<?xml version='1.0' encoding='utf-8'?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version  -->
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<?rfc toc="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-autocrypt-lamps-protected-headers-02" category="info" obsoletes="" updates="" submissionType="IETF" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 2.37.1 -->
  <front>
    <title>Protected Headers for Cryptographic E-mail</title>
    <seriesInfo name="Internet-Draft" value="draft-autocrypt-lamps-protected-headers-02"/>
    <author initials="B.R." surname="Einarsson" fullname="Bjarni Rúnar Einarsson">
      <organization>Mailpile ehf</organization>
      <address>
        <postal>
          <street>Baronsstigur</street>
          <country>Iceland</country>
        </postal>
        <email>bre@mailpile.is</email>
      </address>
    </author>
    <author initials="." surname="juga" fullname="juga">
      <organization>Independent</organization>
      <address>
        <email>juga@riseup.net</email>
      </address>
    </author>
    <author initials="D.K." surname="Gillmor" fullname="Daniel Kahn Gillmor">
      <organization abbrev="ACLU">American Civil Liberties Union</organization>
      <address>
        <postal>
          <street>125 Broad St.</street>
          <city>New York, NY</city>
          <code>10004</code>
          <country>USA</country>
        </postal>
        <email>dkg@fifthhorseman.net</email>
      </address>
    </author>
    <date year="2019" month="December" day="20"/>
    <area>int</area>
    <workgroup>openpgp</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <t>This document describes a common strategy to extend the end-to-end cryptographic protections provided by PGP/MIME, etc. to protect message headers in addition to message bodies.
In addition to protecting the authenticity and integrity of headers via signatures, it also describes how to preserve the confidentiality of the Subject header.</t>
    </abstract>
  </front>
  <middle>
    <section anchor="introduction" numbered="true" toc="default">
      <name>Introduction</name>
      <t>E-mail end-to-end security with OpenPGP and S/MIME standards can provide integrity, authentication, non-repudiation and confidentiality to the body of a MIME e-mail message.
However, PGP/MIME (<xref target="RFC3156" format="default"/>) alone does not protect message headers.
And the structure to protect headers defined in S/MIME 3.1 (<xref target="RFC3851" format="default"/>) has not seen widespread adoption.</t>
      <t>This document defines a scheme, "Protected Headers for Cryptographic E-mail", which has been adopted by multiple existing e-mail clients in order to extend the cryptographic protections provided by PGP/MIME to also protect the message headers.
This scheme is also applicable to S/MIME <xref target="RFC8551" format="default"/>.</t>
      <t>This document describes how these protections can be applied to cryptographically signed messages, and also discusses some of the challenges of encrypting many transit-oriented headers.</t>
      <t>It offers guidance for protecting the confidentiality of non-transit-oriented headers like Subject, and also offers a means to preserve backwards compatibility so that an encrypted Subject remains available to recipients using software that does not implement support for the Protected Headers scheme.</t>
      <t>The document also discusses some of the compatibility constraints and usability concerns which motivated the design of the scheme, as well as limitations and a comparison with other proposals.</t>
      <t>This technique has already proven itself as a useful building block for other improvements to cryptographic e-mail, such as the Autocrypt Level 1.1 (<xref target="Autocrypt" format="default"/>) "Gossip" mechanism.</t>
      <section anchor="requirements-language" numbered="true" toc="default">
        <name>Requirements Language</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119" format="default"/> <xref target="RFC8174" format="default"/> when, and only when, they appear in all capitals, as shown here.</t>
      </section>
      <section anchor="terminology" numbered="true" toc="default">
        <name>Terminology</name>
        <t>For the purposes of this document, we define the following concepts:</t>
        <ul spacing="normal">
          <li>
            <em>MUA</em> is short for Mail User Agent; an e-mail client.</li>
          <li>
            <em>Protection</em> of message data refers to cryptographic encryption and/or signatures, providing confidentiality, authenticity or both.</li>
          <li>
            <em>Cryptographic Layer</em>, <em>Cryptographic Envelope</em> and <em>Cryptographic Payload</em> are defined in <xref target="cryptographic-structure" format="default"/>.</li>
          <li>
            <em>Original Headers</em> are the <xref target="RFC5322" format="default"/> message headers as known to the sending MUA at the time of message composition.</li>
          <li>
            <em>Protected Headers</em> are any headers protected by the scheme described in this document.</li>
          <li>
            <em>Exposed Headers</em> are any headers outside the Cryptographic Payload (protected or not).</li>
          <li>
            <em>Obscured Headers</em> are any Protected Headers which have been modified or removed from the set of Exposed Headers.</li>
          <li>
            <em>Legacy Display Part</em> is a MIME construct which provides visibility for users of legacy clients of data from the Original Headers which may have been removed or obscured from the Exposed Headers. It is defined in <xref target="legacy-display" format="default"/>.</li>
          <li>
            <em>User-Facing Headers</em> are explained and enumerated in <xref target="user-facing-headers" format="default"/>.</li>
          <li>
            <em>Structural Headers</em> are documented in <xref target="structural-headers" format="default"/>.</li>
        </ul>
        <section anchor="user-facing-headers" numbered="true" toc="default">
          <name>User-Facing Headers</name>
          <t>Of all the headers that an e-mail message may contain, only a handful are typically presented directly to the user.
The user-facing headers are:</t>
          <ul spacing="normal">
            <li>
              <tt>Subject</tt></li>
            <li>
              <tt>From</tt></li>
            <li>
              <tt>To</tt></li>
            <li>
              <tt>Cc</tt></li>
            <li>
              <tt>Date</tt></li>
            <li>
              <tt>Reply-To</tt></li>
            <li>
              <tt>Followup-To</tt></li>
          </ul>
          <t>The above is a complete list.  No other headers are considered "user-facing".</t>
          <t>Other headers may affect the visible rendering of the message (e.g., <tt>References</tt> and <tt>In-Reply-To</tt> may affect the placement of a message in a threaded discussion), but they are not directly displayed to the user and so are not considered "user-facing" for the purposes of this document.</t>
        </section>
        <section anchor="structural-headers" numbered="true" toc="default">
          <name>Structural Headers</name>
          <t>A message header whose name begins with <tt>Content-</tt> is referred to in this document as a "structural" header.</t>
          <t>These headers indicate something about the specific MIME part they are attached to, and cannot be transferred or copied to other parts without endangering the readability of the message.</t>
          <t>This includes (but is not limited to):</t>
          <ul spacing="normal">
            <li>
              <tt>Content-Type</tt></li>
            <li>
              <tt>Content-Transfer-Encoding</tt></li>
            <li>
              <tt>Content-Disposition</tt></li>
          </ul>
          <t>Note that no "user-facing" headers (<xref target="user-facing-headers" format="default"/>) are also "structural" headers.  Of course, many headers are neither "user-facing" nor "structural".</t>
          <t>FIXME: are there any non-<tt>Content-*</tt> headers we should consider as structural?</t>
        </section>
      </section>
    </section>
    <section anchor="protected-headers-summary" numbered="true" toc="default">
      <name>Protected Headers Summary</name>
      <t>The Protected Headers scheme relies on three backward-compatible changes to a cryptographically-protected e-mail message:</t>
      <ul spacing="normal">
        <li>Headers known to the composing MUA at message composition time are (in addition to their typical placement as Exposed Headers on the outside of the message) also present in the MIME header of the root of the Cryptographic Payload.
These Protected Headers share cryptographic properties with the rest of the Cryptographic Payload.</li>
        <li>When the Cryptographic Envelope includes encryption, any Exposed Header MAY be <em>obscured</em> by a transformation (including deletion).</li>
        <li>If the composing MUA intends to obscure any user-facing headers, it MAY add a decorative "Legacy Display" MIME part to the Cryptographic Payload which additionally duplicates the original values of the obscured user-facing headers.</li>
      </ul>
      <t>When a composing MUA encrypts a message, it SHOULD obscure the <tt>Subject:</tt> header, by using the literal string <tt>...</tt> (three U+002E FULL STOP characters) as the value of the exposed <tt>Subject:</tt> header.</t>
      <t>When a receiving MUA encounters a message with a Cryptographic Envelope, it treats the headers of the Cryptographic Payload as belonging to the message itself, not just the subpart.
In particular, when rendering a header for any such message, the renderer SHOULD prefer the header's Protected value over its Exposed value.</t>
      <t>A receiving MUA that understands Protected Headers and discovers a Legacy Display part SHOULD hide the Legacy Display part when rendering the message.</t>
      <t>The following sections contain more detailed discussion.</t>
    </section>
    <section anchor="cryptographic-structure" numbered="true" toc="default">
      <name>Cryptographic MIME Message Structure</name>
      <t>Implementations use the structure of an e-mail message to protect the headers.
This section establishes some conventions about how to think about message structure.</t>
      <section anchor="cryptographic-layer" numbered="true" toc="default">
        <name>Cryptographic Layers</name>
        <t>"Cryptographic Layer" refers to a MIME substructure that supplies some cryptographic protections to an internal MIME subtree.
The internal subtree is known as the "protected part" though of course it may itself be a multipart object.</t>
        <t>In the diagrams below, <u>↧</u> indicates "decrypts to", and <u>⇩</u> indicates "unwraps to".</t>
        <section anchor="pgpmime-cryptographic-layers" numbered="true" toc="default">
          <name>PGP/MIME Cryptographic Layers</name>
          <t>For PGP/MIME <xref target="RFC3156" format="default"/> there are two forms of Cryptographic Layers, signing and encryption.</t>
          <section anchor="pgpmime-multipart-signed" numbered="true" toc="default">
            <name>PGP/MIME Signing Cryptographic Layer (multipart/signed)</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[
└┬╴multipart/signed; protocol="application/pgp-signature"
 ├─╴[protected part]
 └─╴application/pgp-signature
]]></artwork>
          </section>
          <section anchor="pgpmime-multipart-encrypted" numbered="true" toc="default">
            <name>PGP/MIME Encryption Cryptographic Layer (multipart/encrypted)</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[
└┬╴multipart/encrypted
 ├─╴application/pgp-encrypted
 └─╴application/octet-stream
  ↧ (decrypts to)
  └─╴[protected part]
]]></artwork>
          </section>
        </section>
        <section anchor="smime-cryptographic-layers" numbered="true" toc="default">
          <name>S/MIME Cryptographic Layers</name>
          <t>For S/MIME <xref target="RFC8551" format="default"/>, there are four forms of Cryptographic Layers: multipart/signed, PKCS#7 signed-data, PKCS7 enveloped-data, PKCS7 authEnveloped-data.</t>
          <section anchor="smime-multipart-signed" numbered="true" toc="default">
            <name>S/MIME Multipart Signed Cryptographic Layer</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[
└┬╴multipart/signed; protocol="application/pkcs7-signature"
 ├─╴[protected part]
 └─╴application/pkcs7-signature
]]></artwork>
          </section>
          <section anchor="smime-pkcs7-signed-data" numbered="true" toc="default">
            <name>S/MIME PKCS7 signed-data Cryptographic Layer</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[
└─╴application/pkcs7-mime; smime-type="signed-data"
 ⇩ (unwraps to)
 └─╴[protected part]
]]></artwork>
          </section>
          <section anchor="smime-pkcs7-enveloped-data" numbered="true" toc="default">
            <name>S/MIME PKCS7 enveloped-data Cryptographic Layer</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[
└─╴application/pkcs7-mime; smime-type="enveloped-data"
 ↧ (decrypts to)
 └─╴[protected part]
]]></artwork>
          </section>
          <section anchor="smime-pkcs7-authenveloped-data" numbered="true" toc="default">
            <name>S/MIME PKCS7 authEnveloped-data Cryptographic Layer</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[
└─╴application/pkcs7-mime; smime-type="authEnveloped-data"
 ↧ (decrypts to)
 └─╴[protected part]
]]></artwork>
            <t>Note that <tt>enveloped-data</tt> (<xref target="smime-pkcs7-enveloped-data" format="default"/>) and <tt>authEnveloped-data</tt> (<xref target="smime-pkcs7-authenveloped-data" format="default"/>) have identical message structure and semantics.
The only difference between the two is ciphertext malleability.</t>
            <t>The examples in this document only include <tt>enveloped-data</tt>, but the implications for that layer apply to <tt>authEnveloped-data</tt> as well.</t>
          </section>
          <section anchor="pkcs7-compression-is-not-a-cryptographic-layer" numbered="true" toc="default">
            <name>PKCS7 Compression is NOT a Cryptographic Layer</name>
            <t>The Cryptographic Message Syntax (CMS) provides a MIME compression layer (<tt>smime-type="compressed-data"</tt>), as defined in <xref target="RFC3274" format="default"/>.
While the compression layer is technically a part of CMS, it is not considered a Cryptographic Layer for the purposes of this document.</t>
          </section>
        </section>
      </section>
      <section anchor="cryptographic-envelope" numbered="true" toc="default">
        <name>Cryptographic Envelope</name>
        <t>The Cryptographic Envelope is the largest contiguous set of Cryptographic Layers of an e-mail message starting with the outermost MIME type (that is, with the Content-Type of the message itself).</t>
        <t>If the Content-Type of the message itself is not a Cryptographic Layer, then the message has no cryptographic envelope.</t>
        <t>"Contiguous" in the definition above indicates that if a Cryptographic Layer is the protected part of another Cryptographic Layer, the layers together comprise a single Cryptographic Envelope.</t>
        <t>Note that if a non-Cryptographic Layer intervenes, all Cryptographic Layers within the non-Cryptographic Layer <em>are not</em> part of the Cryptographic Envelope (see the example in <xref target="baroque-example" format="default"/>).</t>
        <t>Note also that the ordering of the Cryptographic Layers implies different cryptographic properties.
A signed-then-encrypted message is different than an encrypted-then-signed message.</t>
      </section>
      <section anchor="cryptographic-payload" numbered="true" toc="default">
        <name>Cryptographic Payload</name>
        <t>The Cryptographic Payload of a message is the first non-Cryptographic Layer - the "protected part" - within the Cryptographic Envelope.
Since the Cryptographic Payload itself is a MIME part, it has its own set of headers.</t>
        <t>Protected headers are placed on (and read from) the Cryptographic Payload, and should be considered to have the same cryptographic properties as the message itself.</t>
        <section anchor="simple-cryptographic-payloads" numbered="true" toc="default">
          <name>Simple Cryptographic Payloads</name>
          <t>As described above, if the "protected part" identified in <xref target="pgpmime-multipart-signed" format="default"/> or <xref target="pgpmime-multipart-encrypted" format="default"/> is not itself a Cryptographic Layer, that part <em>is</em> the Cryptographic Payload.</t>
          <t>If the application wants to generate a message that is both encrypted and signed, it MAY use the simple MIME structure from <xref target="pgpmime-multipart-encrypted" format="default"/> by ensuring that the <xref target="RFC4880" format="default"/> Encrypted Message within the <tt>application/octet-stream</tt> part contains an <xref target="RFC4880" format="default"/> Signed Message.</t>
        </section>
        <section anchor="multilayer-cryptographic-envelopes" numbered="true" toc="default">
          <name>Multilayer Cryptographic Envelopes</name>
          <t>It is possible to construct a Cryptographic Envelope consisting of multiple layers for PGP/MIME, typically of the following structure:</t>
          <artwork name="" type="" align="left" alt=""><![CDATA[
A └┬╴multipart/encrypted
B  ├─╴application/pgp-encrypted
C  └─╴application/octet-stream
D   ↧ (decrypts to)
E   └┬╴multipart/signed
F    ├─╴[Cryptographic Payload]
G    └─╴application/pgp-signature
]]></artwork>
          <t>When handling such a message, the properties of the Cryptographic Envelope are derived from the series <tt>A</tt>, <tt>E</tt>.</t>
          <t>As noted in <xref target="simple-cryptographic-payloads" format="default"/>, PGP/MIME applications also have a simpler MIME construction available with the same cryptographic properties.</t>
        </section>
        <section anchor="baroque-example" numbered="true" toc="default">
          <name>A Baroque Example</name>
          <t>Consider a message with the following overcomplicated structure:</t>
          <artwork name="" type="" align="left" alt=""><![CDATA[
H └┬╴multipart/encrypted
I  ├─╴application/pgp-encrypted
J  └─╴application/octet-stream
K   ↧ (decrypts to)
L   └┬╴multipart/signed
M    ├┬╴multipart/mixed
N    │├┬╴multipart/signed
O    ││├─╴text/plain
P    ││└─╴application/pgp-signature
Q    │└─╴text/plain
R    └─╴application/pgp-signature
]]></artwork>
          <t>The 3 Cryptographic Layers in such a message are rooted in parts <tt>H</tt>, <tt>L</tt>, and <tt>N</tt>.
But the Cryptographic Envelope of the message consists only of the properties derived from the series <tt>H</tt>, <tt>L</tt>.
The Cryptographic Payload of the message is part <tt>M</tt>.</t>
          <t>It is NOT RECOMMENDED to generate messages with such complicated structures.
Even if a receiving MUA can parse this structure properly, it is nearly impossible to render in a way that the user can reason about the cryptographic properties of part <tt>O</tt> compared to part <tt>Q</tt>.</t>
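          <t>As an added illustration (not part of this draft), the following Python walks a PGP/MIME tree from the outermost part to collect the Cryptographic Envelope and locate the Cryptographic Payload, using the structure above as constructed input. The <tt>decrypt</tt> callable and the <tt>stub_*</tt> helpers are assumptions that perform no cryptography; S/MIME layers are not handled.</t>
          <sourcecode type="python"><![CDATA[
```python
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def cryptographic_envelope(msg, decrypt):
    """Return (layers, payload) for a PGP/MIME message.

    layers is the outermost-first list of contiguous Cryptographic Layers;
    payload is the first part that is not a Cryptographic Layer, or None if
    an encrypted layer could not be opened. `decrypt` (hypothetical) maps the
    application/octet-stream part to the decrypted MIME tree, or None.
    """
    layers, part = [], msg
    while True:
        ctype = part.get_content_type()
        subparts = part.get_payload() if part.is_multipart() else []
        # A signed/encrypted container without exactly two subparts is
        # malformed and is treated here as an ordinary (non-layer) part.
        if ctype == "multipart/signed" and len(subparts) == 2:
            layers.append("signed")
            part = subparts[0]              # the protected part
        elif ctype == "multipart/encrypted" and len(subparts) == 2:
            layers.append("encrypted")
            part = decrypt(subparts[1])     # "decrypts to" the protected part
            if part is None:
                return layers, None
        else:
            # The first non-cryptographic part ends the envelope. Signed or
            # encrypted parts nested below it are NOT part of the envelope.
            return layers, part


def stub_signed(protected):
    """Constructed multipart/signed shape with a placeholder signature."""
    env = MIMEMultipart("signed", protocol="application/pgp-signature")
    env.attach(protected)
    env.attach(MIMEApplication(b"[signature placeholder]", "pgp-signature"))
    return env


def stub_encrypted(protected):
    """Constructed multipart/encrypted shape; returns (tree, decrypt)."""
    env = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    env.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    blob = MIMEApplication(b"[ciphertext placeholder]", "octet-stream")
    env.attach(blob)
    return env, lambda part: protected if part is blob else None


def build_baroque():
    """Rebuild parts H..R of the structure above; returns (H, decrypt, M)."""
    part_o = MIMEText("signed inner text\n")
    part_n = stub_signed(part_o)
    part_q = MIMEText("outer text\n")
    part_m = MIMEMultipart("mixed")
    part_m.attach(part_n)
    part_m.attach(part_q)
    part_l = stub_signed(part_m)
    part_h, decrypt = stub_encrypted(part_l)
    return part_h, decrypt, part_m


if __name__ == "__main__":
    h, decrypt, m = build_baroque()
    layers, payload = cryptographic_envelope(h, decrypt)
    print(layers, payload.get_content_type())
```
]]></sourcecode>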
        </section>
      </section>
      <section anchor="exposed-headers-are-outside" numbered="true" toc="default">
        <name>Exposed Headers are Outside</name>
        <t>The Cryptographic Envelope fully encloses the Cryptographic Payload, whether the message is signed or encrypted or both.
The Exposed Headers are considered to be outside of both.</t>
      </section>
    </section>
    <section anchor="message-composition" numbered="true" toc="default">
      <name>Message Composition</name>
      <t>This section describes the composition of a cryptographically-protected message with Protected Headers.</t>
      <t>We document legacy composition of cryptographically-protected messages (without protected headers) in <xref target="legacy-composition" format="default"/>, and then describe a revised version of that algorithm in <xref target="protected-header-composition" format="default"/> that produces conformant Protected Headers.</t>
      <section anchor="copying-all-headers" numbered="true" toc="default">
        <name>Copying All Headers</name>
        <t>All non-structural headers known to the composing MUA are copied to the MIME header of the Cryptographic Payload.
The composing MUA SHOULD protect all known non-structural headers in this way.</t>
        <t>If the composing MUA omits protection for some of the headers, the receiving MUA will have difficulty reasoning about the integrity of the headers (see <xref target="signature-replay" format="default"/>).</t>
      </section>
      <section anchor="confidential-subject" numbered="true" toc="default">
        <name>Confidential Subject</name>
        <t>When a message is encrypted, the Subject should be obscured by replacing the Exposed Subject with three periods: <tt>...</tt></t>
        <t>This value (<tt>...</tt>) was chosen because it is believed to be language agnostic and avoids communicating any potentially misleading information to the recipient (see <xref target="misunderstood-obscured-subjects" format="default"/> for a more detailed discussion).</t>
      </section>
      <section anchor="obscured-headers" numbered="true" toc="default">
        <name>Obscured Headers</name>
        <t>Due to compatibility and usability concerns, a Mail User Agent SHOULD NOT obscure any of: <tt>From</tt>, <tt>To</tt>, <tt>Cc</tt>, <tt>Message-ID</tt>, <tt>References</tt>, <tt>Reply-To</tt>, <tt>In-Reply-To</tt>, (FIXME: MORE?) unless the user has indicated they have security constraints which justify the potential downsides (see <xref target="common-pitfalls" format="default"/> for a more detailed discussion).</t>
        <t>Aside from that limitation, this specification does not at this time define or limit the methods a MUA may use to convert Exposed Headers into Obscured Headers.</t>
      </section>
      <section anchor="legacy-composition" numbered="true" toc="default">
        <name>Message Composition without Protected Headers</name>
        <t>This section roughly describes the steps that a legacy MUA might use to compose a cryptographically-protected message <em>without</em> Protected Headers.</t>
        <t>The message composition algorithm takes three parameters:</t>
        <ul spacing="normal">
          <li>
            <tt>origbody</tt>: the traditional unprotected message body as a well-formed MIME tree (possibly just a single MIME leaf part).
As a well-formed MIME tree, <tt>origbody</tt> already has structural headers present (see <xref target="structural-headers" format="default"/>).</li>
          <li>
            <tt>origheaders</tt>: the intended non-structural headers for the message, represented here as a table mapping from header names to header values.
For example, <tt>origheaders['From']</tt> refers to the value of the <tt>From</tt> header that the composing MUA would typically place on the message before sending it.</li>
          <li>
            <tt>crypto</tt>: The series of cryptographic protections to apply (for example, "sign with the secret key corresponding to OpenPGP certificate X, then encrypt to OpenPGP certificates X and Y").
This is a routine that accepts a MIME tree as input (the Cryptographic Payload), wraps the input in the appropriate Cryptographic Envelope, and returns the resultant MIME tree as output.</li>
        </ul>
        <t>The algorithm returns a MIME object that is ready to be injected into the mail system:</t>
        <ul spacing="normal">
          <li>Apply <tt>crypto</tt> to <tt>origbody</tt>, yielding MIME tree <tt>output</tt></li>
          <li>
            <t>For header name <tt>h</tt> in <tt>origheaders</tt>:
            </t>
            <ul spacing="normal">
              <li>Set header <tt>h</tt> of <tt>output</tt> to <tt>origheaders[h]</tt></li>
            </ul>
          </li>
          <li>Return <tt>output</tt></li>
        </ul>
      </section>
      <section anchor="protected-header-composition" numbered="true" toc="default">
        <name>Message Composition with Protected Headers</name>
        <t>A reasonable sequential algorithm for composing a message <em>with</em> protected headers takes two more parameters in addition to <tt>origbody</tt>, <tt>origheaders</tt>, and <tt>crypto</tt>:</t>
        <ul spacing="normal">
          <li>
            <tt>obscures</tt>: a table of headers to be obscured during encryption, mapping header names to their obscuring values.
For example, this document recommends only obscuring the subject, so that would be represented by the single-entry table <tt>obscures = {'Subject': '...'}</tt>.
If header <tt>Foo</tt> is to be deleted entirely, <tt>obscures['Foo']</tt> should be set to the special value <tt>null</tt>.</li>
          <li>
            <tt>legacy</tt>: a boolean value, indicating whether any recipient of the message is believed to have a legacy client (that is, a MUA that is capable of decryption, but does not understand protected headers).</li>
        </ul>
        <t>The revised algorithm for applying cryptographic protection to a message is as follows:</t>
        <ul spacing="normal">
          <li>
            <t>If <tt>crypto</tt> contains encryption, and <tt>legacy</tt> is <tt>true</tt>, and <tt>obscures</tt> contains any user-facing headers (see <xref target="user-facing-headers" format="default"/>), wrap <tt>origbody</tt> in a structure that carries a Legacy Display part:
            </t>
            <ul spacing="normal">
              <li>Create a new MIME leaf part <tt>legacydisplay</tt> with header <tt>Content-Type: text/plain; protected-headers="v1"</tt></li>
              <li>
                <t>For each obscured header name <tt>obh</tt> in <tt>obscures</tt>:
                </t>
                <ul spacing="normal">
                  <li>
                    <t>If <tt>obh</tt> is user-facing:
                    </t>
                    <ul spacing="normal">
                      <li>Add <tt>obh: origheaders[obh]</tt> to the body of <tt>legacydisplay</tt>.  For example, if <tt>origheaders['Subject']</tt> is <tt>lunch plans?</tt>, then add the line <tt>Subject: lunch plans?</tt> to the body of <tt>legacydisplay</tt></li>
                    </ul>
                  </li>
                </ul>
              </li>
              <li>Construct a new MIME part <tt>wrapper</tt> with <tt>Content-Type: multipart/mixed</tt></li>
              <li>Give <tt>wrapper</tt> exactly two subparts: <tt>legacydisplay</tt> and <tt>origbody</tt>, in that order.</li>
              <li>Let <tt>payload</tt> be MIME part <tt>wrapper</tt></li>
            </ul>
          </li>
          <li>
            <t>Otherwise:
            </t>
            <ul spacing="normal">
              <li>Let <tt>payload</tt> be MIME part <tt>origbody</tt></li>
            </ul>
          </li>
          <li>
            <t>For each header name <tt>h</tt> in <tt>origheaders</tt>:
            </t>
            <ul spacing="normal">
              <li>Set header <tt>h</tt> of MIME part <tt>payload</tt> to <tt>origheaders[h]</tt></li>
            </ul>
          </li>
          <li>Set the <tt>protected-headers</tt> parameter on the <tt>Content-Type</tt> of <tt>payload</tt> to <tt>v1</tt></li>
          <li>Apply <tt>crypto</tt> to <tt>payload</tt>, producing MIME tree <tt>output</tt></li>
          <li>
            <t>If <tt>crypto</tt> contains encryption:
            </t>
            <ul spacing="normal">
              <li>
                <t>For each obscured header name <tt>obh</tt> in <tt>obscures</tt>:
                </t>
                <ul spacing="normal">
                  <li>
                    <t>If <tt>obscures[obh]</tt> is <tt>null</tt>:
                    </t>
                    <ul spacing="normal">
                      <li>Drop <tt>obh</tt> from <tt>origheaders</tt></li>
                    </ul>
                  </li>
                  <li>
                    <t>Else:
                    </t>
                    <ul spacing="normal">
                      <li>Set <tt>origheaders[obh]</tt> to <tt>obscures[obh]</tt></li>
                    </ul>
                  </li>
                </ul>
              </li>
            </ul>
          </li>
          <li>
            <t>For each header name <tt>h</tt> in <tt>origheaders</tt>:
            </t>
            <ul spacing="normal">
              <li>Set header <tt>h</tt> of <tt>output</tt> to <tt>origheaders[h]</tt></li>
            </ul>
          </li>
          <li>Return <tt>output</tt></li>
        </ul>
        <t>Note that both new parameters, <tt>obscures</tt> and <tt>legacy</tt>, are effectively ignored if <tt>crypto</tt> does not contain encryption.
This is by design, because they are irrelevant for signed-only cryptographic protections.</t>
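        <t>The composition steps above, written out with Python's standard <tt>email</tt> package as an added example (not code from this draft or from any MUA). <tt>StubCrypto</tt> is a hypothetical stand-in for <tt>crypto</tt> that performs no cryptography and only records the payload it was given; its <tt>encrypts</tt> attribute is an assumed way to ask whether <tt>crypto</tt> contains encryption, and the sample message is constructed.</t>
        <sourcecode type="python"><![CDATA[
```python
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# User-facing headers as enumerated in this document (matched case-insensitively).
USER_FACING = {"subject", "from", "to", "cc", "date", "reply-to", "followup-to"}


class StubCrypto:
    """Hypothetical stand-in for `crypto`. It performs NO cryptography: it only
    builds the PGP/MIME envelope shape and remembers the payload it was given."""

    def __init__(self, encrypts):
        self.encrypts = encrypts    # assumed flag: does crypto contain encryption?
        self.payload = None

    def __call__(self, payload):
        self.payload = payload
        if self.encrypts:
            env = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
            env.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
            env.attach(MIMEApplication(b"[ciphertext placeholder]", "octet-stream"))
        else:
            env = MIMEMultipart("signed", protocol="application/pgp-signature")
            env.attach(payload)
            env.attach(MIMEApplication(b"[signature placeholder]", "pgp-signature"))
        return env


def compose_protected(origbody, origheaders, crypto, obscures=None, legacy=False):
    headers = dict(origheaders)         # leave the caller's table untouched
    obscures = dict(obscures or {})
    # Keys of `obscures` are assumed to be spelled as in `origheaders`.
    hidden = [h for h in obscures if h.lower() in USER_FACING and h in headers]

    if crypto.encrypts and legacy and hidden:
        # Legacy Display part: only the user-facing headers being obscured.
        text = "".join(f"{h}: {headers[h]}\n" for h in hidden)
        legacydisplay = MIMEText(text, "plain")
        legacydisplay.set_param("protected-headers", "v1")
        legacydisplay["Content-Disposition"] = "inline"
        # The Legacy Display section says the original body SHOULD be inline too.
        if "Content-Disposition" not in origbody:
            origbody["Content-Disposition"] = "inline"
        payload = MIMEMultipart("mixed")
        payload.attach(legacydisplay)
        payload.attach(origbody)
    else:
        payload = origbody

    # Protected Headers: every non-structural header goes on the payload root.
    for name, value in headers.items():
        del payload[name]               # no-op when the header is absent
        payload[name] = value
    payload.set_param("protected-headers", "v1")

    output = crypto(payload)

    # Only now are the Exposed Headers obscured; the payload keeps the originals.
    if crypto.encrypts:
        for name, replacement in obscures.items():
            if replacement is None:     # stands in for the draft's `null`
                headers.pop(name, None)
            else:
                headers[name] = replacement

    for name, value in headers.items():
        del output[name]
        output[name] = value
    return output


def sample_message():
    """Constructed sample input: a one-part body and its non-structural headers."""
    body = MIMEText("Noon at the usual place?\n", "plain")
    headers = {"From": "alice@example.org", "To": "bob@example.org",
               "Subject": "lunch plans?"}
    return body, headers


if __name__ == "__main__":
    body, headers = sample_message()
    crypto = StubCrypto(encrypts=True)
    out = compose_protected(body, headers, crypto, {"Subject": "..."}, legacy=True)
    print("exposed:", out["Subject"], "| protected:", crypto.payload["Subject"])
```
]]></sourcecode>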
      </section>
    </section>
    <section anchor="legacy-display" numbered="true" toc="default">
      <name>Legacy Display</name>
      <t>MUAs typically display user-facing headers (<xref target="user-facing-headers" format="default"/>) directly to the user.
An encrypted message may be read by a decryption-capable legacy MUA that is unaware of this standard.
The user of such a legacy client risks losing access to any obscured headers.</t>
      <t>This section presents a workaround to mitigate this risk by restructuring the Cryptographic Payload before encrypting to include a "Legacy Display" part.</t>
      <section anchor="message-generation-including-a-legacy-display-part" numbered="true" toc="default">
        <name>Message Generation: Including a Legacy Display Part</name>
        <t>A generating MUA that wants to make an Obscured Subject (or any other user-facing header) visible to a recipient using a legacy MUA SHOULD modify the Cryptographic Payload by wrapping the intended body of the message in a <tt>multipart/mixed</tt> MIME part that prefixes the intended body with a Legacy Display part.</t>
        <t>The Legacy Display part MUST be of Content-Type <tt>text/plain</tt> or <tt>text/rfc822-headers</tt> (<tt>text/plain</tt> is RECOMMENDED), and MUST contain a <tt>protected-headers</tt> parameter whose value is <tt>v1</tt>.
It SHOULD be marked with <tt>Content-Disposition: inline</tt> to encourage recipients to render it.</t>
        <t>The contents of the Legacy Display part MUST be only the user-facing headers that the sending MUA intends to obscure after encryption.</t>
        <t>The original body (now a subpart) SHOULD also be marked with <tt>Content-Disposition: inline</tt> to discourage legacy clients from presenting it as an attachment.</t>
        <section anchor="legacy-display-transformation" numbered="true" toc="default">
          <name>Legacy Display Transformation</name>
          <t>Consider a message whose Cryptographic Payload, before encrypting, that would have a traditional <tt>multipart/alternative</tt> structure:</t>
          <artwork name="" type="" align="left" alt=""><![CDATA[
X └┬╴multipart/alternative
Y  ├─╴text/plain
Z  └─╴text/html
]]></artwork>
          <t>When adding a Legacy Display part, this structure becomes:</t>
          <artwork name="" type="" align="left" alt=""><![CDATA[
V └┬╴multipart/mixed
W  ├─╴text/plain ("Legacy Display" part)
X  └┬╴multipart/alternative ("original body")
Y   ├─╴text/plain
Z   └─╴text/html
]]></artwork>
          <t>Note that with the inclusion of the Legacy Display part, the Cryptographic Payload is the <tt>multipart/mixed</tt> part (part <tt>V</tt> in the example above), so Protected Headers should be placed at that part.</t>
        </section>
        <section anchor="when-to-generate-legacy-display" numbered="true" toc="default">
          <name>When to Generate Legacy Display</name>
          <t>A MUA SHOULD transform a Cryptographic Payload to include a Legacy Display part only when:</t>
          <ul spacing="normal">
            <li>The message is going to be encrypted, and</li>
            <li>At least one user-facing header (see <xref target="user-facing-headers" format="default"/>) is going to be obscured</li>
          </ul>
          <t>Additionally, if the sender knows that the recipient's MUA is capable of interpreting Protected Headers, it SHOULD NOT attempt to include a Legacy Display part.
(Signalling such a capability is out of scope for this document.)</t>
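          <t>The transformation and the generation conditions above can be sketched with Python's standard <tt>email</tt> package. This is an added example, not code from this document or from any MUA; the function names, the <tt>USER_FACING</tt> list and the sample values are assumptions of the example.</t>
          <sourcecode type="python"><![CDATA[
```python
from email.message import MIMEPart

# Assumption: this list stands in for the document's definition of
# user-facing headers, which lives in a section outside this excerpt.
USER_FACING = ("subject", "from", "to", "cc", "date", "reply-to", "followup-to")

# Constructed sample values, modelled on the document's test vectors.
SAMPLE_HEADERS = {
    "From": "Alice Lovelace <alice@openpgp.example>",
    "To": "Bob Babbage <bob@openpgp.example>",
    "Subject": "The FooCorp contract",
}


def sample_body():
    """Constructed multipart/alternative body (part X in the diagrams)."""
    body = MIMEPart()
    body.set_content("Bob, we need to cancel this contract.\n")
    body.add_alternative("<p>Bob, we need to cancel this contract.</p>\n",
                         subtype="html")
    return body


def needs_legacy_display(will_encrypt, obscured, recipient_supports_ph=False):
    """Conditions from "When to Generate Legacy Display"."""
    if not will_encrypt or recipient_supports_ph:
        return False
    return any(name.lower() in USER_FACING for name in obscured)


def build_payload(body, protected, obscured, will_encrypt=True,
                  recipient_supports_ph=False):
    """Return the Cryptographic Payload to hand to the encryption step.

    body      -- MIMEPart holding the intended message body
    protected -- dict of the real header values (the Protected Headers)
    obscured  -- names of headers that will be obscured on the outside
    """
    if not needs_legacy_display(will_encrypt, obscured, recipient_supports_ph):
        payload = body
    else:
        # Legacy Display part: only the user-facing headers being obscured.
        shown = [n for n in obscured
                 if n.lower() in USER_FACING and n in protected]
        legacy = MIMEPart()
        legacy.set_content(
            "".join(f"{n}: {protected[n]}\n" for n in shown),
            disposition="inline",
            params={"protected-headers": "v1"},
        )
        # Mark the original body inline so legacy clients do not present
        # it as an attachment.
        if "Content-Disposition" not in body:
            body["Content-Disposition"] = "inline"
        # New multipart/mixed wrapper (part V): Legacy Display, then body.
        payload = MIMEPart()
        payload["Content-Type"] = "multipart/mixed"
        payload.attach(legacy)
        payload.attach(body)
    # The Protected Headers go on the root of the Cryptographic Payload,
    # which is the wrapper whenever a Legacy Display part was added.
    payload.set_param("protected-headers", "v1")
    for name, value in protected.items():
        payload[name] = value
    return payload
```
]]></sourcecode>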
        </section>
      </section>
      <section anchor="no-render-legacy-display" numbered="true" toc="default">
        <name>Message Rendering: Omitting a Legacy Display Part</name>
        <t>A MUA that understands Protected Headers may receive an encrypted message that contains a Legacy Display part.
Such an MUA SHOULD avoid rendering the Legacy Display part to the user at all, since it is aware of and can render the actual Protected Headers.</t>
        <t>If a Legacy Display part is detected, the Protected Headers should still be pulled from the Cryptographic Payload (part <tt>V</tt> in the example above), but the body of the message SHOULD be rendered as though it were only the original body (part <tt>X</tt> in the example above).</t>
        <section anchor="legacy-display-detection-algorithm" numbered="true" toc="default">
          <name>Legacy Display Detection Algorithm</name>
          <t>A receiving MUA acting on a message SHOULD detect the presence of a Legacy Display part and the corresponding "original body" with the following simple algorithm:</t>
          <ul spacing="normal">
            <li>
              <t>Check that all of the following are true for the message:</t>
              <ul spacing="normal">
                <li>The Cryptographic Envelope must contain an encrypting Cryptographic Layer</li>
                <li>The Cryptographic Payload must have a <tt>Content-Type</tt> of <tt>multipart/mixed</tt></li>
                <li>The Cryptographic Payload must have exactly two subparts</li>
                <li>The first subpart of the Cryptographic Payload must have a <tt>Content-Type</tt> of <tt>text/plain</tt> or <tt>text/rfc822-headers</tt></li>
                <li>The first subpart of the Cryptographic Payload's <tt>Content-Type</tt> must contain a property of <tt>protected-headers</tt>, and its value must be <tt>v1</tt>.</li>
              </ul>
            </li>
            <li>If all of the above are true, then the first subpart is the Legacy Display part, and the second subpart is the "original body". Otherwise, the message does not have a Legacy Display part.</li>
          </ul>
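          <t>One way to implement this detection algorithm, together with the rendering rule from the parent section, using Python's standard <tt>email</tt> package. This is an added example, not code from this document or from any MUA; the function names, the <tt>envelope_encrypted</tt> flag (supplied by whatever code decrypted the message) and the sample payload are assumptions of the example.</t>
          <sourcecode type="python"><![CDATA[
```python
from email import message_from_string, policy

# Constructed sample: an already-decrypted Cryptographic Payload that
# carries a Legacy Display part in front of the original body.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="6ae"; protected-headers="v1"
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Subject: The FooCorp contract

--6ae
Content-Type: text/plain; charset="us-ascii"; protected-headers="v1"
Content-Disposition: inline

Subject: The FooCorp contract

--6ae
Content-Type: multipart/alternative; boundary="alt"
Content-Disposition: inline

--alt
Content-Type: text/plain; charset="us-ascii"

Bob, we need to cancel this contract.

--alt
Content-Type: text/html; charset="us-ascii"

<p>Bob, we need to cancel this contract.</p>

--alt--

--6ae--
"""


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def split_legacy_display(payload, envelope_encrypted):
    """Return (legacy_display_part, original_body).

    legacy_display_part is None when any check fails; the payload itself
    is then the body to render.
    """
    # The envelope must contain an encrypting layer.
    if not envelope_encrypted:
        return None, payload
    # The payload must be multipart/mixed with exactly two subparts.
    if payload.get_content_type() != "multipart/mixed":
        return None, payload
    parts = list(payload.iter_parts())
    if len(parts) != 2:
        return None, payload
    first, second = parts
    # The first subpart must be text/plain or text/rfc822-headers ...
    if first.get_content_type() not in ("text/plain", "text/rfc822-headers"):
        return None, payload
    # ... and carry protected-headers="v1" on its Content-Type.
    if first.get_param("protected-headers") != "v1":
        return None, payload
    return first, second


def render(payload, envelope_encrypted):
    """Return (subject, body_text) as a Protected-Headers-aware MUA shows it.

    The subject comes from the payload root; the Legacy Display part, when
    detected, is skipped and only the original body is rendered.
    """
    _legacy, body = split_legacy_display(payload, envelope_encrypted)
    text_part = body.get_body(preferencelist=("plain",))
    text = text_part.get_content().strip() if text_part is not None else ""
    return str(payload.get("Subject", "")), text
```
]]></sourcecode>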
        </section>
      </section>
      <section anchor="legacy-display-is-decorative-and-transitional" numbered="true" toc="default">
        <name>Legacy Display is Decorative and Transitional</name>
        <t>As the above makes clear, the Legacy Display part is strictly decorative, for the benefit of legacy decryption-capable MUAs that may handle the message.
As such, the existence of the Legacy Display part and its <tt>multipart/mixed</tt> wrapper are part of a transition plan.</t>
        <t>As the number of decryption-capable clients that understand Protected Headers grows in comparison to the number of legacy decryption-capable clients, it is expected that some senders will decide to stop generating Legacy Display parts entirely.</t>
        <t>A MUA developer concerned about accessibility of the Subject header for their users of encrypted mail when Legacy Display parts are omitted SHOULD implement the Protected Headers scheme described in this document.</t>
      </section>
    </section>
    <section anchor="message-interpretation" numbered="true" toc="default">
      <name>Message Interpretation</name>
      <t>This document does not currently provide comprehensive recommendations on how to interpret Protected Headers. This is deliberate; research and development is still ongoing. We also recognize that the tolerance of different user groups for false positives (benign conditions misidentified as security risks), vs. their need for strong protections varies a great deal and different MUAs will take different approaches as a result.</t>
      <t>Some common approaches are discussed below.</t>
      <section anchor="reverse-copying" numbered="true" toc="default">
        <name>Reverse-Copying</name>
        <t>One strategy for interpreting Protected Headers on an incoming message is to simply ignore any Exposed Header for which a Protected counterpart is available.
This is often implemented as a copy operation (copying header back out of the Cryptographic Payload into the main message header) within the code which takes care of parsing the message.</t>
        <t>A MUA implementing this strategy should pay special attention to any user-facing headers (<xref target="user-facing-headers" format="default"/>).
If a message has Protected Headers, and a user-facing header is among the Exposed Headers but missing from the Protected Headers, then an MUA implementing this strategy SHOULD delete the identified Exposed Header before presenting the message to the user.</t>
        <t>This strategy does not risk raising a false alarm about harmless deviations, but conversely it does nothing to inform the user if they are under attack.
This strategy does successfully mitigate and thwart some attacks, including signature replay attacks (<xref target="signature-replay" format="default"/>) and participant modification attacks (<xref target="participant-modification" format="default"/>).</t>
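        <t>A sketch of reverse-copying over parsed messages, using Python's standard <tt>email</tt> package. This is an added example, not code from this document or from any MUA; the function names, the <tt>USER_FACING</tt> list, the treatment of <tt>Content-*</tt> and <tt>MIME-Version</tt> as structural rather than Protected Headers, and both sample messages are assumptions of the example.</t>
        <sourcecode type="python"><![CDATA[
```python
from email import message_from_string, policy

# Assumption: this list stands in for the document's definition of
# user-facing headers, which lives in a section outside this excerpt.
USER_FACING = ("subject", "from", "to", "cc", "date", "reply-to", "followup-to")

# Constructed sample: outer (Exposed) headers as received. Subject and Cc
# differ from what the sender protected.
OUTER = """\
Received: from localhost (localhost [127.0.0.1]); Sun, 20 Oct 2019 09:00:17 -0400
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Cc: Carol Example <carol@openpgp.example>
Subject: The BarCorp contract
Message-ID: <constructed@protected-headers.example>

"""

# Constructed sample: the verified Cryptographic Payload of that message.
PAYLOAD = """\
Content-Type: text/plain; charset="us-ascii"; protected-headers="v1"
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Subject: The FooCorp contract
Message-ID: <constructed@protected-headers.example>

Bob, we need to cancel this contract.
"""


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def protected_headers(payload):
    """Headers on the payload root, minus the structural MIME headers."""
    return [(n, str(v)) for n, v in payload.items()
            if not n.lower().startswith("content-")
            and n.lower() != "mime-version"]


def reverse_copy(outer, payload, user_facing=USER_FACING):
    """Return (headers_to_show, dropped_names).

    An Exposed Header with a Protected counterpart is ignored in favour
    of the Protected value. A user-facing Exposed Header without a
    Protected counterpart is deleted. Other Exposed Headers are kept.
    """
    prot = protected_headers(payload)
    prot_names = {n.lower() for n, _ in prot}
    shown, dropped = [], []
    for name, value in outer.items():
        low = name.lower()
        if low in prot_names:
            continue                  # superseded by the Protected value
        if low in user_facing:
            dropped.append(name)      # unprotected user-facing header
            continue
        shown.append((name, str(value)))
    shown.extend(prot)                # copy Protected Headers back out
    return shown, dropped
```
]]></sourcecode>
        <t>The caller gets the dropped names back so it can log them; the strategy itself presents nothing about them to the user.</t>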
      </section>
      <section anchor="signature-invalidation" numbered="true" toc="default">
        <name>Signature Invalidation</name>
        <t>An alternate strategy for interpreting Protected Headers is to consider the cryptographic signature on a message to be invalid if the Exposed Headers deviate from their Protected counterparts.</t>
        <t>This state should be presented to the user using the same interface as other signature verification failures.</t>
        <t>A MUA implementing this strategy MAY want to make a special exception for the <tt>Subject:</tt> header, to avoid invalidating the signature on any signed and encrypted message with a confidential subject.</t>
        <t>Note that simple signature invalidation may be insufficient to defend against a participant modification attack (<xref target="participant-modification" format="default"/>).</t>
      </section>
      <section anchor="the-legacy-display-part" numbered="true" toc="default">
        <name>The Legacy Display Part</name>
        <t>This part is purely decorative, for the benefit of any recipient using a legacy decryption-capable MUA.
See <xref target="no-render-legacy-display" format="default"/> for details and recommendations on how to handle the Legacy Display part.</t>
      </section>
      <section anchor="replying-to-a-message-with-obscured-headers" numbered="true" toc="default">
        <name>Replying to a Message with Obscured Headers</name>
        <t>When replying to a message, many MUAs copy headers from the original message into their reply.</t>
        <t>When replying to an encrypted message, users expect the replying MUA to generate an encrypted message if possible.
If encryption is not possible, and the reply will be cleartext, users typically want the MUA to avoid leaking previously-encrypted content into the cleartext of the reply.</t>
        <t>For this reason, an MUA replying to an encrypted message with Obscured Headers SHOULD NOT leak the cleartext of any Obscured Headers into the cleartext of the reply, whether encrypted or not.</t>
        <t>In particular, the contents of any Obscured Protected Header from the original message SHOULD NOT be placed in the Exposed Headers of the reply message.</t>
      </section>
    </section>
    <section anchor="common-pitfalls" numbered="true" toc="default">
      <name>Common Pitfalls and Guidelines</name>
      <t>Among the MUA authors who already implemented most of this specification,
several alternative or more encompassing specifications were discussed and
sometimes tried out in practice. This section highlights a few "pitfalls" and
guidelines based on these discussions and lessons learned.</t>
      <section anchor="misunderstood-obscured-subjects" numbered="true" toc="default">
        <name>Misunderstood Obscured Subjects</name>
        <t>There were many discussions around what text phrase to use to obscure the <tt>Subject:</tt>.
Text phrases such as <tt>Encrypted Message</tt> were tried but resulted in both localization problems and user confusion.</t>
        <t>If the natural language phrase for the obscured <tt>Subject:</tt> is not localized (e.g. just English <tt>Encrypted Message</tt>), then it may be incomprehensible to a non-English-speaking recipient who uses a legacy MUA that renders the obscured <tt>Subject:</tt> directly.</t>
        <t>On the other hand, if it is localized based on the sender's MUA language settings, there is no guarantee that the recipient prefers the same language as the sender (consider a German speaker sending English text to an Anglophone).
There is no standard way for a sending MUA to infer the language preferred by the recipient (aside from statistical inference of language based on the composed message, which would in turn leak information about the supposedly-confidential message body).</t>
        <t>Furthermore, implementors found that the phrase <tt>Encrypted Message</tt> in the subject line was sometimes understood by users to be an indication from the MUA that the message was actually encrypted.
In practice, when some MUA failed to encrypt a message in a thread that started off with an obscured <tt>Subject:</tt>, the value <tt>Re: Encrypted Message</tt> was retained even on those cleartext replies, resulting in user confusion.</t>
        <t>In contrast, using <tt>...</tt> as the obscured <tt>Subject:</tt> was less likely to be seen as an indicator from the MUA of message encryption, and it also neatly sidesteps the localization problems.</t>
      </section>
      <section anchor="replyforward-losing-subjects" numbered="true" toc="default">
        <name>Reply/Forward Losing Subjects</name>
        <t>When the user of a legacy MUA replies to or forwards a message where the Subject has been obscured, it is likely that the new subject will be <tt>Fwd: ...</tt> or <tt>Re: ...</tt> (or the localized equivalent).
This breaks an important feature: people are used to continuity of subject within a thread.  It is especially unfortunate when a new participant is added to a conversation who never saw the original subject.</t>
        <t>At this time, there is no known workaround for this problem. The only solution is to upgrade the MUA to support Protected Headers.</t>
        <t>The authors consider this to be only a minor concern in cases where encryption is being used because confidentiality is important.
However, in more opportunistic cases, where encryption is being used routinely regardless of the sensitivity of message contents, this cost becomes higher.</t>
      </section>
      <section anchor="usability-impact-of-reduced-metadata" numbered="true" toc="default">
        <name>Usability Impact of Reduced Metadata</name>
        <t>Many mail user agents maintain an index of message metadata (including header data), which is used to rapidly construct mailbox overviews and search result listings.
If the process which generates this index does not have access to the encrypted payload of a message, or does not implement Protected Headers, then the index will only contain the obscured versions of the Exposed Headers, in particular an obscured Subject of <tt>...</tt>.</t>
        <t>For sensitive message content, especially in a hosted MUA-as-a-service situation ("webmail") where the metadata index is maintained and stored by a third party, this may be considered a feature as the subject is protected from the third-party.
However, for more routine communications, this harms usability and goes against user expectations.</t>
        <t>Two simple workarounds exist for this use case:</t>
        <ol spacing="normal" type="1">
          <li>If the metadata index is considered secure enough to handle confidential data,
the protected content may be stored directly in the index once it has been decrypted.</li>
          <li>If the metadata index is not trusted, the protected content could be re-encrypted
and encrypted versions stored in the index instead, which are then decrypted by
the client at display time.</li>
        </ol>
        <t>In both cases, the process which decrypts the message and processes the Protected Headers must be able to update the metadata index.</t>
        <t>FIXME: add notes about research topics and other non-simple workarounds, like oblivious server-side indexing, or searching on encrypted data.</t>
      </section>
      <section anchor="obscured-message-id" numbered="true" toc="default">
        <name>Usability Impact of Obscured Message-ID</name>
        <t>Current MUA implementations rely on the outermost Message-ID 
for message processing and indexing purposes. This processing
often happens before any decryption is even attempted. 
Attempting to send a message with an obscured Message-ID header
would result in several MUAs not correctly processing the message,
and would likely be seen as a degradation by users.</t>
        <t>Furthermore, a legacy MUA replying to a message with an obscured <tt>Message-ID:</tt> would be likely to produce threading information (<tt>References:</tt>, <tt>In-Reply-To:</tt>) that would be misunderstood by the original sender.
Implementors generally disapprove of breaking threads.</t>
      </section>
      <section anchor="usability-impact-of-obscured-fromtocc" numbered="true" toc="default">
        <name>Usability Impact of Obscured From/To/Cc</name>
        <t>The impact of obscuring <tt>From:</tt>, <tt>To:</tt>, and <tt>Cc:</tt> headers has similar issues as discussed with obscuring the <tt>Message-ID:</tt> header in <xref target="obscured-message-id" format="default"/>.</t>
        <t>In addition, obscuring these headers is likely to cause difficulties for a legacy client attempting to formulate a correct reply (or "reply all") to a given message.</t>
      </section>
      <section anchor="mailing-list-header-modifications" numbered="true" toc="default">
        <name>Mailing List Header Modifications</name>
        <t>Some popular mailing-list implementations will modify the Exposed Headers of a message in specific, benign ways. In particular, it is common to add markers to the <tt>Subject</tt> line, and it is also common to modify either <tt>From</tt> or <tt>Reply-To</tt> in order to make sure replies go to the list instead of directly to the author of an individual post.</t>
        <t>Depending on how the MUA resolves discrepancies between the Protected Headers and the Exposed Headers of a received message, these mailing list "features" may either break or the MUA may incorrectly interpret them as a security breach.</t>
        <t>Implementors may for this reason choose to implement slightly different strategies for resolving discrepancies, if a message is known to come from such a mailing list. MUAs should at the very least avoid presenting false alarms in such cases.</t>
      </section>
    </section>
    <section anchor="comparison-with-other-header-protection-schemes" numbered="true" toc="default">
      <name>Comparison with Other Header Protection Schemes</name>
      <t>Other header protection schemes have been proposed (in the IETF and elsewhere) that are distinct from this mechanism.
This section documents the differences between those earlier mechanisms and this one, and hypothesizes why it has seen greater interoperable adoption.</t>
      <t>The distinctions include:</t>
      <ul spacing="normal">
        <li>backward compatibility with legacy clients</li>
        <li>compatibility across PGP/MIME and S/MIME</li>
        <li>protection for both confidentiality and signing</li>
      </ul>
      <section anchor="smime-31" numbered="true" toc="default">
        <name>S/MIME 3.1 Header Protection</name>
        <t>S/MIME 3.1 (<xref target="RFC3851" format="default"/>) introduces header protection via <tt>message/rfc822</tt> header parts.</t>
        <t>The problem with this mechanism is that many legacy clients encountering such a message were likely to interpret it as either a forwarded message, or as an unreadable substructure.</t>
        <t>For signed messages, this is particularly problematic - a message that would otherwise have been easily readable by a client that knows nothing about signed messages suddenly shows up as a message-within-a-message, just by virtue of signing.  This has an impact on <em>all</em> clients, whether they are cryptographically-capable or not.</t>
        <t>For encrypted messages, whose interpretation only matters on the smaller set of cryptographically-capable legacy clients, the resulting message rendering is awkward at best.</t>
        <t>Furthermore, formulating a reply to such a message on a legacy client can also leave the user with badly-structured quoted and attributed content.</t>
        <t>Additionally, a message deliberately forwarded in its own right (without preamble or adjacent explanatory notes) could potentially be confused with a message using the declared structure.</t>
        <t>The mechanism described here allows cryptographically-incapable legacy MUAs to read and handle cleartext signed messages without any modifications, and permits cryptographically-capable legacy MUAs to handle encrypted messages without any modifications.</t>
        <t>In particular, the Legacy Display part described in <xref target="legacy-display" format="default"/> makes it feasible for a conformant MUA to generate messages with obscured Subject lines that nonetheless give access to the obscured Subject header for recipients with legacy MUAs.</t>
      </section>
      <section anchor="the-content-type-property-forwardedno-forwardedno" numbered="true" toc="default">
        <name>The Content-Type Property "forwarded=no"</name>
        <t>Section A.1.2 of <xref target="I-D.draft-ietf-lamps-header-protection-requirements-01" format="default"/> refers to a proposal that attempts to mitigate one of the drawbacks of the scheme described in S/MIME 3.1 (<xref target="smime-31" format="default"/>).</t>
        <t>In particular, using the Content-Type property <tt>forwarded="no"</tt> allows <em>non-legacy</em> clients to distinguish between deliberately forwarded messages and those intended to use the defined structure for header protection.</t>
        <t>However, this fix has no impact on the confusion experienced by legacy clients.</t>
      </section>
      <section anchor="pep-header-protection" numbered="true" toc="default">
        <name>pEp Header Protection</name>
        <t><xref target="I-D.draft-luck-lamps-pep-header-protection-03" format="default"/> is applicable only to signed+encrypted mail, and does not contemplate protection of signed-only mail.</t>
        <t>In addition, the pEp header protection involved for "pEp message format 2" has an additional <tt>multipart/mixed</tt> layer designed to facilitate transfer of OpenPGP Transferable Public Keys, which seems orthogonal to the effort to protect headers.</t>
        <t>Finally, that draft suggests that the exposed Subject header be one of "=?utf-8?Q?p=E2=89=A1p?=", "pEp", or "Encrypted message".
"pEp" is a mysterious choice for most users, and see <xref target="misunderstood-obscured-subjects" format="default"/> for more commentary on why "Encrypted message" is likely to be problematic.</t>
      </section>
      <section anchor="dkim" numbered="true" toc="default">
        <name>DKIM</name>
        <t><xref target="RFC6736" format="default"/> offers DKIM, which is often used to sign headers associated with a message.</t>
        <t>DKIM is orthogonal to the work described in this document, since it is typically done by the domain operator and not the end user generating the original message.
That is, DKIM is not "end-to-end" and does not represent the intent of the entity generating the message.</t>
        <t>Furthermore, a DKIM signer does not have access to headers inside an encrypted Cryptographic Layer, and a DKIM verifier cannot effectively use DKIM to verify such confidential headers.</t>
      </section>
      <section anchor="smime-secure-headers" numbered="true" toc="default">
        <name>S/MIME "Secure Headers"</name>
        <t><xref target="RFC7508" format="default"/> describes a mechanism that embeds message header fields in the S/MIME signature using ASN.1.</t>
        <t>The mechanism proposed in that draft is undefined for use with PGP/MIME.
While all S/MIME clients must be able to handle CMS and ASN.1 as well as MIME, a standard that works at the MIME layer itself should be applicable to any MUA that can work with MIME, regardless of whether end-to-end security layers are provided by S/MIME or PGP/MIME.</t>
        <t>That mechanism also does not propose a means to provide confidentiality protection for headers within an encrypted-but-not-signed message.</t>
        <t>Finally, that mechanism offers no equivalent to the Legacy Display described in <xref target="legacy-display" format="default"/>.
Instead, sender and receiver are expected to negotiate in some unspecified way to ensure that it is safe to remove or modify Exposed Headers in an encrypted message.</t>
      </section>
      <section anchor="triple-wrapping" numbered="true" toc="default">
        <name>Triple-Wrapping</name>
        <t><xref target="RFC2634" format="default"/> defines "Triple Wrapping" as a means of providing cleartext signatures over signed and encrypted material.
This can be used in combination with the mechanism described in <xref target="RFC7508" format="default"/> to authenticate some headers for transport using S/MIME.</t>
        <t>But it does not offer confidentiality protection for the protected headers, and the signer of the outer layer of a triple-wrapped message may not be the originator of the message either.</t>
        <t>In practice on today's Internet, DKIM (<xref target="RFC6736" format="default"/>) provides a more widely-accepted cryptographic header-verification-for-transport mechanism than triple-wrapped messages.</t>
      </section>
    </section>
    <section anchor="test-vectors" numbered="true" toc="default">
      <name>Test Vectors</name>
      <t>The subsections below provide example messages that implement the Protected Header scheme.</t>
      <t>The secret keys and OpenPGP certificates from <xref target="I-D.draft-bre-openpgp-samples-00" format="default"/> can be used to decrypt and verify the PGP/MIME messages.</t>
      <t>The secret keys and X.509 certificates from <xref target="I-D.draft-dkg-lamps-samples-01" format="default"/> can be used to decrypt and verify the S/MIME messages.</t>
      <t>All test vectors are provided in textual source form as <xref target="RFC5322" format="default"/> messages.</t>
      <t>For easy access to these test vectors, they are also available at <tt>imap://bob@protected-headers.cmrg.net/inbox</tt> using any password for authentication.
This IMAP account is read-only, and any flags set or cleared on the messages will persist only for the duration of the specific IMAP session.</t>
      <section anchor="test-vector-pgp-signed-only" numbered="true" toc="default">
        <name>Signed PGP/MIME Message with Protected Headers</name>
        <t>This shows a clearsigned PGP/MIME message.  Its MIME message structure is:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
└┬╴multipart/signed
 ├─╴text/plain ← Cryptographic Payload
 └─╴application/pgp-signature
]]></artwork>
        <t>Note that if this message had been generated without Protected Headers, then an attacker with access to it could modify the Subject without invalidating the signature.
Such an attacker could cause Bob to think that Alice wanted to cancel the contract with BarCorp instead of FooCorp.</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Received: from localhost (localhost [127.0.0.1]); Sun, 20 Oct 2019
 09:00:17 -0400 (UTC-04:00)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="fee";
 protocol="application/pgp-signature"; micalg="pgp-sha512"
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Sun, 20 Oct 2019 09:00:00 -0400
Subject: The FooCorp contract
Message-ID: <pgpmime-signed@protected-headers.example>

--fee
Content-Type: text/plain; charset="us-ascii"; protected-headers="v1"
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Sun, 20 Oct 2019 09:00:00 -0400
Subject: The FooCorp contract
Message-ID: <pgpmime-signed@protected-headers.example>

Bob, we need to cancel this contract.

Please start the necessary processes to make that happen today.

(this is the 'pgpmime-signed' message)

Thanks, Alice
-- 
Alice Lovelace
President
Example Corp

--fee
content-type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

wnUEARYKAB0FAl2sWlAWIQTrhbtfozp14V6UTmPyMVUMT0fjjgAKCRDyMVUMT0fj
jtl0AQDtIsRWZVCjbB3TISlcyxLpBfwjaXXV0is5+c4Gd2NNgwEAipDF3m5zIt7t
29cFwQusmCqKqKfdJUf6HOUPF5L/zAI=
=+M9u
-----END PGP SIGNATURE-----

--fee--
]]></artwork>
      </section>
      <section anchor="test-vector-smime-multipart-signed" numbered="true" toc="default">
        <name>S/MIME multipart/signed Message with Protected Headers</name>
        <t>This shows a signed-only S/MIME message using the <tt>multipart/signed</tt> style (see Section 3.5.3 of <xref target="RFC8551" format="default"/>).  Its MIME message structure is:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
└┬╴multipart/signed
 ├─╴text/plain ← Cryptographic Payload
 └─╴application/pkcs7-signature
]]></artwork>
        <t>Note that if this message had been generated without Protected Headers, then an attacker with access to it could modify the Subject without invalidating the signature.
Such an attacker could cause Bob to think that Alice wanted to cancel the contract with BarCorp instead of FooCorp.</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Received: from localhost (localhost [127.0.0.1]); Tue, 26 Nov 2019
 20:03:17 -0400 (UTC-04:00)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="179";
 protocol="application/pkcs7-signature"; micalg="sha-256"
From: Alice Lovelace <alice@smime.example>
To: Bob Babbage <bob@smime.example>
Date: Tue, 26 Nov 2019 20:03:00 -0400
Subject: The FooCorp contract
Message-ID: <smime-multipart-signed@protected-headers.example>

--179
Content-Type: text/plain; charset="us-ascii"; protected-headers="v1"
From: Alice Lovelace <alice@smime.example>
To: Bob Babbage <bob@smime.example>
Date: Tue, 26 Nov 2019 20:03:00 -0400
Subject: The FooCorp contract
Message-ID: <smime-multipart-signed@protected-headers.example>

Bob, we need to cancel this contract.

Please start the necessary processes to make that happen today.

(this is the 'smime-multipart-signed' message)

Thanks, Alice
-- 
Alice Lovelace
President
Example Corp

--179
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"

MIIFhQYJKoZIhvcNAQcCoIIFdjCCBXICAQExDTALBglghkgBZQMEAgEwCwYJKoZI
hvcNAQcBoIIDcjCCA24wggJWoAMCAQICFGeCtFlzUkvB9HFHGWrw/RGKqkwLMA0G
CSqGSIb3DQEBDQUAMC0xKzApBgNVBAMTIlNhbXBsZSBMQU1QUyBDZXJ0aWZpY2F0
ZSBBdXRob3JpdHkwIBcNMTkxMTIwMDY1NDE4WhgPMjA1MjA5MjcwNjU0MThaMBkx
FzAVBgNVBAMTDkFsaWNlIExvdmVsYWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAw+6t+WXRtiQM8yRjWQ2fbFewCodIZUX6BY02TeZuEXoEAGEsmoON
6LlotcUTdGr39FE2K8IytOKkXVexswgAqBCqv8YjVDrI3yV82wrm5Td32TDlw7IS
igak4ZSu+UowPQs8YO3oxqImP4onZNHvdZ3it9EggmgUyZX0dmQ6z5O9yDzHpLMa
E2rXxfYcPXQwPvx4tcqbTf2htEP7PYnBa8a+sts0F7I7kD5ozGYI9dGg/XGs1lYE
WAoH5YZgNFdbkJdcKG2FPAwFcVZ/hoGm6soxkDKMrYSCtBp+fqH8MV11DP821PoO
vtSEnaF8UURbaths2yKpAB2WUJvgW5xa4QIDAQABo4GXMIGUMAwGA1UdEwEB/wQC
MAAwHgYDVR0RBBcwFYETYWxpY2VAc21pbWUuZXhhbXBsZTATBgNVHSUEDDAKBggr
BgEFBQcDBDAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBSsLlRapP1VGK8u6GZE
ONEl0dcAeTAfBgNVHSMEGDAWgBS3Uk1zwIg9ssN6WgzzlPf3gKJ32zANBgkqhkiG
9w0BAQ0FAAOCAQEAe+qOGM+8q1UhXKV6i63BrXSOKvd2iglxAggszUC6eMnrIem6
6mmRzSbcGHCeU6m1MpvYSe9IiROIxjTfsgGUdZbbXtBxSmCASjOBCbphvvtoam1G
i8+LZdOgR2kDwr//TYjWO6vUfXPwerNWMx4cKpFobdmvgLYCeAZKRvoPjJmTEFfw
KO0cCxSifTpTFiwZhFxXKSCTdB6T2rE9JxJfzJqLUrvvEZwpQIt8hX8kym/vKw+1
cbsl3rag2enVP/f4qg/0mUuzkCI8sLXd+N5gAs9wdUZRcTB0gOnUAH9m7RrpqkdC
ogKdypGEQHj6GiamJAe2WndOp4BZdBtBRzjfuzGCAdkwggHVAgEBMEUwLTErMCkG
A1UEAxMiU2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1dGhvcml0eQIUZ4K0WXNS
S8H0cUcZavD9EYqqTAswCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqG
SIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTkxMTI3MDAwMzAwWjAvBgkqhkiG9w0B
CQQxIgQgGeoQw8WDmjB606EKGR5n1oMuV7Te1VjfA2oB2ebW390wDQYJKoZIhvcN
AQEBBQAEggEABblYEWSnYyzL3jTS3AoPr93YKksIZr5q/b8Y5/1rMxdYxPm+iReO
RHRgpbFQeiqZXzRXtMohfoIkh7RmdQoSV4OpwiUmNU+f0ZEAu8cMVJM6gdyUD+1D
JwDNr+YNLV/1UUGhqx0FExOa/4O92KYBD4eRQw4KDWrkfh9dlSj0Bsl4thrZYGLz
e7ut3FN5TBruZfmqMy50xZ9yUW91YyQUBLiIcuF185y5ZW/aQCxBKBbrNNGXLJbo
8yKFJqSPiWZvwUmVQvfgL182hg823OJTtP4VImcUakTF0+k+BM//qqKXYrlX/tZn
QzG+4ZH/XM1vgHl7ShjHS6TSOHz2ODqD6Q==

--179--
]]></artwork>
      </section>
      <section anchor="test-vector-smime-onepart-signed" numbered="true" toc="default">
        <name>S/MIME application/pkcs7-mime SignedData Message with Protected Headers</name>
        <t>This shows a signed-only S/MIME message using the <tt>application/pkcs7-mime</tt> style (see Section 3.5.2 of <xref target="RFC8551" format="default"/>).  Its MIME message structure is:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
└─╴application/pkcs7-mime smime-type="signed-data"
 ⇩ (unwraps to)
 └─╴text/plain ← Cryptographic Payload
]]></artwork>
        <t>Note that if this message had been generated without Protected Headers, then an attacker with access to it could modify the Subject without invalidating the signature.
Such an attacker could cause Bob to think that Alice wanted to cancel the contract with BarCorp instead of FooCorp.</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Received: from localhost (localhost [127.0.0.1]); Tue, 26 Nov 2019
 20:06:17 -0400 (UTC-04:00)
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="signed-data"
MIME-Version: 1.0
From: Alice Lovelace <alice@smime.example>
To: Bob Babbage <bob@smime.example>
Date: Tue, 26 Nov 2019 20:06:00 -0400
Subject: The FooCorp contract
Message-ID: <smime-onepart-signed@protected-headers.example>

MIIHhQYJKoZIhvcNAQcCoIIHdjCCB3ICAQExDTALBglghkgBZQMEAgEwggIJBgkq
hkiG9w0BBwGgggH6BIIB9kNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbjsgY2hhcnNl
dD0idXMtYXNjaWkiOyBwcm90ZWN0ZWQtaGVhZGVycz0idjEiDQpGcm9tOiBBbGlj
ZSBMb3ZlbGFjZSA8YWxpY2VAc21pbWUuZXhhbXBsZT4NClRvOiBCb2IgQmFiYmFn
ZSA8Ym9iQHNtaW1lLmV4YW1wbGU+DQpEYXRlOiBUdWUsIDI2IE5vdiAyMDE5IDIw
OjA2OjAwIC0wNDAwDQpTdWJqZWN0OiBUaGUgRm9vQ29ycCBjb250cmFjdA0KTWVz
c2FnZS1JRDogPHNtaW1lLW9uZXBhcnQtc2lnbmVkQHByb3RlY3RlZC1oZWFkZXJz
LmV4YW1wbGU+DQoNCkJvYiwgd2UgbmVlZCB0byBjYW5jZWwgdGhpcyBjb250cmFj
dC4NCg0KUGxlYXNlIHN0YXJ0IHRoZSBuZWNlc3NhcnkgcHJvY2Vzc2VzIHRvIG1h
a2UgdGhhdCBoYXBwZW4gdG9kYXkuDQoNCih0aGlzIGlzIHRoZSAnc21pbWUtb25l
cGFydC1zaWduZWQnIG1lc3NhZ2UpDQoNClRoYW5rcywgQWxpY2UNCi0tIA0KQWxp
Y2UgTG92ZWxhY2UNClByZXNpZGVudA0KRXhhbXBsZSBDb3JwDQqgggNyMIIDbjCC
AlagAwIBAgIUZ4K0WXNSS8H0cUcZavD9EYqqTAswDQYJKoZIhvcNAQENBQAwLTEr
MCkGA1UEAxMiU2FtcGxlIExBTVBTIENlcnRpZmljYXRlIEF1dGhvcml0eTAgFw0x
OTExMjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowGTEXMBUGA1UEAxMOQWxpY2Ug
TG92ZWxhY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD7q35ZdG2
JAzzJGNZDZ9sV7AKh0hlRfoFjTZN5m4RegQAYSyag43ouWi1xRN0avf0UTYrwjK0
4qRdV7GzCACoEKq/xiNUOsjfJXzbCublN3fZMOXDshKKBqThlK75SjA9Czxg7ejG
oiY/iidk0e91neK30SCCaBTJlfR2ZDrPk73IPMeksxoTatfF9hw9dDA+/Hi1yptN
/aG0Q/s9icFrxr6y2zQXsjuQPmjMZgj10aD9cazWVgRYCgflhmA0V1uQl1wobYU8
DAVxVn+GgabqyjGQMoythIK0Gn5+ofwxXXUM/zbU+g6+1ISdoXxRRFtq2GzbIqkA
HZZQm+BbnFrhAgMBAAGjgZcwgZQwDAYDVR0TAQH/BAIwADAeBgNVHREEFzAVgRNh
bGljZUBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA8GA1UdDwEB
/wQFAwMHoAAwHQYDVR0OBBYEFKwuVFqk/VUYry7oZkQ40SXR1wB5MB8GA1UdIwQY
MBaAFLdSTXPAiD2yw3paDPOU9/eAonfbMA0GCSqGSIb3DQEBDQUAA4IBAQB76o4Y
z7yrVSFcpXqLrcGtdI4q93aKCXECCCzNQLp4yesh6brqaZHNJtwYcJ5TqbUym9hJ
70iJE4jGNN+yAZR1ltte0HFKYIBKM4EJumG++2hqbUaLz4tl06BHaQPCv/9NiNY7
q9R9c/B6s1YzHhwqkWht2a+AtgJ4BkpG+g+MmZMQV/Ao7RwLFKJ9OlMWLBmEXFcp
IJN0HpPasT0nEl/MmotSu+8RnClAi3yFfyTKb+8rD7VxuyXetqDZ6dU/9/iqD/SZ
S7OQIjywtd343mACz3B1RlFxMHSA6dQAf2btGumqR0KiAp3KkYRAePoaJqYkB7Za
d06ngFl0G0FHON+7MYIB2TCCAdUCAQEwRTAtMSswKQYDVQQDEyJTYW1wbGUgTEFN
UFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5AhRngrRZc1JLwfRxRxlq8P0RiqpMCzAL
BglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3
DQEJBTEPFw0xOTExMjcwMDA2MDBaMC8GCSqGSIb3DQEJBDEiBCAKDM98nuDl98sK
i4SDvP2xlxr2SdV/xNVYs6SeGCBRuTANBgkqhkiG9w0BAQEFAASCAQAcryWkSIbG
rrc/aDF1Z4KRnoRpr+fOutQSLV7k0Tgezt+X/kJCIiuLvjUxLrTux1yUWCKUPb6T
KLYASPJpwDXrNzqmGs1pJmWHTZwUhbFVXt16FaQZkDSATtvhQU39Rsot2j1pP/UV
J7+5FPQwNc4dt7MFW7jU4TBHo2VrzjZ2K8ioELPxsixOCAp3ytkhf1Umw6bC5M/u
oWjsa6xzAl4fw5+pxZw0JdbrYn5kmPiekSsYy2/+yOwzrtIYtHW5dY7DoWWXDXtD
cmCGHkO8qry+MnMy3PwvXiX0warQo1fnhXB5tlk2K9YdiDcOtnAshEBXAudnxlPK
JGzeJVUfbfM0
]]></artwork>
        <t>Unwrapping the PKCS7 SignedData yields the following internal message:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Content-Type: text/plain; charset="us-ascii"; protected-headers="v1"
From: Alice Lovelace <alice@smime.example>
To: Bob Babbage <bob@smime.example>
Date: Tue, 26 Nov 2019 20:06:00 -0400
Subject: The FooCorp contract
Message-ID: <smime-onepart-signed@protected-headers.example>

Bob, we need to cancel this contract.

Please start the necessary processes to make that happen today.

(this is the 'smime-onepart-signed' message)

Thanks, Alice
-- 
Alice Lovelace
President
Example Corp
]]></artwork>
      </section>
      <section anchor="pgp-encryptedsigned" numbered="true" toc="default">
        <name>Signed and Encrypted PGP/MIME Message with Protected Headers</name>
        <t>This shows a simple encrypted PGP/MIME message with protected headers.
The encryption also contains a signature in the OpenPGP Message structure.
Its MIME message structure is:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
└┬╴multipart/encrypted
 ├─╴application/pgp-encrypted
 └─╴application/octet-stream
   ↧ (decrypts to)
   └─╴text/plain ← Cryptographic Payload
]]></artwork>
        <t>The <tt>Subject:</tt> header is successfully obscured.</t>
        <t>Note that if this message had been generated without Protected Headers, then an attacker with access to it could have read the Subject.
Such an attacker would know details about Alice and Bob's business that they wanted to keep confidential.</t>
        <t>The protected headers also protect the authenticity of the subject line.</t>
        <t>The session key for this message's Cryptographic Layer is an AES-256 key with value <tt>8df4b2d27d5637138ac6de46415661be0bd01ed12ecf8c1db22a33cf3ede82f2</tt> (in hex).</t>
        <t>If Bob's MUA is capable of interpreting these protected headers, it should render the <tt>Subject:</tt> of this message as <tt>BarCorp contract signed, let's go!</tt>.</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Received: from localhost (localhost [127.0.0.1]); Mon, 21 Oct 2019
 07:09:28 -0700 (UTC-07:00)
MIME-Version: 1.0
Content-Type: multipart/encrypted; boundary="ca4";
 protocol="application/pgp-encrypted"
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:09:00 -0700
Message-ID: <pgpmime-sign+enc@protected-headers.example>
Subject: ...

--ca4
content-type: application/pgp-encrypted

Version: 1

--ca4
content-type: application/octet-stream

-----BEGIN PGP MESSAGE-----

wV4DR2b2udXyHrYSAQdAH1KRyK7qZzNpI7TVprCPo/aOTW9R5hBKcTkKES1Fo3Yw
mtDplfGFN2JMzQ1OVbe2gbcyhrYfs+7Fd4eoZ0geE2cUYn5M951I0se1W+MdMZ/j
wcDMA3wvqk35PDeyAQv/ePyXTBTU98wzM5LcwhWZcCmxCtTgqHmjJmymQKQqJuCA
flrZPG6V6RyidGwmJYf2uDdmlhAHxFbYAalkI+/V3SnO5OSejKvspUtuRnBOW8Ps
luWQ6ANww/o4y/2/SkIodRmwaIBbs/4CaDQivSeBueHnPu0EqxTBNI47dQx9mkdB
Z5PsucuUVSq2SmdIrCM9aLyoUF60NVhdp3mYQaVH12dX19wjZtclTR74t66I/Wsc
FHONiGii/ioJS9LGllnaRiS7carLbtw0s2yJJZPZeRozMPi0o8zgne77wdoF+NyU
LkGtqXvLbPPA9SDGTHgkJ6H+wUhh0OGWebYwpN3F6R7Su1OlYRkQ8kokOmJmZokg
qhDueENW2RsZIg06sydGFaRY5BoGe2EBkcXUVBWqYEMH3Zxz/kAEylVY5sZOqcae
PAlvTF6Y4nNVGVylUvcuJ4DsQbi2AueD7Tl28ha1xJTkzlHlt4UyU878eUfdVLOM
FF+hwbxlo6RBT4uurMee0sHrAUDHma9Kx6XrALINbIl5lfMKKXnKhfQYpfbYbz8J
jVFz0zCxMqmdHZLe/G9mxoksvXrbFf8b5DHfDYGCRvbj+CzERo6KCceaVSpKVGL8
xiwHrjg+vwfn9EG9j+vp3jB39wES/IZZThSnf0JvJA4ePVnfbxcxMqgg/S2isyHf
NAp89ZlX5mznom9efKUoojodNNFsMIt+YNaHEtnjZl+BXstGkXXOiurEt5HuEyRz
+cyjwpnQChz6PuY0Ehsj42mMyGa3167H2kIqtKtxIfl5/qm1df1mlEc7SpmU+uHV
58D22bl/Ukr8vmFu09z7V2U7zXz+FtohuVpeTr3l0UVEFEGIQT4JUqxiavZqMsZE
6DKj6X+fzXdxMyrDd/lD2ikZdllqTuvsuuiFW1OtEbuIKRoYUl6u8t44/KYoHCQK
BWXhyh7lPpfOGkemA3KY0D7yG4caTWmN5GSskGyKqQjiCxa0jKqT1qfNBTxBh4/6
8Ijf/cmlSNjC6ghzuwtNG7wr0mSC0pjQsl7b16Im7FOmP67pputqcFrZOIzVbrS8
vVe0+1X3/5VnmYHCilaI41ln3wGRTlC/j4lIoGNGlJJ9LeOz0DlfIwfIy9aVUDXo
48awW8hYu4Ck42GIJQP9HsQ9fbFzHmyUHhS4h+xGXHTbPFqiPyzsoAT8KDTLMj4y
CKWaqmqXMkuaD7hMc42xW8ziq2ZXZCv1ajDclbkg5rx9R6n4dZL6Cajt7wK2mMHt
giNkCqLU2LuPhw/R9comDDJPFmb6WB/PBrnTrUwrFy4/6du5uK09kwLIUu82UVhm
5xHVqybxIkHGeVNXqRSe3M3w8ERbkXqNp3s7BrGGb1bYdlrPf8h1PTeWi9vfXUdn
wFHr0g3xjeQ9orvJZl5jPuk5NryF2J/iNEh7+sE=
=NT2A
-----END PGP MESSAGE-----

--ca4--
]]></artwork>
        <t>Unwrapping the Cryptographic Layer yields the following content:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:09:00 -0700
Subject: BarCorp contract signed, let's go!
Content-Type: text/plain; charset="us-ascii"; protected-headers="v1"
Message-ID: <pgpmime-sign+enc@protected-headers.example>

Hi Bob!

I just signed the contract with BarCorp and they've set us up with
an account on their system for testing.

The account information is:

        Site: https://barcorp.example/
    Username: examplecorptest
    Password: correct-horse-battery-staple

Please get the account set up and apply the test harness.

Let me know when you've got some results.

(this is the 'pgpmime-sign+enc' message)

Thanks, Alice
-- 
Alice Lovelace
President
Example Corp
]]></artwork>
      </section>
      <section anchor="smime-sign-enc" numbered="true" toc="default">
        <name>Signed and Encrypted S/MIME Message with Protected Headers</name>
        <t>This shows a simple signed and encrypted S/MIME message with protected headers.
Its MIME message structure is:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
└─╴application/pkcs7-mime smime-type="enveloped-data"
 ↧ (decrypts to)
 └─╴application/pkcs7-mime smime-type="signed-data"
  ⇩ (unwraps to)
  └─╴text/plain ← Cryptographic Payload
]]></artwork>
        <t>The <tt>Subject:</tt> header is successfully obscured.</t>
        <t>Note that if this message had been generated without Protected Headers, then an attacker with access to it could have read the Subject.
Such an attacker would know details about Alice and Bob's business that they wanted to keep confidential.</t>
        <t>The protected headers also protect the authenticity of the subject line.</t>
        <t>The session key for this message's Cryptographic Layer is an AES-256 key with value <tt>12e2551896f77e24ce080153cda27dddd789d399bdd87757e65655d956f5f0b7</tt> (in hex).</t>
        <t>If Bob's MUA is capable of interpreting these protected headers, it should render the <tt>Subject:</tt> of this message as <tt>BarCorp contract signed, let's go!</tt>.</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Received: from localhost (localhost [127.0.0.1]); Wed, 27 Nov 2019
 01:15:28 -0700 (UTC-07:00)
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
From: Alice Lovelace <alice@smime.example>
To: Bob Babbage <bob@smime.example>
Date: Wed, 27 Nov 2019 01:15:00 -0700
Message-ID: <smime-sign+enc@protected-headers.example>
Subject: ...
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]]></artwork>
        <t>Unwrapping the outer Cryptographic Layer of this message yields the following MIME part (with its own Cryptographic Layer):</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="signed-data"
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]]></artwork>
        <t>Unwrapping the inner Cryptographic Layer yields the Cryptographic Payload:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
From: Alice Lovelace <alice@smime.example>
To: Bob Babbage <bob@smime.example>
Date: Wed, 27 Nov 2019 01:15:00 -0700
Subject: BarCorp contract signed, let's go!
Content-Type: text/plain; charset="us-ascii"; protected-headers="v1"
Message-ID: <smime-sign+enc@protected-headers.example>

Hi Bob!

I just signed the contract with BarCorp and they've set us up with
an account on their system for testing.

The account information is:

        Site: https://barcorp.example/
    Username: examplecorptest
    Password: correct-horse-battery-staple

Please get the account set up and apply the test harness.

Let me know when you've got some results.

(this is the 'smime-sign+enc' message)

Thanks, Alice
-- 
Alice Lovelace
President
Example Corp
]]></artwork>
      </section>
      <section anchor="signed-and-encrypted-pgpmime-message-with-protected-headers-and-legacy-display-part" numbered="true" toc="default">
        <name>Signed and Encrypted PGP/MIME Message with Protected Headers and Legacy Display Part</name>
        <t>If Alice's MUA wasn't sure whether Bob's MUA would know to render the obscured <tt>Subject:</tt> header correctly, it might include a legacy display part in the cryptographic payload.</t>
        <t>This PGP/MIME message is structured in the following way:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
└┬╴multipart/encrypted
 ├─╴application/pgp-encrypted
 └─╴application/octet-stream
   ↧ (decrypts to)
   └┬╴multipart/mixed ← Cryptographic Payload
    ├─╴text/plain ← Legacy Display Part
    └─╴text/plain
]]></artwork>
        <t>The example below shows the same message as <xref target="pgp-encryptedsigned" format="default"/>.</t>
        <t>If Bob's MUA is capable of handling protected headers, this message should render in the same way as the message in <xref target="pgp-encryptedsigned" format="default"/>, because the MUA will know to omit the Legacy Display part as documented in <xref target="no-render-legacy-display" format="default"/>.</t>
        <t>But if Bob's MUA is capable of decryption but is unaware of protected headers, it will likely render the Legacy Display part for him so that he can at least see the originally-intended <tt>Subject:</tt> line.</t>
        <t>For this message, the session key is an AES-256 key with value <tt>95a71b0e344cce43a4dd52c5fd01deec5118290bfd0792a8a733c653a12d223e</tt> (in hex).</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Received: from localhost (localhost [127.0.0.1]); Mon, 21 Oct 2019
 07:18:28 -0700 (UTC-07:00)
MIME-Version: 1.0
Content-Type: multipart/encrypted; boundary="924";
 protocol="application/pgp-encrypted"
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:18:00 -0700
Message-ID: <pgpmime-sign+enc+legacy-disp@protected-headers.example>
Subject: ...

--924
content-type: application/pgp-encrypted

Version: 1

--924
content-type: application/octet-stream

-----BEGIN PGP MESSAGE-----
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=+l7i
-----END PGP MESSAGE-----

--924--
]]></artwork>
        <t>Decrypting the Cryptographic Layer yields the following content:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:18:00 -0700
Subject: BarCorp contract signed, let's go!
Content-Type: multipart/mixed; boundary="6ae"; protected-headers="v1"
Message-ID: <pgpmime-sign+enc+legacy-disp@protected-headers.example>

--6ae
content-type: text/plain; protected-headers="v1"
Content-Disposition: inline

Subject: BarCorp contract signed, let's go!

--6ae
Content-Type: text/plain; charset="us-ascii"

Hi Bob!

I just signed the contract with BarCorp and they've set us up with
an account on their system for testing.

The account information is:

        Site: https://barcorp.example/
    Username: examplecorptest
    Password: correct-horse-battery-staple

Please get the account set up and apply the test harness.

Let me know when you've got some results.

(this is the 'pgpmime-sign+enc+legacy-disp' message)

Thanks, Alice
-- 
Alice Lovelace
President
Example Corp

--6ae--
]]></artwork>
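        <t>The following Python example is added here as an illustration and is not part of this draft or of any MUA's code. It shows how a receiving MUA could process the decrypted payload above: take the protected headers from the part marked <tt>protected-headers="v1"</tt>, classify each difference from the outer headers, and omit the Legacy Display part from the rendered body. The function names are hypothetical, the signature check result is assumed to be supplied by the caller, and the Legacy Display test is inferred from the structure shown in these examples.</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
```python
from email import message_from_string, policy

# Outer headers and decrypted Cryptographic Payload copied from the example
# above (outer MIME headers omitted, message body shortened).
OUTER = """\
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:18:00 -0700
Message-ID: <pgpmime-sign+enc+legacy-disp@protected-headers.example>
Subject: ...

"""

PAYLOAD = """\
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:18:00 -0700
Subject: BarCorp contract signed, let's go!
Content-Type: multipart/mixed; boundary="6ae"; protected-headers="v1"
Message-ID: <pgpmime-sign+enc+legacy-disp@protected-headers.example>

--6ae
content-type: text/plain; protected-headers="v1"
Content-Disposition: inline

Subject: BarCorp contract signed, let's go!

--6ae
Content-Type: text/plain; charset="us-ascii"

Hi Bob!

I just signed the contract with BarCorp.

--6ae--
"""

# Headers that describe the MIME part itself rather than the message.
STRUCTURAL = {"content-type", "content-transfer-encoding",
              "content-disposition", "mime-version"}


def has_marker(part):
    """True if the part's Content-Type carries protected-headers="v1"."""
    return part.get_param("protected-headers") == "v1"


def message_headers(msg):
    """Non-structural headers as {lowercased name: value} (last one wins)."""
    return {k.lower(): str(v) for k, v in msg.items()
            if k.lower() not in STRUCTURAL}


def body_parts(payload):
    """Leaf parts to render, with a Legacy Display part left out."""
    parts = list(payload.iter_parts()) if payload.is_multipart() else [payload]
    # Legacy Display as shown above: first child of a marked multipart/mixed
    # payload, itself text/plain and marked protected-headers="v1".
    if (has_marker(payload)
            and payload.get_content_type() == "multipart/mixed"
            and parts
            and parts[0].get_content_type() == "text/plain"
            and has_marker(parts[0])):
        parts = parts[1:]
    return [leaf for p in parts for leaf in p.walk() if not leaf.is_multipart()]


def render_view(outer_text, payload_text, signature_valid):
    """Headers and text bodies to display, plus outer/protected differences.

    signature_valid is the caller's verdict on the signature layer; pass
    False for an encrypted-only message.
    """
    outer = message_from_string(outer_text, policy=policy.default)
    payload = message_from_string(payload_text, policy=policy.default)
    shown = message_headers(outer)
    # Only a payload carrying the marker contributes protected headers.
    inner = message_headers(payload) if has_marker(payload) else {}
    findings = {}
    for name, value in inner.items():
        outside = shown.get(name)
        if outside is None:
            findings[name] = "missing-outside"
        elif outside == value:
            continue
        elif name == "subject" and outside.strip() == "...":
            findings[name] = "obscured"      # deliberate replacement by sender
        else:
            findings[name] = "mismatch"      # outer copy differs: do not trust it
    shown.update(inner)                      # protected values take precedence
    texts = [p.get_content() for p in body_parts(payload)
             if p.get_content_type() == "text/plain"]
    return {
        "headers": shown,
        "findings": findings,
        # Without a valid signature the headers are confidential at most.
        "headers_authenticated": bool(inner) and signature_valid,
        "bodies": texts,
    }
```
]]></artwork>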
      </section>
      <section anchor="multilayer-pgpmime-message-with-protected-headers" numbered="true" toc="default">
        <name>Multilayer PGP/MIME Message with Protected Headers</name>
        <t>Some mailers may generate signed and encrypted messages with a multilayer cryptographic envelope.
We show here how such a mailer might generate the same message as <xref target="pgp-encryptedsigned" format="default"/>.</t>
        <t>A typical PGP/MIME message like this has the following structure:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
└┬╴multipart/encrypted
 ├─╴application/pgp-encrypted
 └─╴application/octet-stream
  ↧ (decrypts to)
  └┬╴multipart/signed
   ├─╴text/plain ← Cryptographic Payload
   └─╴application/pgp-signature
]]></artwork>
        <t>For this message, the session key is an AES-256 key with value <tt>5e67165ed1516333daeba32044f88fd75d4a9485a563d14705e41d31fb61a9e9</tt> (in hex).</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Received: from localhost (localhost [127.0.0.1]); Mon, 21 Oct 2019
 07:12:28 -0700 (UTC-07:00)
MIME-Version: 1.0
Content-Type: multipart/encrypted; boundary="024";
 protocol="application/pgp-encrypted"
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:12:00 -0700
Message-ID: <pgpmime-layered@protected-headers.example>
Subject: ...

--024
content-type: application/pgp-encrypted

Version: 1

--024
content-type: application/octet-stream

-----BEGIN PGP MESSAGE-----
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=YU4k
-----END PGP MESSAGE-----

--024--
]]></artwork>
        <t>Decrypting the encryption Cryptographic Layer yields the following content:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Content-Type: multipart/signed; boundary="80b";
 protocol="application/pgp-signature"; micalg="pgp-sha512"

--80b
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:12:00 -0700
Subject: BarCorp contract signed, let's go!
Content-Type: text/plain; charset="us-ascii"; protected-headers="v1"
Message-ID: <pgpmime-layered@protected-headers.example>

Hi Bob!

I just signed the contract with BarCorp and they've set us up with
an account on their system for testing.

The account information is:

        Site: https://barcorp.example/
    Username: examplecorptest
    Password: correct-horse-battery-staple

Please get the account set up and apply the test harness.

Let me know when you've got some results.

(this is the 'pgpmime-layered' message)

Thanks, Alice
-- 
Alice Lovelace
President
Example Corp

--80b
content-type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

wnUEARYKAB0FAl2tvLAWIQTrhbtfozp14V6UTmPyMVUMT0fjjgAKCRDyMVUMT0fj
jjiqAPwOjOQI/Sr3vG0hiAKmfBgmB7VhKiUbfFWKRaWKkzJ/kAD/eOjMNvaZ5MG1
fw6xQXpB1vRrY9Ttz3zr+TfLnfHFwQM=
=4v4Q
-----END PGP SIGNATURE-----

--80b--
]]></artwork>
        <t>Note the placement of the Protected Headers on the Cryptographic Payload specifically, which is not the immediate child of the encryption Cryptographic Layer.</t>
      </section>
      <section anchor="pgp-multilayer-legacy-display" numbered="true" toc="default">
        <name>Multilayer PGP/MIME Message with Protected Headers and Legacy Display Part</name>
        <t>A mailer that generates a multilayer cryptographic envelope might also want to provide a Legacy Display part if it is unsure of the capabilities of the recipient's MUA.
We show here how such a mailer might generate the same message as <xref target="pgp-encryptedsigned" format="default"/>.</t>
        <t>Such a PGP/MIME message might have the following structure:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
└┬╴multipart/encrypted
 ├─╴application/pgp-encrypted
 └─╴application/octet-stream
  ↧ (decrypts to)
  └┬╴multipart/signed
   ├┬╴multipart/mixed ← Cryptographic Payload
   │├─╴text/plain ← Legacy Display Part
   │└─╴text/plain
   └─╴application/pgp-signature
]]></artwork>
        <t>For this message, the session key is an AES-256 key with value <tt>b346a2a50fa0cf62895b74e8c0d2ad9e3ee1f02b5d564c77d879caaee7a0aa70</tt> (in hex).</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Received: from localhost (localhost [127.0.0.1]); Mon, 21 Oct 2019
 07:21:28 -0700 (UTC-07:00)
MIME-Version: 1.0
Content-Type: multipart/encrypted; boundary="32c";
 protocol="application/pgp-encrypted"
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:21:00 -0700
Message-ID: <pgpmime-layered+legacy-disp@protected-headers.example>
Subject: ...

--32c
content-type: application/pgp-encrypted

Version: 1

--32c
content-type: application/octet-stream

-----BEGIN PGP MESSAGE-----
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=Fb+8
-----END PGP MESSAGE-----

--32c--
]]></artwork>
        <t>Unwrapping the encryption Cryptographic Layer yields the following content:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Content-Type: multipart/signed; boundary="03a";
 protocol="application/pgp-signature"; micalg="pgp-sha512"

--03a
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:21:00 -0700
Subject: BarCorp contract signed, let's go!
Content-Type: multipart/mixed; boundary="6ae"; protected-headers="v1"
Message-ID: <pgpmime-layered+legacy-disp@protected-headers.example>

--6ae
content-type: text/plain; protected-headers="v1"
Content-Disposition: inline

Subject: BarCorp contract signed, let's go!

--6ae
Content-Type: text/plain; charset="us-ascii"

Hi Bob!

I just signed the contract with BarCorp and they've set us up with
an account on their system for testing.

The account information is:

        Site: https://barcorp.example/
    Username: examplecorptest
    Password: correct-horse-battery-staple

Please get the account set up and apply the test harness.

Let me know when you've got some results.

(this is the 'pgpmime-layered+legacy-disp' message)

Thanks, Alice
-- 
Alice Lovelace
President
Example Corp

--6ae--

--03a
content-type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

wnUEARYKAB0FAl2tvswWIQTrhbtfozp14V6UTmPyMVUMT0fjjgAKCRDyMVUMT0fj
js14AQD2GOrZXkuKxZPY0l6AJFKiAFphRt+5V9gj3HEXKvQKPAD/bZy+vW9j1+e4
MLiOb1ojjFocLx/6MvQBoI3P9a591Qs=
=l8GL
-----END PGP SIGNATURE-----

--03a--
]]></artwork>
      </section>
      <section anchor="smime-sign-enc-legacy" numbered="true" toc="default">
        <name>Signed and Encrypted S/MIME Message with Protected Headers and Legacy Display</name>
        <t>This shows the same signed and encrypted S/MIME message as <xref target="smime-sign-enc" format="default"/>, but formulated with a Legacy Display part so that
Its MIME message structure is:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
└─╴application/pkcs7-mime smime-type="enveloped-data"
 ↧ (decrypts to)
 └─╴application/pkcs7-mime smime-type="signed-data"
  ⇩ (unwraps to)
  └┬╴multipart/mixed ← Cryptographic Payload
   ├─╴text/plain ← Legacy Display Part
   └─╴text/plain 445 bytes
]]></artwork>
        <t>The <tt>Subject:</tt> header is successfully obscured.</t>
        <t>Note that if this message had been generated without Protected Headers, then an attacker with access to it could have read the Subject.
Such an attacker would know details about Alice and Bob's business that they wanted to keep confidential.</t>
        <t>The protected headers also protect the authenticity of the subject line.</t>
        <t>The session key for this message's Cryptographic Layer is an AES-256 key with value <tt>09e8f2a19d9e97deea7d51ee7d401be8763ab0377b6f30a68206e0bed4a0baec</tt> (in hex).</t>
        <t>If Bob's MUA is capable of interpreting these protected headers, it should render the <tt>Subject:</tt> of this message as <tt>BarCorp contract signed, let's go!</tt>.</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Received: from localhost (localhost [127.0.0.1]); Wed, 27 Nov 2019
 01:24:28 -0700 (UTC-07:00)
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
From: Alice Lovelace <alice@smime.example>
To: Bob Babbage <bob@smime.example>
Date: Wed, 27 Nov 2019 01:24:00 -0700
Message-ID: <smime-sign+enc+legacy-disp@protected-headers.example>
Subject: ...
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]]></artwork>
        <t>Unwrapping the outer Cryptographic Layer of this message yields the following MIME part (with its own Cryptographic Layer):</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="signed-data"
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]]></artwork>
        <t>Unwrapping the inner Cryptographic Layer yields the Cryptographic Payload, which includes the Legacy Display part:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
From: Alice Lovelace <alice@smime.example>
To: Bob Babbage <bob@smime.example>
Date: Wed, 27 Nov 2019 01:24:00 -0700
Subject: BarCorp contract signed, let's go!
Content-Type: multipart/mixed; boundary="6ae"; protected-headers="v1"
Message-ID: <smime-sign+enc+legacy-disp@protected-headers.example>

--6ae
content-type: text/plain; protected-headers="v1"
Content-Disposition: inline

Subject: BarCorp contract signed, let's go!

--6ae
Content-Type: text/plain; charset="us-ascii"

Hi Bob!

I just signed the contract with BarCorp and they've set us up with
an account on their system for testing.

The account information is:

        Site: https://barcorp.example/
    Username: examplecorptest
    Password: correct-horse-battery-staple

Please get the account set up and apply the test harness.

Let me know when you've got some results.

(this is the 'smime-sign+enc+legacy-disp' message)

Thanks, Alice
-- 
Alice Lovelace
President
Example Corp

--6ae--
]]></artwork>
      </section>
      <section anchor="smime-encrypted-only" numbered="true" toc="default">
        <name>Encrypted-only (unsigned) S/MIME Message with Protected Headers and Legacy Display</name>
        <t>This shows the same encrypted message as <xref target="smime-sign-enc-legacy" format="default"/>, but formulated without a signature layer, so it is "encrypted-only".</t>
        <t>Note that the lack of any signature layer means that the only form of cryptographic protection these headers receive is confidentiality.</t>
        <t>An arbitrary adversary could forge a message with arbitrary headers (and content), and package it in this same form.
Consequently, the only thing "protected" about the headers in this example is confidentiality for any obscured headers (just the <tt>Subject</tt> in this case).</t>
        <t>Presenting the cryptographic properties of the headers of such a message in a meaningful way to the end user is a subtle and challenging task, which this document cannot cover.</t>
        <t>Its MIME message structure is:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
└─╴application/pkcs7-mime smime-type="enveloped-data"
 ↧ (decrypts to)
 └┬╴multipart/mixed ← Cryptographic Payload
  ├─╴text/plain ← Legacy Display
  └─╴text/plain
]]></artwork>
        <t>For this message, the session key is an AES-256 key with value <tt>e94f6aaef7f14d6ceeac770c46d7f4885e81fbeaf1462d0fdadfce6c581525e2</tt> (in hex).</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Received: from localhost (localhost [127.0.0.1]); Wed, 27 Nov 2019
 01:27:28 -0700 (UTC-07:00)
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
From: Alice Lovelace <alice@smime.example>
To: Bob Babbage <bob@smime.example>
Date: Wed, 27 Nov 2019 01:27:00 -0700
Message-ID: <smime-enc+legacy-disp@protected-headers.example>
Subject: ...
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]]></artwork>
        <t>Unwrapping the single-layer Cryptographic Envelope of this message yields the following MIME structure:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
From: Alice Lovelace <alice@smime.example>
To: Bob Babbage <bob@smime.example>
Date: Wed, 27 Nov 2019 01:27:00 -0700
Subject: BarCorp contract signed, let's go!
Content-Type: multipart/mixed; boundary="6ae"; protected-headers="v1"
Message-ID: <smime-enc+legacy-disp@protected-headers.example>

--6ae
content-type: text/plain; protected-headers="v1"
Content-Disposition: inline

Subject: BarCorp contract signed, let's go!

--6ae
Content-Type: text/plain; charset="us-ascii"

Hi Bob!

I just signed the contract with BarCorp and they've set us up with
an account on their system for testing.

The account information is:

        Site: https://barcorp.example/
    Username: examplecorptest
    Password: correct-horse-battery-staple

Please get the account set up and apply the test harness.

Let me know when you've got some results.

(this is the 'smime-enc+legacy-disp' message)

Thanks, Alice
-- 
Alice Lovelace
President
Example Corp

--6ae--
]]></artwork>
      </section>
      <section anchor="encrypted-only-unsigned-pgpmime-message-with-protected-headers-and-legacy-display" numbered="true" toc="default">
        <name>Encrypted-only (unsigned) PGP/MIME Message with Protected Headers and Legacy Display</name>
        <t>This shows a comparable encrypted-only (unsigned) message, like <xref target="smime-encrypted-only" format="default"/>, but using PGP/MIME instead of S/MIME.</t>
        <t>Note that the lack of any signature layer means that the only form of cryptographic protection these headers receive is confidentiality.</t>
        <t>An arbitrary adversary could forge a message with arbitrary headers (and content), and package it in this same form.
Consequently, the only thing "protected" about the headers in this example is confidentiality for any obscured headers (just the <tt>Subject</tt> in this case).</t>
        <t>Presenting the cryptographic properties of the headers of such a message in a meaningful way to the end user is a subtle and challenging task, which this document cannot cover.</t>
        <t>Its MIME message structure is:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
└┬╴multipart/encrypted
 ├─╴application/pgp-encrypted
 └─╴application/octet-stream
  ↧ (decrypts to)
  └┬╴multipart/mixed ← Cryptographic Payload
   ├─╴text/plain ← Legacy Display
   └─╴text/plain
]]></artwork>
        <t>For this message, the session key is an AES-256 key with value <tt>4f3e7e3cb4a49747f88d232601fa98a29d7427e8f80882464cfbca3dcb847356</tt> (in hex).</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Received: from localhost (localhost [127.0.0.1]); Mon, 21 Oct 2019
 07:30:28 -0700 (UTC-07:00)
MIME-Version: 1.0
Content-Type: multipart/encrypted; boundary="c07";
 protocol="application/pgp-encrypted"
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:30:00 -0700
Message-ID: <pgpmime-enc+legacy-disp@protected-headers.example>
Subject: ...

--c07
content-type: application/pgp-encrypted

Version: 1

--c07
content-type: application/octet-stream

-----BEGIN PGP MESSAGE-----
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=zBUs
-----END PGP MESSAGE-----

--c07--
]]></artwork>
        <t>Unwrapping the single-layer Cryptographic Envelope of this message yields the following MIME structure:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:30:00 -0700
Subject: BarCorp contract signed, let's go!
Content-Type: multipart/mixed; boundary="6ae"; protected-headers="v1"
Message-ID: <pgpmime-enc+legacy-disp@protected-headers.example>

--6ae
content-type: text/plain; protected-headers="v1"
Content-Disposition: inline

Subject: BarCorp contract signed, let's go!

--6ae
Content-Type: text/plain; charset="us-ascii"

Hi Bob!

I just signed the contract with BarCorp and they've set us up with
an account on their system for testing.

The account information is:

        Site: https://barcorp.example/
    Username: examplecorptest
    Password: correct-horse-battery-staple

Please get the account set up and apply the test harness.

Let me know when you've got some results.

(this is the 'pgpmime-enc+legacy-disp' message)

Thanks, Alice
-- 
Alice Lovelace
President
Example Corp

--6ae--
]]></artwork>
      </section>
      <section anchor="an-unfortunately-complex-example" numbered="true" toc="default">
        <name>An Unfortunately Complex Example</name>
        <t>For all of the potential complexity of the Cryptographic Envelope, the Cryptographic Payload itself can be complex.
The Cryptographic Envelope in this example is the same as in <xref target="pgp-multilayer-legacy-display" format="default"/>.
The Cryptographic Payload has protected headers and a legacy display part (also the same as <xref target="pgp-multilayer-legacy-display" format="default"/>), but in addition Alice's MUA composes a message with both plaintext and HTML variants, and Alice includes a single attachment as well.</t>
        <t>While this PGP/MIME message is complex, a modern MUA could also plausibly generate such a structure based on reasonable commands from the user composing the message (e.g., Alice composes the message with a rich text editor, and attaches a file to the message).</t>
        <t>The key takeaway of this example is that the complexity of the Cryptographic Payload (which may contain a Legacy Display part) is independent of and distinct from the complexity of the Cryptographic Envelope.</t>
        <t>This message has the following structure:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
└┬╴multipart/encrypted
 ├─╴application/pgp-encrypted
 └─╴application/octet-stream
  ↧ (decrypts to)
  └┬╴multipart/signed
   ├┬╴multipart/mixed ← Cryptographic Payload
   │├─╴text/plain ← Legacy Display Part
   │└┬╴multipart/mixed
   │ ├┬╴multipart/alternative
   │ │├─╴text/plain
   │ │└─╴text/html
   │ └─╴text/x-diff ← attachment
   └─╴application/pgp-signature
]]></artwork>
        <t>For this message, the session key is an AES-256 key with value <tt>1c489cfad9f3c0bf3214bf34e6da42b7f64005e59726baa1b17ffdefe6ecbb52</tt> (in hex).</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Received: from localhost (localhost [127.0.0.1]); Mon, 21 Oct 2019
 07:33:28 -0700 (UTC-07:00)
MIME-Version: 1.0
Content-Type: multipart/encrypted; boundary="241";
 protocol="application/pgp-encrypted"
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:33:00 -0700
Message-ID: <unfortunately-complex@protected-headers.example>
Subject: ...

--241
content-type: application/pgp-encrypted

Version: 1

--241
content-type: application/octet-stream

-----BEGIN PGP MESSAGE-----
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=wxHa
-----END PGP MESSAGE-----

--241--
]]></artwork>
        <t>Unwrapping the encryption Cryptographic Layer yields the following content:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
Content-Type: multipart/signed; boundary="c72";
 protocol="application/pgp-signature"; micalg="pgp-sha512"

--c72
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:33:00 -0700
Subject: BarCorp contract signed, let's go!
Content-Type: multipart/mixed; boundary="6ae"; protected-headers="v1"
Message-ID: <unfortunately-complex@protected-headers.example>

--6ae
content-type: text/plain; protected-headers="v1"
Content-Disposition: inline

Subject: BarCorp contract signed, let's go!

--6ae
Content-Type: multipart/mixed; boundary="8df"

--8df
Content-Type: multipart/alternative; boundary="32c"

--32c
Content-Type: text/plain; charset="us-ascii"

Hi Bob!

I just signed the contract with BarCorp and they've set us up with
an account on their system for testing.

The account information is:

        Site: https://barcorp.example/
    Username: examplecorptest
    Password: correct-horse-battery-staple

Please get the account set up and apply the test harness.

Let me know when you've got some results.

(this is the 'unfortunately-complex' message)

Thanks, Alice
-- 
Alice Lovelace
President
Example Corp

--32c
Content-Type: text/html; charset="us-ascii"

<html><head></head><body><p>Hi Bob!
</p><p>
I just signed the contract with BarCorp and they've set us up with
 an account on their system for testing.
</p><p>
The account information is:
</p><dl>
<dt>Site</dt><dd>
<a href="https://barcorp.example/">https://barcorp.example/</a>
</dd>
<dt>Username</dt><dd><tt>examplecorptest</tt></dd>
<dt>Password</dt><dd>correct-horse-battery-staple</dd>
</dl><p>
Please get the account set up and apply the test harness.
</p><p>
Let me know when you've got some results.
</p><p>
(this is the 'unfortunately-complex' message)
</p><p>
Thanks, Alice<br/>
-- <br/>
Alice Lovelace<br/>
President<br/>
Example Corp<br/>
</p></body></html>

--32c--

--8df
Content-Type: text/x-diff; charset="us-ascii"
Content-Disposition: inline; filename="testharness-config.diff"

diff -ruN a/testharness.cfg b/testharness.cfg
--- a/testharness.cfg
+++ b/testharness.cfg
@@ -13,3 +13,8 @@
 endpoint = https://openpgp.example/test/
 username = testuser
 password = MJVMZlHR75mILg
+
+[barcorp]
+endpoint = https://barcorp.example/
+username = examplecorptest
+password = correct-horse-battery-staple

--8df--

--6ae--

--c72
content-type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

wnUEARYKAB0FAl2twZwWIQTrhbtfozp14V6UTmPyMVUMT0fjjgAKCRDyMVUMT0fj
jnUTAP9YDBbjItEr14L3f/hpRDdkiexX96wHRZOZlP4VlsPbmgEA/zNQ5GZxOW70
EyF6maqK0Dedw/FXsbL32iFiXMGaTgY=
=EuL1
-----END PGP SIGNATURE-----

--c72--
]]></artwork>
      </section>
    </section>
    <section anchor="iana-considerations" numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>FIXME: register content-type parameter for legacy-display part</t>
      <t>MAYBE: provide a list of user-facing headers, or a new "user-facing" column in some table of known RFC5322 headers?</t>
      <t>MAYBE: provide a comparable indicator for which headers are "structural" ?</t>
    </section>
    <section anchor="security-considerations" numbered="true" toc="default">
      <name>Security Considerations</name>
      <t>This document describes a technique that can be used to defend against two security vulnerabilities in traditional end-to-end encrypted e-mail.</t>
      <section anchor="subject-leak" numbered="true" toc="default">
        <name>Subject Leak</name>
        <t>While e-mail structure considers the Subject header to be part of the message metadata, nearly all users consider the Subject header to be part of the message content.</t>
        <t>As such, a user sending end-to-end encrypted e-mail may inadvertently leak sensitive material in the Subject line.</t>
        <t>If the user's MUA uses Protected Headers and obscures the Subject header as described in <xref target="confidential-subject" format="default"/>, then they can avoid this breach of confidentiality.</t>
      </section>
      <section anchor="signature-replay" numbered="true" toc="default">
        <name>Signature Replay</name>
        <t>A message without Protected Headers may be subject to a signature replay attack, which attempts to violate the recipient's expectations about message authenticity and integrity.
Such an attack works by taking a message delivered in one context (e.g., to someone else, at a different time, with a different subject, in reply to a different message), and replaying it with different message headers.</t>
        <t>A MUA that generates all its signed messages with Protected Headers gives recipients the opportunity to avoid falling victim to this attack.</t>
        <t>Guidance for how a message recipient can use Protected Headers to defend against a signature replay attack are out of scope for this document.</t>
      </section>
      <section anchor="participant-modification" numbered="true" toc="default">
        <name>Participant Modification</name>
        <t>A trivial (if detectable) attack by an active network adversary is to insert an additional e-mail address in a <tt>To</tt> or <tt>Cc</tt> or <tt>Reply-To</tt> or <tt>From</tt> header.
This is a staging attack against message confidentiality: it relies on follow-up action by the recipient.</t>
        <t>For an encrypted message that is part of an ongoing discussion where users are accustomed to doing "reply all", such an insertion would cause the replying MUA to encrypt the replying message to the additional party, giving them access to the conversation.
If the replying MUA quotes and attributes cleartext from the original message within the reply, then the attacker learns the contents of the encrypted message.</t>
        <t>As certificate discovery becomes more automated and less noticeable to the end user, this is an increasing risk.</t>
        <t>An MUA that rejects Exposed Headers in favor of Protected Headers should be able to avoid this attack when replying to a signed message.</t>
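        <t>The following Python example is added for illustration and is not part of this specification or of any MUA's code. It compares the Exposed Headers with the Protected Headers of an already decrypted and signature-verified Cryptographic Payload, and builds the reply-all recipient list from the Protected Headers only. The sample messages are constructed from the test vector above with an extra Cc address in the Exposed Headers; all function names are assumptions.</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
```python
"""Compare Exposed Headers with Protected Headers before replying.

Added illustration; the sample messages are constructed and the helper
names are assumptions. Decryption and signature verification are assumed
to have been done already by the MUA's OpenPGP or S/MIME layer.
"""
from email import message_from_string
from email.utils import getaddresses

ADDRESS_HEADERS = ("From", "To", "Cc", "Reply-To")
OTHER_HEADERS = ("Subject", "Date", "Message-ID")
OBSCURED_SUBJECT = "..."  # exposed Subject used by the test vectors

# Constructed sample: outer (exposed) headers as received, carrying a
# Cc address that is absent from the signed headers.
EXPOSED = """\
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Cc: Eve <eve@third-party.example>
Date: Mon, 21 Oct 2019 07:33:00 -0700
Message-ID: <unfortunately-complex@protected-headers.example>
Subject: ...

"""

# Constructed sample: the verified Cryptographic Payload, shortened from
# the test vector above (body reduced to a single text/plain part).
PAYLOAD = """\
From: Alice Lovelace <alice@openpgp.example>
To: Bob Babbage <bob@openpgp.example>
Date: Mon, 21 Oct 2019 07:33:00 -0700
Subject: BarCorp contract signed, let's go!
Content-Type: multipart/mixed; boundary="6ae"; protected-headers="v1"
Message-ID: <unfortunately-complex@protected-headers.example>

--6ae
Content-Type: text/plain; charset="us-ascii"

Hi Bob!

--6ae--
"""


def addresses(msg, name):
    """Set of lowercased addresses found in every `name` header."""
    found = getaddresses(msg.get_all(name, []))
    return {addr.lower() for _, addr in found if addr}


def text(msg, name):
    """Header value with folding whitespace collapsed, or None."""
    value = msg.get(name)
    return None if value is None else " ".join(value.split())


def cryptographic_payload(decrypted):
    """Return the part carrying protected-headers="v1", or None."""
    root = decrypted
    if decrypted.get_content_type() == "multipart/signed":
        root = decrypted.get_payload(0)  # first child is the signed part
    return root if root.get_param("protected-headers") == "v1" else None


def compare_headers(exposed, payload):
    """Map header name -> (exposed value, protected value) on mismatch."""
    diffs = {}
    for name in ADDRESS_HEADERS:
        e, p = addresses(exposed, name), addresses(payload, name)
        if e != p:
            diffs[name] = (sorted(e), sorted(p))
    for name in OTHER_HEADERS:
        e, p = text(exposed, name), text(payload, name)
        if e != p:
            diffs[name] = (e, p)
    return diffs


def unexpected(diffs):
    """Drop the one mismatch a confidential Subject always produces."""
    return {n: v for n, v in diffs.items()
            if not (n == "Subject" and v[0] == OBSCURED_SUBJECT)}


def reply_all_recipients(payload, own_address):
    """Reply-all list taken from the Protected Headers only."""
    sender = addresses(payload, "Reply-To") or addresses(payload, "From")
    everyone = sender | addresses(payload, "To") | addresses(payload, "Cc")
    return sorted(everyone - {own_address.lower()})


def check_message(exposed_text, decrypted_text, own_address):
    """Full check; None means there are no Protected Headers to use."""
    exposed = message_from_string(exposed_text)
    payload = cryptographic_payload(message_from_string(decrypted_text))
    if payload is None:
        return None
    diffs = compare_headers(exposed, payload)
    return {"differences": diffs,
            "unexpected": unexpected(diffs),
            "reply_to": reply_all_recipients(payload, own_address)}


if __name__ == "__main__":
    print(check_message(EXPOSED, PAYLOAD, "bob@openpgp.example"))
```
]]></artwork>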
      </section>
    </section>
    <section anchor="privacy-considerations" numbered="true" toc="default">
      <name>Privacy Considerations</name>
      <t>This document only explicitly contemplates confidentiality protection for the Subject header, but not for other headers which may leak associational metadata.
For example, <tt>From</tt> and <tt>To</tt> and <tt>Cc</tt> and <tt>Reply-To</tt> and <tt>Date</tt> and <tt>Message-Id</tt> and <tt>References</tt> and <tt>In-Reply-To</tt> are not explicitly necessary for messages in transit, since the SMTP envelope carries all necessary routing information, but an encrypted <xref target="RFC5322" format="default"/> message as described in this document will contain all this associational metadata in the clear.</t>
      <t>Although this document does not provide guidance for protecting the privacy of this metadata directly, it offers a platform upon which thoughtful implementations may experiment with obscuring additional e-mail headers.</t>
    </section>
    <section anchor="document-considerations" numbered="true" toc="default">
      <name>Document Considerations</name>
      <t>[ RFC Editor: please remove this section before publication ]</t>
      <t>This document is currently edited as markdown.  Minor editorial changes can be suggested via merge requests at https://github.com/autocrypt/protected-headers or by e-mail to the authors.  Please direct all significant commentary to the public IETF LAMPS mailing list: spasm@ietf.org.</t>
      <section anchor="document-history" numbered="true" toc="default">
        <name>Document History</name>
        <t>Significant changes between version -01 and -02:</t>
        <ul spacing="normal">
          <li>Added S/MIME test vectors in addition to PGP/MIME</li>
          <li>Legacy Display parts should now be <tt>text/plain</tt> and not <tt>text/rfc822-headers</tt></li>
          <li>Cryptographic Payload must have <tt>protected-headers</tt> parameter set to <tt>v1</tt></li>
          <li>Test vector sample Message-Ids have been normalized</li>
          <li>Added encrypted-only (unsigned) test vectors, at the suggestion of Russ Housley</li>
        </ul>
        <t>Changes between version -00 and -01:</t>
        <ul spacing="normal">
          <li>Credit Randall for "correct horse battery staple".</li>
          <li>Adjust test vectors to ensure no line in the generated .txt format exceeds 72 chars.</li>
          <li>Minor formatting cleanup to appease idnits.</li>
          <li>Update references to more recent documents (RFC 2822 -&gt; 5322, -00 to -01 of draft-ietf-lamps-header-protection-requirements).</li>
        </ul>
      </section>
    </section>
    <section anchor="acknowledgements" numbered="true" toc="default">
      <name>Acknowledgements</name>
      <t>The set of constructs and algorithms in this document had a previous working title of "Memory Hole", but that title is no longer used as different implementations gained experience in working with it.</t>
      <t>These ideas were tested and fine-tuned in part by the loose collaboration of MUA developers known as <xref target="Autocrypt" format="default"/>.</t>
      <t>Additional feedback and useful guidance was contributed by attendees of the OpenPGP e-mail summit (<xref target="OpenPGP-Email-Summit-2019" format="default"/>).</t>
      <t>The following people have contributed implementation experience, documentation, critique, and other feedback:</t>
      <ul spacing="normal">
        <li>Holger Krekel</li>
        <li>Patrick Brunschwig</li>
        <li>Vincent Breitmoser</li>
        <li>Edwin Taylor</li>
        <li>Alexey Melnikov</li>
        <li>Russ Housley</li>
      </ul>
      <t>The password example used in <xref target="test-vectors" format="default"/> comes from <xref target="xkcd936" format="default"/>.</t>
    </section>
  </middle>
  <back>
    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <seriesInfo name="DOI" value="10.17487/RFC2119"/>
            <seriesInfo name="RFC" value="2119"/>
            <seriesInfo name="BCP" value="14"/>
            <author initials="S." surname="Bradner" fullname="S. Bradner">
              <organization/>
            </author>
            <date year="1997" month="March"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC3156" target="https://www.rfc-editor.org/info/rfc3156">
          <front>
            <title>MIME Security with OpenPGP</title>
            <seriesInfo name="DOI" value="10.17487/RFC3156"/>
            <seriesInfo name="RFC" value="3156"/>
            <author initials="M." surname="Elkins" fullname="M. Elkins">
              <organization/>
            </author>
            <author initials="D." surname="Del Torto" fullname="D. Del Torto">
              <organization/>
            </author>
            <author initials="R." surname="Levien" fullname="R. Levien">
              <organization/>
            </author>
            <author initials="T." surname="Roessler" fullname="T. Roessler">
              <organization/>
            </author>
            <date year="2001" month="August"/>
            <abstract>
              <t>This document describes how the OpenPGP Message Format can be used to provide privacy and authentication using the Multipurpose Internet Mail Extensions (MIME) security content types described in RFC 1847. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC4880" target="https://www.rfc-editor.org/info/rfc4880">
          <front>
            <title>OpenPGP Message Format</title>
            <seriesInfo name="DOI" value="10.17487/RFC4880"/>
            <seriesInfo name="RFC" value="4880"/>
            <author initials="J." surname="Callas" fullname="J. Callas">
              <organization/>
            </author>
            <author initials="L." surname="Donnerhacke" fullname="L. Donnerhacke">
              <organization/>
            </author>
            <author initials="H." surname="Finney" fullname="H. Finney">
              <organization/>
            </author>
            <author initials="D." surname="Shaw" fullname="D. Shaw">
              <organization/>
            </author>
            <author initials="R." surname="Thayer" fullname="R. Thayer">
              <organization/>
            </author>
            <date year="2007" month="November"/>
            <abstract>
              <t>This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format.  It is not a step-by-step cookbook for writing an application.  It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network.  It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws.</t>
              <t>OpenPGP software uses a combination of strong public-key and symmetric cryptography to provide security services for electronic communications and data storage.  These services include confidentiality, key management, authentication, and digital signatures.  This document specifies the message formats used in OpenPGP.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC5322" target="https://www.rfc-editor.org/info/rfc5322">
          <front>
            <title>Internet Message Format</title>
            <seriesInfo name="DOI" value="10.17487/RFC5322"/>
            <seriesInfo name="RFC" value="5322"/>
            <author initials="P." surname="Resnick" fullname="P. Resnick" role="editor">
              <organization/>
            </author>
            <date year="2008" month="October"/>
            <abstract>
              <t>This document specifies the Internet Message Format (IMF), a syntax for text messages that are sent between computer users, within the framework of "electronic mail" messages.  This specification is a revision of Request For Comments (RFC) 2822, which itself superseded Request For Comments (RFC) 822, "Standard for the Format of ARPA Internet Text Messages", updating it to reflect current practice and incorporating incremental changes that were specified in other RFCs.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <seriesInfo name="DOI" value="10.17487/RFC8174"/>
            <seriesInfo name="RFC" value="8174"/>
            <seriesInfo name="BCP" value="14"/>
            <author initials="B." surname="Leiba" fullname="B. Leiba">
              <organization/>
            </author>
            <date year="2017" month="May"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the  defined special meanings.</t>
            </abstract>
          </front>
        </reference>
      </references>
      <references>
        <name>Informative References</name>
        <reference anchor="OpenPGP-Email-Summit-2019" target="https://wiki.gnupg.org/OpenPGPEmailSummit201910">
          <front>
            <title>OpenPGP Email Summit 2019</title>
            <author>
              <organization/>
            </author>
            <date year="2019" month="October" day="13"/>
          </front>
        </reference>
        <reference anchor="Autocrypt" target="https://autocrypt.org/level1.html">
          <front>
            <title>Autocrypt Specification 1.1</title>
            <author>
              <organization/>
            </author>
            <date year="2019" month="October" day="13"/>
          </front>
        </reference>
        <reference anchor="xkcd936" target="https://www.xkcd.com/936/">
          <front>
            <title>xkcd: Password Strength</title>
            <author initials="R." surname="Munroe" fullname="Randall Munroe">
              <organization>xkcd</organization>
            </author>
            <date year="2011" month="August" day="10"/>
          </front>
        </reference>
        <reference anchor="I-D.draft-bre-openpgp-samples-00" target="http://www.ietf.org/internet-drafts/draft-bre-openpgp-samples-00.txt">
          <front>
            <title>OpenPGP Example Keys and Certificates</title>
            <seriesInfo name="Internet-Draft" value="draft-bre-openpgp-samples-00"/>
            <author initials="B" surname="Einarsson" fullname="Bjarni Einarsson">
              <organization/>
            </author>
            <author initials="j" surname="juga" fullname="juga">
              <organization/>
            </author>
            <author initials="D" surname="Gillmor" fullname="Daniel Gillmor">
              <organization/>
            </author>
            <date month="October" day="15" year="2019"/>
            <abstract>
              <t>The OpenPGP development community benefits from sharing samples of signed or encrypted data.  This document facilitates such collaboration by defining a small set of OpenPGP certificates and keys for use when generating such samples.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="I-D.draft-dkg-lamps-samples-01" target="http://www.ietf.org/internet-drafts/draft-dkg-lamps-samples-01.txt">
          <front>
            <title>S/MIME Example Keys and Certificates</title>
            <seriesInfo name="Internet-Draft" value="draft-dkg-lamps-samples-01"/>
            <author initials="D" surname="Gillmor" fullname="Daniel Gillmor">
              <organization/>
            </author>
            <date month="November" day="20" year="2019"/>
            <abstract>
              <t>The S/MIME development community benefits from sharing samples of signed or encrypted data.  This document facilitates such collaboration by defining a small set of X.509v3 certificates and keys for use when generating such samples.</t>
            </abstract>
          </front>
          <format type="PDF" target="http://www.ietf.org/internet-drafts/draft-dkg-lamps-samples-01.pdf"/>
        </reference>
        <reference anchor="I-D.draft-luck-lamps-pep-header-protection-03" target="http://www.ietf.org/internet-drafts/draft-luck-lamps-pep-header-protection-03.txt">
          <front>
            <title>pretty Easy privacy (pEp): Progressive Header Disclosure</title>
            <seriesInfo name="Internet-Draft" value="draft-luck-lamps-pep-header-protection-03"/>
            <author initials="C" surname="Luck" fullname="Claudio Luck">
              <organization/>
            </author>
            <date month="July" day="5" year="2019"/>
            <abstract>
              <t>Issues with email header protection in S/MIME have been recently raised in the IETF LAMPS Working Group.  The need for amendments to the existing specification regarding header protection was expressed.  The pretty Easy privacy (pEp) implementations currently use a mechanism quite similar to the currently standardized message wrapping for S/MIME.  The main difference is that pEp is using PGP/ MIME instead, and adds space for carrying public keys next to the protected message.  In LAMPS, it has been expressed that whatever mechanism will be chosen, it should not be limited to S/MIME, but also applicable to PGP/MIME.  This document aims to contribute to this discussion and share the pEp implementation experience with email header protection.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="I-D.draft-ietf-lamps-header-protection-requirements-01" target="http://www.ietf.org/internet-drafts/draft-ietf-lamps-header-protection-requirements-01.txt">
          <front>
            <title>Problem Statement and Requirements for Header Protection</title>
            <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-header-protection-requirements-01"/>
            <author initials="A" surname="Melnikov" fullname="Alexey Melnikov">
              <organization/>
            </author>
            <author initials="B" surname="Hoeneisen" fullname="Bernie Hoeneisen">
              <organization/>
            </author>
            <date month="October" day="29" year="2019"/>
            <abstract>
              <t>Privacy and security issues with email header protection in S/MIME have been identified for some time.  However, the desire to fix these issues has only recently been expressed in the IETF LAMPS Working Group.  The existing S/MIME specification is likely to be updated regarding header protection.  This document describes the problem statement, generic use cases, and requirements of header protection.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC2634" target="https://www.rfc-editor.org/info/rfc2634">
          <front>
            <title>Enhanced Security Services for S/MIME</title>
            <seriesInfo name="DOI" value="10.17487/RFC2634"/>
            <seriesInfo name="RFC" value="2634"/>
            <author initials="P." surname="Hoffman" fullname="P. Hoffman" role="editor">
              <organization/>
            </author>
            <date year="1999" month="June"/>
            <abstract>
              <t>This document describes four optional security service extensions for S/MIME.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC3274" target="https://www.rfc-editor.org/info/rfc3274">
          <front>
            <title>Compressed Data Content Type for Cryptographic Message Syntax (CMS)</title>
            <seriesInfo name="DOI" value="10.17487/RFC3274"/>
            <seriesInfo name="RFC" value="3274"/>
            <author initials="P." surname="Gutmann" fullname="P. Gutmann">
              <organization/>
            </author>
            <date year="2002" month="June"/>
            <abstract>
              <t>This document defines a format for using compressed data as a Cryptographic Message Syntax (CMS) content type.  Compressing data before transmission provides a number of advantages, including the elimination of data redundancy which could help an attacker, speeding up processing by reducing the amount of data to be processed by later steps (such as signing or encryption), and reducing overall message size. Although there have been proposals for adding compression at other levels (for example at the MIME or SSL level), these don't address the problem of compression of CMS content unless the compression is supplied by an external means (for example by intermixing MIME and CMS). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC3851" target="https://www.rfc-editor.org/info/rfc3851">
          <front>
            <title>Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification</title>
            <seriesInfo name="DOI" value="10.17487/RFC3851"/>
            <seriesInfo name="RFC" value="3851"/>
            <author initials="B." surname="Ramsdell" fullname="B. Ramsdell" role="editor">
              <organization/>
            </author>
            <date year="2004" month="July"/>
            <abstract>
              <t>This document defines Secure/Multipurpose Internet Mail Extensions (S/MIME) version 3.1.  S/MIME provides a consistent way to send and receive secure MIME data.  Digital signatures provide authentication, message integrity, and non-repudiation with proof of origin.  Encryption provides data confidentiality.  Compression can be used to reduce data size.  This document obsoletes RFC 2633.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC6736" target="https://www.rfc-editor.org/info/rfc6736">
          <front>
            <title>Diameter Network Address and Port Translation Control Application</title>
            <seriesInfo name="DOI" value="10.17487/RFC6736"/>
            <seriesInfo name="RFC" value="6736"/>
            <author initials="F." surname="Brockners" fullname="F. Brockners">
              <organization/>
            </author>
            <author initials="S." surname="Bhandari" fullname="S. Bhandari">
              <organization/>
            </author>
            <author initials="V." surname="Singh" fullname="V. Singh">
              <organization/>
            </author>
            <author initials="V." surname="Fajardo" fullname="V. Fajardo">
              <organization/>
            </author>
            <date year="2012" month="October"/>
            <abstract>
              <t>This document describes the framework, messages, and procedures for the Diameter Network address and port translation Control Application.  This Diameter application allows per-endpoint control of Network Address Translators and Network Address and Port Translators, which are added to networks to cope with IPv4 address space depletion.  This Diameter application allows external devices to configure and manage a Network Address Translator device -- expanding the existing Diameter-based Authentication, Authorization, and Accounting (AAA) and policy control capabilities with a Network Address Translator and Network Address and Port Translator control component.  These external devices can be network elements in the data plane such as a Network Access Server, or can be more centralized control plane devices such as AAA-servers.  This Diameter application establishes a context to commonly identify and manage endpoints on a gateway or server and a Network Address Translator and Network Address and Port Translator device.  This includes, for example, the control of the total number of Network Address Translator bindings allowed or the allocation of a specific Network Address Translator binding for a particular endpoint.  In addition, it allows Network Address Translator devices to provide information relevant to accounting purposes.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC7508" target="https://www.rfc-editor.org/info/rfc7508">
          <front>
            <title>Securing Header Fields with S/MIME</title>
            <seriesInfo name="DOI" value="10.17487/RFC7508"/>
            <seriesInfo name="RFC" value="7508"/>
            <author initials="L." surname="Cailleux" fullname="L. Cailleux">
              <organization/>
            </author>
            <author initials="C." surname="Bonatti" fullname="C. Bonatti">
              <organization/>
            </author>
            <date year="2015" month="April"/>
            <abstract>
              <t>This document describes how the S/MIME protocol can be extended in order to secure message header fields defined in RFC 5322.  This technology provides security services such as data integrity, non-repudiation, and confidentiality.  This extension is referred to as 'Secure Headers'.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC8551" target="https://www.rfc-editor.org/info/rfc8551">
          <front>
            <title>Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification</title>
            <seriesInfo name="DOI" value="10.17487/RFC8551"/>
            <seriesInfo name="RFC" value="8551"/>
            <author initials="J." surname="Schaad" fullname="J. Schaad">
              <organization/>
            </author>
            <author initials="B." surname="Ramsdell" fullname="B. Ramsdell">
              <organization/>
            </author>
            <author initials="S." surname="Turner" fullname="S. Turner">
              <organization/>
            </author>
            <date year="2019" month="April"/>
            <abstract>
              <t>This document defines Secure/Multipurpose Internet Mail Extensions (S/MIME) version 4.0.  S/MIME provides a consistent way to send and receive secure MIME data.  Digital signatures provide authentication, message integrity, and non-repudiation with proof of origin. Encryption provides data confidentiality.  Compression can be used to reduce data size.  This document obsoletes RFC 5751.</t>
            </abstract>
          </front>
        </reference>
      </references>
    </references>
  </back>
</rfc>
