                <div dir="ltr" class="">Interesting, but won't two
                  collaborating clients just pass any data they want to
                  each other? Why would these collaborating clients go
                  through the trouble of exchanging private keys, dpop
                  proofs or tokens? Could you elaborate some more on the
                  scenario? 
                  <div class=""><br class="">
                  </div>
                  <div class="">S</div>
                </div>
                <br class="">
                <div class="gmail_quote">
                  <div dir="ltr" class="gmail_attr">man. 28. mar. 2022
                    kl. 16:29 skrev Denis &lt;<a
                      href="mailto:denis.ietf@free.fr"
                      class="moz-txt-link-freetext"
                      moz-do-not-send="true">denis.ietf@free.fr</a>&gt;:<br
                      class="">
                  </div>
                  <blockquote class="gmail_quote" style="margin:0px 0px
                    0px 0.8ex;border-left:1px solid
                    rgb(204,204,204);padding-left:1ex">
                    <div class="">
                      <div class=""><span style="font-family:Arial"
                          class="" lang="EN-US">Rifaat &amp; Hannes,<br
                            class="">
                        </span>
                        <p class="MsoNormal"><span
                            style="font-family:Arial" class=""
                            lang="EN-US">Hereafter are my comments:<br
                              class="">
                            <br class="">
                            The introduction states :<br class="">
                            <br class="">
                          </span><span style="font-family:Arial"
                            class="" lang="EN-US">       Recipients of
                            such tokens are then able to verify the
                            binding of the token to the key pair that<span
                              class="">  </span>the client has
                            demonstrated <br class="">
                                   that it holds via the DPoP header,
                            thereby providing some assurance that the
                            client presenting the token also possesses
                            the private key. </span><br class="">
                          <span style="font-family:Arial" class=""
                            lang="EN-US"></span><span
                            style="font-family:Arial" class=""
                            lang="EN-US"> <br class="">
                                   In other words, the legitimate
                            presenter of the token is constrained to be
                            the sender that holds and can prove
                            possession of the private part of the key
                            pair.<br class="">
                            <br class="">
                            The client presenting the token <b class="">does
                              not necessarily possess the private key</b>.
                            The client presenting the token has been
                            able to use <br class="">
                            the results of some cryptographic functions
                            using the private part of the key pair. <br
                              class="">
                          </span></p>
                        <p class="MsoNormal"><span
                            style="font-family:Arial" class=""
                            lang="EN-US">These results may be
                            communicated by one client to another
                            client, if the two clients agree to
                            collaborate. This statement will be added
                            later on.<br class="">
                            <br class="">
                            Proposed rewording:<br class="">
                            <br class="">
                                   Recipients of such tokens are then
                            able to verify the binding of the token to
                            the key pair that<span class="">  </span>the
                            client has demonstrated <br class="">
                                   that it holds via the DPoP header,
                            thereby providing some assurance that the
                            client presenting the token <b class="">either
                            </b>also possesses <br class="">
                                   the private key <b class="">or</b>
                            has been able to use the result of
                            cryptographic computations from another
                            client that possesses the private key. <br
                              class="">
                            <br class="">
                                   In other words, the presenter of the
                            token can prove that it has been able to use
                            the results of cryptographic computations
                            performed <br class="">
                                   by using the private part of the key
                            pair. <br class="">
                            <br class="">
                            The objectives states<br class="">
                            <br class="">
                                   The primary aim of DPoP is to prevent
                            unauthorized or illegitimate parties from
                            using leaked or stolen access tokens, <br
                              class="">
                                   by binding a token to a public key
                            upon issuance and requiring that the client
                            proves possession of the corresponding <br
                              class="">
                                   private key when using the token.<br
                              class="">
                            <br class="">
                            DPoP does not prevent unauthorized or
                            illegitimate parties from using access
                            tokens, as soon as two clients agree to
                            collaborate.<br class="">
                            <br class="">
                            Proposed rewording:<br class="">
                            <br class="">
                                   The primary aim of DPoP is to bind a
                            token to a public key upon issuance and
                             to require that the client proves possession
                            <br class="">
                                   of the corresponding private key when
                            using the token.<span class="">  </span>This
                            does not demonstrate that the client
                            presenting the token is <br class="">
                                   necessarily the legitimate client. In
                            the case of non-collaborating clients, DPoP
                            prevents unauthorized or illegitimate
                            parties <br class="">
                                   from using leaked or stolen access
                            tokens. In the case of collaborating
                            clients, the security of DPoP is ineffective
                            <br class="">
                                   (see section 11.X).<br class="">
                            <br class="">
                            Section 11 is about "Security
                            Considerations" and addresses the following
                            topics:<br class="">
                            <br class="">
                            <span class="">     </span>11.1.<span
                              class="">  </span>DPoP Proof Replay<br
                              class="">
                            <span class="">     </span>11.2.<span
                              class="">  </span>DPoP Proof
                            Pre-Generation<br class="">
                            <span class="">     </span>11.3.<span
                              class="">  </span>DPoP Nonce Downgrade<br
                              class="">
                            <span class="">     </span>11.4.<span
                              class="">  </span>Untrusted Code in the
                            Client Context<br class="">
                            <span class="">     </span>11.5.<span
                              class="">  </span>Signed JWT Swapping<br
                              class="">
                            <span class="">     </span>11.6.<span
                              class="">  </span>Signature Algorithms<br
                              class="">
                            <span class="">     </span>11.7.<span
                              class="">  </span>Message Integrity<br
                              class="">
                            <span class="">     </span>11.8.<span
                              class="">  </span>Access Token and Public
                            Key Binding<br class="">
                            <span class="">     </span>11.9.<span
                              class="">  </span>Authorization Code and
                            Public Key Binding<br class="">
                            <br class="">
                            The case of collaborative clients should be
                            addressed within section 11.<br class="">
                            <br class="">
                            Text proposal. <br class="">
                            <br class="">
                            <span class="">     </span>11.X.
                            Collaborative clients<br class="">
                            <br class="">
                                        DPoP demonstrates that the
                            client presenting the token has been able to
                            use the results of some cryptographic
                            functions<br class="">
                               <span style="font-family:Arial" class=""
                              lang="EN-US">         </span>using the
                            private part of the key pair.<br class="">
                            <br class="">
                          </span><span style="font-family:Arial"
                            class="" lang="EN-US"><span
                              style="font-family:Arial" class=""
                              lang="EN-US">   <span
                                style="font-family:Arial" class=""
                                lang="EN-US">         </span></span>If
                            a client agrees to collaborate with another
                            client, the security of DPoP is no longer
                            effective.<span class="">  </span>When two
                            clients agree to collaborate, <br class="">
                          </span><span style="font-family:Arial"
                            class="" lang="EN-US"><span
                              style="font-family:Arial" class=""
                              lang="EN-US">   <span
                                style="font-family:Arial" class=""
                                 lang="EN-US">         </span></span>the
                            results of the cryptographic computations
                            performed by one client may be communicated
                            to another client. <br class="">
                            <br class="">
                          </span><span style="font-family:Arial"
                            class="" lang="EN-US"><span
                              style="font-family:Arial" class=""
                              lang="EN-US">   <span
                                style="font-family:Arial" class=""
                                lang="EN-US">         </span></span>Even
                            if the private key used for DPoP is stored
                            in such a way that it cannot be exported,
                            e.g., in a hardware or software security
                            module, <br class="">
                          </span><span style="font-family:Arial"
                            class="" lang="EN-US"><span
                              style="font-family:Arial" class=""
                              lang="EN-US">   <span
                                style="font-family:Arial" class=""
                                lang="EN-US">         </span></span>the
                            client can perform all the cryptographic
                            computations needed by the other client to
                            create DPoP proofs. <br class="">
                            <br class="">
                          </span><span style="font-family:Arial"
                            class="" lang="EN-US"><span
                              style="font-family:Arial" class=""
                              lang="EN-US">   <span
                                style="font-family:Arial" class=""
                                lang="EN-US">         </span></span>The
                            client can easily create new DPoP proofs as
                            long as the other client is online.<br
                              class="">
                            <br class="">
                          </span><span style="font-family:Arial"
                            class="" lang="EN-US"><span
                              style="font-family:Arial" class=""
                              lang="EN-US">   <span
                                style="font-family:Arial" class=""
                                lang="EN-US">         </span></span>Note:
                            There exist other techniques able to limit,
                            in some cases, the use of a token
                            transmitted voluntarily by a legitimate
                            client <br class="">
                                                  to an illegitimate
                            client.<br class="">
                            <br class="">
                            Denis</span></p>
                      </div>
                      <div class=""><br class="">
                      </div>
                      <blockquote type="cite" class="">
                        <div dir="ltr" class="">All,<br class="">
                          <br class="">
                          As discussed during the IETF meeting in <b
                            class="">Vienna</b> last week, this is a <b
                            class="">WG Last Call </b>for the <b
                            class="">DPoP</b> document:<br class="">
                          <a
                            href="https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/"
                            target="_blank"
                            class="moz-txt-link-freetext"
                            moz-do-not-send="true">https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/</a><br
                            class="">
                          <br class="">
                          Please, provide your feedback on the mailing
                          list by April 11th.<br class="">
                          <br class="">
                          Regards,<br class="">
                           Rifaat &amp; Hannes<br class="">
                          <div class=""><br class="">
                          </div>
                        </div>
                        <br class="">
                        <fieldset class=""></fieldset>
                        <pre class="">_______________________________________________
OAuth mailing list
<a href="mailto:OAuth@ietf.org" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">OAuth@ietf.org</a>
<a href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                      </blockquote>
                      <p class=""><br class="">
                      </p>
                    </div>
                  </blockquote>
                </div>
                <br class="" clear="all">
                <div class=""><br class="">
                </div>
                -- <br class="">
                <div dir="ltr" class="gmail_signature">
                  <div dir="ltr" class="">
                    <div class="">
                      <div dir="ltr" class="">
                        <div style="color:rgb(80,0,80)" class=""><span
                            style="color:rgb(34,34,34)" class="">Kind
                            regards</span><br class="">
                        </div>
                        <div style="color:rgb(80,0,80)" class=""><span
                            style="color:rgb(34,34,34)" class=""><br
                              class="">
                          </span></div>
                        <div style="color:rgb(80,0,80)" class="">
                          <div style="color:rgb(34,34,34)" class="">Steinar
                            Noem</div>
                          <div style="color:rgb(34,34,34)" class="">Partner
                            Udelt AS</div>
                          <div style="color:rgb(34,34,34)" class="">Systems developer</div>
                          <div style="color:rgb(34,34,34)" class=""> </div>
                          <div style="color:rgb(34,34,34)" class="">| <a
                              href="mailto:steinar@udelt.no"
                              style="color:rgb(17,85,204)"
                              target="_blank" class=""
                              moz-do-not-send="true"><span
                                style="color:rgb(34,34,34);background:rgb(255,255,204)"
                                class="">steinar@udelt.no</span></a> | <a
                              href="mailto:hei@udelt.no"
                              style="color:rgb(17,85,204)"
                              target="_blank"
                              class="moz-txt-link-freetext"
                              moz-do-not-send="true">hei@udelt.no</a>  | <a
                              class="" moz-do-not-send="true">+47 955 21
                              620</a> | <a href="http://www.udelt.no/"
                              style="color:rgb(17,85,204)"
                              target="_blank" class=""
                              moz-do-not-send="true">www.udelt.no</a> | </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br class="">
        </div>
        <br>
      </blockquote>
      <pre class="moz-signature" cols="72">-- 
<a class="moz-txt-link-freetext" href="https://danielfett.de" moz-do-not-send="true">https://danielfett.de</a></pre>
      <br>
    </blockquote>
    <p><br>
    </p>
  </body>
</html>

--------------Hwhw83fR6sc0rIemCs2fRmqz--


From nobody Tue Mar 29 06:27:44 2022
Return-Path: <robipolli@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C05273A07A0 for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 06:27:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level: 
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WmY3YGCIOGWf for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 06:27:40 -0700 (PDT)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B8953A0E0A for <oauth@ietf.org>; Tue, 29 Mar 2022 06:27:40 -0700 (PDT)
Received: by mail-io1-xd31.google.com with SMTP id z7so20953260iom.1 for <oauth@ietf.org>; Tue, 29 Mar 2022 06:27:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BUX0rPgYzPYvEfifF6PDTuwBaucAOC2boT1ofiDF32E=; b=hsUMQ8255P9u52HjkEVwIX1aHBVfBWaNIi6FgyeDiUuDFKlxl6+uZCz2/2gbPytUVj wmXSU4vjq8XbMU8gTclnP58EvCIYYRpKIrqEJkyn/F91RI9jhUCr1MbIN4lV/67PCT2s Ou/N1waThQsIbS0y0f9h1A06WzzKBu7wXNAwMvoYEAc2ibzeF2QSWPAkCaSIwe/nabxx qll0dQGGUB4G3PEfVBPa2jkDhcWq5MJ8bdQ42XrDcTabZzucwVnV1rfD0OZWbjsLosFr HQmNHGmgEHN9vBR9QP9yHaT63/4BuD9V+25saxKLzfxX+gzCKDI297gnP3oLTOF3Dqun sJbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BUX0rPgYzPYvEfifF6PDTuwBaucAOC2boT1ofiDF32E=; b=741L51q3sed8QpxMRARP/eU/KVZ5nZ826cs4yPw+NCFVlMyEP7lga5Vya9xlczXtsR VjVV4oPS+DkdnjHUMJsn+iYCY5+k1o8CZDEX2E5S1cGMpgZYT7/+Eenojieh56ltflyf Noom3V/dGzqDvLBiQefFlVWMENvQDmnYP/5RbSiyGlg5t3nyIwlDFZfk9fLRu+feavZc KG/JWz/v3n2WJRs7N70dDWqsHpCpNC1fiAYeJ232PkrEkDpoUzbvmBm7ry67afjgdxIo 1amByvXzmII37fQ5c07iCWLXoTwHo8yGpbLRz/ZE6uwo6c9h5TttEygEDr1TWocv2wIv T8CA==
X-Gm-Message-State: AOAM533Jsw55HjVX5KJmyS6ogD1xSnbm/5S13l68LKUW1vPIgEzilvGk Pu+PVMvmiC3YzIgM2yTz9AHd9KyLwsf+7mRNAPChn8xdhrE=
X-Google-Smtp-Source: ABdhPJyI2qZaWP0Jon3/JfM7OfxxWsYcbR1ihg7ZGtg3vFDx3zeltQERvlin5TL7dEQck7yCmK1gv5cVtjIdiLQpNCA=
X-Received: by 2002:a5e:a80a:0:b0:645:b477:bc23 with SMTP id c10-20020a5ea80a000000b00645b477bc23mr8895930ioa.191.1648560458896; Tue, 29 Mar 2022 06:27:38 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com>
In-Reply-To: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com>
From: Roberto Polli <robipolli@gmail.com>
Date: Tue, 29 Mar 2022 15:27:27 +0200
Message-ID: <CAP9qbHWaOs_weLkju+cD7vchJ3s63f_-FaH+BFWd7YKg7ehNCg@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008b195505db5b64f0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YpprvzSyC11mhrfU59Szzwxevzc>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 13:27:43 -0000

--0000000000008b195505db5b64f0
Content-Type: text/plain; charset="UTF-8"

Dear all,

thanks for this interesting work! I think that there's some editorial work
that should be done on terminology (e.g. a consistent use of JOSE header
parameter, HTTP header field, ...) and some simplification will really
make the spec easier to read.

For example, once defined that the syntax of DPOP is a JWS, it is redundant
to further state that DPOP value MUST be a JWS.
Moreover there are security considerations all throughout the document
that should probably be moved to the #Security section.

I will provide further feedback in the next few days.

I'm providing some PRs on the repo: feel free to comment there.

- https://github.com/danielfett/draft-dpop/pulls/ioggstream

Kind regards,
R.

On Mon 28 Mar 2022 at 14:01 Rifaat Shekh-Yusef <
rifaat.s.ietf@gmail.com> wrote:

> All,
>
> As discussed during the IETF meeting in *Vienna* last week, this is a *WG
> Last Call *for the *DPoP* document:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>
> Please, provide your feedback on the mailing list by April 11th.
>
> Regards,
>  Rifaat & Hannes
>

--0000000000008b195505db5b64f0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Dear all,<div><br></div><div>thanks for this interesting w=
ork! I think that there&#39;s some editorial work that should be done</div>=
<div>on terminology=C2=A0(e.g. a consistent use of JOSE header parameter, H=
TTP header field, ...)=C2=A0</div><div>and some simplification will really =
make the spec easier to read.</div><div><br></div><div>For example, once=
 defined that the syntax of DPOP is a JWS, it is redundant to=C2=A0</div><d=
iv>further state that DPOP value MUST be a JWS.</div><div>Moreover there ar=
e security considerations all throughout the document that should probably=
</div><div>be moved to the #Security section.</div><div><br></div><div>I wi=
ll provide further feedback in the next few days.</div><div><br></div><div>=
I&#39;m providing some PRs on the repo: feel free to comment there.</div><d=
iv><br></div><div>-=C2=A0<a href=3D"https://github.com/danielfett/draft-dpo=
p/pulls/ioggstream">https://github.com/danielfett/draft-dpop/pulls/ioggstre=
am</a></div><div><br></div><div>Kind regards,</div><div>R.</div></div><br><=
div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon 28 =
Mar 2022 at 14:01 Rifaat Shekh-Yusef &lt;<a href=3D"mailto:rifaat.s.ietf@g=
mail.com" target=3D"_blank">rifaat.s.ietf@gmail.com</a>&gt; wrote:<br></div=
><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=
=3D"ltr">All,<br><br>As discussed during the IETF meeting in <b>Vienna</b> =
last week, this is a <b>WG Last Call </b>for the=C2=A0<b>DPoP</b> document:=
<br><a href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/" tar=
get=3D"_blank">https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/</a><=
br><br>Please, provide your feedback on the mailing list by April 11th.<br>=
<br>Regards,<br>=C2=A0Rifaat &amp; Hannes<br><div><br></div></div>
</blockquote></div>

--0000000000008b195505db5b64f0--


From nobody Tue Mar 29 07:22:37 2022
Return-Path: <jacob.ideskog@curity.io>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35A723A108F for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 07:22:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level: 
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=curity-io.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Ng7shTDgWDn for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 07:22:30 -0700 (PDT)
Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E4203A1994 for <oauth@ietf.org>; Tue, 29 Mar 2022 07:22:30 -0700 (PDT)
Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-2e592e700acso185237507b3.5 for <oauth@ietf.org>; Tue, 29 Mar 2022 07:22:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=curity-io.20210112.gappssmtp.com; s=20210112; h=mime-version:from:date:message-id:subject:to; bh=dpRZQ125gQVEN7xs4XzkVihC9kiOVBivcLU2sa67AKo=; b=JpuNhfgxbQxUZ8qppxpK/TuY7CEcbldiQaG4ioLxam37HDyb2VgUzfO/vJuitkIWUV KnNbKJa6AsDQvO2Bkz0R3N/udLWfnV8oM5B4DCGJb30HWBEXBjQcvu/Vj9UK7hZ19SWn oBrK985ZOxUvoCRKjl3SlI/lz5UW4CtGm0dkLVrDf8VNQ32xo3A3mIys+uZiKaxO+zDP IX6kXU/1Z6bOSjatbMcmu6QBVMkNjeQRDiV7cO9YWIJK6gqTYjPVrdzWCG5L5VnHpPZf Z5av19mES8zFT8bYfPt40jnQ2IU6I3FSsE2+XixCl/OstxIGCuBAe8qAXiIWB3DzDNxE vfhg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=dpRZQ125gQVEN7xs4XzkVihC9kiOVBivcLU2sa67AKo=; b=yhoongNpqH91emGvsQHpBq6G3iy/mRvpeyOnXDlMaNmBdDsllQGB8gleGHNB/PAnpN RMdWPS3aKhcTgtSdnpSnSQRtSDbAH5WoGYtYC2QFJn3Fg6G6jdJ3SWzoMzFaa7F813L6 WlZWO3pFb9lRigmx8K+7Jr+Gf5+0BT78VgtovDr7ers6Q220JvqV7Onk2li40bfNKJ0K VGDzgA4U9ZmqlszuqT9T3noxlDVxzldxnb/5ufNbzitdT4a/eQFtj3QNBZUaVoEQBOls qZ2cqPtXQGD8HT2vc9Vz+93je2W9Ff2BwKVEgMYSWpOmh96lRGEkgDh1R9g2FOyYdeTu GsKQ==
X-Gm-Message-State: AOAM532kG8wuMHN/SjphnTj4XQpixq5Vr7mR5TOI8Ir4VzbiEs9JW3UJ csRXcpgrtNEkx5pdlUgqWy4d7rQGsIFcovy3BVEtkRSA4vJT8w==
X-Google-Smtp-Source: ABdhPJzYZxswAfGSSQZKI1yE9xZWu9ai0qiPrWibxoNhdLtd6mPTG0dBb2BW0vGbZkChq54Myi+fLNSIQ7rqDyPrX8Q=
X-Received: by 2002:a81:7c4:0:b0:2e6:bdd9:f86f with SMTP id 187-20020a8107c4000000b002e6bdd9f86fmr30161359ywh.300.1648563748869; Tue, 29 Mar 2022 07:22:28 -0700 (PDT)
MIME-Version: 1.0
From: Jacob Ideskog <jacob.ideskog@curity.io>
Date: Tue, 29 Mar 2022 16:22:17 +0200
Message-ID: <CAKL4o=G9wO-LCgkWipsAEV3_sVUThTsQcaHd-Vf2o08KTA5UKg@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a4298605db5c2820"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UefXj7zWMg-2--q91Z5IXvcRrLk>
Subject: [OAUTH-WG] Regarding iat and nonce in DPoP Proofs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 14:22:35 -0000

--000000000000a4298605db5c2820
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi all,

We have encountered a situation in the wild which I would like to share and
discuss with you.

We have strict validation of the iat claim as per section 4.3 in the
specification where we allow a reasonable skew.

The problem we see is that some users (more than a few) have changed the
clock on their mobile device. This is commonly done for users playing games
where changing the clock gives them more credit in the game. This means
that the drift is more than reasonable as per the specification. It can be
hours to days.

The solution is to use the newer "nonce" parameter (which wasn't in the
early drafts) to be able to manage the TTL server side, since the server
controls the nonce and can therefore control the TTL of any proof received.

However, the wording in section 4.3 states that:

the iat claim value is within an acceptable timeframe and,
        within a reasonable consideration of accuracy and resource
        utilization, a proof JWT with the same jti value has not
        previously been received at the same resource during that time
        period (see Section 11.1
<https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-07#section-11.=
1>),

And in section 11.1 this limits it to seconds or minutes.

So, even though using nonces could solve clock sync issues, it's not
possible due to the strictness of the iat claim verification.

Could we relax the wording of the iat claim verification to let the nonce
be the main solution in some cases:

Suggestion:
the iat claim value is within an acceptable timeframe and,
        within a reasonable consideration of accuracy and resource
        utilization, a proof JWT with the same jti value has not
        previously been received at the same resource during that time
        period (see Section 11.1), *unless the clock synchronization can be
made to depend on the issuance of the nonce values.*

Regards
Jacob

--=20
Jacob Ideskog
CTO
Curity AB
-------------------------------------------------------------------
Sankt G=C3=B6ransgatan 66, Stockholm, Sweden
M: +46 70-2233664
jacob@curity.io
curity.io
-------------------------------------------------------------------

--000000000000a4298605db5c2820
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi all,</div><div><br></div><div>We have encountered =
a situation in the wild which I would like to share and discuss with you.</=
div><div><br></div><div>We have strict validation of the iat claim as per s=
ection 4.3 in the specification where we allow a reasonable skew.</div><div=
><br></div><div>The problem we see is that some users (more than a few) hav=
e changed the clock on their mobile device. This is commonly done for users=
 playing games where changing the clock gives them more credit in the game.=
 This means that the drift is more than reasonable as per the specification=
. It can be hours to days.<br></div><div><br></div><div>The solution is to =
use the newer &quot;nonce&quot; parameter (which wasn&#39;t in the early dr=
afts) to be able to manage the TTL server side, since the server controls t=
he nonce and can therefore control the TTL of any proof received.</div><div=
><br></div><div>However, the wording in section 4.3 states that:</div><div>=
<pre class=3D"gmail-newpage">the iat claim value is within an acceptable ti=
meframe and,
        within a reasonable consideration of accuracy and resource
        utilization, a proof JWT with the same jti value has not
        previously been received at the same resource during that time
        period (see <a href=3D"https://datatracker.ietf.org/doc/html/draft-=
ietf-oauth-dpop-07#section-11.1">Section 11.1</a>),</pre></div><div>And in =
section 11.1 this limits it to seconds or minutes.</div><div><br></div><div=
>So, even though using nonces could solve clock sync issues, it&#39;s not p=
ossible due to the strictness of the iat claim verification.</div><div><br>=
</div><div>Could we relax the wording of the iat claim verification to let =
the nonce be the main solution in some cases:</div><div><br></div><div>Sugg=
estion:</div><div>the iat claim value is within an acceptable timeframe and=
,<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 within a reasonable consideration of accur=
acy and resource<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 utilization, a proof JWT wi=
th the same jti value has not<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 previously bee=
n received at the same resource during that time<br>=C2=A0 =C2=A0 =C2=A0 =
=C2=A0 period (see Section 11.1), <b>unless the clock synchronization can=
 be made to depend on the issuance of the nonce values.</b></div><div><br>=
</di=
v><div>Regards</div><div>Jacob<br></div><div><br></div><div>-- <br><div dir=
=3D"ltr" class=3D"gmail_signature" data-smartmail=3D"gmail_signature"><div =
dir=3D"ltr"><div><div dir=3D"ltr"><span style=3D"font-size:small"></span>Ja=
cob Ideskog<br><div style=3D"font-size:small"><div dir=3D"ltr"><div dir=3D"=
ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div><div>CTO<br></div><div>Curity A=
B<br></div><span style=3D"color:rgb(136,136,136)">-------------------------=
-----</span><span style=3D"color:rgb(136,136,136)">------------------------=
------</span><span style=3D"color:rgb(136,136,136)">-------</span><div>Sank=
t G=C3=B6ransgatan 66, Stockholm, Sweden<br>M:=C2=A0<a value=3D"+4672725565=
5" style=3D"color:rgb(17,85,204)">+46 70-2233664</a><br><font style=3D"colo=
r:rgb(17,85,204)" color=3D"#009900"><a href=3D"mailto:jacob@twobo.com" styl=
e=3D"color:rgb(17,85,204)" target=3D"_blank">j</a><a href=3D"mailto:acob@cu=
rity.io" target=3D"_blank">acob@curity.io</a></font></div></div><div><font =
style=3D"color:rgb(17,85,204)" color=3D"#009900"><a href=3D"http://curity.i=
o" target=3D"_blank">curity.io</a></font></div><div><span style=3D"color:rg=
b(136,136,136)">------------------------------</span><span style=3D"color:r=
gb(136,136,136)">------------------------------</span><span style=3D"color:=
rgb(136,136,136)">-------</span></div></div></div></div></div></div></div><=
/div></div></div></div></div>

--000000000000a4298605db5c2820--
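Added example, not code from the thread or from any DPoP implementation: a Python model of the two freshness policies Jacob's message contrasts, the strict iat window plus jti replay check as section 4.3 is worded, beside a nonce-bound check in which the resource server derives the proof's lifetime from when it issued the nonce, so a client clock that is hours off no longer matters. The nonce format (timestamp, random bytes, HMAC tag), the 60 s and 300 s windows, and the omission of signature, htm/htu and ath verification are assumptions made for illustration.

```python
"""Two freshness policies for a DPoP proof at a resource server.

Constructed illustration: the proof is modelled as its claim set only; the
signature, htm/htu and ath checks are assumed to have passed already.
"""
import base64
import hashlib
import hmac
import secrets
import time

IAT_WINDOW = 60      # assumed policy: "seconds or minutes" window for iat
NONCE_TTL = 300      # assumed policy: how long a server-issued nonce is accepted
SERVER_KEY = secrets.token_bytes(32)  # constructed per-process secret for nonce MACs


def issue_nonce(now, key=SERVER_KEY):
    """Server nonce = issuance time || 8 random bytes || 16-byte HMAC tag (assumed format).

    The MAC lets the server recover when it issued the nonce without storing it,
    so proof lifetime depends on the server's clock rather than the client's."""
    ts = int(now).to_bytes(8, "big")
    rnd = secrets.token_bytes(8)
    tag = hmac.new(key, ts + rnd, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(ts + rnd + tag).rstrip(b"=").decode()


def nonce_issued_at(nonce, key=SERVER_KEY):
    """Return the issuance time of a genuine server nonce, or None if forged/malformed."""
    try:
        raw = base64.urlsafe_b64decode(nonce + "=" * (-len(nonce) % 4))
    except Exception:
        return None
    if len(raw) != 32:
        return None
    ts, rnd, tag = raw[:8], raw[8:16], raw[16:]
    expected = hmac.new(key, ts + rnd, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return int.from_bytes(ts, "big")


class ReplayCache:
    """jti values seen at this resource, each kept as long as its proof could still be accepted."""

    def __init__(self):
        self.seen = {}  # jti -> time after which the entry can be forgotten

    def first_use(self, jti, now, ttl):
        self.seen = {j: exp for j, exp in self.seen.items() if exp > now}  # evict expired
        if jti in self.seen:
            return False
        self.seen[jti] = now + ttl
        return True


def check_strict_iat(proof, now, cache):
    """Section 4.3 as worded: iat within a short window, jti unseen within it.

    A client whose clock is hours off is rejected even if it holds a fresh nonce."""
    if abs(now - proof["iat"]) > IAT_WINDOW:
        return "stale_iat"
    if not cache.first_use(proof["jti"], now, 2 * IAT_WINDOW):
        return "replay"
    return "ok"


def check_nonce_bound(proof, now, cache):
    """One reading of the relaxation proposed in the thread: the server's own nonce
    issuance time bounds the proof's lifetime, so the client's iat only has to be
    present and is not compared against the server clock."""
    if "iat" not in proof:
        return "missing_iat"
    issued = nonce_issued_at(proof.get("nonce", ""))
    if issued is None:
        return "bad_nonce"
    if now - issued > NONCE_TTL:
        return "expired_nonce"
    if not cache.first_use(proof["jti"], now, NONCE_TTL):
        return "replay"
    return "ok"


def demo(skew_seconds=5 * 3600):
    """Constructed scenario: a client clock 5 hours off ("hours to days" drift)
    presenting a proof built with a nonce the server issued just now."""
    now = time.time()
    proof = {"iat": now - skew_seconds, "jti": secrets.token_hex(8), "nonce": issue_nonce(now)}
    strict = check_strict_iat(proof, now, ReplayCache())
    cache = ReplayCache()
    first = check_nonce_bound(proof, now, cache)
    second = check_nonce_bound(proof, now, cache)  # same jti presented again: replay
    return strict, first, second


if __name__ == "__main__":
    print(demo())  # ('stale_iat', 'ok', 'replay')
```

The jti cache is scoped to the nonce TTL in the second policy, so the replay protection of section 11.1 is kept while the acceptance window is now set by the server.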


From nobody Tue Mar 29 08:21:18 2022
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31E583A1A38 for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 08:21:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.72
X-Spam-Level: 
X-Spam-Status: No, score=-1.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.186, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rGo109u_Bbn3 for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 08:21:11 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FFC93A1A3C for <oauth@ietf.org>; Tue, 29 Mar 2022 08:21:10 -0700 (PDT)
Received: from smtpclient.apple (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 22TFL5rW026985 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 29 Mar 2022 11:21:06 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_BCBC6932-7C64-4217-8320-2B700B72A5A9"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
Date: Tue, 29 Mar 2022 11:21:05 -0400
In-Reply-To: <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr>
Cc: oauth@ietf.org
To: Denis <denis.ietf@free.fr>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu> <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de> <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PIx4aFvRiB-wItjaRsSaJ31NCWQ>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 15:21:15 -0000

--Apple-Mail=_BCBC6932-7C64-4217-8320-2B700B72A5A9
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

If the “legitimate” client willingly gives away its secrets and tokens to the “illegitimate” client, then the latter isn’t actually “illegitimate” anymore.

What I was saying is that the “attack” is not even necessary if the clients are in fact working together. If the “legitimate” client knowingly gives away its credentials, it is accepting that the receiver of those credentials can do anything it wants with those credentials. That’s why they are credentials.

 — Justin

PS: I did not “break” the thread, I replied to a message in the thread. That’s how email lists work.

> On Mar 29, 2022, at 9:19 AM, Denis <denis.ietf@free.fr> wrote:
>
> Hi Justin,
>
> You broke the thread since you have not re-used the last message which was:
> Steinar,
>
> As you have guessed, no data (except the token and some crypto checksums) is passing through the clients.
>
> Once the legitimate client has allowed the illegitimate client to use the token, the illegitimate client can do anything it wants with it.
> The legitimate client can be kept fully ignorant of what the illegitimate client is doing.
>
> The data flow is minimal: if the token allows viewing a 4 Gb movie, that data flow does not flow between the clients.
>
> Furthermore, the content of the token may allow the illegitimate client to use it for days or months.
> Suppose that the token indicates "over 18". If the user is over 18 now, he will certainly be "over 18" the next days, months or years.
> There is no need to refresh the token as would be the case if the token included a home address.
> This message explains why this collaborative attack is very different from simply forwarding messages between clients.
>
> The illegitimate client can do anything it wants without disclosing what it is doing to the legitimate client.
> The traffic between the clients is kept to the very minimum.
>
> Denis
>
>> +1
>>
>> On 29.03.22 at 15:10, Justin Richer wrote:
>>> And this is exactly the problem with the “collaborating clients” attack, as has been pointed out any number of times it’s been brought up before. If two clients are willingly collaborating in this way, they do not need to share any cryptographic material and impersonate each other.
>>>
>>> You don’t need to steal my license if I’m willing to just go buy you beer.
>>>
>>> The DPoP draft does address signed request re-use, which some see as a feature to be carefully applied.
>>>
>>>  — Justin
>>>
>>>> On Mar 28, 2022, at 1:04 PM, Steinar Noem <steinar@udelt.no> wrote:
>>>>
>>>> Interesting, but won't two collaborating clients just pass any data they want to each other? Why would these collaborating clients go through the trouble of exchanging private keys, dpop proofs or tokens? Could you elaborate some more on the scenario?
>>>>
>>>> S
>>>>
>>>> Mon. 28 Mar 2022 at 16:29, Denis <denis.ietf@free.fr> wrote:
>>>> Rifaat & Hannes,
>>>> Hereafter are my comments:
>>>>
>>>> The introduction states:
>>>>
>>>>        Recipients of such tokens are then able to verify the binding of the token to the key pair that the client has demonstrated
>>>>        that it holds via the DPoP header, thereby providing some assurance that the client presenting the token also possesses the private key.
>>>>
>>>>        In other words, the legitimate presenter of the token is constrained to be the sender that holds and can prove possession of the private part of the key pair.
>>>>
>>>> The client presenting the token does not necessarily possess the private key. The client presenting the token has been able to use
>>>> the results of some cryptographic functions using the private part of the key pair.
>>>>
>>>> These results may be communicated by one client to another client, if the two clients agree to collaborate. This statement will be added later on.
>>>>
>>>> Proposed rewording:
>>>>
>>>>        Recipients of such tokens are then able to verify the binding of the token to the key pair that the client has demonstrated
>>>>        that it holds via the DPoP header, thereby providing some assurance that the client presenting the token either also possesses
>>>>        the private key or has been able to use the result of cryptographic computations from another client that possesses the private key.
>>>>
>>>>        In other words, the presenter of the token can prove that it has been able to use the results of cryptographic computations performed
>>>>        by using the private part of the key pair.
>>>>
>>>> The objectives state:
>>>>
>>>>        The primary aim of DPoP is to prevent unauthorized or illegitimate parties from using leaked or stolen access tokens,
>>>>        by binding a token to a public key upon issuance and requiring that the client proves possession of the corresponding
>>>>        private key when using the token.
>>>>
>>>> DPoP does not prevent unauthorized or illegitimate parties from using access tokens, as soon as two clients agree to collaborate.
>>>>
>>>> Proposed rewording:
>>>>
>>>>        The primary aim of DPoP is to bind a token to a public key upon issuance and requiring that the client proves possession
>>>>        of the corresponding private key when using the token.  This does not demonstrate that the client presenting the token is
>>>>        necessarily the legitimate client. In the case of non-collaborating clients, DPoP prevents unauthorized or illegitimate parties
>>>>        from using leaked or stolen access tokens. In the case of collaborating clients, the security of DPoP is ineffective
>>>>        (see section 11.X).
>>>>
>>>> Section 11 is about "Security Considerations" and addresses the following topics:
>>>>
>>>>      11.1.  DPoP Proof Replay
>>>>      11.2.  DPoP Proof Pre-Generation
>>>>      11.3.  DPoP Nonce Downgrade
>>>>      11.4.  Untrusted Code in the Client Context
>>>>      11.5.  Signed JWT Swapping
>>>>      11.6.  Signature Algorithms
>>>>      11.7.  Message Integrity
>>>>      11.8.  Access Token and Public Key Binding
>>>>      11.9.  Authorization Code and Public Key Binding
>>>>
>>>> The case of collaborative clients should be addressed within section 11.
>>>>
>>>> Text proposal:
>>>>
>>>>      11.X. Collaborative clients
>>>>
>>>>             DPoP demonstrates that the client presenting the token has been able to use the results of some cryptographic functions
>>>>             using the private part of the key pair.
>>>>
>>>>             If a client agrees to collaborate with another client, the security of DPoP is no longer effective.  When two clients agree to collaborate,
>>>>             these results of the cryptographic computations performed by one client may be communicated to another client.
>>>>
>>>>             Even if the private key used for DPoP is stored in such a way that it cannot be exported, e.g., in a hardware or software security module,
>>>>             the client can perform all the cryptographic computations needed by the other client to create DPoP proofs.
>>>>
>>>>             The client can easily create new DPoP proofs as long as the other client is online.
>>>>
>>>>             Note: There exist other techniques able to limit, in some cases, the use of a token transmitted voluntarily by a legitimate client
>>>>                       to an illegitimate client.
>>>>
>>>> Denis
>>>>
>>>>
>>>>> All,
>>>>>
>>>>> As discussed during the IETF meeting in Vienna last week, this is a WG Last Call for the DPoP document:
>>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>>>>
>>>>> Please, provide your feedback on the mailing list by April 11th.
>>>>>
>>>>> Regards,
>>>>>  Rifaat & Hannes
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>> --
>>>> Kind regards
>>>>
>>>> Steinar Noem
>>>> Partner Udelt AS
>>>> Systems developer
>>>>
>>>> | steinar@udelt.no | hei@udelt.no | +47 955 21 620 | www.udelt.no |
>>>
>>>
>>>
>> --
>> https://danielfett.de
>>
>


--Apple-Mail=_BCBC6932-7C64-4217-8320-2B700B72A5A9
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""><div =
class=3D"">If the =E2=80=9Clegitimate=E2=80=9D client willingly gives =
away its secrets and tokens to the =E2=80=9Cillegitimate=E2=80=9D =
client, then the latter isn=E2=80=99t actually =E2=80=9Cillegitimate=E2=80=
=9D anymore.</div><div class=3D""><br class=3D""></div><div =
class=3D"">What I was saying is that the =E2=80=9Cattack" is not even =
necessary if the clients are in fact working together. If the =
=E2=80=9Clegitimate=E2=80=9D client knowing gives away its credentials, =
it is accepting that the receiver of those credentials can do anything =
it wants with those credentials. That=E2=80=99s why they are =
credentials.</div><div class=3D""><br class=3D""></div><div =
class=3D"">&nbsp;=E2=80=94 Justin<br class=3D""><div><br =
class=3D""></div><div>PS: I did not =E2=80=9Cbreak=E2=80=9D the thread, =
I replied to a message in the thread. That=E2=80=99s how email lists =
work.</div><div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"">On Mar 29, 2022, at 9:19 AM, Denis &lt;<a =
href=3D"mailto:denis.ietf@free.fr" class=3D"">denis.ietf@free.fr</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><div class=3D"">
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8" =
class=3D"">
 =20
  <div class=3D"">
    <div class=3D"moz-cite-prefix">
      <div class=3D"moz-cite-prefix">Hi&nbsp; Justin,</div>
      <div class=3D"moz-cite-prefix"><br class=3D"">
      </div>
      <div class=3D"moz-cite-prefix">You broke the thread since you have
        not re-used the last message which was:</div>
      <div class=3D"moz-cite-prefix">
        <blockquote class=3D"">Steinar,
          <div class=3D"moz-cite-prefix"><br class=3D"">
          </div>
          <div class=3D"moz-cite-prefix">As you have guessed, no data
            (except the token and some crypto checksums) is passing
            through the clients. <br class=3D"">
            <br class=3D"">
            Once the legitimate client has allowed the illegitimate
            client to use the token, the illegitimate client can do
            anything it wants with it.</div>
          <div class=3D"moz-cite-prefix">The legitimate client can be =
kept
            fully ignorant of what illegitimate client is doing.</div>
          <div class=3D"moz-cite-prefix"><br class=3D"">
          </div>
          <div class=3D"moz-cite-prefix">The data flow is minimum: if =
the
            token allows to view a 4 Gb movie, that data flow does not
            flow between the clients.<br class=3D"">
          </div>
          <div class=3D"moz-cite-prefix"><br class=3D"">
          </div>
          <div class=3D"moz-cite-prefix">Furthermore, the content of the
            token may allow the illegitimate client to use it during
            days or months.<br class=3D"">
          </div>
          <div class=3D"moz-cite-prefix">Suppose that the token =
indicates
            "over 18". If the user is over 18 now, he will certainly be
            "over 18" the next days, months or years.&nbsp; <br =
class=3D"">
          </div>
          <div class=3D"moz-cite-prefix">There is no need to refresh the
            token as it would be the case if the token included a home
            address.</div>
        </blockquote>
        <div class=3D"moz-cite-prefix">This message explains why this
          collaborative attack is very different from simply forwarding
          messages between clients.</div>
        <div class=3D"moz-cite-prefix"><br class=3D"">
        </div>
        <div class=3D"moz-cite-prefix">The illegitimate client can do
          anything it wants without disclosing what it is doing to the
          legitimate client.<br class=3D"">
          The traffic between the clients is kept to the very =
minimum.<br class=3D"">
        </div>
        <div class=3D"moz-cite-prefix"><br class=3D"">
        </div>
        <div class=3D"moz-cite-prefix">Denis</div>
      </div>
    </div>
    <div class=3D"moz-cite-prefix"><br class=3D"">
    </div>
    <blockquote type=3D"cite" =
cite=3D"mid:3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de" =
class=3D""><p class=3D"">+1<br class=3D"">
      </p>
      <div class=3D"moz-cite-prefix">Am 29.03.22 um 15:10 schrieb Justin
        Richer:<br class=3D"">
      </div>
      <blockquote type=3D"cite" =
cite=3D"mid:F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu" class=3D"">
       =20
        And this is exactly the problem with the =E2=80=9Ccollaborating =
clients=E2=80=9D
        attack, as has been pointed out any number of times it=E2=80=99s =
been
        brought up before. If two clients are willingly collaborating in
        this way, they do not need to share any cryptographic material
        and impersonate each other.
        <div class=3D""><br class=3D"">
        </div>
        <div class=3D"">You don=E2=80=99t need to steal my license if =
I=E2=80=99m willing
          to just go buy you beer.</div>
        <div class=3D""><br class=3D"">
        </div>
        <div class=3D"">The DPoP draft does address signed request =
re-use,
          which some see as a feature to be carefully applied.</div>
        <div class=3D""><br class=3D"">
        </div>
        <div class=3D"">&nbsp;=E2=80=94 Justin<br class=3D"">
          <div class=3D""><br class=3D"">
            <blockquote type=3D"cite" class=3D"">
              <div class=3D"">On Mar 28, 2022, at 1:04 PM, Steinar Noem
                &lt;<a href=3D"mailto:steinar@udelt.no" =
class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">steinar@udelt.no</a>&gt;
                wrote:</div>
              <br class=3D"Apple-interchange-newline">
              <div class=3D"">
               =20
                <div dir=3D"ltr" class=3D"">Interesting, but won't two
                  collaborating clients just pass any data they want to
                  each other? Why would these collaborating clients go
                  through the trouble of exchanging private keys, dpop
                  proofs or tokens? Could you elaborate some more on the
                  scenario?&nbsp;
                  <div class=3D""><br class=3D"">
                  </div>
                  <div class=3D"">S</div>
                </div>
                <br class=3D"">
                <div class=3D"gmail_quote">
                  <div dir=3D"ltr" class=3D"gmail_attr">man. 28. mar. =
2022
                    kl. 16:29 skrev Denis &lt;<a =
href=3D"mailto:denis.ietf@free.fr" class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">denis.ietf@free.fr</a>&gt;:<br class=3D"">
                  </div>
                  <blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px
                    0px 0.8ex;border-left:1px solid
                    rgb(204,204,204);padding-left:1ex">
                    <div class=3D"">
                      <div class=3D""><span style=3D"font-family:Arial" =
class=3D"" lang=3D"EN-US">Rifaat &amp; Hannes,<br class=3D"">
                        </span><p class=3D"MsoNormal"><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">Hereafter are my =
comments:<br class=3D"">
                            <br class=3D"">
                            The introduction states :<br class=3D"">
                            <br class=3D"">
                          </span><span style=3D"font-family:Arial" =
class=3D"" lang=3D"EN-US">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
Recipients of
                            such tokens are then able to verify the
                            binding of the token to the key pair =
that<span class=3D"">&nbsp; </span>the client has
                            demonstrated <br class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; that it =
holds via the DPoP header,
                            thereby providing some assurance that the
                            client presenting the token also possesses
                            the private key. </span><br class=3D"">
                          <span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US"></span><span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US"> <br class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In =
other words, the legitimate
                            presenter of the token is constrained to be
                            the sender that holds and can prove
                            possession of the private part of the key
                            pair.<br class=3D"">
                            <br class=3D"">
                            The client presenting the token <b =
class=3D"">does
                              not necessarily possess the private =
key</b>.
                            The client presenting the token has been
                            able to use <br class=3D"">
                            the results of some cryptographic functions
                            using the private part of the key pair. <br =
class=3D"">
                          </span></p><p class=3D"MsoNormal"><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">These results may =
be
                            communicated by one client to another
                            client, if the two clients agree to
                            collaborate. This statement will be added
                            later on.<br class=3D"">
                            <br class=3D"">
                            Proposed rewording:<br class=3D"">
                            <br class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
Recipients of such tokens are then
                            able to verify the binding of the token to
                            the key pair that<span class=3D"">&nbsp; =
</span>the
                            client has demonstrated <br class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; that it =
holds via the DPoP header,
                            thereby providing some assurance that the
                            client presenting the token <b =
class=3D"">either
                            </b>also possesses <br class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; the =
private key <b class=3D"">or</b>
                            has been able to use the result of
                            cryptographic computations from another
                            client that possesses the private key. <br =
class=3D"">
                            <br class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In =
other words, the presenter of the
                            token can prove that it has been able to use
                            the results of cryptographic computations
                            performed <br class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; by =
using the private part of the key
                            pair. <br class=3D"">
                            <br class=3D"">
                            The objectives states<br class=3D"">
                            <br class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The =
primary aim of DPoP is to prevent
                            unauthorized or illegitimate parties from
                            using leaked or stolen access tokens, <br =
class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; by =
binding a token to a public key
                            upon issuance and requiring that the client
                            proves possession of the corresponding <br =
class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; private =
key when using the token.<br class=3D"">
                            <br class=3D"">
                            DPoP does not prevent unauthorized or
                            illegitimate parties from using access
                            tokens, as soon as two clients agree to
                            collaborate.<br class=3D"">
                            <br class=3D"">
                            Proposed rewording:<br class=3D"">
                            <br class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The =
primary aim of DPoP is to bind a
                            token to a public key upon issuance and
                            requiring that the client proves possession
                            <br class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; of the =
corresponding private key when
                            using the token.<span class=3D"">&nbsp; =
</span>This
                            does not demonstrate that the client
                            presenting the token is <br class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
necessarily the legitimate client. In
                            the case of non-collaborating clients, DPoP
                            prevents unauthorized or illegitimate
                            parties <br class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; from =
using leaked or stolen access
                            tokens. In the case of collaborating
                            clients, the security of DPoP is ineffective
                            <br class=3D"">
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (see =
section 11.X).<br class=3D"">
                            <br class=3D"">
                            Section 11 is about "Security
                            Considerations" and addresses the following
                            topics:<br class=3D"">
                            <br class=3D"">
                            <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; =
</span>11.1.<span class=3D"">&nbsp; </span>DPoP Proof Replay<br =
class=3D"">
                            <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; =
</span>11.2.<span class=3D"">&nbsp; </span>DPoP Proof
                            Pre-Generation<br class=3D"">
                            <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; =
</span>11.3.<span class=3D"">&nbsp; </span>DPoP Nonce Downgrade<br =
class=3D"">
                            <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; =
</span>11.4.<span class=3D"">&nbsp; </span>Untrusted Code in the
                            Client Context<br class=3D"">
                            <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; =
</span>11.5.<span class=3D"">&nbsp; </span>Signed JWT Swapping<br =
class=3D"">
                            <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; =
</span>11.6.<span class=3D"">&nbsp; </span>Signature Algorithms<br =
class=3D"">
                            <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; =
</span>11.7.<span class=3D"">&nbsp; </span>Message Integrity<br =
class=3D"">
                            <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; =
</span>11.8.<span class=3D"">&nbsp; </span>Access Token and Public
                            Key Binding<br class=3D"">
                            <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; =
</span>11.9.<span class=3D"">&nbsp; </span>Authorization Code and
                            Public Key Binding<br class=3D"">
                            <br class=3D"">
                            The case of collaborative clients should be
                            addressed within section 11.<br class=3D"">
                            <br class=3D"">
                            Text proposal. <br class=3D"">
                            <br class=3D"">
                            <span class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; =
</span>11.X.
                            Collaborative clients<br class=3D"">
                            <br class=3D"">
                            =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DPoP =
demonstrates that the
                            client presenting the token has been able to
                            use the results of some cryptographic
                            functions<br class=3D"">
                            &nbsp; &nbsp;<span style=3D"font-family:Arial"=
 class=3D"" lang=3D"EN-US"> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span>using the
                            private part of the key pair.<br class=3D"">
                            <br class=3D"">
                          </span><span style=3D"font-family:Arial" =
class=3D"" lang=3D"EN-US"><span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US">&nbsp; &nbsp;<span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US"> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span></span>If
                            a client agrees to collaborate with another
                            client, the security of DPoP is no longer
                            effective.<span class=3D"">&nbsp; =
</span>When two
                            clients agree to collaborate, <br class=3D"">
                          </span><span style=3D"font-family:Arial" =
class=3D"" lang=3D"EN-US"><span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US">&nbsp; &nbsp;<span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US"> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span></span>these
                            results of the cryptographic computations
                            performed by one client may be communicated
                            to another client. <br class=3D"">
                            <br class=3D"">
                          </span><span style=3D"font-family:Arial" =
class=3D"" lang=3D"EN-US"><span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US">&nbsp; &nbsp;<span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US"> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span></span>Even
                            if the private key used for DPoP is stored
                            in such a way that it cannot be exported,
                            e.g., in a hardware or software security
                            module, <br class=3D"">
                          </span><span style=3D"font-family:Arial" =
class=3D"" lang=3D"EN-US"><span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US">&nbsp; &nbsp;<span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US"> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span></span>the
                            client can perform all the cryptographic
                            computations needed by the other client to
                            create DPoP proofs. <br class=3D"">
                            <br class=3D"">
                          </span><span style=3D"font-family:Arial" =
class=3D"" lang=3D"EN-US"><span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US">&nbsp; &nbsp;<span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US"> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span></span>The
                            client can easily create new DPoP proofs as
                            long as the other client is online.<br =
class=3D"">
                            <br class=3D"">
                          </span><span style=3D"font-family:Arial" =
class=3D"" lang=3D"EN-US"><span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US">&nbsp; &nbsp;<span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US"> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span></span>Note:
                            There exist other techniques able to limit,
                            in some cases, the use of a token
                            transmitted voluntarily by a legitimate
                            client <br class=3D"">
                            =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; to an illegitimate
                            client.<br class=3D"">
                            <br class=3D"">
                            Denis</span></p>
                      </div>
                      <div class=3D""><br class=3D"">
                      </div>
                      <blockquote type=3D"cite" class=3D"">
                        <div dir=3D"ltr" class=3D"">All,<br class=3D"">
                          <br class=3D"">
                          As discussed during the IETF meeting in <b =
class=3D"">Vienna</b> last week, this is a <b class=3D"">WG Last Call =
</b>for the&nbsp;<b class=3D"">DPoP</b> document:<br class=3D"">
                          <a =
href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/" =
target=3D"_blank" class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">https://datatracker.ietf.org/doc/draft-ietf-oauth=
-dpop/</a><br class=3D"">
                          <br class=3D"">
                          Please, provide your feedback on the mailing
                          list by April 11th.<br class=3D"">
                          <br class=3D"">
                          Regards,<br class=3D"">
                          &nbsp;Rifaat &amp; Hannes<br class=3D"">
                          <div class=3D""><br class=3D"">
                          </div>
                        </div>
                        <br class=3D"">
                        <fieldset class=3D""></fieldset>
                        <pre =
class=3D"">_______________________________________________
OAuth mailing list
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">OAuth@ietf.org</a>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                      </blockquote><p class=3D""><br class=3D"">
                      </p>
                    </div>
                    _______________________________________________<br =
class=3D"">
                    OAuth mailing list<br class=3D"">
                    <a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">OAuth@ietf.org</a><br class=3D"">
                    <a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank" class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">https://www.ietf.org/mailman/listinfo/oauth</a><b=
r class=3D"">
                  </blockquote>
                </div>
                <br class=3D"" clear=3D"all">
                <div class=3D""><br class=3D"">
                </div>
                -- <br class=3D"">
                <div dir=3D"ltr" class=3D"gmail_signature">
                  <div dir=3D"ltr" class=3D"">
                    <div class=3D"">
                      <div dir=3D"ltr" class=3D"">
                        <div style=3D"color:rgb(80,0,80)" class=3D""><span=
 style=3D"color:rgb(34,34,34)" class=3D"">Vennlig
                            hilsen</span><br class=3D"">
                        </div>
                        <div style=3D"color:rgb(80,0,80)" class=3D""><span=
 style=3D"color:rgb(34,34,34)" class=3D""><br class=3D"">
                          </span></div>
                        <div style=3D"color:rgb(80,0,80)" class=3D"">
                          <div style=3D"color:rgb(34,34,34)" =
class=3D"">Steinar
                            Noem</div>
                          <div style=3D"color:rgb(34,34,34)" =
class=3D"">Partner
                            Udelt AS</div>
                          <div style=3D"color:rgb(34,34,34)" =
class=3D"">Systemutvikler</div>
                          <div style=3D"color:rgb(34,34,34)" =
class=3D"">&nbsp;</div>
                          <div style=3D"color:rgb(34,34,34)" =
class=3D"">|&nbsp;<a href=3D"mailto:steinar@udelt.no" =
style=3D"color:rgb(17,85,204)" target=3D"_blank" class=3D"" =
moz-do-not-send=3D"true"><span =
style=3D"color:rgb(34,34,34);background:rgb(255,255,204)" =
class=3D"">steinar@udelt.no</span></a>&nbsp;|&nbsp;<a =
href=3D"mailto:hei@udelt.no" style=3D"color:rgb(17,85,204)" =
target=3D"_blank" class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">hei@udelt.no</a>&nbsp;&nbsp;|&nbsp;<a class=3D"" =
moz-do-not-send=3D"true">+47 955 21
                              620</a>&nbsp;|&nbsp;<a =
href=3D"http://www.udelt.no/" style=3D"color:rgb(17,85,204)" =
target=3D"_blank" class=3D"" =
moz-do-not-send=3D"true">www.udelt.no</a>&nbsp;|&nbsp;</div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
                _______________________________________________<br =
class=3D"">
                OAuth mailing list<br class=3D"">
                <a href=3D"mailto:OAuth@ietf.org" =
class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">OAuth@ietf.org</a><br class=3D"">
                <a class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" =
moz-do-not-send=3D"true">https://www.ietf.org/mailman/listinfo/oauth</a><b=
r class=3D"">
              </div>
            </blockquote>
          </div>
          <br class=3D"">
        </div>
        <br class=3D"">
        <fieldset class=3D"moz-mime-attachment-header"></fieldset>
        <pre class=3D"moz-quote-pre" =
wrap=3D"">_______________________________________________
OAuth mailing list
<a class=3D"moz-txt-link-abbreviated moz-txt-link-freetext" =
href=3D"mailto:OAuth@ietf.org" moz-do-not-send=3D"true">OAuth@ietf.org</a>=

<a class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" =
moz-do-not-send=3D"true">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
      </blockquote>
      <pre class=3D"moz-signature" cols=3D"72">--=20
<a class=3D"moz-txt-link-freetext" href=3D"https://danielfett.de/" =
moz-do-not-send=3D"true">https://danielfett.de</a></pre>
      <br class=3D"">
      <fieldset class=3D"moz-mime-attachment-header"></fieldset>
      <pre class=3D"moz-quote-pre" =
wrap=3D"">_______________________________________________
OAuth mailing list
<a class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a>
</pre>
    </blockquote><p class=3D""><br class=3D"">
    </p>
  </div>

_______________________________________________<br class=3D"">OAuth =
mailing list<br class=3D""><a href=3D"mailto:OAuth@ietf.org" =
class=3D"">OAuth@ietf.org</a><br =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth<br =
class=3D""></div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_BCBC6932-7C64-4217-8320-2B700B72A5A9--


From nobody Tue Mar 29 08:38:46 2022
Return-Path: <rohan.mahy@wire.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 507193A1A45 for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 08:38:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level: 
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SEPe8qpfnBuq for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 08:38:39 -0700 (PDT)
Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F1983A1A43 for <oauth@ietf.org>; Tue, 29 Mar 2022 08:38:39 -0700 (PDT)
Received: by mail-pj1-x1031.google.com with SMTP id mp6-20020a17090b190600b001c6841b8a52so2218933pjb.5 for <oauth@ietf.org>; Tue, 29 Mar 2022 08:38:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NzNnYmUcjQzXD4AzOOq1l8b7QfEfA9tCMDofZGgjLqA=; b=kJISUELz1lBc/v4vgmnPfCrYbJHHsBCt3mGdYUZRJCsTCJn6/h23WW1+OXe6zSWWkF mH4Jh9XKUjKJd5x34RZoUG5ER6VMLKNb+9sxjpyRw44KOEjv9wmP6x9vhScNmWfKNqNj R5eyztzwQGg6DKiQalfEtw5syfotoJ+CO2Ds62iXoTw56DF3nKFaBccQE/n+EZZ71qwm 7898xwVvdo3UvHtJTvEQluNkx+BXIfBd1jVHRz0CxSdXXxqRRLDozkdI229U6yfz5bnD +izNZp13EsVeXzMmQ+JUp6+8kL/ejXDbbSLPLL3JDA86y90R/7pu7Qu8Ih6kfsjkErXy EDbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NzNnYmUcjQzXD4AzOOq1l8b7QfEfA9tCMDofZGgjLqA=; b=TyYPp/mpDnFRbZhfJ9rquCdSc+322uD0+Srn+diAdt7ao5nUYUOSrgDsv/SHZWLCnF tlGHRT/BFoDAUU8+5+etD6e2o8Kga8/QGhY6H8EWYjIYQ5KJGnqg+J25qd2LTVvCufhN /DGbzGhZ5Y8LQQM7qM6r90uhHR6048Kwr5rso/eA6lPOqBIlkkI+Gh6yE2FewIILsufR z2Id9csCuQ5S3x0U1T6iMO0ZVuRhTVO6wxVO+QK152rS3S2QTkikPRklGNhonNHsRjP2 t0U1OsXREqkw0hq2GpzcmntURCVZVRP/8QtWqeFLDp8MdF8BtawB4uNRp3zdcAnSvYUG Sg/A==
X-Gm-Message-State: AOAM530d8UABxLXk5VeX8Lu5ePLuIz4xn2o6AANlLYw7ABxNQftyoLR4 yEOok0PoYVAFZBDECJMxNf6zP+4PImQXev8IT9bnVKHSTrSuZQaF
X-Google-Smtp-Source: ABdhPJy3MP80ozAZF+BBjSgUjQgKR1aBg071Cba569gb1kmfOACBIDz7i+4bIscLP7F+Ye48RfN/6Z1mmnscNhXK7OY=
X-Received: by 2002:a17:903:244b:b0:154:2cb2:86d with SMTP id l11-20020a170903244b00b001542cb2086dmr30364716pls.123.1648568318129; Tue, 29 Mar 2022 08:38:38 -0700 (PDT)
MIME-Version: 1.0
References: <CACW8--P6CHL=Op+gD17p_4FLoR11-aknR7ZiPgVP5NOnxzmwPw@mail.gmail.com> <EA30DFC4-E990-43A1-B399-5D63AE7B36BB@mit.edu>
In-Reply-To: <EA30DFC4-E990-43A1-B399-5D63AE7B36BB@mit.edu>
From: Rohan Mahy <rohan@wire.com>
Date: Tue, 29 Mar 2022 08:38:27 -0700
Message-ID: <CACW8--ML=mMMeA9wOts_nnTNsMbDgVBZ4-jvnrQMShUaRLooLA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000fd963305db5d382e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9Chk_lSermw5L6F6g_vZg_ySJVI>
Subject: Re: [OAUTH-WG] access token hash claim name in oauth-dpop draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 15:38:45 -0000

--000000000000fd963305db5d382e
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I agree that the at_hash definition is bizarre. I suggest adding a sentence
when introducing the ath claim explaining that this is similar but
different from at_hash.
Thanks,
-rohan


On Tue, Mar 29, 2022 at 6:14 AM Justin Richer <jricher@mit.edu> wrote:

> Yes, it was considered, discussed, and rejected. The reason being
> =E2=80=9Cat_hash=E2=80=9D has a somewhat convoluted definition (left-bits=
 of a hash of an
> access token in the context of a JOSE object, etc), to fit some of the
> design constraints of ID Tokens. DPoP proofs do not have those same
> constraints. DPoP opted, correctly in my opinion, to simplify this by
> declaring a single hashing algorithm and using its full output value.
> Cryptographic agility would be achieved by defining a new claim with a ne=
w
> hashing algorithm.
>
>  =E2=80=94 Justin
>
> On Mar 28, 2022, at 10:41 AM, Rohan Mahy <rohan=3D40wire.com@dmarc.ietf.o=
rg>
> wrote:
>
> Hi,
> Did you consider using the (already IANA registered) at_hash claim define=
d
> in:
> https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
> instead of defining a new ath claim?
>
> It seems like if we don't use at_hash we should explain why ath is
> better/different.
> Thanks,
> -rohan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

--000000000000fd963305db5d382e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>I agree that the at_hash definition is bizarre. I sug=
gest adding a sentence when introducing the ath claim explaining that this =
is similar but different from at_hash.</div><div>Thanks,</div><div>-rohan<b=
r></div><br></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"=
gmail_attr">On Tue, Mar 29, 2022 at 6:14 AM Justin Richer &lt;<a href=3D"ma=
ilto:jricher@mit.edu">jricher@mit.edu</a>&gt; wrote:<br></div><blockquote c=
lass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px soli=
d rgb(204,204,204);padding-left:1ex"><div style=3D"overflow-wrap: break-wor=
d;">Yes, it was considered, discussed, and rejected. The reason being =E2=
=80=9Cat_hash=E2=80=9D has a somewhat convoluted definition (left-bits of a=
 hash of an access token in the context of a JOSE object, etc), to fit some=
 of the design constraints of ID Tokens. DPoP proofs do not have those same=
 constraints. DPoP opted, correctly in my opinion, to simplify this by decl=
aring a single hashing algorithm and using its full output value. Cryptogra=
phic agility would be achieved by defining a new claim with a new hashing a=
lgorithm.<div><br></div><div>=C2=A0=E2=80=94 Justin<br><div><br><blockquote=
 type=3D"cite"><div>On Mar 28, 2022, at 10:41 AM, Rohan Mahy &lt;<a href=3D=
"mailto:rohan=3D40wire.com@dmarc.ietf.org" target=3D"_blank">rohan=3D40wire=
.com@dmarc.ietf.org</a>&gt; wrote:</div><br><div><div dir=3D"ltr"><div>Hi,<=
/div><div><div dir=3D"auto">Did you consider using the (already IANA regist=
ered) at_hash claim defined in:=C2=A0</div><div dir=3D"auto"><a href=3D"htt=
ps://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken" target=3D"_=
blank">https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken</a=
></div><div dir=3D"auto">instead of defining a new ath claim?</div><div dir=
=3D"auto"><br></div><div>It seems like if we don&#39;t use at_hash we shoul=
d explain why ath is better/different.<br></div><div dir=3D"auto">Thanks,</=
div><div dir=3D"auto">-rohan</div></div></div>
_______________________________________________<br>OAuth mailing list<br><a=
 href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">http=
s://www.ietf.org/mailman/listinfo/oauth</a><br></div></blockquote></div><br=
></div></div></blockquote></div>

--000000000000fd963305db5d382e--

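The at_hash/ath distinction discussed in the message above, as an added example (not code from the thread, the DPoP draft or OpenID Connect Core): `oidc_at_hash` follows the at_hash construction, where the digest algorithm is derived from the ID Token's JWS `alg` and only the left-most half of the digest is kept, while `dpop_ath` follows the DPoP construction, a fixed SHA-256 over the ASCII access token with the full digest. `rs_check_ath` is the resource-server side of the check. The function names and the sample token are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample access token for the illustration; not a token from
# the draft or from any deployment.
SAMPLE_ACCESS_TOKEN = "example.access.token-Kz8mXK1EalYznwH"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE encodes hash values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dpop_ath(access_token: str) -> str:
    """DPoP 'ath' claim: base64url of the full SHA-256 digest of the ASCII
    access token. The hash algorithm is fixed; nothing depends on the
    signing algorithm of the proof."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def oidc_at_hash(access_token: str, id_token_alg: str) -> str:
    """OpenID Connect Core 'at_hash': hash with the digest matching the
    ID Token's JWS alg (SHA-256 for *256, SHA-384 for *384, SHA-512 for
    *512), keep the left-most half of the digest, then base64url-encode.
    Algorithms that do not end in a digest size (e.g. EdDSA) have no
    derivable digest, which is one source of the awkwardness."""
    bits = id_token_alg[-3:]
    digest_name = {"256": "sha256", "384": "sha384", "512": "sha512"}.get(bits)
    if digest_name is None:
        raise ValueError(f"cannot derive at_hash digest from alg {id_token_alg!r}")
    digest = hashlib.new(digest_name, access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def rs_check_ath(proof_ath: str, presented_token: str) -> bool:
    """Resource-server side: does the 'ath' carried in the DPoP proof match
    the access token actually presented in the Authorization header?
    Constant-time comparison so the check itself leaks nothing."""
    expected = dpop_ath(presented_token)
    return hmac.compare_digest(expected.encode("ascii"), proof_ath.encode("ascii"))


if __name__ == "__main__":
    print("ath     :", dpop_ath(SAMPLE_ACCESS_TOKEN))
    print("at_hash :", oidc_at_hash(SAMPLE_ACCESS_TOKEN, "RS256"))
    print("RS check:", rs_check_ath(dpop_ath(SAMPLE_ACCESS_TOKEN), SAMPLE_ACCESS_TOKEN))
```

Because both constructions start from SHA-256 when the ID Token alg is RS256 or ES256, an at_hash value is a truncated prefix of the corresponding ath value (the first 21 base64url characters agree, the 22nd differs because of partial-group padding); the two claims are nevertheless not interchangeable, which is why a sentence pointing out the difference next to the ath definition helps implementers.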

From nobody Tue Mar 29 08:39:49 2022
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89A9B3A1A4B for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 08:39:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.943
X-Spam-Level: 
X-Spam-Status: No, score=-0.943 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.186, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vnPTLyMc2RQs for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 08:39:43 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp03.smtpout.orange.fr [80.12.242.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B76DF3A1A48 for <oauth@ietf.org>; Tue, 29 Mar 2022 08:39:42 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.93.96]) by smtp.orange.fr with ESMTPA id ZDwUnwQVqhTNkZDwUnEMIm; Tue, 29 Mar 2022 17:39:38 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: OWU3ZmVkYWM0M2UwZWM1YifxM2Q3ZDk1YiUzNWJiZTM2MiliMTI0N2YxZmQ=
X-ME-Date: Tue, 29 Mar 2022 17:39:38 +0200
X-ME-IP: 90.26.93.96
Content-Type: multipart/alternative; boundary="------------la1l0eT0f9VimvC2nWmfAbt3"
Message-ID: <3c82ae34-41d8-9fc8-3490-5c11d7f29a2c@free.fr>
Date: Tue, 29 Mar 2022 17:39:34 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-GB
To: oauth@ietf.org
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu> <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de> <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr> <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu>
From: Denis <denis.ietf@free.fr>
In-Reply-To: <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CMjx4_mGNwAGWXrBEcTjz9_zNXQ>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 15:39:48 -0000

This is a multi-part message in MIME format.
--------------la1l0eT0f9VimvC2nWmfAbt3
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi  Justin,

In this scenario, the “legitimate” client _never_ gives away its secrets 
(if it is using a secure platform, it can't). It never gives away its 
credentials either.

When using key bound access tokens, a RS can't know whether the access 
token is presented by the “legitimate” client or by an “illegitimate” 
client.

One of the goals is also to prevent a client from monetizing the selling of 
"key bound access tokens" to other end-users.

As I have already indicated, there exists a solution able to prevent 
such a scenario in some specific cases (i.e. in the case of RS long-term 
user accounts).

Denis


> If the “legitimate” client willingly gives away its secrets and tokens 
> to the “illegitimate” client, then the latter isn’t actually 
> “illegitimate” anymore.
>
> What I was saying is that the “attack" is not even necessary if the 
> clients are in fact working together.
> If the “legitimate” client knowingly gives away its credentials, it is 
> accepting that the receiver of those credentials can do anything it 
> wants with those credentials. That’s why they are credentials.
>
>  — Justin
>
> PS: I did not “break” the thread, I replied to a message in the 
> thread. That’s how email lists work.
>
>> On Mar 29, 2022, at 9:19 AM, Denis <denis.ietf@free.fr> wrote:
>>
>> Hi  Justin,
>>
>> You broke the thread since you have not re-used the last message 
>> which was:
>>
>>     Steinar,
>>
>>     As you have guessed, no data (except the token and some crypto
>>     checksums) is passing through the clients.
>>
>>     Once the legitimate client has allowed the illegitimate client to
>>     use the token, the illegitimate client can do anything it wants
>>     with it.
>>     The legitimate client can be kept fully ignorant of what
>>     illegitimate client is doing.
>>
>>     The data flow is minimum: if the token allows to view a 4 Gb
>>     movie, that data flow does not flow between the clients.
>>
>>     Furthermore, the content of the token may allow the illegitimate
>>     client to use it during days or months.
>>     Suppose that the token indicates "over 18". If the user is over
>>     18 now, he will certainly be "over 18" the next days, months or
>>     years.
>>     There is no need to refresh the token as it would be the case if
>>     the token included a home address.
>>
>> This message explains why this collaborative attack is very different 
>> from simply forwarding messages between clients.
>>
>> The illegitimate client can do anything it wants without disclosing 
>> what it is doing to the legitimate client.
>> The traffic between the clients is kept to the very minimum.
>>
>> Denis
>>
>>> +1
>>>
>>> Am 29.03.22 um 15:10 schrieb Justin Richer:
>>>> And this is exactly the problem with the “collaborating clients” 
>>>> attack, as has been pointed out any number of times it’s been 
>>>> brought up before. If two clients are willingly collaborating in 
>>>> this way, they do not need to share any cryptographic material and 
>>>> impersonate each other.
>>>>
>>>> You don’t need to steal my license if I’m willing to just go buy 
>>>> you beer.
>>>>
>>>> The DPoP draft does address signed request re-use, which some see 
>>>> as a feature to be carefully applied.
>>>>
>>>>  — Justin
>>>>
>>>>> On Mar 28, 2022, at 1:04 PM, Steinar Noem <steinar@udelt.no> wrote:
>>>>>
>>>>> Interesting, but won't two collaborating clients just pass any 
>>>>> data they want to each other? Why would these collaborating 
>>>>> clients go through the trouble of exchanging private keys, dpop 
>>>>> proofs or tokens? Could you elaborate some more on the scenario?
>>>>>
>>>>> S
>>>>>
>>>>> man. 28. mar. 2022 kl. 16:29 skrev Denis <denis.ietf@free.fr>:
>>>>>
>>>>>     Rifaat & Hannes,
>>>>>
>>>>>     Hereafter are my comments:
>>>>>
>>>>>     The introduction states :
>>>>>
>>>>>     Recipients of such tokens are then able to verify the binding
>>>>>     of the token to the key pair that the client has demonstrated
>>>>>            that it holds via the DPoP header, thereby providing
>>>>>     some assurance that the client presenting the token also
>>>>>     possesses the private key.
>>>>>
>>>>>            In other words, the legitimate presenter of the token
>>>>>     is constrained to be the sender that holds and can prove
>>>>>     possession of the private part of the key pair.
>>>>>
>>>>>     The client presenting the token *does not necessarily possess
>>>>>     the private key*. The client presenting the token has been
>>>>>     able to use
>>>>>     the results of some cryptographic functions using the private
>>>>>     part of the key pair.
>>>>>
>>>>>     These results may be communicated by one client to another
>>>>>     client, if the two clients agree to collaborate. This
>>>>>     statement will be added later on.
>>>>>
>>>>>     Proposed rewording:
>>>>>
>>>>>            Recipients of such tokens are then able to verify the
>>>>>     binding of the token to the key pair that the client has
>>>>>     demonstrated
>>>>>            that it holds via the DPoP header, thereby providing
>>>>>     some assurance that the client presenting the token *either
>>>>>     *also possesses
>>>>>            the private key *or* has been able to use the result of
>>>>>     cryptographic computations from another client that possesses
>>>>>     the private key.
>>>>>
>>>>>            In other words, the presenter of the token can prove
>>>>>     that it has been able to use the results of cryptographic
>>>>>     computations performed
>>>>>            by using the private part of the key pair.
>>>>>
>>>>>     The objectives states
>>>>>
>>>>>            The primary aim of DPoP is to prevent unauthorized or
>>>>>     illegitimate parties from using leaked or stolen access tokens,
>>>>>            by binding a token to a public key upon issuance and
>>>>>     requiring that the client proves possession of the corresponding
>>>>>            private key when using the token.
>>>>>
>>>>>     DPoP does not prevent unauthorized or illegitimate parties
>>>>>     from using access tokens, as soon as two clients agree to
>>>>>     collaborate.
>>>>>
>>>>>     Proposed rewording:
>>>>>
>>>>>            The primary aim of DPoP is to bind a token to a public
>>>>>     key upon issuance and requiring that the client proves possession
>>>>>            of the corresponding private key when using the
>>>>>     token. This does not demonstrate that the client presenting the
>>>>>     token is
>>>>>            necessarily the legitimate client. In the case of
>>>>>     non-collaborating clients, DPoP prevents unauthorized or
>>>>>     illegitimate parties
>>>>>            from using leaked or stolen access tokens. In the case
>>>>>     of collaborating clients, the security of DPoP is ineffective
>>>>>            (see section 11.X).
>>>>>
>>>>>     Section 11 is about "Security Considerations" and addresses
>>>>>     the following topics:
>>>>>
>>>>>     11.1.DPoP Proof Replay
>>>>>     11.2.DPoP Proof Pre-Generation
>>>>>     11.3.DPoP Nonce Downgrade
>>>>>     11.4.Untrusted Code in the Client Context
>>>>>     11.5.Signed JWT Swapping
>>>>>     11.6.Signature Algorithms
>>>>>     11.7.Message Integrity
>>>>>     11.8.Access Token and Public Key Binding
>>>>>     11.9.Authorization Code and Public Key Binding
>>>>>
>>>>>     The case of collaborative clients should be addressed within
>>>>>     section 11.
>>>>>
>>>>>     Text proposal.
>>>>>
>>>>>     11.X. Collaborative clients
>>>>>
>>>>>                 DPoP demonstrates that the client presenting the
>>>>>     token has been able to use the results of some cryptographic
>>>>>     functions
>>>>>     using the private part of the key pair.
>>>>>
>>>>>     If a client agrees to collaborate with another client, the
>>>>>     security of DPoP is no longer effective. When two clients agree
>>>>>     to collaborate,
>>>>>     these results of the cryptographic computations performed by
>>>>>     one client may be communicated to another client.
>>>>>
>>>>>     Even if the private key used for DPoP is stored in such a way
>>>>>     that it cannot be exported, e.g., in a hardware or software
>>>>>     security module,
>>>>>     the client can perform all the cryptographic computations
>>>>>     needed by the other client to create DPoP proofs.
>>>>>
>>>>>     The client can easily create new DPoP proofs as long as the
>>>>>     other client is online.
>>>>>
>>>>>     Note: There exist other techniques able to limit, in some
>>>>>     cases, the use of a token transmitted voluntarily by a
>>>>>     legitimate client
>>>>>                           to an illegitimate client.
>>>>>
>>>>>     Denis
>>>>>
>>>>>
>>>>>>     All,
>>>>>>
>>>>>>     As discussed during the IETF meeting in *Vienna* last week,
>>>>>>     this is a *WG Last Call *for the *DPoP* document:
>>>>>>     https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>>>>>
>>>>>>     Please, provide your feedback on the mailing list by April 11th.
>>>>>>
>>>>>>     Regards,
>>>>>>      Rifaat & Hannes
>>>>>>
>>>>>>
>>>>>>     _______________________________________________
>>>>>>     OAuth mailing list
>>>>>>     OAuth@ietf.org
>>>>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>>     _______________________________________________
>>>>>     OAuth mailing list
>>>>>     OAuth@ietf.org
>>>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> Vennlig hilsen
>>>>>
>>>>> Steinar Noem
>>>>> Partner Udelt AS
>>>>> Systemutvikler
>>>>> | steinar@udelt.no <mailto:steinar@udelt.no> | hei@udelt.no  | +47 
>>>>> 955 21 620 | www.udelt.no <http://www.udelt.no/> |
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> -- 
>>> https://danielfett.de
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

--------------la1l0eT0f9VimvC2nWmfAbt3
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix">Hi  Justin,</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">In this scenario, the “legitimate”
      client <u>never</u> gives away its secrets (if it is using a
      secure platform, it can't). It never gives away its credentials
      either.</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">When using key bound access tokens, a
      RS can't know whether the access token is presented by the
      “legitimate” client or by an “illegitimate” client.</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">One of the goals is also to prevent a
      client from monetizing the selling of "key bound access tokens" to
      other end-users. <br>
    </div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">As I have already indicated, there
      exists a solution able to prevent such a scenario in some specific
      cases (i.e. in the case of RS long-term user accounts).<br>
    </div>
    <div class="moz-cite-prefix"><br>
      Denis<br>
    </div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix"><br>
    </div>
    <blockquote type="cite"
      cite="mid:02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <div class="">If the “legitimate” client willingly gives away its
        secrets and tokens to the “illegitimate” client, then the latter
        isn’t actually “illegitimate” anymore.</div>
      <div class=""><br class="">
      </div>
      <div class="">What I was saying is that the “attack" is not even
        necessary if the clients are in fact working together. <br>
        If the “legitimate” client knowingly gives away its credentials,
        it is accepting that the receiver of those credentials can do
        anything it wants with those credentials. That’s why they are
        credentials.</div>
      <div class=""><br class="">
      </div>
      <div class=""> — Justin<br class="">
        <div><br class="">
        </div>
        <div>PS: I did not “break” the thread, I replied to a message in
          the thread. That’s how email lists work.</div>
        <div><br class="">
          <blockquote type="cite" class="">
            <div class="">On Mar 29, 2022, at 9:19 AM, Denis &lt;<a
                href="mailto:denis.ietf@free.fr"
                class="moz-txt-link-freetext" moz-do-not-send="true">denis.ietf@free.fr</a>&gt;
              wrote:</div>
            <br class="Apple-interchange-newline">
            <div class="">
              <meta http-equiv="Content-Type" content="text/html;
                charset=UTF-8" class="">
              <div class="">
                <div class="moz-cite-prefix">
                  <div class="moz-cite-prefix">Hi  Justin,</div>
                  <div class="moz-cite-prefix"><br class="">
                  </div>
                  <div class="moz-cite-prefix">You broke the thread
                    since you have not re-used the last message which
                    was:</div>
                  <div class="moz-cite-prefix">
                    <blockquote class="">Steinar,
                      <div class="moz-cite-prefix"><br class="">
                      </div>
                      <div class="moz-cite-prefix">As you have guessed,
                        no data (except the token and some crypto
                        checksums) is passing through the clients. <br
                          class="">
                        <br class="">
                        Once the legitimate client has allowed the
                        illegitimate client to use the token, the
                        illegitimate client can do anything it wants
                        with it.</div>
                      <div class="moz-cite-prefix">The legitimate client
                        can be kept fully ignorant of what illegitimate
                        client is doing.</div>
                      <div class="moz-cite-prefix"><br class="">
                      </div>
                      <div class="moz-cite-prefix">The data flow is
                        minimal: if the token allows viewing a 4 Gb
                        movie, that data flow does not flow between the
                        clients.<br class="">
                      </div>
                      <div class="moz-cite-prefix"><br class="">
                      </div>
                      <div class="moz-cite-prefix">Furthermore, the
                        content of the token may allow the illegitimate
                        client to use it for days or months.<br
                          class="">
                      </div>
                      <div class="moz-cite-prefix">Suppose that the
                        token indicates "over 18". If the user is over
                        18 now, he will certainly be "over 18" the next
                        days, months or years.  <br class="">
                      </div>
                      <div class="moz-cite-prefix">There is no need to
                        refresh the token as it would be the case if the
                        token included a home address.</div>
                    </blockquote>
                    <div class="moz-cite-prefix">This message explains
                      why this collaborative attack is very different
                      from simply forwarding messages between clients.</div>
                    <div class="moz-cite-prefix"><br class="">
                    </div>
                    <div class="moz-cite-prefix">The illegitimate client
                      can do anything it wants without disclosing what
                      it is doing to the legitimate client.<br class="">
                      The traffic between the clients is kept to the
                      very minimum.<br class="">
                    </div>
                    <div class="moz-cite-prefix"><br class="">
                    </div>
                    <div class="moz-cite-prefix">Denis</div>
                  </div>
                </div>
                <div class="moz-cite-prefix"><br class="">
                </div>
                <blockquote type="cite"
                  cite="mid:3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de"
                  class="">
                  <p class="">+1<br class="">
                  </p>
                  <div class="moz-cite-prefix">On 29.03.22 at 15:10,
                    Justin Richer wrote:<br class="">
                  </div>
                  <blockquote type="cite"
                    cite="mid:F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu"
                    class=""> And this is exactly the problem with the
                    “collaborating clients” attack, as has been pointed
                    out any number of times it’s been brought up before.
                    If two clients are willingly collaborating in this
                    way, they do not need to share any cryptographic
                    material and impersonate each other.
                    <div class=""><br class="">
                    </div>
                    <div class="">You don’t need to steal my license if
                      I’m willing to just go buy you beer.</div>
                    <div class=""><br class="">
                    </div>
                    <div class="">The DPoP draft does address signed
                      request re-use, which some see as a feature to be
                      carefully applied.</div>
                    <div class=""><br class="">
                    </div>
                    <div class=""> — Justin<br class="">
                      <div class=""><br class="">
                        <blockquote type="cite" class="">
                          <div class="">On Mar 28, 2022, at 1:04 PM,
                            Steinar Noem &lt;<a
                              href="mailto:steinar@udelt.no"
                              class="moz-txt-link-freetext"
                              moz-do-not-send="true">steinar@udelt.no</a>&gt;
                            wrote:</div>
                          <br class="Apple-interchange-newline">
                          <div class="">
                            <div dir="ltr" class="">Interesting, but
                              won't two collaborating clients just pass
                              any data they want to each other? Why
                              would these collaborating clients go
                              through the trouble of exchanging private
                              keys, dpop proofs or tokens? Could you
                              elaborate some more on the scenario? 
                              <div class=""><br class="">
                              </div>
                              <div class="">S</div>
                            </div>
                            <br class="">
                            <div class="gmail_quote">
                              <div dir="ltr" class="gmail_attr">On Mon 28
                                Mar 2022 at 16:29, Denis &lt;<a
                                  href="mailto:denis.ietf@free.fr"
                                  class="moz-txt-link-freetext"
                                  moz-do-not-send="true">denis.ietf@free.fr</a>&gt; wrote:<br
                                  class="">
                              </div>
                              <blockquote class="gmail_quote"
                                style="margin:0px 0px 0px
                                0.8ex;border-left:1px solid
                                rgb(204,204,204);padding-left:1ex">
                                <div class="">
                                  <div class=""><span
                                      style="font-family:Arial" class=""
                                      lang="EN-US">Rifaat &amp; Hannes,<br
                                        class="">
                                    </span>
                                    <p class="MsoNormal"><span
                                        style="font-family:Arial"
                                        class="" lang="EN-US">Hereafter
                                        are my comments:<br class="">
                                        <br class="">
                                        The introduction states:<br
                                          class="">
                                        <br class="">
                                      </span><span
                                        style="font-family:Arial"
                                        class="" lang="EN-US">      
                                        Recipients of such tokens are
                                        then able to verify the binding
                                        of the token to the key pair
                                        that<span class="">  </span>the
                                        client has demonstrated <br
                                          class="">
                                               that it holds via the
                                        DPoP header, thereby providing
                                        some assurance that the client
                                        presenting the token also
                                        possesses the private key. </span><br
                                        class="">
                                      <span style="font-family:Arial"
                                        class="" lang="EN-US"></span><span
                                        style="font-family:Arial"
                                        class="" lang="EN-US"> <br
                                          class="">
                                               In other words, the
                                        legitimate presenter of the
                                        token is constrained to be the
                                        sender that holds and can prove
                                        possession of the private part
                                        of the key pair.<br class="">
                                        <br class="">
                                        The client presenting the token
                                        <b class="">does not necessarily
                                          possess the private key</b>.
                                        The client presenting the token
                                        has been able to use <br
                                          class="">
                                        the results of some
                                        cryptographic functions using
                                        the private part of the key
                                        pair. <br class="">
                                      </span></p>
                                    <p class="MsoNormal"><span
                                        style="font-family:Arial"
                                        class="" lang="EN-US">These
                                        results may be communicated by
                                        one client to another client, if
                                        the two clients agree to
                                        collaborate. This statement will
                                        be added later on.<br class="">
                                        <br class="">
                                        Proposed rewording:<br class="">
                                        <br class="">
                                               Recipients of such tokens
                                        are then able to verify the
                                        binding of the token to the key
                                        pair that<span class="">  </span>the
                                        client has demonstrated <br
                                          class="">
                                               that it holds via the
                                        DPoP header, thereby providing
                                        some assurance that the client
                                        presenting the token <b
                                          class="">either </b>also
                                        possesses <br class="">
                                               the private key <b
                                          class="">or</b> has been able
                                        to use the result of
                                        cryptographic computations from
                                        another client that possesses
                                        the private key. <br class="">
                                        <br class="">
                                               In other words, the
                                        presenter of the token can prove
                                        that it has been able to use the
                                        results of cryptographic
                                        computations performed <br
                                          class="">
                                               by using the private part
                                        of the key pair. <br class="">
                                        <br class="">
                                        The objectives state<br
                                          class="">
                                        <br class="">
                                               The primary aim of DPoP
                                        is to prevent unauthorized or
                                        illegitimate parties from using
                                        leaked or stolen access tokens,
                                        <br class="">
                                               by binding a token to a
                                        public key upon issuance and
                                        requiring that the client proves
                                        possession of the corresponding
                                        <br class="">
                                               private key when using
                                        the token.<br class="">
                                        <br class="">
                                        DPoP does not prevent
                                        unauthorized or illegitimate
                                        parties from using access
                                        tokens, as soon as two clients
                                        agree to collaborate.<br
                                          class="">
                                        <br class="">
                                        Proposed rewording:<br class="">
                                        <br class="">
                                               The primary aim of DPoP
                                        is to bind a token to a public
                                        key upon issuance and to require
                                        that the client proves
                                        possession <br class="">
                                               of the corresponding
                                        private key when using the
                                        token.<span class="">  </span>This
                                        does not demonstrate that the
                                        client presenting the token is <br
                                          class="">
                                               necessarily the
                                        legitimate client. In the case
                                        of non-collaborating clients,
                                        DPoP prevents unauthorized or
                                        illegitimate parties <br
                                          class="">
                                               from using leaked or
                                        stolen access tokens. In the
                                        case of collaborating clients,
                                        the security of DPoP is
                                        ineffective <br class="">
                                               (see section 11.X).<br
                                          class="">
                                        <br class="">
                                        Section 11 is about "Security
                                        Considerations" and addresses
                                        the following topics:<br
                                          class="">
                                        <br class="">
                                        <span class="">     </span>11.1.<span
                                          class="">  </span>DPoP Proof
                                        Replay<br class="">
                                        <span class="">     </span>11.2.<span
                                          class="">  </span>DPoP Proof
                                        Pre-Generation<br class="">
                                        <span class="">     </span>11.3.<span
                                          class="">  </span>DPoP Nonce
                                        Downgrade<br class="">
                                        <span class="">     </span>11.4.<span
                                          class="">  </span>Untrusted
                                        Code in the Client Context<br
                                          class="">
                                        <span class="">     </span>11.5.<span
                                          class="">  </span>Signed JWT
                                        Swapping<br class="">
                                        <span class="">     </span>11.6.<span
                                          class="">  </span>Signature
                                        Algorithms<br class="">
                                        <span class="">     </span>11.7.<span
                                          class="">  </span>Message
                                        Integrity<br class="">
                                        <span class="">     </span>11.8.<span
                                          class="">  </span>Access
                                        Token and Public Key Binding<br
                                          class="">
                                        <span class="">     </span>11.9.<span
                                          class="">  </span>Authorization
                                        Code and Public Key Binding<br
                                          class="">
                                        <br class="">
                                        The case of collaborative
                                        clients should be addressed
                                        within section 11.<br class="">
                                        <br class="">
                                        Text proposal:<br class="">
                                        <br class="">
                                        <span class="">     </span>11.X.
                                        Collaborative clients<br
                                          class="">
                                        <br class="">
                                                    DPoP demonstrates
                                        that the client presenting the
                                        token has been able to use the
                                        results of some cryptographic
                                        functions<br class="">
                                           <span
                                          style="font-family:Arial"
                                          class="" lang="EN-US">        
                                        </span>using the private part of
                                        the key pair.<br class="">
                                        <br class="">
                                      </span><span
                                        style="font-family:Arial"
                                        class="" lang="EN-US"><span
                                          style="font-family:Arial"
                                          class="" lang="EN-US">   <span
                                            style="font-family:Arial"
                                            class="" lang="EN-US">
                                                    </span></span>If a
                                        client agrees to collaborate
                                        with another client, the
                                        security of DPoP is no longer
                                        effective.<span class="">  </span>When
                                        two clients agree to
                                        collaborate, <br class="">
                                      </span><span
                                        style="font-family:Arial"
                                        class="" lang="EN-US"><span
                                          style="font-family:Arial"
                                          class="" lang="EN-US">   <span
                                            style="font-family:Arial"
                                            class="" lang="EN-US">
                                                    </span></span>these
                                        results of the cryptographic
                                        computations performed by one
                                        client may be communicated to
                                        another client. <br class="">
                                        <br class="">
                                      </span><span
                                        style="font-family:Arial"
                                        class="" lang="EN-US"><span
                                          style="font-family:Arial"
                                          class="" lang="EN-US">   <span
                                            style="font-family:Arial"
                                            class="" lang="EN-US">
                                                    </span></span>Even
                                        if the private key used for DPoP
                                        is stored in such a way that it
                                        cannot be exported, e.g., in a
                                        hardware or software security
                                        module, <br class="">
                                      </span><span
                                        style="font-family:Arial"
                                        class="" lang="EN-US"><span
                                          style="font-family:Arial"
                                          class="" lang="EN-US">   <span
                                            style="font-family:Arial"
                                            class="" lang="EN-US">
                                                    </span></span>the
                                        client can perform all the
                                        cryptographic computations
                                        needed by the other client to
                                        create DPoP proofs. <br
                                          class="">
                                        <br class="">
                                      </span><span
                                        style="font-family:Arial"
                                        class="" lang="EN-US"><span
                                          style="font-family:Arial"
                                          class="" lang="EN-US">   <span
                                            style="font-family:Arial"
                                            class="" lang="EN-US">
                                                    </span></span>The
                                        client can easily create new
                                        DPoP proofs as long as the other
                                        client is online.<br class="">
                                        <br class="">
                                      </span><span
                                        style="font-family:Arial"
                                        class="" lang="EN-US"><span
                                          style="font-family:Arial"
                                          class="" lang="EN-US">   <span
                                            style="font-family:Arial"
                                            class="" lang="EN-US">
                                                    </span></span>Note:
                                        There exist other techniques
                                        able to limit, in some cases,
                                        the use of a token transmitted
                                        voluntarily by a legitimate
                                        client <br class="">
                                                              to an
                                        illegitimate client.<br class="">
                                        <br class="">
                                        Denis</span></p>
                                  </div>
                                  <div class=""><br class="">
                                  </div>
                                  <blockquote type="cite" class="">
                                    <div dir="ltr" class="">All,<br
                                        class="">
                                      <br class="">
                                      As discussed during the IETF
                                      meeting in <b class="">Vienna</b>
                                      last week, this is a <b class="">WG
                                        Last Call </b>for the <b
                                        class="">DPoP</b> document:<br
                                        class="">
                                      <a
                                        href="https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/"
                                        target="_blank"
                                        class="moz-txt-link-freetext"
                                        moz-do-not-send="true">https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/</a><br
                                        class="">
                                      <br class="">
                                      Please, provide your feedback on
                                      the mailing list by April 11th.<br
                                        class="">
                                      <br class="">
                                      Regards,<br class="">
                                       Rifaat &amp; Hannes<br class="">
                                      <div class=""><br class="">
                                      </div>
                                    </div>
                                    <br class="">
                                    <fieldset class=""></fieldset>
                                    <pre class="">_______________________________________________
OAuth mailing list
<a href="mailto:OAuth@ietf.org" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">OAuth@ietf.org</a>
<a href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                                  </blockquote>
                                  <p class=""><br class="">
                                  </p>
                                </div>
_______________________________________________<br class="">
                                OAuth mailing list<br class="">
                                <a href="mailto:OAuth@ietf.org"
                                  target="_blank"
                                  class="moz-txt-link-freetext"
                                  moz-do-not-send="true">OAuth@ietf.org</a><br
                                  class="">
                                <a
                                  href="https://www.ietf.org/mailman/listinfo/oauth"
                                  rel="noreferrer" target="_blank"
                                  class="moz-txt-link-freetext"
                                  moz-do-not-send="true">https://www.ietf.org/mailman/listinfo/oauth</a><br
                                  class="">
                              </blockquote>
                            </div>
                            <br class="" clear="all">
                            <div class=""><br class="">
                            </div>
                            -- <br class="">
                            <div dir="ltr" class="gmail_signature">
                              <div dir="ltr" class="">
                                <div class="">
                                  <div dir="ltr" class="">
                                    <div style="color:rgb(80,0,80)"
                                      class=""><span
                                        style="color:rgb(34,34,34)"
                                        class="">Kind regards</span><br
                                        class="">
                                    </div>
                                    <div style="color:rgb(80,0,80)"
                                      class=""><span
                                        style="color:rgb(34,34,34)"
                                        class=""><br class="">
                                      </span></div>
                                    <div style="color:rgb(80,0,80)"
                                      class="">
                                      <div style="color:rgb(34,34,34)"
                                        class="">Steinar Noem</div>
                                      <div style="color:rgb(34,34,34)"
                                        class="">Partner Udelt AS</div>
                                      <div style="color:rgb(34,34,34)"
                                        class="">Systemutvikler</div>
                                      <div style="color:rgb(34,34,34)"
                                        class=""> </div>
                                      <div style="color:rgb(34,34,34)"
                                        class="">| <a
                                          href="mailto:steinar@udelt.no"
                                          style="color:rgb(17,85,204)"
                                          target="_blank" class=""
                                          moz-do-not-send="true"><span
                                            style="color:rgb(34,34,34);background:rgb(255,255,204)"
                                            class="">steinar@udelt.no</span></a> | <a
                                          href="mailto:hei@udelt.no"
                                          style="color:rgb(17,85,204)"
                                          target="_blank"
                                          class="moz-txt-link-freetext"
                                          moz-do-not-send="true">hei@udelt.no</a>  | <a
                                          class=""
                                          moz-do-not-send="true">+47 955
                                          21 620</a> | <a
                                          href="http://www.udelt.no/"
                                          style="color:rgb(17,85,204)"
                                          target="_blank" class=""
                                          moz-do-not-send="true">www.udelt.no</a> | </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
_______________________________________________<br class="">
                            OAuth mailing list<br class="">
                            <a href="mailto:OAuth@ietf.org"
                              class="moz-txt-link-freetext"
                              moz-do-not-send="true">OAuth@ietf.org</a><br
                              class="">
                            <a class="moz-txt-link-freetext"
                              href="https://www.ietf.org/mailman/listinfo/oauth"
                              moz-do-not-send="true">https://www.ietf.org/mailman/listinfo/oauth</a><br
                              class="">
                          </div>
                        </blockquote>
                      </div>
                      <br class="">
                    </div>
                    <br class="">
                    <fieldset class="moz-mime-attachment-header"></fieldset>
                    <pre class="moz-quote-pre" wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:OAuth@ietf.org" moz-do-not-send="true">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth" moz-do-not-send="true">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                  </blockquote>
                  <pre class="moz-signature" cols="72">-- 
<a class="moz-txt-link-freetext" href="https://danielfett.de/" moz-do-not-send="true">https://danielfett.de</a></pre>
                  <br class="">
                  <fieldset class="moz-mime-attachment-header"></fieldset>
                  <pre class="moz-quote-pre" wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:OAuth@ietf.org" moz-do-not-send="true">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth" moz-do-not-send="true">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                </blockquote>
                <p class=""><br class="">
                </p>
              </div>
              _______________________________________________<br
                class="">
              OAuth mailing list<br class="">
              <a href="mailto:OAuth@ietf.org"
                class="moz-txt-link-freetext" moz-do-not-send="true">OAuth@ietf.org</a><br
                class="">
              <a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><br class="">
            </div>
          </blockquote>
        </div>
        <br class="">
      </div>
    </blockquote>
    <p><br>
    </p>
  </body>
</html>

--------------la1l0eT0f9VimvC2nWmfAbt3--


From nobody Tue Mar 29 10:55:25 2022
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE77A3A1B3B for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 10:55:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level: 
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4N6abeIdAmCW for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 10:55:16 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40D243A1B36 for <oauth@ietf.org>; Tue, 29 Mar 2022 10:55:15 -0700 (PDT)
Received: from smtpclient.apple (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 22THtBbd017958 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 29 Mar 2022 13:55:12 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9344ADD9-0651-47F6-9464-711698AFA66F"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
Date: Tue, 29 Mar 2022 13:55:11 -0400
In-Reply-To: <3c82ae34-41d8-9fc8-3490-5c11d7f29a2c@free.fr>
Cc: oauth@ietf.org
To: Denis <denis.ietf@free.fr>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu> <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de> <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr> <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu> <3c82ae34-41d8-9fc8-3490-5c11d7f29a2c@free.fr>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1aslZqA9fxaVhEzwnaV9c18Ct6Y>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 17:55:22 -0000

--Apple-Mail=_9344ADD9-0651-47F6-9464-711698AFA66F
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Denis,

This is why the use of “iat” and “nonce” is recommended, to prevent this
kind of replay, and these are already discussed in the draft. Having a
highly targeted request with a narrow presentation window is desirable
in most cases, but some applications of DPoP do want to have a
pre-generated proof that can be re-used on multiple requests. In this
case, it becomes a kind of bearer token in its own right, since it’s not
strictly tied to a single HTTP request. This isn’t an attack, it’s an
artifact of DPoP’s limited attachment to the HTTP message. If a client
pre-generates a generic proof and gives it to another client, then
that’s exactly the same as the client handing over its access token
(which it would also need to do).

The proof and the token are credentials, by definition.

Subject identifiers within the token do not prevent this kind of
collusion, as has been previously discussed at length. Nothing stops
Alice from giving her token that says “This is Alice” to Bob and having
Bob use it. The RS will know it’s Alice’s token, but it’s still valid
and Bob can act as Alice. If Alice is over 18 then Bob will get access
to the things that Alice can get because she’s over 18. The call still
works. Please stop pretending that adding a user identifier to the token
solves the problem you are describing; it simply does not.

 — Justin

> On Mar 29, 2022, at 11:39 AM, Denis <denis.ietf@free.fr> wrote:
>
> Hi Justin,
>
> In this scenario, the “legitimate” client never gives away its secrets
> (if it is using a secure platform, it can't). It never gives away its
> credentials either.
>
> When using key bound access tokens, an RS can't know whether the access
> token is presented by the “legitimate” client or by an “illegitimate”
> client.
>
> One of the goals is also to prevent a client from monetizing the selling
> of "key bound access tokens" to other end-users.
>
> As I have already indicated, there exists a solution able to prevent
> such a scenario in some specific cases (i.e. in the case of RS long-term
> user accounts).
>
> Denis
>
>
>> If the “legitimate” client willingly gives away its secrets and tokens
>> to the “illegitimate” client, then the latter isn’t actually
>> “illegitimate” anymore.
>>
>> What I was saying is that the “attack” is not even necessary if the
>> clients are in fact working together.
>> If the “legitimate” client knowingly gives away its credentials, it is
>> accepting that the receiver of those credentials can do anything it
>> wants with those credentials. That’s why they are credentials.
>>
>>  — Justin
>>
>> PS: I did not “break” the thread, I replied to a message in the
>> thread. That’s how email lists work.
>>
>>> On Mar 29, 2022, at 9:19 AM, Denis <denis.ietf@free.fr> wrote:
>>>
>>> Hi Justin,
>>>
>>> You broke the thread since you have not re-used the last message
>>> which was:
>>> Steinar,
>>>
>>> As you have guessed, no data (except the token and some crypto
>>> checksums) is passing through the clients.
>>>
>>> Once the legitimate client has allowed the illegitimate client to use
>>> the token, the illegitimate client can do anything it wants with it.
>>> The legitimate client can be kept fully ignorant of what the
>>> illegitimate client is doing.
>>>
>>> The data flow is minimal: if the token allows viewing a 4 Gb movie,
>>> that data does not flow between the clients.
>>>
>>> Furthermore, the content of the token may allow the illegitimate
>>> client to use it for days or months.
>>> Suppose that the token indicates "over 18". If the user is over 18
>>> now, he will certainly be "over 18" the next days, months or years.
>>> There is no need to refresh the token, as would be the case if the
>>> token included a home address.
>>> This message explains why this collaborative attack is very different
>>> from simply forwarding messages between clients.
>>>
>>> The illegitimate client can do anything it wants without disclosing
>>> what it is doing to the legitimate client.
>>> The traffic between the clients is kept to the very minimum.
>>>
>>> Denis
>>>
>>>> +1
>>>>
>>>> On 29.03.22 at 15:10, Justin Richer wrote:
>>>>> And this is exactly the problem with the “collaborating clients”
>>>>> attack, as has been pointed out any number of times it’s been
>>>>> brought up before. If two clients are willingly collaborating in
>>>>> this way, they do not need to share any cryptographic material and
>>>>> impersonate each other.
>>>>>
>>>>> You don’t need to steal my license if I’m willing to just go buy
>>>>> you beer.
>>>>>
>>>>> The DPoP draft does address signed request re-use, which some see
>>>>> as a feature to be carefully applied.
>>>>>
>>>>>  — Justin
>>>>>
>>>>>> On Mar 28, 2022, at 1:04 PM, Steinar Noem <steinar@udelt.no> wrote:
>>>>>>
>>>>>> Interesting, but won't two collaborating clients just pass any data
>>>>>> they want to each other? Why would these collaborating clients go
>>>>>> through the trouble of exchanging private keys, DPoP proofs or
>>>>>> tokens? Could you elaborate some more on the scenario?
>>>>>>
>>>>>> S
>>>>>>
>>>>>> On Mon 28 Mar 2022 at 16:29, Denis <denis.ietf@free.fr> wrote:
>>>>>> Rifaat & Hannes,
>>>>>> Hereafter are my comments:
>>>>>>
>>>>>> The introduction states:
>>>>>>
>>>>>>        Recipients of such tokens are then able to verify the
>>>>>>        binding of the token to the key pair that the client has
>>>>>>        demonstrated that it holds via the DPoP header, thereby
>>>>>>        providing some assurance that the client presenting the
>>>>>>        token also possesses the private key.
>>>>>>
>>>>>>        In other words, the legitimate presenter of the token is
>>>>>>        constrained to be the sender that holds and can prove
>>>>>>        possession of the private part of the key pair.
>>>>>>
>>>>>> The client presenting the token does not necessarily possess the
>>>>>> private key. The client presenting the token has been able to use
>>>>>> the results of some cryptographic functions using the private part
>>>>>> of the key pair.
>>>>>>
>>>>>> These results may be communicated by one client to another client,
>>>>>> if the two clients agree to collaborate. This statement will be
>>>>>> added later on.
>>>>>>
>>>>>> Proposed rewording:
>>>>>>
>>>>>>        Recipients of such tokens are then able to verify the
>>>>>>        binding of the token to the key pair that the client has
>>>>>>        demonstrated that it holds via the DPoP header, thereby
>>>>>>        providing some assurance that the client presenting the
>>>>>>        token either also possesses the private key or has been
>>>>>>        able to use the result of cryptographic computations from
>>>>>>        another client that possesses the private key.
>>>>>>
>>>>>>        In other words, the presenter of the token can prove that
>>>>>>        it has been able to use the results of cryptographic
>>>>>>        computations performed by using the private part of the
>>>>>>        key pair.
>>>>>>
>>>>>> The objectives state:
>>>>>>
>>>>>>        The primary aim of DPoP is to prevent unauthorized or
>>>>>>        illegitimate parties from using leaked or stolen access
>>>>>>        tokens, by binding a token to a public key upon issuance
>>>>>>        and requiring that the client proves possession of the
>>>>>>        corresponding private key when using the token.
>>>>>>
>>>>>> DPoP does not prevent unauthorized or illegitimate parties from
>>>>>> using access tokens, as soon as two clients agree to collaborate.
>>>>>>
>>>>>> Proposed rewording:
>>>>>>
>>>>>>        The primary aim of DPoP is to bind a token to a public key
>>>>>>        upon issuance and requiring that the client proves
>>>>>>        possession of the corresponding private key when using the
>>>>>>        token. This does not demonstrate that the client presenting
>>>>>>        the token is necessarily the legitimate client. In the case
>>>>>>        of non-collaborating clients, DPoP prevents unauthorized or
>>>>>>        illegitimate parties from using leaked or stolen access
>>>>>>        tokens. In the case of collaborating clients, the security
>>>>>>        of DPoP is ineffective (see section 11.X).
>>>>>>
>>>>>> Section 11 is about "Security Considerations" and addresses the
>>>>>> following topics:
>>>>>>
>>>>>>      11.1.  DPoP Proof Replay
>>>>>>      11.2.  DPoP Proof Pre-Generation
>>>>>>      11.3.  DPoP Nonce Downgrade
>>>>>>      11.4.  Untrusted Code in the Client Context
>>>>>>      11.5.  Signed JWT Swapping
>>>>>>      11.6.  Signature Algorithms
>>>>>>      11.7.  Message Integrity
>>>>>>      11.8.  Access Token and Public Key Binding
>>>>>>      11.9.  Authorization Code and Public Key Binding
>>>>>>
>>>>>> The case of collaborative clients should be addressed within
>>>>>> section 11.
>>>>>>
>>>>>> Text proposal:
>>>>>>
>>>>>>      11.X. Collaborative clients
>>>>>>
>>>>>>             DPoP demonstrates that the client presenting the token
>>>>>>             has been able to use the results of some cryptographic
>>>>>>             functions using the private part of the key pair.
>>>>>>
>>>>>>             If a client agrees to collaborate with another client,
>>>>>>             the security of DPoP is no longer effective. When two
>>>>>>             clients agree to collaborate, these results of the
>>>>>>             cryptographic computations performed by one client may
>>>>>>             be communicated to another client.
>>>>>>
>>>>>>             Even if the private key used for DPoP is stored in such
>>>>>>             a way that it cannot be exported, e.g., in a hardware
>>>>>>             or software security module, the client can perform
>>>>>>             all the cryptographic computations needed by the other
>>>>>>             client to create DPoP proofs.
>>>>>>
>>>>>>             The client can easily create new DPoP proofs as long
>>>>>>             as the other client is online.
>>>>>>
>>>>>>             Note: There exist other techniques able to limit, in
>>>>>>             some cases, the use of a token transmitted voluntarily
>>>>>>             by a legitimate client to an illegitimate client.
>>>>>>
>>>>>> Denis
>>>>>>
>>>>>>
>>>>>>> All,
>>>>>>>
>>>>>>> As discussed during the IETF meeting in Vienna last week, this is
>>>>>>> a WG Last Call for the DPoP document:
>>>>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>>>>>>
>>>>>>> Please provide your feedback on the mailing list by April 11th.
>>>>>>>
>>>>>>> Regards,
>>>>>>>  Rifaat & Hannes
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Kind regards
>>>>>>
>>>>>> Steinar Noem
>>>>>> Partner Udelt AS
>>>>>> System developer
>>>>>>
>>>>>> | steinar@udelt.no | hei@udelt.no | +47 955 21 620 | www.udelt.no |
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> --
>>>> https://danielfett.de
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
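
Added example (not part of the thread, and not code from the DPoP draft or its authors): a Go program that mints an ES256 DPoP proof and verifies it the way a resource server would, with the checks this exchange turns on. The key-binding check (the thumbprint of the jwk in the proof header against the access token's cnf.jkt) only establishes that the proof was signed by the bound key; it cannot tell who transmits a correctly signed proof, which is the point both Justin and Denis make above. What the server can enforce is the htm/htu binding, a short iat window, its own nonce, and single use of jti, which together bound how long and how widely a pre-generated proof remains usable. The names MakeProof, Verifier, JWKThumbprint, the URL https://rs.example/resource, the nonce value and the 5-minute window are this example's own assumptions, and the replay cache is a plain in-memory map.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the DPoP proof payload: jti, htm, htu, iat and the server-issued nonce.
type Claims struct {
	JTI   string `json:"jti"`
	HTM   string `json:"htm"`
	HTU   string `json:"htu"`
	IAT   int64  `json:"iat"`
	Nonce string `json:"nonce,omitempty"`
}

func b64u(b []byte) string    { return base64.RawURLEncoding.EncodeToString(b) }
func b64d(s string) []byte    { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
func coord(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// JWKThumbprint is the RFC 7638 thumbprint of a P-256 key: required members only, lexicographic order, no whitespace.
func JWKThumbprint(pub *ecdsa.PublicKey) string {
	h := sha256.Sum256([]byte(`{"crv":"P-256","kty":"EC","x":"` + b64u(coord(pub.X)) + `","y":"` + b64u(coord(pub.Y)) + `"}`))
	return b64u(h[:])
}

// MakeProof signs a DPoP proof JWT (typ dpop+jwt, alg ES256) with the client's key.
func MakeProof(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hb, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": map[string]string{
		"kty": "EC", "crv": "P-256", "x": b64u(coord(priv.X)), "y": b64u(coord(priv.Y))}})
	cb, _ := json.Marshal(c)
	input := b64u(hb) + "." + b64u(cb)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64u(append(coord(r), coord(s)...)), nil // JWS wants raw r||s, not DER
}

// Verifier is the resource server's policy: accepted iat window, the nonce it issued
// (empty when nonces are not in use) and a jti replay cache supplied by the caller.
type Verifier struct {
	Now    time.Time
	MaxAge time.Duration
	Nonce  string
	Seen   map[string]bool
}

// Verify checks a proof against the request it accompanies and against the token's cnf.jkt; nil means accepted.
func (v *Verifier) Verify(proof, method, uri, tokenJKT string) error {
	var hdr struct{ Typ, Alg string; JWK struct{ Kty, Crv, X, Y string } }
	var c Claims
	parts := strings.Split(proof, ".")
	if len(parts) != 3 || json.Unmarshal(b64d(parts[0]), &hdr) != nil || json.Unmarshal(b64d(parts[1]), &c) != nil ||
		hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256" {
		return fmt.Errorf("malformed proof, or unsupported typ/alg/key type")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(b64d(hdr.JWK.X)), Y: new(big.Int).SetBytes(b64d(hdr.JWK.Y))}
	sig, h := b64d(parts[2]), sha256.Sum256([]byte(parts[0]+"."+parts[1]))
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) || len(sig) != 64 ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("signature does not verify")
	}
	if JWKThumbprint(pub) != tokenJKT { // key binding: the proof key must be the key the token was issued to
		return fmt.Errorf("proof key does not match the token's cnf.jkt")
	}
	if c.HTM != method || c.HTU != uri {
		return fmt.Errorf("proof is bound to a different request")
	}
	if iat := time.Unix(c.IAT, 0); iat.After(v.Now.Add(30*time.Second)) || v.Now.Sub(iat) > v.MaxAge {
		return fmt.Errorf("iat outside accepted window") // bounds how long a pre-generated proof stays usable
	}
	if v.Nonce != "" && c.Nonce != v.Nonce {
		return fmt.Errorf("nonce mismatch")
	}
	if v.Seen[c.JTI] { // single use: the same proof presented twice is a replay
		return fmt.Errorf("jti already used")
	}
	v.Seen[c.JTI] = true
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now, url := time.Now(), "https://rs.example/resource" // constructed sample values
	v := &Verifier{Now: now, MaxAge: 5 * time.Minute, Nonce: "srv-nonce-1", Seen: map[string]bool{}}
	jkt := JWKThumbprint(&priv.PublicKey)
	fresh, _ := MakeProof(priv, Claims{JTI: "a1", HTM: "GET", HTU: url, IAT: now.Unix(), Nonce: "srv-nonce-1"})
	old, _ := MakeProof(priv, Claims{JTI: "a2", HTM: "GET", HTU: url, IAT: now.Add(-time.Hour).Unix(), Nonce: "srv-nonce-1"})
	fmt.Println("fresh:", v.Verify(fresh, "GET", url, jkt), "| replayed:", v.Verify(fresh, "GET", url, jkt), "| hour-old:", v.Verify(old, "GET", url, jkt))
}
```

The public key is taken from the proof's own jwk header, as the draft specifies, so the only thing that ties the proof to the token is the thumbprint comparison against cnf.jkt; a server that skipped that comparison would accept a proof from any key. The hour-old proof fails only because of the iat window: shortening MaxAge and requiring a server nonce is what limits how far in advance a proof can be generated, and the jti cache is what stops the same proof being presented twice. In a deployment with several RS instances the Seen map would have to be a shared store, otherwise each instance accepts the proof once.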


--Apple-Mail=_9344ADD9-0651-47F6-9464-711698AFA66F
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" =
class=3D"">Denis,<div class=3D""><br class=3D""></div><div class=3D"">This=
 is why the use of =E2=80=9Ciat=E2=80=9D and =E2=80=9Cnonce=E2=80=9D are =
recommended, to prevent this kind of replay, and these are already =
discussed in the draft. Having a highly targeted request with narrow =
presentation window is desirable in most cases, but some applications of =
DPoP do want to have a pre-generated proof that can be re-used on =
multiple requests. In this case, it becomes kind of bearer token in its =
own right, since it=E2=80=99s not strictly tied to a single HTTP =
request. This isn=E2=80=99t an attack, it=E2=80=99s an artifact of =
DPoP=E2=80=99s limited attachment to the HTTP message. If a client =
pre-generates a generic proof and gives it to another client, then =
that=E2=80=99s exactly the same as the client handing over its access =
token (which it would also need to do).&nbsp;</div><div class=3D""><br =
class=3D""></div><div class=3D"">The proof and the token are =
credentials, by definition.</div><div class=3D""><br class=3D""></div><div=
 class=3D"">Subject identifiers within the token do not prevent this =
kind of collusion, as has been previously discussed at length. Nothing =
stops Alice from giving her token that says =E2=80=9CThis is Alice=E2=80=9D=
 to Bob and having Bob use it. The RS will know it=E2=80=99s Alice=E2=80=99=
s token, but it=E2=80=99s still valid and Bob can act as Alice. If Alice =
is over 18 then Bob will get access to the things that Alice can get =
because she=E2=80=99s over 18. The call still works. Please stop =
pretending that adding a user identifier to the token solves the problem =
you are describing, it simply does not.</div><div class=3D""><br =
class=3D""></div><div class=3D"">&nbsp;=E2=80=94 Justin<br =
class=3D""><div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"">On Mar 29, 2022, at 11:39 AM, Denis &lt;<a =
href=3D"mailto:denis.ietf@free.fr" class=3D"">denis.ietf@free.fr</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><div class=3D"">
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8" =
class=3D"">
 =20
  <div class=3D"">
    <div class=3D"moz-cite-prefix">Hi&nbsp; Justin,</div>
    <div class=3D"moz-cite-prefix"><br class=3D"">
    </div>
    <div class=3D"moz-cite-prefix">In this scenario, the =
=E2=80=9Clegitimate=E2=80=9D
      client <u class=3D"">never</u> gives away its secrets (if it is =
using a
      secure platform, it can't). It never give away its credentials
      either.</div>
    <div class=3D"moz-cite-prefix"><br class=3D"">
    </div>
    <div class=3D"moz-cite-prefix">When using key bound access tokens, a
      RS can't know whether the access token is presented by the
      =E2=80=9Clegitimate=E2=80=9D client&nbsp; or by =
an=E2=80=9Cillegitimate=E2=80=9D client.</div>
    <div class=3D"moz-cite-prefix"><br class=3D"">
    </div>
    <div class=3D"moz-cite-prefix">One of the goals is also to prevent a
      client to monetize the selling of "key bound access tokens" to
      other end-users. <br class=3D"">
    </div>
    <div class=3D"moz-cite-prefix"><br class=3D"">
    </div>
    <div class=3D"moz-cite-prefix">As I have already indicated, there
      exists a solution able to prevent such scenario in some specific
      cases (i.e. in the case of RS long-term user accounts).<br =
class=3D"">
    </div>
    <div class=3D"moz-cite-prefix"><br class=3D"">
      Denis<br class=3D"">
    </div>
    <div class=3D"moz-cite-prefix"><br class=3D"">
    </div>
    <div class=3D"moz-cite-prefix"><br class=3D"">
    </div>
    <blockquote type=3D"cite" =
cite=3D"mid:02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu" class=3D"">
     =20
      <div class=3D"">If the =E2=80=9Clegitimate=E2=80=9D client =
willingly gives away its
        secrets and tokens to the =E2=80=9Cillegitimate=E2=80=9D client, =
then the latter
        isn=E2=80=99t actually =E2=80=9Cillegitimate=E2=80=9D =
anymore.</div>
      <div class=3D""><br class=3D"">
      </div>
      <div class=3D"">What I was saying is that the =E2=80=9Cattack" is =
not even
        necessary if the clients are in fact working together. <br =
class=3D"">
        If the =E2=80=9Clegitimate=E2=80=9D client knowing gives away =
its credentials,
        it is accepting that the receiver of those credentials can do
        anything it wants with those credentials. That=E2=80=99s why =
they are
        credentials.</div>
      <div class=3D""><br class=3D"">
      </div>
      <div class=3D"">&nbsp;=E2=80=94 Justin<br class=3D"">
        <div class=3D""><br class=3D"">
        </div>
        <div class=3D"">PS: I did not =E2=80=9Cbreak=E2=80=9D the =
thread, I replied to a message in
          the thread. That=E2=80=99s how email lists work.</div>
        <div class=3D""><br class=3D"">
          <blockquote type=3D"cite" class=3D"">
            <div class=3D"">On Mar 29, 2022, at 9:19 AM, Denis &lt;<a =
href=3D"mailto:denis.ietf@free.fr" class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">denis.ietf@free.fr</a>&gt;
              wrote:</div>
            <br class=3D"Apple-interchange-newline">
            <div class=3D"">
             =20
              <div class=3D"">
                <div class=3D"moz-cite-prefix">
                  <div class=3D"moz-cite-prefix">Hi&nbsp; Justin,</div>
                  <div class=3D"moz-cite-prefix"><br class=3D"">
                  </div>
                  <div class=3D"moz-cite-prefix">You broke the thread
                    since you have not re-used the last message which
                    was:</div>
                  <div class=3D"moz-cite-prefix">
                    <blockquote class=3D"">Steinar,
                      <div class=3D"moz-cite-prefix"><br class=3D"">
                      </div>
                      <div class=3D"moz-cite-prefix">As you have =
guessed,
                        no data (except the token and some crypto
                        checksums) is passing through the clients. <br =
class=3D"">
                        <br class=3D"">
                        Once the legitimate client has allowed the
                        illegitimate client to use the token, the
                        illegitimate client can do anything it wants
                        with it.</div>
                      <div class=3D"moz-cite-prefix">The legitimate =
client
                        can be kept fully ignorant of what illegitimate
                        client is doing.</div>
                      <div class=3D"moz-cite-prefix"><br class=3D"">
                      </div>
                      <div class=3D"moz-cite-prefix">The data flow is
                        minimum: if the token allows to view a 4 Gb
                        movie, that data flow does not flow between the
                        clients.<br class=3D"">
                      </div>
                      <div class=3D"moz-cite-prefix"><br class=3D"">
                      </div>
                      <div class=3D"moz-cite-prefix">Furthermore, the
                        content of the token may allow the illegitimate
                        client to use it during days or months.<br =
class=3D"">
                      </div>
                      <div class=3D"moz-cite-prefix">Suppose that the
                        token indicates "over 18". If the user is over
                        18 now, he will certainly be "over 18" the next
                        days, months or years.&nbsp; <br class=3D"">
                      </div>
                      <div class=3D"moz-cite-prefix">There is no need to
                        refresh the token as it would be the case if the
                        token included a home address.</div>
                    </blockquote>
                    <div class=3D"moz-cite-prefix">This message explains
                      why this collaborative attack is very different
                      from simply forwarding messages between =
clients.</div>
                    <div class=3D"moz-cite-prefix"><br class=3D"">
                    </div>
                    <div class=3D"moz-cite-prefix">The illegitimate =
client
                      can do anything it wants without disclosing what
                      it is doing to the legitimate client.<br class=3D"">=

                      The traffic between the clients is kept to the
                      very minimum.<br class=3D"">
                    </div>
                    <div class=3D"moz-cite-prefix"><br class=3D"">
                    </div>
                    <div class=3D"moz-cite-prefix">Denis</div>
                  </div>
                </div>
                <div class=3D"moz-cite-prefix"><br class=3D"">
                </div>
                <blockquote type=3D"cite" =
cite=3D"mid:3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de" =
class=3D""><p class=3D"">+1<br class=3D"">
                  </p>
                  <div class=3D"moz-cite-prefix">Am 29.03.22 um 15:10
                    schrieb Justin Richer:<br class=3D"">
                  </div>
                  <blockquote type=3D"cite" =
cite=3D"mid:F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu" class=3D""> =
And this is exactly the problem with the
                    =E2=80=9Ccollaborating clients=E2=80=9D attack, as =
has been pointed
                    out any number of times it=E2=80=99s been brought up =
before.
                    If two clients are willingly collaborating in this
                    way, they do not need to share any cryptographic
                    material and impersonate each other.
                    <div class=3D""><br class=3D"">
                    </div>
                    <div class=3D"">You don=E2=80=99t need to steal my =
license if
                      I=E2=80=99m willing to just go buy you beer.</div>
                    <div class=3D""><br class=3D"">
                    </div>
                    <div class=3D"">The DPoP draft does address signed
                      request re-use, which some see as a feature to be
                      carefully applied.</div>
                    <div class=3D""><br class=3D"">
                    </div>
                    <div class=3D"">&nbsp;=E2=80=94 Justin<br class=3D"">
                      <div class=3D""><br class=3D"">
                        <blockquote type=3D"cite" class=3D"">
                          <div class=3D"">On Mar 28, 2022, at 1:04 PM,
                            Steinar Noem &lt;<a =
href=3D"mailto:steinar@udelt.no" class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">steinar@udelt.no</a>&gt;
                            wrote:</div>
                          <br class=3D"Apple-interchange-newline">
                          <div class=3D"">
                            <div dir=3D"ltr" class=3D"">Interesting, but
                              won't two collaborating clients just pass
                              any data they want to each other? Why
                              would these collaborating clients go
                              through the trouble of exchanging private
                              keys, dpop proofs or tokens? Could you
                              elaborate some more on the scenario?&nbsp;
                              <div class=3D""><br class=3D"">
                              </div>
                              <div class=3D"">S</div>
                            </div>
                            <br class=3D"">
                            <div class=3D"gmail_quote">
                              <div dir=3D"ltr" class=3D"gmail_attr">On Mon, =
28 Mar 2022 at 16:29, Denis &lt;<a =
href=3D"mailto:denis.ietf@free.fr" class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">denis.ietf@free.fr</a>&gt; wrote:<br class=3D"">
                              </div>
                              <blockquote class=3D"gmail_quote" =
style=3D"margin:0px 0px 0px
                                0.8ex;border-left:1px solid
                                rgb(204,204,204);padding-left:1ex">
                                <div class=3D"">
                                  <div class=3D""><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">Rifaat &amp; =
Hannes,<br class=3D"">
                                    </span><p class=3D"MsoNormal"><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">Hereafter
                                        are my comments:<br class=3D"">
                                        <br class=3D"">
                                        The introduction states:<br =
class=3D"">
                                        <br class=3D"">
                                      </span><span =
style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                                        Recipients of such tokens are
                                        then able to verify the binding
                                        of the token to the key pair
                                        that<span class=3D"">&nbsp; =
</span>the
                                        client has demonstrated <br =
class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; that it holds via the
                                        DPoP header, thereby providing
                                        some assurance that the client
                                        presenting the token also
                                        possesses the private key. =
</span><br class=3D"">
                                      <span style=3D"font-family:Arial" =
class=3D"" lang=3D"EN-US"></span><span style=3D"font-family:Arial" =
class=3D"" lang=3D"EN-US"> <br class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In other words, the
                                        legitimate presenter of the
                                        token is constrained to be the
                                        sender that holds and can prove
                                        possession of the private part
                                        of the key pair.<br class=3D"">
                                        <br class=3D"">
                                        The client presenting the token
                                        <b class=3D"">does not =
necessarily
                                          possess the private key</b>.
                                        The client presenting the token
                                        has been able to use <br =
class=3D"">
                                        the results of some
                                        cryptographic functions using
                                        the private part of the key
                                        pair. <br class=3D"">
                                      </span></p><p =
class=3D"MsoNormal"><span style=3D"font-family:Arial" class=3D"" =
lang=3D"EN-US">These
                                        results may be communicated by
                                        one client to another client, if
                                        the two clients agree to
                                        collaborate. This statement will
                                        be added later on.<br class=3D"">
                                        <br class=3D"">
                                        Proposed rewording:<br class=3D"">=

                                        <br class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Recipients of such tokens
                                        are then able to verify the
                                        binding of the token to the key
                                        pair that<span class=3D"">&nbsp; =
</span>the
                                        client has demonstrated <br =
class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; that it holds via the
                                        DPoP header, thereby providing
                                        some assurance that the client
                                        presenting the token <b =
class=3D"">either </b>also
                                        possesses <br class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; the private key <b class=3D"">or</b> =
has been able
                                        to use the result of
                                        cryptographic computations from
                                        another client that possesses
                                        the private key. <br class=3D"">
                                        <br class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; In other words, the
                                        presenter of the token can prove
                                        that it has been able to use the
                                        results of cryptographic
                                        computations performed <br =
class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; by using the private part
                                        of the key pair. <br class=3D"">
                                        <br class=3D"">
                                        The Objectives section states<br =
class=3D"">
                                        <br class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The primary aim of DPoP
                                        is to prevent unauthorized or
                                        illegitimate parties from using
                                        leaked or stolen access tokens,
                                        <br class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; by binding a token to a
                                        public key upon issuance and
                                        requiring that the client proves
                                        possession of the corresponding
                                        <br class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; private key when using
                                        the token.<br class=3D"">
                                        <br class=3D"">
                                        DPoP does not prevent
                                        unauthorized or illegitimate
                                        parties from using access
                                        tokens, as soon as two clients
                                        agree to collaborate.<br =
class=3D"">
                                        <br class=3D"">
                                        Proposed rewording:<br class=3D"">=

                                        <br class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The primary aim of DPoP
                                        is to bind a token to a public
                                        key upon issuance and requiring
                                        that the client proves
                                        possession <br class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; of the corresponding
                                        private key when using the
                                        token.<span class=3D"">&nbsp; =
</span>This
                                        does not demonstrate that the
                                        client presenting the token is =
<br class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; necessarily the
                                        legitimate client. In the case
                                        of non-collaborating clients,
                                        DPoP prevents unauthorized or
                                        illegitimate parties <br =
class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; from using leaked or
                                        stolen access tokens. In the
                                        case of collaborating clients,
                                        the security of DPoP is
                                        ineffective <br class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (see section 11.X).<br class=3D"">
                                        <br class=3D"">
                                        Section 11 is about "Security
                                        Considerations" and addresses
                                        the following topics:<br =
class=3D"">
                                        <br class=3D"">
                                        <span =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.1.<span class=3D"">&nbsp; =
</span>DPoP Proof
                                        Replay<br class=3D"">
                                        <span =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.2.<span class=3D"">&nbsp; =
</span>DPoP Proof
                                        Pre-Generation<br class=3D"">
                                        <span =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.3.<span class=3D"">&nbsp; =
</span>DPoP Nonce
                                        Downgrade<br class=3D"">
                                        <span =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.4.<span class=3D"">&nbsp; =
</span>Untrusted
                                        Code in the Client Context<br =
class=3D"">
                                        <span =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.5.<span class=3D"">&nbsp; =
</span>Signed JWT
                                        Swapping<br class=3D"">
                                        <span =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.6.<span class=3D"">&nbsp; =
</span>Signature
                                        Algorithms<br class=3D"">
                                        <span =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.7.<span class=3D"">&nbsp; =
</span>Message
                                        Integrity<br class=3D"">
                                        <span =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.8.<span class=3D"">&nbsp; =
</span>Access
                                        Token and Public Key Binding<br =
class=3D"">
                                        <span =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.9.<span class=3D"">&nbsp; =
</span>Authorization
                                        Code and Public Key Binding<br =
class=3D"">
                                        <br class=3D"">
                                        The case of collaborative
                                        clients should be addressed
                                        within section 11.<br class=3D"">
                                        <br class=3D"">
                                        Text proposal. <br class=3D"">
                                        <br class=3D"">
                                        <span =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp; </span>11.X.
                                        Collaborative clients<br =
class=3D"">
                                        <br class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DPoP =
demonstrates
                                        that the client presenting the
                                        token has been able to use the
                                        results of some cryptographic
                                        functions<br class=3D"">
                                        &nbsp; &nbsp;<span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US"> =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                                        </span>using the private part of
                                        the key pair.<br class=3D"">
                                        <br class=3D"">
                                      </span><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US"><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">&nbsp; &nbsp;<span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">
                                            =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>If a
                                        client agrees to collaborate
                                        with another client, the
                                        security of DPoP is no longer
                                        effective.<span class=3D"">&nbsp; =
</span>When
                                        two clients agree to
                                        collaborate, <br class=3D"">
                                      </span><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US"><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">&nbsp; &nbsp;<span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">
                                            =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>these
                                        results of the cryptographic
                                        computations performed by one
                                        client may be communicated to
                                        another client. <br class=3D"">
                                        <br class=3D"">
                                      </span><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US"><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">&nbsp; &nbsp;<span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">
                                            =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Even
                                        if the private key used for DPoP
                                        is stored in such a way that it
                                        cannot be exported, e.g., in a
                                        hardware or software security
                                        module, <br class=3D"">
                                      </span><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US"><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">&nbsp; &nbsp;<span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">
                                            =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>the
                                        client can perform all the
                                        cryptographic computations
                                        needed by the other client to
                                        create DPoP proofs. <br =
class=3D"">
                                        <br class=3D"">
                                      </span><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US"><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">&nbsp; &nbsp;<span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">
                                            =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>The
                                        client can easily create new
                                        DPoP proofs as long as the other
                                        client is online.<br class=3D"">
                                        <br class=3D"">
                                      </span><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US"><span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">&nbsp; &nbsp;<span =
style=3D"font-family:Arial" class=3D"" lang=3D"EN-US">
                                            =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Note:
                                        There exist other techniques
                                        able to limit, in some cases,
                                        the use of a token transmitted
                                        voluntarily by a legitimate
                                        client <br class=3D"">
                                        =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; to an
                                        illegitimate client.<br =
class=3D"">
                                        <br class=3D"">
                                        Denis</span></p>
                                  </div>
                                  <div class=3D""><br class=3D"">
                                  </div>
                                  <blockquote type=3D"cite" class=3D"">
                                    <div dir=3D"ltr" class=3D"">All,<br =
class=3D"">
                                      <br class=3D"">
                                      As discussed during the IETF
                                      meeting in <b class=3D"">Vienna</b>
                                      last week, this is a <b =
class=3D"">WG
                                        Last Call </b>for the&nbsp;<b =
class=3D"">DPoP</b> document:<br class=3D"">
                                      <a =
href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/" =
target=3D"_blank" class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">https://datatracker.ietf.org/doc/draft-ietf-oauth=
-dpop/</a><br class=3D"">
                                      <br class=3D"">
                                      Please, provide your feedback on
                                      the mailing list by April 11th.<br =
class=3D"">
                                      <br class=3D"">
                                      Regards,<br class=3D"">
                                      &nbsp;Rifaat &amp; Hannes<br =
class=3D"">
                                      <div class=3D""><br class=3D"">
                                      </div>
                                    </div>
                                    <br class=3D"">
                                    <fieldset class=3D""></fieldset>
                                    <pre =
class=3D"">_______________________________________________
OAuth mailing list
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">OAuth@ietf.org</a>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                                  </blockquote><p class=3D""><br =
class=3D"">
                                  </p>
                                </div>
                              </blockquote>
                            </div>
                            <br class=3D"" clear=3D"all">
                            <div class=3D""><br class=3D"">
                            </div>
                            -- <br class=3D"">
                            <div dir=3D"ltr" class=3D"gmail_signature">
                              <div dir=3D"ltr" class=3D"">
                                <div class=3D"">
                                  <div dir=3D"ltr" class=3D"">
                                    <div style=3D"color:rgb(80,0,80)" =
class=3D""><span style=3D"color:rgb(34,34,34)" class=3D"">Kind =
regards</span><br class=3D"">
                                    </div>
                                    <div style=3D"color:rgb(80,0,80)" =
class=3D""><span style=3D"color:rgb(34,34,34)" class=3D""><br class=3D"">
                                      </span></div>
                                    <div style=3D"color:rgb(80,0,80)" =
class=3D"">
                                      <div style=3D"color:rgb(34,34,34)" =
class=3D"">Steinar Noem</div>
                                      <div style=3D"color:rgb(34,34,34)" =
class=3D"">Partner Udelt AS</div>
                                      <div style=3D"color:rgb(34,34,34)" =
class=3D"">System developer</div>
                                      <div style=3D"color:rgb(34,34,34)" =
class=3D"">&nbsp;</div>
                                      <div style=3D"color:rgb(34,34,34)" =
class=3D"">|&nbsp;<a href=3D"mailto:steinar@udelt.no" =
style=3D"color:rgb(17,85,204)" target=3D"_blank" class=3D"" =
moz-do-not-send=3D"true"><span =
style=3D"color:rgb(34,34,34);background:rgb(255,255,204)" =
class=3D"">steinar@udelt.no</span></a>&nbsp;|&nbsp;<a =
href=3D"mailto:hei@udelt.no" style=3D"color:rgb(17,85,204)" =
target=3D"_blank" class=3D"moz-txt-link-freetext" =
moz-do-not-send=3D"true">hei@udelt.no</a>&nbsp;&nbsp;|&nbsp;<a class=3D"" =
moz-do-not-send=3D"true">+47 955
                                          21 620</a>&nbsp;|&nbsp;<a =
href=3D"http://www.udelt.no/" style=3D"color:rgb(17,85,204)" =
target=3D"_blank" class=3D"" =
moz-do-not-send=3D"true">www.udelt.no</a>&nbsp;|&nbsp;</div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br class=3D"">
                    </div>
                    <br class=3D"">
                  </blockquote>
                  <pre class=3D"moz-signature" cols=3D"72">--=20
<a class=3D"moz-txt-link-freetext" href=3D"https://danielfett.de/" =
moz-do-not-send=3D"true">https://danielfett.de</a></pre>
                  <br class=3D"">
                </blockquote><p class=3D""><br class=3D"">
                </p>
              </div>
            </div>
          </blockquote>
        </div>
        <br class=3D"">
      </div>
    </blockquote><p class=3D""><br class=3D"">
    </p>
  </div>

</div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_9344ADD9-0651-47F6-9464-711698AFA66F--
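An added worked example (mine, not text from the draft nor code from any list participant): a minimal DPoP proof issuer and resource-server verifier in Go, showing what a valid proof does and does not establish in the exchange above. The verifier confirms that the key bound to the token (cnf.jkt, draft section 11.8) signed this exact request within a short window and that the proof has not been presented before (section 11.1); nothing in the check identifies which party transmitted the request. The 60-second acceptance window, host names and token values are constructed assumptions, not values from the draft.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64, unb64 = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// pad32 gives the fixed-width big-endian form JWK coordinates and ES256 signatures require.
func pad32(i *big.Int) []byte { out := make([]byte, 32); i.FillBytes(out); return out }

// publicJWK renders a P-256 key as a JWK. json.Marshal sorts map keys, which is exactly
// the member order RFC 7638 prescribes for the thumbprint input.
func publicJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"crv": "P-256", "kty": "EC", "x": b64(pad32(pub.X)), "y": b64(pad32(pub.Y))}
}

// Thumbprint is the value the AS records in the access token's cnf.jkt at issuance.
func Thumbprint(pub *ecdsa.PublicKey) string {
	canon, _ := json.Marshal(publicJWK(pub))
	sum := sha256.Sum256(canon)
	return b64(sum[:])
}

// MakeProof signs an ES256 proof tied to one request (htm/htu) and one access token (ath).
func MakeProof(priv *ecdsa.PrivateKey, htm, htu, accessToken string, iat time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": publicJWK(&priv.PublicKey)})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	ath := sha256.Sum256([]byte(accessToken))
	claims, _ := json.Marshal(map[string]interface{}{"jti": b64(jti), "htm": htm, "htu": htu, "iat": iat.Unix(), "ath": b64(ath[:])})
	input := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(append(pad32(r), pad32(s)...)), nil // JWS ES256 signature is r || s
}

// VerifyProof is the resource server's check (boundJKT: the token's cnf.jkt; seenJTI: replay cache).
// Nothing here identifies who sent the request: a valid proof shows only that the bound key signed it recently.
func VerifyProof(proof, htm, htu, accessToken, boundJKT string, now time.Time, seenJTI map[string]bool) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	var hdr struct { // encoding/json matches "typ", "alg" and "jwk" to these fields case-insensitively
		Typ, Alg string
		Jwk      map[string]string
	}
	if raw, err := unb64(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Typ != "dpop+jwt" ||
		hdr.Alg != "ES256" || hdr.Jwk["kty"] != "EC" || hdr.Jwk["crv"] != "P-256" {
		return errors.New("unsupported typ, alg or jwk")
	}
	xb, _ := unb64(hdr.Jwk["x"]) // a decode failure yields an off-curve point, rejected just below
	yb, _ := unb64(hdr.Jwk["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) || Thumbprint(pub) != boundJKT { // key binding, draft section 11.8
		return errors.New("proof key is invalid or is not the key bound to the token")
	}
	sig, err := unb64(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature invalid")
	}
	var c struct {
		Jti, Htm, Htu, Ath string
		Iat                int64
	}
	ath := sha256.Sum256([]byte(accessToken))
	if raw, err := unb64(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil || c.Htm != htm || c.Htu != htu || c.Ath != b64(ath[:]) {
		return errors.New("proof is not bound to this request and access token")
	}
	if d := now.Unix() - c.Iat; d > 60 || d < -60 || seenJTI[c.Jti] { // replay controls, draft section 11.1
		return errors.New("proof is stale or was already used")
	}
	seenJTI[c.Jti] = true
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	proof, _ := MakeProof(priv, "GET", "https://rs.example/resource", "tok-1", time.Now())
	fmt.Println(VerifyProof(proof, "GET", "https://rs.example/resource", "tok-1", Thumbprint(&priv.PublicKey), time.Now(), map[string]bool{}))
}
```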


From nobody Tue Mar 29 12:54:10 2022
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A35763A1BAE for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 12:54:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.943
X-Spam-Level: 
X-Spam-Status: No, score=-0.943 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.186, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bzxJ3f7buOiI for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 12:54:03 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp07.smtpout.orange.fr [80.12.242.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEDDE3A1BAB for <oauth@ietf.org>; Tue, 29 Mar 2022 12:54:02 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.93.96]) by smtp.orange.fr with ESMTPA id ZHufnDD3RQLa5ZHugn39gr; Tue, 29 Mar 2022 21:54:00 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: OWU3ZmVkYWM0M2UwZWM1YifxM2Q3ZDk1YiUzNWJiZTM2MiliMTI0N2YxZmQ=
X-ME-Date: Tue, 29 Mar 2022 21:54:00 +0200
X-ME-IP: 90.26.93.96
Content-Type: multipart/alternative; boundary="------------095hMVm8OMgw5X6Bc0E9JpiX"
Message-ID: <1098582f-2143-e42b-ab13-11442ac43deb@free.fr>
Date: Tue, 29 Mar 2022 21:53:58 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-GB
To: oauth@ietf.org
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu> <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de> <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr> <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu> <3c82ae34-41d8-9fc8-3490-5c11d7f29a2c@free.fr> <1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu>
From: Denis <denis.ietf@free.fr>
In-Reply-To: <1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/djHd0c-Oa52KwqSsoZkxWBwKy2U>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 19:54:08 -0000

This is a multi-part message in MIME format.
--------------095hMVm8OMgw5X6Bc0E9JpiX
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

  Justin,

> Denis,
>
> This is why the use of “iat” and “nonce” are recommended, to prevent 
> this kind of replay, and these are already discussed in the draft.
> Having a highly targeted request with narrow presentation window is 
> desirable in most cases, but some applications of DPoP do want to have 
> a pre-generated proof that can be re-used on multiple requests. In 
> this case, it becomes kind of bearer token in its own right, since 
> it’s not strictly tied to a single HTTP request. This isn’t an attack, 
> it’s an artifact of DPoP’s limited attachment to the HTTP message. If 
> a client pre-generates a generic proof and gives it to another client, 
> then that’s exactly the same as the client handing over its access 
> token (which it would also need to do).

The topic I am discussing has nothing to do with replay. The legitimate 
client gives away a token that it will never use.

> The proof and the token are credentials, by definition.

Well, the term "credentials" is being used with many different semantics 
in different documents. This is why I prefer not to use it.

> Subject identifiers within the token do not prevent this kind of 
> collusion, as has been previously discussed at length.

As it has been presented several times, this other technique provides a 
solution (only) in the context of long term user accounts,
but this is a very common case.

> Nothing stops Alice from giving her token that says “This is Alice” to 
> Bob and having Bob use it.

Such a scenario does not exist in the context of long term user accounts. 
However, it is important first to understand the concept
of long term user accounts.

> The RS will know it’s Alice’s token, but it’s still valid and Bob can 
> act as Alice.

When the AS delivers the access token, it includes in that access 
token an identifier, which the client cannot choose, that is 
representative of either Bob or Alice.

Alice cannot act on a long term user account that has been previously 
successfully opened by Bob, because she will get an identifier specific 
to herself.

On the contrary, when using DPoP, the sentence "*not identified, not 
caught*" applies. Bob can sell such key bound tokens to an unlimited 
number of users.

> If Alice is over 18 then Bob will get access to the things that Alice 
> can get because she’s over 18.
> The call still works.
>
> Please stop pretending that adding a user identifier to the token 
> solves the problem you are describing, it simply does not.

I would agree that the scenario of mixing user identifiers into the token 
and giving away access tokens between collaborative clients
has not yet been fully explored. If you are willing to discuss long term 
user accounts in such a context, please open a different thread.

However, we should not mix topics since *this current thread is about 
DPoP*.

The key point is not the existence of an alternative technique at the 
moment, but the fact that DPoP is currently giving *a false sense of 
security*.

Currently DPoP allows clients to monetize the selling of "key bound 
access tokens" to other end-users, and this should be advertised
in the Security Considerations section.

The next question is the following: being informed of that threat, will 
the community really use DPoP? I'll let you answer that question.
However, if the community is not informed, it is more likely that it 
will use it. Ignoring the danger will not stop the threat.

Denis

>
>  — Justin
>
>> On Mar 29, 2022, at 11:39 AM, Denis <denis.ietf@free.fr> wrote:
>>
>> Hi  Justin,
>>
>> In this scenario, the “legitimate” client _never_ gives away its 
>> secrets (if it is using a secure platform, it can't). It never gives 
>> away its credentials either.
>>
>> When using key bound access tokens, an RS can't know whether the 
>> access token is presented by the “legitimate” client or by 
>> an “illegitimate” client.
>>
>> One of the goals is also to prevent a client from monetizing the 
>> selling of "key bound access tokens" to other end-users.
>>
>> As I have already indicated, there exists a solution able to prevent 
>> such a scenario in some specific cases (i.e. in the case of RS 
>> long-term user accounts).
>>
>> Denis
>>
>>
>>> If the “legitimate” client willingly gives away its secrets and 
>>> tokens to the “illegitimate” client, then the latter isn’t actually 
>>> “illegitimate” anymore.
>>>
>>> What I was saying is that the “attack” is not even necessary if the 
>>> clients are in fact working together.
>>> If the “legitimate” client knowingly gives away its credentials, it is 
>>> accepting that the receiver of those credentials can do anything it 
>>> wants with those credentials. That’s why they are credentials.
>>>
>>>  — Justin
>>>
>>> PS: I did not “break” the thread, I replied to a message in the 
>>> thread. That’s how email lists work.
>>>
>>>> On Mar 29, 2022, at 9:19 AM, Denis <denis.ietf@free.fr> wrote:
>>>>
>>>> Hi  Justin,
>>>>
>>>> You broke the thread since you have not re-used the last message 
>>>> which was:
>>>>
>>>>     Steinar,
>>>>
>>>>     As you have guessed, no data (except the token and some crypto
>>>>     checksums) is passing through the clients.
>>>>
>>>>     Once the legitimate client has allowed the illegitimate client
>>>>     to use the token, the illegitimate client can do anything it
>>>>     wants with it.
>>>>     The legitimate client can be kept fully ignorant of what
>>>>     illegitimate client is doing.
>>>>
>>>>     The data flow is minimal: if the token allows viewing a 4 Gb
>>>>     movie, that data does not flow between the clients.
>>>>
>>>>     Furthermore, the content of the token may allow the
>>>>     illegitimate client to use it for days or months.
>>>>     Suppose that the token indicates "over 18". If the user is over
>>>>     18 now, he will certainly be "over 18" the next days, months or
>>>>     years.
>>>>     There is no need to refresh the token as it would be the case
>>>>     if the token included a home address.
>>>>
>>>> This message explains why this collaborative attack is very 
>>>> different from simply forwarding messages between clients.
>>>>
>>>> The illegitimate client can do anything it wants without disclosing 
>>>> what it is doing to the legitimate client.
>>>> The traffic between the clients is kept to the very minimum.
>>>>
>>>> Denis
>>>>
>>>>> +1
>>>>>
>>>>> On 29.03.22 at 15:10, Justin Richer wrote:
>>>>>> And this is exactly the problem with the “collaborating clients” 
>>>>>> attack, as has been pointed out any number of times it’s been 
>>>>>> brought up before. If two clients are willingly collaborating in 
>>>>>> this way, they do not need to share any cryptographic material 
>>>>>> and impersonate each other.
>>>>>>
>>>>>> You don’t need to steal my license if I’m willing to just go buy 
>>>>>> you beer.
>>>>>>
>>>>>> The DPoP draft does address signed request re-use, which some see 
>>>>>> as a feature to be carefully applied.
>>>>>>
>>>>>>  — Justin
>>>>>>
>>>>>>> On Mar 28, 2022, at 1:04 PM, Steinar Noem <steinar@udelt.no> wrote:
>>>>>>>
>>>>>>> Interesting, but won't two collaborating clients just pass any 
>>>>>>> data they want to each other? Why would these collaborating 
>>>>>>> clients go through the trouble of exchanging private keys, dpop 
>>>>>>> proofs or tokens? Could you elaborate some more on the scenario?
>>>>>>>
>>>>>>> S
>>>>>>>
>>>>>>> Mon. 28 Mar. 2022 at 16:29, Denis <denis.ietf@free.fr> wrote:
>>>>>>>
>>>>>>>     Rifaat & Hannes,
>>>>>>>
>>>>>>>     Hereafter are my comments:
>>>>>>>
>>>>>>>     The introduction states:
>>>>>>>
>>>>>>>     Recipients of such tokens are then able to verify the
>>>>>>>     binding of the token to the key pair that the client has
>>>>>>>     demonstrated that it holds via the DPoP header, thereby
>>>>>>>     providing some assurance that the client presenting the
>>>>>>>     token also possesses the private key.
>>>>>>>
>>>>>>>     In other words, the legitimate presenter of the token
>>>>>>>     is constrained to be the sender that holds and can prove
>>>>>>>     possession of the private part of the key pair.
>>>>>>>
>>>>>>>     The client presenting the token *does not necessarily
>>>>>>>     possess the private key*. The client presenting the token
>>>>>>>     has been able to use
>>>>>>>     the results of some cryptographic functions using the
>>>>>>>     private part of the key pair.
>>>>>>>
>>>>>>>     These results may be communicated by one client to another
>>>>>>>     client, if the two clients agree to collaborate. This
>>>>>>>     statement will be added later on.
>>>>>>>
>>>>>>>     Proposed rewording:
>>>>>>>
>>>>>>>     Recipients of such tokens are then able to verify the
>>>>>>>     binding of the token to the key pair that the client has
>>>>>>>     demonstrated that it holds via the DPoP header, thereby
>>>>>>>     providing some assurance that the client presenting the
>>>>>>>     token *either* also possesses the private key *or* has been
>>>>>>>     able to use the result of cryptographic computations from
>>>>>>>     another client that possesses the private key.
>>>>>>>
>>>>>>>     In other words, the presenter of the token can prove
>>>>>>>     that it has been able to use the results of cryptographic
>>>>>>>     computations performed by using the private part of the
>>>>>>>     key pair.
>>>>>>>
>>>>>>>     The objectives state:
>>>>>>>
>>>>>>>     The primary aim of DPoP is to prevent unauthorized or
>>>>>>>     illegitimate parties from using leaked or stolen access
>>>>>>>     tokens, by binding a token to a public key upon issuance
>>>>>>>     and requiring that the client proves possession of the
>>>>>>>     corresponding private key when using the token.
>>>>>>>
>>>>>>>     DPoP does not prevent unauthorized or illegitimate parties
>>>>>>>     from using access tokens, as soon as two clients agree to
>>>>>>>     collaborate.
>>>>>>>
>>>>>>>     Proposed rewording:
>>>>>>>
>>>>>>>     The primary aim of DPoP is to bind a token to a public key
>>>>>>>     upon issuance and to require that the client proves
>>>>>>>     possession of the corresponding private key when using the
>>>>>>>     token. This does not demonstrate that the client presenting
>>>>>>>     the token is necessarily the legitimate client. In the case
>>>>>>>     of non-collaborating clients, DPoP prevents unauthorized or
>>>>>>>     illegitimate parties from using leaked or stolen access
>>>>>>>     tokens. In the case of collaborating clients, the security
>>>>>>>     of DPoP is ineffective (see section 11.X).
>>>>>>>
>>>>>>>     Section 11 is about "Security Considerations" and addresses
>>>>>>>     the following topics:
>>>>>>>
>>>>>>>     11.1. DPoP Proof Replay
>>>>>>>     11.2. DPoP Proof Pre-Generation
>>>>>>>     11.3. DPoP Nonce Downgrade
>>>>>>>     11.4. Untrusted Code in the Client Context
>>>>>>>     11.5. Signed JWT Swapping
>>>>>>>     11.6. Signature Algorithms
>>>>>>>     11.7. Message Integrity
>>>>>>>     11.8. Access Token and Public Key Binding
>>>>>>>     11.9. Authorization Code and Public Key Binding
>>>>>>>
>>>>>>>     The case of collaborative clients should be addressed within
>>>>>>>     section 11.
>>>>>>>
>>>>>>>     Text proposal.
>>>>>>>
>>>>>>>     11.X. Collaborative clients
>>>>>>>
>>>>>>>     DPoP demonstrates that the client presenting the token has
>>>>>>>     been able to use the results of some cryptographic functions
>>>>>>>     using the private part of the key pair.
>>>>>>>
>>>>>>>     If a client agrees to collaborate with another client, the
>>>>>>>     security of DPoP is no longer effective. When two clients
>>>>>>>     agree to collaborate, the results of the cryptographic
>>>>>>>     computations performed by one client may be communicated to
>>>>>>>     another client.
>>>>>>>
>>>>>>>     Even if the private key used for DPoP is stored in such a
>>>>>>>     way that it cannot be exported, e.g., in a hardware or
>>>>>>>     software security module,
>>>>>>>     the client can perform all the cryptographic computations
>>>>>>>     needed by the other client to create DPoP proofs.
>>>>>>>
>>>>>>>     The client can easily create new DPoP proofs as long as the
>>>>>>>     other client is online.
>>>>>>>
>>>>>>>     Note: There exist other techniques able to limit, in some
>>>>>>>     cases, the use of a token transmitted voluntarily by a
>>>>>>>     legitimate client to an illegitimate client.
>>>>>>>
>>>>>>>     Denis
>>>>>>>
>>>>>>>
>>>>>>>>     All,
>>>>>>>>
>>>>>>>>     As discussed during the IETF meeting in *Vienna* last week,
>>>>>>>>     this is a *WG Last Call *for the *DPoP* document:
>>>>>>>>     https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>>>>>>>
>>>>>>>>     Please, provide your feedback on the mailing list by April
>>>>>>>>     11th.
>>>>>>>>
>>>>>>>>     Regards,
>>>>>>>>      Rifaat & Hannes
>>>>>>>>
>>>>>>>>
>>>>>>>>     _______________________________________________
>>>>>>>>     OAuth mailing list
>>>>>>>>     OAuth@ietf.org
>>>>>>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> Kind regards
>>>>>>>
>>>>>>> Steinar Noem
>>>>>>> Partner Udelt AS
>>>>>>> System developer
>>>>>>> | steinar@udelt.no <mailto:steinar@udelt.no> | hei@udelt.no  | 
>>>>>>> +47 955 21 620 | www.udelt.no <http://www.udelt.no/> |
>>>>>>
>>>>>>
>>>>> -- 
>>>>> https://danielfett.de
>>>>>
>>>>
>>>>
>>>
>>
>

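The controls both sides of this thread refer to (the "iat" and "nonce" checks, the binding of the proof key to the token's cnf.jkt, and jti-based replay detection) as an added example of what a resource server verifies before honouring a DPoP-bound access token. This is not code from the DPoP draft or from any poster; the access token, the cnf.jkt value, the server nonce "rs-nonce-1" and the resource URI are constructed for the example, the replay cache is an in-memory set of seen jti values, and the RS256 key generator is a toy built from the standard library (1024-bit, far too small for real use) so the block runs without third-party packages.

```python
# Added example, not the DPoP draft's or any poster's code: the checks an RS runs before
# honouring a DPoP-bound access token.  Assumptions: the token is an opaque string whose
# AS-issued cnf.jkt is given to the verifier, the RS issued the nonce itself, and replay
# protection is an in-memory set of seen 'jti'.  The toy 1024-bit RSA key generated
# inline (far too small for real use) keeps the example on the standard library.
import base64, hashlib, json, secrets, time

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- toy RS256 (RSASSA-PKCS1-v1_5 with SHA-256), constructed for this example only ---
_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _probable_prime(n):      # Fermat test on fixed bases: fine for a demo key, nothing more
    return n > 13 and all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13))
def _prime(bits):
    while not _probable_prime(c := secrets.randbits(bits) | (1 << (bits - 1)) | 1):
        pass
    return c
def gen_toy_rsa(bits=1024):
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        if p != q and (phi := (p - 1) * (q - 1)) % 65537:
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, phi)}

def _emsa(msg, k):           # EMSA-PKCS1-v1_5 encoding of SHA-256(msg), as an integer
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")
def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa(msg, k), key["d"], key["n"]).to_bytes(k, "big")
def rs256_verify(jwk, msg, sig):
    n, e = (int.from_bytes(b64u_dec(jwk[m]), "big") for m in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa(msg, k)

def public_jwk(key):
    n = key["n"]
    return {"kty": "RSA", "n": b64u(n.to_bytes((n.bit_length() + 7) // 8, "big")), "e": "AQAB"}
def jwk_thumbprint(jwk):     # RFC 7638: required members only, sorted keys, no whitespace
    canon = json.dumps({k: jwk[k] for k in ("e", "kty", "n")}, sort_keys=True, separators=(",", ":"))
    return b64u(hashlib.sha256(canon.encode()).digest())

# --- client side: build the DPoP proof JWT ------------------------------------------
def make_proof(key, method, uri, access_token, nonce=None, iat=None):
    header = {"typ": "dpop+jwt", "alg": "RS256", "jwk": public_jwk(key)}
    claims = {"jti": secrets.token_urlsafe(16), "htm": method, "htu": uri,
              "iat": int(time.time()) if iat is None else iat,
              "ath": b64u(hashlib.sha256(access_token.encode()).digest())}
    if nonce is not None:
        claims["nonce"] = nonce
    enc = lambda o: b64u(json.dumps(o, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{b64u(rs256_sign(key, signing_input.encode()))}"

# --- RS side: the proof checks, roughly in the order the draft lists them -----------
class DPoPError(Exception): pass

def verify_proof(method, uri, access_token, proof, token_jkt, seen_jti, expected_nonce=None, iat_window=60):
    h64, c64, s64 = proof.split(".")
    header, claims = json.loads(b64u_dec(h64)), json.loads(b64u_dec(c64))
    jwk = header.get("jwk")
    if header.get("typ") != "dpop+jwt" or header.get("alg") != "RS256" or not isinstance(jwk, dict) or "d" in jwk:
        raise DPoPError("bad header: typ, alg or jwk (public key only)")
    if not rs256_verify(jwk, f"{h64}.{c64}".encode(), b64u_dec(s64)):
        raise DPoPError("bad signature")
    if jwk_thumbprint(jwk) != token_jkt:                  # key binding via the token's cnf.jkt
        raise DPoPError("proof key does not match the token's cnf.jkt")
    if (claims.get("htm") != method or claims.get("htu") != uri.split("?")[0].split("#")[0]
            or claims.get("ath") != b64u(hashlib.sha256(access_token.encode()).digest())):
        raise DPoPError("proof not bound to this request (htm, htu or ath)")
    if abs(time.time() - claims.get("iat", 0)) > iat_window:  # stale or pre-generated long ago
        raise DPoPError("iat outside the acceptance window")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise DPoPError("missing or stale server nonce")
    if not claims.get("jti") or claims["jti"] in seen_jti:  # replay inside the iat window
        raise DPoPError("jti missing or replayed")
    seen_jti.add(claims["jti"])
    return True

def demo():                  # one legitimate request plus the failure modes discussed above
    key, other = gen_toy_rsa(), gen_toy_rsa()
    token, uri, seen = "constructed.opaque.token", "https://rs.example/resource", set()
    jkt = jwk_thumbprint(public_jwk(key))                 # what the AS placed in cnf.jkt
    def attempt(proof, method="GET"):
        try:
            verify_proof(method, uri, token, proof, jkt, seen, expected_nonce="rs-nonce-1")
            return "accepted"
        except DPoPError as e:
            return f"rejected: {e}"
    fresh = make_proof(key, "GET", uri, token, nonce="rs-nonce-1")
    return {"fresh": attempt(fresh),
            "replayed": attempt(fresh),
            "pre_generated": attempt(make_proof(key, "GET", uri, token, "rs-nonce-1", int(time.time()) - 86400)),
            "other_request": attempt(make_proof(key, "GET", uri, token, "rs-nonce-1"), method="POST"),
            "no_nonce": attempt(make_proof(key, "GET", uri, token)),
            "other_key": attempt(make_proof(other, "GET", uri, token, "rs-nonce-1"))}
```

Running demo() shows what these checks do and do not buy: a proof that is replayed, pre-generated a day earlier, minted for another request, signed by a different key, or lacking the server nonce is rejected, while a proof freshly signed for this exact request by whoever holds the key is accepted. That is the boundary the thread is arguing over: iat, nonce and jti bound the lifetime of any single proof, and the thumbprint check pins the proof to the key the AS bound the token to, but none of them can tell the RS whether the party that ran the signing operation is the party presenting the token.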
--------------095hMVm8OMgw5X6Bc0E9JpiX
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix"> Justin,</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <blockquote type="cite"
      cite="mid:1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      Denis,
      <div class=""><br class="">
      </div>
      <div class="">This is why the use of “iat” and “nonce” are
        recommended, to prevent this kind of replay, and these are
        already discussed in the draft. </div>
    </blockquote>
    <blockquote type="cite"
      cite="mid:1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu">
      <div class="">Having a highly targeted request with narrow
        presentation window is desirable in most cases, but some
        applications of DPoP do want to have a pre-generated proof that
        can be re-used on multiple requests. In this case, it becomes
        kind of bearer token in its own right, since it’s not strictly
        tied to a single HTTP request. This isn’t an attack, it’s an
        artifact of DPoP’s limited attachment to the HTTP message. If a
        client pre-generates a generic proof and gives it to another
        client, then that’s exactly the same as the client handing over
        its access token (which it would also need to do). <br>
      </div>
    </blockquote>
    <p>The topic I am discussing has nothing to do with replay. The
      legitimate client gives away a token that it will never use.<br>
    </p>
    <blockquote type="cite"
      cite="mid:1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu">
      <div class="">The proof and the token are credentials, by
        definition.</div>
    </blockquote>
    <p>Well, the term "credentials" is being used with many different
      semantics in different documents. This is why I prefer not to use
      it.</p>
    <blockquote type="cite"
      cite="mid:1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu">
      <div class="">Subject identifiers within the token do not prevent
        this kind of collusion, as has been previously discussed at
        length. <br>
      </div>
    </blockquote>
    <p>As it has been presented several times, this other technique
      provides a solution (only) in the context of long term user
      accounts, <br>
      but this is a very common case.<br>
    </p>
    <blockquote type="cite"
      cite="mid:1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu">
      <div class="">Nothing stops Alice from giving her token that says
        “This is Alice” to Bob and having Bob use it. <br>
      </div>
    </blockquote>
    <p>Such a scenario does not exist in the context of long term user
      accounts. However, it is important first to understand the concept<br>
      of long term user accounts.</p>
    <blockquote type="cite"
      cite="mid:1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu">
      <div class="">The RS will know it’s Alice’s token, but it’s still
        valid and Bob can act as Alice. <br>
      </div>
    </blockquote>
    <p>When the AS delivers the access token, it includes into that
      access token an identifier that the client cannot choose which is
      representative of either Bob or Alice.<br>
    </p>
    <p>Alice cannot act on a long term user account that has been
      previously successfully opened by Bob, because she will get an
      identifier specific to herself.</p>
    On the contrary, when using DPoP, the sentence "<i><b>not
        identified, not catch</b></i>" applies.  Bob can sell such key
    bound tokens to an unlimited number of users.<br>
    <br>
    <blockquote type="cite"
      cite="mid:1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu">
      <div class="">If Alice is over 18 then Bob will get access to the
        things that Alice can get because she’s over 18. <br>
        The call still works. <br>
        <br>
        Please stop pretending that adding a user identifier to the
        token solves the problem you are describing, it simply does not.</div>
    </blockquote>
    <p>I would agree that the scenario of mixing user identifiers to the
      token and giving away access tokens between collaborative clients
      <br>
      has not yet been fully explored. If you are willing to discuss
      long term user accounts in such a context, please open a different
      thread.</p>
    <p>However, we should not mix topics since <b>this current thread
        is about DPoP</b>. <br>
    </p>
    <p>The key point is not the existence of an alternative technique
      at the moment, but the fact that DPoP is currently giving <b>a
        false sense of security</b>.</p>
    <div class="moz-cite-prefix">Currently DPoP allows clients to
      monetize the selling of "key bound access tokens" to other
      end-users, and this should be advertised <br>
      in the Security Considerations section.<br>
      <br>
      The next question is the following: being informed of that threat,
      will the community really use DPoP ? I let you answer that
      question.<br>
      However, if the community is not informed, it is more likely that
      it will use it. Ignoring the danger will not stop the threat.<br
        class="">
    </div>
    <p>Denis</p>
    <blockquote type="cite"
      cite="mid:1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu">
      <div class=""><br class="">
      </div>
      <div class=""> — Justin<br class="">
        <div><br class="">
          <blockquote type="cite" class="">
            <div class="">On Mar 29, 2022, at 11:39 AM, Denis &lt;<a
                href="mailto:denis.ietf@free.fr"
                class="moz-txt-link-freetext" moz-do-not-send="true">denis.ietf@free.fr</a>&gt;
              wrote:</div>
            <br class="Apple-interchange-newline">
            <div class="">
              <meta http-equiv="Content-Type" content="text/html;
                charset=UTF-8" class="">
              <div class="">
                <div class="moz-cite-prefix">Hi  Justin,</div>
                <div class="moz-cite-prefix"><br class="">
                </div>
                <div class="moz-cite-prefix">In this scenario, the
                  “legitimate” client <u class="">never</u> gives away
                  its secrets (if it is using a secure platform, it
                  can't). It never gives away its credentials either.</div>
                <div class="moz-cite-prefix"><br class="">
                </div>
                <div class="moz-cite-prefix">When using key bound access
                  tokens, an RS can't know whether the access token is
                  presented by the “legitimate” client  or by
                  an “illegitimate” client.</div>
                <div class="moz-cite-prefix"><br class="">
                </div>
                <div class="moz-cite-prefix">One of the goals is also to
                  prevent a client from monetizing the selling of "key bound
                  access tokens" to other end-users. <br class="">
                </div>
                <div class="moz-cite-prefix"><br class="">
                </div>
                <div class="moz-cite-prefix">As I have already
                  indicated, there exists a solution able to prevent
                  such a scenario in some specific cases (i.e. in the case
                  of RS long-term user accounts).<br class="">
                </div>
                <div class="moz-cite-prefix"><br class="">
                  Denis<br class="">
                </div>
                <div class="moz-cite-prefix"><br class="">
                </div>
                <div class="moz-cite-prefix"><br class="">
                </div>
                <blockquote type="cite"
                  cite="mid:02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu"
                  class="">
                  <div class="">If the “legitimate” client willingly
                    gives away its secrets and tokens to the
                    “illegitimate” client, then the latter isn’t
                    actually “illegitimate” anymore.</div>
                  <div class=""><br class="">
                  </div>
                  <div class="">What I was saying is that the “attack”
                    is not even necessary if the clients are in fact
                    working together. <br class="">
                    If the “legitimate” client knowingly gives away its
                    credentials, it is accepting that the receiver of
                    those credentials can do anything it wants with
                    those credentials. That’s why they are credentials.</div>
                  <div class=""><br class="">
                  </div>
                  <div class=""> — Justin<br class="">
                    <div class=""><br class="">
                    </div>
                    <div class="">PS: I did not “break” the thread, I
                      replied to a message in the thread. That’s how
                      email lists work.</div>
                    <div class=""><br class="">
                      <blockquote type="cite" class="">
                        <div class="">On Mar 29, 2022, at 9:19 AM, Denis
                          &lt;<a href="mailto:denis.ietf@free.fr"
                            class="moz-txt-link-freetext"
                            moz-do-not-send="true">denis.ietf@free.fr</a>&gt;
                          wrote:</div>
                        <br class="Apple-interchange-newline">
                        <div class="">
                          <div class="">
                            <div class="moz-cite-prefix">
                              <div class="moz-cite-prefix">Hi  Justin,</div>
                              <div class="moz-cite-prefix"><br class="">
                              </div>
                              <div class="moz-cite-prefix">You broke the
                                thread since you have not re-used the
                                last message which was:</div>
                              <div class="moz-cite-prefix">
                                <blockquote class="">Steinar,
                                  <div class="moz-cite-prefix"><br
                                      class="">
                                  </div>
                                  <div class="moz-cite-prefix">As you
                                    have guessed, no data (except the
                                    token and some crypto checksums) is
                                    passing through the clients. <br
                                      class="">
                                    <br class="">
                                    Once the legitimate client has
                                    allowed the illegitimate client to
                                    use the token, the illegitimate
                                    client can do anything it wants with
                                    it.</div>
                                  <div class="moz-cite-prefix">The
                                    legitimate client can be kept fully
                                    ignorant of what illegitimate client
                                    is doing.</div>
                                  <div class="moz-cite-prefix"><br
                                      class="">
                                  </div>
                                  <div class="moz-cite-prefix">The data
                                    flow is minimum: if the token allows
                                    to view a 4 Gb movie, that data flow
                                    does not flow between the clients.<br
                                      class="">
                                  </div>
                                  <div class="moz-cite-prefix"><br
                                      class="">
                                  </div>
                                  <div class="moz-cite-prefix">Furthermore,
                                    the content of the token may allow
                                    the illegitimate client to use it
                                    during days or months.<br class="">
                                  </div>
                                  <div class="moz-cite-prefix">Suppose
                                    that the token indicates "over 18".
                                    If the user is over 18 now, he will
                                    certainly be "over 18" the next
                                    days, months or years.  <br
                                      class="">
                                  </div>
                                  <div class="moz-cite-prefix">There is
                                    no need to refresh the token as it
                                    would be the case if the token
                                    included a home address.</div>
                                </blockquote>
                                <div class="moz-cite-prefix">This
                                  message explains why this
                                  collaborative attack is very different
                                  from simply forwarding messages
                                  between clients.</div>
                                <div class="moz-cite-prefix"><br
                                    class="">
                                </div>
                                <div class="moz-cite-prefix">The
                                  illegitimate client can do anything it
                                  wants without disclosing what it is
                                  doing to the legitimate client.<br
                                    class="">
                                  The traffic between the clients is
                                  kept to the very minimum.<br class="">
                                </div>
                                <div class="moz-cite-prefix"><br
                                    class="">
                                </div>
                                <div class="moz-cite-prefix">Denis</div>
                              </div>
                            </div>
                            <div class="moz-cite-prefix"><br class="">
                            </div>
                            <blockquote type="cite"
                              cite="mid:3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de"
                              class="">
                              <p class="">+1<br class="">
                              </p>
                              <div class="moz-cite-prefix">On 29.03.22
                                at 15:10, Justin Richer wrote:<br
                                  class="">
                              </div>
                              <blockquote type="cite"
                                cite="mid:F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu"
                                class=""> And this is exactly the
                                problem with the “collaborating clients”
                                attack, as has been pointed out any
                                number of times it’s been brought up
                                before. If two clients are willingly
                                collaborating in this way, they do not
                                need to share any cryptographic material
                                and impersonate each other.
                                <div class=""><br class="">
                                </div>
                                <div class="">You don’t need to steal my
                                  license if I’m willing to just go buy
                                  you beer.</div>
                                <div class=""><br class="">
                                </div>
                                <div class="">The DPoP draft does
                                  address signed request re-use, which
                                  some see as a feature to be carefully
                                  applied.</div>
                                <div class=""><br class="">
                                </div>
                                <div class=""> — Justin<br class="">
                                  <div class=""><br class="">
                                    <blockquote type="cite" class="">
                                      <div class="">On Mar 28, 2022, at
                                        1:04 PM, Steinar Noem &lt;<a
                                          href="mailto:steinar@udelt.no"
                                          class="moz-txt-link-freetext"
                                          moz-do-not-send="true">steinar@udelt.no</a>&gt;
                                        wrote:</div>
                                      <br
                                        class="Apple-interchange-newline">
                                      <div class="">
                                        <div dir="ltr" class="">Interesting,
                                          but won't two collaborating
                                          clients just pass any data
                                          they want to each other? Why
                                          would these collaborating
                                          clients go through the trouble
                                          of exchanging private keys,
                                          dpop proofs or tokens? Could
                                          you elaborate some more on the
                                          scenario? 
                                          <div class=""><br class="">
                                          </div>
                                          <div class="">S</div>
                                        </div>
                                        <br class="">
                                        <div class="gmail_quote">
                                          <div dir="ltr"
                                            class="gmail_attr">Mon. 28
                                            Mar. 2022 at 16:29, Denis
                                            &lt;<a
                                              href="mailto:denis.ietf@free.fr"
class="moz-txt-link-freetext" moz-do-not-send="true">denis.ietf@free.fr</a>&gt; wrote:<br
                                              class="">
                                          </div>
                                          <blockquote
                                            class="gmail_quote"
                                            style="margin:0px 0px 0px
                                            0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
                                            <div class="">
                                              <div class=""><span
                                                  style="font-family:Arial"
                                                  class="" lang="EN-US">Rifaat
                                                  &amp; Hannes,<br
                                                    class="">
                                                </span>
                                                <p class="MsoNormal"><span
style="font-family:Arial" class="" lang="EN-US">Hereafter are my
                                                    comments:<br
                                                      class="">
                                                    <br class="">
                                                    The introduction
                                                    states:<br class="">
                                                    <br class="">
                                                  </span><span
                                                    style="font-family:Arial"
                                                    class=""
                                                    lang="EN-US">      
                                                    Recipients of such
                                                    tokens are then able
                                                    to verify the
                                                    binding of the token
                                                    to the key pair that<span
                                                      class="">  </span>the
                                                    client has
                                                    demonstrated <br
                                                      class="">
                                                           that it holds
                                                    via the DPoP header,
                                                    thereby providing
                                                    some assurance that
                                                    the client
                                                    presenting the token
                                                    also possesses the
                                                    private key. </span><br
                                                    class="">
                                                  <span
                                                    style="font-family:Arial"
                                                    class=""
                                                    lang="EN-US"></span><span
style="font-family:Arial" class="" lang="EN-US"> <br class="">
                                                           In other
                                                    words, the
                                                    legitimate presenter
                                                    of the token is
                                                    constrained to be
                                                    the sender that
                                                    holds and can prove
                                                    possession of the
                                                    private part of the
                                                    key pair.<br
                                                      class="">
                                                    <br class="">
                                                    The client
                                                    presenting the token
                                                    <b class="">does not
                                                      necessarily
                                                      possess the
                                                      private key</b>.
                                                    The client
                                                    presenting the token
                                                    has been able to use
                                                    <br class="">
                                                    the results of some
                                                    cryptographic
                                                    functions using the
                                                    private part of the
                                                    key pair. <br
                                                      class="">
                                                  </span></p>
                                                <p class="MsoNormal"><span
style="font-family:Arial" class="" lang="EN-US">These results may be
                                                    communicated by one
                                                    client to another
                                                    client, if the two
                                                    clients agree to
                                                    collaborate. This
                                                    statement will be
                                                    added later on.<br
                                                      class="">
                                                    <br class="">
                                                    Proposed rewording:<br
                                                      class="">
                                                    <br class="">
                                                           Recipients of
                                                    such tokens are then
                                                    able to verify the
                                                    binding of the token
                                                    to the key pair that<span
                                                      class="">  </span>the
                                                    client has
                                                    demonstrated <br
                                                      class="">
                                                           that it holds
                                                    via the DPoP header,
                                                    thereby providing
                                                    some assurance that
                                                    the client
                                                    presenting the token
                                                    <b class="">either </b>also
                                                    possesses <br
                                                      class="">
                                                           the private
                                                    key <b class="">or</b>
                                                    has been able to use
                                                    the result of
                                                    cryptographic
                                                    computations from
                                                    another client that
                                                    possesses the
                                                    private key. <br
                                                      class="">
                                                    <br class="">
                                                           In other
                                                    words, the presenter
                                                    of the token can
                                                    prove that it has
                                                    been able to use the
                                                    results of
                                                    cryptographic
                                                    computations
                                                    performed <br
                                                      class="">
                                                           by using the
                                                    private part of the
                                                    key pair. <br
                                                      class="">
                                                    <br class="">
                                                    The Objectives section
                                                    states:<br class="">
                                                    <br class="">
                                                           The primary
                                                    aim of DPoP is to
                                                    prevent unauthorized
                                                    or illegitimate
                                                    parties from using
                                                    leaked or stolen
                                                    access tokens, <br
                                                      class="">
                                                           by binding a
                                                    token to a public
                                                    key upon issuance
                                                    and requiring that
                                                    the client proves
                                                    possession of the
                                                    corresponding <br
                                                      class="">
                                                           private key
                                                    when using the
                                                    token.<br class="">
                                                    <br class="">
                                                    DPoP does not
                                                    prevent unauthorized
                                                    or illegitimate
                                                    parties from using
                                                    access tokens, as
                                                    soon as two clients
                                                    agree to
                                                    collaborate.<br
                                                      class="">
                                                    <br class="">
                                                    Proposed rewording:<br
                                                      class="">
                                                    <br class="">
                                                           The primary
                                                    aim of DPoP is to
                                                    bind a token to a
                                                    public key upon
                                                    issuance and to
                                                    require that the
                                                    client proves
                                                    possession <br
                                                      class="">
                                                           of the
                                                    corresponding
                                                    private key when
                                                    using the token.<span
                                                      class="">  </span>This
                                                    does not demonstrate
                                                    that the client
                                                    presenting the token
                                                    is <br class="">
                                                           necessarily
                                                    the legitimate
                                                    client. In the case
                                                    of non-collaborating
                                                    clients, DPoP
                                                    prevents
                                                    unauthorized or
                                                    illegitimate parties
                                                    <br class="">
                                                           from using
                                                    leaked or stolen
                                                    access tokens. In
                                                    the case of
                                                    collaborating
                                                    clients, the
                                                    security of DPoP is
                                                    ineffective <br
                                                      class="">
                                                           (see section
                                                    11.X).<br class="">
                                                    <br class="">
                                                    Section 11 is about
                                                    "Security
                                                    Considerations" and
                                                    addresses the
                                                    following topics:<br
                                                      class="">
                                                    <br class="">
                                                    <span class="">    
                                                    </span>11.1.<span
                                                      class="">  </span>DPoP
                                                    Proof Replay<br
                                                      class="">
                                                    <span class="">    
                                                    </span>11.2.<span
                                                      class="">  </span>DPoP
                                                    Proof Pre-Generation<br
                                                      class="">
                                                    <span class="">    
                                                    </span>11.3.<span
                                                      class="">  </span>DPoP
                                                    Nonce Downgrade<br
                                                      class="">
                                                    <span class="">    
                                                    </span>11.4.<span
                                                      class="">  </span>Untrusted
                                                    Code in the Client
                                                    Context<br class="">
                                                    <span class="">    
                                                    </span>11.5.<span
                                                      class="">  </span>Signed
                                                    JWT Swapping<br
                                                      class="">
                                                    <span class="">    
                                                    </span>11.6.<span
                                                      class="">  </span>Signature
                                                    Algorithms<br
                                                      class="">
                                                    <span class="">    
                                                    </span>11.7.<span
                                                      class="">  </span>Message
                                                    Integrity<br
                                                      class="">
                                                    <span class="">    
                                                    </span>11.8.<span
                                                      class="">  </span>Access
                                                    Token and Public Key
                                                    Binding<br class="">
                                                    <span class="">    
                                                    </span>11.9.<span
                                                      class="">  </span>Authorization
                                                    Code and Public Key
                                                    Binding<br class="">
                                                    <br class="">
                                                    The case of
                                                    collaborative
                                                    clients should be
                                                    addressed within
                                                    section 11.<br
                                                      class="">
                                                    <br class="">
                                                    Text proposal. <br
                                                      class="">
                                                    <br class="">
                                                    <span class="">    
                                                    </span>11.X.
                                                    Collaborative
                                                    clients<br class="">
                                                    <br class="">
                                                                DPoP
                                                    demonstrates that
                                                    the client
                                                    presenting the token
                                                    has been able to use
                                                    the results of some
                                                    cryptographic
                                                    functions<br
                                                      class="">
                                                       <span
                                                      style="font-family:Arial"
                                                      class=""
                                                      lang="EN-US">
                                                              </span>using
                                                    the private part of
                                                    the key pair.<br
                                                      class="">
                                                    <br class="">
                                                  </span><span
                                                    style="font-family:Arial"
                                                    class=""
                                                    lang="EN-US"><span
                                                      style="font-family:Arial"
                                                      class=""
                                                      lang="EN-US">   <span
style="font-family:Arial" class="" lang="EN-US">         </span></span>If
                                                    a client agrees to
                                                    collaborate with
                                                    another client, the
                                                    security of DPoP is
                                                    no longer effective.<span
                                                      class="">  </span>When
                                                    two clients agree to
                                                    collaborate, <br
                                                      class="">
                                                  </span><span
                                                    style="font-family:Arial"
                                                    class=""
                                                    lang="EN-US"><span
                                                      style="font-family:Arial"
                                                      class=""
                                                      lang="EN-US">   <span
style="font-family:Arial" class="" lang="EN-US">         </span></span>these
                                                    results of the
                                                    cryptographic
                                                    computations
                                                    performed by one
                                                    client may be
                                                    communicated to
                                                    another client. <br
                                                      class="">
                                                    <br class="">
                                                  </span><span
                                                    style="font-family:Arial"
                                                    class=""
                                                    lang="EN-US"><span
                                                      style="font-family:Arial"
                                                      class=""
                                                      lang="EN-US">   <span
style="font-family:Arial" class="" lang="EN-US">         </span></span>Even
                                                    if the private key
                                                    used for DPoP is
                                                    stored in such a way
                                                    that it cannot be
                                                    exported, e.g., in a
                                                    hardware or software
                                                    security module, <br
                                                      class="">
                                                  </span><span
                                                    style="font-family:Arial"
                                                    class=""
                                                    lang="EN-US"><span
                                                      style="font-family:Arial"
                                                      class=""
                                                      lang="EN-US">   <span
style="font-family:Arial" class="" lang="EN-US">         </span></span>the
                                                    client can perform
                                                    all the
                                                    cryptographic
                                                    computations needed
                                                    by the other client
                                                    to create DPoP
                                                    proofs. <br
                                                      class="">
                                                    <br class="">
                                                  </span><span
                                                    style="font-family:Arial"
                                                    class=""
                                                    lang="EN-US"><span
                                                      style="font-family:Arial"
                                                      class=""
                                                      lang="EN-US">   <span
style="font-family:Arial" class="" lang="EN-US">         </span></span>The
                                                    client can easily
                                                    create new DPoP
                                                    proofs as long as
                                                    the other client is
                                                    online.<br class="">
                                                    <br class="">
                                                  </span><span
                                                    style="font-family:Arial"
                                                    class=""
                                                    lang="EN-US"><span
                                                      style="font-family:Arial"
                                                      class=""
                                                      lang="EN-US">   <span
style="font-family:Arial" class="" lang="EN-US">         </span></span>Note:
                                                    There exist other
                                                    techniques able to
                                                    limit, in some
                                                    cases, the use of a
                                                    token transmitted
                                                    voluntarily by a
                                                    legitimate client <br
                                                      class="">
                      to an illegitimate client.<br class="">
                                                    <br class="">
                                                    Denis</span></p>
                                              </div>
                                              <div class=""><br class="">
                                              </div>
                                              <blockquote type="cite"
                                                class="">
                                                <div dir="ltr" class="">All,<br
                                                    class="">
                                                  <br class="">
                                                  As discussed during
                                                  the IETF meeting in <b
                                                    class="">Vienna</b>
                                                  last week, this is a <b
                                                    class="">WG Last
                                                    Call </b>for the <b
                                                    class="">DPoP</b>
                                                  document:<br class="">
                                                  <a
                                                    href="https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/"
                                                    target="_blank"
                                                    class="moz-txt-link-freetext"
moz-do-not-send="true">https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/</a><br
                                                    class="">
                                                  <br class="">
                                                  Please, provide your
                                                  feedback on the
                                                  mailing list by April
                                                  11th.<br class="">
                                                  <br class="">
                                                  Regards,<br class="">
                                                   Rifaat &amp; Hannes<br
                                                    class="">
                                                  <div class=""><br
                                                      class="">
                                                  </div>
                                                </div>
                                                <br class="">
                                                <pre class="">_______________________________________________
OAuth mailing list
<a href="mailto:OAuth@ietf.org" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">OAuth@ietf.org</a>
<a href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                                              </blockquote>
                                              <p class=""><br class="">
                                              </p>
                                            </div>
                                          </blockquote>
                                        </div>
                                        <br class="" clear="all">
                                        <div class=""><br class="">
                                        </div>
                                        -- <br class="">
                                        <div dir="ltr"
                                          class="gmail_signature">
                                          <div dir="ltr" class="">
                                            <div class="">
                                              <div dir="ltr" class="">
                                                <div
                                                  style="color:rgb(80,0,80)"
                                                  class=""><span
                                                    style="color:rgb(34,34,34)"
                                                     class="">Kind regards</span><br
                                                    class="">
                                                </div>
                                                <div
                                                  style="color:rgb(80,0,80)"
                                                  class=""><span
                                                    style="color:rgb(34,34,34)"
                                                    class=""><br
                                                      class="">
                                                  </span></div>
                                                <div
                                                  style="color:rgb(80,0,80)"
                                                  class="">
                                                  <div
                                                    style="color:rgb(34,34,34)"
                                                    class="">Steinar
                                                    Noem</div>
                                                  <div
                                                    style="color:rgb(34,34,34)"
                                                    class="">Partner
                                                    Udelt AS</div>
                                                  <div
                                                    style="color:rgb(34,34,34)"
                                                     class="">System developer</div>
                                                  <div
                                                    style="color:rgb(34,34,34)"
                                                    class=""> </div>
                                                  <div
                                                    style="color:rgb(34,34,34)"
                                                    class="">| <a
                                                      href="mailto:steinar@udelt.no"
style="color:rgb(17,85,204)" target="_blank" class=""
                                                      moz-do-not-send="true"><span
style="color:rgb(34,34,34);background:rgb(255,255,204)" class="">steinar@udelt.no</span></a> | <a
href="mailto:hei@udelt.no" style="color:rgb(17,85,204)" target="_blank"
class="moz-txt-link-freetext" moz-do-not-send="true">hei@udelt.no</a>  | <a
                                                      class=""
                                                      moz-do-not-send="true">+47
                                                      955 21 620</a> | <a
href="http://www.udelt.no/" style="color:rgb(17,85,204)" target="_blank"
                                                      class=""
                                                      moz-do-not-send="true">www.udelt.no</a> | </div>
                                                </div>
                                              </div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </blockquote>
                                  </div>
                                  <br class="">
                                </div>
                                <br class="">
                              </blockquote>
                              <pre class="moz-signature" cols="72">-- 
<a class="moz-txt-link-freetext" href="https://danielfett.de/" moz-do-not-send="true">https://danielfett.de</a></pre>
                              <br class="">
                            </blockquote>
                            <p class=""><br class="">
                            </p>
                          </div>
                        </div>
                      </blockquote>
                    </div>
                    <br class="">
                  </div>
                </blockquote>
                <p class=""><br class="">
                </p>
              </div>
            </div>
          </blockquote>
        </div>
        <br class="">
      </div>
    </blockquote>
    <p><br>
    </p>
  </body>
</html>

--------------095hMVm8OMgw5X6Bc0E9JpiX--


From nobody Tue Mar 29 13:07:33 2022
Return-Path: <hans.zandbelt@zmartzone.eu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A95263A1B91 for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 13:07:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level: 
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zmartzone.eu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5j-PVcI5o-fI for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 13:07:26 -0700 (PDT)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A45B83A17CA for <oauth@ietf.org>; Tue, 29 Mar 2022 13:07:25 -0700 (PDT)
Received: by mail-vs1-xe2e.google.com with SMTP id i10so6702500vsr.6 for <oauth@ietf.org>; Tue, 29 Mar 2022 13:07:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zmartzone.eu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=x7XCRH8Vbe/cbj0j0D9BQt53K7tj1x3bH5Vz78KvnP8=; b=nDzDQ6Z04TypqJtBMnYz7JVf1qfVMZR9Qj+KMR9xxyM3GSkaNlXgr4wIdFXNYXr8SL IVnhaFQ+6OjVrhWm5BeS8u7aFXZjgZVPXN5X6mwH1JHtT5YnS9XSD38vzEaZRJU6GM63 JUpzky21AdfI0tkUKopxOIz3lOOvmurAnX5wwfQYJry5qAUfmNIO/bq0IOBji91nZVfJ 5bvwrTLXrO5vJESP4EKEjxs9p+jFewp3+NEy0nLkT4XYhOzZik3oGuPfMcQmcREJVmUa eaRlT8Oi2ibnOOhMH23FkaLyY91GKZCcqV6Q2Ay8mfn5XoxyvvkOBP6gYjmi9qetsAY6 Ta2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=x7XCRH8Vbe/cbj0j0D9BQt53K7tj1x3bH5Vz78KvnP8=; b=AHwd3X971GBy+SeaZXuIB2Senz7O4XFTksjSID7z5npCx89089MlC/F+UfU8pxb0Fs URQ/l0yt30me6HRQIhpASEAQc70LnPmRd0XpjX8Dm1un+Aj9M7OL2OtTFaWQyUZYYM9I CbmFK6IsECMO4T3xZ5u/ydNDujgIi+TeczMuJCnH+dr9gqEZkD4YmnKGn1U5DUMA0oUR ht3fkVjyncIArpiiBx0hHEqx8UflNXODm0rvf4j+dSHdIRbzzLvXS7Ifn6aAl2+btAO8 078O1EIWL9hZwpbVJC3z9IysvdhKaSGT+e47g2JmDuxMoTKCbOG+onZ2fFAqWma8uy1L PNGQ==
X-Gm-Message-State: AOAM532xHqTvblQC3cejXUzgZmOBQIciRD2y9gWdLV5RGuvcCxaRuc2E yCXXkbLPGVV+m8ka6AMMaXJP0ed9QeMN9GXg7fKboGyp3is=
X-Google-Smtp-Source: ABdhPJwO8aQz9oo2mH1rad+foIXpkM5l3hezuQc8HQ9HovCKWJPu9Ddp6M8OsbuRBeM69p8tKAvUOZul1lw3IVG1f4w=
X-Received: by 2002:a05:6102:3547:b0:325:5c85:6fcb with SMTP id e7-20020a056102354700b003255c856fcbmr16275207vss.56.1648584444015; Tue, 29 Mar 2022 13:07:24 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu> <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de> <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr> <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu> <3c82ae34-41d8-9fc8-3490-5c11d7f29a2c@free.fr> <1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu> <1098582f-2143-e42b-ab13-11442ac43deb@free.fr>
In-Reply-To: <1098582f-2143-e42b-ab13-11442ac43deb@free.fr>
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Tue, 29 Mar 2022 22:07:13 +0200
Message-ID: <CA+iA6ujQz6GvOEeomRP24jUEXUsKF96gaDTC73joG+Y+yhOYXQ@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002b07fd05db60fa2a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ffFCFcRTPzClgtHxuqSkEEbnjlw>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 20:07:32 -0000

--0000000000002b07fd05db60fa2a
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

On Tue, Mar 29, 2022 at 9:54 PM Denis <denis.ietf@free.fr> wrote:

>> Nothing stops Alice from giving her token that says “This is Alice” to Bob
>> and having Bob use it.
>
> Such a scenario does not exist in the context of long term user accounts.
> However, it is important first to understand the concept
> of long term user accounts.
>
Nothing stops Alice from logging in on Bob's device, obtaining tokens for
access and then leaving Bob with the device, even in long term user accounts.

Hans.

-- 
hans.zandbelt@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu

--0000000000002b07fd05db60fa2a--


From nobody Tue Mar 29 13:19:10 2022
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 941AA3A1BB3 for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 13:19:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.942
X-Spam-Level: 
X-Spam-Status: No, score=-0.942 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.186, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qw25Xt1Ul9jP for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 13:19:02 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp07.smtpout.orange.fr [80.12.242.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 210C33A17D4 for <oauth@ietf.org>; Tue, 29 Mar 2022 13:19:01 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.93.96]) by smtp.orange.fr with ESMTPA id ZIItnDMyGQLa5ZIIun3DDY; Tue, 29 Mar 2022 22:19:00 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: OWU3ZmVkYWM0M2UwZWM1YifxM2Q3ZDk1YiUzNWJiZTM2MiliMTI0N2YxZmQ=
X-ME-Date: Tue, 29 Mar 2022 22:19:00 +0200
X-ME-IP: 90.26.93.96
Content-Type: multipart/alternative; boundary="------------E4XSGDRrdmmSX91uXUhAeck3"
Message-ID: <488d9ac2-e123-7b90-5890-7e6dec4856f6@free.fr>
Date: Tue, 29 Mar 2022 22:19:00 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-GB
To: oauth <oauth@ietf.org>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu> <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de> <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr> <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu> <3c82ae34-41d8-9fc8-3490-5c11d7f29a2c@free.fr> <1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu> <1098582f-2143-e42b-ab13-11442ac43deb@free.fr> <CA+iA6ujQz6GvOEeomRP24jUEXUsKF96gaDTC73joG+Y+yhOYXQ@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
In-Reply-To: <CA+iA6ujQz6GvOEeomRP24jUEXUsKF96gaDTC73joG+Y+yhOYXQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kWm4sNGnBLCftqkI0f1ioYLOYcM>
Subject: [OAUTH-WG] WGLC for DPoP Document: new thread about subject identifiers
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 20:19:07 -0000

This is a multi-part message in MIME format.
--------------E4XSGDRrdmmSX91uXUhAeck3
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Hans,

Please do not mix topics. I have changed the title of that thread so as 
not to pollute the original one.

> On Tue, Mar 29, 2022 at 9:54 PM Denis <denis.ietf@free.fr> wrote:
>
>>     Nothing stops Alice from giving her token that says “This is
>>     Alice” to Bob and having Bob use it.
>
>     Such a scenario does not exist in the context of long term user
>     accounts. However, it is important first to understand the concept
>     of long term user accounts.
>
> Nothing stops Alice from logging in on Bob's device, obtaining tokens 
> for access and then leaving Bob with the device, even in long term user 
> accounts.

Even so, Alice will be unable to use that long term user account that 
has just been opened the next time an access token is requested by 
the RS, unless she asks Bob again to use Bob's device. In such a case, 
she had better live very close to Bob. :-)

Denis

>
> Hans.
>
> -- 
> hans.zandbelt@zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu>


--------------E4XSGDRrdmmSX91uXUhAeck3--


From nobody Tue Mar 29 14:10:02 2022
Return-Path: <hans.zandbelt@zmartzone.eu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C19103A0CAB for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 14:10:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level: 
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zmartzone.eu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MZYQwCi0sCus for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 14:09:55 -0700 (PDT)
Received: from mail-vs1-xe33.google.com (mail-vs1-xe33.google.com [IPv6:2607:f8b0:4864:20::e33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 627EF3A0D0F for <oauth@ietf.org>; Tue, 29 Mar 2022 14:09:54 -0700 (PDT)
Received: by mail-vs1-xe33.google.com with SMTP id i186so20542113vsc.9 for <oauth@ietf.org>; Tue, 29 Mar 2022 14:09:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zmartzone.eu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jGGo3c0tH+v0MSG8RoM8fh71MMLCMzud6twjG7s604o=; b=M23MWiUd0Bz3WmmSnyKqXmL9iY98P2rqksS0LlnKbXUltNo/2nGoGSrLb5XmYVwNAP dANCZ+nM/XFjhVxobwDo3v0GtyGKbMQV/fEu9VJGCD9I9/ZpPFMJYYQ4L0yOdn+COABj VsxBgeik+Qf6o5VuQ2j9ZVhbY/KoP8PyW0SdPP6bEejrpojBqGmMsAcujBYNkKeujOQW pDrPnCUDhVEO+zMKGinPYqNh4oxxIn73caDCuvFITP5zU+u/Y8bZlVskDBRx1AFWhDhW uluGepfSeFAgEclYfVlRSCrUhXmvy42ccrRBSvGk9SDIN5nkJRJa/GdtajGEcZdBg1Mu HHcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jGGo3c0tH+v0MSG8RoM8fh71MMLCMzud6twjG7s604o=; b=CqPnMSdrt02j4xMJmjDgjZGzMp/SpWdkkMTa+bjljV81zzRHKW1VkjO6DSOuJJfPxj ILCZX4JEhnPuCD3pBpYgNEONDiChlN/v92Z0OaGmDf+hV51Yw5zf/qT21+m6poA+fD/D gQ3bUq0xZTv2IvUOznns7WKr6rfsAilBnaeA799v6fGAbQk95zcfe2sGQrdrZTdNG98j TTGS564GceDiNzQhLW+FBrpz0XmllqnxQcxBKcAmRq8WbpeYDdu1SoB+HxxgY5+mh0xa xSlCmsNdR5GAFPFNzoo0Ya76NYrsmTTHVWvmzZoRGz2z7aeEyHLxKsZg1Jmz4zvqokKu AvMw==
X-Gm-Message-State: AOAM530tgiXT/rzmltTsbZD9nqX1rS2LXG5J2dA0c6jF7LUJUTBfG1Bn zwyPdzDT25PPLjmbMpVmXm9NY0/DtLjTp76sfinBb8rktd4=
X-Google-Smtp-Source: ABdhPJw4hsBfrdg9trLbT5nrGYD7bf43kS2TUX3gVsXq23xSbxkvZUb3/yXP4S3Uo45kjmBaC0SkgHRtW4CXTC3eQNM=
X-Received: by 2002:a05:6102:a12:b0:325:6b89:279a with SMTP id t18-20020a0561020a1200b003256b89279amr15004035vsa.32.1648588193480; Tue, 29 Mar 2022 14:09:53 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu> <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de> <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr> <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu> <3c82ae34-41d8-9fc8-3490-5c11d7f29a2c@free.fr> <1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu> <1098582f-2143-e42b-ab13-11442ac43deb@free.fr> <CA+iA6ujQz6GvOEeomRP24jUEXUsKF96gaDTC73joG+Y+yhOYXQ@mail.gmail.com> <488d9ac2-e123-7b90-5890-7e6dec4856f6@free.fr>
In-Reply-To: <488d9ac2-e123-7b90-5890-7e6dec4856f6@free.fr>
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Tue, 29 Mar 2022 23:09:38 +0200
Message-ID: <CA+iA6ujdcFUYKB=8296yE-3kBJx49d61nWUCuPY9kf6Z36Wt4w@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a7592205db61d921"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uqT6nRpu3Unce13STpiQWF_zq2E>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document: new thread about subject identifiers
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 21:10:01 -0000

--000000000000a7592205db61d921
Content-Type: text/plain; charset="UTF-8"

Hi Denis,

thanks for correcting the thread topic:

On Tue, Mar 29, 2022 at 10:19 PM Denis <denis.ietf@free.fr> wrote:

>> Nothing stops Alice from logging in on Bob's device, obtaining tokens for
>> access and then leaving Bob with the device, even in long term user accounts.
>
> Even so, Alice will be unable to use that long term user account that has
> just been opened the next time an access token is requested by the RS,
> unless she asks Bob again to use Bob's device. In such a case,
> she had better live very close to Bob. :-)
>
So I conclude that the security considerations of the spec on subject
identifiers should stipulate that colluding clients must not live close to
each other then... (or better, that the spec does not try to address this
type of attack, same for DPoP)

Hans.

--
hans.zandbelt@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu

--000000000000a7592205db61d921--


From nobody Tue Mar 29 14:13:00 2022
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E34943A0D63 for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 14:12:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level: 
From: Mike Jones <Michael.Jones@microsoft.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Date: Tue, 29 Mar 2022 21:12:38 +0000
Message-ID: <SJ0PR00MB10058BB56F497FDEF5606314F51E9@SJ0PR00MB1005.namprd00.prod.outlook.com>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com>
In-Reply-To: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="_000_SJ0PR00MB10058BB56F497FDEF5606314F51E9SJ0PR00MB1005namp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9-u91jjyWKVIYRb8oUsTs-rsj8g>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document

--_000_SJ0PR00MB10058BB56F497FDEF5606314F51E9SJ0PR00MB1005namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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==

--_000_SJ0PR00MB10058BB56F497FDEF5606314F51E9SJ0PR00MB1005namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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=

--_000_SJ0PR00MB10058BB56F497FDEF5606314F51E9SJ0PR00MB1005namp_--


From nobody Tue Mar 29 14:16:19 2022
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Content-Type: multipart/alternative; boundary="------------ihkJoBA0jekQTLBJTMUkgywb"
Message-ID: <df536174-4ba9-4b0d-0239-51366ad2d062@free.fr>
Date: Tue, 29 Mar 2022 23:16:10 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-GB
To: oauth <oauth@ietf.org>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu> <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de> <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr> <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu> <3c82ae34-41d8-9fc8-3490-5c11d7f29a2c@free.fr> <1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu> <1098582f-2143-e42b-ab13-11442ac43deb@free.fr> <CA+iA6ujQz6GvOEeomRP24jUEXUsKF96gaDTC73joG+Y+yhOYXQ@mail.gmail.com> <488d9ac2-e123-7b90-5890-7e6dec4856f6@free.fr> <CA+iA6ujdcFUYKB=8296yE-3kBJx49d61nWUCuPY9kf6Z36Wt4w@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
In-Reply-To: <CA+iA6ujdcFUYKB=8296yE-3kBJx49d61nWUCuPY9kf6Z36Wt4w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/M8rxAlNfBW-vPBpK5wvaJsbx674>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document: new thread about subject identifiers

This is a multi-part message in MIME format.
--------------ihkJoBA0jekQTLBJTMUkgywb
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Hi Hans,

> Hi Denis,
>
> thanks for correcting the thread topic:
>
> On Tue, Mar 29, 2022 at 10:19 PM Denis <denis.ietf@free.fr> wrote:
>
>>     nothing stops Alice from logging in on Bob's device, obtaining
>>     tokens for access and then leaving Bob with the device, even in
>>     long-term user accounts
>
>     Even so, Alice will be unable to use that long-term user account
>     that has just been opened the next time an access token is
>     requested by the RS,
>     unless she asks Bob again to use Bob's device. In such a
>     case, she had better live very close to Bob. :-)
>
> so I conclude that the security considerations of the spec on subject 
> identifiers should stipulate that colluding clients must not live 
> close to each other then...
> (or better, that the spec does not try to address this type of attack, 
> same for DPoP)

I see that you have a good sense of humour. :-)

The reality is that the mechanism protects the case when the users are 
spread all over the world in different locations.

Now, I will never allow Alice to use my own device.

This has nothing to do with what DPoP can offer. So it is not the same 
for DPoP.

Denis


>
> Hans.
>
> --
> hans.zandbelt@zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu>



--------------ihkJoBA0jekQTLBJTMUkgywb--


From nobody Tue Mar 29 14:20:39 2022
Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
From: David Waite <david@alkaline-solutions.com>
Message-Id: <37A689BA-6662-4D39-8031-283AC019BC5F@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3AECBB45-BAED-425C-8F25-AFCFB266F314"
Mime-Version: 1.0
Date: Tue, 29 Mar 2022 15:20:29 -0600
In-Reply-To: <SJ0PR00MB10058BB56F497FDEF5606314F51E9@SJ0PR00MB1005.namprd00.prod.outlook.com>
Cc: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <SJ0PR00MB10058BB56F497FDEF5606314F51E9@SJ0PR00MB1005.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BkcsWEWc6aNF6NdC5fXtM5lf-VY>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document

--Apple-Mail=_3AECBB45-BAED-425C-8F25-AFCFB266F314
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii

I also support publication of this specification.

-DW

> On Mar 29, 2022, at 3:12 PM, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
> 
> I support publication of the specification.
>  
>                                                        -- Mike
>  
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Rifaat Shekh-Yusef
> Sent: Monday, March 28, 2022 5:01 AM
> To: oauth <oauth@ietf.org>
> Subject: [OAUTH-WG] WGLC for DPoP Document
>  
> All,
> 
> As discussed during the IETF meeting in Vienna last week, this is a WG Last Call for the DPoP document:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
> 
> Please, provide your feedback on the mailing list by April 11th.
> 
> Regards,
>  Rifaat & Hannes
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



--Apple-Mail=_3AECBB45-BAED-425C-8F25-AFCFB266F314--


From nobody Tue Mar 29 22:23:54 2022
Return-Path: <steinar@udelt.no>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
MIME-Version: 1.0
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu> <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de> <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr> <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu> <3c82ae34-41d8-9fc8-3490-5c11d7f29a2c@free.fr> <1E780389-4981-43A8-8928-1CC5B8C91AB9@mit.edu> <1098582f-2143-e42b-ab13-11442ac43deb@free.fr> <CA+iA6ujQz6GvOEeomRP24jUEXUsKF96gaDTC73joG+Y+yhOYXQ@mail.gmail.com>
In-Reply-To: <CA+iA6ujQz6GvOEeomRP24jUEXUsKF96gaDTC73joG+Y+yhOYXQ@mail.gmail.com>
From: Steinar Noem <steinar@udelt.no>
Date: Wed, 30 Mar 2022 07:23:33 +0200
Message-ID: <CAHsNOKcgdZuutcWgZXYYBNqLA3TCvNxNiR7W4TE4MrTyo6UBEA@mail.gmail.com>
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Cc: Denis <denis.ietf@free.fr>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cd2b3705db68bf88"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gRoqA0mNMcXVhrstl_6Xmn4CYXc>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 05:23:52 -0000

--000000000000cd2b3705db68bf88
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I would like to un-ask my question. Is there a «retract mail» option
somewhere?

PS! This is written by my wife, with whom I have colluded many times. She
even knows the PIN code on my bank cards.



On Tue, 29 Mar 2022 at 22:08, Hans Zandbelt <hans.zandbelt@zmartzone.eu> wrote:

>
>
> On Tue, Mar 29, 2022 at 9:54 PM Denis <denis.ietf@free.fr> wrote:
>
>> Nothing stops Alice from giving her token that says “This is Alice” to
>> Bob and having Bob use it.
>>
>> Such a scenario does not exist in the context of long term user accounts.
>> However, it is important first to  the concept
>> of long term user accounts.
>>
> nothing stops Alice from logging in on Bob's device, obtaining tokens for
> access and then leaving Bob with the device, even in long term user accounts
>
> Hans.
>
> --
> hans.zandbelt@zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 
Kind regards

Steinar Noem
Partner Udelt AS
Systems developer

| steinar@udelt.no | hei@udelt.no  | +47 955 21 620 | www.udelt.no |

--000000000000cd2b3705db68bf88--


From nobody Tue Mar 29 23:54:51 2022
Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C0353A0BB0 for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 23:54:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level: 
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A6yCQzx9aHGr for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 23:54:45 -0700 (PDT)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C0B03A0BA9 for <oauth@ietf.org>; Tue, 29 Mar 2022 23:54:45 -0700 (PDT)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id 4E8451E30C for <oauth@ietf.org>; Wed, 30 Mar 2022 06:54:42 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1648623282; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=9vFyMHrfq1eUo2NI2VS3GxYWVrTSkiukcAdJAESYqTo=; b=CyGoE/RoPM611X17Gu578iSG1pVm7yyr0NC9RzFK++JdvCNmfSbnA9GENjMv1ps3ydxZDt U0r7qpFuEPYVMFJXV3O1gSVxJ3t/tpg3Z1COwW3bcV4EsopBuoE6WClk93QsP0l6wwfRra eodxlbCUCnbGC2gT8k5Gy7/DD/FDCH4=
Content-Type: multipart/alternative; boundary="------------70HDIellifB25noCSsB6yGFJ"
Message-ID: <5b19e3f1-e2b7-a959-dc85-5de00f6833d2@danielfett.de>
Date: Wed, 30 Mar 2022 08:54:40 +0200
MIME-Version: 1.0
Content-Language: de-DE
To: oauth@ietf.org
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <SJ0PR00MB10058BB56F497FDEF5606314F51E9@SJ0PR00MB1005.namprd00.prod.outlook.com> <37A689BA-6662-4D39-8031-283AC019BC5F@alkaline-solutions.com>
From: Daniel Fett <fett@danielfett.de>
In-Reply-To: <37A689BA-6662-4D39-8031-283AC019BC5F@alkaline-solutions.com>
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de;  s=dkim; t=1648623282; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=9vFyMHrfq1eUo2NI2VS3GxYWVrTSkiukcAdJAESYqTo=; b=JZDSZeE+laOV/+VXC7I9H037imGf7OKy1y1zOpShzjAIprXQPQlNBV+TlBRvNJUGtGZBUf +LKmGda0uOHocJIgew17ZD1VhjRDxXz7Zipvc/RRUP8vI9qt6tShJuz0zULZA4Jvp2JCYZ yrNuDxO+cD0Ky+uuMDdQFlg4QOmBxh4=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1648623282; a=rsa-sha256; cv=none; b=ufEgPt1farCoOVCziRZ80o723Zklz7NTvnFOzELzw4IpSXVfw2yg7dZYyIU721uI0acl6A Ox+8L/gMThvl3q9M/a9RBNoW/vIOUvAY+s3c9WmcC0+7ZVAAxD938NuJ377jeXYUDsEyzF ttMa8i1mMQZptUJv2/uWcfVOMuEwVmA=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: ---
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/W2t7rgyRl7dtaD3o09YYx52ySdo>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 06:54:50 -0000

This is a multi-part message in MIME format.
--------------70HDIellifB25noCSsB6yGFJ
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

I also support publication.

-Daniel

On 29.03.22 at 23:20, David Waite wrote:
> I also support publication of this specification
>
> -DW
>
>> On Mar 29, 2022, at 3:12 PM, Mike Jones 
>> <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>>
>> I support publication of the specification.
>> -- Mike
>> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of* Rifaat Shekh-Yusef
>> *Sent:* Monday, March 28, 2022 5:01 AM
>> *To:* oauth <oauth@ietf.org>
>> *Subject:* [OAUTH-WG] WGLC for DPoP Document
>> All,
>>
>> As discussed during the IETF meeting in *Vienna* last week, this is
>> a *WG Last Call* for the *DPoP* document:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>
>> Please, provide your feedback on the mailing list by April 11th.
>>
>> Regards,
>>  Rifaat & Hannes
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
https://danielfett.de

--------------70HDIellifB25noCSsB6yGFJ--


From nobody Tue Mar 29 23:56:15 2022
Return-Path: <dave.tonge@moneyhub.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDBB43A0BD3 for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 23:56:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.169
X-Spam-Level: 
X-Spam-Status: No, score=-1.169 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, WORD_INVIS=0.581] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=momentumft.co.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jwDZKqfpvw23 for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 23:56:08 -0700 (PDT)
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3E0E3A0BD1 for <oauth@ietf.org>; Tue, 29 Mar 2022 23:56:07 -0700 (PDT)
Received: by mail-ej1-x630.google.com with SMTP id yy13so39546792ejb.2 for <oauth@ietf.org>; Tue, 29 Mar 2022 23:56:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=momentumft.co.uk; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=SsmQFW2OghsfmTZ8E1AI5pIU8lVKFCjJk0E7RdNtR/Q=; b=J5QV362VYGKvkF+YuYTOJW17HotCV7VIqNfnJLamAB8bk38Sb6QAZXXYTwebfsuiJR twYzRW3d3lL01q4U4xhFZ/LHqNF2HSJaIFVsvOa/D/actmKPsuYIwIyiN+zbxKIiSg8t 07+qCSSL7UW0qD36qEQh8x6YgxhWB513YQFv4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=SsmQFW2OghsfmTZ8E1AI5pIU8lVKFCjJk0E7RdNtR/Q=; b=BiVR7UCYgwNPEa2J8J3ngAi1vd+W6X5xphXV3DxrdTl/vf0uwO9HivF/o8x6kRcbIH w92LbjqRyQDRFgdO3/5loYSay91l1DtWxhRP3tda2546kNATIp/6IQp/0r6g32n3WfTr z7f5RRt5tfFWOFmCH93xLqDP5qjjlyusDs14/j/YgGye4aivAUy8KE8CO1rKL+AMFhFd 07onNEkHhynO2A/YkgMCNXWf5qhFgfukOVFDtQ3+D1dVhYBu5YQb29gA555rjgo5kv9p 0aFmEf5hJnbMI0pn9s0TxJtkTSJqiqOZR5v34KlEJh+AIgImxi+AL7Knw4FKuve14r1R k+Bg==
X-Gm-Message-State: AOAM533hrkz/00GJyXNaLuZSaNwz2kh8oAWDM3H6cdFf+kvtyjdG9aV/ yG59P/S58UDq0S9I+U+VFftIxETVG7fPvbHwJDiq/eUIOk1JRVmntIMR5b2mZJN91VY37NAW74T icp25QN2Ss/lxbpG9mVRa4w==
X-Google-Smtp-Source: ABdhPJzTGS+dvYcvSBmdD0cGKPZl85O1o+QZAQXv7jXG2HSbGfj7QiqICT5gyf/hKvPrwp5TXfdOuTLohPqeaY9t02k=
X-Received: by 2002:a17:906:c145:b0:6da:aaaf:770c with SMTP id dp5-20020a170906c14500b006daaaaf770cmr38257774ejc.504.1648623365905; Tue, 29 Mar 2022 23:56:05 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <SJ0PR00MB10058BB56F497FDEF5606314F51E9@SJ0PR00MB1005.namprd00.prod.outlook.com> <37A689BA-6662-4D39-8031-283AC019BC5F@alkaline-solutions.com> <5b19e3f1-e2b7-a959-dc85-5de00f6833d2@danielfett.de>
In-Reply-To: <5b19e3f1-e2b7-a959-dc85-5de00f6833d2@danielfett.de>
From: Dave Tonge <dave.tonge@momentumft.co.uk>
Date: Wed, 30 Mar 2022 08:55:55 +0200
Message-ID: <CAP-T6TTHsbBpXyqSwtCeAEt7fU_kiybb8UZqF=E3ra2g0LpGow@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001800d305db6a0a90"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zvLyQEnCkLVMWBIOZc66v423Hhc>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 06:56:13 -0000

--0000000000001800d305db6a0a90
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I support publication of the specification

On Wed, 30 Mar 2022 at 08:55, Daniel Fett <fett@danielfett.de> wrote:

> I also support publication.
>
> -Daniel
> Am 29.03.22 um 23:20 schrieb David Waite:
>
> I also support publication of this specification
>
> -DW
>
> On Mar 29, 2022, at 3:12 PM, Mike Jones <
> Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>
> I support publication of the specification.
>
>                                                        -- Mike
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Rifaat Shekh-Yusef
> *Sent:* Monday, March 28, 2022 5:01 AM
> *To:* oauth <oauth@ietf.org>
> *Subject:* [OAUTH-WG] WGLC for DPoP Document
>
> All,
>
> As discussed during the IETF meeting in *Vienna* last week, this is a *WG
> Last Call *for the *DPoP* document:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>
> Please, provide your feedback on the mailing list by April 11th.
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> -- https://danielfett.de
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Dave Tonge
CTO
[image: Moneyhub Enterprise]
<http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Moneyhub Financial Technology is entered on the
Financial Services Register (FRN 809360) at fca.org.uk/register.
Moneyhub Financial Technology is registered in England & Wales, company
registration number 06909772.
Moneyhub Financial Technology Limited 2018 ©

DISCLAIMER: This email (including any attachments) is subject to copyright,
and the information in it is confidential. Use of this email or of any
information in it other than by the addressee is unauthorised and unlawful.
Whilst reasonable efforts are made to ensure that any attachments are
virus-free, it is the recipient's sole responsibility to scan all
attachments for viruses. All calls and emails to and from this company may
be monitored and recorded for legitimate purposes relating to this
company's business. Any opinions expressed in this email (or in any
attachments) are those of the author and do not necessarily represent the
opinions of Moneyhub Financial Technology Limited or of any other group
company.

--=20


Moneyhub Enterprise is a trading style of Moneyhub Financial Technology=20
Limited which is authorised and regulated by the Financial Conduct=20
Authority ("FCA"). Moneyhub Financial Technology is entered on the=20
Financial Services Register (FRN 809360) at https://register.fca.org.uk/=20
<https://register.fca.org.uk/>. Moneyhub Financial Technology is registered=
=20
in England & Wales, company registration number 06909772. Moneyhub=20
Financial Technology Limited 2022 =C2=A9 Moneyhub Enterprise,=C2=A0

DISCLAIMER: This=20
email (including any attachments) is subject to copyright, and the=20
information in it is confidential. Use of this email or of any information=
=20
in it other than by the addressee is unauthorised and unlawful. Whilst=20
reasonable efforts are made to ensure that any attachments are virus-free,=
=20
it is the recipient's sole responsibility to scan all attachments for=20
viruses. All calls and emails to and from this company may be monitored and=
=20
recorded for legitimate purposes relating to this company's business. Any=
=20
opinions expressed in this email (or in any attachments) are those of the=
=20
author and do not necessarily represent the opinions of Moneyhub Financial=
=20
Technology Limited or of any other group company.

--0000000000001800d305db6a0a90--


From nobody Wed Mar 30 00:19:17 2022
Return-Path: <steinar@udelt.no>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AAF13A0417 for <oauth@ietfa.amsl.com>; Wed, 30 Mar 2022 00:19:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.315
X-Spam-Level: 
X-Spam-Status: No, score=-6.315 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, WORD_INVIS=0.581] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=udelt-no.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5GBmdFTkK5WX for <oauth@ietfa.amsl.com>; Wed, 30 Mar 2022 00:19:08 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 492F53A0404 for <oauth@ietf.org>; Wed, 30 Mar 2022 00:19:07 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id z12so20434753lfu.10 for <oauth@ietf.org>; Wed, 30 Mar 2022 00:19:07 -0700 (PDT)
X-Received: by 2002:a05:6512:1193:b0:44a:6936:49b1 with SMTP id g19-20020a056512119300b0044a693649b1mr5745756lfr.414.1648624744480; Wed, 30 Mar 2022 00:19:04 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <SJ0PR00MB10058BB56F497FDEF5606314F51E9@SJ0PR00MB1005.namprd00.prod.outlook.com> <37A689BA-6662-4D39-8031-283AC019BC5F@alkaline-solutions.com> <5b19e3f1-e2b7-a959-dc85-5de00f6833d2@danielfett.de> <CAP-T6TTHsbBpXyqSwtCeAEt7fU_kiybb8UZqF=E3ra2g0LpGow@mail.gmail.com>
In-Reply-To: <CAP-T6TTHsbBpXyqSwtCeAEt7fU_kiybb8UZqF=E3ra2g0LpGow@mail.gmail.com>
From: Steinar Noem <steinar@udelt.no>
Date: Wed, 30 Mar 2022 09:18:53 +0200
Message-ID: <CAHsNOKfTFgO5s79gHFARqK0x_UVa_n7BC9VvY-dtUx48=wetdw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000043542105db6a5cd9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/phRa5PtAIE-PLy9fxVYfMzphLm0>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 07:19:15 -0000

--00000000000043542105db6a5cd9
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I support publication of the specification

On Wed, 30 Mar 2022 at 08:56, Dave Tonge <dave.tonge@momentumft.co.uk> wrote:

> I support publication of the specification
>
> On Wed, 30 Mar 2022 at 08:55, Daniel Fett <fett@danielfett.de> wrote:
>
>> I also support publication.
>>
>> -Daniel
>> On 29.03.22 at 23:20, David Waite wrote:
>>
>> I also support publication of this specification
>>
>> -DW
>>
>> On Mar 29, 2022, at 3:12 PM, Mike Jones <
>> Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>>
>> I support publication of the specification.
>>
>>                                                        -- Mike
>>
>> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Rifaat Shekh-Yusef
>> *Sent:* Monday, March 28, 2022 5:01 AM
>> *To:* oauth <oauth@ietf.org>
>> *Subject:* [OAUTH-WG] WGLC for DPoP Document
>>
>> All,
>>
>> As discussed during the IETF meeting in *Vienna* last week, this is a *WG
>> Last Call *for the *DPoP* document:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>
>> Please, provide your feedback on the mailing list by April 11th.
>>
>> Regards,
>>  Rifaat & Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> -- https://danielfett.de
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
> --
> Dave Tonge
> CTO
> [image: Moneyhub Enterprise]
> <http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
> t: +44 (0)117 280 5120
>
> Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
> Limited which is authorised and regulated by the Financial Conduct
> Authority ("FCA"). Moneyhub Financial Technology is entered on the
> Financial Services Register (FRN 809360) at fca.org.uk/register. Moneyhub Financial
> Technology is registered in England & Wales, company registration number
> 06909772 .
> Moneyhub Financial Technology Limited 2018 ©
>
> DISCLAIMER: This email (including any attachments) is subject to
> copyright, and the information in it is confidential. Use of this email or
> of any information in it other than by the addressee is unauthorised and
> unlawful. Whilst reasonable efforts are made to ensure that any attachments
> are virus-free, it is the recipient's sole responsibility to scan all
> attachments for viruses. All calls and emails to and from this company may
> be monitored and recorded for legitimate purposes relating to this
> company's business. Any opinions expressed in this email (or in any
> attachments) are those of the author and do not necessarily represent the
> opinions of Moneyhub Financial Technology Limited or of any other group
> company.
>
> Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
> Limited which is authorised and regulated by the Financial Conduct
> Authority ("FCA"). Moneyhub Financial Technology is entered on the
> Financial Services Register (FRN 809360) at https://register.fca.org.uk/.
> Moneyhub Financial Technology is registered in England & Wales, company
> registration number 06909772. Moneyhub Financial Technology Limited 2022 ©
> Moneyhub Enterprise,
>
> DISCLAIMER: This email (including any attachments) is subject to
> copyright, and the information in it is confidential. Use of this email or
> of any information in it other than by the addressee is unauthorised and
> unlawful. Whilst reasonable efforts are made to ensure that any attachments
> are virus-free, it is the recipient's sole responsibility to scan all
> attachments for viruses. All calls and emails to and from this company may
> be monitored and recorded for legitimate purposes relating to this
> company's business. Any opinions expressed in this email (or in any
> attachments) are those of the author and do not necessarily represent the
> opinions of Moneyhub Financial Technology Limited or of any other group
> company.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Kind regards

Steinar Noem
Partner, Udelt AS
Systems Developer

| steinar@udelt.no | hei@udelt.no  | +47 955 21 620 | www.udelt.no |

--00000000000043542105db6a5cd9
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

.75em">) at <a href=3D"http://fca.org.uk/register" target=3D"_blank">fca.or=
g.uk/register</a>. M</span><span style=3D"color:rgb(51,51,51);font-family:l=
ato,&quot;open sans&quot;,arial,sans-serif;background-color:transparent;fon=
t-size:10.5px">oneyhub</span><span style=3D"color:rgb(51,51,51);font-family=
:lato,&quot;open sans&quot;,arial,sans-serif;background-color:transparent;f=
ont-size:0.75em">=C2=A0Financial Technology is registered in England &amp; =
Wales, company registration number=C2=A0</span><span style=3D"color:rgb(51,=
51,51);font-family:lato,&quot;open sans&quot;,arial,sans-serif;background-c=
olor:transparent;font-size:0.75em">=C2=A0</span><span style=3D"font-weight:=
bold;color:rgb(0,164,183);font-family:lato,&quot;open sans&quot;,arial,sans=
-serif;background-color:transparent;font-size:0.75em">06909772</span><span =
style=3D"background-color:transparent"><font color=3D"#333333" face=3D"lato=
, open sans, arial, sans-serif"><span style=3D"font-size:0.75em">=C2=A0.</s=
pan></font></span></div><div style=3D"font-family:lato,&quot;open sans&quot=
;,arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style=3D"back=
ground-color:transparent;font-size:10.5px">Moneyhub</span><span style=3D"ba=
ckground-color:transparent;font-size:0.75em">=C2=A0Financial Technology Lim=
ited 2018=C2=A0</span><span style=3D"background-color:transparent;color:rgb=
(34,34,34);font-family:arial,sans-serif;font-size:x-small">=C2=A9</span></d=
iv><div style=3D"font-family:lato,&quot;open sans&quot;,arial,sans-serif;co=
lor:rgb(51,51,51);line-height:1.4"><span style=3D"background-color:transpar=
ent;font-size:0.75em"><br></span></div><div style=3D"font-family:lato,&quot=
;open sans&quot;,arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><spa=
n style=3D"background-color:transparent;font-size:0.75em;color:rgb(136,136,=
136)">DISCLAIMER: This email (including any attachments) is subject to copy=
right, and the information in it is confidential. Use of this email or of a=
ny information in it other than by the addressee is unauthorised and unlawf=
ul. Whilst reasonable efforts are made to ensure that any attachments are v=
irus-free, it is the recipient&#39;s sole responsibility to scan all attach=
ments for viruses. All calls and emails to and from this company may be mon=
itored and recorded for legitimate purposes relating to this company&#39;s =
business. Any opinions expressed in this email (or in any attachments) are =
those of the author and do not necessarily represent the opinions of Moneyh=
ub Financial Technology Limited or of any other group company.</span></div>=
</div></div></div></div></div></div></div></div></div></div></div></div></d=
iv></div></div></div></div>

<br>
<p dir=3D"ltr" style=3D"font-weight:bold"><font face=3D"Arial" color=3D"#80=
8080" size=3D"1">Moneyhub Enterprise is a trading style of Moneyhub Financi=
al Technology Limited which is authorised and regulated by the Financial Co=
nduct Authority (&quot;FCA&quot;). Moneyhub Financial Technology is entered=
 on the Financial Services Register (FRN 809360) at <a href=3D"https://regi=
ster.fca.org.uk/" target=3D"_blank"><span>https://register.fca.org.uk/</spa=
n></a>. Moneyhub Financial Technology is registered in England &amp; Wales,=
 company registration number 06909772. Moneyhub Financial Technology Limite=
d 2022 =C2=A9 Moneyhub Enterprise,=C2=A0</font></p><p dir=3D"ltr" style=3D"=
font-weight:bold"><span style=3D"color:rgb(128,128,128);font-family:Arial;f=
ont-weight:400"><font size=3D"1">DISCLAIMER: This email (including any atta=
chments) is subject to copyright, and the information in it is confidential=
. Use of this email or of any information in it other than by the addressee=
 is unauthorised and unlawful. Whilst reasonable efforts are made to ensure=
 that any attachments are virus-free, it is the recipient&#39;s sole respon=
sibility to scan all attachments for viruses. All calls and emails to and f=
rom this company may be monitored and recorded for legitimate purposes rela=
ting to this company&#39;s business. Any opinions expressed in this email (=
or in any attachments) are those of the author and do not necessarily repre=
sent the opinions of Moneyhub Financial Technology Limited or of any other =
group company.</font></span></p><br>_______________________________________=
________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"=
 class=3D"gmail_signature"><div dir=3D"ltr"><div><div dir=3D"ltr"><div styl=
e=3D"color:rgb(80,0,80)"><span style=3D"color:rgb(34,34,34)">Kind regards=
</span><br></div><div style=3D"color:rgb(80,0,80)"><span style=3D"color:rgb=
(34,34,34)"><br></span></div><div style=3D"color:rgb(80,0,80)"><div style=
=3D"color:rgb(34,34,34)">Steinar Noem</div><div style=3D"color:rgb(34,34,34=
)">Partner Udelt AS</div><div style=3D"color:rgb(34,34,34)">System=
 developer</div><div style=3D"color:rgb(34,34,34)">=C2=A0</div><div =
style=3D"color:rgb=
(34,34,34)">|=C2=A0<a href=3D"mailto:steinar@udelt.no" style=3D"color:rgb(1=
7,85,204)" target=3D"_blank"><span style=3D"color:rgb(34,34,34);background:=
rgb(255,255,204)">steinar@udelt.no</span></a>=C2=A0|=C2=A0<a href=3D"mailto=
:hei@udelt.no" style=3D"color:rgb(17,85,204)" target=3D"_blank">hei@udelt.n=
o</a>=C2=A0=C2=A0|=C2=A0<a>+47 955 21 620</a>=C2=A0|=C2=A0<a href=3D"http:/=
/www.udelt.no/" style=3D"color:rgb(17,85,204)" target=3D"_blank">www.udelt.=
no</a>=C2=A0|=C2=A0</div></div></div></div></div></div>

--00000000000043542105db6a5cd9--


From nobody Wed Mar 30 05:08:09 2022
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 069243A113A for <oauth@ietfa.amsl.com>; Wed, 30 Mar 2022 05:08:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level: 
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q0a6XggGEfDw for <oauth@ietfa.amsl.com>; Wed, 30 Mar 2022 05:08:02 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE7483A1134 for <oauth@ietf.org>; Wed, 30 Mar 2022 05:08:01 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id u26so24116391eda.12 for <oauth@ietf.org>; Wed, 30 Mar 2022 05:08:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=mdM6suowz7rXX33fh9JapAc0jmXmjyy1ojVaSUiu7Hc=; b=NHGCJKRKFPAg4nfp4yXHHSalWI1SZPpwr51PJH0UM7URIo2uo+hNcf4QjUYmD9J5ym hIcWKdUCKx6JmrUdZI3S2TfVZgkg6hgRu98ktDeIHhWWc7bAJ47EK95cSrykVJctmV1E WLDJtAChpU6+jKmZa3gkYmfXGwcqGbsAIKKLxzGYfjlLG/QNCpctvdZpAbSo42bbUJa6 rIf1ZDZT88WmSRaBSAFR/Sv28+8lpSP3NVzL8EE42eN6nxcBgqa/iamGhNt8J6LmC5/G hE9Apa8l1cKbDPqxcKSk6uWH357MbiKFIep+zZ59sRSTX13r2KURU+MN5FH/GBo+XUxh VkKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=mdM6suowz7rXX33fh9JapAc0jmXmjyy1ojVaSUiu7Hc=; b=G5eyPdfKgQqVp8MZfpTkdxF1XQeNKX8uNzTHO/oIRGIjW87tqOyumdpZPrZLAqOubY CnMG6wGIHOsrrAMGp186/8DG3WWpKHgcHdku8Q+I1bzkYLykJ9yK6kLWsMfzm3nREN+M /fwdQFSTXfscrTQzAiEaz8/woU9iXA5AJacPg8n92Zmt5g6Zj/5PaIWL1+pRiLbP63n5 l0jt5lezZ3qzRGhJh96MPzqWl8n57QkCvFdql+2cI8V67LoneOR/2OLw4eBYwn8xLn3W Qr1kgfugcCcguXY1lD9RJmw5lJsXMGo9lWDwF2liNbrjNLT6Z8ND1ST1IpCKM4KO7ky1 hoxA==
X-Gm-Message-State: AOAM530JT+HBXmrIogZCYIZolqLm+zAdB3iSrgtIR757vEXqcIZfN1Li iBPIDUa4P5l3opvhcvaeCEBjIw==
X-Google-Smtp-Source: ABdhPJzFhYCaIwDeC6r2iZ0TraH3MwjSi0Mvu/e8CrQNuUZUXxLTkJ8y7HTA60V23kAOpL03HdhBJw==
X-Received: by 2002:a05:6402:51d2:b0:419:7d2e:9d0 with SMTP id r18-20020a05640251d200b004197d2e09d0mr10147416edd.82.1648642079532;  Wed, 30 Mar 2022 05:07:59 -0700 (PDT)
Received: from smtpclient.apple (p5b0d9c96.dip0.t-ipconnect.de. [91.13.156.150]) by smtp.gmail.com with ESMTPSA id r3-20020aa7cb83000000b0041b573e2654sm1589224edt.94.2022.03.30.05.07.58 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 30 Mar 2022 05:07:59 -0700 (PDT)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <D7F1E96F-929B-4FED-AF4B-CD2777606F43@lodderstedt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C39B3047-2E2A-4BE7-9CA9-BB084660A075"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
Date: Wed, 30 Mar 2022 14:07:57 +0200
In-Reply-To: <CAHsNOKfTFgO5s79gHFARqK0x_UVa_n7BC9VvY-dtUx48=wetdw@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Steinar Noem <steinar@udelt.no>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <SJ0PR00MB10058BB56F497FDEF5606314F51E9@SJ0PR00MB1005.namprd00.prod.outlook.com> <37A689BA-6662-4D39-8031-283AC019BC5F@alkaline-solutions.com> <5b19e3f1-e2b7-a959-dc85-5de00f6833d2@danielfett.de> <CAP-T6TTHsbBpXyqSwtCeAEt7fU_kiybb8UZqF=E3ra2g0LpGow@mail.gmail.com> <CAHsNOKfTFgO5s79gHFARqK0x_UVa_n7BC9VvY-dtUx48=wetdw@mail.gmail.com>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gg-OlEZMxWDBL_FUEETwuP1cUXo>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 12:08:07 -0000

--Apple-Mail=_C39B3047-2E2A-4BE7-9CA9-BB084660A075
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I support publication of this specification.=20

> On 30.03.2022 at 09:18, Steinar Noem <steinar@udelt.no> wrote:
>=20
> I support publication of the specification
>=20
> On Wed. 30 Mar. 2022 at 08:56, Dave Tonge =
<dave.tonge@momentumft.co.uk <mailto:dave.tonge@momentumft.co.uk>> wrote:
> I support publication of the specification
>=20
> On Wed, 30 Mar 2022 at 08:55, Daniel Fett <fett@danielfett.de =
<mailto:fett@danielfett.de>> wrote:
> I also support publication.
>=20
> -Daniel
>=20
> On 29.03.22 at 23:20, David Waite wrote:
>> I also support publication of this specification
>>=20
>> -DW
>>=20
>>> On Mar 29, 2022, at 3:12 PM, Mike Jones =
<Michael.Jones=3D40microsoft.com@dmarc.ietf.org =
<mailto:Michael.Jones=3D40microsoft.com@dmarc.ietf.org>> wrote:
>>>=20
>>> I support publication of the specification.
>>> =20
>>>                                                        -- Mike
>>> =20
>>> From: OAuth <oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>> =
On Behalf Of Rifaat Shekh-Yusef
>>> Sent: Monday, March 28, 2022 5:01 AM
>>> To: oauth <oauth@ietf.org <mailto:oauth@ietf.org>>
>>> Subject: [OAUTH-WG] WGLC for DPoP Document
>>> =20
>>> All,
>>>=20
>>> As discussed during the IETF meeting in Vienna last week, this is a =
WG Last Call for the DPoP document:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ =
<https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/>
>>>=20
>>> Please, provide your feedback on the mailing list by April 11th.
>>>=20
>>> Regards,
>>>  Rifaat & Hannes
>>> =20
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth =
<https://www.ietf.org/mailman/listinfo/oauth>
>>=20
>>=20
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth =
<https://www.ietf.org/mailman/listinfo/oauth>
> --=20
> https://danielfett.de =
<https://danielfett.de/>_______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth =
<https://www.ietf.org/mailman/listinfo/oauth>
>=20
>=20
> --=20
> Dave Tonge
> CTO
>  =
<http://www.google.com/url?q=3Dhttp%3A%2F%2Fmoneyhubenterprise.com%2F&sa=3D=
D&sntz=3D1&usg=3DAFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
> t: +44 (0)117 280 5120
>=20
> Moneyhub Enterprise is a trading style of Moneyhub Financial =
Technology Limited which is authorised and regulated by the Financial =
Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on =
the Financial Services Register (FRN 809360) at fca.org.uk/register =
<http://fca.org.uk/register>. Moneyhub Financial Technology is =
registered in England & Wales, company registration number  06909772 .
> Moneyhub Financial Technology Limited 2018 =C2=A9
>=20
> DISCLAIMER: This email (including any attachments) is subject to =
copyright, and the information in it is confidential. Use of this email =
or of any information in it other than by the addressee is unauthorised =
and unlawful. Whilst reasonable efforts are made to ensure that any =
attachments are virus-free, it is the recipient's sole responsibility to =
scan all attachments for viruses. All calls and emails to and from this =
company may be monitored and recorded for legitimate purposes relating =
to this company's business. Any opinions expressed in this email (or in =
any attachments) are those of the author and do not necessarily =
represent the opinions of Moneyhub Financial Technology Limited or of =
any other group company.
>=20
> Moneyhub Enterprise is a trading style of Moneyhub Financial =
Technology Limited which is authorised and regulated by the Financial =
Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on =
the Financial Services Register (FRN 809360) at =
https://register.fca.org.uk/ <https://register.fca.org.uk/>. Moneyhub =
Financial Technology is registered in England & Wales, company =
registration number 06909772. Moneyhub Financial Technology Limited 2022 =
=C2=A9 Moneyhub Enterprise,=20
>=20
> DISCLAIMER: This email (including any attachments) is subject to =
copyright, and the information in it is confidential. Use of this email =
or of any information in it other than by the addressee is unauthorised =
and unlawful. Whilst reasonable efforts are made to ensure that any =
attachments are virus-free, it is the recipient's sole responsibility to =
scan all attachments for viruses. All calls and emails to and from this =
company may be monitored and recorded for legitimate purposes relating =
to this company's business. Any opinions expressed in this email (or in =
any attachments) are those of the author and do not necessarily =
represent the opinions of Moneyhub Financial Technology Limited or of =
any other group company.
>=20
>=20
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth =
<https://www.ietf.org/mailman/listinfo/oauth>
>=20
>=20
> --=20
> Kind regards
>=20
> Steinar Noem
> Partner Udelt AS
> System developer
> =20
> | steinar@udelt.no <mailto:steinar@udelt.no> | hei@udelt.no =
<mailto:hei@udelt.no>  | +47 955 21 620 <> | www.udelt.no =
<http://www.udelt.no/> |=20
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_C39B3047-2E2A-4BE7-9CA9-BB084660A075
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D"">I =
support publication of this specification.&nbsp;<br class=3D""><div><br =
class=3D""><blockquote type=3D"cite" class=3D""><div class=3D"">On =
30.03.2022 at 09:18, Steinar Noem &lt;<a =
href=3D"mailto:steinar@udelt.no" =
class=3D"">steinar@udelt.no</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><div dir=3D"ltr" =
class=3D"">I support publication of the specification</div><br =
class=3D""><div class=3D"gmail_quote"><div dir=3D"ltr" =
class=3D"gmail_attr">On Wed. 30 Mar. 2022 at 08:56, Dave Tonge =
&lt;<a href=3D"mailto:dave.tonge@momentumft.co.uk" =
class=3D"">dave.tonge@momentumft.co.uk</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr" class=3D""><div =
class=3D"gmail_default" style=3D"font-family:&quot;trebuchet =
ms&quot;,sans-serif">I support publication of the =
specification</div></div><br class=3D""><div class=3D"gmail_quote"><div =
dir=3D"ltr" class=3D"gmail_attr">On Wed, 30 Mar 2022 at 08:55, Daniel =
Fett &lt;<a href=3D"mailto:fett@danielfett.de" target=3D"_blank" =
class=3D"">fett@danielfett.de</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
 =20
   =20
 =20
  <div class=3D""><p class=3D"">I also support publication.</p><p =
class=3D"">-Daniel<br class=3D"">
    </p>
    <div class=3D"">On 29.03.22 at 23:20, David
      Waite wrote:<br class=3D"">
    </div>
    <blockquote type=3D"cite" class=3D"">
     =20
      I also support publication of this specification
      <div class=3D""><br class=3D"">
      </div>
      <div class=3D"">-DW<br class=3D"">
        <div class=3D""><br class=3D"">
          <blockquote type=3D"cite" class=3D"">
            <div class=3D"">On Mar 29, 2022, at 3:12 PM, Mike Jones =
&lt;<a href=3D"mailto:Michael.Jones=3D40microsoft.com@dmarc.ietf.org" =
target=3D"_blank" =
class=3D"">Michael.Jones=3D40microsoft.com@dmarc.ietf.org</a>&gt;
              wrote:</div>
            <br class=3D"">
            <div class=3D"">
             =20
              <div =
style=3D"font-family:Helvetica;font-size:12px;font-style:normal;font-varia=
nt-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text=
-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-d=
ecoration:none" class=3D"">
                <div =
style=3D"margin:0in;font-size:11pt;font-family:Calibri,sans-serif" =
class=3D"">I support publication
                  of the specification.<u class=3D""></u><u =
class=3D""></u></div>
                <div =
style=3D"margin:0in;font-size:11pt;font-family:Calibri,sans-serif" =
class=3D""><u class=3D""></u>&nbsp;<u class=3D""></u></div>
                <div =
style=3D"margin:0in;font-size:11pt;font-family:Calibri,sans-serif" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                  -- Mike<u class=3D""></u><u class=3D""></u></div>
                <div =
style=3D"margin:0in;font-size:11pt;font-family:Calibri,sans-serif" =
class=3D""><u class=3D""></u>&nbsp;<u class=3D""></u></div>
                <div style=3D"border-style:solid none =
none;border-top-width:1pt;border-top-color:rgb(225,225,225);padding:3pt =
0in 0in" class=3D"">
                  <div =
style=3D"margin:0in;font-size:11pt;font-family:Calibri,sans-serif" =
class=3D""><b class=3D"">From:</b><span class=3D"">&nbsp;</span>OAuth =
&lt;<a href=3D"mailto:oauth-bounces@ietf.org" target=3D"_blank" =
class=3D"">oauth-bounces@ietf.org</a>&gt;<span class=3D"">&nbsp;</span><b =
class=3D"">On
                      Behalf Of<span class=3D"">&nbsp;</span></b>Rifaat
                    Shekh-Yusef<br class=3D"">
                    <b class=3D"">Sent:</b><span =
class=3D"">&nbsp;</span>Monday,
                    March 28, 2022 5:01 AM<br class=3D"">
                    <b class=3D"">To:</b><span =
class=3D"">&nbsp;</span>oauth &lt;<a href=3D"mailto:oauth@ietf.org" =
target=3D"_blank" class=3D"">oauth@ietf.org</a>&gt;<br class=3D"">
                    <b class=3D"">Subject:</b><span =
class=3D"">&nbsp;</span>[OAUTH-WG]
                    WGLC for DPoP Document<u class=3D""></u><u =
class=3D""></u></div>
                </div>
                <div =
style=3D"margin:0in;font-size:11pt;font-family:Calibri,sans-serif" =
class=3D""><u class=3D""></u>&nbsp;<u class=3D""></u></div>
                <div class=3D"">
                  <div =
style=3D"margin:0in;font-size:11pt;font-family:Calibri,sans-serif" =
class=3D"">All,<br class=3D"">
                    <br class=3D"">
                    As discussed during the IETF meeting in<span =
class=3D"">&nbsp;</span><b class=3D"">Vienna</b><span =
class=3D"">&nbsp;</span>last week,
                    this is a<span class=3D"">&nbsp;</span><b =
class=3D"">WG Last Call<span class=3D"">&nbsp;</span></b>for
                    the&nbsp;<b class=3D"">DPoP</b><span =
class=3D"">&nbsp;</span>document:<br class=3D"">
                    <a =
href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/" =
style=3D"color:blue;text-decoration:underline" target=3D"_blank" =
class=3D"">https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/</a><br =
class=3D"">
                    <br class=3D"">
                    Please, provide your feedback on the mailing list by
                    April 11th.<br class=3D"">
                    <br class=3D"">
                    Regards,<br class=3D"">
                    &nbsp;Rifaat &amp; Hannes<u class=3D""></u><u =
class=3D""></u></div>
                  <div class=3D"">
                    <div =
style=3D"margin:0in;font-size:11pt;font-family:Calibri,sans-serif" =
class=3D""><u class=3D""></u>&nbsp;<u class=3D""></u></div>
                  </div>
                </div>
              </div>
              <span =
style=3D"font-family:Helvetica;font-size:12px;font-style:normal;font-varia=
nt-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text=
-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-d=
ecoration:none;float:none;display:inline" =
class=3D"">_______________________________________________</span><br =
style=3D"font-family:Helvetica;font-size:12px;font-style:normal;font-varia=
nt-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text=
-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-d=
ecoration:none" class=3D"">
              <span =
style=3D"font-family:Helvetica;font-size:12px;font-style:normal;font-varia=
nt-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text=
-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-d=
ecoration:none;float:none;display:inline" class=3D"">OAuth mailing =
list</span><br =
style=3D"font-family:Helvetica;font-size:12px;font-style:normal;font-varia=
nt-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text=
-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-d=
ecoration:none" class=3D"">
              <span =
style=3D"font-family:Helvetica;font-size:12px;font-style:normal;font-varia=
nt-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text=
-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-d=
ecoration:none;float:none;display:inline" class=3D""><a =
href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a></span><br =
style=3D"font-family:Helvetica;font-size:12px;font-style:normal;font-varia=
nt-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text=
-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-d=
ecoration:none" class=3D"">
              <span =
style=3D"font-family:Helvetica;font-size:12px;font-style:normal;font-varia=
nt-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text=
-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-d=
ecoration:none;float:none;display:inline" class=3D""><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a></span></div>
          </blockquote>
        </div>
        <br class=3D"">
      </div>
      <br class=3D"">
      <fieldset class=3D""></fieldset>
      <pre class=3D"">_______________________________________________
OAuth mailing list
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <pre cols=3D"72" class=3D"">--=20
<a href=3D"https://danielfett.de/" target=3D"_blank" =
class=3D"">https://danielfett.de</a></pre>
  </div>

_______________________________________________<br class=3D"">
OAuth mailing list<br class=3D"">
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a><br class=3D"">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer"=
 target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><br class=3D"">
</blockquote></div><br clear=3D"all" class=3D""><div class=3D""><br =
class=3D""></div>-- <br class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D""><div class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" =
class=3D""><div dir=3D"ltr" class=3D""><div =
style=3D"font-size:1em;font-weight:bold;line-height:1.4" class=3D""><div =
style=3D"color:rgb(97,97,97);font-family:&quot;Open =
Sans&quot;;font-size:14px;font-weight:normal;line-height:21px" =
class=3D""><div =
style=3D"font-family:Arial,Helvetica,sans-serif;font-size:0.925em;line-hei=
ght:1.4;color:rgb(220,41,30);font-weight:bold" class=3D""><div =
style=3D"font-size:14px;font-weight:normal;color:rgb(51,51,51);font-family=
:lato,&quot;open sans&quot;,arial,sans-serif;line-height:normal" =
class=3D""><div =
style=3D"color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1=
.4" class=3D""><div =
style=3D"font-weight:400;color:rgb(51,51,51);line-height:normal" =
class=3D""><div =
style=3D"color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1=
.4" class=3D"">Dave Tonge</div><div =
style=3D"font-size:0.8125em;line-height:1.4" class=3D"">CTO</div><div =
style=3D"font-size:0.8125em;line-height:1.4;margin:0px" class=3D""><a =
href=3D"http://www.google.com/url?q=3Dhttp%3A%2F%2Fmoneyhubenterprise.com%=
2F&amp;sa=3DD&amp;sntz=3D1&amp;usg=3DAFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A" =
style=3D"color:rgb(131,94,165)" target=3D"_blank" class=3D""><img =
alt=3D"Moneyhub Enterprise" height=3D"50" =
src=3D"http://content.moneyhub.co.uk/images/teal_Moneyhub-Ent_logo_200x50.=
png" title=3D"Moneyhub Enterprise" width=3D"200" style=3D"border: none; =
padding: 0px; border-radius: 2px; margin: 7px;" class=3D""></a></div><div =
style=3D"padding:8px 0px" class=3D""><div style=3D"padding:8px 0px" =
class=3D""><div style=3D"letter-spacing:normal;line-height:normal" =
class=3D""><div style=3D"padding:8px 0px" class=3D""><span =
style=3D"font-size:11px;line-height:15.925px;color:rgb(0,164,183);font-wei=
ght:bold" class=3D"">t:&nbsp;</span><span =
style=3D"font-size:11px;line-height:15.925px" class=3D"">+44 (0)117 280 =
5120</span><br class=3D""></div></div><div =
style=3D"letter-spacing:normal;line-height:normal" class=3D""><span =
style=3D"font-size:11px;line-height:15.925px" class=3D""><br =
class=3D""></span></div><div =
style=3D"color:rgb(97,97,97);font-family:&quot;Open =
Sans&quot;;letter-spacing:normal" class=3D""><div =
style=3D"line-height:1.4" class=3D""><span =
style=3D"color:rgb(51,51,51);font-family:lato,&quot;open =
sans&quot;,arial,sans-serif;font-size:0.75em" class=3D"">Moneyhub =
Enterprise is a trading style of Moneyhub Financial Technology Limited =
which is authorised and regulated by the Financial Conduct Authority =
("FCA").&nbsp;Moneyhub Financial Technology is entered on the Financial =
Services Register&nbsp;</span><span =
style=3D"color:rgb(51,51,51);font-family:lato,&quot;open =
sans&quot;,arial,sans-serif;font-size:0.75em;background-color:transparent"=
 class=3D"">(FRN&nbsp;</span><span =
style=3D"color:rgb(0,164,183);font-family:lato,&quot;open =
sans&quot;,arial,sans-serif;font-size:10.5px;font-weight:700" =
class=3D"">809360</span><span =
style=3D"color:rgb(51,51,51);font-family:lato,&quot;open =
sans&quot;,arial,sans-serif;background-color:transparent;font-size:0.75em"=
 class=3D"">) at <a href=3D"http://fca.org.uk/register" target=3D"_blank" =
class=3D"">fca.org.uk/register</a>. M</span><span =
style=3D"color:rgb(51,51,51);font-family:lato,&quot;open =
sans&quot;,arial,sans-serif;background-color:transparent;font-size:10.5px"=
 class=3D"">oneyhub</span><span =
style=3D"color:rgb(51,51,51);font-family:lato,&quot;open =
sans&quot;,arial,sans-serif;background-color:transparent;font-size:0.75em"=
 class=3D"">&nbsp;Financial Technology is registered in England &amp; =
Wales, company registration number&nbsp;</span><span =
style=3D"color:rgb(51,51,51);font-family:lato,&quot;open =
sans&quot;,arial,sans-serif;background-color:transparent;font-size:0.75em"=
 class=3D"">&nbsp;</span><span =
style=3D"font-weight:bold;color:rgb(0,164,183);font-family:lato,&quot;open=
 =
sans&quot;,arial,sans-serif;background-color:transparent;font-size:0.75em"=
 class=3D"">06909772</span><span style=3D"background-color:transparent" =
class=3D""><font color=3D"#333333" face=3D"lato, open sans, arial, =
sans-serif" class=3D""><span style=3D"font-size:0.75em" =
class=3D"">&nbsp;.</span></font></span></div><div =
style=3D"font-family:lato,&quot;open =
sans&quot;,arial,sans-serif;color:rgb(51,51,51);line-height:1.4" =
class=3D""><span style=3D"background-color:transparent;font-size:10.5px" =
class=3D"">Moneyhub</span><span =
style=3D"background-color:transparent;font-size:0.75em" =
class=3D"">&nbsp;Financial Technology Limited 2018&nbsp;</span><span =
style=3D"background-color:transparent;color:rgb(34,34,34);font-family:aria=
l,sans-serif;font-size:x-small" class=3D"">=C2=A9</span></div><div =
style=3D"font-family:lato,&quot;open =
sans&quot;,arial,sans-serif;color:rgb(51,51,51);line-height:1.4" =
class=3D""><span style=3D"background-color:transparent;font-size:0.75em" =
class=3D""><br class=3D""></span></div><div =
style=3D"font-family:lato,&quot;open =
sans&quot;,arial,sans-serif;color:rgb(51,51,51);line-height:1.4" =
class=3D""><span =
style=3D"background-color:transparent;font-size:0.75em;color:rgb(136,136,1=
36)" class=3D"">DISCLAIMER: This email (including any attachments) is =
subject to copyright, and the information in it is confidential. Use of =
this email or of any information in it other than by the addressee is =
unauthorised and unlawful. Whilst reasonable efforts are made to ensure =
that any attachments are virus-free, it is the recipient's sole =
responsibility to scan all attachments for viruses. All calls and emails =
to and from this company may be monitored and recorded for legitimate =
purposes relating to this company's business. Any opinions expressed in =
this email (or in any attachments) are those of the author and do not =
necessarily represent the opinions of Moneyhub Financial Technology =
Limited or of any other group =
company.</span></div></div></div></div></div></div></div></div></div></div=
></div></div></div></div></div></div></div></div>

<br class=3D""><p dir=3D"ltr" style=3D"font-weight:bold" class=3D""><font =
face=3D"Arial" color=3D"#808080" size=3D"1" class=3D"">Moneyhub =
Enterprise is a trading style of Moneyhub Financial Technology Limited =
which is authorised and regulated by the Financial Conduct Authority =
("FCA"). Moneyhub Financial Technology is entered on the Financial =
Services Register (FRN 809360) at <a href=3D"https://register.fca.org.uk/"=
 target=3D"_blank" class=3D""><span =
class=3D"">https://register.fca.org.uk/</span></a>. Moneyhub Financial =
Technology is registered in England &amp; Wales, company registration =
number 06909772. Moneyhub Financial Technology Limited 2022 =C2=A9 =
Moneyhub Enterprise,&nbsp;</font></p><p dir=3D"ltr" =
style=3D"font-weight:bold" class=3D""><span =
style=3D"color:rgb(128,128,128);font-family:Arial;font-weight:400" =
class=3D""><font size=3D"1" class=3D"">DISCLAIMER: This email (including =
any attachments) is subject to copyright, and the information in it is =
confidential. Use of this email or of any information in it other than =
by the addressee is unauthorised and unlawful. Whilst reasonable efforts =
are made to ensure that any attachments are virus-free, it is the =
recipient's sole responsibility to scan all attachments for viruses. All =
calls and emails to and from this company may be monitored and recorded =
for legitimate purposes relating to this company's business. Any =
opinions expressed in this email (or in any attachments) are those of =
the author and do not necessarily represent the opinions of Moneyhub =
Financial Technology Limited or of any other group =
company.</font></span></p><br =
class=3D"">_______________________________________________<br class=3D"">
OAuth mailing list<br class=3D"">
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a><br class=3D"">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer"=
 target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><br class=3D"">
</blockquote></div><br clear=3D"all" class=3D""><div class=3D""><br =
class=3D""></div>-- <br class=3D""><div dir=3D"ltr" =
class=3D"gmail_signature"><div dir=3D"ltr" class=3D""><div class=3D""><div=
 dir=3D"ltr" class=3D""><div style=3D"color:rgb(80,0,80)" class=3D""><span=
 style=3D"color:rgb(34,34,34)" class=3D"">Kind regards</span><br =
class=3D""></div><div style=3D"color:rgb(80,0,80)" class=3D""><span =
style=3D"color:rgb(34,34,34)" class=3D""><br class=3D""></span></div><div =
style=3D"color:rgb(80,0,80)" class=3D""><div style=3D"color:rgb(34,34,34)"=
 class=3D"">Steinar Noem</div><div style=3D"color:rgb(34,34,34)" =
class=3D"">Partner Udelt AS</div><div style=3D"color:rgb(34,34,34)" =
class=3D"">Systems developer</div><div style=3D"color:rgb(34,34,34)" =
class=3D"">&nbsp;</div><div style=3D"color:rgb(34,34,34)" =
class=3D"">|&nbsp;<a href=3D"mailto:steinar@udelt.no" =
style=3D"color:rgb(17,85,204)" target=3D"_blank" class=3D""><span =
style=3D"color:rgb(34,34,34);background:rgb(255,255,204)" =
class=3D"">steinar@udelt.no</span></a>&nbsp;|&nbsp;<a =
href=3D"mailto:hei@udelt.no" style=3D"color:rgb(17,85,204)" =
target=3D"_blank" class=3D"">hei@udelt.no</a>&nbsp;&nbsp;|&nbsp;<a =
class=3D"">+47 955 21 620</a>&nbsp;|&nbsp;<a href=3D"http://www.udelt.no/"=
 style=3D"color:rgb(17,85,204)" target=3D"_blank" =
class=3D"">www.udelt.no</a>&nbsp;|&nbsp;</div></div></div></div></div></di=
v>
_______________________________________________<br class=3D"">OAuth =
mailing list<br class=3D""><a href=3D"mailto:OAuth@ietf.org" =
class=3D"">OAuth@ietf.org</a><br =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth<br =
class=3D""></div></blockquote></div><br class=3D""></body></html>=

--Apple-Mail=_C39B3047-2E2A-4BE7-9CA9-BB084660A075--


From nobody Wed Mar 30 05:12:20 2022
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BAF73A116E for <oauth@ietfa.amsl.com>; Wed, 30 Mar 2022 05:12:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.517
X-Spam-Level: 
X-Spam-Status: No, score=-1.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, WORD_INVIS=0.581] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kgnut9geohUM for <oauth@ietfa.amsl.com>; Wed, 30 Mar 2022 05:12:13 -0700 (PDT)
Received: from mail-yw1-x1133.google.com (mail-yw1-x1133.google.com [IPv6:2607:f8b0:4864:20::1133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CECE3A1169 for <oauth@ietf.org>; Wed, 30 Mar 2022 05:12:13 -0700 (PDT)
Received: by mail-yw1-x1133.google.com with SMTP id 00721157ae682-2e5e31c34bfso217039297b3.10 for <oauth@ietf.org>; Wed, 30 Mar 2022 05:12:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PRQ4CVqYH0dPNVfZvk8+Kna/o6GVfNCiGcQbWwnEiK8=; b=i7jTTZVYJjcU6bU3FOBmZRJAKNTQmgvJidkVI1/hYYvLlFZt3i27beCfHwE5UGL5/Q lGtJyfrZpHDq0yxx+7YhoKTWIXzcBA0jgyQsyNwUqdTSXvffUlBKGXRVA+rsDG4W73yb zK4LokdEX7MaBa5nHDANL87//b1Ir4smufVXjBInfyz7Y+lhh+Bqt28Gkpkq4wQZL0Nn nShtn4mRLdGdT4oVFYWWydE0dGdfQOxrCKew3FhEoOxwoQfcaWvf1HqZcWgRcsBqbbaw ssBZy/GmyBeqaQIo9JEj0dslOV4zm02Fz4gCtl8GYcJbgmlSl66hs5xQIK++341lQTUx 8dHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PRQ4CVqYH0dPNVfZvk8+Kna/o6GVfNCiGcQbWwnEiK8=; b=NFjT4/73vV+20QB5LHHvgvEJpmQaGI4piW0azP4jGODhr5GKTPRpHjROCNAlu0KUoP KMb4Qh+DFSzIR51+92XmycHFF04kNWsBvfVM2S/YLbwvzVW9WLhGtWtGTojJFT3TtWTZ 78oMikDY8IQt1Y6NszgxtGLK849tayhbL4F89D/+lwf5RH1hwtGbLWALpdbrjztCJxf8 /3IZjxboIivXYYrg5FqkgbElMXcv/JdKYkymVF3BzhLz2oMyp2wDWpHivOs4awXGsu3/ pRdRCvH5H/bl8CvXZxBth8pYh2z71LuWNy6KCBDQiEhhoaAJ/gNEFSYQYDOhlnmzD++f 5BBg==
X-Gm-Message-State: AOAM532T7/81kDsiex+10+P6K8Slqr3F5v251kd0BJhx2HSbXpcozIPM owi9RPm8FrPw2Qvg7NuTVJdbyAPJK2T4BPdfbRiN3rgi+AaLBcE=
X-Google-Smtp-Source: ABdhPJzX20BH6CJ7hJ6um0B7UTLhVhnBzFA5V8D9xDDykWbB9BeOs6iwwETnf3GMVegDZWMA3LlyiAE47Z6qj7NzfF0=
X-Received: by 2002:a81:34d5:0:b0:2ea:6d46:9100 with SMTP id b204-20020a8134d5000000b002ea6d469100mr15967569ywa.18.1648642332342; Wed, 30 Mar 2022 05:12:12 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <SJ0PR00MB10058BB56F497FDEF5606314F51E9@SJ0PR00MB1005.namprd00.prod.outlook.com> <37A689BA-6662-4D39-8031-283AC019BC5F@alkaline-solutions.com> <5b19e3f1-e2b7-a959-dc85-5de00f6833d2@danielfett.de> <CAP-T6TTHsbBpXyqSwtCeAEt7fU_kiybb8UZqF=E3ra2g0LpGow@mail.gmail.com> <CAHsNOKfTFgO5s79gHFARqK0x_UVa_n7BC9VvY-dtUx48=wetdw@mail.gmail.com> <D7F1E96F-929B-4FED-AF4B-CD2777606F43@lodderstedt.net>
In-Reply-To: <D7F1E96F-929B-4FED-AF4B-CD2777606F43@lodderstedt.net>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 30 Mar 2022 14:12:01 +0200
Message-ID: <CAJot-L3k-0kwP2odTLkiHAcW6YoCPg6UYNZ3+UwuyhrnaRozGw@mail.gmail.com>
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
Cc: Steinar Noem <steinar@udelt.no>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000094cea405db6e7433"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uhctptWQDTRZ_IA3iZVts3Jm5Co>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 12:12:18 -0000

--00000000000094cea405db6e7433
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I support publication.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Wed, Mar 30, 2022 at 2:08 PM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:

> I support publication of this specification.
>
> On 30.03.2022 at 09:18, Steinar Noem <steinar@udelt.no> wrote:
>
> I support publication of the specification
>
> Wed. 30 Mar 2022 at 08:56, Dave Tonge <dave.tonge@momentumft.co.uk> wrote:
>
>> I support publication of the specification
>>
>> On Wed, 30 Mar 2022 at 08:55, Daniel Fett <fett@danielfett.de> wrote:
>>
>>> I also support publication.
>>>
>>> -Daniel
>>> On 29.03.22 at 23:20, David Waite wrote:
>>>
>>> I also support publication of this specification
>>>
>>> -DW
>>>
>>> On Mar 29, 2022, at 3:12 PM, Mike Jones <
>>> Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>>>
>>> I support publication of the specification.
>>>
>>>                                                        -- Mike
>>>
>>> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Rifaat Shekh-Yusef
>>> *Sent:* Monday, March 28, 2022 5:01 AM
>>> *To:* oauth <oauth@ietf.org>
>>> *Subject:* [OAUTH-WG] WGLC for DPoP Document
>>>
>>> All,
>>>
>>> As discussed during the IETF meeting in *Vienna* last week, this is a *WG
>>> Last Call *for the *DPoP* document:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>>
>>> Please, provide your feedback on the mailing list by April 11th.
>>>
>>> Regards,
>>>  Rifaat & Hannes
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> -- https://danielfett.de
>>
>>
>> --
>> Dave Tonge
>> CTO
>> [image: Moneyhub Enterprise]
>> <http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
>> t: +44 (0)117 280 5120
>>
>> Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
>> Limited which is authorised and regulated by the Financial Conduct
>> Authority ("FCA"). Moneyhub Financial Technology is entered on the
>> Financial Services Register (FRN 809360) at fca.org.uk/register. Moneyhub Financial
>> Technology is registered in England & Wales, company registration number
>> 06909772.
>> Moneyhub Financial Technology Limited 2018 ©
>>
>> DISCLAIMER: This email (including any attachments) is subject to
>> copyright, and the information in it is confidential. Use of this email or
>> of any information in it other than by the addressee is unauthorised and
>> unlawful. Whilst reasonable efforts are made to ensure that any attachments
>> are virus-free, it is the recipient's sole responsibility to scan all
>> attachments for viruses. All calls and emails to and from this company may
>> be monitored and recorded for legitimate purposes relating to this
>> company's business. Any opinions expressed in this email (or in any
>> attachments) are those of the author and do not necessarily represent the
>> opinions of Moneyhub Financial Technology Limited or of any other group
>> company.
>>
>> Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
>> Limited which is authorised and regulated by the Financial Conduct
>> Authority ("FCA"). Moneyhub Financial Technology is entered on the
>> Financial Services Register (FRN 809360) at https://register.fca.org.uk/.
>> Moneyhub Financial Technology is registered in England & Wales, company
>> registration number 06909772. Moneyhub Financial Technology Limited 2022 ©
>> Moneyhub Enterprise,
>>
>> DISCLAIMER: This email (including any attachments) is subject to
>> copyright, and the information in it is confidential. Use of this email or
>> of any information in it other than by the addressee is unauthorised and
>> unlawful. Whilst reasonable efforts are made to ensure that any attachments
>> are virus-free, it is the recipient's sole responsibility to scan all
>> attachments for viruses. All calls and emails to and from this company may
>> be monitored and recorded for legitimate purposes relating to this
>> company's business. Any opinions expressed in this email (or in any
>> attachments) are those of the author and do not necessarily represent the
>> opinions of Moneyhub Financial Technology Limited or of any other group
>> company.
>
>
> --
> Kind regards
>
> Steinar Noem
> Partner Udelt AS
> Systems developer
>
> | steinar@udelt.no | hei@udelt.no  | +47 955 21 620 | www.udelt.no |

--00000000000094cea405db6e7433
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">I support publication.<div><br clear=3D"all"><div><div dir=
=3D"ltr" class=3D"gmail_signature" data-smartmail=3D"gmail_signature"><div =
dir=3D"ltr"><table style=3D"border:none;border-collapse:collapse"><colgroup=
><col width=3D"214"><col width=3D"110"></colgroup><tbody><tr style=3D"heigh=
t:0pt"><td style=3D"border-left:solid #ffffff 1pt;border-right:solid #ccccc=
c 1pt;border-bottom:solid #ffffff 1pt;border-top:solid #ffffff 1pt;vertical=
-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden"><p dir=3D"ltr" style=3D=
"line-height:1.2;border-left:solid #ffffff 1pt;border-right:solid #ffffff 1=
pt;border-top:solid #ffffff 1pt;border-bottom:solid #ffffff 1pt;margin-top:=
0pt;margin-bottom:0pt"><span style=3D"font-size:11pt;font-family:Arial;colo=
r:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-spa=
ce:pre-wrap"><span style=3D"border:none;display:inline-block;overflow:hidde=
n;width:199px;height:34px"><img src=3D"https://lh6.googleusercontent.com/DN=
iDx1QGIrSqMPKDN1oKevxYuyVRXsqhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBha=
ZJg1BO45YOc1xs6r9KJ1fYsNHogY-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA" width=3D"199" h=
eight=3D"34" style=3D"margin-left:0px;margin-top:0px"></span></span></p></t=
d><td style=3D"border-left:solid #cccccc 1pt;border-right:solid #ffffff 1pt=
;border-bottom:solid #ffffff 1pt;border-top:solid #ffffff 1pt;vertical-alig=
n:top;padding:5pt 5pt 5pt 5pt;overflow:hidden"><p dir=3D"ltr" style=3D"line=
-height:1.2;border-left:solid #ffffff 1pt;border-right:solid #ffffff 1pt;bo=
rder-top:solid #ffffff 1pt;margin-top:0pt;margin-bottom:0pt"><span style=3D=
"font-size:11pt;font-family:Lato,sans-serif;background-color:transparent;fo=
nt-weight:700;vertical-align:baseline;white-space:pre-wrap">Warren Parad</s=
pan></p><p dir=3D"ltr" style=3D"line-height:1.2;border-left:solid #ffffff 1=
pt;border-right:solid #ffffff 1pt;border-bottom:solid #ffffff 1pt;margin-to=
p:0pt;margin-bottom:0pt"><font face=3D"Lato, sans-serif"><span style=3D"fon=
t-size:13.3333px;white-space:pre-wrap">Founder, CTO</span></font></p></td><=
/tr></tbody></table><span style=3D"font-size:x-small">Secure your user data=
 with IAM authorization as a service. Implement=C2=A0</span><a href=3D"http=
s://authress.io/" style=3D"font-size:x-small" target=3D"_blank">Authress</a=
><span style=3D"font-size:x-small">.</span><br></div></div></div><br></div>=
</div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">=
On Wed, Mar 30, 2022 at 2:08 PM Torsten Lodderstedt &lt;torsten=3D<a href=
=3D"mailto:40lodderstedt.net@dmarc.ietf.org">40lodderstedt.net@dmarc.ietf.o=
rg</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margi=
n:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex=
"><div style=3D"overflow-wrap: break-word;">I support publication of this s=
pecification.=C2=A0<br><div><br><blockquote type=3D"cite"><div>On 30.03.20=
22 at 09:18 Steinar Noem &lt;<a href=3D"mailto:steinar@udelt.no" tar=
get=3D"_blank">steinar@udelt.no</a>&gt; wrote:</div><br><div><div =
dir=3D"ltr">I s=
upport publication of the specification</div><br><div class=3D"gmail_quote"=
><div dir=3D"ltr" class=3D"gmail_attr">Wed. 30 Mar 2022 at 08:56 Dave =
Tonge &lt;<a href=3D"mailto:dave.tonge@momentumft.co.uk" target=3D"_bla=
nk">dave.tonge@momentumft.co.uk</a>&gt; wrote:<br></div><blockquote =
class=3D"gmai=
l_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,20=
4,204);padding-left:1ex"><div dir=3D"ltr"><div class=3D"gmail_default" styl=
e=3D"font-family:&quot;trebuchet ms&quot;,sans-serif">I support publication=
 of the specification</div></div><br><div class=3D"gmail_quote"><div dir=3D=
"ltr" class=3D"gmail_attr">On Wed, 30 Mar 2022 at 08:55, Daniel Fett &lt;<a=
 href=3D"mailto:fett@danielfett.de" target=3D"_blank">fett@danielfett.de</a=
>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px=
 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
 =20
   =20
 =20
  <div><p>I also support publication.</p><p>-Daniel<br>
    </p>
    <div>On 29.03.22 at 23:20 David
      Waite wrote:<br>
    </div>
    <blockquote type=3D"cite">
     =20
      I also support publication of this specification
      <div><br>
      </div>
      <div>-DW<br>
        <div><br>
          <blockquote type=3D"cite">
            <div>On Mar 29, 2022, at 3:12 PM, Mike Jones &lt;<a href=3D"mai=
lto:Michael.Jones=3D40microsoft.com@dmarc.ietf.org" target=3D"_blank">Micha=
el.Jones=3D40microsoft.com@dmarc.ietf.org</a>&gt;
              wrote:</div>
            <br>
            <div>
             =20
              <div style=3D"font-family:Helvetica;font-size:12px;font-style=
:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text=
-align:start;text-indent:0px;text-transform:none;white-space:normal;word-sp=
acing:0px;text-decoration:none">
                <div style=3D"margin:0in;font-size:11pt;font-family:Calibri=
,sans-serif">I support publication
                  of the specification.<u></u><u></u></div>
                <div style=3D"margin:0in;font-size:11pt;font-family:Calibri=
,sans-serif"><u></u>=C2=A0<u></u></div>
                <div style=3D"margin:0in;font-size:11pt;font-family:Calibri=
,sans-serif">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0
                  -- Mike<u></u><u></u></div>
                <div style=3D"margin:0in;font-size:11pt;font-family:Calibri=
,sans-serif"><u></u>=C2=A0<u></u></div>
                <div style=3D"border-style:solid none none;border-top-width=
:1pt;border-top-color:rgb(225,225,225);padding:3pt 0in 0in">
                  <div style=3D"margin:0in;font-size:11pt;font-family:Calib=
ri,sans-serif"><b>From:</b><span>=C2=A0</span>OAuth &lt;<a href=3D"mailto:o=
auth-bounces@ietf.org" target=3D"_blank">oauth-bounces@ietf.org</a>&gt;<spa=
n>=C2=A0</span><b>On
                      Behalf Of<span>=C2=A0</span></b>Rifaat
                    Shekh-Yusef<br>
                    <b>Sent:</b><span>=C2=A0</span>Monday,
                    March 28, 2022 5:01 AM<br>
                    <b>To:</b><span>=C2=A0</span>oauth &lt;<a href=3D"mailt=
o:oauth@ietf.org" target=3D"_blank">oauth@ietf.org</a>&gt;<br>
                    <b>Subject:</b><span>=C2=A0</span>[OAUTH-WG]
                    WGLC for DPoP Document<u></u><u></u></div>
                </div>
                <div style=3D"margin:0in;font-size:11pt;font-family:Calibri=
,sans-serif"><u></u>=C2=A0<u></u></div>
                <div>
                  <div style=3D"margin:0in;font-size:11pt;font-family:Calib=
ri,sans-serif">All,<br>
                    <br>
                    As discussed during the IETF meeting in<span>=C2=A0</sp=
an><b>Vienna</b><span>=C2=A0</span>last week,
                    this is a<span>=C2=A0</span><b>WG Last Call<span>=C2=A0=
</span></b>for
                    the=C2=A0<b>DPoP</b><span>=C2=A0</span>document:<br>
                    <a href=3D"https://datatracker.ietf.org/doc/draft-ietf-=
oauth-dpop/" style=3D"color:blue;text-decoration:underline" target=3D"_blan=
k">https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/</a><br>
                    <br>
                    Please, provide your feedback on the mailing list by
                    April 11th.<br>
                    <br>
                    Regards,<br>
                    =C2=A0Rifaat &amp; Hannes<u></u><u></u></div>
                  <div>
                    <div style=3D"margin:0in;font-size:11pt;font-family:Cal=
ibri,sans-serif"><u></u>=C2=A0<u></u></div>
                  </div>
                </div>
              </div>
              <span style=3D"font-family:Helvetica;font-size:12px;font-styl=
e:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;tex=
t-align:start;text-indent:0px;text-transform:none;white-space:normal;word-s=
pacing:0px;text-decoration:none;float:none;display:inline">________________=
_______________________________</span><br style=3D"font-family:Helvetica;fo=
nt-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;let=
ter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;whi=
te-space:normal;word-spacing:0px;text-decoration:none">
              <span style=3D"font-family:Helvetica;font-size:12px;font-styl=
e:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;tex=
t-align:start;text-indent:0px;text-transform:none;white-space:normal;word-s=
pacing:0px;text-decoration:none;float:none;display:inline">OAuth mailing li=
st</span><br style=3D"font-family:Helvetica;font-size:12px;font-style:norma=
l;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align=
:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:=
0px;text-decoration:none">
              <span style=3D"font-family:Helvetica;font-size:12px;font-styl=
e:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;tex=
t-align:start;text-indent:0px;text-transform:none;white-space:normal;word-s=
pacing:0px;text-decoration:none;float:none;display:inline"><a href=3D"mailt=
o:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a></span><br style=3D"f=
ont-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:nor=
mal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;=
text-transform:none;white-space:normal;word-spacing:0px;text-decoration:non=
e">
              <span style=3D"font-family:Helvetica;font-size:12px;font-styl=
e:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;tex=
t-align:start;text-indent:0px;text-transform:none;white-space:normal;word-s=
pacing:0px;text-decoration:none;float:none;display:inline"><a href=3D"https=
://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">https://www.ietf.=
org/mailman/listinfo/oauth</a></span></div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <fieldset></fieldset>
      <pre>_______________________________________________
OAuth mailing list
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">h=
ttps://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <pre cols=3D"72">--=20
<a href=3D"https://danielfett.de/" target=3D"_blank">https://danielfett.de<=
/a></pre>
  </div>

_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"=
><div dir=3D"ltr"><div><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><=
div dir=3D"ltr"><div dir=3D"ltr"><div style=3D"font-size:1em;font-weight:bo=
ld;line-height:1.4"><div style=3D"color:rgb(97,97,97);font-family:&quot;Ope=
n Sans&quot;;font-size:14px;font-weight:normal;line-height:21px"><div style=
=3D"font-family:Arial,Helvetica,sans-serif;font-size:0.925em;line-height:1.=
4;color:rgb(220,41,30);font-weight:bold"><div style=3D"font-size:14px;font-=
weight:normal;color:rgb(51,51,51);font-family:lato,&quot;open sans&quot;,ar=
ial,sans-serif;line-height:normal"><div style=3D"color:rgb(0,164,183);font-=
weight:bold;font-size:1em;line-height:1.4"><div style=3D"font-weight:400;co=
lor:rgb(51,51,51);line-height:normal"><div style=3D"color:rgb(0,164,183);fo=
nt-weight:bold;font-size:1em;line-height:1.4">Dave Tonge</div><div style=3D=
"font-size:0.8125em;line-height:1.4">CTO</div><div style=3D"font-size:0.812=
5em;line-height:1.4;margin:0px"><a href=3D"http://www.google.com/url?q=3Dht=
tp%3A%2F%2Fmoneyhubenterprise.com%2F&amp;sa=3DD&amp;sntz=3D1&amp;usg=3DAFQj=
CNGUnR5opJv5S1uZOVg8aISwPKAv3A" style=3D"color:rgb(131,94,165)" target=3D"_=
blank"><img alt=3D"Moneyhub Enterprise" height=3D"50" src=3D"http://content=
.moneyhub.co.uk/images/teal_Moneyhub-Ent_logo_200x50.png" title=3D"Moneyhub=
 Enterprise" width=3D"200" style=3D"border: none; padding: 0px; border-radi=
us: 2px; margin: 7px;"></a></div><div style=3D"padding:8px 0px"><div style=
=3D"padding:8px 0px"><div style=3D"letter-spacing:normal;line-height:normal=
"><div style=3D"padding:8px 0px"><span style=3D"font-size:11px;line-height:=
15.925px;color:rgb(0,164,183);font-weight:bold">t:=C2=A0</span><span style=
=3D"font-size:11px;line-height:15.925px">+44 (0)117 280 5120</span><br></di=
v></div><div style=3D"letter-spacing:normal;line-height:normal"><span style=
=3D"font-size:11px;line-height:15.925px"><br></span></div><div style=3D"col=
or:rgb(97,97,97);font-family:&quot;Open Sans&quot;;letter-spacing:normal"><=
div style=3D"line-height:1.4"><span style=3D"color:rgb(51,51,51);font-famil=
y:lato,&quot;open sans&quot;,arial,sans-serif;font-size:0.75em">Moneyhub En=
terprise is a trading style of Moneyhub Financial Technology Limited which =
is authorised and regulated by the Financial Conduct Authority (&quot;FCA&q=
uot;).=C2=A0Moneyhub Financial Technology is entered on the Financial Servi=
ces Register=C2=A0</span><span style=3D"color:rgb(51,51,51);font-family:lat=
o,&quot;open sans&quot;,arial,sans-serif;font-size:0.75em;background-color:=
transparent">(FRN=C2=A0</span><span style=3D"color:rgb(0,164,183);font-fami=
ly:lato,&quot;open sans&quot;,arial,sans-serif;font-size:10.5px;font-weight=
:700">809360</span><span style=3D"color:rgb(51,51,51);font-family:lato,&quo=
t;open sans&quot;,arial,sans-serif;background-color:transparent;font-size:0=
.75em">) at <a href=3D"http://fca.org.uk/register" target=3D"_blank">fca.or=
g.uk/register</a>. M</span><span style=3D"color:rgb(51,51,51);font-family:l=
ato,&quot;open sans&quot;,arial,sans-serif;background-color:transparent;fon=
t-size:10.5px">oneyhub</span><span style=3D"color:rgb(51,51,51);font-family=
:lato,&quot;open sans&quot;,arial,sans-serif;background-color:transparent;f=
ont-size:0.75em">=C2=A0Financial Technology is registered in England &amp; =
Wales, company registration number=C2=A0</span><span style=3D"color:rgb(51,=
51,51);font-family:lato,&quot;open sans&quot;,arial,sans-serif;background-c=
olor:transparent;font-size:0.75em">=C2=A0</span><span style=3D"font-weight:=
bold;color:rgb(0,164,183);font-family:lato,&quot;open sans&quot;,arial,sans=
-serif;background-color:transparent;font-size:0.75em">06909772</span><span =
style=3D"background-color:transparent"><font color=3D"#333333" face=3D"lato=
, open sans, arial, sans-serif"><span style=3D"font-size:0.75em">=C2=A0.</s=
pan></font></span></div><div style=3D"font-family:lato,&quot;open sans&quot=
;,arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style=3D"back=
ground-color:transparent;font-size:10.5px">Moneyhub</span><span style=3D"ba=
ckground-color:transparent;font-size:0.75em">=C2=A0Financial Technology Lim=
ited 2018=C2=A0</span><span style=3D"background-color:transparent;color:rgb=
(34,34,34);font-family:arial,sans-serif;font-size:x-small">=C2=A9</span></d=
iv><div style=3D"font-family:lato,&quot;open sans&quot;,arial,sans-serif;co=
lor:rgb(51,51,51);line-height:1.4"><span style=3D"background-color:transpar=
ent;font-size:0.75em"><br></span></div><div style=3D"font-family:lato,&quot=
;open sans&quot;,arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><spa=
n style=3D"background-color:transparent;font-size:0.75em;color:rgb(136,136,=
136)">DISCLAIMER: This email (including any attachments) is subject to copy=
right, and the information in it is confidential. Use of this email or of a=
ny information in it other than by the addressee is unauthorised and unlawf=
ul. Whilst reasonable efforts are made to ensure that any attachments are v=
irus-free, it is the recipient&#39;s sole responsibility to scan all attach=
ments for viruses. All calls and emails to and from this company may be mon=
itored and recorded for legitimate purposes relating to this company&#39;s =
business. Any opinions expressed in this email (or in any attachments) are =
those of the author and do not necessarily represent the opinions of Moneyh=
ub Financial Technology Limited or of any other group company.</span></div>=
</div></div></div></div></div></div></div></div></div></div></div></div></d=
iv></div></div></div></div>

<br><p dir=3D"ltr" style=3D"font-weight:bold"><font face=3D"Arial" color=3D=
"#808080" size=3D"1">Moneyhub Enterprise is a trading style of Moneyhub Fin=
ancial Technology Limited which is authorised and regulated by the Financia=
l Conduct Authority (&quot;FCA&quot;). Moneyhub Financial Technology is ent=
ered on the Financial Services Register (FRN 809360) at <a href=3D"https://=
register.fca.org.uk/" target=3D"_blank"><span>https://register.fca.org.uk/<=
/span></a>. Moneyhub Financial Technology is registered in England &amp; Wa=
les, company registration number 06909772. Moneyhub Financial Technology Li=
mited 2022 =C2=A9 Moneyhub Enterprise,=C2=A0</font></p><p dir=3D"ltr" style=
=3D"font-weight:bold"><span style=3D"color:rgb(128,128,128);font-family:Ari=
al;font-weight:400"><font size=3D"1">DISCLAIMER: This email (including any =
attachments) is subject to copyright, and the information in it is confiden=
tial. Use of this email or of any information in it other than by the addre=
ssee is unauthorised and unlawful. Whilst reasonable efforts are made to en=
sure that any attachments are virus-free, it is the recipient&#39;s sole re=
sponsibility to scan all attachments for viruses. All calls and emails to a=
nd from this company may be monitored and recorded for legitimate purposes =
relating to this company&#39;s business. Any opinions expressed in this ema=
il (or in any attachments) are those of the author and do not necessarily r=
epresent the opinions of Moneyhub Financial Technology Limited or of any ot=
her group company.</font></span></p><br>___________________________________=
____________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"=
><div dir=3D"ltr"><div><div dir=3D"ltr"><div style=3D"color:rgb(80,0,80)"><=
span style=3D"color:rgb(34,34,34)">Vennlig hilsen</span><br></div><div styl=
e=3D"color:rgb(80,0,80)"><span style=3D"color:rgb(34,34,34)"><br></span></d=
iv><div style=3D"color:rgb(80,0,80)"><div style=3D"color:rgb(34,34,34)">Ste=
inar Noem</div><div style=3D"color:rgb(34,34,34)">Partner Udelt AS</div><di=
v style=3D"color:rgb(34,34,34)">Systemutvikler</div><div style=3D"color:rgb=
(34,34,34)">=C2=A0</div><div style=3D"color:rgb(34,34,34)">|=C2=A0<a href=
=3D"mailto:steinar@udelt.no" style=3D"color:rgb(17,85,204)" target=3D"_blan=
k"><span style=3D"color:rgb(34,34,34);background:rgb(255,255,204)">steinar@=
udelt.no</span></a>=C2=A0|=C2=A0<a href=3D"mailto:hei@udelt.no" style=3D"co=
lor:rgb(17,85,204)" target=3D"_blank">hei@udelt.no</a>=C2=A0=C2=A0|=C2=A0<a=
>+47 955 21 620</a>=C2=A0|=C2=A0<a href=3D"http://www.udelt.no/" style=3D"c=
olor:rgb(17,85,204)" target=3D"_blank">www.udelt.no</a>=C2=A0|=C2=A0</div><=
/div></div></div></div></div>
_______________________________________________<br>OAuth mailing list<br><a=
 href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">http=
s://www.ietf.org/mailman/listinfo/oauth</a><br></div></blockquote></div><br=
></div>_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div>

--00000000000094cea405db6e7433--


From nobody Wed Mar 30 05:21:14 2022
Return-Path: <johannes.koch@avenga.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 481893A1220 for <oauth@ietfa.amsl.com>; Wed, 30 Mar 2022 05:21:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level: 
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=avenga.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pyCKigP34FkA for <oauth@ietfa.amsl.com>; Wed, 30 Mar 2022 05:21:04 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C7973A1214 for <oauth@ietf.org>; Wed, 30 Mar 2022 05:21:02 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id c62so24188727edf.5 for <oauth@ietf.org>; Wed, 30 Mar 2022 05:21:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=avenga.com; s=google;  h=mime-version:from:date:message-id:subject:to; bh=Re+XcMXHZdRiJ3l4C72NEvm9VkIIi4yoyZM3iLjS9ic=; b=emUCmOgmIRZeAILugIKgKD10881EK6CWT5VBkno/XUGDJwl7W4lK8nIpVsfGXB5C6d F8Ae6ClXQTgaPjPIW1t9QCAPwFts3kLCv1/og5arcAxbtdJuBhaRQPs9PgIlnrQi4KLk lAEDfOKcr2Cco3cEfFC+yr98iUxg1U2lexb+w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Re+XcMXHZdRiJ3l4C72NEvm9VkIIi4yoyZM3iLjS9ic=; b=LWhb1ywK4ahnyMo3hU7yGe7XjdhQ2YGHawzJPTpdM+AZqpDxbqxq6aPp0o+JjeVdlB 0p28T4UtA8GYNZ8IfQEHA16QCmNDxgj+QgtmxUquJW4uwid1u0nw0HbG9HkcKrcXVLl6 WYZRr/DQ9pW6clrHK1bjEh9gr6k/2sZVNOlb5uitWdSAJD/ojlOtRlfoO9j90jiimI7t m+/xP8S4p2qLo+hGQ2LdgUlnvFbA/q/FTlOai+MInvkVS0iivK5uZfRv0ucddqmH86dQ AXQHT8DBLvC9Pw9ieCwZs/l8+3WV4aOlDi+dw1bqTKeLn5u35SjsRx7Mjm1AdTKNYDy+ jJfg==
X-Gm-Message-State: AOAM533x7UkuqWhAcTHSQH8xYXquXSI9ogiAcrBWNuX3ymkBM4ZdFRxR hrCu+AjXZB39Sw6MULKFonB0HP/MJpkGPw1JHco7owuzn8g3WA==
X-Google-Smtp-Source: ABdhPJx53V8ZOtvZlptGuhLflpFKBnfLsrhLv0V6cs6SAXyzoxyCL4oOt9cRLxlMV7CWuxF0B+97kA2aCQdLZ97inLk=
X-Received: by 2002:a05:6402:1941:b0:413:2822:9c8 with SMTP id f1-20020a056402194100b00413282209c8mr10274657edz.13.1648642860316; Wed, 30 Mar 2022 05:21:00 -0700 (PDT)
MIME-Version: 1.0
From: Johannes Koch <johannes.koch@avenga.com>
Date: Wed, 30 Mar 2022 14:20:49 +0200
Message-ID: <CAGRquTrV15SqwWMT-FP0nmB4hyO7ANeqhqQG5asXwCHdUAKmAg@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000000d112a05db6e9451"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/me7_h5Y5cJXdvauhmMVwKC5KnSQ>
Subject: [OAUTH-WG] OAuth2.1: auth-param in WWW-Authenticate optional?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 12:21:10 -0000

--0000000000000d112a05db6e9451
Content-Type: text/plain; charset="UTF-8"

Hi,

in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05 section
5.2.2:

  All challenges for this token type MUST use the auth-scheme value
  Bearer.  This scheme MUST be followed by one or more auth-param
  values.


Why is at least one auth-param required? It makes

  WWW-Authenticate: Bearer

in response to a request lacking any authentication information (thus not
containing an error auth-param attribute) non-compliant. The optional scope
attribute is not useful in this case. The optional realm attribute may not
be necessary (e.g. if there is only one realm). So to be compliant, you
would have to add a non-meaningful auth-param like foo=bar.

Note: While in rfc2617 challenge was defined as

  challenge   = auth-scheme 1*SP 1#auth-param

(requiring at least one auth-param), rfc7235 does not have this requirement:

  challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

-- 
Johannes Koch

--0000000000000d112a05db6e9451--
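
Added example, not part of Johannes Koch's message, the OAuth 2.1 draft or
RFC 7235: a small parser for the RFC 7235 challenge grammar quoted above.
It accepts the bare "WWW-Authenticate: Bearer" the message asks about and
then reports whether the Bearer challenge carries the auth-param that the
quoted draft text (the same sentence is in RFC 6750 section 3) requires.
It goes beyond the single header in the message by also handling several
comma-separated challenges and a token68 credential, because the shared
comma separator is what makes a bare word after a comma a new scheme rather
than a parameter. The function names and the sample header values are
constructed for this example.

```python
"""Parse WWW-Authenticate challenges with the RFC 7235 grammar and report
whether a Bearer challenge carries at least one auth-param.

Added example, not code from the thread or the OAuth 2.1 draft; function
names and sample header values are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 7230 token / quoted-string and RFC 7235 token68, as regexes.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"
# A bare word is an auth-scheme (token) or a token68; the class below is
# their union and is narrowed once we know which one the position allows.
_WORD = r"[!#$%&'*+\-.^_`|~0-9A-Za-z/]+=*"

# One list element: auth-param, bare word, or the comma separator.
# auth-param is tried first so that realm=x is not consumed as a token68.
_ITEM = re.compile(
    r"[ \t]*(?:"
    rf"(?P<name>{TOKEN})[ \t]*=[ \t]*(?P<value>{TOKEN}|{QUOTED_STRING})"
    rf"|(?P<word>{_WORD})"
    r"|(?P<comma>,)"
    r")"
)


@dataclass
class Challenge:
    scheme: str
    token68: Optional[str] = None
    params: Dict[str, str] = field(default_factory=dict)


def _unquote(value: str) -> str:
    """Strip quoted-string delimiters and resolve quoted-pair escapes."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_www_authenticate(header: str) -> List[Challenge]:
    """Split a WWW-Authenticate field value into challenges.

    Implements  challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
    so a scheme with nothing after it ("Bearer") is a complete challenge.
    Challenges and auth-params share the comma separator, so a bare word
    after a comma starts a new challenge, while a bare word directly after
    a scheme is that scheme's token68.
    """
    challenges: List[Challenge] = []
    current: Optional[Challenge] = None
    after_comma = True  # the start of the list behaves like "after a comma"
    text = header.strip()
    pos = 0
    while pos < len(text):
        m = _ITEM.match(text, pos)
        if m is None:
            raise ValueError(f"unparseable challenge at offset {pos}: {text[pos:]!r}")
        pos = m.end()
        if m.group("comma"):
            after_comma = True
            continue
        word = m.group("word")
        if m.group("name") is not None:
            if current is None:
                raise ValueError("auth-param before any auth-scheme")
            # auth-param names are case-insensitive (RFC 7235 section 2.1)
            current.params[m.group("name").lower()] = _unquote(m.group("value"))
        elif after_comma or current is None:
            if not re.fullmatch(TOKEN, word):
                raise ValueError(f"invalid auth-scheme {word!r}")
            current = Challenge(scheme=word)
            challenges.append(current)
        elif current.token68 is None and not current.params and re.fullmatch(TOKEN68, word):
            current.token68 = word
        else:
            raise ValueError(f"unexpected {word!r} in {current.scheme} challenge")
        after_comma = False
    return challenges


def bearer_challenge_kind(header: str) -> str:
    """Classify the first Bearer challenge in a WWW-Authenticate value.

    'absent'      no Bearer challenge
    'bare'        well-formed under the RFC 7235 challenge rule, but without
                  the auth-param that RFC 6750 section 3 (and the OAuth 2.1
                  draft text quoted in the thread) requires
    'with-params' satisfies both
    """
    for c in parse_www_authenticate(header):
        if c.scheme.lower() == "bearer":  # auth-scheme is case-insensitive
            return "with-params" if c.params else "bare"
    return "absent"


if __name__ == "__main__":
    # Constructed sample headers, including the bare challenge from the thread.
    for h in ['Bearer',
              'Bearer realm="example"',
              'Bearer error="invalid_token", error_description="The access token expired"',
              'Basic realm="legacy", Bearer realm="api"']:
        print(f"{h!r:75} -> {bearer_challenge_kind(h)}")
```

Run stand-alone it prints the classification of four constructed headers;
the bare "Bearer" parses cleanly under the RFC 7235 rule and is reported as
'bare', which is the header the message says the draft text leaves
non-compliant. The parser is lenient about whitespace around "=" and commas
and lowercases parameter names, since RFC 7235 treats both the scheme and
the parameter names case-insensitively.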


From nobody Wed Mar 30 06:01:00 2022
Return-Path: <pieter.kasselman@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 544DF3A1761 for <oauth@ietfa.amsl.com>; Wed, 30 Mar 2022 06:00:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level: 
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wvAsRi46DMnr for <oauth@ietfa.amsl.com>; Wed, 30 Mar 2022 06:00:53 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on0722.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0d::722]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB58D3A175E for <oauth@ietf.org>; Wed, 30 Mar 2022 06:00:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hENF/ctg12YiAXBeAP9YlQaGf/tC6FO/uSPm5hfhewOeDBSG1pTojTXCXrnSLbNzEJVERQjYHb1gOmpVFf6FqqrvSdiVqBb+m+gRtJbKSOenBDLljDg0nuFXoteod8KlHEYkoOVm3fwnJgSLJYeaRbcQhaFtRSCX3ZfYtxjx7fXVO4oPcy6pNMiWQfUv2XeHi/GVi0Ra5VRwFVPabkDZOgvqN9c15gA6+iIv6zOsNLfr6vyvGFX+lpwafJlpF305N0wzg1/8e79Qe2ftcUe9VpXhLFjFJ4Xg4Bi67yVnywMALjM7/FHL7IJBTadnvdRb8rdt3bYCbNuOptRPDPf/tg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;  s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=sqqsmOcKSpEnpKv/uMCzG/DFODawqLKPQ3suxXJHfgo=; b=UKvMQANyVzJg7FAyYJD9KFhCW8mctjHi3iew7oTAaZfr7+Xbhq6n4OxIeWTMnOLBlUUeF1tF6OGrqMqigr0TUti5/fQ0ggKw8iYoTwpYO5MwcrECpGyhSLarWQ5HqVdQ3fzR/MBy18ZlqFjs6eqBf1Ip5bxBUnWuiNCwjYNfqBVmA61W7sKV/kBb9ndHMqynvveMITyt5dHIVnLbxVrPH37q6AxS/YTPf/Z1xwrWChb1o2mPZEY9O4Ms+eemhyE9WkceokfMQJJt8amTCC+JkADVBAds5CVCSRjyxm61KrHlSmvYLLiccJXw5VDVkE6QxJyoVCilDgwlnC25+5OIBg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sqqsmOcKSpEnpKv/uMCzG/DFODawqLKPQ3suxXJHfgo=; b=PaAPlP51koZuIGrtlLTC2mz+w38bdhPWI1k830qPNuBwhevTQjC5kkuroSo+oq+lGxfrBhri7ExHBKrmY7zN22vdsG7+uWn7hvCxojMKfQIEuo4iFydX8Ybv5wzf9M3ZN8Mh0P1CCv/xh7nOO2yLHT63KeOLa1q325iH6Ecs6is=
Received: from AM7PR83MB0452.EURPRD83.prod.outlook.com (2603:10a6:20b:1b6::10) by DB6PR8303MB0069.EURPRD83.prod.outlook.com (2603:10a6:24:1::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.3; Wed, 30 Mar 2022 13:00:47 +0000
Received: from AM7PR83MB0452.EURPRD83.prod.outlook.com ([fe80::8df6:9cd8:37bb:1f7e]) by AM7PR83MB0452.EURPRD83.prod.outlook.com ([fe80::8df6:9cd8:37bb:1f7e%4]) with mapi id 15.20.5123.021; Wed, 30 Mar 2022 13:00:47 +0000
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] WGLC for DPoP Document
Thread-Index: AQHYQpu/hIkp2UX4dUGoKw60wRScXazW3jgAgAACMYCAAKBtAIAAAFmAgAAGa4CAAFDEgIAAASOAgAANdMA=
Date: Wed, 30 Mar 2022 13:00:47 +0000
Message-ID: <AM7PR83MB0452CF41E7A451C59EA4CD08911F9@AM7PR83MB0452.EURPRD83.prod.outlook.com>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <SJ0PR00MB10058BB56F497FDEF5606314F51E9@SJ0PR00MB1005.namprd00.prod.outlook.com> <37A689BA-6662-4D39-8031-283AC019BC5F@alkaline-solutions.com> <5b19e3f1-e2b7-a959-dc85-5de00f6833d2@danielfett.de> <CAP-T6TTHsbBpXyqSwtCeAEt7fU_kiybb8UZqF=E3ra2g0LpGow@mail.gmail.com> <CAHsNOKfTFgO5s79gHFARqK0x_UVa_n7BC9VvY-dtUx48=wetdw@mail.gmail.com> <D7F1E96F-929B-4FED-AF4B-CD2777606F43@lodderstedt.net> <CAJot-L3k-0kwP2odTLkiHAcW6YoCPg6UYNZ3+UwuyhrnaRozGw@mail.gmail.com>
In-Reply-To: <CAJot-L3k-0kwP2odTLkiHAcW6YoCPg6UYNZ3+UwuyhrnaRozGw@mail.gmail.com>
Accept-Language: en-IE, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2022-03-30T13:00:37Z;  MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=1f982398-fa0f-49df-8b15-f581638b69e1; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2ebd0f40-b6d5-4cb6-af60-08da124d4f3b
x-ms-traffictypediagnostic: DB6PR8303MB0069:EE_
x-ms-exchange-atpmessageproperties: SA|SL
x-microsoft-antispam-prvs: <DB6PR8303MB0069F6E6A746D42832B87958911F9@DB6PR8303MB0069.EURPRD83.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 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
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;  IPV:NLI; SFV:NSPM; H:AM7PR83MB0452.EURPRD83.prod.outlook.com; PTR:; CAT:NONE;  SFS:(13230001)(4636009)(366004)(451199009)(66946007)(9686003)(76116006)(64756008)(33656002)(66556008)(508600001)(110136005)(66476007)(8676002)(66446008)(10290500003)(8936002)(82960400001)(84970400001)(186003)(86362001)(2906002)(316002)(82950400001)(71200400001)(166002)(83380400001)(44832011)(53546011)(38100700002)(66574015)(7696005)(5660300002)(8990500004)(40140700001)(966005)(52536014)(122000001)(6506007)(38070700005)(55016003); DIR:OUT; SFP:1102; 
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?VANkduQXDcCGhNzU74u/k+JHKqy2qduAizF0O2E7MuBjlkbYdaJWC5jwZklg?= =?us-ascii?Q?mcXj2yv10GCYg28ih+oJsAGWWuGBcTMj6jrqEKJse5sXDZ0UmcLOp2HpeRY0?= =?us-ascii?Q?+BKY3TQDoMatXIJwNv0+qE/G+mkcangXV0vzmZsBamiUKR0sBBUYN02jcVNe?= =?us-ascii?Q?8HTZYBF1VAPwwTKq7pVAl8N07lLehsGg0QBiG2KpFFGsDD8J9OteEU9HT1uG?= =?us-ascii?Q?GXWTJA+CafDtpOg7g2Ii/IVsi6TOPGPoOpVOATVIkcHzBNUYdn81nMvu43I4?= =?us-ascii?Q?8Adp2c1AjI3M1hvQWM2Ob0NnhJTNJAEAmcPsuZoF6hxOg8HcHj/saSAEnnjr?= =?us-ascii?Q?A0Z/S19yK9nUx9jZ9qq4mSqFpjekNtZEoNcy72peV694wbM7lHFzpE/nkwBv?= =?us-ascii?Q?p9FboAJrqmeJ38xQyrleWjEwYm7d6QYD3GFXKGLCWTKCDC7c4b+ZF9SZqM5c?= =?us-ascii?Q?2lpEYOgIgiuwkk6xkQxMfK6eNmKSAHrn7axmdhAcFPZNS7tkc7v6+M9IvnNP?= =?us-ascii?Q?8FG9HqmehCjcKQlYHCE2aS26BtfbOY4mi2oXlKi0N4L85Qo8Fr+JQmjXNPMJ?= =?us-ascii?Q?DAe/YaR1d+9cm1Zbx8F2YE6UPalZyh99tIHxHteq64kJ2g8ZCy047A3Ejfe7?= =?us-ascii?Q?UG18TFhRnpdszxr3AGDQ9e9vZfmhlbHVP2dulnGfaqDIzJ4VbleDqt07djSK?= =?us-ascii?Q?tRZg8JPOZIdbB+XL2aKtTEFGOkefh54GCMi53qLMiQJcsLucbFDmBWR/18Yf?= =?us-ascii?Q?HYiR5kz8eNSjHJuq72RUgHIL4Cb/7G6bBvgkBUrZViGORBEiWMGa9OqJeT8R?= =?us-ascii?Q?s1xyZhnfPckb93xsCUki7047dSQrmkxDjFjESbPKjEHQKLOm0tV4KNKpGTBe?= =?us-ascii?Q?FPGPYFg0G8sjmuCJvBJPxAxOO+b94Ua9KnvH9RaZg9W8s6B9MkdMGYM346B0?= =?us-ascii?Q?anF2v689Gqs+uqE6DMDbChM5BG1tCvxsgMJ7y/rrtKntE1ejl6GGfNE34Cs2?= =?us-ascii?Q?qBgEQXybkYuXuk/vHhpghUKInNeK4O/fiuNvWLOQ7cXFpAI8FAX8xpp9+iL8?= =?us-ascii?Q?ssSsYGmtdYprTB/I5N/yuAi3oHwN5a+fG26ujVxF4dbo2hBQEJTiotUpyRhW?= =?us-ascii?Q?Xmm2Lbemi9Q0GwGeCTy2z8pz+d5YJzhJ7FBKiFpp3qV/9gHT46Wx8xIHHGhU?= =?us-ascii?Q?vbwl5ITUVc1tq+DlZr3/3NXN756ZKdkapl6FydoKPv3zpBH3grSVugQhAmGJ?= =?us-ascii?Q?MxLYRQsnfHymkPMS66Lo9w9uYU/6EBfQ6oSerpYVziMZDQZrtTKqXS89i76j?= =?us-ascii?Q?DG9nNq3S/50UpOSD0b5PJaQ9ZFtiVXUoq9eXjxyXrKNVglbS5tLH7yVBW9mr?= =?us-ascii?Q?8di+9Y8fosXocbSTD5nn+rbFJXdz7M7oj6GjWxBRMmmilkt1H7rKgh3BUp4u?= =?us-ascii?Q?sNJDL4yvSD6ZIbxEmbOmoBjqV48+DeUkj0unN+py8xPzgKok1up964VtXN2b?= 
=?us-ascii?Q?9OKuOn/y7KU9KA0j21Lad9F72Pv19pK3UPmkKfdS0JlelCVcdyoxRfPNkiEu?= =?us-ascii?Q?EghbafkhseUl+HxdPPbifuowXLQX4jEYoSc+GAkqD2cVdvfYq2FjlEwwJ/aq?= =?us-ascii?Q?WzOHTHbhy/8Spty4n8VverrwoomIneA3lbJB2xQL5N56mwtF9Zo1gdle/nSr?= =?us-ascii?Q?Keg4tpi8OBJN/IJ5RMaEoLVQPV1YHWZ4leU03Yzs7NKqLaVnAmFm0iTvJmHX?= =?us-ascii?Q?q6rFThLnAg=3D=3D?=
Content-Type: multipart/alternative; boundary="_000_AM7PR83MB0452CF41E7A451C59EA4CD08911F9AM7PR83MB0452EURP_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM7PR83MB0452.EURPRD83.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2ebd0f40-b6d5-4cb6-af60-08da124d4f3b
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Mar 2022 13:00:47.5489 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: myovC9RsXo/YwZovhlQBK7C2tilmwAFwVDC8CpD7Qb7ZyTocbz7uczwZ9GflgGrl2KvEdLC+EUVgYZMWpGX9Y2bSJ8KZQIsOFb20r2QOXKg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR8303MB0069
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XwqPVoj-0pUFKM2gq5sLy6QDz7g>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 13:00:59 -0000

--_000_AM7PR83MB0452CF41E7A451C59EA4CD08911F9AM7PR83MB0452EURP_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I support publication

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Warren Parad
Sent: Wednesday 30 March 2022 13:12
To: Torsten Lodderstedt <torsten=3D40lodderstedt.net@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document

I support publication.



Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement Authre=
ss<https://authress.io/>.


On Wed, Mar 30, 2022 at 2:08 PM Torsten Lodderstedt <torsten=3D40loddersted=
t.net@dmarc.ietf.org<mailto:40lodderstedt.net@dmarc.ietf.org>> wrote:
I support publication of this specification.


Am 30.03.2022 um 09:18 schrieb Steinar Noem <steinar@udelt.no<mailto:steina=
r@udelt.no>>:

I support publication of the specification

ons. 30. mar. 2022 kl. 08:56 skrev Dave Tonge <dave.tonge@momentumft.co.uk<=
mailto:dave.tonge@momentumft.co.uk>>:
I support publication of the specification

On Wed, 30 Mar 2022 at 08:55, Daniel Fett <fett@danielfett.de<mailto:fett@d=
anielfett.de>> wrote:

I also support publication.

-Daniel
Am 29.03.22 um 23:20 schrieb David Waite:
I also support publication of this specification

-DW


On Mar 29, 2022, at 3:12 PM, Mike Jones <Michael.Jones=3D40microsoft.com@dm=
arc.ietf.org<mailto:Michael.Jones=3D40microsoft.com@dmarc.ietf.org>> wrote:

I support publication of the specification.

                                                       -- Mike

From: OAuth <oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>> On Beha=
lf Of Rifaat Shekh-Yusef
Sent: Monday, March 28, 2022 5:01 AM
To: oauth <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: [OAUTH-WG] WGLC for DPoP Document

All,

As discussed during the IETF meeting in Vienna last week, this is a WG Last=
 Call for the DPoP document:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

Please, provide your feedback on the mailing list by April 11th.

Regards,
 Rifaat & Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth



--

https://danielfett.de


--
Dave Tonge
CTO
[Moneyhub Enterprise]<http://moneyhubenterprise.com/>
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Lim=
ited which is authorised and regulated by the Financial Conduct Authority (=
"FCA"). Moneyhub Financial Technology is entered on the Financial Services =
Register (FRN 809360) at fca.org.uk/register<http://fca.org.uk/register>. M=
oneyhub Financial Technology is registered in England & Wales, company regi=
stration number  06909772 .
Moneyhub Financial Technology Limited 2018 (c)

DISCLAIMER: This email (including any attachments) is subject to copyright,=
 and the information in it is confidential. Use of this email or of any inf=
ormation in it other than by the addressee is unauthorised and unlawful. Wh=
ilst reasonable efforts are made to ensure that any attachments are virus-f=
ree, it is the recipient's sole responsibility to scan all attachments for =
viruses. All calls and emails to and from this company may be monitored and=
 recorded for legitimate purposes relating to this company's business. Any =
opinions expressed in this email (or in any attachments) are those of the a=
uthor and do not necessarily represent the opinions of Moneyhub Financial T=
echnology Limited or of any other group company.


--
Vennlig hilsen

Steinar Noem
Partner Udelt AS
Systemutvikler

| steinar@udelt.no<mailto:steinar@udelt.no> | hei@udelt.no<mailto:hei@udelt=
.no>  | +47 955 21 620 | www.udelt.no<http://www.udelt.no/> |

--_000_AM7PR83MB0452CF41E7A451C59EA4CD08911F9AM7PR83MB0452EURP_--


From nobody Wed Mar 30 06:52:15 2022
Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
MIME-Version: 1.0
References: <CAKL4o=G9wO-LCgkWipsAEV3_sVUThTsQcaHd-Vf2o08KTA5UKg@mail.gmail.com>
In-Reply-To: <CAKL4o=G9wO-LCgkWipsAEV3_sVUThTsQcaHd-Vf2o08KTA5UKg@mail.gmail.com>
From: Filip Skokan <panva.ip@gmail.com>
Date: Wed, 30 Mar 2022 15:51:20 +0200
Message-ID: <CALAqi_977Jjyzi5Hv2yVLsv3=7sS9Lpjs7kusQ+YObnj-TiLig@mail.gmail.com>
To: Jacob Ideskog <jacob.ideskog@curity.io>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000043685805db6fd9c7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/T4stTh9mQRExvZTdEC30OF541p0>
Subject: Re: [OAUTH-WG] Regarding iat and nonce in DPoP Proofs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 13:52:12 -0000

--00000000000043685805db6fd9c7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello Jacob, dear Authors,

If the server (AS or RS) utilizes the `nonce` mechanism to limit the
acceptance timeframe of DPoP Proof JWTs it would appear the need to check
the `iat` claim for "freshness" is redundant. If we're making the client
jump through hoops to enforce fresh proofs via `nonce` it seems
counterintuitive that the validation could still fail due to client or server
side clock skews (regardless of how unreasonable they may be).

Changes would need to be introduced in (source
<https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-07>)

   - section 4.3. point 11
      - the iat claim value is within an acceptable timeframe and, within a
        reasonable consideration of accuracy and resource utilization, a
        proof JWT with the same jti value has not previously been received
        at the same resource during that time period (see Section 11.1)
   - section 11.1
      - To prevent this, servers MUST only accept DPoP proofs for a limited
        time window after their iat time, preferably only for a relatively
        brief period (on the order of seconds or minutes).

Proposal:

Section 4.3. point 11
*if the server did not provide a nonce value to the client that was
verified in the previous point*, that the iat claim value is within an
acceptable timeframe and, within a reasonable consideration of accuracy and
resource utilization, a proof JWT with the same jti value has not
previously been received at the same resource during that time period (see
Section 11.1)

Section 11.1 upon a second read may not need an update after all due to the
following language "Server-provided nonces are an effective means of
preventing DPoP proof replay.". That being said, server-provided nonces do
nothing about replay within a short time window, they ensure freshness, so
may need a bit of language after all.

Best regards,
*Filip Skokan*


On Tue, 29 Mar 2022 at 16:23, Jacob Ideskog <jacob.ideskog@curity.io> wrote:

> Hi all,
>
> We have encountered a situation in the wild which I would like to share
> and discuss with you.
>
> We have strict validation of the iat claim as per section 4.3 in the
> specification where we allow a reasonable skew.
>
> The problem we see is that some users (more than a few) have changed the
> clock on their mobile device. This is commonly done for users playing games
> where changing the clock gives them more credit in the game. This means
> that the drift is more than reasonable as per the specification. It can be
> hours to days.
>
> The solution is to use the newer "nonce" parameter (which wasn't in the
> early drafts) to be able to manage the TTL server side, since the server
> controls the nonce and can therefore control the TTL of any proof received.
>
> However, the wording in section 4.3 states that:
>
> the iat claim value is within an acceptable timeframe and,
>         within a reasonable consideration of accuracy and resource
>         utilization, a proof JWT with the same jti value has not
>         previously been received at the same resource during that time
>         period (see Section 11.1 <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-07#section-11.1>),
>
> And in section 11.1 this limits it to seconds or minutes.
>
> So, even though using nonces could solve clock sync issues, it's not
> possible due to the strictness of the iat claim verification.
>
> Could we relax the wording of the iat claim verification to let the nonce
> be the main solution in some cases:
>
> Suggestion:
> the iat claim value is within an acceptable timeframe and,
>         within a reasonable consideration of accuracy and resource
>         utilization, a proof JWT with the same jti value has not
>         previously been received at the same resource during that time
>         period (see Section 11.1), *unless the clock synchronization can
> be made to depend on the issuance of the nonce values.*
>
> Regards
> Jacob
>
> --
> Jacob Ideskog
> CTO
> Curity AB
> -------------------------------------------------------------------
> Sankt Göransgatan 66, Stockholm, Sweden
> M: +46 70-2233664
> jacob@curity.io
> curity.io
> -------------------------------------------------------------------
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

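An added illustration, not code from this thread, from Curity, or from any DPoP library: a small Python model of the server-side claim checks in draft-ietf-oauth-dpop-07 section 4.3 with the rule proposed above applied, i.e. a verified server-provided `nonce` stands in for the `iat` freshness window, while `jti` replay detection is kept on both paths because a nonce only proves freshness, not single use. The nonce format (HMAC over the server's issue time plus random bytes, so the server clock alone bounds the acceptance window), the TTLs, the two-days-ahead device clock and all claim values are constructed for the example; JWS signature and `jwk`/`typ` header verification is assumed to have already passed before these claim checks run.

```python
# Added example (not code from the thread, Curity, or any DPoP library).
# Models the claim checks of draft-ietf-oauth-dpop-07 section 4.3 with a
# verified server nonce replacing the iat freshness window. JWS signature
# and jwk/typ header checks are assumed done; names and TTLs are assumptions.
import base64
import hashlib
import hmac
import secrets


class NonceIssuer:
    """Stateless server nonce: base64url(issue_ts || random || HMAC tag).
    The server's own clock bounds the window, never the client clock."""

    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self.key = key
        self.ttl = ttl_seconds

    def issue(self, now: int) -> str:
        body = now.to_bytes(8, "big") + secrets.token_bytes(8)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        return base64.urlsafe_b64encode(body + tag).rstrip(b"=").decode()

    def verify(self, nonce: str, now: int) -> bool:
        try:
            raw = base64.urlsafe_b64decode(nonce + "=" * (-len(nonce) % 4))
        except (ValueError, TypeError):
            return False
        if len(raw) != 32:
            return False
        body, tag = raw[:16], raw[16:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return False
        issued = int.from_bytes(body[:8], "big")
        return issued <= now <= issued + self.ttl


class DPoPValidator:
    def __init__(self, nonces: NonceIssuer, require_nonce: bool, iat_skew: int = 60):
        self.nonces = nonces
        self.require_nonce = require_nonce
        self.iat_skew = iat_skew
        self._seen = {}  # jti -> server time until which a repeat counts as replay

    def validate(self, claims: dict, htm: str, htu: str, now: int) -> str:
        """Return "ok", "invalid_dpop_proof" or "use_dpop_nonce" (the last
        tells the client to retry with the nonce the server sends back)."""
        if any(c not in claims for c in ("jti", "htm", "htu", "iat")):
            return "invalid_dpop_proof"
        if claims["htm"] != htm or claims["htu"] != htu:
            return "invalid_dpop_proof"
        self._seen = {j: exp for j, exp in self._seen.items() if exp > now}

        if self.require_nonce:
            nonce = claims.get("nonce")
            if not nonce or not self.nonces.verify(nonce, now):
                return "use_dpop_nonce"
            # Freshness is proven by the nonce (issued at most ttl ago by the
            # server clock), so a skewed client-asserted iat is not checked.
            window_end = now + self.nonces.ttl
        else:
            # No server nonce: the client iat is the only freshness signal,
            # so it must sit within the configured skew of server time.
            if abs(now - claims["iat"]) > self.iat_skew:
                return "invalid_dpop_proof"
            window_end = now + self.iat_skew

        # A nonce gives freshness, not single use: the same proof could be
        # replayed inside the nonce TTL, so jti is tracked on both paths.
        if claims["jti"] in self._seen:
            return "invalid_dpop_proof"
        self._seen[claims["jti"]] = window_end
        return "ok"


HTU = "https://as.example/token"  # constructed endpoint


def scenario() -> dict:
    """Constructed scenario: a device clock two days ahead of the server,
    sending proofs with and without a server-issued nonce."""
    issuer = NonceIssuer(secrets.token_bytes(32), ttl_seconds=300)
    server_now = 1_700_000_000
    device_clock = server_now + 2 * 86400

    def proof(jti, nonce=None):
        c = {"jti": jti, "htm": "POST", "htu": HTU, "iat": device_clock}
        if nonce is not None:
            c["nonce"] = nonce
        return c

    out = {}
    iat_only = DPoPValidator(issuer, require_nonce=False, iat_skew=60)
    out["skewed_iat_no_nonce"] = iat_only.validate(proof("j1"), "POST", HTU, server_now)

    nonced = DPoPValidator(issuer, require_nonce=True)
    out["no_nonce_yet"] = nonced.validate(proof("j2"), "POST", HTU, server_now)
    n = issuer.issue(server_now)
    out["skewed_iat_with_nonce"] = nonced.validate(proof("j3", n), "POST", HTU, server_now + 10)
    out["replayed_jti"] = nonced.validate(proof("j3", n), "POST", HTU, server_now + 20)
    out["fresh_jti_same_nonce"] = nonced.validate(proof("j4", n), "POST", HTU, server_now + 30)
    out["expired_nonce"] = nonced.validate(proof("j5", n), "POST", HTU, server_now + 301)
    tampered = ("B" if n[0] == "A" else "A") + n[1:]
    out["tampered_nonce"] = nonced.validate(proof("j6", tampered), "POST", HTU, server_now + 40)
    out["wrong_htu"] = nonced.validate(proof("j7", n), "POST", HTU + "x", server_now + 50)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The replay cache here is per process; a clustered AS or RS needs a shared store for the `jti` set, or must bind each nonce to the node that issued it, for the replay check to hold across instances.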
--00000000000043685805db6fd9c7--

