From nobody Tue Apr 1 23:19:24 2014
From: Antonio Sanso
To: "jose@ietf.org"
Date: Wed, 2 Apr 2014 06:19:13 +0000
Subject: [jose] RSASSA-PKCS-v1_5 SHA-256 validation example
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/f9H3D6cNAuzPDnzqUTA6054vuqk

hi *,

IMHO the RSASSA-PKCS-v1_5 SHA-256 validation example in [0] can be a bit better explained.
Indeed it says

   We pass (n, e), JWS Signature, and the JWS Signing Input to
   an RSASSA-PKCS-v1_5 signature verifier that has been configured to
   use the SHA-256 hash function.

There is no mention of the fact that the JWS Signature should be decoded in order to be verified.
IMHO a bit more wording around this would not harm.
WDYT?

regards

antonio

[0] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-25#appendix-A.2.2

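The decoding step the message above asks the draft to spell out, as an added example (not from the original message, the JWS draft or Apache Oltu): the third segment of a compact JWS is base64url text and must be decoded to the raw signature octets before RSASSA-PKCS1-v1_5 verification. The toy key built from two Mersenne primes, the sample claims and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import re

# ASN.1 DigestInfo prefix for SHA-256 used by EMSA-PKCS1-v1_5 (RFC 3447, 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy key for this example only: both primes are well-known
# Mersenne primes, so the private exponent is public knowledge.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Strict base64url decode: JWS segments carry no padding or whitespace."""
    if not re.fullmatch(r"[A-Za-z0-9_-]*", text) or len(text) % 4 == 1:
        raise ValueError("not a base64url segment")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def emsa_pkcs1_v15_sha256(message: bytes, em_len: int) -> bytes:
    """Build the expected encoded message 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rs256_verify(n: int, e: int, signature: bytes, signing_input: bytes) -> bool:
    """Verify raw signature octets (already base64url-decoded)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:          # signature must be exactly modulus-sized
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Compare the whole encoded message instead of parsing the padding.
    return hmac.compare_digest(recovered, emsa_pkcs1_v15_sha256(signing_input, k))


def verify_compact_jws(token: str, n: int, e: int) -> bool:
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
        b64url_decode(parts[1])                  # payload must be well-formed
        signature = b64url_decode(parts[2])      # the step the mail asks about
    except ValueError:
        return False
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        return False                             # pin the expected algorithm
    # The signing input is the ASCII of the two encoded segments, NOT decoded.
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    return rs256_verify(n, e, signature, signing_input)


def make_sample_token(payload: dict) -> str:
    """Sign constructed sample claims with the toy key (test fixture only)."""
    header = b64url_encode(json.dumps({"alg": "RS256"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = (header + "." + body).encode("ascii")
    k = (N.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15_sha256(signing_input, k), "big")
    sig = pow(em, D, N).to_bytes(k, "big")
    return header + "." + body + "." + b64url_encode(sig)


if __name__ == "__main__":
    token = make_sample_token({"iss": "joe"})
    h, p, s = token.split(".")
    print("decoded signature verifies:", verify_compact_jws(token, N, E))
    print("undecoded segment verifies:",
          rs256_verify(N, E, s.encode("ascii"), (h + "." + p).encode("ascii")))
```

Passing the undecoded segment fails on length alone here: the 141-octet signature is 188 characters of base64url text.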

From nobody Thu Apr 3 08:31:03 2014
From: Antonio Sanso
To: "jose@ietf.org"
Date: Thu, 3 Apr 2014 15:30:50 +0000
Subject: [jose] validation of the crypto examples in the jose specifications
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/lL0J9RQqGM0BwI-QKsbsDTqFKEA

hi *,

since release version 1.0 Apache Oltu started some support of the jose specifications (JWT, JWS) for now.
We plan to extend the support to all the other specifications JWE, etc.
It would make sense to use the example contained in the specifications in the unit and integration tests and this is already the case.
E.g. if you see unit test [1] contains already tests that validate the examples from the JWS specification [2] and the jose cook book [3].

As said we are planning to extend that coverage to all the jose examples.

regards

antonio

[0] https://oltu.apache.org/
[1] https://github.com/apache/oltu/blob/trunk/jose/jws/src/test/java/org/apache/oltu/jose/jws/signature/impl/SignatureMethodRSAImplTest.java
[2] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-25#appendix-A.2
[3] http://tools.ietf.org/html/draft-ietf-jose-cookbook-01#section-3.1

From nobody Thu Apr 3 09:23:56 2014
From: Russ Housley
To: jose@ietf.org
Date: Thu, 3 Apr 2014 12:22:58 -0400
Subject: [jose] Web Crypto API going for Last Call in W3C
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/4oe6p8UL_Du3I17bZlqTe3Ap-9s

FYI

- - - - - - - - -

The Web Crypto API is going for Last Call in W3C [1]. This is the last step prior to the test and implementation phase, and thus your last chance to share your view on its content. For those not familiar with this specification, this JavaScript API performs basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption. Additionally, it describes how applications can generate and/or manage the keying material necessary to perform these operations.

The specification is available here: http://www.w3.org/TR/2014/WD-WebCryptoAPI-20140325/

All constructive comments can be sent before the 20th of May on the W3C Web Crypto Working Group public list: public-webcrypto-comments@w3.org

[1] http://www.w3.org/blog/news/archives/3755

From nobody Thu Apr 3 11:50:28 2014
From: Mike Jones
To: Antonio Sanso, "jose@ietf.org"
Date: Thu, 3 Apr 2014 18:49:34 +0000
Subject: Re: [jose] validation of the crypto examples in the jose specifications
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/Y0LAjNoeNhjU_UQjc6nM3Bv0j1Y

Yes, it makes sense to use the examples in unit and integration tests - both from the JWS, JWE, JWK, and JWA specs - and from the cookbook. It would be great to have confirmation that your code reproduces those results.

-- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Antonio Sanso
Sent: Thursday, April 03, 2014 8:31 AM
To: jose@ietf.org
Subject: [jose] validation of the crypto examples in the jose specifications

hi *,

since release version 1.0 Apache Oltu started some support of the jose specifications (JWT, JWS) for now.
We plan to extend the support to all the other specifications JWE, etc.
It would make sense to use the example contained in the specifications in the unit and integration tests and this is already the case.
E.g. if you see unit test [1] contains already tests that validate the examples from the JWS specification [2] and the jose cook book [3].

As said we are planning to extend that coverage to all the jose examples.

regards

antonio

[0] https://oltu.apache.org/
[1] https://github.com/apache/oltu/blob/trunk/jose/jws/src/test/java/org/apache/oltu/jose/jws/signature/impl/SignatureMethodRSAImplTest.java
[2] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-25#appendix-A.2
[3] http://tools.ietf.org/html/draft-ietf-jose-cookbook-01#section-3.1

From nobody Fri Apr 4 06:59:54 2014
From: Antonio Sanso
To: Mike Jones
Cc: "jose@ietf.org"
Date: Fri, 4 Apr 2014 13:59:40 +0000
Subject: Re: [jose] validation of the crypto examples in the jose specifications
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/dhSf-B0Ehp-pw9TULhZEmokoIJA

Thanks Mike,

On Apr 3, 2014, at 8:49 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Yes, it makes sense to use the examples in unit and integration tests – both from the JWS, JWE, JWK, and JWA specs – and from the cookbook. It would be great to have confirmation that your code reproduces those results.

nice. As said we already started with JWS and we will hopefully cover all the examples. I will keep the list posted once we completed the validation.

regards

antonio

> -- Mike
>
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Antonio Sanso
> Sent: Thursday, April 03, 2014 8:31 AM
> To: jose@ietf.org
> Subject: [jose] validation of the crypto examples in the jose specifications
>
> hi *,
>
> since release version 1.0 Apache Oltu started some support of the jose specifications (JWT, JWS) for now.
> We plan to extend the support to all the other specifications JWE, etc.
> It would make sense to use the example contained in the specifications in the unit and integration tests and this is already the case.
> E.g. if you see unit test [1] contains already tests that validate the examples from the JWS specification [2] and the jose cook book [3].
>
> As said we are planning to extend that coverage to all the jose examples.
>
> regards
>
> antonio
>
> [0] https://oltu.apache.org/
> [1] https://github.com/apache/oltu/blob/trunk/jose/jws/src/test/java/org/apache/oltu/jose/jws/signature/impl/SignatureMethodRSAImplTest.java
> [2] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-25#appendix-A.2
> [3] http://tools.ietf.org/html/draft-ietf-jose-cookbook-01#section-3.1


--_000_5D3F9537AE49464BA2E357AA4ADDCBFAadobecom_-- From nobody Fri Apr 4 17:39:29 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1AA91A02F1 for ; Fri, 4 Apr 2014 17:39:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.201 X-Spam-Level: X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G_Yb9LazmWe7 for ; Fri, 4 Apr 2014 17:39:22 -0700 (PDT) Received: from exprod6og108.obsmtp.com (exprod6og108.obsmtp.com [64.18.1.21]) by ietfa.amsl.com (Postfix) with ESMTP id C35B41A02C3 for ; Fri, 4 Apr 2014 17:39:21 -0700 (PDT) Received: from peregrine.verisign.com ([216.168.239.74]) (using TLSv1) by exprod6ob108.postini.com ([64.18.5.12]) with SMTP ID DSNKUz9QtWxuuHO0XxMHWYZnvh/2M2n12WBn@postini.com; Fri, 04 Apr 2014 17:39:17 PDT Received: from brn1wnexcas01.vcorp.ad.vrsn.com (brn1wnexcas01.vcorp.ad.vrsn.com [10.173.152.205]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id s350dGKS007792 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for ; Fri, 4 Apr 2014 20:39:16 -0400 Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Fri, 4 Apr 2014 20:39:16 -0400 From: "Hollenbeck, Scott" To: "jose@ietf.org" Thread-Topic: WG Last Call Comments Thread-Index: Ac9QZ3hA9unFMyLSR22ENbMIfIxOOg== Date: Sat, 5 Apr 2014 00:39:14 +0000 Message-ID: <831693C2CDA2E849A7D7A712B24E257F49398160@BRN1WNEXMBX01.vcorp.ad.vrsn.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.173.152.4] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 
quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/jose/fukpt2ooP_RTVShssWqSWJFun84 Cc: "Kaliski, Burt" Subject: [jose] WG Last Call Comments X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Apr 2014 00:39:27 -0000 Burt Kaliski and I spent a few minutes talking to Kathleen Moriarty while w= e were all in London for IETF-89. She asked us both to review the documents= that are currently in WG last call. We did, and I'd like to share our comm= ents with the WG. I'll start a new thread for each of the documents we're c= ommenting on. Scott From nobody Fri Apr 4 17:43:22 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 811991A030F for ; Fri, 4 Apr 2014 17:43:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.201 X-Spam-Level: X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WSgXwGtQN-5A for ; Fri, 4 Apr 2014 17:43:16 -0700 (PDT) Received: from exprod6og111.obsmtp.com (exprod6og111.obsmtp.com [64.18.1.27]) by ietfa.amsl.com (Postfix) with ESMTP id AC34B1A02F1 for ; Fri, 4 Apr 2014 17:43:15 -0700 (PDT) Received: from peregrine.verisign.com ([216.168.239.74]) (using TLSv1) by exprod6ob111.postini.com ([64.18.5.12]) with SMTP ID DSNKUz9Rnxly5kspjAeExGwAxx+NpXDuBosX@postini.com; Fri, 04 Apr 2014 17:43:11 PDT Received: from brn1wnexcas01.vcorp.ad.vrsn.com (brn1wnexcas01.vcorp.ad.vrsn.com [10.173.152.205]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id s350hA1c007907 
(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for ; Fri, 4 Apr 2014 20:43:10 -0400 Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Fri, 4 Apr 2014 20:43:10 -0400 From: "Hollenbeck, Scott" To: "jose@ietf.org" Thread-Topic: WG Last Call Comments: draft-ietf-jose-json-web-algorithms-25 Thread-Index: Ac9QaAE5gHZEnqC9QEeRd+6hBwR9wA== Date: Sat, 5 Apr 2014 00:43:09 +0000 Message-ID: <831693C2CDA2E849A7D7A712B24E257F49398196@BRN1WNEXMBX01.vcorp.ad.vrsn.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.173.152.4] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/jose/yrBUVqVChJskOc7h0XZ3ZFWmeXo Cc: "Kaliski, Burt" Subject: [jose] WG Last Call Comments: draft-ietf-jose-json-web-algorithms-25 X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Apr 2014 00:43:20 -0000 Sec. 3.4: For ECDSA P-521 SHA-512, as noted, "R and S will be 521 bits eac= h, resulting in a 132-octet sequence." Unclear how R and S are to be conve= rted into respective 66-octet values (pad with 0 bits on the left versus ri= ght). Should be consistent with practice in other specifications, e.g., IE= EE 1363. Sec. 4.1: Any interest in RSA-KEM as a CEK-determination method, e.g., as = specified in RFC 5990? RFC 5990 only provides a key-wrapping version (outp= ut of KDF, i.e., the KEK, is used to wrap the CEK), but the specification c= ould be adapted to a "direct" version where the output of the KDF itself is= used as a CEK. Sec. 4.3: RSAES-OAEP as defined in RFC 3447 allows other hash functions an= d MGFs than the default (MGF1 with SHA-1). 
Because SHA1 is being phased out for other purposes (though not necessarily unsuitable for MGF1 or OAEP purposes), should SHA256/384/512 options also be specified here? No algorithm identifiers / OIDs would need to be defined, just the JWK parameter syntax, e.g., in additional header parameters, or with a new "alg" header parameter.

Sec. 4.6.2: The AlgorithmID value is derived from either the "enc" or the "alg" header parameter value. It is not clear whether the UTF-8 parameter value includes the tag as well as the value, or just the value. In the latter case, to ensure cryptographic separation between the two cases, it should be stated elsewhere that the set of allowed "enc" and "alg" header parameter values should be distinct from one another.

Burt and Scott

From nobody Fri Apr 4 17:45:28 2014
From: "Hollenbeck, Scott"
To: "jose@ietf.org"
Cc: "Kaliski, Burt"
Date: Sat, 5 Apr 2014 00:45:15 +0000
Subject: [jose] WG Last Call Comments: draft-ietf-jose-json-web-key-25
Message-ID: <831693C2CDA2E849A7D7A712B24E257F493981C6@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/t9RbvthIQ-8xSaeevHImtfMrYLQ

Minor editorial nit in Section 3.3: s/operations(s)/operation(s)/

Scott and Burt

From nobody Fri Apr 4 17:52:09 2014
From: "Hollenbeck, Scott"
To: "jose@ietf.org"
Cc: "Kaliski, Burt"
Date: Sat, 5 Apr 2014 00:51:57 +0000
Subject: [jose] WG Last Call Comments: draft-ietf-jose-json-web-signature-25
Message-ID: <831693C2CDA2E849A7D7A712B24E257F493981EB@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/K3ONOcnJcgmRavO2x9tMMDSvuzc

Section 8: "Whenever TLS is used, a TLS server certificate check MUST be performed, per RFC 6125 [RFC6125]." I can't find the string "certificate check" in RFC 6125.
I *think* the intention here is that the identity of the service provider MUST be verified using the procedures described in Section 6 of RFC 6125. Proposed text:

OLD:
"a TLS server certificate check MUST be performed, per RFC 6125"

NEW:
"the identity of the service provider encoded in the TLS server certificate MUST be verified using the procedures described in Section 6 of RFC 6125"

Scott and Burt

From nobody Fri Apr 4 17:55:05 2014
From: "Hollenbeck, Scott"
To: "jose@ietf.org"
Cc: "Kaliski, Burt"
Date: Sat, 5 Apr 2014 00:54:52 +0000
Subject: [jose] JSON Reference in draft-ietf-jose-use-cases-06
Message-ID: <831693C2CDA2E849A7D7A712B24E257F4939820F@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/NR-pQvKD1TsY4QaoRwqWl7BqMkk

draft-ietf-jose-use-cases-06 is in the RFC Editor queue. Someone has probably already caught this, but just in case: references to RFC 4627 should be replaced with references to RFC 7159.
Scott and Burt

From nobody Mon Apr 7 13:23:12 2014
From: "Jim Schaad"
To: "'Hollenbeck, Scott'" ,
Cc: "'Kaliski, Burt'"
Date: Mon, 7 Apr 2014 13:20:53 -0700
Subject: Re: [jose] JSON Reference in draft-ietf-jose-use-cases-06
Message-ID: <060401cf529e$e0d48c10$a27da430$@augustcellars.com>
References: <831693C2CDA2E849A7D7A712B24E257F4939820F@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
In-Reply-To: <831693C2CDA2E849A7D7A712B24E257F4939820F@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/ntcD1FNBMAum2d5tHYaJyMiE1sU

This was noted and changed in RFC Editing process.

Jim

> -----Original Message-----
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Hollenbeck, Scott
> Sent: Friday, April 04, 2014 5:55 PM
> To: jose@ietf.org
> Cc: Kaliski, Burt
> Subject: [jose] JSON Reference in draft-ietf-jose-use-cases-06
>
> draft-ietf-jose-use-cases-06 is in the RFC Editor queue. Someone has probably
> already caught this, but just in case: references to RFC 4627 should be replaced
> with references to RFC 7159.
>
> Scott and Burt
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

From nobody Mon Apr 7 14:58:40 2014
From: Mike Jones
To: "Hollenbeck, Scott" , "jose@ietf.org"
Cc: "Kaliski, Burt"
Date: Mon, 7 Apr 2014 21:57:22 +0000
Subject: Re: [jose] WG Last Call Comments: draft-ietf-jose-json-web-algorithms-25
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A14AE99@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <831693C2CDA2E849A7D7A712B24E257F49398196@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
In-Reply-To: <831693C2CDA2E849A7D7A712B24E257F49398196@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
X-MS-Has-Attach: yes
Content-Type: multipart/mixed; boundary="_004_4E1F6AAD24975D4BA5B16804296739439A14AE99TK5EX14MBXC286r_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/TjJ5R5E0JpAFvq0BRFb47P1itmY

--_004_4E1F6AAD24975D4BA5B16804296739439A14AE99TK5EX14MBXC286r_
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A14AE99TK5EX14MBXC286r_"

--_000_4E1F6AAD24975D4BA5B16804296739439A14AE99TK5EX14MBXC286r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Thanks for the useful reviews, Scott and Burt. Replies are inline.
-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Hollenbeck, Scott
Sent: Friday, April 04, 2014 5:43 PM
To: jose@ietf.org
Cc: Kaliski, Burt
Subject: [jose] WG Last Call Comments: draft-ietf-jose-json-web-algorithms-25

Sec. 3.4: For ECDSA P-521 SHA-512, as noted, "R and S will be 521 bits each, resulting in a 132-octet sequence." Unclear how R and S are to be converted into respective 66-octet values (pad with 0 bits on the left versus right). Should be consistent with practice in other specifications, e.g., IEEE 1363.

Per http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-6.2.1.2, this is specified by the SEC1 specification, which the "x" and "y" definitions reference. (SEC1 specifies padding on the left in Section 2.3.1 - "BitString-to-OctetString Conversion".)

Sec. 4.1: Any interest in RSA-KEM as a CEK-determination method, e.g., as specified in RFC 5990? RFC 5990 only provides a key-wrapping version (output of KDF, i.e., the KEK, is used to wrap the CEK), but the specification could be adapted to a "direct" version where the output of the KDF itself is used as a CEK.

The set of algorithms included in JWA are based upon a survey done of the algorithms that are actually widely deployed across common development tools, and will therefore result in interoperable implementations. The results of that survey are captured in the attached spreadsheet. During the survey, no one made the case that RSA-KEM was widely deployed, and therefore should be included in the standard set of algorithms. That being said, there's nothing stopping people from writing a spec defining an RSA-KEM algorithm identifier and registering it in the JSON Web Signature and Encryption Algorithms Registry if it's useful in their application context.

Sec. 4.3: RSAES-OAEP as defined in RFC 3447 allows other hash functions and MGFs than the default (MGF1 with SHA-1).
Because SHA1 is being phased out for other purposes (though not necessarily unsuitable for MGF1 or OAEP purposes), should SHA256/384/512 options also be specified here? No algorithm identifiers / OIDs would need to be defined, just the JWK parameter syntax, e.g., in additional header parameters, or with a new "alg" header parameter.

This was discussed early in the working group. Again, because the focus of the algorithms chosen is on ones that are actually widely deployed, the default OAEP settings were chosen. Many implementations don't provide a way of specifying non-default OAEP parameters, and as you point out, SHA-1 for OAEP purposes is not unsuitable. Again, if people want to define new algorithm identifiers for OAEP with different parameters, they can, but this won't necessarily result in widely interoperable implementations.

Sec. 4.6.2: The AlgorithmID value is derived from either the "enc" or the "alg" header parameter value. It is not clear whether the UTF-8 parameter value includes the tag as well as the value, or just the value. In the latter case, to ensure cryptographic separation between the two cases, it should be stated elsewhere that the set of allowed "enc" and "alg" header parameter values should be distinct from one another.

The text says:

      In the Direct Key Agreement case,
      Data is set to the octets of the UTF-8 representation of the "enc"
      Header Parameter value.  In the Key Agreement with Key Wrapping
      case, Data is set to the octets of the UTF-8 representation of the
      "alg" Header Parameter value.

"Header Parameter value" as used in JWE is just the value - not also the name, which is called "Header Parameter name". Per your second comment, the "Direct Key Agreement case" only occurs when "alg" is "dir", so there's no actual ambiguity.
Burt and Scott

                                Best wishes,
                                -- Mike

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

--_000_4E1F6AAD24975D4BA5B16804296739439A14AE99TK5EX14MBXC286r_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

--_000_4E1F6AAD24975D4BA5B16804296739439A14AE99TK5EX14MBXC286r_--

--_004_4E1F6AAD24975D4BA5B16804296739439A14AE99TK5EX14MBXC286r_
Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet; name="Support for JWA Crypto Algorithms.xlsx"
Content-Description: Support for JWA Crypto Algorithms.xlsx
Content-Disposition: attachment; filename="Support for JWA Crypto Algorithms.xlsx"; size=18750; creation-date="Mon, 23 Jul 2012 22:38:19 GMT"; modification-date="Sat, 28 Jul 2012 02:24:02 GMT"
Content-Transfer-Encoding: base64
AAYACAAAACEA1ohQeh4IAAD2WwAADQAAAHhsL3N0eWxlcy54bWzsXO1v2jgY/37S/Q9RvncBBm2p gGnQ5jSp601rJ91XAwZ8TWIuMSvsdP/7PbbjxLyEZLyFdt6kLQl++fl5tx/brQ9z37O+4zAiNGjb 1XcV28LBgA5JMG7b357ci2vbihgKhsijAW7bCxzZHzq//9aK2MLDjxOMmQVNBFHbnjA2vXGcaDDB Pore0SkO4JcRDX3E4DUcO9E0xGgY8Uq+59QqlUvHRySwZQs3/qBIIz4Kn2fTiwH1p4iRPvEIW4i2 bMsf3HwaBzREfQ+gzqt1NFBti5e15n0yCGlER+wdNOfQ0YgM8DrKptN0oKVOa0QDFlkDOgsY0ApI JVq9eQ7oS+Dy3+BrXKzTin5Y35EHX6q202kNqEdDiwFpAJn4EiAfyxI95JF+SHixEfKJt5Cfa/yD oGZczicwNv7R4UAknE6rz0tt6Csc99u2G//htYp1uNT2lnYr4s9p2v0YEuRZ3wICgomtz4+81zVK FQd+Wa1UigPP58AWKjV7QKbLQ3ZGMth9DNHaNLBj9JM1pliEgYKn5Nhl41DiIUQyAlklnpfYjWtu IeBDpwX2i+EwcOHFip+fFlOwDwGYWi4zjiyXU3ocokW11iheIaIeGXIU456wSgmZuUrzZvrxDyQY 4jketu3LumhdA1wUXEZft03+9zR99S7v3N7dgQfgur2rIzQKzfYOjvSu28xuVMgYyGifhkMIAzTv pr51Wh4eMRCLkIwn/H9Gp1xIKGPgNDutIUFjGiAPHh3ZynJNiB8gVGjbPh6SmQ9yJ33hmtQ5vJud e4HeBb7CvYnSOw+GTSBuUUNZ1RNtIArO1vIplELFgf6K/IXKS04dh1EKQC5z0zHuIjtbyaeRG9re UTqXeohls1vjf4U+an2oIefUSAdcsEIeW9dB/SxjcxBrY5R0LB24Uuozg1OQLiVLQGyMwbYPsOc9 ciP81ygx8A2wXvORFcx812efwMfDdIZPK9QjBCXxo7Tp8gUYkVWpDvXjSvCoV7LQdOotHmZ+H4eu mA6K3sTXrnA76ftHj4wDH/MJFgASRb6ElOEBExNUEZ5kIWikCOCxDARXKYJLHQG8bKEBnzqmw92H As20f4ByTAo4ukxJCdOE631lJ+my5qNcMeNiulk2k9qS1hodxXw7S2pqaYPvdZrBi4IjG5Rsqsas dAEEn8nL35QYq/elzjstpKSaL7UwMuDrAgMQciyn8/NRtlpp8GDoKUtz4B0PEHSsGHCO9NLgnQe9 suxiwkAlM8djWZZhTCCAkC1ZYwXpcGIMLSqpgc5SMYaXo2oZBFW29RKi6ROeg5EVlsDZpm9ZQIGN rwMoDOC8gILzU6xf0kh42Qx0S5ABdfLa2lJ7i3uWSEAhhB4cTu6ztD8ZvFK1crxLCRTZj4X71c7i RmIIgRv/zCDc/BLiEZmfwr9nhWwJJMB8ZNucRRVwG1ItypXRLHhnokKaRK7G/MtGZVnDD2diStDh rIAikRgVUCyP2T1RzJwFL5GYcuFpEgOPaSyUwNs6y80yGCAGUt6ObzCyIECuuGwIAO3QEMRUFya3 2jrK0ipKMhO2eIa1bXfRUIHgoe6MeIwEfF5bu+JLiavF/6A0KQ+GVi8vEoer5R/wjIXIU10At/Uq 15u6eOCLLkkNLnMpKCFra32AC1QdgCPSikPWG8aQzv6BKsN5uqpUq8PEHz5AckmkqPsylS0qEe05 YiF5jtPaEgGFXFMQ6Z8gYMfBUKtEZ8wjgV4kmqAhfdGKzOSzSqDx2bYwtPJzH0WYt8CHkOQ24+6z 0/NPxMeR9YBfrK/UR4GozPc4xEBUXyr/DDYuL7WXpt5WMgfriTeZ1tuUeEPJmsKEhuQHkJuvKoxx 
gIV0rC00WAwI+pUy2DTBt3qAFKTTInjhSOJlqL9nESOjxT2K2D1QS5SNJiEJnp+oS+RSFd/IAXtE /uRJI14AKCoNmaXSQd+moqJ6vYU9EvyDzCZtXEFdIYaeDypUPme9dbX5vPX21fJqtV1RFoacUp4r hSQAPAgFEP8YJq1S8QyZZExV9i4EY6oKmR4tdVaovNGC2Gm8EYeNZoyq1UXjrOMNH0vp5pL9QCGt VJ5dd+yFKqZxgAkDWCGKGQO4uwHUNhSvbaLauMlX38L6c9OV1e17K1qs5isxjHRXn2OM4BkawSIz FhMM7xEMmzDgzAPhQr7paGHAa9StLR7moAtjxtP8amtjRhuyT4AYbTDacP75EuMbTN5EHO3ZutKz S97E+AbjG8ShMpNFfKW5dOMbjG84jm/IyambbQ7Lh7b33eZQ7pKJYTacuRaHWgvx4U0zW63LJWen zJamlQsa9mX/m0oQmDSZ2IDHU3ZmY9+26xpWJ6iFLK0yRqfeK2DCGxPe8JOMZsuuvFXmp5aejGaH v87+7HKZ/WpWME2YZIxpIVU5rzApPm0SnwniLFw+WZJ7IdWGnSq5ddZ3LeZW2TAly62jKL3pRMmr sSunPVf1thPm2omiTXIv5UUp8SHECxYCzjT9vO6u5BW3/ARaqZtfxX24Quj32/wKBsPetrAFZ0RP NaW3yrKuwEsp0/CwYgS5KsChU8bveBZ3miVncWFGNMQjNPPYU/Jj206fP4v7J+FIblzqC/lOmWii bafP9/ySy6o4eQvnJe8jWHyF/61ZSNr2v3fdq+btnVu7uK50ry/q73Hjotno3l406r3u7a3brNQq vf/g4Cy/EPsGLofe48JpcTE2XAtVrd9EHlxLHcaDjcE/pt/atvYi4XNlcAC2/FcMwhH7kcWF3Z3/ AQAA//8DAFBLAwQUAAYACAAAACEAgy/oZb8EAAB4DgAAFAAAAHhsL3NoYXJlZFN0cmluZ3MueG1s vFfdkto2FL7vTN/hjK82nQFjNrvdZsA7xAsh+wMMTnbTq46wBahrS44kQ+jT9Fn6ZD3CkDiSl+aq N8z48/nT4XyfjnvXX/IMNlQqJnjfC9odDyhPRMr4qu99/DBqXXmgNOEpyQSnfW9HlXcd/vxTTykN 6MtV31trXbzxfZWsaU5UWxSU45ulkDnR+ChXviokJalaU6rzzO92Opd+Thj3IBEl133v9TmmKTn7 XNKoQoLOuRf2FAt7OryhKpGs0Fhiz9dhzzdw9YpNYxviIqXtP5UNz8YzG7p9iv3bp6ENk2zlM65t eBx3Ly5t8Pehnd805Y0qSILNwlMrKjfUC9EObN9xfH712gUvgq4NYqE2hEXa0LypwHlTknnckGTY 5D6Z/mKnGTZFHDZFbOjtPB4Ef1zYIRFtTQdD5w8aRjfjltPhcJhlZhoSiEpsLtyw5ZLR1phmWU44 DAscQypJBrEmaGUnGwTdq7snG51MbWSAf7drh+RwDDFg9DZyYPRvgtH6XfTQZN0Az3Z67U79vFzs 7ABvkTfJLiJKZ9R+d0s2BG6jgY0PeCoFS234oyIrJ8ZzurTtoqaJaU+GH2xDM/0tiMuiEFLDomSZ BmSYgIwtJJE7v8iINnphO06m6DcRGlTlS1P0+0+vs0VG+PMrdP3In7nYOqoxI5LkMCG5c8opalcc 39t14AEcHqCgxDS5ZwvbOGoiSNREkKqOR5LZIZAQ2LImSuzftGZ3URy0HhuoZPxwjmDrAw4aLJiG Z+oMS80Kp/SU1R3dwZMkxQ8ErJueiIqkjgcm3KxlrJI9h/GCgXg82CNrotZ2Q2pOKJqWk0GM0z9/ n3C76AaWG2rg3s12Gj8MIlNfvR43dN3qWMCpSC9lwz/UTmaHqZkcM7n11IxeSoUTe7zq4aLt3DJf 
B/qrUad93u7Y1cx2kdwVSN7D1gDdtnMtHm1e9GUKCCRVHBQBQPJDs9bVdQ2a3Iy4OXmO3Gz0aFgF DkoIpaIK6intyIY5qOo/QIeD1QkmGBmHoP1b+xy2TK9B4nPLbE9KOYqwl/Bf7WpQl65tbDK1oRdX kmtnJ7lG0RxwtaWy6tySSdzzWG42GbMionhrkPRzyRCAXEiKT4oSmTiUNZqJ0Q6qj8ptXIVeY2gu eOubouO2aaLsY6ZwFgmeEA13N6NX7tFMxIl9H2BMUAVNGK4BKa6UfMlWpcS7H+s9QyKfiDiN4RME nfYlnMV4U8A9FQWRqZP5oVsNvV3REW+es8bL+1gNCusNlWxT1TnC27squPHgsbMAPjGeiq0Cjv4b 5x77NIN45jD8keEqbx9hD6J1YL/ADM7ATeLYHNV0vMZeZA3+vTsY4VQsxZfvA8mwJ2f4w3xc2v+C DcnwOyPw8CkRGdJerhZ9bzTCb4Kg0zGwHAmuK7uImA2BGXRJcpbtKrhrgP3nBq2AnHEhDejvU+lw TjNK1KEtpoJDEf9XAc2U+0YHXGOSrEyrfUavsaWyqhjEEpRY6i1BaplbETcjKquO4iFqnz5mar/v tA7NONtYhPQqMmr9Kzp8HMzf7/ey9xwzljJBQu8putSUQ4qjIhk+Y4lIoQNbkVx5wTLEROl8IFUB 7fQVWpMkH78cw38BAAD//wMAUEsDBBQABgAIAAAAIQBgQQnkUQEAAGYCAAARAAgBZG9jUHJvcHMv Y29yZS54bWwgogQBKKAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACEklFLwzAUhd8F/0PJ e5s201lC28EmexAHghPFt5jcbWVNGpJot39v2m61Q8HH3HPy5ZxLstlBVsEXGFvWKkdJFKMAFK9F qbY5elkvwxQF1jElWFUryNERLJoV11cZ15TXBp5MrcG4EmzgScpSrnO0c05TjC3fgWQ28g7lxU1t JHP+aLZYM75nW8AkjqdYgmOCOYZbYKgHIjohBR+Q+tNUHUBwDBVIUM7iJErwj9eBkfbPC50ycsrS HbXvdIo7Zgvei4P7YMvB2DRN1Ey6GD5/gt9Wj89d1bBU7a44oCITnHIDzNWmWLAKPoI524PJ8Gje 7rBi1q38ujcliPmxWJV7CB78pm2Gf6se2nXoySACn4r2Hc7K62Rxv16igsQJCeNpSNJ1klIypbfp e/v4xf02ZT+Qpwj/Eu9aYkwouaExGRHPgKLLffkzim8AAAD//wMAUEsDBBQABgAIAAAAIQDcWXjt 3AsAALQbAAAnAAAAeGwvcHJpbnRlclNldHRpbmdzL3ByaW50ZXJTZXR0aW5nczEuYmlu7Fd5NNTr G3+tpWsva0mKso+d6DbJdCUma5Yxdt80GPsuxrWEEJUllFHWLINCssSPe8kIRdMokSVZsmXf4ved ln/6655z//id8zs+73ne53ne932e830/Z545z4sFWGAAjMBFIAO0gD5sGQB5eM0LQMAR+MMiAxSB HFAAqrDlCH4FHSNgfg/6BI13AD0doANT+9z3OsKaA5jDPj08M8CeHpzNBx4QnPffg+5HCkZY08Py 
0/81s4GRjumI3K+r/97n/5aC8wRtAECT72gCyQw/7V/1zw0UHyfA6jKAK1q0r/8OGm+/Qn5UkYEJ XtyB92jyM/7Xc7v+/zcDv/4ymuDrGqNNLtBuzQnKgfm3mnIHAeAIMAPucH25wHUMATe42mg1fAQo AxVYlGHLABjDUXqQnSPOzemcoxMEgIGdE2SMC4LgVR8fyOubbwQ54dzdAED5erhCAT/URXcTX7y9 KwSMIG93V18f2gkVObkAWBw9cLSv+WdA8QEgf9HInHYvVtj+p9jA867vhetgnoUTDqEDe45oHjjE SotGG2v9QdO9LLQZAOnvCjDQfa+rk3IA/lejxdCBcaUfmz8UAnHJzcEd7+EFeXtDjjIoOx87BAJ4 WnBuB7KMK2np/m3J5nrIjCur//F+DQK6gqHznafsU93RodaKuenHA/vyqntF8eiRd7z8hoICbaXH NKpH+xLQayyEKN6HD4owTGlEU+fJD1USuMwPx7kNUDrnJDQr78cUchee5+Tae/8IKsz9sl9IMOGG 6ru6TEpvZvDmYP9c54tM1cfWqk9cJ11lZWzOZH9KzezPsFR/dz1kTZ44cV7kiW+lgMiWSuGQD1OR 5HzoyOFWDJ5dVvNS6RbmUwtZ2OqG5IOrfE/8pXZkF/3DEPluEblr7X2lqhrIyKmDZGIdMyXiOiQv kXoyd3VwOJhDasdAoOhruO7sRdwii1soau2sMCXpCx6PENdeFhrLTL2/QVqgcyOY5L/tkknEefP4 nxQTv5opfaA1qGF1L2LM95z5GCrmGeT3oeHa0ox5rLPwWuD1hUq/4sd1v5cZuykaChmEXl8XliTE mi0a35vKulQ4+GalM36DNUC8Yy2hWsjp+Zza2gfJHYnZTe0xwoutRqiK7b2XTmZHzaY9cX6mZA4i Ezmyi+YnHQQrZ3hNPXISC8Qt6KrbVUvDVYjSs/ENNX5CnklOT63WGU4FFS/oe27iyQiH7dtkZGcI sw8pZAUbsWbVxCFQkS5vg63YTz+iz/moopeP+lW2bq4GQZoWqfN8fXn2TR2PriFbf0KwI3n4aLnl 0vYe/tET05uJGPvAF0UcOjOK7JbLXMWhunsIZYyUOR9DoZUH0i5XKghIUiN6059Vj2sgVMqP7N28 8oQ36cuBv4fV8Z9Kup7J41YmUrqt7ebt0wxUl1+Js/UyMk2MFmrjwjCvVFAOQ5svMfqGyUEKqR1J 9D6fw2Lvi9jq1d1gt+vgU0oTvNdaSfGxOHZcXC9T/GyrStWqWL3vtRSiYyhKndSSSzHRTTDSbrqk RbEME4mv5Y2au5ZXddPtzCazLb7gM1NdeJFees4frZSXggqzvdpZkTuKoblbsoNBSHnU1Wp9BWtK cPD6IDGh5mWX1A7vE751iprkVo+pv0zRGNnd9nT2VtAn6sbo5mcdl/dx22v1CAkCTrkoLWUHsRid vHqp+ckGRWqdasFPx5Q1jpw/et+GsLPcP1soGbozjWQXHvBxORF0RuK2/VC9+xrXwSHmrFkR54gL bR4VPQycpsdQxhw3KDZxLmJ/JaMlc7v3kpDSovtEh2vjgq7IsRXVluQczdCyyfYsjKoo9RiaiiwJ QllrlKK5yvVetBaYP47ykJ3Jmcc+oJvwzGOgogP8hJd71DhnsuugHFN7BhOH4L/EzG4ru8ZN6B4t XuW8YqLuIeYsG+40nkrKb7BfdKpIS9Pw8NWMI17zZdPC9J8zdZ1R6bpWYtnnuwRtxFUJt7Bj0SzB iNUlng3pmf/c9+eqJuQwmGmIVh2spvz2NAHDXew9oZIBxYakPDtPiBogSh3fOB8e8jdeQ3ihNvq0 9pyWNR8nz+BQE9SRJ4IojMnK647bscdqcHtcGuexlJcuYfdDRuVIMWJLeUmXzff3m5grPVxr7mNj 
K/QfIVc3IsKj5PND12Jt6UkxUboVciR1FqRXhMtp6WnliZtQtSSdWcNY1VT+aphMHXYIc8amIHDe KiEuhuQ7VBvl1iogkJ2KC3mj3yFDjzBMg67+NmktGU20dS3uHXk09mava/X7qcduTgcnXRyb9WNk 9y/xV82/FkWpJZzscVAdODF8okM6w9Ra5Vl5C7Vo+lHsXKi6TrQ00jPkOrFPkqtL/GKuUIzwZsmi eLzULeiD4dmCSdazc6ph+OcLxd2Ayns3kRJwmPhBVUTW8eohq3jzm+aM/pmHuOxvt41DEg2a1KZn fiNXsbeZ04Ku+TyfEv3dyBGd1RZdPMF3tMyqvMyXHSvMFC4SKxb0kMCr4DLPbyHQoINPooZOfGlJ DZEnsT0/1ZPzEK2W/siXPrkX8fA3pxWmoSKvIWeeuaTDZq+H25uPys95rnuIjSdW5G7dXLiF5M3/ mFgRCZvJyC6ddmEH3KI22XNbTVWMEJ/XKSzRtj76IHnrpic+Mo+D/pXcxscThHp1MYIj1rV//y0J I+uFNm5s+3jSlPxbLcZhLvHocQMc+WQyC1///rHpQ5gUL/a8tpQABcPU7vufPcQa98S0B4exVIiT e4PD7LHtgZgX1xvFywIxhheyeB8vKJFdslSQYvpxFoGCY8r6lkm3CuRlNZC9akTDj+r6lnduFUiQ NkSxTzt7yR5ibVGTXxm1rye31JSfEpPVSyz2fTfixcXn9lfKXWprSX3qQgbVr+BjlbPNK9FNsq91 MOGCdUdND1T5xd/+bbfL6pD9h+XDK6MZF56z1GTdrnfADm6yjwauZ7NgdUsDHpD/LLYgaYxxJAdq XosUPykcJKJjTWd+x1nR33GeyrL4cTmEWkEkYgie1O41jahigzWGiMss8wLYRMaNhltH2XpywyDV Zp2mviWfrfG5Ragef3zYOqi8cmDiLdP91WyImf/0gzhIaUDxiF3LWHuiJ0Gfny+dUkMfX5ckJ3uq bolrdDtVjuRnOprF4fzKUyuJHBMZf7dnuetIeoSmjAy3oxuxCmPD6oy7jbSsyPLrdn7foSkTe/mt 2LvpTLuq6HCMQkKH6ECLpkx6K9Tz6WZ2qt6ogkX3K5qeUozX4H19C4dVaqkZpR1QduRfvWCgq6FE jQhRVdJtIO511jn9CaFdxlxVGYcm8dQ7hCfPnFCUYce9vT749Y023crUZT1tLYxKjg1H0sURtckW 9blmaQfFeEvunp4/fRN03Ve0RgNm790pUB01TrtW2fd5NCi6/uJkpqdZuohM5lgVvUuJkP7BWybu +TddzmLudgukHCnXT7rhUF2h9KhoH26Ss1E9ViFAIPICRUSmi+ry9Wh/epugpudOP5cVa70S57ug 6RlvYVRHg9isVSN1Cd3bsB6M5rgza1VNXcqeDLUMQnOkzyZyl03a9TZYLmasZM4m2pdNWuYH+39W RqfPWmVSl3Int9fmM0Jta5GC9fnH8jc9Ol3UnWs5vtbnO+RvyvW4qLvVcug05JvprQ6XUn2afYQl g9En0Kt2T6hL+ZOnTZYz2DNmW6zLJll6Q65MKQupDERTshrxLOdrOklDq8L9fhuv2xmMx0NEbZoU rarUu1TN8yrDbbYb6vqk74grba8jD4ce2ygJGLJpFJT8fM/szBeRFWQ3auz2Mksxu+29Yy9rM80u oRAHrjxMUX2tvEDNm+d50ebN00lpntOdeSpYZiu7bf9VubivkMS4v3eHjn4HBgBK41r6aGV6wA33 sQHAAZ5dgew3GwLwsxPggT1wBqywTQMbOAB3eO57p/b9aO5gResyD4BD8ItWCY6Ug0UFtuXht6ws 3BHLwUMR8MJD/tue2o+ZtqsGv3j54Mwep0NpTfMudhnYZWCXgV0GdhnYZWCXgV0GdhnYZWCXgf8J 
A/8FAAD//wMAUEsDBBQABgAIAAAAIQCiocrBnAEAAFwDAAAQAAgBZG9jUHJvcHMvYXBwLnhtbCCi BAEooAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJyTQWsbMRCF74X8h0X3WGs7lGK0CsVp yKGlBjvJWdXOekW0ktBMFru/vtpdHMttcultNO/x+DQjidtDZ4seIhrvKjaflawAp31t3L5ij7v7 6y+sQFKuVtY7qNgRkN3Kq09iE32ASAawSBEOK9YShRXnqFvoFM6S7JLS+NgpSse4575pjIY7r187 cMQXZfmZw4HA1VBfh7dANiWuevrf0NrrgQ+fdseQgKX4GoI1WlG6pfxhdPToGyq+HTRYwXNRJLot 6Ndo6ChLwfOj2GplYZ2CZaMsguDnhngANQxto0xEKXpa9aDJxwLN7zS2BSt+KYQBp2K9ikY5SliD bTqMtQ1IUT77+IItAKHgyTA1xzL35rW5kcvRkIpL4xAwgSThEnFnyAL+bDYq0jvEy5x4ZJh4J5zt wDfP+d5IR2nxsTSR5rcaB5X4/iJa+y4od8z2tfYx+DhuUfCTLL4b94KPYefvFMFpM5dNsW1VhDot 86SfG+IhLSXaIWTdKreH+uT5Vxje0dP0WeT8ZlYuy/REsp7g528h/wAAAP//AwBQSwMEFAAGAAgA AAAhADYCE9FAAgAAHwYAABQAAAB4bC90YWJsZXMvdGFibGUxLnhtbHRU23LaMBB970z/QaP3YuQ0 5DJABkhpkyHAxKTtq7AFVkeWPJKA+O+zvhZR9VGrc/bsro52+PCeCXRk2nAlR5j0+hgxGauEy/0I v23mX24xMpbKhAol2QgXzOCH8edPQ0u3giFgSzPCqbX5fRCYOGUZNT2VMwk3O6UzauGo94HJNaOJ SRmzmQjCfn8QZJRLjHgCshhJmkH2TZkUTgk3uaDF0glqthvhCbnfhCFGVlkqzKs6Rak6QeVQdwoC TEPo8X33BFnDK0hELW2PkLeDTJUGbHtT5iuV3Wgfj4f0YNWcC8s0OpcPxnX/MyUOmTQoVgdpQbGk VJnqC7e5N0P3zCmJ3GE3U0WAaupprKmmGSqH4LJufSxo9pz1kwqXdOMjfW1Jj8zEmucWXODSBj7a dUvrLb9tXPy1Dw9zaYr7xWWiTgZOlh8v2oJiyueaMSEiWwiww3elEl++QZtuFaHfrv6VD3/T4vkq cuGhD37Xwp/pkaLn2cTlEB+HdKOcghfiYkaNFRcN9n1E+F/1u01kohVPHC2vP0j3XdY/1g7cawzS TQvgEYsXfOuQvMYgf01Y2PTCFF5PkG7IL+FMF7lVjorXF6Rrfl14OP8aYkq9fiCd+V8P28LR9fqB dAZewaaKooVD8XoCvmrzTlIlrPfHOJRyZbnW/V+l3U9YRq4VK3MEZ8vDNKuk+gtPcqca/WpHVsEX lvBDBtoGduCca2PrtVNtwzK2ABNehMqNaeGnM9jaDbNGdNGzQsYfAAAA//8DAFBLAQItABQABgAI AAAAIQDF3RNAiwEAAJQGAAATAAAAAAAAAAAAAAAAAAAAAABbQ29udGVudF9UeXBlc10ueG1sUEsB 
From nobody Mon Apr 7 15:00:43 2014
From: Mike Jones
To: "Hollenbeck, Scott", "jose@ietf.org"
Cc: "Kaliski, Burt"
Date: Mon, 7 Apr 2014 21:59:47 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A14AF03@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <831693C2CDA2E849A7D7A712B24E257F493981C6@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Subject: Re: [jose] WG Last Call Comments: draft-ietf-jose-json-web-key-25
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/pXwbci3pk85BTnzKUkg7lAr7SPk

Thanks - I've corrected this in my editor's draft.

-- Mike

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Hollenbeck, Scott
Sent: Friday, April 04, 2014 5:45 PM
To: jose@ietf.org
Cc: Kaliski, Burt
Subject: [jose] WG Last Call Comments: draft-ietf-jose-json-web-key-25

Minor editorial nit in Section 3.3:

s/operations(s)/operation(s)/

Scott and Burt
_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

From nobody Mon Apr 7 15:09:39 2014
From: Mike Jones
To: "Hollenbeck, Scott", "jose@ietf.org"
Cc: "Kaliski, Burt"
Date: Mon, 7 Apr 2014 22:08:37 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A14AF92@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <831693C2CDA2E849A7D7A712B24E257F493981EB@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Subject: Re: [jose] WG Last Call Comments: draft-ietf-jose-json-web-signature-25
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/FX8uhNwJzAJEkXLabYC05lOZAbQ

Thanks - I've revised the text to use your proposed wording in my editor's draft.

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Hollenbeck, Scott
Sent: Friday, April 04, 2014 5:52 PM
To: jose@ietf.org
Cc: Kaliski, Burt
Subject: [jose] WG Last Call Comments: draft-ietf-jose-json-web-signature-25

Section 8: "Whenever TLS is used, a TLS server certificate check MUST be performed, per RFC 6125 [RFC6125]."

I can't find the string "certificate check" in RFC 6125. I *think* the intention here is that the identity of the service provider MUST be verified using the procedures described in Section 6 of RFC 6125.

Proposed text:

OLD:
"a TLS server certificate check MUST be performed, per RFC 6125"

NEW:
"the identity of the service provider encoded in the TLS server certificate MUST be verified using the procedures described in Section 6 of RFC 6125"

Scott and Burt
_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

From nobody Tue Apr 8 12:43:18 2014
From: Brian Campbell
To: Mike Jones
Cc: "Hollenbeck, Scott", "Kaliski, Burt", "jose@ietf.org"
Date: Tue, 8 Apr 2014 13:42:40 -0600
Subject: Re: [jose] WG Last Call Comments: draft-ietf-jose-json-web-algorithms-25
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/ciM77gkMiy3EDEpi_fNXshJcDYI

But that section (6.2.1.2) is about the EC parameters x and y in JWK. The comment was about the ECDSA signature values R & S in section 3.4 for JWS. I believe that Scott is correct in saying that it is currently ambiguous and could be clarified. I think that left zero padding is what was intended and what most of us have (eventually) inferred should be done. But it should probably be stated explicitly.

On Mon, Apr 7, 2014 at 3:57 PM, Mike Jones wrote:

> Thanks for the useful reviews, Scott and Burt. Replies are inline.
>
> -----Original Message-----
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Hollenbeck, Scott
> Sent: Friday, April 04, 2014 5:43 PM
> To: jose@ietf.org
> Cc: Kaliski, Burt
> Subject: [jose] WG Last Call Comments: draft-ietf-jose-json-web-algorithms-25
>
> Sec. 3.4: For ECDSA P-521 SHA-512, as noted, "R and S will be 521 bits each, resulting in a 132-octet sequence." Unclear how R and S are to be converted into respective 66-octet values (pad with 0 bits on the left versus right). Should be consistent with practice in other specifications, e.g., IEEE 1363.
>
> Per http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-6.2.1.2, this is specified by the SEC1 specification, which the "x" and "y" definitions reference. (SEC1 specifies padding on the left in Section 2.3.1 - "BitString-to-OctetString Conversion".)
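The left zero padding of the JWS ECDSA values R and S discussed in the message above, as an added example that is not part of any message in this thread. It also covers ES256 and ES384, which the thread does not discuss; the function names and the sample integers are assumptions of this example.

```python
# Added example (not from the thread): fixed-width R || S encoding for
# JWS ECDSA signatures, using left zero padding.

# Curve size in bits per JWS algorithm. ES512 uses P-521, so each value
# needs ceil(521 / 8) = 66 octets and the whole signature is 132 octets.
CURVE_BITS = {"ES256": 256, "ES384": 384, "ES512": 521}


def coordinate_octets(alg):
    """Number of octets used for each of R and S under `alg`."""
    return (CURVE_BITS[alg] + 7) // 8


def check_range(alg, name, value):
    # Simplified sanity check (assumption of this example): a real verifier
    # additionally requires 1 <= value <= n - 1 for the curve order n.
    if value <= 0 or value.bit_length() > CURVE_BITS[alg]:
        raise ValueError(f"{name} is out of range for {alg}")


def encode_signature(alg, r, s):
    """Big-endian, left-zero-padded R followed by S."""
    size = coordinate_octets(alg)
    check_range(alg, "R", r)
    check_range(alg, "S", s)
    return r.to_bytes(size, "big") + s.to_bytes(size, "big")


def decode_signature(alg, signature):
    """Strict decoder: exact length only, then split in the middle."""
    size = coordinate_octets(alg)
    if len(signature) != 2 * size:
        raise ValueError(
            f"{alg} signature must be {2 * size} octets, got {len(signature)}"
        )
    r = int.from_bytes(signature[:size], "big")
    s = int.from_bytes(signature[size:], "big")
    check_range(alg, "R", r)
    check_range(alg, "S", s)
    return r, s


def minimal_octets(value):
    """Shortest big-endian form, i.e. with leading zero octets stripped."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def encode_minimal(r, s):
    """What an encoder without padding would emit; the R/S boundary is lost."""
    return minimal_octets(r) + minimal_octets(s)


def right_padded_value(alg, value):
    """Integer a peer reads back if the zero padding is appended on the right."""
    padded = minimal_octets(value).ljust(coordinate_octets(alg), b"\x00")
    return int.from_bytes(padded, "big")


# Constructed sample values, not a real signature. R needs only 65 octets,
# so it exercises the padding; S uses all 521 bits.
R_SAMPLE = (1 << 512) + 0x1234
S_SAMPLE = (1 << 520) + 0x5678

if __name__ == "__main__":
    sig = encode_signature("ES512", R_SAMPLE, S_SAMPLE)
    print("padded length:", len(sig))
    print("first octets of R:", sig[:2].hex())
    print("round trip ok:", decode_signature("ES512", sig) == (R_SAMPLE, S_SAMPLE))

    unpadded = encode_minimal(R_SAMPLE, S_SAMPLE)
    print("unpadded length:", len(unpadded))
    try:
        decode_signature("ES512", unpadded)
    except ValueError as exc:
        print("strict decoder rejects it:", exc)

    print("right padding changes R:",
          right_padded_value("ES512", R_SAMPLE) != R_SAMPLE)
```

Rejecting any signature whose length is not exactly twice the coordinate size is what keeps a left-padding signer and a verifier that guessed differently from silently disagreeing on R and S.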
From nobody Tue Apr 8 13:14:36 2014
From: Mike Jones
To: Brian Campbell
Cc: "Hollenbeck, Scott", "Kaliski, Burt", "jose@ietf.org"
Date: Tue, 8 Apr 2014 20:13:51 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A14BDD3@TK5EX14MBXC286.redmond.corp.microsoft.com>
Subject: Re: [jose] WG Last Call Comments: draft-ietf-jose-json-web-algorithms-25
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/7kyQJWb_fgM376fhOnwlFsCl2zU

Thanks for pointing that out John. Will do...

From: Brian Campbell [mailto:bcampbell@pingidentity.com]
Sent: Tuesday, April 08, 2014 12:43 PM
To: Mike Jones
Cc: Hollenbeck, Scott; jose@ietf.org; Kaliski, Burt
Subject: Re: [jose] WG Last Call Comments: draft-ietf-jose-json-web-algorithms-25

But that section (6.2.1.2) is about the EC parameters x and y in JWK. The comment was about the ECDSA signature values R & S in section 3.4 for JWS. I believe that Scott is correct in saying that it is currently ambiguous and could be clarified. I think that left zero padding is what was intended and what most of us have (eventually) inferred should be done. But it should probably be stated explicitly.

On Mon, Apr 7, 2014 at 3:57 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

Thanks for the useful reviews, Scott and Burt. Replies are inline.

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Hollenbeck, Scott
Sent: Friday, April 04, 2014 5:43 PM
To: jose@ietf.org
Cc: Kaliski, Burt
Subject: [jose] WG Last Call Comments: draft-ietf-jose-json-web-algorithms-25

Sec. 3.4: For ECDSA P-521 SHA-512, as noted, "R and S will be 521 bits each, resulting in a 132-octet sequence." Unclear how R and S are to be converted into respective 66-octet values (pad with 0 bits on the left versus right). Should be consistent with practice in other specifications, e.g., IEEE 1363.

Per http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-6.2.1.2, this is specified by the SEC1 specification, which the "x" and "y" definitions reference. (SEC1 specifies padding on the left in Section 2.3.1 - "BitString-to-OctetString Conversion".)

From nobody Wed Apr 9 02:33:33 2014
From: Antonio Sanso
To: "jose@ietf.org"
Date: Wed, 9 Apr 2014 09:33:29 +0000
Message-ID: <3C43D726-AF84-4C6D-B49C-6B7B34E805DF@adobe.com>
Subject: [jose] Fwd: RSASSA-PKCS-v1_5 SHA-256 validation example
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/D5Cxau5pyjAo2rwqRYeZlYYk4qI

anyone :)?

Begin forwarded message:

From: Antonio Sanso <asanso@adobe.com>
Subject: RSASSA-PKCS-v1_5 SHA-256 validation example
Date: April 2, 2014 at 8:19:11 AM GMT+2
To: <jose@ietf.org>

hi *,

IMHO the RSASSA-PKCS-v1_5 SHA-256 validation example n [0] can be a bit better explained.
Indeed it says

   We pass (n, e), JWS Signature, and the JWS Signing Input to
   an RSASSA-PKCS-v1_5 signature verifier that has been configured to
   use the SHA-256 hash function.

There is no mention on the fact the JWS Signature should be decoded in order to be verified.
IMHO a bit of more wording around this would not harm.
WDYT?

regards

antonio

[0] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-25#appendix-A.2.2

From nobody Wed Apr 9 09:48:25 2014
From: Mike Jones
To: Antonio Sanso, "jose@ietf.org"
Date: Wed, 9 Apr 2014 16:47:26 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A14D5C3@TK5EX14MBXC286.redmond.corp.microsoft.com>
Subject: Re: [jose] RSASSA-PKCS-v1_5 SHA-256 validation example
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/sPG5Akt4hfTfy1H-o0XuVkdm-Os

Hi Antonio,

The JWS Signature *is* the decoded signature. The encoded signature is denoted BASE64URL(JWS Signature) in the spec. The decoding and validation are described in steps 8 and 9 of http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-25#section-5.2.

That being said, I will look at ways to make the prose in the example clearer - for instance, possibly referencing steps 8 and 9 directly.

Thanks again,
-- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Antonio Sanso
Sent: Wednesday, April 09, 2014 2:33 AM
To: jose@ietf.org
Subject: [jose] Fwd: RSASSA-PKCS-v1_5 SHA-256 validation example

anyone :)?

Begin forwarded message:

From: Antonio Sanso <asanso@adobe.com>
Subject: RSASSA-PKCS-v1_5 SHA-256 validation example
Date: April 2, 2014 at 8:19:11 AM GMT+2
To: <jose@ietf.org>

hi *,

IMHO the RSASSA-PKCS-v1_5 SHA-256 validation example n [0] can be a bit better explained.
Indeed it says

   We pass (n, e), JWS Signature, and the JWS Signing Input to
   an RSASSA-PKCS-v1_5 signature verifier that has been configured to
   use the SHA-256 hash function.

There is no mention on the fact the JWS Signature should be decoded in order to be verified.
IMHO a bit of more wording around this would not harm.
WDYT?

regards

antonio

[0] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-25#appendix-A.2.2
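
The distinction drawn in the reply above, as an added example that is not part of the thread or the draft: the third segment of a compact JWS is BASE64URL(JWS Signature) and is decoded to octets before it reaches the RSASSA-PKCS1-v1_5 verifier, while the JWS Signing Input is the ASCII of the first two segments exactly as received. The key is a constructed toy key built from two Mersenne primes, and all function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import re

# DER DigestInfo prefix for SHA-256 used by EMSA-PKCS1-v1_5.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    """Decode one compact-serialization segment; reject '=', '+', '/' and whitespace."""
    if not re.fullmatch(r"[A-Za-z0-9_-]*", segment) or len(segment) % 4 == 1:
        raise ValueError("segment is not unpadded base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def emsa_pkcs1_v1_5(message, k):
    """Build the k-octet encoded message 00 01 FF..FF 00 DigestInfo(SHA-256)."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_verify(n, e, message, signature):
    """RSASSA-PKCS1-v1_5 verification with SHA-256 over raw signature octets."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:          # the signature is exactly modulus-sized
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Compare against a freshly built encoding instead of parsing the
    # recovered block, so padding variants are not accepted.
    return hmac.compare_digest(recovered, emsa_pkcs1_v1_5(message, k))


def verify_compact_rs256(token, n, e):
    """Verify a compact JWS and return the payload octets, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS has three segments")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    payload = b64url_decode(payload_b64)
    # JWS Signing Input: the encoded segments as received, not re-encoded.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    # JWS Signature: the decoded octets of the third segment.
    jws_signature = b64url_decode(signature_b64)
    if not rsa_verify(n, e, signing_input, jws_signature):
        raise ValueError("signature verification failed")
    return payload


# Constructed toy key for this example only (two Mersenne primes); not a secure key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def sign_compact_rs256(header, payload):
    """Produce the constructed sample token with the toy key above."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = b64url_encode(payload)
    k = (N.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v1_5(f"{h}.{p}".encode("ascii"), k), "big")
    return f"{h}.{p}.{b64url_encode(pow(em, D, N).to_bytes(k, 'big'))}"


SAMPLE = sign_compact_rs256({"alg": "RS256"}, b'{"iss":"joe"}')
```

Passing the base64url text of the third segment to `rsa_verify` without decoding fails on the length check, because the 141-octet signature for this key is 188 characters when encoded.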

From nobody Wed Apr 9 10:41:14 2014
From: "Hollenbeck, Scott"
To: Mike Jones, Brian Campbell
Cc: "Kaliski, Burt", "jose@ietf.org"
Date: Wed, 9 Apr 2014 17:41:05 +0000
Message-ID: <831693C2CDA2E849A7D7A712B24E257F4939B5EC@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Subject: Re: [jose] WG Last Call Comments: draft-ietf-jose-json-web-algorithms-25
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/dNjgMCtl6p0D5NyWhIsMNGTjsns

Thanks for the replies. We're comfortable with the explanations.

Scott

From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Tuesday, April 08, 2014 4:14 PM
To: Brian Campbell
Cc: Hollenbeck, Scott; jose@ietf.org; Kaliski, Burt
Subject: RE: [jose] WG Last Call Comments: draft-ietf-jose-json-web-algorithms-25

Thanks for pointing that out John. Will do...

From: Brian Campbell [mailto:bcampbell@pingidentity.com]
Sent: Tuesday, April 08, 2014 12:43 PM
To: Mike Jones
Cc: Hollenbeck, Scott; jose@ietf.org; Kaliski, Burt
Subject: Re: [jose] WG Last Call Comments: draft-ietf-jose-json-web-algorithms-25

But that section (6.2.1.2) is about the EC parameters x and y in JWK. The comment was about the ECDSA signature values R & S in section 3.4 for JWS. I believe that Scott is correct in saying that it is currently ambiguous and could be clarified. I think that left zero padding is what was intended and what most of us have (eventually) inferred should be done. But it should probably be stated explicitly.

On Mon, Apr 7, 2014 at 3:57 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

Thanks for the useful reviews, Scott and Burt. Replies are inline.

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Hollenbeck, Scott
Sent: Friday, April 04, 2014 5:43 PM
To: jose@ietf.org
Cc: Kaliski, Burt
Subject: [jose] WG Last Call Comments: draft-ietf-jose-json-web-algorithms-25

Sec. 3.4: For ECDSA P-521 SHA-512, as noted, "R and S will be 521 bits each, resulting in a 132-octet sequence." Unclear how R and S are to be converted into respective 66-octet values (pad with 0 bits on the left versus right). Should be consistent with practice in other specifications, e.g., IEEE 1363.

Per http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-6.2.1.2, this is specified by the SEC1 specification, which the "x" and "y" definitions reference. (SEC1 specifies padding on the left in Section 2.3.1 - "BitString-to-OctetString Conversion".)

From nobody Wed Apr 9 23:37:14 2014
From: Antonio Sanso
To: Mike Jones
Cc: "jose@ietf.org"
Date: Thu, 10 Apr 2014 06:37:07 +0000
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A14D5C3@TK5EX14MBXC286.redmond.corp.microsoft.com>
Subject: Re: [jose] RSASSA-PKCS-v1_5 SHA-256 validation example
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/8yuSmShlmD8yCnaYgFxJqkPR1LQ

hi Mike

On Apr 9, 2014, at 6:47 PM, Mike Jones wrote:

> Hi Antonio,
>
> The JWS Signature *is* the decoded signature. The encoded signature is denoted BASE64URL(JWS Signature) in the spec. The decoding and validation are described in steps 8 and 9 of http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-25#section-5.2.
>
> That being said, I will look at ways to make the prose in the example clearer – for instance, possibly referencing steps 8 and 9 directly.
>
> Thanks again,
> — Mike

thanks a lot for the pointer. And yes probably referencing http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-25#section-5.2. might help some implementer :) (or at least me :))

regards

antonio

> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Antonio Sanso
> Sent: Wednesday, April 09, 2014 2:33 AM
> To: jose@ietf.org
> Subject: [jose] Fwd: RSASSA-PKCS-v1_5 SHA-256 validation example
>
> anyone :)?
>
> Begin forwarded message:
>
>> From: Antonio Sanso
>> Subject: RSASSA-PKCS-v1_5 SHA-256 validation example
>> Date: April 2, 2014 at 8:19:11 AM GMT+2
>>
>> hi *,
>>
>> IMHO the RSASSA-PKCS-v1_5 SHA-256 validation example in [0] can be a bit better explained.
>> Indeed it says
>>
>>    We pass (n, e), JWS Signature, and the JWS Signing Input to
>>    an RSASSA-PKCS-v1_5 signature verifier that has been configured to
>>    use the SHA-256 hash function.
>>
>> There is no mention of the fact the JWS Signature should be decoded in order to be verified.
>> IMHO a bit more wording around this would not harm.
>> WDYT?
>>
>> regards
>>
>> antonio
>>
>> [0] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-25#appendix-A.2.2
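The decode-then-verify order discussed in this exchange (steps 8 and 9 of section 5.2), as an added example that is not part of the thread or of the JOSE drafts. The pure-Python RSASSA-PKCS1-v1_5 verifier, the function names and the 511-bit demo key are assumptions made here so the block runs offline; the token is constructed sample input.

```python
import base64
import hashlib
import hmac
import json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(text: str) -> bytes:
    """BASE64URL-decode a JWS segment (the encoding carries no '=' padding)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def emsa_pkcs1_v15_sha256(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(message))."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for a SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rsa_pkcs1_v15_sha256_verify(n: int, e: int, signature: bytes, message: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 verification over raw signature octets."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:  # the signature must be exactly modulus-sized
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Compare against a freshly built encoding instead of parsing the padding.
    return hmac.compare_digest(recovered, emsa_pkcs1_v15_sha256(message, k))


def verify_compact_jws(token: str, n: int, e: int) -> bool:
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        # Step 8: BASE64URL-decode the third segment; the resulting octets are
        # the JWS Signature. The 86 encoded characters are not.
        jws_signature = b64url_decode(signature_b64)
        # JWS Signing Input: the first two segments exactly as received.
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    except ValueError:
        return False
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        return False
    # Step 9: validate the decoded signature against the signing input.
    return rsa_pkcs1_v15_sha256_verify(n, e, jws_signature, signing_input)


# Constructed demo key (assumption, far too small for real use): the Curve25519
# and secp256k1 field primes are known primes and give a 511-bit modulus.
P = 2**255 - 19
Q = 2**256 - 2**32 - 977
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, used only to build the sample


def sign_compact_jws(payload: bytes) -> str:
    """Build a constructed RS256 token with the demo key (sample input only)."""
    k = (N.bit_length() + 7) // 8
    signing_input = b64url_encode(b'{"alg":"RS256"}') + "." + b64url_encode(payload)
    em = emsa_pkcs1_v15_sha256(signing_input.encode("ascii"), k)
    sig = pow(int.from_bytes(em, "big"), D, N).to_bytes(k, "big")
    return signing_input + "." + b64url_encode(sig)


TOKEN = sign_compact_jws(b'{"msg":"constructed sample"}')
```

Handing the third segment to the verifier without decoding it fails at the length check: 86 ASCII characters are not a 64-octet signature for this modulus.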

From nobody Thu Apr 10 17:50:29 2014
From: Mike Jones
To: "jose@ietf.org"
Date: Fri, 11 Apr 2014 00:49:33 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A150468@TK5EX14MBXC286.redmond.corp.microsoft.com>
Subject: [jose] JSON Web Key (JWK) Thumbprint Specification
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/-s5Zo6aDwisTrqlqvdasVfvE6jE

I created a new simple spec that defines a way to create a thumbprint of an arbitrary key, based upon its JWK representation. The abstract of the spec is:

This specification defines a means of computing a thumbprint value (a.k.a. digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509 Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects. This specification also registers the new JSON Web Signature (JWS) and JSON Web Encryption (JWE) Header Parameters and the new JSON Web Key (JWK) member name jkt (JWK SHA-256 Thumbprint) for holding these values.

The desire for this came up in an OpenID Connect context, but it's of general applicability, so I decided to submit the spec to the JOSE working group. Thanks to James Manger, John Bradley, and Nat Sakimura for the discussions that led up to this spec.

The specification is available at:

* http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00

An HTML formatted version is also available at:

* https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html

-- Mike

P.S. I also posted this notice at http://self-issued.info/?p=1213 and as @selfissued.

From nobody Thu Apr 10 20:35:08 2014
From: Richard Barnes
To: Mike Jones
Cc: "jose@ietf.org"
Date: Thu, 10 Apr 2014 23:30:38 -0400
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A150468@TK5EX14MBXC286.redmond.corp.microsoft.com>
Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/wk5pWsbpUKSw2PA1DNjCLfoZ3EI

Dear lord, can we just say "fingerprint" like the rest of the universe?

On Thu, Apr 10, 2014 at 8:49 PM, Mike Jones wrote:

> I created a new simple spec that defines a way to create a thumbprint of
> an arbitrary key, based upon its JWK representation. The abstract of the
> spec is:
>
> This specification defines a means of computing a thumbprint value (a.k.a.
> digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509
> Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects.
> This specification also registers the new JSON Web Signature (JWS) and JSON
> Web Encryption (JWE) Header Parameters and the new JSON Web Key (JWK)
> member name jkt (JWK SHA-256 Thumbprint) for holding these values.
>
> The desire for this came up in an OpenID Connect context, but it's of
> general applicability, so I decided to submit the spec to the JOSE working
> group. Thanks to James Manger, John Bradley, and Nat Sakimura for the
> discussions that led up to this spec.
>
> The specification is available at:
>
> · http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00
>
> An HTML formatted version is also available at:
>
> · https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html
>
> -- Mike
>
> P.S. I also posted this notice at http://self-issued.info/?p=1213 and as
> @selfissued.
From nobody Thu Apr 10 21:50:22 2014
From: Mike Jones
To: Richard Barnes
Cc: "jose@ietf.org"
Date: Fri, 11 Apr 2014 04:49:50 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A1507A4@TK5EX14MBXC286.redmond.corp.microsoft.com>
Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/OK7nabBaEMK3Z92RkEytYQavrtc

You're living in a different part of the world, apparently. Most of the specs that I use utilize the term "thumbprint", including ones such as http://msdn.microsoft.com/en-us/library/windows/desktop/aa376544(v=vs.85).aspx.

-- Mike

> From: Richard Barnes [mailto:rlb@ipv.sx]
> Sent: Thursday, April 10, 2014 8:31 PM
> To: Mike Jones
> Cc: jose@ietf.org
> Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
>
> Dear lord, can we just say "fingerprint" like the rest of the universe?
>
> On Thu, Apr 10, 2014 at 8:49 PM, Mike Jones wrote:
>
>> I created a new simple spec that defines a way to create a thumbprint of an arbitrary key, based upon its JWK representation. The abstract of the spec is:
>>
>> This specification defines a means of computing a thumbprint value (a.k.a. digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509 Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects. This specification also registers the new JSON Web Signature (JWS) and JSON Web Encryption (JWE) Header Parameters and the new JSON Web Key (JWK) member name jkt (JWK SHA-256 Thumbprint) for holding these values.
>>
>> The desire for this came up in an OpenID Connect context, but it's of general applicability, so I decided to submit the spec to the JOSE working group. Thanks to James Manger, John Bradley, and Nat Sakimura for the discussions that led up to this spec.
>>
>> The specification is available at:
>>
>> * http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00
>>
>> An HTML formatted version is also available at:
>>
>> * https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html
>>
>> -- Mike
>>
>> P.S. I also posted this notice at http://self-issued.info/?p=1213 and as @selfissued.

From nobody Mon Apr 14 05:48:20 2014
From: "Hannes Tschofenig"
To: jose@ietf.org
Date: Mon, 14 Apr 2014 14:48:15 +0200
Subject: [jose] Implementation Requirements
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/LguZnr1Bb54-FhqhxBxnEzWpVh8

Hi all,

I am looking at the implementation requirements of the JWA spec and I am wondering to what deployment environment they refer.
The JW* specs are generic building blocks and I fail to see how one can list mandatory-to-implement algorithms.

Ciao
Hannes

From nobody Mon Apr 14 06:07:23 2014
From: Richard Barnes
To: Hannes Tschofenig
Cc: "jose@ietf.org"
Date: Mon, 14 Apr 2014 09:07:00 -0400
Subject: Re: [jose] Implementation Requirements
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/wJnxo9uR9CQ8Qr3z8mkGKMt75go

+1

On Monday, April 14, 2014, Hannes Tschofenig wrote:

> Hi all,
>
> I am looking at the implementation requirements of the JWA spec and I am
> wondering to what deployment environment they refer.
> The JW* specs are generic building blocks and I fail to see how one can
> list mandatory-to-implement algorithms.
>
> Ciao
> Hannes

From nobody Mon Apr 14 06:11:18 2014
From: John Bradley
To: Hannes Tschofenig
Cc: jose@ietf.org
Date: Mon, 14 Apr 2014 10:09:06 -0300
Message-Id: <2FA2A5F6-0043-43F2-BCD3-04BBBC548889@ve7jtb.com>
Subject: Re: [jose] Implementation Requirements
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/r6Y8vOkSiDKsjpgYzb0d9vbTqDA

The IESG wants to see interoperability between implementations. To do that without dragging in discovery etc., there need to be minimum feature sets of JOSE libraries that people can count on.

An application using JOSE can elect not to support all the algorithms, but JOSE libraries need to support the mandatory to implement algorithms.

On Apr 14, 2014, at 9:48 AM, Hannes Tschofenig wrote:

> Hi all,
>
> I am looking at the implementation requirements of the JWA spec and I am wondering to what deployment environment they refer.
> The JW* specs are generic building blocks and I fail to see how one can list mandatory-to-implement algorithms.
>
> Ciao
> Hannes

An application using JOSE can elect not to support all the algorithms, but JOSE libraries need to support the mandatory to implement algorithms.

On Apr 14, 2014, at 9:48 AM, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:

Hi all, 
 
I am looking at the implementation requirements of the JWA spec and I am wondering to what deployment environment they refer.
The JW* specs are generic building blocks and I fail to see how one can list mandatory-to-implement algorithms.
 
Ciao
Hannes
 

From: "Hannes Tschofenig"
To: "John Bradley"
Cc: jose@ietf.org
Date: Mon, 14 Apr 2014 15:50:40 +0200
Subject: Re: [jose] Implementation Requirements
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/dxQpzNENrZd1yCljz0cGYlDm89Q

I don't think that's meaningful but I am already happy if there is a section in the JWA document that explains that these interoperability requirements refer to standalone libraries. 
I also think that the table for the IANA consideration section needs to make that clear as well. 
 
Ciao
Hannes
 
Sent: Monday, 14 April 2014 at 14:09
From: "John Bradley" <ve7jtb@ve7jtb.com>
To: "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net>
Cc: jose@ietf.org
Subject: Re: [jose] Implementation Requirements
The IESG wants to see interoperability between implementations, to do that without dragging in discovery etc there need to be minimum feature sets of JOSE libraries that people can count on.
 
An application using JOSE can elect not to support all the algorithms, but JOSE libraries need to support the mandatory to implement algorithms.
 
On Apr 14, 2014, at 9:48 AM, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:
 
Hi all, 
 
I am looking at the implementation requirements of the JWA spec and I am wondering to what deployment environment they refer.
The JW* specs are generic building blocks and I fail to see how one can list mandatory-to-implement algorithms.
 
Ciao
Hannes
 
From: Mike Jones
To: Hannes Tschofenig, John Bradley
Cc: "jose@ietf.org"
Date: Mon, 14 Apr 2014 16:35:05 +0000
Subject: Re: [jose] Implementation Requirements
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/N6PR7lGQVyPWMUqxtmj90ZfyCJs

I agree with John’s statement of why the implementation requirements are there.  I also agree with the suggestion that we be explicit that the implementation requirements apply to libraries.  I’ll add that to my to-do list.  I’m sure an opportunity to add that will arise sometime during IESG and IETF review.

-- Mike

From: Daniel Holth
To: Mike Jones
Cc: "jose@ietf.org"
Date: Mon, 14 Apr 2014 14:27:13 -0400
Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/BZgt1QgVzgfQvggPMGQVqU7a8bo

Here's a compatible Python implementation I did in March of last year.
https://bitbucket.org/dholth/jkf
It only lacks support for symmetric keys.

On Thu, Apr 10, 2014 at 8:49 PM, Mike Jones wrote:
> I created a new simple spec that defines a way to create a thumbprint of an
> arbitrary key, based upon its JWK representation.  The abstract of the spec
> is:
>
> This specification defines a means of computing a thumbprint value (a.k.a.
> digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509
> Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects.
> This specification also registers the new JSON Web Signature (JWS) and JSON
> Web Encryption (JWE) Header Parameters and the new JSON Web Key (JWK) member
> name jkt (JWK SHA-256 Thumbprint) for holding these values.
>
> The desire for this came up in an OpenID Connect context, but it’s of
> general applicability, so I decided to submit the spec to the JOSE working
> group.  Thanks to James Manger, John Bradley, and Nat Sakimura for the
> discussions that led up to this spec.
>
> The specification is available at:
>
> · http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00
>
> An HTML formatted version is also available at:
>
> · https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html
>
> -- Mike
>
> P.S.  I also posted this notice at http://self-issued.info/?p=1213 and as
> @selfissued.

From: "Jim Schaad"
To: "'Mike Jones'"
Date: Mon, 14 Apr 2014 13:06:40 -0700
Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/1ViVUbTua-SdZ-FY-kZjYkVv1QM

What are the practical benefits for this over = using the kid parameter?

 

Jim

 

 

From:= = jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike = Jones
Sent: Thursday, April 10, 2014 5:50 PM
To: = jose@ietf.org
Subject: [jose] JSON Web Key (JWK) Thumbprint = Specification

 

I created a = new simple spec that defines a way to create a thumbprint of an = arbitrary key, based upon its JWK representation.  The abstract of = the spec is:

 

This specification defines a means of computing a thumbprint value = (a.k.a. digest) of JSON Web Key (JWK) objects analogous to the = x5t (X.509 Certificate SHA-1 Thumbprint) value defined for X.509 = certificate objects. This specification also registers the new JSON Web = Signature (JWS) and JSON Web Encryption (JWE) Header Parameters and the = new JSON Web Key (JWK) member name jkt (JWK SHA-256 Thumbprint) for holding these values.

 

The desire = for this came up in an OpenID Connect context, but it’s of general = applicability, so I decided to submit the spec to the JOSE working = group.  Thanks to James Manger, John Bradley, and Nat Sakimura for = the discussions that led up to this spec.

 

The = specification is available at:

·         = ht= tp://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00

 

An = HTML formatted version is also available at:

·         = https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.ht= ml

 

         &= nbsp;           &n= bsp;           &nb= sp;           &nbs= p;            = ;  -- Mike

 

P.S.  I = also posted this notice at http://self-issued.info/?p=3D1= 213 and as @selfissued.

 

------=_NextPart_000_0521_01CF57E2.60824810--

From nobody Mon Apr 14 13:39:10 2014
From: Daniel Holth
To: Jim Schaad
Cc: Mike Jones, jose
Date: Mon, 14 Apr 2014 16:38:59 -0400
Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
In-Reply-To: <052001cf581d$0cde8800$269b9800$@augustcellars.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/IpMgErA7o5_EIKe_5t0V95eoPA4

For me the finger/thumbprint is something you could sign as part of an "I
trust this key" assertion since it is a property of a specific key rather
than an arbitrary association.

On Mon, Apr 14, 2014 at 4:06 PM, Jim Schaad wrote:
> What are the practical benefits for this over using the kid parameter?
>
> Jim
>
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Thursday, April 10, 2014 5:50 PM
> To: jose@ietf.org
> Subject: [jose] JSON Web Key (JWK) Thumbprint Specification
>
> I created a new simple spec that defines a way to create a thumbprint of an
> arbitrary key, based upon its JWK representation. The abstract of the spec
> is:
>
> This specification defines a means of computing a thumbprint value (a.k.a.
> digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509
> Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects.
> This specification also registers the new JSON Web Signature (JWS) and JSON
> Web Encryption (JWE) Header Parameters and the new JSON Web Key (JWK) member
> name jkt (JWK SHA-256 Thumbprint) for holding these values.
>
> The desire for this came up in an OpenID Connect context, but it’s of
> general applicability, so I decided to submit the spec to the JOSE working
> group. Thanks to James Manger, John Bradley, and Nat Sakimura for the
> discussions that led up to this spec.
>
> The specification is available at:
>
> · http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00
>
> An HTML formatted version is also available at:
>
> · https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html
>
> -- Mike
>
> P.S. I also posted this notice at http://self-issued.info/?p=1213 and as
> @selfissued.
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

From nobody Mon Apr 14 13:40:55 2014
From: "Jim Schaad"
To: "'Daniel Holth'"
Cc: 'Mike Jones', 'jose'
Date: Mon, 14 Apr 2014 13:38:51 -0700
Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
Message-ID: <054501cf5821$8c1dec10$a459c430$@augustcellars.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/_WNbkq7_6HWpzC-lv-_9OPbyJKk

I would have problems with that if it did not come with additional
restrictions on the key that I might want to additionally state - such as
restricting the key to be used with specific algorithms or key usages.

> -----Original Message-----
> From: Daniel Holth [mailto:dholth@gmail.com]
> Sent: Monday, April 14, 2014 1:39 PM
> To: Jim Schaad
> Cc: Mike Jones; jose
> Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
>
> For me the finger/thumbprint is something you could sign as part of an "I
> trust this key" assertion since it is a property of a specific key rather
> than an arbitrary association.
>
> On Mon, Apr 14, 2014 at 4:06 PM, Jim Schaad wrote:
> > What are the practical benefits for this over using the kid parameter?
> >
> > Jim
> >
> > From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> > Sent: Thursday, April 10, 2014 5:50 PM
> > To: jose@ietf.org
> > Subject: [jose] JSON Web Key (JWK) Thumbprint Specification
> >
> > I created a new simple spec that defines a way to create a thumbprint
> > of an arbitrary key, based upon its JWK representation. The abstract
> > of the spec is:
> >
> > This specification defines a means of computing a thumbprint value (a.k.a.
> > digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509
> > Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects.
> > This specification also registers the new JSON Web Signature (JWS) and
> > JSON Web Encryption (JWE) Header Parameters and the new JSON Web Key
> > (JWK) member name jkt (JWK SHA-256 Thumbprint) for holding these values.
> >
> > The desire for this came up in an OpenID Connect context, but it's of
> > general applicability, so I decided to submit the spec to the JOSE
> > working group. Thanks to James Manger, John Bradley, and Nat Sakimura
> > for the discussions that led up to this spec.
> >
> > The specification is available at:
> >
> > http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00
> >
> > An HTML formatted version is also available at:
> >
> > https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html
> >
> > -- Mike
> >
> > P.S. I also posted this notice at http://self-issued.info/?p=1213 and
> > as @selfissued.
> >
> > _______________________________________________
> > jose mailing list
> > jose@ietf.org
> > https://www.ietf.org/mailman/listinfo/jose

From nobody Mon Apr 14 13:50:44 2014
From: Daniel Holth
To: Jim Schaad
Cc: Mike Jones, jose
Date: Mon, 14 Apr 2014 16:50:31 -0400
Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
In-Reply-To: <054501cf5821$8c1dec10$a459c430$@augustcellars.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/40eLmXU9a85MB07myNzw9ZXQK9A

The thumbprint includes the algorithm but not the usage restrictions. A
practical certificate would certainly include "trusted for ..." constraints.
Simply not having to store the kid since a substitute can be computed from
the actual key material is advantage enough for me.

On Mon, Apr 14, 2014 at 4:38 PM, Jim Schaad wrote:
> I would have problems with that if it did not come with additional
> restrictions on the key that I might want to additionally state - such as
> restricting the key to be used with specific algorithms or key usages.
>
>> -----Original Message-----
>> From: Daniel Holth [mailto:dholth@gmail.com]
>> Sent: Monday, April 14, 2014 1:39 PM
>> To: Jim Schaad
>> Cc: Mike Jones; jose
>> Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
>>
>> For me the finger/thumbprint is something you could sign as part of an "I
>> trust this key" assertion since it is a property of a specific key rather
>> than an arbitrary association.
>>
>> On Mon, Apr 14, 2014 at 4:06 PM, Jim Schaad wrote:
>> > What are the practical benefits for this over using the kid parameter?
>> >
>> > Jim
>> >
>> > From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
>> > Sent: Thursday, April 10, 2014 5:50 PM
>> > To: jose@ietf.org
>> > Subject: [jose] JSON Web Key (JWK) Thumbprint Specification
>> >
>> > I created a new simple spec that defines a way to create a thumbprint
>> > of an arbitrary key, based upon its JWK representation. The abstract
>> > of the spec is:
>> >
>> > This specification defines a means of computing a thumbprint value (a.k.a.
>> > digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509
>> > Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects.
>> > This specification also registers the new JSON Web Signature (JWS) and
>> > JSON Web Encryption (JWE) Header Parameters and the new JSON Web Key
>> > (JWK) member name jkt (JWK SHA-256 Thumbprint) for holding these values.
>> >
>> > The desire for this came up in an OpenID Connect context, but it's of
>> > general applicability, so I decided to submit the spec to the JOSE
>> > working group. Thanks to James Manger, John Bradley, and Nat Sakimura
>> > for the discussions that led up to this spec.
>> >
>> > The specification is available at:
>> >
>> > http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00
>> >
>> > An HTML formatted version is also available at:
>> >
>> > https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html
>> >
>> > -- Mike
>> >
>> > P.S. I also posted this notice at http://self-issued.info/?p=1213 and
>> > as @selfissued.
>> >
>> > _______________________________________________
>> > jose mailing list
>> > jose@ietf.org
>> > https://www.ietf.org/mailman/listinfo/jose

From nobody Mon Apr 14 14:02:10 2014
From: John Bradley
To: Jim Schaad
Cc: Michael Jones, jose@ietf.org
Date: Mon, 14 Apr 2014 18:01:54 -0300
Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
Message-Id: <8AC99548-ED07-49D6-939A-D49EACD3DCD4@ve7jtb.com>
In-Reply-To: <052001cf581d$0cde8800$269b9800$@augustcellars.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/G7ASMVxIwf2wGvQV0cUmhYh3Lho
Content-Type: multipart/alternative; boundary="Apple-Mail=_25054738-70E9-4567-A720-0DF20C87160F"

--Apple-Mail=_25054738-70E9-4567-A720-0DF20C87160F
Content-Type: text/plain; charset=windows-1252

kid is just a name for a key. The thumbprint is a way to refer to a key in a
signed message without having to send the entire key.

This is useful in OpenID Connect for calculating a synthetic subject based on
the public key of a self signed JWT.

It is also useful in proof of possession scenarios where it may be sufficient
to include a hash of the public key needed for the proof in the assertion
rather than the whole key each time.

The problem with kid is that in the PoP case you would need an out-of-band way
to transfer the key, sort of defeating the benefit of stateless tokens.

So it is a sort of kid but one that is unique to a given key in a collision
resistant way.

John B.

On Apr 14, 2014, at 5:06 PM, Jim Schaad wrote:

> What are the practical benefits for this over using the kid parameter?
>
> Jim
>
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Thursday, April 10, 2014 5:50 PM
> To: jose@ietf.org
> Subject: [jose] JSON Web Key (JWK) Thumbprint Specification
>
> I created a new simple spec that defines a way to create a thumbprint of an
> arbitrary key, based upon its JWK representation. The abstract of the spec
> is:
>
> This specification defines a means of computing a thumbprint value (a.k.a.
> digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509
> Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects.
> This specification also registers the new JSON Web Signature (JWS) and JSON
> Web Encryption (JWE) Header Parameters and the new JSON Web Key (JWK) member
> name jkt (JWK SHA-256 Thumbprint) for holding these values.
>
> The desire for this came up in an OpenID Connect context, but it’s of
> general applicability, so I decided to submit the spec to the JOSE working
> group. Thanks to James Manger, John Bradley, and Nat Sakimura for the
> discussions that led up to this spec.
>
> The specification is available at:
> · http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00
>
> An HTML formatted version is also available at:
> · https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html
>
> -- Mike
>
> P.S. I also posted this notice at http://self-issued.info/?p=1213 and as
> @selfissued.
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

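A thumbprint of the kind discussed in this thread, computed from key material only so that `kid`, `alg` and `use` do not affect it, as an added example that is not part of any post or of the draft. It assumes the canonical form later published in RFC 7638 (required members only, sorted by name, no whitespace, SHA-256, base64url), which draft -00 may not match in every detail; the key values and the helpers `demo()` and `key_matches()` are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Members that identify the key itself, per key type (RFC 7638 section 3.2).
# Everything else (kid, alg, use, key_ops, x5c, ...) is metadata and is left out.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def canonical_jwk(jwk: dict) -> bytes:
    """Return the bytes that get hashed: required members only,
    sorted by member name, no whitespace, UTF-8 encoded."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    subset = {}
    for name in REQUIRED_MEMBERS[kty]:
        value = jwk.get(name)
        if not isinstance(value, str) or not value:
            raise ValueError(f"JWK member {name!r} missing or not a string")
        subset[name] = value
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical form, base64url without padding."""
    digest = hashlib.sha256(canonical_jwk(jwk)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_matches(jwk: dict, expected_thumbprint: str) -> bool:
    """Check a presented key against a thumbprint carried in a signed token
    (the proof-of-possession case), using a constant-time comparison."""
    return hmac.compare_digest(
        jwk_thumbprint(jwk).encode("ascii"),
        expected_thumbprint.encode("utf-8"),
    )


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample values: these byte patterns are not real RSA moduli.
KEY_A = {"kty": "RSA", "n": _b64u(bytes(range(1, 129))), "e": "AQAB"}
KEY_B = {"kty": "RSA", "n": _b64u(bytes(range(2, 130))), "e": "AQAB"}


def demo() -> dict:
    """Thumbprints of the same key under different labels, and of another key."""
    relabelled = dict(KEY_A, kid="signing-2014", alg="RS256", use="sig")
    other_alg = dict(KEY_A, kid="renamed", alg="PS512")
    return {
        "bare": jwk_thumbprint(KEY_A),
        "with_kid_alg_use": jwk_thumbprint(relabelled),
        "other_alg": jwk_thumbprint(other_alg),
        "different_key": jwk_thumbprint(KEY_B),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:18} {value}")
```

Because `alg` and `use` never enter the hash, a relying party that pins a thumbprint still has to state the permitted algorithms and usages separately.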
= --Apple-Mail=_25054738-70E9-4567-A720-0DF20C87160F-- From nobody Mon Apr 14 14:36:27 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 977B71A0235 for ; Mon, 14 Apr 2014 14:36:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qe2YXDE7fNS1 for ; Mon, 14 Apr 2014 14:36:20 -0700 (PDT) Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.177]) by ietfa.amsl.com (Postfix) with ESMTP id D2B2A1A0231 for ; Mon, 14 Apr 2014 14:36:20 -0700 (PDT) Received: from Philemon (winery.augustcellars.com [206.212.239.129]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp3.pacifier.net (Postfix) with ESMTPSA id 2DC8F38F1C; Mon, 14 Apr 2014 14:36:18 -0700 (PDT) From: "Jim Schaad" To: "'Daniel Holth'" References: <4E1F6AAD24975D4BA5B16804296739439A150468@TK5EX14MBXC286.redmond.corp.microsoft.com> <052001cf581d$0cde8800$269b9800$@augustcellars.com> <054501cf5821$8c1dec10$a459c430$@augustcellars.com> In-Reply-To: Date: Mon, 14 Apr 2014 14:34:18 -0700 Message-ID: <054a01cf5829$4d505f10$e7f11d30$@augustcellars.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQG0HD2WpSh+QoTEegEYy90jeG8UcQJyndp/AiNpKhkBaDlAfAHyOIbcmwiWFxA= Content-Language: en-us Archived-At: http://mailarchive.ietf.org/arch/msg/jose/kkip4msYPdB1Of8qxqusM8ziusc Cc: 'Mike Jones' , 'jose' Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification X-BeenThere: jose@ietf.org X-Mailman-Version: 
2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Apr 2014 21:36:25 -0000 No, it includes the key type not the algorithm. It says this is an RSA = key not that this is an RSA key to be used with the RSA-PSS-with-SHA512 = algorithm. > -----Original Message----- > From: Daniel Holth [mailto:dholth@gmail.com] > Sent: Monday, April 14, 2014 1:51 PM > To: Jim Schaad > Cc: Mike Jones; jose > Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification >=20 > The thumbprint includes the algorithm but not the usage restrictions. > A practical certificate would certainly include "trusted for ..." > constraints. Simply not having to store the kid since a substitute can = be > computed from the actual key material is advantage enough for me. >=20 > On Mon, Apr 14, 2014 at 4:38 PM, Jim Schaad = wrote: > > I would have problems with that if it did not come with additional = restrictions > on the key that I might want to additionally state -such as = restricting the key to > be used with specific algorithms or key usages. > > > > > >> -----Original Message----- > >> From: Daniel Holth [mailto:dholth@gmail.com] > >> Sent: Monday, April 14, 2014 1:39 PM > >> To: Jim Schaad > >> Cc: Mike Jones; jose > >> Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification > >> > >> For me the finger/thumbprint is something you could sign as part of > >> an "I trust this key" assertion since it is a property of a = specific > >> key rather than an arbitrary association. > >> > >> On Mon, Apr 14, 2014 at 4:06 PM, Jim Schaad = > wrote: > >> > What are the practical benefits for this over using the kid = parameter? 
> >> > > >> > > >> > > >> > Jim > >> > > >> > > >> > > >> > > >> > > >> > From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones > >> > Sent: Thursday, April 10, 2014 5:50 PM > >> > To: jose@ietf.org > >> > Subject: [jose] JSON Web Key (JWK) Thumbprint Specification > >> > > >> > > >> > > >> > I created a new simple spec that defines a way to create a > >> > thumbprint of an arbitrary key, based upon its JWK = representation. > >> > The abstract of the spec > >> > is: > >> > > >> > > >> > > >> > This specification defines a means of computing a thumbprint = value (a.k.a. > >> > digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509 > >> > Certificate SHA-1 Thumbprint) value defined for X.509 certificate = objects. > >> > This specification also registers the new JSON Web Signature = (JWS) > >> > and JSON Web Encryption (JWE) Header Parameters and the new JSON > >> > Web Key > >> > (JWK) member name jkt (JWK SHA-256 Thumbprint) for holding these > values. > >> > > >> > > >> > > >> > The desire for this came up in an OpenID Connect context, but it = s > >> > of general applicability, so I decided to submit the spec to the > >> > JOSE working group. Thanks to James Manger, John Bradley, and = Nat > >> > Sakimura for the discussions that led up to this spec. > >> > > >> > > >> > > >> > The specification is available at: > >> > > >> > > >> > http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00 > >> > > >> > > >> > > >> > An HTML formatted version is also available at: > >> > > >> > > >> > = https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.ht > >> > ml > >> > > >> > > >> > > >> > -- = Mike > >> > > >> > > >> > > >> > P.S. I also posted this notice at = http://self-issued.info/?p=3D1213 > >> > and as @selfissued. 
> >> > > >> > > >> > > >> > > >> > _______________________________________________ > >> > jose mailing list > >> > jose@ietf.org > >> > https://www.ietf.org/mailman/listinfo/jose > >> > > > From nobody Mon Apr 14 14:40:05 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4A0F1A0755 for ; Mon, 14 Apr 2014 14:40:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gp6mg-LBzD2A for ; Mon, 14 Apr 2014 14:39:59 -0700 (PDT) Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id 6765C1A0757 for ; Mon, 14 Apr 2014 14:39:59 -0700 (PDT) Received: from Philemon (winery.augustcellars.com [206.212.239.129]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 43C0E2CA28; Mon, 14 Apr 2014 14:39:56 -0700 (PDT) From: "Jim Schaad" To: "'John Bradley'" References: <4E1F6AAD24975D4BA5B16804296739439A150468@TK5EX14MBXC286.redmond.corp.microsoft.com> <052001cf581d$0cde8800$269b9800$@augustcellars.com> <8AC99548-ED07-49D6-939A-D49EACD3DCD4@ve7jtb.com> In-Reply-To: <8AC99548-ED07-49D6-939A-D49EACD3DCD4@ve7jtb.com> Date: Mon, 14 Apr 2014 14:37:57 -0700 Message-ID: <054b01cf5829$cf5c2660$6e147320$@augustcellars.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_054C_01CF57EF.23014600" X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQG0HD2WpSh+QoTEegEYy90jeG8UcQJyndp/AkHxfVGbInZdcA== Content-Language: en-us Archived-At: 
http://mailarchive.ietf.org/arch/msg/jose/yV10GGhfnEen9WohQ0vh45nsGhY Cc: 'Michael Jones' , jose@ietf.org Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Apr 2014 21:40:04 -0000

This is a multipart message in MIME format.

------=_NextPart_000_054C_01CF57EF.23014600 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit

And to me all this sounds like is that there should be a document which says - this is one way to compute a kid value and then let the application say that this will be the way to do it. Much like how SPKIs are done for X.509 certificates today.

Jim

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Monday, April 14, 2014 2:02 PM
To: Jim Schaad
Cc: Michael Jones; jose@ietf.org
Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification

kid is just a name for a key. The thumbprint is a way to refer to a key in a signed message without having to send the entire key.

This is useful in OpenID Connect for calculating a synthetic subject based on the public key of a self signed JWT.

It is also useful in proof of possession scenarios where it may be sufficient to include a hash of the public key needed for the proof in the assertion rather than the whole key each time.

The problem with kid is that in the PoP case you would need an out of band way to transfer the key sort of defeating the benefit of stateless tokens.

So it is a sort of kid but one that is unique to a given key in a collision resistant way.

John B.

On Apr 14, 2014, at 5:06 PM, Jim Schaad wrote:

What are the practical benefits for this over using the kid parameter?

Jim

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Thursday, April 10, 2014 5:50 PM
To: jose@ietf.org
Subject: [jose] JSON Web Key (JWK) Thumbprint Specification

I created a new simple spec that defines a way to create a thumbprint of an arbitrary key, based upon its JWK representation. The abstract of the spec is:

This specification defines a means of computing a thumbprint value (a.k.a. digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509 Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects. This specification also registers the new JSON Web Signature (JWS) and JSON Web Encryption (JWE) Header Parameters and the new JSON Web Key (JWK) member name jkt (JWK SHA-256 Thumbprint) for holding these values.

The desire for this came up in an OpenID Connect context, but it's of general applicability, so I decided to submit the spec to the JOSE working group. Thanks to James Manger, John Bradley, and Nat Sakimura for the discussions that led up to this spec.

The specification is available at:

    http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00

An HTML formatted version is also available at:

    https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html

-- Mike

P.S. I also posted this notice at http://self-issued.info/?p=1213 and as @selfissued.

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

------=_NextPart_000_054C_01CF57EF.23014600 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

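The distinction drawn in the message above between kid (a name for a key) and a thumbprint (a value derived from the key itself), as an added example that is not part of the thread or of the draft. It assumes the hash input later published in RFC 7638 (required members only, names sorted, no whitespace, SHA-256, base64url); the modulus stand-in, the kid and the helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Members that feed the hash, per key type. Taken from RFC 7638, the published
# successor of the draft; an assumption here, since the thread does not list them.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def uint_to_b64url(value: int) -> str:
    """Unsigned big-endian integer in the minimum number of octets."""
    if value < 0:
        raise ValueError("JWK integers are unsigned")
    return b64url(value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big"))


def normalize_uint(text: str) -> str:
    """Re-encode an integer member, dropping any leading zero octets."""
    return uint_to_b64url(int.from_bytes(b64url_decode(text), "big"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only: sorted names, no whitespace."""
    kty = jwk.get("kty")
    if not isinstance(kty, str) or kty not in REQUIRED_MEMBERS:
        raise ValueError("unsupported or missing kty")
    subset = {}
    for name in REQUIRED_MEMBERS[kty]:
        value = jwk.get(name)
        if not isinstance(value, str) or not value:
            raise ValueError(f"required member {name!r} missing or not a string")
        subset[name] = value
    hash_input = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(hash_input.encode("utf-8")).digest())


def key_matches(jwk: dict, claimed_thumbprint: str) -> bool:
    """Check a presented key against a thumbprint carried in a signed assertion."""
    return hmac.compare_digest(jwk_thumbprint(jwk), claimed_thumbprint)


# Constructed values: a 2048-bit odd number standing in for a modulus (not a
# real RSA modulus) and the usual public exponent 65537.
SAMPLE_N = (1 << 2047) | int.from_bytes(hashlib.sha256(b"constructed").digest(), "big") | 1
SAMPLE_JWK = {"kty": "RSA", "n": uint_to_b64url(SAMPLE_N), "e": uint_to_b64url(65537)}


def demo() -> dict:
    base = jwk_thumbprint(SAMPLE_JWK)
    # Optional members (kid, alg, use) do not enter the hash.
    labelled = dict(SAMPLE_JWK, kid="signing-key-2014", alg="RS256", use="sig")
    # Same modulus with the leading 0x00 octet that a DER INTEGER carries.
    padded_n = b64url(b"\x00" + SAMPLE_N.to_bytes(256, "big"))
    padded = dict(SAMPLE_JWK, n=padded_n)
    repaired = dict(padded, n=normalize_uint(padded_n))
    # A different key must not satisfy the original thumbprint.
    other = dict(SAMPLE_JWK, n=uint_to_b64url(SAMPLE_N + 2))
    return {
        "thumbprint": base,
        "same_with_optional_members": jwk_thumbprint(labelled) == base,
        "same_with_padded_modulus": jwk_thumbprint(padded) == base,
        "same_after_normalizing": jwk_thumbprint(repaired) == base,
        "different_key_accepted": key_matches(other, base),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A modulus encoded with a leading zero octet yields a different thumbprint for the same key, which is where the minimum-octets rule for RSA parameters matters to anything that compares thumbprints.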

 

------=_NextPart_000_054C_01CF57EF.23014600-- From prvs=174a3bf4f=maberry@amazon.com Mon Apr 14 14:36:44 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 201531A0757 for ; Mon, 14 Apr 2014 14:36:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -12.073 X-Spam-Level: X-Spam-Status: No, score=-12.073 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xWu_iKxM-pVk for ; Mon, 14 Apr 2014 14:36:39 -0700 (PDT) Received: from smtp-fw-9101.amazon.com (smtp-fw-9101.amazon.com [207.171.184.25]) by ietfa.amsl.com (Postfix) with ESMTP id A13EC1A0231 for ; Mon, 14 Apr 2014 14:36:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1397511397; x=1429047397; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=xsRjMeXXRS2Ibu9EM9vOVl5K69XG9nUFbNOR+SVrfRI=; b=sx0kBJDXS21t2Dz1dWiLZuF6ajbsT513NsCoUzZUpVZ5UQv+Q+XQInHy UCFnBLb67DLUJ9V2nJ1JPYmoV1LAoBzsS8hHQrJDaMohYOq5zns+ZKi9P Vo/A/J9M2zKdpL6Q8k3DtsvTflCo7dXUGdhRDNdklMofxNMtiz6PeXP89 4=; X-IronPort-AV: E=Sophos;i="4.97,859,1389744000"; d="scan'208";a="43664310" Received: from email-inbound-relay-62040.pdx2.amazon.com ([10.241.21.71]) by smtp-border-fw-out-9101.sea19.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 14 Apr 2014 21:36:35 +0000 Received: from ex10-hub-31002.ant.amazon.com (ex10-hub-31002.sea31.amazon.com [10.185.169.193]) by email-inbound-relay-62040.pdx2.amazon.com (8.14.7/8.14.7) with ESMTP id s3ELaXVk026798 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=OK) for ; Mon, 14 Apr 
2014 21:36:35 GMT Received: from EX10-MBX-9003.ant.amazon.com ([fe80::b9e5:5388:f95f:c940]) by ex10-hub-31002.ant.amazon.com ([::1]) with mapi id 14.02.0342.003; Mon, 14 Apr 2014 14:36:00 -0700 From: "Berry, Matt" To: "jose@ietf.org" Thread-Topic: Question about minimual unsigned big endian representation of JWK parameters Thread-Index: Ac9YHWea80dDBOI8TBiaYYSO1eTyJQ== Date: Mon, 14 Apr 2014 21:35:59 +0000 Message-ID: <2FE1ED37161DA34CBBDA0E4C0AFEB1DD011A654D@ex10-mbx-9003.ant.amazon.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.184.49.70] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Precedence: Bulk Archived-At: http://mailarchive.ietf.org/arch/msg/jose/mcNtVqIp3venn768j2Z0dHoobgo Subject: [jose] Question about minimual unsigned big endian representation of JWK parameters X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Apr 2014 21:42:21 -0000

Throughout JWA Section 6.3 "Parameters for RSA Keys" the following phrase occurs repeatedly:

> The octet sequence MUST utilize the minimum number of octets to represent the value.

I understand the rationale for such a phrase, which is to minimize the overall size of JWKs. This is a core tenet of the JOSE working group. However I have concerns about the practice of stripping leading zeroes from RSA parameters.

The benefit of stripping these leading zeroes is likely negligible. Consider this RSA key I just generated (included below). The total benefit of stripping the leading zeroes is 5 bytes before base64 encoding.

Although I believe the attempt to reduce the overall size of the JWK is commendable, I think this will introduce more confusion and non-compliance than anything. An example would be Google, who currently does not strip the leading zeroes (or even base64url-encodes).

> https://www.googleapis.com/oauth2/v2/certs

I suggest rewording relevant sections to the following, to allow for the minimum amount of padding octets required to make the keys unambiguous.

> The octet sequence MUST utilize the minimum number of octets to represent the value
> as if it was a signed integer.

Sincerely,
Matt Berry

== The referenced RSA Private key. ==

Generating RSA private key, 2048 bit long modulus
.........................................................+++
..................................+++
e is 65537 (0x10001)
Private-Key: (2048 bit)
modulus:
    00:ba:5c:82:f9:26:34:e3:4b:e3:d2:d4:81:5a:c6:
    ...
publicExponent: 65537 (0x10001)
privateExponent:
    00:9d:23:3c:5c:90:d6:af:81:62:0c:77:9a:ca:cb:
    ...
prime1:
    00:ee:b8:c9:5f:ca:8d:9e:1a:a8:9b:6c:34:2f:c4:
    ...
prime2:
    00:c7:d9:8d:57:17:6c:a4:46:1a:9a:c0:2d:93:da:
    ...
exponent1:
    54:c8:b4:5c:9d:27:e6:fb:38:de:da:73:3e:74:08:
    ...
exponent2:
    00:c7:7f:c6:f6:5f:ad:d6:37:1d:2b:ca:18:35:76:
    ...
coefficient:
    74:a4:07:7c:4f:04:be:40:62:2e:af:ff:37:b5:9d:
    ...
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY----- From nobody Mon Apr 14 14:42:34 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F89D1A0755 for ; Mon, 14 Apr 2014 14:42:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YkF7ykXDtoBI for ; Mon, 14 Apr 2014 14:42:23 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0206.outbound.protection.outlook.com [207.46.163.206]) by ietfa.amsl.com (Postfix) with ESMTP id 01FE21A076A for ; Mon, 14 Apr 2014 14:42:22 -0700 (PDT) Received: from BL2PR03CA017.namprd03.prod.outlook.com (10.141.66.25) by BL2PR03MB548.namprd03.prod.outlook.com (10.141.91.140) with Microsoft SMTP Server (TLS) id 15.0.918.8; Mon, 14 Apr 2014 21:42:12 +0000 Received: from BL2FFO11FD033.protection.gbl (2a01:111:f400:7c09::149) by BL2PR03CA017.outlook.office365.com (2a01:111:e400:c1b::25) with Microsoft SMTP Server (TLS) id 15.0.918.8 via Frontend Transport; Mon, 14 Apr 2014 21:42:13 +0000 Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD033.mail.protection.outlook.com (10.173.161.129) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Mon, 14 Apr 2014 21:42:12 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.03.0181.007; Mon, 14 Apr 2014 21:41:38 +0000 From: Mike Jones To: Jim Schaad , 'Daniel Holth' Thread-Topic: [jose] JSON Web Key (JWK) Thumbprint Specification Thread-Index: Ac9VH+RUhqq5I/+bRIOzExN4Xqv18AC/SfsAAAEg74D////2gIAAA0KAgAAMPAD///6wAA== 
Date: Mon, 14 Apr 2014 21:41:37 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A157F76@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739439A150468@TK5EX14MBXC286.redmond.corp.microsoft.com> <052001cf581d$0cde8800$269b9800$@augustcellars.com> <054501cf5821$8c1dec10$a459c430$@augustcellars.com> <054a01cf5829$4d505f10$e7f11d30$@augustcellars.com> In-Reply-To: <054a01cf5829$4d505f10$e7f11d30$@augustcellars.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.72] Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(6009001)(438001)(13464003)(377454003)(199002)(189002)(24454002)(51704005)(4396001)(2656002)(86612001)(54356999)(50986999)(87936001)(76176999)(86362001)(6806004)(80976001)(23676002)(92566001)(15975445006)(80022001)(66066001)(81542001)(76482001)(55846006)(92726001)(74502001)(74662001)(2009001)(33656001)(31966008)(85806002)(81342001)(50466002)(84676001)(19580405001)(83322001)(15202345003)(85852003)(19580395003)(44976005)(99396002)(46102001)(47776003)(83072002)(79102001)(77982001)(20776003)(6606295002); DIR:OUT; SFP:1101; SCL:1; SRVR:BL2PR03MB548; H:mail.microsoft.com; FPR:EC4EF1F0.ACFA57C2.35F07169.4CF6F741.2043E; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0181F4652A Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/jose/7Iz7TadyVRUH8vGCiQFMYI-XAOs Cc: 'jose' Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification X-BeenThere: jose@ietf.org X-Mailman-Version: 
2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Apr 2014 21:42:25 -0000

If your protocol wants to impose particular algorithm restrictions it can obviously do that. And the key, as transmitted by your protocol, can include, and in fact, can require an "alg" field.

That's separate from the thumbprint value for the key, which is intentionally computed without any of the optional field values, so that its value is invariant both in their presence and in their absence.

                -- Mike

-----Original Message-----
From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Monday, April 14, 2014 2:34 PM
To: 'Daniel Holth'
Cc: Mike Jones; 'jose'
Subject: RE: [jose] JSON Web Key (JWK) Thumbprint Specification

No, it includes the key type not the algorithm. It says this is an RSA key not that this is an RSA key to be used with the RSA-PSS-with-SHA512 algorithm.

> -----Original Message-----
> From: Daniel Holth [mailto:dholth@gmail.com]
> Sent: Monday, April 14, 2014 1:51 PM
> To: Jim Schaad
> Cc: Mike Jones; jose
> Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
>
> The thumbprint includes the algorithm but not the usage restrictions.
> A practical certificate would certainly include "trusted for ..."
> constraints. Simply not having to store the kid since a substitute can
> be computed from the actual key material is advantage enough for me.
>
> On Mon, Apr 14, 2014 at 4:38 PM, Jim Schaad <ietf@augustcellars.com> wrote:
> > I would have problems with that if it did not come with additional
> > restrictions on the key that I might want to additionally state -such as
> > restricting the key to be used with specific algorithms or key usages.
> >
> >> -----Original Message-----
> >> From: Daniel Holth [mailto:dholth@gmail.com]
> >> Sent: Monday, April 14, 2014 1:39 PM
> >> To: Jim Schaad
> >> Cc: Mike Jones; jose
> >> Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
> >>
> >> For me the finger/thumbprint is something you could sign as part of
> >> an "I trust this key" assertion since it is a property of a
> >> specific key rather than an arbitrary association.
> >>
> >> On Mon, Apr 14, 2014 at 4:06 PM, Jim Schaad <ietf@augustcellars.com> wrote:
> >> > What are the practical benefits for this over using the kid parameter?
> >> >
> >> > Jim
> >> >
> >> > From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> >> > Sent: Thursday, April 10, 2014 5:50 PM
> >> > To: jose@ietf.org
> >> > Subject: [jose] JSON Web Key (JWK) Thumbprint Specification
> >> >
> >> > I created a new simple spec that defines a way to create a
> >> > thumbprint of an arbitrary key, based upon its JWK representation.
> >> > The abstract of the spec is:
> >> >
> >> > This specification defines a means of computing a thumbprint value (a.k.a.
> >> > digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509
> >> > Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects.
> >> > This specification also registers the new JSON Web Signature
> >> > (JWS) and JSON Web Encryption (JWE) Header Parameters and the new
> >> > JSON Web Key (JWK) member name jkt (JWK SHA-256 Thumbprint) for
> >> > holding these values.
> >> >
> >> > The desire for this came up in an OpenID Connect context, but it's
> >> > of general applicability, so I decided to submit the spec to
> >> > the JOSE working group. Thanks to James Manger, John Bradley,
> >> > and Nat Sakimura for the discussions that led up to this spec.
> >> >
> >> > The specification is available at:
> >> >
> >> > http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00
> >> >
> >> > An HTML formatted version is also available at:
> >> >
> >> > https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html
> >> >
> >> > -- Mike
> >> >
> >> > P.S. I also posted this notice at
> >> > http://self-issued.info/?p=1213 and as @selfissued.
> >> >
> >> > _______________________________________________
> >> > jose mailing list
> >> > jose@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/jose
> >> >
> >

From nobody Mon Apr 14 14:49:43 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 207BD1A0730 for ; Mon, 14 Apr 2014 14:49:42 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Hw9sUdImGBE for ; Mon, 14 Apr 2014 14:49:39 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0206.outbound.protection.outlook.com [207.46.163.206]) by ietfa.amsl.com (Postfix) with ESMTP id 5EF5E1A06B4 for ; Mon, 14 Apr 2014 14:49:39 -0700 (PDT) Received: from BY2PR03CA030.namprd03.prod.outlook.com (10.242.234.151) by BY2PR03MB553.namprd03.prod.outlook.com (10.141.141.155) with Microsoft SMTP Server (TLS) id 15.0.913.9; Mon, 14 Apr 2014 21:49:35 +0000 Received: from BL2FFO11FD029.protection.gbl (2a01:111:f400:7c09::158) by BY2PR03CA030.outlook.office365.com (2a01:111:e400:2c2c::23) with Microsoft SMTP Server (TLS) id 15.0.908.10 via Frontend Transport; Mon, 14 Apr 2014 21:49:35 +0000 Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD029.mail.protection.outlook.com (10.173.160.69) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Mon, 14 Apr 2014 21:49:34 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by
TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.03.0174.002; Mon, 14 Apr 2014 21:48:43 +0000 From: Mike Jones To: "Berry, Matt" , "jose@ietf.org" Thread-Topic: Question about minimual unsigned big endian representation of JWK parameters Thread-Index: Ac9YHWea80dDBOI8TBiaYYSO1eTyJQADWBjg Date: Mon, 14 Apr 2014 21:48:42 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A15801E@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <2FE1ED37161DA34CBBDA0E4C0AFEB1DD011A654D@ex10-mbx-9003.ant.amazon.com> In-Reply-To: <2FE1ED37161DA34CBBDA0E4C0AFEB1DD011A654D@ex10-mbx-9003.ant.amazon.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.72] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(6009001)(438001)(13464003)(377454003)(199002)(189002)(46406003)(19580395003)(50466002)(2009001)(19580405001)(81542001)(97756001)(46102001)(31966008)(92566001)(4396001)(99396002)(44976005)(6806004)(23726002)(66066001)(20776003)(47776003)(74502001)(76482001)(81342001)(80022001)(2656002)(80976001)(86362001)(77982001)(54356999)(55846006)(83322001)(86612001)(85806002)(79102001)(74662001)(76176999)(87936001)(92726001)(50986999)(84676001)(33656001)(15975445006)(85852003)(83072002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB553; H:mail.microsoft.com; FPR:307CF1CC.AEF74792.70D5B947.C6CA1C78.2044F; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0181F4652A Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: 
http://mailarchive.ietf.org/arch/msg/jose/YGM5H64N9Polg3GBnzsfTRVBpi4 Subject: Re: [jose] Question about minimual unsigned big endian representation of JWK parameters X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Apr 2014 21:49:42 -0000

According to a crypto expert who spoke up at an in-person JOSE meeting when this was discussed (I think it was Russ Housley), the high-order bit of a correctly formed RSA mantissa must always be 1. (If it weren't then the key pair would contain less than the required number of bits of information.) Thus, there are no leading zeroes to strip, for what it's worth.

Also the value is unsigned, not signed.

Best wishes,
-- Mike

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Berry, Matt
Sent: Monday, April 14, 2014 2:36 PM
To: jose@ietf.org
Subject: [jose] Question about minimual unsigned big endian representation of JWK parameters

Throughout JWA Section 6.3 "Parameters for RSA Keys" the following phrase occurs repeatedly:

> The octet sequence MUST utilize the minimum number of octets to represent the value.

I understand the rationale for such a phrase, which is to minimize the overall size of JWKs. This is a core tenet of the JOSE working group. However I have concerns about the practice of stripping leading zeroes from RSA parameters.

The benefit of stripping these leading zeroes is likely negligible. Consider this RSA key I just generated (included below). The total benefit of stripping the leading zeroes is 5 bytes before base64 encoding.

Although I believe the attempt to reduce the overall size of the JWK is commendable, I think this will introduce more confusion and non-compliance than anything. An example would be Google, who currently does not strip the leading zeroes (or even base64url-encodes).

> https://www.googleapis.com/oauth2/v2/certs

I suggest rewording relevant sections to the following, to allow for the minimum amount of padding octets required to make the keys unambiguous.

> The octet sequence MUST utilize the minimum number of octets to
> represent the value as if it was a signed integer.

Sincerely,
Matt Berry

== The referenced RSA Private key. ==

Generating RSA private key, 2048 bit long modulus
.........................................................+++
..................................+++
e is 65537 (0x10001)
Private-Key: (2048 bit)
modulus:
    00:ba:5c:82:f9:26:34:e3:4b:e3:d2:d4:81:5a:c6:
    ...
publicExponent: 65537 (0x10001)
privateExponent:
    00:9d:23:3c:5c:90:d6:af:81:62:0c:77:9a:ca:cb:
    ...
prime1:
    00:ee:b8:c9:5f:ca:8d:9e:1a:a8:9b:6c:34:2f:c4:
    ...
prime2:
    00:c7:d9:8d:57:17:6c:a4:46:1a:9a:c0:2d:93:da:
    ...
exponent1:
    54:c8:b4:5c:9d:27:e6:fb:38:de:da:73:3e:74:08:
    ...
exponent2:
    00:c7:7f:c6:f6:5f:ad:d6:37:1d:2b:ca:18:35:76:
    ...
coefficient:
    74:a4:07:7c:4f:04:be:40:62:2e:af:ff:37:b5:9d:
    ...
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY----- _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose From nobody Mon Apr 14 15:04:15 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63BB61A06F0 for ; Mon, 14 Apr 2014 15:04:11 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SFSvoB9ahtLl for ; Mon, 14 Apr 2014 15:04:06 -0700 (PDT) Received: from mail-qa0-f41.google.com (mail-qa0-f41.google.com [209.85.216.41]) by ietfa.amsl.com (Postfix) with ESMTP id E9BFF1A069D for ; Mon, 14 Apr 2014 15:04:05 -0700 (PDT) Received: by mail-qa0-f41.google.com with SMTP id j5so8723056qaq.28 for ; Mon, 14 Apr 2014 15:04:03 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=PjNE2lwu4segw4a4W6T9oMiMR0xj/YkggGkTCx6xKrU=; b=JQZom3XGlNtJEKLDCDnNeZhrQ8YxWyXoO4A/aiomFWliGlk8Zc3yBS5y6/nvpVoCqH DM4xD6K4pFePbY2ZsFITy3HzkR8ekgmQPJXjMKaknBZFFi3nggK8Ev9w5klSDszuR1pd H+MB7urQHKOmn2UpQqJgpDQ5aOIHsQhlQDQgeSHOG0QjuWmcAFyScxzKk7Hfp7ovmr+1 chUtCY3Yzj1YY+wrxV/++yLUup0tTYFiNKaaCXYXno04dmQu8LiBhTBCykPL28p9xJs6 RYwZ/3BuEE0aXTSGlZhzMh7BOTDjqQvahcORiHWH75h9Ruxvb33lvCKyXfNzDBWav6lF fMbA== X-Gm-Message-State: ALoCoQkFjRxjl6jRQeNlHoxpxCtYZ/XRPHw/xDSODiNlyxeE8VcYioqN/nlEvS4hAYBakkN1y4El X-Received: by 10.224.152.11 with SMTP id e11mr23629895qaw.68.1397513043027; Mon, 14 Apr 2014 15:04:03 -0700 (PDT) Received: from [192.168.1.216] 
([190.22.109.124]) by mx.google.com with ESMTPSA id a6sm3006045qaj.15.2014.04.14.15.04.00 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 14 Apr 2014 15:04:02 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_60ADA9AA-3E71-4110-975A-CD7A3F2F5442" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: <054b01cf5829$cf5c2660$6e147320$@augustcellars.com> Date: Mon, 14 Apr 2014 19:03:56 -0300 Message-Id: References: <4E1F6AAD24975D4BA5B16804296739439A150468@TK5EX14MBXC286.redmond.corp.microsoft.com> <052001cf581d$0cde8800$269b9800$@augustcellars.com> <8AC99548-ED07-49D6-939A-D49EACD3DCD4@ve7jtb.com> <054b01cf5829$cf5c2660$6e147320$@augustcellars.com> To: Jim Schaad X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/jose/xYBZoySLKjTiu-uwpEZA55tCaow Cc: Michael Jones , jose@ietf.org Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Apr 2014 22:04:11 -0000

--Apple-Mail=_60ADA9AA-3E71-4110-975A-CD7A3F2F5442 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252

The problem with doing that is that we then have to have structured kid values or another field to say what method was used to compute the kid.

It is simpler to have a separate claim for a well known thumbprint method. Other claims for other methods could also be defined.

Having a well understood method that is resistant to bit stealing and other sorts of attacks is a good thing, rather than applications rolling their own.

John B.

On Apr 14, 2014, at 6:37 PM, Jim Schaad wrote:

> And to me all this sounds like is that there should be a document which says – this is one way to compute a kid value and then let the application say that this will be the way to do it. Much like how SPKIs are done for X.509 certificates today.
>
> Jim
>
> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> Sent: Monday, April 14, 2014 2:02 PM
> To: Jim Schaad
> Cc: Michael Jones; jose@ietf.org
> Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
>
> kid is just a name for a key. The thumbprint is a way to refer to a key in a signed message without having to send the entire key.
> This is useful in OpenID Connect for calculating a synthetic subject based on the public key of a self signed JWT.
>
> It is also useful in proof of possession scenarios where it may be sufficient to include a hash of the public key needed for the proof in the assertion rather than the whole key each time.
>
> The problem with kid is that in the PoP case you would need an out of band way to transfer the key sort of defeating the benefit of stateless tokens.
>
> So it is a sort of kid but one that is unique to a given key in a collision resistant way.
>
> John B.
>
> On Apr 14, 2014, at 5:06 PM, Jim Schaad wrote:
>
> What are the practical benefits for this over using the kid parameter?
>
> Jim
>
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Thursday, April 10, 2014 5:50 PM
> To: jose@ietf.org
> Subject: [jose] JSON Web Key (JWK) Thumbprint Specification
>
> I created a new simple spec that defines a way to create a thumbprint of an arbitrary key, based upon its JWK representation. The abstract of the spec is:
>
> This specification defines a means of computing a thumbprint value (a.k.a. digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509 Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects. This specification also registers the new JSON Web Signature (JWS) and JSON Web Encryption (JWE) Header Parameters and the new JSON Web Key (JWK) member name jkt (JWK SHA-256 Thumbprint) for holding these values.
>
> The desire for this came up in an OpenID Connect context, but it’s of general applicability, so I decided to submit the spec to the JOSE working group. Thanks to James Manger, John Bradley, and Nat Sakimura for the discussions that led up to this spec.
>
> The specification is available at:
> · http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00
>
> An HTML formatted version is also available at:
> · https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html
>
> -- Mike
>
> P.S. I also posted this notice at http://self-issued.info/?p=1213 and as @selfissued.
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

--Apple-Mail=_60ADA9AA-3E71-4110-975A-CD7A3F2F5442 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 The problem with doing that is that we then have to have structured kid values or another field to say what method was used to compute the kid.


From: "Berry, Matt"
To: "jose@ietf.org"
Date: Mon, 14 Apr 2014 22:52:40 +0000
Subject: Re: [jose] Question about minimual unsigned big endian representation of JWK parameters
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/XHWKyX8B-FhCCF5qkK0ZeNSaF34

I wholly agree that the value is both unsigned and should have a one in the highest bit. The trick of it is, when working with unsigned integers, there is a tendency to put an extra zero byte in front so it is not incorrectly interpreted by signed libraries. This was the point in adding the OpenSSL output. These are unsigned values, but OpenSSL still adds a zero to any value with a one in the highest bit.

Although the minimal unsigned representation of a 1024 bit RSA modulus is always 1024 bits, many libraries will encode either 1024 bits or 1032 bits in the case that the highest byte is 8 through f. I argue that following suit costs only a few bytes and that consistency trumps efficiency in this case. It will also reduce the number of accidentally incorrect JWKs found in the wild. If an implementer doesn't carefully read and implement the spec, they will likely encode 1032 bits in some cases, an example of which is Google.

> modulus:
> 00:ba:5c:82:f9:26:34:e3:4b:e3:d2:d4:81:5a:c6:

> https://www.googleapis.com/oauth2/v2/certs

-Matt

-----Original Message-----
From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Monday, April 14, 2014 2:49 PM
To: Berry, Matt; jose@ietf.org
Subject: RE: Question about minimual unsigned big endian representation of JWK parameters

According to a crypto expert who spoke up at an in-person JOSE meeting when this was discussed (I think it was Russ Housley), the high-order bit of a correctly formed RSA mantissa must always be 1. (If it weren't then the key pair would contain less than the required number of bits of information.) Thus, there are no leading zeroes to strip, for what it's worth.

Also the value is unsigned, not signed.

Best wishes,
-- Mike

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Berry, Matt
Sent: Monday, April 14, 2014 2:36 PM
To: jose@ietf.org
Subject: [jose] Question about minimual unsigned big endian representation of JWK parameters

Throughout JWA Section 6.3 "Parameters for RSA Keys" the following phrase occurs repeatedly:

> The octet sequence MUST utilize the minimum number of octets to represent the value.

I understand the rationale for such a phrase, which is to minimize the overall size of JWKs.
This is a core tenet of the JOSE working group. However I have concerns about the practice of stripping leading zeroes from RSA parameters.

The benefit of stripping these leading zeroes is likely negligible. Consider this RSA key I just generated (included below). The total benefit of stripping the leading zeroes is 5 bytes before base64 encoding.

Although I believe the attempt to reduce the overall size of the JWK is commendable, I think this will introduce more confusion and non-compliance than anything. An example would be Google, who currently does not strip the leading zeroes (or even base64url-encode).

> https://www.googleapis.com/oauth2/v2/certs

I suggest rewording relevant sections to the following, to allow for the minimum amount of padding octets required to make the keys unambiguous.

> The octet sequence MUST utilize the minimum number of octets to
> represent the value as if it was a signed integer.

Sincerely,
Matt Berry

== The referenced RSA Private key. ==

Generating RSA private key, 2048 bit long modulus
.........................................................+++
..................................+++
e is 65537 (0x10001)
Private-Key: (2048 bit)
modulus:
    00:ba:5c:82:f9:26:34:e3:4b:e3:d2:d4:81:5a:c6:
    ...
publicExponent: 65537 (0x10001)
privateExponent:
    00:9d:23:3c:5c:90:d6:af:81:62:0c:77:9a:ca:cb:
    ...
prime1:
    00:ee:b8:c9:5f:ca:8d:9e:1a:a8:9b:6c:34:2f:c4:
    ...
prime2:
    00:c7:d9:8d:57:17:6c:a4:46:1a:9a:c0:2d:93:da:
    ...
exponent1:
    54:c8:b4:5c:9d:27:e6:fb:38:de:da:73:3e:74:08:
    ...
exponent2:
    00:c7:7f:c6:f6:5f:ad:d6:37:1d:2b:ca:18:35:76:
    ...
coefficient:
    74:a4:07:7c:4f:04:be:40:62:2e:af:ff:37:b5:9d:
    ...
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
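
Added example (not code from any poster in this thread or from the JOSE drafts): the two encodings argued over in the message above, a check that flags the extra leading zero octet, and the effect on a key thumbprint of the kind discussed in the JWK Thumbprint thread. The function names and the sample modulus are constructed for illustration; the thumbprint input uses the sorted, whitespace-free member form later published as RFC 7638, which is an assumption relative to draft -00.

```python
import base64
import hashlib
import json


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, the form JOSE uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def minimal_unsigned(value: int) -> bytes:
    """Big-endian octets with no leading zero octet (the JWA wording quoted above)."""
    if value < 0:
        raise ValueError("JWK integers are unsigned")
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")


def signed_style(value: int) -> bytes:
    """Prepend 0x00 when the top bit is set, as in the OpenSSL dump above."""
    raw = minimal_unsigned(value)
    return b"\x00" + raw if raw[0] & 0x80 else raw


def check_jwk_integer(b64: str):
    """Return (value, is_minimal, canonical_b64) for one JWK integer member."""
    octets = b64url_decode(b64)
    if not octets:
        raise ValueError("empty integer encoding")
    value = int.from_bytes(octets, "big")
    minimal = minimal_unsigned(value)
    return value, octets == minimal, b64url_encode(minimal)


def normalize_rsa_public_jwk(jwk: dict):
    """Re-encode n and e minimally; report which members were not minimal."""
    fixed, non_minimal = dict(jwk), []
    for member in ("n", "e"):
        _, is_minimal, canonical = check_jwk_integer(jwk[member])
        if not is_minimal:
            non_minimal.append(member)
        fixed[member] = canonical
    return fixed, non_minimal


def rsa_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required RSA members, sorted, no whitespace (RFC 7638 form)."""
    required = {name: jwk[name] for name in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


# Constructed 1024-bit value with the top bit set; not a real RSA modulus.
SAMPLE_N = int.from_bytes(b"\xba" + bytes(range(1, 128)), "big")
SAMPLE_E = 65537

# The same key material, once per encoding convention.
MINIMAL_JWK = {"kty": "RSA",
               "e": b64url_encode(minimal_unsigned(SAMPLE_E)),
               "n": b64url_encode(minimal_unsigned(SAMPLE_N))}
PADDED_JWK = {"kty": "RSA",
              "e": b64url_encode(signed_style(SAMPLE_E)),
              "n": b64url_encode(signed_style(SAMPLE_N))}

if __name__ == "__main__":
    for label, jwk in (("minimal", MINIMAL_JWK), ("padded", PADDED_JWK)):
        octets = len(b64url_decode(jwk["n"]))
        print(f"{label:8} n = {octets} octets ({octets * 8} bits), "
              f"thumbprint {rsa_thumbprint(jwk)}")
    fixed, flagged = normalize_rsa_public_jwk(PADDED_JWK)
    print("non-minimal members:", flagged)
    print("thumbprints match after normalizing:",
          rsa_thumbprint(fixed) == rsa_thumbprint(MINIMAL_JWK))
```

A verifier that compares thumbprints or raw JWK strings sees the padded and minimal forms as two different keys, so normalize integer members before hashing or comparing them.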

From: Matias Woloski
To: "jose@ietf.org"
Date: Mon, 14 Apr 2014 19:53:54 -0300
Subject: [jose] jwt.io
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/WHoSZrkS9hHT81w6JPz_07ml2ro

Hi guys,

I wanted to share with you this little tool that we've built to "debug" JSON Web Tokens: jwt.io.
It's built on top of jwtjs from Kenji Urushima and it's focused on being an interactive and educational tool.

There is also a list of curated libraries that we've been using at Auth0 to sign/verify JWT. This whole site is work in progress and it's completely OSS https://github.com/jsonwebtoken/jsonwebtoken.github.io

Hope you find it useful.

Matias
BneeBp5YLgHFnJaDwJ5n6/IMwNbpc6VzJo+pw249I1PWs6DQyGLzehbY5igdyYLtymlwbfVgy/SM Dgh4+xrski7oOKt1lrV68EsRV2qn2mYNsLft0LoMt0GpXmw/tSHcBnkTKfe4DTz7oKCSDfSDCPwv NP7fWfeZNUP67Opq+mM154bcB7q+vXEfrA6SaXW18ga3QZc5VP5S29aMtA1rAvU1bBYb7EYbythg 9WjZoH70bBBybY3Tjj1pg8Fz2mjYoL56G6x+g21QP0wb1IsN6gN1HWKD3bznuA3Qp1MA+Crl3x1u osBjTRTYLoO2/wS27wG7v0MKeg/4XWwZNP8StABgISGh3QLAbx0GAK70/1/7/u9/mUHuf9jy5x+Y 5c84KB6h+AJfgTSM6mkAkqWvDmfpXU6ztBVBCqZRQCXraSCSJR4AMX4+S2CS9g1w8krLYT361Y8G e3kT7fQgQ+DQo4ghXTfAicBNNqPTZ7HOjK6bgJaWIW+3uOQV6/SwDWa5sP24FC75VSAM5Sd5sIxM RgMrLFfJn81roEZRxlxWA9asBqIIGjMsCktLbLMaWGKdCD4zGY/0kcnpiCyBRJU2S21AUJiBbBbr zJDOUM8oBwI3z8hHgNrT12jJL6bDZc7WBgTisiSzP0wbUGTU2MAzNrBA0drAK9kgNwA28XqoDTzK kzM2oKXVjg18a5u8sYFpB76Ty22QwfLy5hqzgRdiA8/YwAuzQa4aG+RNX9bgOYv1lWzgl2yQzWob 5HMBNkAZcsYGXn6IDbBf+xnXBlnzICSrH06UbJDR/YDbwLM2yFIbwm1g+kAO2+vawNO2wXvBtUE2 Q+UMsQH2k3wFG+SMDfxc6QFGoA18a4Ms2YDGELKBljFLNtAPrbKZcjbIDbUB9j2rM2MDvWpA2yCb szbImYc4xgb5kdtA213bgHTmlbeBfSBEqyLo+wPMBllmA1tebrANdDnGjl6O5BqwQS7QBr6xgWdf A6lkA5/dB5ls6aGcfoCWp5Uc2WzefKDO3Nee0S2zgWdtmXNskNU2sCtSvFywDbANQ2yQd23gD7YB pjPjum9s4PshNqCxPs9s4JENyA4kA5bnU73WBr61AY2njg18rWOaGwfZwMgSaoPsYBtgmcYGur97 5oGmZzhPK2yyWfPKSRU28IwNcDzVNsgOskHW2MDO9znHBqX7Cu9zZgMsP8gG9hqNuTl9H2YcG+TM g+ZMyQY5ZoMss4GxvZnjwm2gH5JmSzbImwfanraBZ21gvhHBbeAZG9jxNMAG+lUjbgOf5uectUHW p3p9z44LWWaDXBU2yDEbeKE2yOT03xYGbOAZG5g5TW2DbIDpPvjBD16j/Lufm5V+fBm0/Rq0+zsk FwB/cEz4h7DKAWD5EJaQkNCoAeB3VADAHzKD1kFjBv7/6/7+yF3+fJgZHC/MetqRQKc+YyYHPeno gR0nHgJKWT3BeOYanrMASk9iOi3lN+m1k+vRhOiZCc9OnnrS0WXqdBqgoqOvZfJMeZ52/nFrgDhO cnjORmQpT9bs26irZ2QugRY9YVF9Gb2k2St9oVgvncYJM28cmryXK32RmBy3nH1v1xu0XDpnJuRB y4TNEuO8fe/VvqNqgL6OgnrmPVb98Si9DDlfimDmzeSn85n3dNm7ubmcbi8BB/sAwX692QDZnIkC 6zaY92xNZLn0Dq19p9dGpn2zhJm/X2yiwjl/4P1bcpKpvVZ+r/SesG+WY9v3qW17aJm3/RK1jURX aQN/iA3ywTbI744NcvohjWODXJAN8mzJvG/eUzZtKL3TPBwb5Bwb5L1Sm7UNzBJx374z7Q9E4Uvy +6Xl5HZJfOl97xAb5CrZwPavQBvkRmYD83BHv+ut3wXXbSgE2CA3YAM/P9QGPrNBfjRsMNA38nvI 
Bl6pXQagGxt45iFgzgCovAFwAzbwh9rAL2MDu5LC1BV4H+Td+6CyDXLDsEE+x5x8ZgN7PyGIy5ny 7XcPSm1kNvB81wZ+gA1yAzbI6TF1kA1Kbc8N2KCQK42drg38ITYY6B9ekA1sHfbr/Xndx/TqFdcG nm5r4FhUMG3Ol8YVPp7mTV+qzgZ5o+vdsEHBK82X3Aa2z7k2sH8A8GkuKG8D/cHEfOnXeqU5raRT awPfsUHOscHg+ziXz7EVR2Y1lWuD3IANcoHzgbZBLj/UBvo7Ido/IYBu/Ios+UXm4YwB2llPP9Qg 3yfjlR6eZcyDDMyTzaQNiM+QL6Qfchu/CH0ddd76XL55yJ214NvURXUbYK8A8LXKvzvSRIHtMujv mpWA9ndIXxgz8B6w+yEsBMD2Q1gCgIWEhN5wAPwvIQDYfgHa/QCWff+Xf/35UDMo4uD4BwSd9ESR IhE6ooIDeCadU4NyToNFA2QJVNJxhqIWBDQzWQNwzQDt6UkEI2BpAtY4Mah988Q9nfYMYMWBOq0H 85w6rxifklIdflqDYaw/qyODGsSmNZA1k0E6oyeVNE4e9HQ9Q23A/UwaZUP51XHaM9G/jJ4kVNlP P/MM1NbWQl1NHUyZUgM1dTVQO2UKTMFzdbUwta5OHU+lXybV1E1RW5Wmppa2U8y2VqXDMmpV3pqp WIbaV+nr1Lma2im0raW0tbRfV1dj9tXWpKFy1DGdU/lLrNJNUfXX1iDXUD01tr4pOv2UOqyrTteB 57GMGl12HV7DttXUkUy1U9S+qg/TTJmC6WtM3VO0HpT8UxRTWmqTkQ3bX1NLbcU6KX2NaYtKh7qg Mmum0Lla0w5MP2VKnZEfZa41+qqh9mgd1Q7TBrUhNqgZsMHUIBvoNmCZ2E5uA2zPFKNf3B9kg1pm g1pug5pBNqgt2aCmZAPbhkE2qAm3QZ3pR2SD2qE20Me6H5GcxgZTyAY1VFaQDUh3ZIO6QBvUlrFB 7R61Qc0QG9RVYwOsk3TObTCVdFaH94yVg9lgam0dyW9lmGLuO7JBTQ27BwNsQHodsEENlcdsUDvY BjWDbFBXwQa1JHOtuRfwXtY2qCUb1Dg2wH5EdTC5SzaoHbBBbYANasvYoHa0bVBTzgZTK9igrnob UH+sK9mgpmSDGjM+oR7qzHiqtlOMDUyfrTFtqTV1WxvUWBvUTCmNUdoGeP9aG9QNskFt7fBsQPdy 3UC7df0DYxH2oxojY/U2qNt7NqgNskHdIBtMDbWBntPq6gbmgAEbYFlTw21QM2ADsodjgxo7R9Va G9TQ2FZbxgZW/7V1dhytLdnA3qt27rVz2tSp02Bdw1ryg8ivID9Kr+YgQKz8jnTGRPvVtXTWPHDD QAP6OYoRAKdpVVSW/KKM8U0wDz38Rz8nlyn5Xlh+OmOCASZIkLPpMjoynKbyM3DAAQdcr/y7XzjL oL8/ZvB7wEEfwkJf8sNlAPA/CwAWEhLaUwD4bRUAsP0AlguAgz6A9TUGgL9vBsFDzfJnHBwvyqTN cjwEj5lM6SlmFs/TIK4GVQVUMeqapieVOEin9aCNTxszOppLQJjAKA7+GR2lzWRLoJiixRkNrhHI ZtSA79nraTNJYL6srkufM9HdjAWuGhh7CIQznnnaatKqczQxoFxGPi8zIDfKRsuLFChf/NIiei/0 9ddfByEhISEhISGhaunll1+GppZmSCSS2rfImCiu8YPowb032C/SfozyqdJ2BZ1Xihijj0S+S6+O KlswnLU+DPlgGfJ19Aq4NKXJGp8sm05TEIIAsqpLAeAblH93lFnp91Pz6pt9DxgBsP0fsPshrAMD APB7KwDgtwkAFhIS2psAOOgXSJ8eM/ABLAuADzaDnn3/92dmUMTB8WJapkNPIDW4pME4q4EoDcR4 
vjdr9tV5NfDqwVwP8L004GboaSYt3cH9XhyQe9Wgrd+JRECa9tXAT+8s9VKeAVBqADJOFH5GR4rT +ulpJq2XLqMMuJ/BDxoR4O7V74zZ95GMbGmvV7+PaOS0wNrv1WA726uXOb246EUBv0JCQkJCQkIj IvQ7UgoAZ3s98pfSnvafEICiP4U+EQFbz7xvjv5Ib1r7OLhKjSLAWfKLMpleU4an/SXzWlkWfSFP +0XkI5mgBAYH9MN/HfHN4tbTZSAoVgD4RuXf/dL4eoeZV9/wFbjvOACYfwjLBcD7m0CLAGAhIaE3 JQC2v0AK+gL0181gZz+A9RMGgHFw/CMO1BR5zegtglscjGkQRtCJADhtQW0Geil6q7i3l47Tvfo6 ldOrt5m0LSutB/aMfpqJefF8rzrfS+mz5hrWlSFgnOnV4BiPs2kNzNM9vRqgq0kA8/X0ZrRcWc9E rs3HIzA9gXmcHHSetHlimqE8+t2aFxe9JLO3kJCQkJDQPkD4wBqjrq+99tpeqS8SidDvhPr6+kLT 4HvAiVhC+x3Kt0G/RvtFae2v9OqILPpIvb0mgmtWqOHD+66urtJxL73S1Uv+TW/aLIumvMaPom3W +GTaX8Myyf/K6Pp68Hy6l64bAPwr86qb/R0SAuDvjtEfwsJvw/AvQX9mzNBfIQkAFhISelMA4HdV CYA/ZwY1C4DtF6D5B7CONIPjpT29PQREsybq20ODuVl6k9UgGIFpLJ6ERCJFg3yaAG9Gp/V6aXkO AVv6kJUagBVgxcFfA17zNBO3PbrsXgK2vTRY04BvosY0sCMQVjLR1iwL8rJ68vDMQN+r6mhuaYWr rroKjjrqKDjmN7+BSRMnQSKVUuC4F66++hrTHo8mCiy7hyLAafpY1ktLhgLghoYGmDlzZomnTZtG /7oVEhISEhISeuNo586d0NPTUxUA3rVrF6xcuRIeeeQRmDx5Mv0jd9u2bVXXhfnvu+9+2LRpE/2P OBQA53IQVz4RgtPetH6wjw/Ze+ghfi/5OuSv0Go35Xv0aFCMPgl+fK65pQWyGLXtRR8rayK7Om1v IgaZWBdkYxHwiNV+vEttOyGTiCpOmo9q6QBCT6ZHP/Cn4AJFgG9W/t3RYwbeA+YfwuIAGL8V8/kq AfC7AgDwPwgAFhIS2hMAGAea/2cGHfsP4PeaQakSAOa/QPquAcCHGAD8CwOAL+tJ9dKTRwSOaQU8 exUo7VEDcY95aonX5jz1FBx55JFw0oknEhBNY1qKytooK0Zle+g8AlqK+lJ5+jidVuXiPnGGlkE/ 99zzMPeFedDV2UGgGdMi6O1hTzbTBhyne9Lmyaiu955774Gf//znxL/73e/gNwoA/+ywn8ExxxwD l156KXznO9/RExJFpFV7VP26fXp50JKXlg55urxy5Sra/+tfX1P8V/rZ/MaNGxXoT4ROgH99ZQdM vqcOel8Z6WPtV2HppPvgufWeeDhCQkJCQkIObd++HWKxGAHOSoQ+xvTp02HWrFmwZs0aerA9e/Zs +ihkubmcE64swzw7duxQ+aaGgm4NgBPkr5Cf05PWPo/xfXSU1vg++MCfHvTrB//4ZenV9SspnfZN DFju0cGEdRd+CdJnvwWy44Zy+py3wPIzPm0CBujf4EP+NPk6vSaosP/++99iAPBRBgAfagAwfgwV /wpif4VUDQB+n/E9LQD+f8Y3FQAsJCT0hgDg/c0g9eExQ/8BHASAf2QA8OEGAOPgeFlKDbgpAq/4 BDEFSbXFcz29SYryvrhgARx++OFwogK/9957r1m+nKKBuqc3BalUio4RSPdQBDaly0upgb9HAU+1 TREATukBXm3x/eCGtQ1QX78K5s6dC7FkHHpTOEEkCeAimMa8qd60HtzxHILgVBqefupp+NnPfgZn 
nHkmvPTSS5AvFGgieuihh+Ckk06CE044Hn7729/qSacnpctD2VSdqR79tWtc2uQC4OXLV9D+K6+8 QowAGJdcrVixgn7rEER/2VGEEw49HzpervD0uq8H7rhnOgxJ9vrL8NCxP4dbF8TFyxESEhISEmKE c3BnZyd0dHRQFLgcvfrqqzBnzhx47LHHKF9pnv7LX+C5556jVV1BZdjl1Rj5RW5qaoKWlha69vjj T1D99hovF3+plEgmyTdB/6LH+hu96Guk6Bh9ol51Lqn8KfRp0uYYV5ehH0K+VG+KfJ4M+Uj69bP1 dRdB7J73QeL+9w7h2D3/Ci01F+rXxpSPlEqZJdLk82TI9zIA+NcGAB9hAPDYCgDY/RfwAQEA+J0C gIWEhN4sAPgjBgB/0gHAXzGD3LcYAD7UBcA0SNNTShyczSCeQrDZQ5PJr3/9awK/Dz74ECQSPXrQ TesPWfWk9XsvqV4z2GM5KR3BxX1csoSDfdo+nezJmHeL1bVkD6xd0wDLly2DufPmqkmmQ+cjkIyR XgTiPeYJqgblOMhffvnlcLwCuQtfXEhLmvEaRnjvvfc+OO200+Dss8+GY489VuXPEADu6dHgF+VI 4fs5GQ+WLV02ZAJctmyZWf70spokd1H0d8mSpcT4ywOMCrv02qu7YPasZyGZj8OcuUt0/mwHTLhy CuR2/gVe3bkVnpy7FNY+fRvs/5FvwV0P3gubUmxZ9et/gbXPzYCVnUU6LCZb4forL4aLL7sSGrt9 8X6EhISEhP4uCefceDxOS5Gj0SiBTwS5YRHZ/v5+WvKMfodL+GuiCRMmkG/hUnd3NyxcuBAaGtZS xLixsYmiv0gIVNeta6Rza9euhYkTJ1E9SPj/5WQiqXwTDXoxKJCi1XC99JpWRJV7yy03Q0trC9x0 883K31mr/RXFxUKRfBj0XfDhf2kFXkoHF/Cfx1h3oViEomLa9ilW54rFAv1qEtuC4Bfzop/Ta6LB IQD4pw4Axr+DfDUEANt/AQsAFhIS2qcA8OcDAPD3xgz+BdJRZnC8PIVPMBUYTSYRZCY1UFT7K1eu gJ8fcQSceuqpcNZZZ1EU+Otf/zp8+ctfLvFXvvIVmDlzBj3Z7DVlIHBOYNS3V0eEk+mUKmsZzJwx E2bYd2ynz4Ann3gCFsxfoCaXtbBq1QqYP3+ezp9UEwBOKsleii6n0kl1vpeiyvjhK5TnhBNO0OC6 N0V1T5o0CX7/+9/DxRdfDJdccgmcO26cjgCnVF4FgnFLke6k/kDX0sVLhgBgfNcHJ1ac+DjjhIv/ QsSo8JAnzttzcOQ3fwwr45vhu58+HHpeex1WTzgO3vHeD8HctiykNzwLvznrdlg3ezz868e/CxNq Z0BHDwfAO+GmI74Pp0zbBK9t3Qw/3u/d8Ifra2HWXX+C971tLGzZ/pp4QUJCQkJCf1eEczLO/wh+ OW/ZsqUETl1CwPjAAw8QcMbVYfgOMPJTTz1F5eE1XErt0ubNm+GFF+bSXF+OEIjiu8F2KTYuY04o f0X7KkkCrylcRYcR4ZRe8Yb/DsYH808ofwdf12rv6FBpexWgzcPceS9QxBgDCGl6yK8jyLiceeHF P4H2X7wVOn45lNuPeivMu/AnelVbr16Jl6CVbjpogHUrAHyr8u+OGTPwJWj7KyT7L2AOgP9TALCQ kNDfHQCmD0fhwJnUy5lTaj+pePmypXDyySfDOeecQ4z7GAnmfPzxv6Ofy/cgwERGEJ1MqPwYeU0S mMXBfsWyFbB4yWJYqsrE6OuSZctg+fKlBLLxZ/INCgTjeQTgOAkkUwm9nJqVm+xJ0JPTM888gyK8 SVVPPNFDkwe+80Ifg8DfLpn/6lFbVP0IqnsQ5FM5SXovZ+nS5UMm28UKFCMA3rp12yBG4Pvoo1PK 
AOAjoLWwDY497GCY1JSBS395Ehx19E/gxplLYMEdv4ZbZy6D/lQzfGPsaTBk8RUDwImFt8Kn/utX kN31Grz+ShHO/P5X4cI5neIJCQkJCQn9XRFGWTH6i9FZBL0Iftvb28t+lXnr1q0EeDGfSwhGJ06c SFuXcIk0LnmeNetxqs8l9AtaWlrpvWKMRFvCV6OSiQT5GT3KZ0mldCQ2qfyMFL0KlqRXyM477zxY sGA+nHvuudDW1kIP7Qv5In0DBdMmUkl6oJ/EcnoSFCXecMshkLnpLZC9bSinb3orNF7zf1ROgh7u W38pRfv4b+L3v18AsJCQkADgsgA4mYgTYMVBPIGDuBrQk/EeWsozY/oMBTjPhNNPP50+ClEoFKG/ r6gmIcXFfugvFunDDhqopiCuQCkC2AQN6gl67yWZStL/6vI5H/JZH/xcHjzfp3/oNTa1wKpVq2CZ AsidXV0qfUJHo+M4maj9RFJPEFSekimVgSuvvBJ++ctfEqBOJuMaMONWXW/f0q4msAik8IvVBMaT NKnQhERtTNAvm5YvHxoBfumlRTTRFVW7OOOyq0mTJpcFwOu3/xWeP+M4+MAF4+GHp14PHesfh5PP HQfnfPATsKK7D/pSjfD1sSfD9oEahwDg2Lwb4T++cB4U/4Iz7g648SffgrMe2yKekJCQkJDQ3yXh e7f4Di5GaX2//GtBCGSfffZZ+ggWfvUZ53VkfO8Xo8B4HssLI/zYFn5LxF1ijf4DRnDd16AIAJsH 69oHUn5IIkUP7XuU37FFAfbTTj0VmluaaRXd6tWrIdmTJH8LI8Dz5s+n6G1PImX8G+WrxLUvhkue d+7YQbxjJ65G2zlwrBh9MfSx4gicExi0UH6c2o/3aN/p/e9/vwBgISEhAcBll0DjwJ1I0vu9+JVE it4iYEyk6EvQc+bMJhCMUdeJkybRgE9pU0nDKXoKmsCILA6+CDoTGmzi8iC8ljRAlNKYyWLFylWw ePEiigJ3RTpLQBbBbpyAL8+vWAF1BMcIxE888QQC5S+++CLJjE98H5n8CPz0pz+Fa6+7Tk8mCQ16 kwaMY7mpuF6WtGz50AjwwoUv0cSXzxcGMU6YEyZMrACAAXJNs0CZDU6+fjpsz0XgO599Lxx48OVQ fPV12O61w3cO/iosbU/DK6/ugmfvOBfm1rcPAsBb25+BT33oyzCnoRO66ufCFz703/DYxj7xgISE hISE/i4Jlx1j5BdfaarmF0i4PPnxxx+nD17hMmhk/CjWgw8+SO8H8wiuSwiaMcqL/oAbPcaPaLmE /gE96I9bH0j5Linj6/RoIJtO6w9i4TvB9HpZQgPUvJJzIfov5KOkyC8inwePVfp1U2+DyO0nQfT2 EyF654kQufMkiNxxEnSrY9w21IwnoI0+k45CW78rSX6WAGAhISEBwJWWQCvwmMABHMFpXEeBKaJq /vuLTyhnzJhBS6CP/vWvzQAbVwO9XmqD0VoEwnF6EpqiAR4Bsl0OHVPAlQb3OF6PUT34kYZ5C+bB 0qVLoGNLh4nU6vLsJEJPN6mshC6brsXo69TXX389HHfccfC9732Pfnn0zYO/SeAXl2XPnv0kxCh9 AnpiNqqd0vUn9L/yEHS7APjFFxcaAFwcxAiAH354QlkA3Iah3Vd74cQD/wMeXdwFr72yDU4/9hC4 +rkuvYTq1e1wz3GHwwf2/xxMf3o93Pe7T8N9jzepihW4PuEouHGenpTXP30ffH7//WH/Az8Dt8xe I96PkJCQkNDfJeG8TL9dVHM2RnerJUzb2NhI3xvBqG99fT09DEcAjBHesN8h4fJn/NAVRnrxY1h3 3XUXgW98N3jKlClDfsOE7xynEhrw4kN48qFS2h9Kol+VSNIxXk/FTXQY/SK19bwsLFm6VPleeBwn 
0IqBhzgCWpV/ywWfgK3XjYHtNw1lPN948rvoVbWk8XVSPXHydWIGEAsAFhISEgBcAQB3xxRARZAa i6kBG8GwAppqsI4jsI3HKBqLTy5XrFipJpLVOkocT9By54TNg2XE9cAbx31TZiKuo7M4qMcJyMap bFwq1NnRBV2RLg1+4zp9LBmjdMmYzhOL87I0kI7TO8Y99Puk62+4HsaNGwcXXngh3H///bC6fpVe yh1LGvm1XBqoJxUwTtGXElcsHwqA586dR/8mDmL8/dMgAPz6X2HtwsWwYO5M+OLXfgs9r1YzLb8G L7/yKrzmPF12pnw12b4Cr7z6F/F+hISEhIT+bgkfSCPoHA74LUf4JWh8mL9kyZLA6/gdEPzd0tNP Pw0LFrxIgBiXTs+bNw/WrVunzi0YDIDzBfI3yC8xvhPuo0+UtD6L8qHwS9Hkh8SMX6Wu4bdI6tfU E1iOJWJ0Lan8n1jcPPRvnA/5tfdBft29htV+473EuYb7IL52LpWl/ZsEBSVi5LslqU4BwEJCQgKA qwDAsViCGIEngs6YGvjpAxSxbjofTWhgSmA2oa7hgG3O4VcV490JAtAD4Bf3EzSYd6vzMZVHD+x4 vlsD63i3KrdbTTJxihLH8LypP4rlUfpuKq8b68E6491UXyyq68b3eX01Qfo5j5ZrJ2NJJrdKh3mp fRpEYztwSdLKlUOXQOPkiBNewkSdLWM5+PR48CT8V1g+6z4Ye8hh8NiSzeKpCAkJCQkJjXIEOOj3 g3uKEPw+8MCD9AtETs3NLfDQQw9DJDJ4+XQeI8DKN+gmXyhG/krC+EYUWDA+Efo76IOgf5Po1qvi MCrc1tYG3RRIQL8H/Z9uKgP9l25Mp/J14/numPGRWGAiqnycZIJ8KATUmAfronTdUQHAQkJCAoAr AeCoAn3R7hgN1t24NQCYgCsOvHgegW93zJzrpgE2Tte6aZAmkFq6jhynbTeVqQd0fCoZxYEdQWw0 qvMpgInHcQtWVbk4cXQTQI7RwE9gliYUzGPqxePuOE0YJE8iquuM6TppIrBtUByNGqCuJgd8l2j5 8mVD3vPBiRajvEGM4Pf1spFbISEhISEhob8XyuXyFN3VQYMY+S8J9DvQJ4mbIEK3BafaZyEQa/yq SLSLAgrkp8Stn6SDBeQXxY0vpc5H43Hjw6jzVKYGx1HlE8WUbxSPGl+HAhISARYSEhIAXBEA48CJ IJgG5agGlDioRi34jGkwiqC0O2q3URrk4yZNNGoAakIPxjgIY9o4Dswxk4eArwbQ3dEIPcGkiDIO 5jj4Y/qIBteJWNREYzU4pwklpicDPEYgHDPy2qesmCaCT02VbBZsYztoIunWT1ij6jz+pqB+zWrY vm2bzOBCQkJCQkJCwyJcno0+Cb6D222AJ/pA0Wh3CcxiUCCKfhEFCrRPgz4Q+U4xG1wwQQL0fzCw EDW+WHfcAGB1LRKnv1vQA38MHiRiBIi7o906OIFgmoIB6HdpH0gAsJCQkADgShFgA2ZxgCXwilvF FBmOR+gaDuo6whul8wiA8Vw0EqN8eIwDd3dUR4XjURv5jdJT0ahhXZaZCPBcJG6ud5s03QZcR2mp tJYDJxC9jcc0MNdlRQfKJ/nMNhYx7ek2YBzr0SCdyjLLmte3racPXHR0dEKH2nZ2dNB+J3JnB207 6Jw+jz+wR+5ox+OB9JrbDXdQ3o72TrpO+5ius91s1TnM39lJ+7b8TsPtnTpPuymrXaVr7zT1tGvZ OsxxZ0l2fc6WoWXoLMnfiXW367LbbXvaB+rtGNTO9tIxytk5SMZ2lqdjoD02TbvO115qb2cpTXun vW7kx/a3c5kH28DqcYgNTBs6O8Js0FHGBh1V2UDLF2CDzuHYwPajkdugczdt0NnZPijN7tugfVg2 
sPK4NugctA2yQWegDTpG0QYdQ2zQztrQwe7l9pKOrJyDbNA+uF3trM3DswHX496wQftgG3QMtoHV pe5LlW3Q0d5e0veAnoJsYHS2V23QMdQGth7bpvaBMrV92gf6omODzjI26Bxig/Y3zgZD5rROR+ed w7TB4DbYvl2yqWuDjj1og85gG5TaP2Q8HZBniA06AmzAx9POweXo+aAdNm7eBBs3bIJkskf7GLTS TPsa3SYa3B2JKDAb0X4R+SPdJd+E/CZ8SI++DflT2keKUfp4yVeyflGsu4sArwbHOo/214wPFDEr 7LBMdV0AsJCQkADgSgC4Sw24kS56gqgHUjOoRruII7EuOo7gwIxAMqYH3lhEg1QCrBE9IHdHOyEW VftdUf10MqrBa9xMCjEDmCka26XKJrCLWxzsVX3xLgKwkWhE109yqGOVNopbVV8kgmk6Sc5uJTvJ GzHAPdpN7+nEu036OAJnlT7SqeSPQpeZfHCZkZ/NQM7P0e8I8P+CyDnknGIPj9U1xXhM/zD2c3SO 0uR1Ot/39Dbn6TJwP+9Rmfq6Sefl9DWbpnSe1avK8m0+L0cf/yBZTJm5nC1DbfO5kpxUl5HLN+VQ ebYMtZ/P+6YtJi22B8vwPSOLp8tV2xzWlR+QsSSDZ9uXM+229fgl/eH1nK/1mc8Z3eS1fmz7PGqH kd/3g22A5Q+xgUf7nmsDb6gNctYGvmMDX9ss3AY+eHlug4H2e3lbT5U2sP0oNyDvIBv4g22QL8lf jQ38yjYwOqN35ANsYPvB8Gxg7gPeJmsDfw/awK/eBoH3smODfDkb2Pta1YV607rxHBvkBtIF2CDH beAPpKe0uQAb5AbbIMdt4JezwcC54dsgfCzySzbIlbdBbjg28Af1Gd1WrftqbWB1WJ0NvIExNMQG /jBtkCtnAzsuhtiA9w3fD7KBN6jekg38wTbwrQ38YBvkKtwH+UAbmPHU5BlqA2+QDfL5yjZw5zRr A73vaR1Zm7g2yFewAZvTwmwwZE6r0ga2DbnSNavPHOnM9n0PvzvSkyK/gvyXmAkiRCKl1Wnog2i/ qEsD2C4DXDFKjH6ReZWMHtyjzxPXvlSEyuginwv9nSj6YHHtD8XIt0G/Sl3vilL95J8pH4d8KATN yl8SACwkJCQAuAIA1gMnAskuBRC7CEBGaOCOaOBowCgOxF1RndaCYRyo8UvOkagBoSodlkOAOopf eY6UJgg616UH92h3p952deuBmwZwzNtJT1C7CNSa9MRRLU9XJ6XvQvAc0cAd6+yKdpk2dFKdOBGh jNEu3Q4CzbiNdqjzXea8lovaQHLbCQsnKl0uTiRd0WjpwQCC9a4uPaFFolpXWFYn5Y9Q3dFSu7pI d1x+LIPaG9G60fJr3UesDaJmYivZwDwoiHYZWR0bRHW9YTaIMBtEzeQaaAMrxwhtEOE2iDIbRLRO B2zQqdNGXBt0htigM8AGEe0ocBtEhmGDrs5SX8Ftdxkb6DaE2CCKDg+3QcS0wdigyzoxg22g5Ywa vWhZo+Zeq84GOk2kgg2sjEE26Aq0weD7IBpwH0SYDaJBNohaG3QZGxg5AmyAD8zCbBCxNugebIMo t0G3sUFXsA0iUccGUb2aJdoVZINooA0i1gYR1oZubQP8f3kkwm0QKW8Dm5ZkG2yD6CAbRENtEA2w QZTZoKsaG0TMg0O8D0o26Aq0QZdpr2uDaKANokbPYTYwDzu7o2YMNuWbuWKoDbqMXoJs0FXBBlEz p1VnA2pfORtEuszYYGxAq470vTnYBtGSDSLMBl2ODSJhNjD1RKJd5W0QcWwQsWNRBRtQPwqxgX14 bfvuIBt0V7QB3k+hNiBZmV9RskFXBRsMntOG2CDKbEBzWpAN7HgaYIOosQHNadXbwM6X1gZ2rusm 
/ynqjKddpTlN+yUDbXBtEDHjY3eka6gNusJsEBlkA2yPAGAhISEBwBUAcEtLK7S2NkNTSwttW9pa oaVFbZtb6euHbS1t0KbO4xcLW5BV+uaWJpW2hc61NTdDc6tOT+lUOS2tbeqcKk+da8Fr6hjTN6l8 lN+kb1X7mL6prZnSNrdg3SpfUyulw20ryddEedowfVsrbTFdmyqzuRWvq/pQ5jYtVxPK2WzKIbkw XwulI9mamkmuVrqmymlW5ZPcpg223OYWoxu139aq06C8eJ32W6mMVluvaUMr6Q/br9vdhufVtqUN y1Y6a9N6am4x50k/rg1aHBu0MBu0DbZBi25PqA3a0EbWBs2DbNBibNDMbEBtaGoZsAGWQzZoKWuD lkE2aHVs0DZggzbXBq0VbNDCbNAaaoMWxwaUV+mqFeVsMm1W6bgNsNwWboPmEdigNdgGrcwGrcYG bcYGrWE2aHFt0MJs0Eztdm3Q6tigOcAGzShXSxU2aNU6HWID0lVLyQZ4v7k2aBuxDdqYDXR+bCvV 1apt0NI01AZYbnOzYwMzdtE50k0ryWn7SFkbNGsboF6bbRuajQ0ofwu1iWxg771W004sk9ugVZ9r bhsY00r9iNsA61T3FtZDNnVtgP0C9WJs0Ew2aKMt2sBuXRs0l8bToTZosTZoGXwftA6yQQv1WdRf sA1aTdoBG2DaNtLr8GzQ5NhAy9aq+1FruA1K419rS4ANmhwbNDs2aB5qgxY7p4XYAGVoMfMAjQEB NqB7s5n6kWsDHDPIzmZe1H1N94c2e8+3tgyM1c16zrD392AbtDo2aCa76zm1GhvoOTHIBnrOCLNB m7GB1fVgG7RQPdoGdt62Nmg1NmgKsEFLFTZoaW0r9QM9nwbYwPoVra4NWsx4Ohwb6P5i5zRrAyyn 1bFBS8kGzSW/puQHDLGBvreaW7QNmk2/0jZocWzQEmoDvFdK94G5p/QY2KIA8PsEAAsJCQkALgeA 16xZA8L7Fi9evHifZbGfsLCwsLDwnuP3vU8AsJCQkADgsgB4165d8PLLLwvvQ5xOp/dZlv4mLCws LCy85/iDH/ygAGAhISEBwAKABQALABYWFhYWFhYALABYSEhIALAAEgHAAoCFhYWFhYUFAAsAFhIS EgAsLABYALCwsLCwsLAAYAHAQkJCAoCFBQALABYWFhYWFhYALABYSEhIALCwAGABwMLCwsLCwgKA hYSEhPZJAIzp4vE4dHZ2luXe3l6ZgAQACwAWFhYWFhYWACwkJCS07wLgZDIJxx57LIw97AdwyFE/ DOSxP/sBnHfeeVAsFmUSEgAsAFhYWFhYWFgAsJCQkNC+CYDnz58PYw/5EZw+5TA4a+YRgXzaI4fB jw8ZC5s2bdqnJ4/RAml7CuwJABYWFhYWFhYWACwkJCQAeA8C4NNOOw2OvugnoeDX8i/O+jFFgasd qLcW8xBL+aVjPxmFtoYG6O7JwC6WruD1QltbA7RHk4POJxODj3vVMS+/N9VT2u/3EuDn+mh/R18O ItEe2OnKtCMLM6ZOg2hu+1BAu3MnJGLd0N09wJFIHLYFtW17L0yf9hh09RTffABY6filxWuhZ18A wPkIbOyMwcveZuiMZoaXd2sWVixbB1vFIRIWFhb+m+NM9wZojuaGlSefbIdo2mdzfj+0NG2GHQFp cTXbunXrIJVKwY4dO5QP0kYP+HF/QIbN4OX7R7dtyt9pavcHn1P+R3//VgHAQkJCAoD3FgBetWoV jP3pD+HUCUOjv/M3PQGxfEfp+ITbfwo/HPsDaG1trWqg3rRyEVxx2RTof1lNLi/Wwp+vuQFuv+MO uOGa62DOig4FUHeBH10Ft1xzFdx+++1w03VXw90zlkDfdpS7CHdefgnMWJM0QLYId1x+O+Rs+apt 
j952FTQWVNpdfTDlyktg8tMv0rWWBXPgimsegeIQAByH66+8Ctantw0F64UemKhkGD/+Nrjy8j/B rUrO8bffCRv6A9q2IwrXXnk9NHZ4ex0Ar1o4DU4/7Qw456xxcMcjT0Ik0TvoeqqrEc47626IvxkB 8LYWqHtqXumhxvbIS/DsknVQbJ4Cz8xbNyw97cxuhnvunQ7+TnEUhYWFhd/MnE+vguturys9UPaT jXDtVQ9CX2ieXbB0Wg2Mf3L9sOrpXvcCrNjUDXk/Bm3RNOwspuDBO6cM8QV834dbb70VLrnkErj8 8sth0qRJcOmll9LxM888U0q37vkpsDFa3bdPtiW74HePboR0386A69tgRUMnxArbIb9hE1z/fGzg 4f72rXB7TROcNLERbnspDjt2CQAWEhISALxHAfC2bdtg3LhxcMQpY+HM6UMjvo2JlYBkj8+Yejgc cvQP4ZZbboGdO3dWnBC21CsAfJWa9HakYfzVf4bHFm6mQb973WL402X3QDIXhzuuuQIeX9iswNPL kOvZALdefhnMW91BgPceBWovufwGaIkV6Pjua+5kE9kueP6xB+Dhl2KwLd0KV6iJ66r/z957gNdx XGfDyfcnX/7Yju24JbGd4sSOrfyx41gkZfVeKVFdoholU4WUxKZe2DspdhLsDewVbCAJsKMSvXcQ vQO3oQOs7z+zuwMMhrN7L1gsUjzned7n3t2dnZlzdtq7Z2Z2/iZ2vh3hO1dj7gE+VbsRMQd2IDg4 GPujstHKCPDk0WOweftOrFu3HiczinuSKqZTS2MDVsxeYhBtU8d25KVGGXFs2RVuEnCJAHsq0rBt 92HWsbNwyRFGuB37I9HU0YqEY+E4Eh2FrRuCERIaAU9L+2UT4OijW5gdT6KytBDb54zAnDXRKEgO x5QpU7B082GUFqdh5LAvsWjuNExbtg1FZflYsiYcFezenIiN2BdTgMwTO1j4mVg0fwbCEgqQcWK7 cRy0YAbCEwtQkBBqxLd8ewQqynKxJGgFFi9agcLSyitKgNuq4xCRmA1f5maWl6WG7U7mFKO1/CRC tmzG+u1xqCnOMc5vDjkIX0c7EiPDsW/reqQknMTmTQfgYQS4LPWwEeZAFH/T34KUQ9uN40PxRT1m EBAIBALh6yHAYz4bg4P5pufz2JrJ+GzMYoMAV+elmf3rnsPGcVVusnE8f8ZULArNgask3epXo7sI tK+hEodi09HW5MLBsEi0tTfheFgY0jKjkFpUitDVczBx1iIkFZZj6YLF2BOyEcGb96HaeqFdVFSE 0aNHG4RXxdSpU7sJcPgabFy7Bus2bUdhQx2O798Pl68VFUUpOJFZLunYiu2b0/H6qjREVTSjzefD /PAyI7/lySXYcKwIz85PwtiwMtRk5WDoqkxM3F2A9Ym1aEjLwYR9JWhracSMTZloaG4nAkxCQkIE +GoS4LS0NAwY8AQGfdVfO+VZJcAcr0x6DC8OfDGgHaG7CHCnFzsWzcb02cuQWlCC6jq3QXhba7Ix bsyXSKps6epEdk0fjV3hKQbhXRy0FvE7ZmPplv2MyDRifg8CzDqnQ7vwxezdyI85gC8mrcbCWbNR 0NyKbUtn4GRVB+L3b8a4KbOwZ/d2RlhHIzIlEVM//xxzVm7Eod3rMW7sbJQonU1roxsrZ3e/mfZU ZWHmpEnYefAoVi+ejanzQ9DYUozJ46YgMbsQyyd+ic3HU1BfloYZEydj274wBM2ajEU7YrFl7SJM /Goh9u3fhenjxuNEeuEVIMBbsfN4gvG/OC6YEf/lGDV8CEKj4zBh2FBsiozFyPffxwFGLNd/OQKT Vu/G8KFBKGPh49d/jmnr9+H9oe/iRGomgj4cijmb9mLokKGIYMeLRr2D+VvDMOStPyEsJhafDX4D 
O6Mi8Oaf3kFoQhaqa66sB9iXtQnr9h1hv1sQtH4vGhsKMG/eOrgZIV64fjtqPS04cXA7juVUYs/m 5dic6cKudQuwK4kNikrjMWbcNJSXZ+LLMeORmpWCaWPHIyUjBmPHT0NWXhIWLF6B+jYafBIIBMLX S4DjsXrlAkz9aiu8dRmYNHkOFixZh8b2ZoTu3ICo3FJsZtd3ZVRi3ZLZiM6vwZ41QZi/Iwnrls5B WGo+Ni2bh5Asc0p0i7sKSxcGo6I4B9NHj0F8WSmWL9qAjIhVCE3OQWHyPiwKiUJ7YzWWzv8KEdml 2L9qAdYcNV968/HL9OnTLyK/3Au8efNmiQCvxOYjaShIOoZJSw/h2KZFSCyuQszOxThZ1L0Eq7G2 Aa8uTUVGbiXe21GE5oYGvLI4wxhHpO/PwPQjp/DGkmTsy3XDk5uLIZtyUVNfiY9XZuLENtZ3hZUb /eLSrZmobyICTEJCQgT4qhLgnTt34qH+92u9v3YE+N3NA/Dgo/cjPj6+FwS4Ex1N9UiOOY7gpfMw aepX2HosB611JgFOrGjuQYB3WwQ4aMF6tLe5sGr+bJw4VYGgST0JcF12FOuwpmPdhhVYdLgMB3ev xDpGRhfOXApfRxsjS3Mwed5KrN+4EbPGfY7th/dg0phxSK9sREdbM7au+Ao7czyOBLg4ag2W7Dlh ErZT0Rg7eToKawsx5YvRmD1rGuvQN8Hd2Iri2GCMmzYP6zdsYAR4GqbPWYwVqxexDt184x25ZjL2 J2VfUQKcsXcqPnpvJt5/831s3r0bG9avx+HoKIwcHoQqdj03fDbGjV7CCK9JgJM2fY7xbJAwZNRy 43rqhk8xMWgd3h65wjxe/zEmLgrGm6+9jy27dmHdunU4HnOUEeAgw4N8padA+7K2Yr1BgDfgwKFU 49yO5StQmbkBBw+nGdPco8I2Y1PIIWxZuQQb0urYM92AJj4AqkoyCHD6yYMYPXoGDh46hL2hB1BS UYOEqMPYtG4F1m4IgauVBp8EAoHwdcJdG4e9kZHYu2Ai1i1fgrWRuVi9YCV8bU3Gy+itew5h/aL5 2JJQxAhrMOsjOnBy23rM3BCNJdNZ33nkCPaHhiI2p95aAtWEPWuXI2j1EuzbvgZT5y7F2vAk5Eas xUFGgEtyj2L5wRSTAC/YaOwVUXRoDZYfyO/axDI9PR3jxo3rQYAXLVqEhoYG6SX7BhSW1KKpOh+z p61DfuZJLNy0HcsWL0Ott3svkaTUQjy2IBWfbs7Go3OSkVxY00WAsw9mYGZkEd5fmozw0iaDAIsp 0Mu3ZiApNA0zLAK8mBHgOiLAJCQkRICvLgHmmz4MGDAAr80I3AP88oTH8NJLL6GuTr9pUVNNEcqs Ta5y445gzJRNaGpxISkxGZ7WDosYH8SXn09CUWUuJjACHJNvdThtXqybygjw4VSTAM9fh/b2DuSe DMfnn43FF2N7EuBOXwkmfM46rs8nIsvLOprIUKMTm7FyN+sg2xDCCPDUlbsQHhaGsLBwZBSkYNLY 8cisZoS7vRk7gudge6bbkQDnHmadddhJ861z+UmDABfUFDACPBYL5s3GxGmLUO5pQVHMWoybuxKH jLTCcCwyCcFrFyE0z9NFgA8k5Vw2AY45uglLN25HRPg+fPLpxwhNZDp9+Ql2RcQgfPc+ZOWnYeT7 g7H1wHEs/WIEFoacwJgP30HI8WOYO/RtzN18EF+M/BD7jh/FzLffxNwtB/HZiA8Qyo5nvPUnzN8W ji8+GMUGKzEIC9mD7Nw4vDk4KKA1xYEQ4OXBm1GYl4/8/BJ4swUB3oK5KzaitDARi5ZsgZcR4AOH +bT4dmxbHITUkmKsXz6HEeB6gwD7DAKcbBDgispszJo2A0m5BTh55DhKsyMxbdJS5ObFYNzU2Shy 
t9EAlEAgEL5mAhwSGQ9XQRjGTVwKl68BK+csg6fRhbXzWBt/Kg/LF8zEjvRKbFu1AMfScrFt6Xws 2JmEnWsXIzw1HykxsSiV9uQoiQnBxJkLUOYpx5yxE3AyuxR5kcEGAa4ojsOijaGor69khNp8aVp4 aC0jwAU98pWTk4NJkyYZnt+FCxfC4+n5Qjw5fDlW7T6BpIhQzF4fgXZfJYK+moRVWyKkjbXasW5D GtLr+LiiBXF7MjA+NA/DViRjb3oFpi1OxsLYEkxZmYJ1qXVw5eZ0EWDu8a0pOIXPt+YiPb8In23M g7eVCDAJCQkR4KtKgJubmzF8+HA8OfghvLtpgEFwp4aNxNq4uZh5+BO4WupQ31zdRX6HrBuAx55/ EDNmzLBdA1x8cClmLFiB/LIibF09B7N2p6LDV4aZ48didUg4SirKEL5lNb74fCFq25pxdM1UzFy0 FllFxTi2ZyPriCYgs6qxBwHuaPViT9A4fDZGIcCdrdg360uMnb3e6IxaqlIZAf4cm8KijU7p6M41 mLZoA7ILCnFk90ZkFWRi6udfYN2+oyjMiMDMSZORUN/qSIAbSmMwbdo8nMwtxoFtKzB52ho0NJpT oFPzirFryWQs3h6B6sIITJ++ELE5p5BwPBT7onKw+SoQ4OLCLBw7cgRHjhxDSk6hca4kLxWHw8Nx +HAEisrKEB11AkcOHcLhIzEorapBXko0wg+GIeLoEZbnUuSnRSHsUDjmDnsTC/anIy810jie896f sOhAJopzkoz4jhyJRHFZMU5EpAa0q7RfAtzhRnZGhrGJWkZmPlq95SiprEGbpwyZ7FxqUhJKK+vZ cQmqaswXEzXlRUhKSkVmZhZO1TaioqTEeNYdLS5kZeWhpYM9o7ICpKWmGsdNrS0s/xlITk1DblHV xTuBEwgEAuHPitaWepTX1qO9tQlFJVXoaGtFUUER2jvaUVlSiOTkNGSxNr6kvgmuqhKkJicbfUJh pReN9VXIYO17enomG5NIe3Y01iE3v9joDyoLcxmZboWvjvUdLi9am3zISUtDpduHU4UlRj/QWF2M oirfRZ8z5Ds/b9q0qYfnt2uzrOpTRj7SUtJQ42EEt6UBy2ZPR2xZoxSujfU1HjS3mf1fm9eL9Aov KspcOJZZjfi8Bpyqb0ZNmRtxhQ1ocnuQU2XuLF3EzrW0taPwVB0Op1chr87/TtBEgElISIgAX4Fd oCMjI/HIgAfx1nJzF+iDOdvQ3NmIjrPt8LQ2YEnkpO5doGf3N74XnJKS4hBnM0I3r8K8efOwbO12 eJotglmfh43LgjCfnV+0fC1yJeIZvj3YCL9g8Rpk1gmPXRO2bgplHaTQoQSrl2w03uTK6VUmbsf2 o7HWsQchixfhZEaJedxUhW1LFxhxL1q8CgUVhVizcCGWLF9unNtxNOGi/LexjnPXxp3dn9dpb0V8 2A4j/PzF61Dk5p7qSqxcugr5rJPzNhRjTdAiw6scG7rV1GPBYhzPLMahvVsRWWx2lGmhqxGVXXQN fAe4CqHTJ2HE8OEY9eEUZFdUYd/UCdbxVHZM3wEmEAgEAkFFTMhKzNt0gr4DTEJCQnK9E2D+zbv3 3nsPz4162CC5I7Y/h8lhwzHryKcYs+8tvL/1qS4C/NQ7D+OTTz7xvwM0S7ettZWR14vPt7PzHR0X f/LADH91CJT8XT+RXivPR2/iMPIdmD0vhwj+WT5ZVFONspJSVNZYn1Cqqep5TASYQCAQCISes+Ya G9EWwBcwiACTkJAQAb7GCTDHwYMHDc/um0sexzurB2gxOOhxPNr/kYC/AUy4hgnw1/UdYAKBQCAQ CESASUhIiAB/3QS4srISAwcOxMMDHsAjT+vx8BMPGOuFfT4fdUJEgIkAEwgEAoFABJiEhITk+iTA 
HKdOncKePXscUV5eTh0QEWAiwAQCgUAgEAEmISEhub4JMIEIMBFgAoFAIBCIABMBJiEhIQJMIAJM BJhAIBAIBCLAJCQkJESACUSAiQATCAQCgUAEmISEhAgwEWACEWACgUAgEAhEgElISIgAEwEmXAz+ feLrFfT8CAQCgUAgAkxCQkIE+GsjwG63Gx6Ph0AgEAgEAoFwHYOP6X7yk58QASYhISEC7ESAL1y4 ABISEhISEhISkutfyANMQkJCBJgIMAkJCQkJCQkJEWAiwCQkJESAiQCTkJCQkJCQkBABJgJMQkJC BJiEhISEhISEhIQIMBFgEhISIsAkJCQkJCQkJCREgIkAk5CQEAEmISEhISEhISEhAkxCQkJCBJiE hISEhISEhIQIMAkJCRFgIsAkJCQkJCQkJCREgElISIgAEwEmISEhISEhISEhAkxCQkIEmAgwCQkJ CQkJCQkRYCLAJCQkRICJAJOQkJCQkJCQEAEmAkxCQkIEmAgwCQkJCQkJCQkRYCLAJCQkRIBJSEhI SEhISEiIABMBJiEhIQJMQkJCQkJCQkJCBJgIMAkJCRFgEhISEhISEhISIsAkJCQkRIBJSEhISEhI SEiIAJOQkBABJgJMQkJCQkJCQkJCBJiEhIQIMBFgEhISEhISEhISIsAkJCREgIkAk5CQkJCQkJAQ ASYCTEJCQgSYCDAJCQkJCQkJCRFgIsAkJCREgElISEhISEhISIgAEwEmISEhAkxCQkJCQkJCQkIE mAgwCQkJEWASEhISEhISEhIiwESASUhIiACTkJCQkJCQkJAQASYhISEhAkxCQkJCQkJCQkIEmISE hAgwEWASEhISEhISEhIiwCQkJESAiQCTkJCQkJCQkJAQASYhISECfB0RYFdNKU6dOoWi8iqc/zqy cK4DJTk5KMrPR1lt8xWIrx0lublGfJX1LdQDk5CQkJCQkBABJiEhIbneCfDZjg60traijf2qd55p azOudZ4/f9F9Hey8ca2z0zheNeE13HvvvXj83bFo6jj75+e/7kzcd/fduPeee9B/0B6cucz4ztYn dcX38rAwBKpRR6MbGcnxiI+OR2ZBCTrPnafem4SEhISEhIQIMAkJCRHga4EAb/nqBdx88814avBI uNu6ad6FTjeGDXjEuPbA6L04J990vgkj777ZuPbh+DU4y5JcMfp54/iRwZ+huePcFWv4XTXlKCkp QU1DozNh9eTiLpb+bbf1wyPv7798AtyQjrv69DHie/GzI10E+Fy7F0VFJSgpKkXT6e7wp30VWDNr DO69xbSLwL3PvI1dh+MZEaap6XbCyyyBQCAQCISLYRHglxieZ3ia4XGGRxjuZ7iL4TaGvgy/Z/gt w28YfsnwC4Z/YfgZwz8y/JjhhwzfZ/iuNQ79ljUu/RsLfy2RYB0RJhBuRJB80whwZMgC9GNEre/D r6Ogtnuqb0tFCvo/cIdJ5Pq9iIpOyTPcEItbLII3cUe2ce5qEeB5nz1leJY/nrXKOeD5s6ivqUFd XS0aGjsun5SdP2PFVwN3U3d8dQlLjfzce+992F/UZqXdiaXjRvYgvjJuufNJRGTWE4ElEAgEAoFA BJhAIAJNBPjrJMDlJ/fjoT/2YUTtXhzMrOg6n3N0M+7u103iNqV1E7iygxO6zh8vadUS4AsXzuPM mTM4d86ZDJ9lYcxw+nx/NepJI95h04Iuk6aZ+eE4fxmzkhsS1nTpHlrSbr4QaK7DsNceNc49/NJI nKrja5BPIz50Ie673Qw7O+QYEV4NzrOHQSAQCAQCQQ9GgGc5EOC7GW5n6Mfwv9Z48SaGXzH8uzWe /Lk1vvyJNd78e2v8+V1rPPota3wqpkILEqwjwgTCjQoixN8kAtxWl4WnH7vbIGmTdiZ2nd+14kP0 
kbyYn005bE2DPovdbz5hnX8P9RaZFAT4sXc+Q3FBFIa8/CgefZTjeWw9XnhRup6KPIx+fYAVhuHp 17EzurBrqnV57F68+s47uPO2fka8t93xMN5+5xUs2xmvV6SlHJ/1fwXvvPEihq9J6DFl+4ynGF8O e6srrccHPI1Nx1KdDdNUhE8GvIp3Xn8OX2xJZfT5LPZOfgcDBjzaZZOH+r+MZ18fi+qWVkSE78Gu XbtwMq/7JUKnrwxvv3ifEXbK1sM3JOmlwQuBQCAQCESACQQiyN9cMnz97QJ9xouRz5qE9s4hGy3i 2I4JL9xuejQZYezX52a8MuJztJw+jwud9Rjy6APmtXEHu4imIMB2mLnpmLU79HmUHVmNx2/Vh3tv 5hYjXM7u5T0IuMCUZXv0nmR3VleYO18Rm2BdQEHMHts8DZ6+Gk2denfw2bqkrnBPvMs3wTqLZc/p 4nkKhaf1pq3JPYYBd/IwfTE7JOIbR3h724nz2QAEAoFAIBACh0WAX2Z4geEZhicYHmV4wIYA/5c1 ftRthPVjayOs71tj0O9YY9K/laZCCxKsI8IEAuHSXwx9YwnxdfgZpHM48ZVFXvu+iSq+3NUVhz9a BG/rvrV44I6b0a//2yjztKO1KhGP3G+S49VxpV2xyAT4/sFjkJiejehdy7vO3fPaJ2jtZI15cwUe u+d26/z9OJJUiMqSLHz4mukp7XPLU8huO2fsplxSko+PXrnXOP/KhxON43qXfjOss96eBPicsSy4 E5NHmZt83fzEG0goqEJNZQEWDL7fTOvWu7Ervlofn6snAebxecryEbFhfNf5BeFpKCwsMTYB00SA T++7yyTx9zyOE9m1NwzxvdRO/uzZswQCgUAgECQwAjybje9escZ5fLw3wBr/PchwjzUuvIXhD9ZO 0DIBVtcB/8RaB/z3FgkWu0F/S/IE/420K7RKhAmEGwlXixh/44jwdfkdYE/Ghi5Sd6CwBYXbPzWP HxoHlzsfTzxyDzu+B3uzalEUtQ33/JFdu/1ZZNQ0XUSA7xk4Cu627j2Yty/6zCKB76Cu9QzOt9Vi xvSpmDhxMuaFFXWFy9i93PA033zzHThc1S6tAX7KiHfkjMXOa4l1BPhMO8YOMacsDxq7GJ2Wu7rV k4/RX36JL7+cgNiEmoAJsLkGOLjrfFiFfrOtNk8Fpr/xbFe4iQtC0XH++ia+l0t6aRBDIBAIBAIR YALhBiPJl0uGiQBfLQJ8oaMcz1tkbcz6BMwcOMD4/+6aaHaxFUFP9jeOn1+ZhKM7goxdox989QO4 W89cRIDVXaAjNi40d4y+Z0hXeJ7Hs6dbkZ8ch/379zLsx8Qvh3YRxg053osI8LBpi3pNgC+cO42p Xwy2PMu34dH+T2Dttn0oqKrHGYOYnYedvQIhwKHWBmA9pQNrht6LvkaYfpgevBenz1+4Lolvb8mu UwcuNiDT4fTp0wQCgUAgEDRgBHgOG9+9+hfd3wLm477+1jjwPmsnaPEtYD4N+r+tnaDVdcA/VXaD /oG0Fvg7EhH+W2lN8N8ohJhAuBHx1w64FHJ8KWSYCPCVJsB8GnTQUHMK8suMwD74oOnx3W9N2y3b 97k1jXgsxn/5tvH/nU9noUPauTlQAnzhTCtC1i3CUw/dars290oRYC7egliM/vBt3P1HOY0+eOb1 4dgRmgKbJcCXTIDP1Md1XR80ehlaz3xzPL6BEt5LJbidnZ0EAoFAIBAkWAT4NWkjrKesjbAelgiw +BTSH6xPId1ksw5Y3gzrh9Ja4L+z8G2JBOuIMIFwo+ByCHKgZPgb4xG+TgkwcGCt+Wmjvn37os99 N+PWJ99Bhcec4nuhKRUPsmv33dwX/e7si5v73ozRC2Mgc8dACXBZ5Bbc1q+PRRJfR2RGIWpqahCz 
KCicBgEGroWv4C//4k/xH//zj+Acvo26jS/id/6HP8XczdV8NMSgvx6P/d3/hlWH6pBg5Prsmp/g j/7oMbjHMgnw7UQ1/uJ3/y1+uuIAutsv4Cd/8Ed49r0iXL1l3jETTDDBBBNM+KIFsgl7enq4fUZ2 x3QDOSnI3qNFqmhHDxL6TeSXhIZAk405WaB1WWgOsjXQuik0StEuOBqbEUvGOXH1cqdEgHuDyUnh 02xEPmowIIgttxEDYlhyKBrGiZMnmc3m43aocHz4uP3np9/MRmzcsxrNT/8Jup7+Q3T96A8zj0w6 2e/zv7pHjGxk6VK+QbIduVda2INkaxoCbAiwCV82ArwmjxFKHyezXDFxcurjK/IRmQ16BTmklfNo iMqrr72GF154IUV2KR55YgOMoPpZXF9QEOiQX5wL+IW3lRSbz+/jC2VxAuwTBJbypAUOjh4/hvMX zqHV0SKWpg8KkuuThJkPWyay6venz1M+nBj7eO/iqlWredkeeOBBfPMb3+Cklyk1vv3R3HlzmfLu HIdL9Cz6Ze8iI8CxKHq6e8Y9Nyo3bXc0NDSCgYGhDKFnlp9fMCUBbqLRQbcGsPVnL+H57HOgCQtj 3rN48iev4Ip3kMe9fX0QBxfPwH3fugczZp+Fo3whw5OFKEW+GcbyR5/AsXaxmmO44TBevO8efIvF fXrmegQGr5sXzAQTTDDBBBO+gIE8m2Qf3Qn5VYHsE7INiciS0KKeZFPSOixEgskutA5h1u8tKiri 1yn/3bv3cALd2trGy0IeXCLm1kDOjHgyIewsbmcqGzHIhyKL4cjSRmRxvH4vt/G488Pn5Y4Q2h6T 4nmlvRj0Kg+usBGdJXMQm/MvMLD0d2ylb9FX0Pb2v+drv/h4GgHuVOE2K5cgz9MQYEOATfiSEeA1 jAB7SOlQj5xXeFu5l9XrF2SVzpPi8oueukssTZq/6w8Ib6xPKhMezy88ssLTy+73+oRw0ivi0CJU dK+X0gyKc8GAF06nmw+l4fNCeNpepvCE0uOkl9IJiLL4fF6Zro8rVSK1VA6KR8NlVqxYwVcTpEWx aH4yrWJIw2qI5Oq4/BKX8kpT+WlYtx0B9rL8Nm0q4vO37SQ7e8V4Anw9huLVO7E16338x6++hvDN 6baS23y7pVu3p9YNNH+c4hotYoIJJphggglf3ED23ychv5MFSo/mAJODg9K3CzSXl2zH+voGPs2s sdHBCS9tw0mLVJHNSfOMrYF28uAE2OeTjgtpZ/qE3ajsOG47chtREGBuI7J4YgpbDbMJvdxu4/F8 0glCcclW7GJEvmEr+hwbpWzSfm9Eb+MmhBoPcVLNnSl+adOSPSptSsrLEGBDgE34MhJgIpveABMi mn4+3Jjmivj4eR88Xnn0C4UjFJaHD232B7z8SPf4vOweD5FLj0Z+maJx0+rLMh0PKR0isKTkPPwe Unp+lh7NAfGw+ykelcnv9qQIr9utiCs7x87T0Gk3z5/K6+GE2uvxcgVJe+0m4gk+7yMajfEexhQu KqM3E5dbwxWPR+G0mQNMz4DqmRagsAoRdzqO+zDdiiHrhUfxD/d+HwdrPabxm2CCCSaYYIIJnyhM tt3Rp7VLJ9tPmFaaXrlyJV8PRt/uke4jOzMnZyVf0NQampqbkEjGOen0eAX5JbswIG1EP9+Zw8vt RnKOkH1GNq0nIK7RKMFmRr7JxiRb0U12ItmTZBOyNFI2IqXvkTaiX9p4zEb0cBvRx21En7QRvcqG 9Ip0hO3rMwTYEGATvnwEeA0nnm6PIKtEPJWHlZQFXeMKySO8tvy87DHzet1MSRFplff4hVJzU3xS dh5BMIns+jziHo/PLZQTS8NNyofIs4edkyTao3oBvSJNIuKCfAsi7Pf4+DlOlll+XrdHEm+vLBcp 
Tm9K0Xmmgcuj4YrH4ujqHr8PMD0jeibk5bUTWghrqg3pTTDBBBNMMMEEE74Mtm5zkwMJZlN5vcpG lE4Hbj8KO03Zhz55jtuIvrTTpcft5DaiV44g5KRW2Yjc1vQK+1K3EYlIs3hEmL3MXvTLuMJG9HO7 lduIfmUjGg+wIcAmfCkJMCkCl1soI488eqm3zSN62bzSc8sJqU/EEd5ct/ztlj13Pk6G6bfH7+Jp eFJpCoXjoXt8goB63EI5ed2CSHNl5kkPSaHfdM3Lr7lTXmk3EVp2L1d8PG+ZB1OcfM9fmRaRYrdb HNO42Dl2PY3LmyLIVFbaeL2jow23bt40jdUEE0wwwQQTTDDhDsONG9fhaGjgi2SRDafbiPx/n7Ab yc4TtqBb2Ih0zieP0kb0uF3CrvPJ+33KXvVxm9KnbEQ+vJrZd17hKHFz54awQ71uSYyVjegRpJhs X7IP773XEGBDgE340hFgF1MgYjiJWyoLt6ZUSBm52P9MvDQE2MP3+yXS6+Yk1s2VDCexdI3F87nE sGaK45VkkzzCXiLFnHi6uCIiD7DLJ+KQN5mUmSC6Xu6VFUSX3cPS5OUjUut28hWeObn2iSHIIi3p FWa/XZSHn5TgHeByURouhCMhNDY5+FzkG+yZ0DMyYsSIESNGjBgxMrVcZ+SX7LSm1ha+lSYRUrIR aegxt8Fc5HgQdpuPbEivdGj4ncIW5LaZuE7XhI3IfruI4LqE00N5kslG5Pd4hCPFI2xET8rGc3Nn jscv4pD96vKJEYLKRqQyGA+wIcAmfAkJsNspvLAuryCITrdSGqSYXEIYQaSeMjcf8sx+8943Fs8l vK78HCsHpUO9drRXMO/Rc6eJpyCzbp6Gyy2uud2CDHtdTp4HV3rsnIuEk1N5r0sQYU5YKQ23mI/L /3eLNHlabpGPy0X3ULpT4HJn4vLIBRba29rR2tLKpYXVaVtLC/vdghYmba0t4rx2jh/Z+ebUuWa0 sv/b2LFFpcN+0/VmOtcq72uW6bWqc838fEtrOu30/+z+ZnGepFmmQemp/HkZWkWeXFpb5fk2jqMl db8oTyauVguu5vG4mkU5M3E1ZeAi3ONxSWx3CVerBVfrZLh4OVtkeUV+43G12OBqtsfVkomrVbs+ DlfLeFwt08LVaoMrnVYKl2yLVlypclhwtdjiEu3CFlfLFLiaNVytNrjod7OsTx2XLGtrS5sFl4hr xdUyAa7WKXG1ThtXi4ZLpd8scenxJsbVMgWulkxcreNxtTZr9fhpcDWnnwN/Z624mrX8bXC1TIar tUV7Lp8zXC2ZuHjbnAiXnrY839rcPO3n1TwOV8ukuFp1XK1T4xLtvPXOcEk9wd/35jSulglwtUwD V2tLS6r8E+Nq+eS42kR9TYyr9Q5xtU2Nq9UOV5O8Rnm0pXGlvltWXKoMLRm4VHpt08bVKtKWuFpT OlJ/RhPgGmdztGbgakk9r8lxNVtx6XaNBVdrq0xzCly0v2+I5uHS6DtpI7p1G9EtbUSXN2UjCpvO w200J7fh3NJG9HIb0C3juqSN6JYODD4S0Z22Ed3S3nQp+9PlljaeS9qJLm6jks3JbV8W59577zUE 2BBgE75UBHj1arh6nExROLlC4EqlRyoIUgzSq+uWC0A5WTyXx8kJLCkSr1P0ypGCofNOj4srE6+r RyosmYZTKCY+bNrpFV5cpyDNvBeOlJ9LKC2nUlA8byc/Ol0uHpeIrUuSZa78eLnofypXj0zHyc47 eZ6EyyWVKC/DNHCRAg7QNkm0NRQt7hWQqwXSFko+Mf+En6cVBb1idUO+zzHfWskv9pWjxRjkXnN8 qX2/WAiM71/Ht5ry8iNfPMwnFujyaqsj8iX61VwXudiXyFfOfZErd/OVE1kZgjxdWaaA+B3wywUm 
Al4+d4YWipgKl38iXH4bXH6BzQ6XT24xIHD5ZBpi1e7JcfnSq3RzXF57XD4LLr5yeZAf6f/U6uFT 4grwe7xqpXJbXH6xCqWOy2/BxWUSXL70quV85XOfwOWXuHzTwOVP4RLbPwhcYvVzwuX/JLh4+9Bx +TRcfhtcAY7JDpdP4vLZ4mK/g3eGy5/CJfYRDyhcfv/kuAJpXH7ZZr1q5U8LLp8NLv90cPF3Rsfl mxSXaPvjcQUULp/CFRBtP6hwifacxuWbAJc/tUWcjssn60K9B2rBk9Pq0wAAgABJREFUmGDqqOGS 29rZ4uLvjmhTavVUr6wLHZdoRxKXL43Lp+OSbVThCqRw+T85Lq+qf3XMxOWVuHiahCugVp4N8Pqn sgYmxOWzwRWcBi7fBLj8Flxy7uIUuLwp/ekXW/jdMS5RxilxBSQu73hcfokr3VYCYsqSTIvP55Tf gfG4fPa4qJ68mbh8Gi6uD21x+W1wqRWC7XH5bXD5bXEFLbjE7hgZuLiu9mk6azJc/kxcfoXLK3Fp ekDhCvi1b7PCFUjj8ltw+SbHJdp0UM6ltcHl03AE0qsy67j8GbiU/g2IevApjAKX1yeGIXt7GPGU NqKT24iCcHpSNqIgqtxuk04Tsik5iXUJ0pyyEZ1pB4my5YQdaLERyfZzCftR5KFsRKewBdX/0kak PO4zBNgQYBO+bB7g1Zw4kufUxRQSKageIqacyDLl4ewRisJFCxGI306uqJxSCbl53B5+nqXjFApL KBpxv8sr7uuRpFPc18PycfKy029aSdnldPP4nIyy8/w65c/SdLqFwnQrhemUZJ3ILcWhNHrovFB4 Lo9blkHicktcXg0XlS2FyyVweYUy5L2HLA1agCGFy2nBRfc5NVy813FiXD2uHn7eqeNyZeKi7aBc rolwOcVwdSsu7uWeHi7+8fBacblFRwE9Fwsu13RxuTVcNFpgClwuO1x8eDvFSeMiLz21STcvq6g/ j0d8OKn8vC4UrtTzcmbi8qRx8fJKXE7qEXYpLJm4CL+T43LLc90aru7xuKh99ghclJaT0rPF1cOf eSau7tQ7wY0EhcvpHofLzetcw9XTzfNM42L3eyUueic5Liev5+ng8ui4nLK3nHC5NFxO1QEmysB1 gsQl6lUYF4TLbYOLl1/20ve4ezJwuTVcbh2X2wYX6SBeLg0Xvfc9dL2HG0W880sztKy4+D1OkZ5b rubuseJy2+Fyi/KNw+W0weUZh4vKRLicGi6XLS6X+E2jZqi8VlyyY8+Vgcs5CS6nBZcwSoVO03C5 XbKdaLjcejt0jcflssHlFG1nYlzuqXH1SFzyGbtdOi6XLIPQAwKXS7QXTVeLTk8LLpd8prIDtId/ VyQuaSzb4eL6UOkw2bHrlu+HwkVGvlviEjpPGvgT4OrJwCXxU1m9mbicEpdrKlxeJ/828++5JAYZ uJwCk1u2Ax2X2xYXYejm8ay4XBm4XJM8Lx1XjzhSXh47XKIe7Z5XJi7nOFwpDC4NF7VZictti8ul 4XJpuGRHukvi8rhSuiaVnlPqlxQu8Uw4LukYSNe5wMPfRfmd4xhTuFy2uNwSl0viUrreLXH1pN6F blkmHZdTXE/hck2AS5Ut05YS3yBpI06By6twyTbBr7smwaW+6x7xbddx0Xde4fJouDwKl9OCy+1K Oz50XPy9zsTlteCishsPsCHAJnzJCPDSpUtRXl7OpAxl8lheUS5+l5WjopT9pmN5BSoqyviG5+Uk 7H9Kq5yd4/FY/IqyUplGuYjLf1egtEKkRXFL6Ry/n/IoSx/L5H08Xqk4X1aeTq9UHEU6Ih6/xuKK spXL/MSxTObNccm87whX+VS4ytO4yjNxlZaXToKrLBNXmcJVoeFicTJwVchnVC7ykbhKbXCVTxcX 
z4vykfWh4SqrUOWSbSKFK/28ysrSz6OClbWsIo2rbFJcZZbnVTYxLl7HFQJX2XRxVUhc6vkJXBWW ck0PV1kaV5lWxwpX+dS4bNthCpcoY6nCVT4eV5kVV6pNlaWwTYRLvF8VE+Iqt+Iq03CVyjJPias8 A1eZhiv1vMpF+UV8Vp7SyXCVZ+BKPXtelgp5XpRperjKMnHx9qjjkuWTbX08rtIpcMn4FRqu8jSu 8ilwiXcsjSujHUqh+0ozcFXY4CrXcJWPwyXSVbjKNFzlU+Mqs8dVNg5XRbpMFRJXRRpXqQ2usslw laX15lS4KiSuslQ7LE/V/V3BVT4FLvWcNVwVdrjKLbikbuL5VyhcFZm4ytPPNY2rQuAqs8NF95Te Aa5yC670t+aOcWXYEgqXyK80A1fFhLjKp4NL6suJcJVNgqvM+m3m+ct7rXrDFldZ+juk9G9FGle5 bA+ivjJxldvgKrfBJXRiJq5yDRf/5mq4ylL6K9PmGIerXMOlbKqU/TIxrnILrrTNoeOqsMFV9glw lU+Jq1y1qXG4ylO4Ku4AF73DX/va1wwBNgTYhC8TAV69ejX3BBkx8tsk3d3dvJ1/EcQ8TyNGjBgx YuQ3J8YDbAiwCV8yArxu3Tq+h60RI79NQnsvRyKRL4SY52nEiBEjRoz85uSRRx4xBNgQYBMMATZi xBBgQ4CNGDFixIgRQ4ANATYE2ARDgI0YMQTYEGAjRowYMWLEEGBDgA0BNsEQYCNGDAE2BNiIESNG jBgxBNgQYEOATTAE2IgRQ4ANATZixIgRI0YMATYE2ARDgA0BNmLEEGAjRowYMWLEiCHAhgCbYAiw IcBGjBgCbMSIESNGjBgxBNgQYBMMAf71EmAiHrt27UJOTs6UcvDgQR7fKFcjhgAbAmzEiBEjRowY AmwIsCHAhgD/1hFgSv+pp57C/Y99Cw/98N4J5b5Hv4Wf/OQnvFxGuRoxBNgQYCNGjBgxYsQQYEOA DQE2BPi3igBTmbZs2YL7H7oXL29+BD8reWxCoev3P3QfDhw48IVUlvSMPs/pGQJsCLARI0aMGDFi xBBgQ4BNMAT4UxDg3t5ePP/883jyrW9PSn6VfPfn9+Pll1++Y3IXC/jQOzAs/h8dQcTjRGtdHZz+ MK5mxB2Fv6cdra0OeCK9ljS8SPQOpv4f7kvA68skG/FIEP2DIp/R4UEEg+nrI31RHn/UpnxRfzMO X2zA0FV7XAmWt4c9F68mHo8fwxPgpfT2HanC4PDo5/9DcXUAnW1dGB4d+60kwMGeBlyqaULQ3YwT ZxsR+gRphF2NuFDViKAhwEaMGDFi5HMkybAH9d2hO793pA/N9U1I6udGh+FmtmWvtJPsbMKGhgZu i9L/dKT/6Xwq3thV+Hq6kOgb+mwwD/ThQn3QYhuSrXKV2c5DhgAbAmyCIcCfngCfOXMG9z10D17I H+/9XXLsLTQFL+NUZ1nq3HMrH8a9D9yD2traO1Bog9gwcx4qTzdjjP1fVbYeMz74AB9wmYldRy9L 5ZbAkW1r5XkmM2Zg24mOVBpFMz9A/p4j6BsZ40S59tABzJqxBX1aXvtXzsShmkb+29lwCUs++gi1 SUGsL+0owIJFRYjblNHbfQprd1ViYMSOBA5gR6q8unyE+gF7zN6uU5i3soSR/pHf8IezCvNZPc5g Mn9xAdr8feNHAfT6ULx+CyLDVz//BDjUg9xFC3DBlT7XeWEHFq8qQWftTrz86gb4PwFh9dQUY27W drjDhgAbMWLEiJG7LGN9OLJ3ExZtq9bOB5A7NwtXWn2T3DuGxmOHMGf96TvOczTRg4LcQnQwuyYe 9sEXG8DYUAKHdmxBdzAxLr7b7casWbO4fTNz5kxUVFTwI/1P58ku5aPbRvpxvGQLWt3h6ZenP4gH 
V1zBcffgBHGG4ez0ItTPbORAEM+sbUK/TsxDffhwfR3uZWksOOHFiCHAhgCbYAjwJyXAVI5nf/Is Hn/5fry6/dFxBHj1mTkYu3EVPfHW1LlXtjyKR5+7Dz/96U8xPDw8TeU3gK3z5+LYuRamfNsxd+Yi VFb3cDLsqjuNZbNXwjlyDe01lVi0KBvn28PcK+k4vQfzZs3F2ZYQizuI7fPex/sfLsapZh8ntA1H 92PmnG0Y1PKqPbIBa/af47+vnNqBGe+/j/zjTpZeDDvX5mDF/gZ27SqC7k7U19ejqbUL/SNXOQHO 3bIPjoYG1Dc44A0nefn0nsfh0avoOrUNs+bvRi97nsN8MbAxJKN+OBob0MDu80fFfToB7o/50NTS hWF2z2BfFC2ORp43z2OsH+2NDnR3d7G863m8vrvoNU6EqlC0uwyJ/l40ntqLvI27EO0fRsTbwcvQ 2h3EcJ8fOzcUoaG+DvWNzQgm+3E14YbTE+VY4u5WhmsQyaCb30NtsdUZxujIELrbmtg5B1paWxHr HUZ/2MXjNLc7McLwxoM9aHWwOm3yZtbnpyDAOQvnZxBgv9OB6tpmuK6U4PkXs3HieCUqz16GLxRA 45UaXDhVibPV7fB0t+HY0UocPXEa7T0ehNzNOHXiJI6fqkHA3YRLNQ7uAXa21PD36kyV+N/d1YwT x46y+06izekzBNiIESNGjNwxAa7YswEfvL8YzQlhO/UcX8tsmqWobfFwG9Hd0cK/n23OAB+plgzQ 97QOFcVbMX/zOf7NdXaKOC5/IvVNHeyNocsd4L8D7m7Ek4MYHQyhu6sDbW0diA/1oWxXAVYUV8IT iaFi1xZUVVezdBrhDsZT6ZBNSWT3fWY3WYXO03VBgAdwbPcWnDlzkdlLjfCEY/CxcjmD/ez6ELqa 2Lez72rGyL7Gs114Kr8Osyu9zBZiZY4n0RIY5HlHPHE4OgN4YV0d5p8Nws+wPL3WgZqOGE60xRAe GMOlc01YdcaP0b4wZhWx77V3wBDgLwoB/liSpgxhBOr2pyRn14PVWDRrFm/Alz3Dhq0aApySY8eO 4Z77voVnFj5oO9zZjgCT/HDOA/jWt76Fs2fP3jkBvtqDpR/OwZZ9Z5hSHsXVwX5GojqQuHoNVRWF WLX/onZfAkVzZmLfkTr2MRjEtoVzkLc2D4uyCuAaHEWdDQHuqj+BRSt28t/l65Yie8k8zF6yG7FI B/JWLMDRzgF4Wy8jb9l8rMhbhxXLl2Lj4Qb4GAGeP3sOlq8pRF7OUizL3YnoyHiPqPvMdsyevzc1 9HmoP4xdeVnIXrMO6/OWI2ttMULJAUmAGVEe6Edp4XKs2XkIg6PsI7QxF8tzVmN97nxkrdsNT6AF S2d8iKUrV2FdQS5mzVqMoxdbxw/9+RQEeNuBSgyM0hDwCHav28A+oFdYXqtx4sxx5C5fjctONyPA Wdiw/xQqD+xC/u4z6GssxvaSC7wcV3YuRunJWuzetBJbDp/B/i2FWFx0FsGWI8gv2ooLZ44ga2EW qq40YfPa5dh/8ix2bNqIY84+XDm6ATkbNuP8FfdnRoDbzhdg4coidNTtxTPPvoCiXSVY8It3kVtx CetyZmLe6gIcO1uHXRtXI29XKbZtyMWq3UfgurwZr775NrYcPIvu6nWYs6wQrp46zHr/DWxl79KC GbNR3tSNfZuzsHb7HuzYnI31uysQDBsCbMSIESNG7pQAb0FB/hJsL2c2zZAPOXNmYTWz12qb3RgJ NWDDpm24dP4wlmTlodXjRPH6Fdhx+CyKN6zCvE3nEGo/j407S1B7vgL5G3bB0yc6y+OeFqxfv4v9 HsGOFYtx3NGJeM02bN20GatzVqAx2YfSrauRVbQfvkgcFTuZvbH7EE5V7kPeliPoHxLpkF1Jo8Xs 
CDCdVzYfJ8B71mDtjjKcPXYQeUWlOF+8EnmbT6E/0oSseQvhiKftp9GBPmTtcuC8N4RF29rQHh9B oK4ZS476uI1xZk89cg534nlGkOdWuhmJJwJ8BXknurFsdxPmnAjiQEkD9tTHeHrFJQ6ccPYZAvyF IMC3R7F51gy88MILmfL883jp5bdw6EInbt7+ZF7l694yfPWrX+Wy80rUsFVDgMX82eFhvPnmm/j2 E/fi1R2P3hEBJm/xvQ/ew4fGEJ47IsDU61lTgYUzP2QK9QMsLyhBT0jMLblUkY/8QzUZQ6eLF8zE /sNXOAHeumgRTta3Ii97EXK3V6O+8uA4AhztacHqBSvgG/Vh5cK1qL1YgY9mzsLFqvNYMS8H7qsD OLEvD8u3neNlbz53GHNnF6KZEeDFeXvQOziCgbAHRTnzUdIcm5IAh+t2YmHhTgR7hzHcG8WuNYuw /bKbE+AFa4pRd6IAsxevgsOZwHDnAcxeugZNPTFe/xuXLMIlxzks/HAWjteL+T2Xty3ApgPsgzR6 9wnw6GAcZVu34uKOLMyes4h9bAsZ4Z6JrYeqGQHejr7hq+j3tWIdI5Ph5u3YXnyef5xqty/E9p1l yFm+hQ87ijSdRdaWs6jdlY3KU038mZ7dlouDrO3N+Wgu1m/agCVLFmLRriZcPrIdtfXOuzoE2kqA W86sxYKc9YwA78LLrxRxr21rxXy8/jb7+DNDwtHqZPHC6GptYCS+EMuXzsOidbvRU52PBQsP8jnD 3RcL2bPJQ035Kvzwhy9j+YqleOml5zFrWxUzPpbjxXeXoPTkRfR4A8YDbMSIESNG7pgAl+3ZhlpX HfLXbUTT+X2YsfosTpRtQW2TG6NXh1F3/jh2lWzF4jnzcfzMaWQt3cG+uWNoPnkECxgBvrh1EZZl rcTGjfmYtTgXtZ3SRhkMonjjRjh6LmLRzNlYvf8EThfMxMGTl7A2Zxla+kdw8WQJNp7qwNhwAhW7 dsIbSmIg4sHWrbuQ6BceabJJs7KybAnwihUruO2qhkAf27Md3e4IRnrD2F1QABfLe+mKHJxkpHru 2mMZ2P09Yby6sQXJkVEU7WjAoY4kAg1NWFwpCPCp3fUoqHFi5uYGbG3rx1AoyAhwM7ezPHUefLe4 CyXb6rGbEWCyN7YZAvxFIsBDWPTkYymiaifPzctHd/TOPbjX/eWpNErqYoatGgKcUnTUo/ftJ+7h w5rvhAC/XPQo7nvoW1jECCnhsM1j9CpGro5mEOCjRIBHh9A/MIDeWAD1l05j+8Y8LMzegPAII8Dl a5FfcTmDAO9kBHifIsALF+JkQxCx1tNYzn6vW5uHj+ZlEuCRBFPoa7Owrngdshkx9ff6sXrODGTn rMKitYdlz+UqfDh/CVZkZyObybLl+TjXfgpr9hzjc4DHBkIoKcrG1ivhKQlw58lC5BWXITHM7htO 4vCuVdh0vhs+RoBnz5iJWR9+gDWF5ZyA9rftwQcfzcKS5SzfnBxkLV+Jk01nMI99sKp8QykCvPnA UR7/bhHgrfsOoZcRbm9bNdblb0I9q+fFDHNDWyeaWJty+93YuXEd2oJ9iLsbsGbVdsRbdmLjtiMY GOrF0bXzsHN3BVZmrUeAfShd1ZVYVnQW9XtzsP/oFVwdSqC0IAfl+/bw4e1VrV1oZe21IzzICXD1 XSfAc3GmO4BgIIBAIKQR4N144ZWl6PT4cGnHArz+4VasYQT4CiPAAWcTsue8hx2VF3CoeD0WrhcE eB4jwEGNANceycczz76FU7V1qD5/AQ2dTlSdrMS5sydQuPw9LC4sZoaDIcBGjBgxYuROCfAWXOkf xNmS1Vg4NwvnQkM4XLiCEWAPPKfzsYp9X5odF7GcCPCFc4yMbkR0YAT1Rw9iPiPANbuzUbS7HB0d 
nWhuakViUNlYI6gp246Zs9/HvjNXsLlwJebMXIF2b2eKAF84sQfrjzULArxzO1zBBCPAXmzbupcR 4LQjg2zSTZs2pTzBdNzIyDXZqakdLsiO2rsRl5rdGIwzm4vZFe5IL85uX46Zc5bhaEc0A/upMy34 RXEHlh7qxpySFnxU7kaksRmzy10YGOzHrq11WF/jwgxGgDc1JyUBbuLru/gYAf5ecTfOVDqwuSrE yt+P1dscOOPuNwT4C0eA738fp2tqUMPk3LFDePvxb6QI7CNvLkLf6E1DgA0BvitDoCsrK/kQ6KcX 3OEQ6FliCPTFixcnTNt7aT+27ixFL//fj1VzFjJS4cRQ1zFs3LEX3l6x2FS0uwGr5s1hH4VrqD+9 C/NX7sKQIkThBixg5LDsTDufA6wIMCn7y4doLs0HeH9+JgG+NtqHQzvWccVdtPsMhsZGUbtzKf9/ 0/HGFAFeufciAqyu/VyicHafQs6mMj4U6GqfH8Xrl02LAPsuFSF78z72kRrlHtbSzVnYfN7FPcDz V2xH86VizJqXjZo2HyfAcxkhu9zqlvmG0NvXIQiwnM9y9wnwJSxduBj5+flYvSoPZ5tcGO4L4cCG XKzJL8CqFWvR6g9g54blWLoiD2tyc1F85ArG+jtQmLMQa9fmYemsWSg/34wjO/OwYk0+Vi5ZiLkb ziDqvoyCVdkoWJuL+XOX43xDN07tWIucvALkrcpHTfAqLlcyAtxwdwnw2oUf4pfvz8CHtLjX3CI4 zm9kBFgMgf7BD3+Id957H6+/8A4OXmpEPsN0pc2JkK8TG5fMxXszPsSvfvU23lu1UxDgxYIAu6qL GAEuRI+7E1uz38c7LN57b8/BxQ4fDm9diRkfUC/4O8jfewoBMwTaiBEjRox8AgJcHRuEy3EOuQX7 MTJ2DYc3rEJtsweJllIsW5SFvPw8zJk9D+fanTi0ZSX/nuYsWcDnAMfdzdhcsAaF6wqxeft+hAa1 BS87z7Jv1AJ09A2jav8GzF13DkOJLuSvzEbLwBg6a45heVYOznQFULGLEeCQPQHmdhmzR4uKioTd xMgw/Z+xxaO0oxYtX4n8vNUoKjmBPmY7+dvPYWn2VkT69fVhGGHd1IQLbmbjMDu4LxTFLzc70B72 46MNDXhzuwMv59RhW10ApXsc+OmOdtS2e8cR4IArgFlbm/DWTgc+KHUiOjRqCPAXjgD/sBA3Mi6O oWj+T/Ff/5pI7NdQWN2TcfXWtSG0O2px7tw5JhdQ29CB4bEbtgR4R5UTzfV1Mu45dPsS0EsacHdx suXyhjLyGIgF0MjON7W7M+Yk///svXdwW0fY7vfPnckkky+TySSZ/JO5KZNy891k7r3qklUtWV22 imVZkiVb3WqukmVZVu+F6hLF3nsnxSb23gmSIEESJMEKECRAAEQh+pM9ByBAUFSxTfnK9vvMPCPh cM+e3T0F54d9d9cwOoyq0lIU5rH8yqrRr9BgTNmD+tp6NHeNTMjbBkW/GKUFxfxxqxtaobPY0Nkm QqOgEQp2E7tpkkvbgdJSRxmLiisgGVBMHCwNSXs7Ghsa0TeoZDdwJwOxIlRWt8BiJwD+rbNA79y5 Ex/v/QiHQhy9wJfSj6GkIwtB5XdR31fG1ym7Jd49CVbgBqzf+RF279792nylZQk4e+4Cop7nIDH4 Ds7fuI+67hEYlU24fvYs7gVGoKahDjF+D9jD/jF6OFjraoL3rfM4ey8YBfnZuHP1Mq7eegqJxtEb 7AZgI1SDPQi4cxY/nZ0EwMzNWdH8gzu50pF2tCONAcxFFLZK+MkYBEXPceHns4jJL0dWXBCu+uXy Y4DPnToF79QcZCX44+yZq2gc0b4RgFXDInj9ehYBKfkoeh6EX8/cRYtM4RgDfM8xCVZ+6A1ceBTD 
viC68YjV/XF4Ahqri/H44VM0t9e+UwB+9ZfxGPRTTGKmH3UvMWDgJ/5yf8lo1QpI5eyez07ArfBS jBn0/LWrUEjgf/0Oyp3hWGMsX4Pht0/kNV3rAA/09UHK7qUpZ3uWvF0I8wC7D6VSqetzX58Ekj6a BZpMJpPJ72olBAP77vRciULL3hU9lm7k3iPfegJST+s0b78qhVqtRmxsLP/v6/PUuJadbC6JR3BG IXtveMtZqtn7sHbSu4JWpXnNsk5ajIyo37oOBMB/NQBePxmAAZ20CWtXLOb/Pm9XKEzjADrUhm8O fYEl82e7w6XnLMauH69jyAnB4wC8lHntxk2YP2uWK+3SVZ8gtNINu3dPfor58+fj2MX7mDjkONP3 Juaw7fNW/witi1PluLR344Qw7ZlYs3ErdmxeiTmz5mD53lRnPexoSfPHprXLXGnnLFiMz3d/heVL F2H+gmWIzpW4jtWa+xgb13zoznfmLHy0diMuxQjA9X3bzVr88s1XmD9vPlav34xP16/g03285Tp0 NgLg3wrA3ERYqz/+CF89XMcD7p2cUxDJBFDpFRjU9KNSko/TyV+5AHj37bWs3Ve+tvd3PCSnsSQb 8XGxiI1PREWjexZghUSIzJRExLHyJqSko3HCVPqDYiESE+MRGxOLpNQ89Kjc+ZVnZKClW+H63Cao QHJ6xUvT4av6mlkeiZCoHA9WvU6GnPRc9MudY0Z0StQUZCEuLo61WxKKG7swLBMhneWfkpzIHvpx KKpvhWFsivWMW6uQmlnrnqRqTA+JsBJJ4/Vs6IR+jFuPWISMghqM6gxQyLqQnZLMwJgBXqcAqQnx /LEz8sogV/YiIyUVHUOOL6buykyU1Qn5X4bfry9nA5oLXiAsOAhhkfHsGlFAo5AhIyoMQYEhSGd1 GTH80S//6QHg98H0Mkcmk8nkf4pl9bkIjohHi2TovSkTAfDfAIBh0+HShrXOEOnL0NgdE2fd/v5T x7a5i7Bj9x58ueNTzJ41k9+26lwCjHbPHuAZcz7A1p1fYu+X2zHLmY5zqWSUP4zXDw6g/fqilwcA Zzy95kj74bfg+2otWjzcPwF8N3+OA/v2YMWyha48F+5IgpUDcFUHdq12pl2wFLv2HsDuHZvdZZq9 CNFZXTwoiwuDXdvnrtiMffv3YdMqB/jPXrQCzxulPACf+maXK92sWbOx4qOPsO9MHmwUAv2bAZg7 9oEDB7Dp6EoecI9Gb8SppC9xMf0IzqUdwjexn3qEP39yaCWOHDnylpNfGTHG6jwVSHI9kFwP49jY 1OvecW019o4fjvwxxsamPPbvyett9xu/Fv56IVwGjGrUDOr1rnOj12mhVo96/kJNAEwvRGQymUz+ x9jA3gU0o9r3qkwEwH8HAGZbkr9b74S+3ZBaAHmtH+Y7IfDY5XhoDCZ+cHvIiU+c6RahtN/gAcDf XI+AUsu2GUZREn/btf3c4wQ+XPltAXi4xZ3n7BWn0a7QwGo2orks+iUAros64OzJnYuLPunQm6zQ jyqQ7Pu9BwBbTTpcOPaZY9uyA6jpHobZYkZ/cwk+XzmXbZ+Fk08TJwHwJ0gpqkd3Tw8G5FrYCYB/ MwBzZQoODsZHq5Zj77N1OBi84ZXe670OH61egYSEBHrgk99B+BcBMJlMJpPJZAJgAmDHSF/k/rLB BcAyixWZR9e6YNMvtxHt7e3MYogyH7i2B1QPek6CVa+YOIIXP61bwG8/dPYWrPa3B+C66HvOPOcj sc0wgQSVOOwBwGN4ttXxecGi9egYcU/gpVXUY+0EAB4b6cfepY6028/ch5ivTzvamhvw7V5Hj/Ga M34eALzlbCBNgvUHAZizUCjEtm3bsGbLCqz/4qNXevXmFfjyyy8hFovp4UomACYAJpPJZDKZAJgA 
+F2FQOtxZ9taFwD3m7S49ekqF9jOW7gUy5YtY/4QS+a6x/hGTAbgSbNA3/vRAbwbj16EmRHw2wJw 2qPLzpDm/ZBOrKplyBOArUM45Py8eIMPdBPSagerPAB4VFaHT+aMh2ovwId8fZiXLsPcWY7tmwmA 3wkAc+DBLXDOrfP2JnPH59LTw5VMAEwATCaTyWQyATAB8DsBYNuYHMfXrXT8fYMfxmxaXN88DsAL sGvPPuzb97ITmodfC8DeF/fz29d+fd4TgC+8HoBTHzoB+KNj8FiZeDIAW+Q46Py8ZG+MR70mA7CG AfCG2c4xxR9vwYEp6nP8WTIB8DsAYDKZAJgAmEwmk8lkAmAC4PcGgNsK47B0jmOm5623X4AhFp4f HO8RnoeyntEpT76VUeyrQ6CBqwcdawzv/+UWSwt4nXKMwd307WVYJ9Qh4+lNDwCuCLjlzPNDVKgn AvCkEGj7KO44w5oXLt4FmXEiAAs8ANig7MOexQ4APvU4CqYp6mOyWAmACYDJBMAEwGQymUwmkwmA /zYAvPUe1E5YGlUrUFeQhh1OiFyw9FMIBjSONXsLHmK2EzYP/BSGYa2RIzEYDVoIq8tQ0aV+aR3g b+8mQa03w2oZQ0tuKBY7t/9w05/v8fXzOuFIu/ZLNPePMIizYFQxgF+/+8oDgLvzQ1x5rjsRDJlG DxtLK65ImzQJlhXZv67jP8+cMx9PU6phYoBo0qmQGXDRcxIs4yhOH3TODr1gD3IaevheaTsDSaVU gpyMbAzrCIAJgMkEwATAZDKZTCaTCYD/PgA8exm2fPYZtm7dis2bPsb8Oe41fu+nVPK9uo59DLh2 xAGXM2bNxydbtmHnzp3YtnULli6ajw9Wn8GQyROAZ81biM1bP8f27Z9hyYT1gJPqZXyWlVEPMGum c43gtRtZuu3Y/MkazBpfssgJwDbTIL5xrdM7E+s2bcWOHZ9jxdJFL80CzYU6rx8fq7zkQ3y+Ywe2 fboJc6ZYBqk5y9u9VvDCVfh8+w7sZGX4ZO1HmMnShWQ0EgATAJMJgAmAyWQymUwmEwD/tQFYywD4 E/fauBO8YNlK7N73DXJqJS/tphloxk/f7MGSeZ77LPpoAw4fvwvZmJUB8Hiv7Ers3b3DtU4wPzHV ivW4HFvHg6pjri0pvj+6D4vnuvOat3wzDuzZ7hzz+x10zrTG4QYc3fbxhOPOxKoNm7Cc22cCAMNu RVb4E2z8cO6EtX8X4/MvtmGZBwA7ZruuT3mAT9ct82yHOQuxaecBJBU1ewDwtvPBBMAEwGQCYAJg MplMJpPJBMB/KQCGDfKuTohEopfc0dMP3ZjplXtajVqIRfXIzy9CRUUpamoE6OqXw+Isg92kcebV D4NOg7amOhQVFSCvqAgdfYOYXFS7WY/2ploesErLqyDuVcBoUDvy6Oj3WGtXr5KjoaaIn0G4uKIW A9JmbJ3QA+way2y3YKinDWUl+Shi8FbXJEZ/d44LgCNcAMyltUEp62GwV4Ty8lKUlJSgqUWM4VG9 49js7wN93Xx5umVKAmACYPLfyNx98ncwnUsymUwmkwmACYD/ZrLbzajOyUNHvwyaUS10agWyw2+6 em03PahkWO+QQtSI3KIaSIeUfC+PVNKCR6cc431nLViC1IbBv3hbvF8A/OTJE4yMjJDJZDKZTCaT yf8oK5VKrFmzhgCYAHj6ZdMIsHrGbCxftQafbNyITZ+sxwLXGsQ70KR19v/arYi4/jNmzpyP1es2 YPOmTVizYokLlJcuvwal2UYAPI0A7OvrCxKJRCKRSCQS6Z+oTz75hACYAHj6ZezNxs6tG/nxvq6x unMX4vOvDiEuq2UCKVsQ7XcNG1Ytd81azXn2klU4ePQmJNq/Q284ATCJRCKRSCQSiUQATAD8N5Yd 
oyMKdInFaGoSQNDQgBZxF9S6MUyuvdU8hiFZP9pamyEQsLRNTejslcFotv49WoIAmEQikUgkEolE IgAmACb9E0QATCKRSCQSiUQiEQATAJMIgAmASSQSiUQikUgkAmACYBIBMAEwiUQikUgkEolEAPwP A2AOhsh/XavVapc5qJ04DTsHt5zlcjkPuTKZjAfd/v5+HnYlEgm6urogFovR2trKA69QKERDQwNq a2tRVVXFQy+3HjK33vKLFy+QmZmJtLQ0JCUlIS4uDpGRkQgLC0NwcDD8/f35ZZBIJBKJRCKRSCQC YAJg6gEmTbuoB5hEIpFIJBKJRCIAJgAmEQATAJNIJBKJRCKRSATABMAkAmACYBKJRCKRSCQSiQCY AJhEAEwATCKRSCQSiUQiEQATAJMIgN8vALZjZKATDXV1EFRWQabQOTbbLJB2iiDgyl7XAJXe+v6c NLMaTRUVELA2bWqT0kVMIpFIJBKJRABMAEwATPqnArCd1cPAysqVd2zM8obEFqQEXsKK5cux/MO1 eBjaCBu32axFoNdPWM62r/p0NzJFyveHf/tysWLZMlbeD7HiU38Y6DImkUgkEolEIgAmACYAJv0z Abi3MRNrZ8zADOY9P+XA/LrENivivc9izuzZmDN/MW6HuQH4yc1v+TwWrt6M7Jb3B4BNvfmYN3Mm 5syZhXmf+hEAk0gkEolEIhEAEwATAJP+qQDcxwB4vROA914qgPX1DYCupgrERkYiJi4SDV1K2N9z ALbqZUgICWFtFo6EgmZY6TImkUgkEolEIgAmACYAJhEA7z1T8LsA8X0GYBKJRCKRSCQSATABMAEw iQD4dwCwHerBfrQ0CdEsbIBMbXgZgNdsRlq9BC0NApSUlPCubeiE1mxz52I1QdIuRnNzMzq7BqBX y1FbW8HSVmJoVO86lkGtQEt9Dcqc+ZSV16KrfwjWSbfdiLwfQlYmoUCEUe0oWlvqWfpStLG8baxs bfVNfHmbe4Yw+Y61mcfQLxaivLzEWd4KtLL9TBbbS3Uf0yggbKx11auiogbi/kGYrG/7HLDDYjbD YrXRzUT6vU8hxzVkoVgGEolEIpEIgAmASQTA7xaA7Vak+VzGsg8WYcnixbgX1/zSGOClCxfjq68P Yem8ufxn3vM34OKTEMhGHSOMbbp+/HhwNxYvXoL1H2/HieN7nGnXIlPQwx+nrSwdZ789iOXzZrjz mTUXH2/bh4tPM6GbUKznodewiJVp4ZwP8e0P32HF0g9Y+rk4eysOur5irJz1AZYsnIcle4MxNmE/ s06BuICb+HzNQvcxmFds2IErQdkwTkg73FmBU8cPYuH8eR5p12z7EveiMjFmfgPUmlWoLSlEDjuX uXk1Hnn/55MFzWXFqBSIoDX+eVBuMmihVquhNZg8tus1ClSz8lQ0y6flOHr19OY3WTbnDxlW9u+r vgts7PnAPSt+u6wQVRajtFrI2sk5Mt+iQ0ttBXLZNZSTWw6N0QBhRTHKattgsU7/d5FOPYzq0nfX fiQSiUQiEQATAJMIgN9zALYgxveMA/5mL8KtwIaXAHjmBDic6FmzZuNORLoTgHvxzcFtL6dbcgj1 4hFoZa34cdXcV+bFgfDl1E5XsVJDL7ycZvZiVj4BjAO57m3rfTARuXKCvsec2bOmPMbM2XOxL7HD Ca8SHPpg/tRl4eo2Zy4Cy3pfCzOC/Az4PHsGH59nCEkqxx9/chiRHRaIwMBXORSNQ9o35pEZ+Ayh SVkY0lnePW7rhpGbHI2AgAD4+/vz/8aml2LE4Ljqhvs7EMa1UUrTtBxvuG88P+G010U72IOUyGDE l4sQz9o7NK3qpTQaiQgxYcGISyqE/nec31R2rTwLS4V8hIu0sEPSVI0gXx/+GgqKyYLOMIpELk1U 
Dozm6e8RHuoVI/QdtR+JRCKRSATABMAkAuC/JABPngSLg9NP9v2K8pYeaBT98Ln9E2bPckLm5hNQ WSYD8Hxs2b4Hj73DEBqdjkH2si8uCXLB5eZDVyEZ0sNsGEH8vaNYOMs5Y/Xxe1BZJwPwTKxYtQVX bz1FWHg4KhulrwTgscFibBjf/sFG3Euohko7gpr4e1i3ZA6/fcHCL9E6aoGs/Ikrjw0/PcKg1gKb WYeKkHPuvLeFv7pX1zqKnOdx8PUPhmhIP01Xo5mH6owMh2OCfeHjH4KU1OfObTno1Yy9NwBsNetR khGDZz5BSMnIQmFhIbKeJyKAAVxcdgXGLDbYTEbI+/owpDZNzzGnOb+J6moqhJ9vKMRqG0pTQ/Hs WRgkBpvHvdJSnQc/BpDp1X2/6xi6oQEMyBSO3l27GQ1VL+DzzBcVvaNuyB4cgEyuxh/9KrKOtCEs 2B+J6ZWwTG4/jZke/iQSiUQiACYAJgAmACYAngqA5y3/GHHshX/8zrDoBnBu9Qcu2E3tMXgA8JJP 9qNM5BliqRls5euanPwcVV1q13a5qBx7ljvKuv3gSfTrrR4APGvOPNyPr4fZ5r4vTVMCMIOWy1+4 tn/tWzuh3lZE3jrMb589/wOECRToy73tSrvrZjJcrGhRIYqBdjhvwSvbbqCjHnFRofD1C0SJQAiZ ZnwxJhuGe9pQXlqK0rJKNHdPbAcbulub0Muul46mWpRX1WNk9NWB08LnQfCLSIdSMzmNHZqhPlSV l7FjlKOhrQc213NrEgDbWXn6u9AoaES/2lVJ9LUK+HHYpeU1kKmME8onRL9CCam4ia9DRU0j/wPH VBrTDSPWnx0rtRpjNtfFgdqsCDzzjYFyjN0/Bh3ahU0Qy9yLVdmtajRWV6C0tByN7QOQ9ksgkjja SaschLCpFSrDKFrq2T1TUopGVr/xaG6TfmJ+doxIuyFoEkOhGoKgupKlL0dbrxyWiY9xmxYttZUo KSlDXUs3FEP9EIl7YbVNTGRBQXwgwtLKWCvYIRGW8SCfWN7vvoqMOhSlhDEwjkCvC4wt6BbVO9uy FnIXmFshEbG2HB6CuKGab0eN3oRBcQua23v48HpFTwsy02IZAPshr74JPTIluCL1tzVD1CVjzyPX HYeB9kaU88eognhA5XEtaJUy1Fay9mTPl/qWTpgsVpiNeogqcxDo74PwqFQIWrrYPWRj7adFG2u/ jsEJ58NuQntjLcrY+eauSbna/Tcu76amNowYNGh2no+mdvf5IJFIJBKJAJgAmEQA/LcD4KlmgW6P Pu4CyPAGjQcAr/zyBFoHp+4VNenkqCnMRlx8DHM8HnqddOXz6f6jkDh7psYBePa8BQirHPTMY0oA tiDrxEfucOeNh3H29Gmc5n0eny+Z6czvA4Sy/PQ9LyaEPM/EwiXLcM8vAnXt3TC9+aJBUfQzBkJu l0ikPPR0NhQj0Hfi33yQVCB0ngMDkvzYNh8f/m+BMcnoU429BoCDpwRg9WAzIvw8j++fWO5c79kT gM0mKTu/XJoAtGsdZShNj/bcNyQa7QOal8o3bl8Gs8NTQPCYdgjRXN7huR5tZlBL0dLaBaPV5giB ZiDpNx4CbR5C3KT8OfvFVfEw1yWoQqAPF1Y+MY0/CgXtPBy68xPy7V2fm8Gn8UwfhPq+YSeHqvEi JsLjWFy4sW9ULoymCXfGqAC+rI2qxI6eXf1gFxLC/BEYnIrxn2v0o10IZ/uHZo6Hc+tRmBzmkXdA eDwkci3/twRfd1sGxWdAzp4dqax9fZ0h0IJEzzbIYPBpthuQyKUZD4G2j6E+P40PtXel9fFFQU0n P1TBONKCEJ9JbZlQjhFFL19W9/YoKE1mDPWJEepqP659lHgeNOl8hyZgYETLn4+O+gr+h4DJ56O4 
oQPEwCQSiUQiACYAJhEA/2MAWPbiigsgD4SL3gjAo0OduH/+CD6YN+uV427/EABbhnDqow9fmbdr bC8DYP8KKZ9PY9wNfPnZOsyd5Zlm8fJNeBiS8doQYj0DjLSESPj5B6FlQAG9kV0vuiEkh/jAPzwB TV1yDPa2IyUyCH5BEWjpHnEApj+Dj8BIFFbWo629E4bXTLQ1JQAzQHoR4Qu/kChUNPdBpehHXkoM D0gF9f3s3DkAOCz5BYZGRlAUF8iHUZe0ynigGRDVINjPB5HJOejqH0RrXSGCGeCkljXAbNM7ysfy Lq/vglzWy4/v5SCuVPjypEk2sxF1+Snw92V1DoxgdapFe0cXhtV6V7SAYqAD4QwEA9Na+B8pRCVZ PETFZxRjQD6ElspChPn7ICCxki9fZ6MDgMMTsiHukaGvtRaRAT4IjC/ggdAzPwbA+Rn8jwwJLL9e 2RA6G0r5/ILTavn8epurEMSAMiw+i69vR0MlIgN94BedO2GMrRmCtFAERCajT+Hs/bTqUJweD1// QDQ4w5P7q5P5cO+GPg6JbehpLON/7IhJK0D3wCBE1XkIYm2VXi1iR2YAzLVlUBSKqwWsXbphtBjw nJ0bv/A0DKkMMKqHUZaXwodA1zFg1+rGuHnSkRzA0kTnwcTKpxxoY/V/huD45+iQKdDf0YRo9jko jgG1xoSWzFAEhkajRtSDEeUAXqQ6roXqfgOGO6oRHOiLmKQCyJSj/DNuuF+MMK79nouc5yODP79J L8oxrBqBqKoAoaz9QlOqWOsyABY4ADgi8QU6PM5H4RSzqpNIJBKJRABMADxNgDad6UgEwNMBwNJs 91jZwwkdbwBgC1LOuyfIWr7qIELjU/HixQsk+t3FxrnTAMB2Lfy2r3BuX4JbfuGIZ20aM9lxCWgc 1DnPvQ3y7hbkpibA++Z17N60FrNcILwYux8VvrrdbBrkPo+Df0A4Bp3DKdU9pfBlMJMnkrqSjYjy GaD5obC+FVa7A4CjXtRMCr99ewC2KBvhx4AvtUTgCgvX9jbAj0FoYkYR9DYHAPuHRyMjNZHvLUzL r8MYB3s2EwSlz3lASsqrgKCujl2flTwAByUUYsyk5csXnVvnKl9/bQEPmEUC6ZRlNOo1kAhrEBsR 4uilZMeLjEuDsHuQ7yH0AFbrKAoy4uHj4482haNOVgbRudH+LwFwgdg9JrYyIdABrKapAdiHHVPQ 77jeuDGujvyq+DG2TZVZDsCUusN6KxMDPQDYqupACGu/5KwKGCbcLMMthXx9csqFsNg1eB7si6D4 bIzo2RVnNaCqIIWH+dT8SW2ZXAab3QHAMfmNE1vLA4C58jVWZfM9zxLXKfYE4O6GF3yIdPWQO1JA Wl+CwrJ6qLQm6BQy9PSw506XBF3dXSjLT2f5PUNxlw5mhXMMcJp7DPBEALYZR5CdEg1fvyB0qp2z uVtMKM+MYvUOw4DJDcCFE85HRUIA/GO48hEAk0gkEokA+B8JwGN6FTp7e3j44Sxh/zdN2+ydJlzd 9RmqFfo3pruw83M0/gmzvhIA/8UA+NdpAOA1W5DZqp64E0rufuyC0LjWsdcDsKkbu8fBcubHaBye ABmtpdi3cnpCoNMPrHJtf1IqfXlWZu48O++XTqGAPyfVdY3QuZbuMaG9NGACBB9Ar/l1ABzrAGDn 7sMNzxk4hEOs0HjUPYgBZE5NM4MoBwDH5Nf/bgA2dBaxYwSivKnLHYJqliPc3w/x6bkYtToAmOvV 48JWffwCUNupdp7qMVS9iHGGNfvBz2+CY3JhMI06ylcgcK3LLBMUvhqAnffMeE3MDIarc5Phx4XL hqZCbzR7AKtVO4jMhFD4+IZB5nxUcQCcHxvwEgAXSdyLYtUkB70RgBtkY5Pyq2LXMIPU7Gg+JFoy 
IUbblZ/zOd1dnc/De1nbiGf9rHJEcL2faUVQSqpZPr54Ud4AM6uwzTiKkoyoqdsytpABsI4H4LiS 5rcD4LGpAVhckciOEY5u01TXix0jbUXs+nrGtwF3bF9fR6hyscQBwKFBDIBTpwZg66gM6fGh8AvM gAtv7Va01OXxZeo0uAG4eML5qGbtRwBMIpFIJALgfzAAV2UGYf6iTTjxyy/4+eef8fPp2+h/41Il bw/Av2xajZoh3RvSGXHy47Vo0hIAEwB7AvDuc2lQabXQTmGjyfJ2s0DPW4qfHiVDrh5jbWOCuCwN 68fXBJ67GiXD5jcC8J5xqFz4FYSDalisFqgGJQi4dhILpmUMMCAte4Z549sXfY/s2i5HmCY7n0qZ hMFXLPI7tNyU1Xh6bLczj3UIzqrDeDSnYaQJW1wA/A36rG8PwKrOfL63rlyicP9A1lPF90Dm1Ytc PcB/BIDN8mq+lzmrqtk10ZNpqA0Bfr5IyCiA1tkDHBybiprKAvgzGIpMzMaw1sjYxojaoiQH0HKT T7FrdsBp+bCG77X8LQCs7a1HdmYu+lSezydxcRw/TrRJNeYBrLYxBbJTIhkAB6FvzP7uAZirb2Gi Y/yzzj4lANuMKuSnx+BZUNKUk311FUbBJzASabHh8A0IgUDimIDKzs0YnpvAQ3GpeFJbKjic1E8L AHfVZfARBA2jbtjUyXvR1TOAMV0/Qtj5DY6IQ7WwE3K5DLUlL/hZqj0A+FU9wIZhZCWzZ45fGPr1 dif/mlGXz10jIeg2EwCTSCQSiQCYAHgK1WeGYuFOH4w5wYmzaagWP317AhFPf8GyVZ8irs65nqh+ AJePbMGyZZsQm9vC9+D01KZjw5qV+Gzvd+hwzsZqkgtxZPM6HD/7Kz6c5QRgqx4Z935m+67BueA8 fnkW02AjDm1ah28vnMeyWQTABMAvA/DCZZ9g15dfYvfu3S/ZJ73i7QCYA9GFH2L7rj3Yf2AfPlmx zLWe72c/P+UB9LUAbNfC6zP3GNuPP9/F8tmPLz7f5AZWHoCPMwC2/m4AhlWLB9+7e6YXr9yEffsP 4NCBA9i5bTM+mD8Hq3fcw7DJju7cp650i1Z/gkNHj/MTZu3buQVznNuXfJOIVy4WMwUAj432IoLB RXBMDpTc0lCGEeQlRuKZfyjq22X8+M4/CsCwKRHH8ggMT0Gf1sxOnwGCQsd6xJllbeyZMj4JVjaG tHp0lHJh0H5IyudAzAaxoJQHmoTceow/Lvo7GtEnVWN8jPJbA/CQgAfsiLRCKE1OGDKPID8h0LGE kM7oCax2A8qzU/j88ms7+J5UvVTEjyl9FwDM/V1UW8ADYXJeA7iJm80j3YgN9HUBsErWiWj2ObFu cOqfFtXt/KRbXK9qCANXhcU9M3NLFcubGz9d2ATn5OXobW+CdGj6AHiwp54Pqw7PqILOxvU8K5Ed HoSgqHTIpO0IZOWKzSzEKGt/g7ofmXHh/LXAA/BwKwNgP0Sza8F5W3mOAbYbUfUihQ/zzqsWg+tk Ngy2IirQD75R7PggACaRSCQSATAB8KsAeNkXeOobCD/2YhH9PAeankwGDCvx6+1A3P3lEObPOoR+ nQzfr1mBnT9cRrj3Faxd9hmaRIXYtHg1zj0Kx/0zBzF3xTfoU/Tg62WLsfW7K/C9fQmr5zoAuCDC C3PWHsD9Z4+xbe4c3A5IwFcL5mH7j9fhd+sCVs4hACYAdr6EN2Zh7Rsmg+J8KSKTB+BY319dAHw9 uJEPmZ4IwLNnf4ClSxZh5syZE/afhZWff43i9iEHl00A4FVfnUDbpEmwuqrisGThfBc4O5Y4mo8N qz/H+iWO3uSlWw+gokfrBOCLLgAOr5oEwNJcd5jyRl9MPJJW3oozRz7D/NkzPes7cxbmfbAI6z4+ 
wiMiUdMpgWY4F2vXPYFOM4lnSY/Qq/jfvxc8Pj6OhIQEFBUVCXHFY5Iv78Dbyd3dXYhHYwDsZu+H SVYQTww2w87aEU2tuVi1bjd65Toox9pwxc0RHb2N8PNPgoxBUV6AJ26X9aM4NRjBD7Iwo5HA69Bp 1EqUmJ2Rwf/kPny13pcA+G8C4MV8/eDBg8U/o3auwB6peg5xVfeSvuQzzb6r9+RjePYoAeHhEajq 4B7Lx/K1fnjyMA5hD3MwpWX7TA0jIT4W0fcS0DU6t7yPqCJb8GpqYQs0qkE4WiUIyyB11peivKXH ZGKD31Xia6cv1ocajRkGwFbm9hhV6aCS9cHRwhKvGwrx9derIJJpoRrvhpvVKTSLOxEemoQJVkhX xIchOLMaoqJoeAYlQKMew9Wtu5Hfx2sPOaKtj+KrNc4EwH8DAFtZWQm5nV/g4PvzHMrh9/Dhw8Lr i0KoSsN8NI2+opcY7xpZ0p+GBReoVKNdiI6KREx8MrokU9D0PsRRiyDcvxeFiOdvoGTNrZR0CF5M TM3CuFLLYFuNkpdPhNfyavqgmajDxnUJ0OrVKM3NRuuY0mQAmF/Ib2trE7zJL+5zb545c8Z4jcQB ePNxDCqZN6cG4LZ3B55Vv8H6NVvROKGBRiaGp/UJ1A0OIDEuGWOaWbRmpSAoMROypgewcgmGXDUO 319WIlU0yU6owCOnk/hqxQUCYAJgAmASAfC/BYD5QvF8DctNmzYJj9jy5GBhYSH8TUZjvacQtTsu ovp6kgDAsqZqNDq4o3a7E8TtIxA/TkTtWSc0eCZCOT33DK1B3oPzlhZ4XN6E+35ecH5eh/q8EFxw v4GW5jLY7juFspZG7PxtPbKqahFmb4WnA1rkPgqGb9wTtNbmwMbuKkTtGVi7KwPlT2Jx0PMe1Ib/ /TtOHICDgoKwe/du7N27V1j/l68ryAtsmUxm9DgOwPbnLqG1pwuV2Q9h73QDEnk/HFb/gIsuPigX DUIln4KOxbhaM4Xyl2mwM7+IvG4Z+spfwPKUPZLveODMudtCku9IOwGbS3dw6Ew8TGwZ4P8TAKxl INVy0RPVx+3RXy1mhbQUbdeuoPawE1peiTDd0YQmJw/mXSf0i8bfHZf/JATXYx6jrSGXta8P2tpz 8dPytcipqILv/gPwLexFUuRVhD3LR1VOIoIikzA1kI+jxy/iTV0FrNdvxr3aZjg6PWIAPALHY+dQ JJKYTGy87UM3b978rg+1tLRcsg/lAHxm/1E0sBzRVJyO86cuo0c2CLeV/8EJq8t43dwL1bSMAYsB Gs00Kl9lwOv8JTyp6MF4dxnOm59FbLg3DuzxwoBqBn3ZtjhmcQcXHO9hTE0A/FcD8NmzZ+Hr6yu0 dVJSknBHcefOnUL+N3a8criO5UhrVNsHsjYcg3pMjGYPL9TucUJH3TBGX+ei3sYFdScCIB2au8g0 q51EyHVnxOZVI4/lPPuQR1B2P8buo2dQzrx3adkqpFS1w+XSCaSUNeNpuB/uFTRAXJsCO69ANDaV 4MIec+SzfzfuSkVvSzHO2FyDRGEaY1scHByEu/Vr165FXFwcNmzYgD179kAikRhvZwbAR9ZvRXVH F1pKs2Gx2wLN0mH4716PQyfOIK+2A4qpSWiYN7VaOaqL8hDoYI/YFzWszxXB9sBR3A65ii2rrNEt n8FA0RXs2HUHHtfi0Nw/RQBMAEwATCIA/jcAMB9XyMeSbty4Ef/5z39w7tw54XPzu43GxO8ATw91 oDniKVTSaYy9zEDT7eeYrK7H6JAY7XahEBXVQ9LSyYq3uSvZU6Is7LJNnIMJtRKSMTnqCxIRm9wu PAL94v4Z3E0Owk/f70F4ZBj7HKfgnjWA+NvuKKofFZZUmh6fhLw/Dz/85zfs3X8OFZ1Sk4hNDsC8 
yOJ3mdatW4fvvvtOgF9+94HH1FIAfNZsP24GhcDr9AE4ecRinMWubEqBmvwnOH/6KPY63Me4Vs8g WIGy3BdwOX0GseX9aEyPhpPDLRRk3sHZC+x3vUnHN9+uQl7lKxzZ64/61kGY0hKT/1fuAKumFRjI CkFvRje0482o2XcDg2X1EPeOYqIkF43+TzDOfTr6Pl8lhLghv04y77EJ5rGXWLX9mfAERl/WBey/ Wwxfm8O46hsIf39vnPW9h6bHVjjuVz7XH8hY/zfcA0cra9jtXwGboCLoTCg2QkNDP+hDz58//7t9 KAfgU+t/w41bIbh64RDOnwvAEOtXpxiYNJW8gL31Caw7GQ6JRs9ykBIV+dm4ZncJIVl1EJel4PJZ b2S/iMXxI8dQ8SYXq3/dgOyaUtic8kdZdY9Jff//BADzO8A8xx85cgTffPONcOeX32Xk+duY+B1g 5dQ0OpPuY6xhBKrectRfjsNoZT0GByQQRyWh9WERpPUtrLaYe1hZI+2As08wZAodZvRajEunoOl5 ABu3N8IY4OaETXBLSIH5zgMIuxMJZ2c72N0rRnn8OdxOEwnnUE1IMTlQg43rDuLk/j2Iy2qDqYSH t7c3WltbYWZmhm+//RYnTpwQgIzXXMa92QvL5WtwPTAE120scHSvC3qnlJArtRBV5sHD8Sx+PXIT g4I3Vah+/Qq3PZzh9yAP052ZsD1ij2fP43Fg+zYUvinGvm078aK+Fj6X/ZGR02xy3iQAJgAmEQD/ KwGYF2/8b+afkd+94ONkqqqqhM+2FACrRjrRGv1cAODpoT6IH2eg404QOmLKMSxqhDg8BS1+dzHe OXenST38Bnst3DA8rUVP8SukVvWhPi8BsfEtQjLOuH8JSRmJ+OmHw6jpHUZPWwv6ZQY8inbHk/wW GJRjyEx5gUEG0qu3RCM9xh+OPs9gCtexJyYmBADm4uPM+KQe/M4vjyEeT0sBsIfzLcjZF6xTSHDd 1gGlr5Ph4h0DmZrF9VQ7jm81Q3VzGQIDnmCKxXpJqDeOPaxBRqgD7j5qwCwD42CHI7gX/UCIyeiY IGzZYIHIhEKoTWg52X8CgHnx9nEeampqEsZ+GwNg/vikpDBiDoAnpegvfY2eyBjUXX6OyWExxGlZ 6LwTzLxa9W6Sq9RYdzzKa8KMehyZyc8x0JWNVasfCwAszrLDgfvVuOVqhYdF9Rga6EM386e0+iYO 2kRBrlaiKDgYRW0dcLSLRnd7MZxP2qGua9KkAHhhH8rzAPflUn0oB2AbCxdMCB5S4dZpS2QWPIWV XTCkKh3rY7ux/6dlKGlpQFToI0zqZ1D3MAKnYnNRmWAH/9ASAYzjL/+Gm+GPEBd1B7H3IrHXzAKB kdlQmthSz383ANvY2Aj78TzPn8jhkMUBOD4+fkkA5o9A9z5JFABYLR2BODsXXXfC0Oj1CmN9HRDf e4r22+EYyO0S8qJe3g9PD3c0D0xjvKsZz3MqoeIAbFskAHBrwi54P86Gxf6TKOkeRn93B3pHptGc 7Y6rkS+h004jJyIGTe3l2LgtEhW5SXCyD8GkiTwlwJ/O4O3EhyfwoQq8vfiFY15vLQXAx7eehkTw kBqRh83wIC8LLm7Bwp1zvVKMI8t+Ql5bJ5JiUiBlRNv56jEuBiehO/0SHD2yoNWp8cz+F7gEpbF9 7uBu4j0cP2gBn4BUKEzMmwTABMAkAuB/JQBHRUUJd335I12nTp0S/uXjSjl0LQ3AXWh98AKq8WlI niWiytIe1dvMIcquQZudG6psPVBtcxNTI/MPy85qUZnqg19XrsL6A9YoGZhEfQED4JQ5AM5iAJze Ooaqhx5YsWo1Vq44ghopK2xEhbA8+BvWrF0Hn+Q3mBrMwdq9qdCqRuG/dx+u5f/vLynD444n77ft 
dPr0aeHfGzduLNnvCADsdAvTMxyO5Aj2c0Z5ex9e3LHFSvYdr1r5K64/fM3OP4Ykx0NYuXo11h++ jNoRJYZa83ByzyasXr0Kp72SMa42CL7QTffg9IUEqExsqZB/AoDv37//rs3fbnZ2dkY/xzsAfh2N 3vxuKPsrmSdPoPqYFarvlGI09xGqjtui2uw4OvJ73x0n6XiNk4eYx9asgVdiCWRDuVi1Yw6ABxkA H37UiYGGHOwy24zVqzYjIDqPFXjTiLtylMXRKmy6eAfiKTEcXebGAFc+joHNjVSTiY3F+lAPD48l +1AOwNbHXTAuXIWYxf3Ai3he0YHXiU5C/7d61Qo4xeVCpZHh+fXzgjfX7TuHAtEYa59qXDq0WfDm PusoDCvmvKlXjrC+OwHjKp3J5e+/G4AfPnwo3Onnbc0ff+f/8qdy+AXk3wXgF8kYax3BVFMuqg9c QPW+U6h/VI++8BBUXXBG9RE7DDXNz78xa4CoOB4bNqzF2m0HkfBGBHUvA2CPOQAWMQD2KxpA26to llt5n74bqW96oJL1wNNqD4ujlbDwfYrRsRps3JMIrV6Bh55OsHnYYhJxwS9IfOzNpfrQhQA8op/z ZkbIccTktKA87Srz5irBm9ahT6HUKvAqwlXw5tqdx5Ba1QutohNux7diFfPmRvOb6Jue86ZBO43Q oES09slMzpsEwATAJALg/5l1gGd0egGCF07aoWDfw/SC/0+Pj0PNl0L6eKkddqzB8Hvn13241ABf 2kVHMfqntiGH2UXa5pNlkOiL/8cA+A/3YbxNlaoPfKmZkmNaJoNm/v9K7tPFZpn9HI/p9R8uHcLi x6CboeD4K7z58TJIuk+XQdKTN/8xAP4if/L+VPFh3lTJpjA99X4iSfnEBBTKRVZPYG39u6v2CDFi WBhILEZoOZ4/u07ULdI2H3hT+N7JmwTABMAkAuD/OQB+m8w5CC+1zc5Q8iURAP9dAPwWgn/XlwaC VhIB8N8NwHN58zP8OUP+JBEAEwATAJMIgP+VAEwiEQD/+wCYRCIA/vcCMIlEAEwATABMIgAmACaR CIBJJBIBMIlEAEwATABMIgAmACbNiccjjyE+8QqfDfrtxmcd5fH4xws2HuO6Lyr0+PhsUywQCYBJ xsT7ed53L/Qmn62be3PmCx5n/VJvzn48dwIBMAGwiUssFiM1NfUDb/Ily7g3Db83GcmideKXecyU vUkATABMIgAmACZ9kXiMhYWFCfHE2/XtxtcZ3bZtm9EEw2eB3vP118I6ld//tAyPyzsxw+C3IslD eI1vT8rEbE89ct234Ov518JK+tHXkAlzsx/x9enHmJvOQ4V0Xwvh/RUWQZg2sRqRAJhkTP7+/hCJ RB94kxfZ27dvR319/eIHaTtxaN6bfIvJb4aBebMzw+/da/GFPTzyUBJ47J03/dKrMdFfhtO7f8a3 lnHzy8CpkRdqI7z/yyEvSDQGk2sDAmDSYuJrqfMlqhZ6s7u7W1gXOD8/34g3e3H8q/fevPWilmXI WfS9Cn/3WviLRp5hUXPX8d1rbveyoJtuh9W+5fjO/Na8N7UoifcS3l+2yxYtEjkBMAEwATCJAJgA mPQ5Gh8fF2KCr18okUiEuCwoKMC6detgZWUlxKExAHa1u45xlRZjvVWwtnZCq+gVVq41Q5dMg6mB GthaX0C/So3kI5sRXz+ESdkEVLpZ6HQKNKR54rvfkgQAlosyscsyDONqJZ5YW8D2pWnFFwEwyZj4 EmW8n+ftynNHaWkp1q9fLyyPY7StGQBfPGqLEaUW8rE2XDp+EqXNxfj66+VoGVdDPtKMM+YH0aHQ IP2SOcKrByBj3lRqeF5SoyUnGOt2RwtFtrL3NczPhWJUrcHLqw44m9ZOAEwATJoHYA68/E4w9yav 
wTZu3IjDhw8LF62MAfCxzccglmuhGO+E7a4dyKovx/o1G1E7qoRS2onz5vvQNK1F/nV7+Jf2sxw8 AblaJ9wh7ii5jz2HggRvqodqYXM5BENqPUqj/HExvoQAmACYAJhEAEwATPpcAA4JCRGS9pkzZ3D3 7l2sXbtW+JnHmzFxAHa44IDOATGaXmfCwfEaBsZFsFq9Aj7BkWjoG8H4sBgq7Shst6zH3uN8nUQv 1A+phOPHqsLx/YZkAYB1cim6x1SY0Ujhc/4Q7jab1nqGBMAkY7p69SouXryII0eOCI9YbtmyBYcO HUJPT49xmGIAfO6AJVr7xeioKcSlU5fQJumC9a8/weX6TVR3DmJ8oAcK7QSuHN+PXcf4WrOuKGmd i8HJ5ofYtHPuDrBeKUPvmAKzummEe15AeNUwATABMInJ0dER7u7u2Lt3r/Ao9K5du4QnMzj8Gvdm L45uMENDrxhd9SW4sMccVYO98NixGbbuPihr7cMY8+a0ZhoRTuexw5x70wHZZT1zLNCdh8NHQgVv GtRyiMemMWtQIyXUHYE59QTABMAEwCQCYAJg0ucCMC+sebx8//33+Prrr3H06FE0Nzcbf8RyHoBP btwGZ1cPnP1tBRy8EyHXG6BhcVzyPBbbt66DmcdzyGenUJyWhWGdHjVx3tgSUzEPwLffAfCcSQx4 +eAWztx+bnJtQABMMqbQ0FDhru8PP/wgePPAgQPCXaeSkiXu9jAAPrFqHRxcPHBxxwqcOB+CCR3L N4YZVL1MwqE9W/CLVTJkMwr2/zwMaGfQ9jwCe0Oz5gE4iQFw7Pxjltyb/Li7OHGFQbHB9ACOAJi0 mLy9vYXhCCtWrBC8yQGYA1l2dvYS3uyF5U+/wN7JA9Z7N2D3Xh9ItHPebChMwynzHfiPZQwmZtRo LH6NPs0s+koe47h/wjwA5zAADvnAm93VqThmHwCJwvTWByYAJgAmEQATAJO+SBMTEwIAc/GY4Xec eLzxOKqoqFgSgD2dbzHABXSKEVy3dUBZ6TMEhj+Fgid0eSdObTVD0/AQklncjah0aH92CzvvVn4K wDMqlN0LxlmXMPRMfNkEIgTABMD/qwDMVV5eDk9PT/T19Ql9fW5u7pIAbGPhggmhzFAi6JQlsl5n w8c/CVMa5k1lH478tAwVAxKkP0/DoFKPvsIEHI3K+RSAZzSofRgFiwvX0TgiNzlvEgCTjMnHx0do Tw7Brq6uwnhgvvG7wUsB8PGtpzEqhIEKkYfMkFzwCoG3kzCp1sOgGoLFsp9Q2C9Ffl4G+hR6jNRm 4XxYyqcAPKtF84sHOGTujFKxzCS9SQBMAEwiACYAJn2RlEqlMAkWT+a8wHZxcRGubPOxhzz2lgJg D6dbmJ5hAKeZxq2rTihrakJ8gDUOHjHH0cN74BHFYViB1BBr7Dp0FDsOXsJz0cQcANfG4HuzOQDW j1Zh9VdfYdXWvTA3N8dZzyKYUionACYZE++ruTe5J52cnIR//fz8MDw8vCQAWx93wbhgohnc9T2P 56X1eHT7Eg4I3tyHS4EPMKVVIfueB3Ywb+4+dAEPKvvmALg1DZsO3p17zHKiGbtWLsfyTbtx9Ngx mDu8hJ4AmACYhNjY2Hfe5I9D8zHBfONjgn8PgEcEE83iqf9RxL6sQXqMG/YdPgrzI/tx9moMJjQa FKfegtkhc/b6GUTkNM2xQG8hDp+MELw5M9WF07s344d1O+e8aZdmct4kACYAJhEAEwCT/lVAp/2o j5tlMW6KV6gJgEn/JvH8o/1oyRTyJgEw6V/izY99yLzJ60QSATABMIkAmACYRCIAJgAmkQiASSQC YAJgAmASATABMIlEAEwikQiASSQCYAJgAmASATABMIlEAEwikQiASSQCYAJgAmASATABsOnGJl9T 
lMdLTk6OsPEZZpdcZ9Q4yn06lpDH+2eMYTLlcU4EwKSlCrz8/PwPvLnkOqNGNfOpx9g5Psebpj4+ mACYtJgkEgkKCwvfeZNv3JsajUao8/6M3KknfxIAEwATABMAEwCT/nzxOIuOjhaWcmhqahK2xsZG REVFCUuuLE6rErhv3Yqt89vufTbo6m+B9ekj2LJlCxyv3oZMqYNyshdXLx0XXnO7XwsdS/JFfofe HZfcOIEZzRTSPJ3YPlvh5f8QqhnTawMCYJIxhYSEoKam5gNvhoeHC33/4sEkxY3DB995bOvWk+gc 6YOX/SnBhxcdvDA0qYZBN47bznOvXQgvg5Z5syLi4rvjYos7MatTITfYFzvYPjaOUcKM7wTABMCk OQUEBKCqquqdN/nGAfjUqVPC2t2LSjcAhwW589SFK+juKMfh/bsEL14JTYTOMIPx/jpcPn1IeC3o eStzpx5Zru+PS+9UwqAcw70Lp9k+OxASnwudCYYWATABMIkAmACY9EUaHx9/tw7wQvHEzmNp8SQ+ CLNvNqJzQgmVUgmlYgqJdzwRmVmCGZ0a8aGeSK3vROOLAAQnFEOnFMNj514U9kmRsn8V7tcNsN87 BoV2FnUvH8DB9z6UzAPKqWmYYo1NAEwyprfrAC8UX2s0MzPTyMWpURxbsxst40qouTfZlpcaCL/4 NOHtFwk3ce9VKYZe34RnUAbz7zC81q7G0/ZRpJ/fi/BKMSYmpJCrDeity4K9UzBG5SwvTcpgovxL AExaVHz5I16f8TqNt2t3dzcHKpiZmQkXqhaVthfHNh9Fv2w+d05L4O9tjYdVHSxPTiDQ+xLyhuR4 leiPxGx2DmUPXC0voHF0Ane3/YhnLUPsd45BpdXjVdxtON3JgJLXjgolTDGyCIAJgEkEwATApD8d gEtKSowC8KFvViCjogpVFRVoEU8g70EQ7OydUFQngri/F+IJOcb7RRiWaWCYFsH60D5UD/bBZtWv uODqjeu+MeiRGfAy+QaOnXFGwA0PxKWkY0ptemU2ATDpjwBwW1ub0K8bA+Bza7bi2bw3G/smUZtz DzYXrPGquhXiwQGIxyYwJW5Fn1QNg6IH57euQUGvGN77duC0C/Pm9Ug0D8pRlxuK/Ucv4YafF8Lj kjCmMM1HLQmASYvJ2dkZV69exdmzZ4VhCkePHsWmTZuEOszoI9AMgE+u24GXlXP+7BiUICXQHQ4e 3iht6oK4pwPiaS1G+rswrtBBL2uCHfNuh7QHlt9+Cxt3H1z3i8fAtBpxQe44a+sDf+bP5BeFUOtN L7YIgAmASQTABMCkvxWALb/+BtHPM5DF4qu0XQq9RoX2ikIE+5zDiv32qBmamk/4w7Dbtx1XskUw zE4iI/YB2iQS5Nyww46kFgbAdxCXVoXJiTGEetuhuH7M5NqAAJj0ZwKw7ZqVCHuWgWy2z+vmERh0 GnTVlSI6wBordp5GTus80OmkuHreHHZpzcyb08hPeYLmkTEUx1zHgZhiBsCx8I8swPjkBBL9TiM1 X0wATABMmpeXl5eQI3/44Qf8+OOPwuPKvCYrKCgwfhAD4DOrVyOe5c5M5s/angnoVAo0FWfjqvMJ rDT3gVg9P+5X3QfzVb8goqQXM7NSPI1IQOfoENIum+NoWgsD4DCkl7ZjVNwKb2cvdAwpCIAJgAmA SQTABMCk/waAy8rKhM0YAO/4ZhvE+pm5eGYFdtmrDHQNjLNg1yM90g/hOXXQykdxx8Mdlx/PXRGf 1UiRm1+EKa0B3Zn+2HKvHnnJkbj3rIodp8P9wGDkVw4TABMAk5YAYN7f877dGAAfW3MAPfPe5Ft9 8Qs0dszFxZvUGAQmvcSMbhrJAb6wjcub86ZWhmKWOyaZNweK43AgthANuXEIjM6Dnnk6K/omkjO6 
CIAJgEnz8vHxEf4tLi7GiRMnhLH6HR0dePTo0ZIAfHzrCUjm/alVTuJVVhZGJpWYNahw19MecXUj UI71wc/KFs65XXP+VEuQlVcEhU6P1mR77Euqx/2gYGRUdEGvHEOARzha+02PEwiACYBJBMAEwKQv Eo83Hg980quPt+HhYaMAbP71j7jk7AY3Nzd4eXsh9Wks7B0d4OHhBuvLTijtHEFPaQJ+/XULbJxc 4eZ1EyWVrQh1N8d5RxdYHrNDYssEBkRlsHZyZMe5wN4lHP0TWgJgAmDSvCIjIz/xJYdingOMAbDV mg3MU3Pe5Fv6y2Q4OV2Gp6cnbC/bI7umA1Md6Vi9bB3O2DrBzeMqMguace+mFc44uOLMKXtElfZh YrAZzm6OcHV3hpWVL1qGVQTABMCkRbx548YNIY/eunVLmAhrSQD+eRXLdXPevHHzBpITb8PawQke bs64cNkNLWMqlKcFY9mqHXD28ITblQg0t4ngZ7sHVk7OOHrIDk+7pyGqfokTdg5wZfnT1S8JkyrT W0mBAJgAmEQATABM+mItjMO329LLL8xCp9EIyz283YSr2VoNpljsKnU6vsIKZmf0C/bRsphn8W/Q QcViW6nSzE3awXbU6ZRCvOv0pjnGkACYtFRsfOxNHfPXkt7UfuhNA/Omjh3HPabQ6jDDc9GM4YN9 9IYZ5k091HwfpYrtM3cuvU7F8tEUtDoDTBXdCIBJf8SbS7fxh7mTHzMz78UpuRxqnV7wGffiwtw5 www5o+cTRU5Bpda+y51arZz5U87ytWlOUUcATABMIgAmACaRCIAJgEkkAmASiQCYAJgAmEQATABM IhEAk0gkAmASiQCYAJgAmEQATABMIhEAk0gkAmASiQCYAJgAmEQATABsCrHJY6uurk6Iobcbf+2P F2szn65/yGP+o6G9s4YZUB1IAEz6ffH+v76+/gNv8jzwJd7kcfapNz86D3mTAJj0WeL12dvaa6E3 +Thgo+sA/5HcKdSKlDsJgAmAKdIJgAmASX+65HI54uPjUVRUJKxpyDe+rMO9e/eMw5RBipBz53Bu frtk5wfxcBd8vZxw5swZ3IpKxLRaD5WsBxFX7Nlr5xCV2Qo9DOgujsW5M2dh6xePccP7hN/+0ht3 n7ab5EQ7BMAkY4qNjUVhYeEH3oyJiUFPT4+RYJIhzsnhnTfPnfNEv3QI4QGegjevBYZjbEoDg24M 8f6OOMu8efNxA1jJjv7KZObNM7DxiUDv1PsZn7sLb+JWfCNmTLQNCIBJi4nPAs3X/H3rTb41NTXB w8NDuKC8qPQSBC7InV7X7mCgrwFOl61x9uxZ3EnKgN4wi8mBegS4XRJy58PX3SxzGtCSc5v59Szs gx5jIRFUPvPHs4I+k8ydBMAEwCQCYAJg0hfJ2DrAVVVVQiwtKt0gzL5Zj/YxORQMoOXTk0i844HQ 54WssFYi3NcOj+pEaMrwQ8CdbOjkHbDbfQD1ndVYteJXVA9J8cTZBpdfdnN3QNVfgq+++gZOQRUm WWQTAJOMabF1gFtbW5GZmWmkwObrAO9E46gcSu5NtuWlBuJq3GPh7Yd3vBCVU4yRkgA4X0mGSt6D i6vXorSjGXt3bkXJwCTygq7gckqlsL96uBarVyyDhSvzNgEwATDpnby9vT+YlZ3n0p07d2Lt2rVC LbaotL0w33QYPeNzuVMhG4a/txUSy9qglY/B0/4k8oaYZ+Ov4N4zdg55M5zP2qKzswTf/7AcLSMS RB8/BO+SYSF3Krpy8NV/VuH2g2YCYAJgAmASATABMOnPAGB+RdsYAO//Zi2K20QQtbWhb3QKmfE3 ccU/GA2dA+jvbodoZBLTo2L09g2iu+ENvI9eROtAO85tOISHbyoRccEeQRXDDI4HcPuiE5wdLeEY 
UG6SRTYBMOmPAHAb8xzv140B8Ok1O1Aw780eiRwVmTHCWr+1on4MiHsgGhiBStqPnr4h9DSVw23r QdSw110Pnsb94mrc9/BGQHYzDOpx3Pf0gtMlCxx3zIfeRNuAAJi0mFxcXHDz5k24uroK9Re/o7t6 9Wrk5OQYfwSaAfCJDftQNu/PgdEx3LvhBv87sWjpHUJvWwNE42pMSlge7ROjq64IvnZX0D/YAPNf 9+F5aTlu7D+J6KYJaCba4HXABtaXLiA4oZEAmACYAJhEAEwATPqrAdjy628QmZaOF8+fMxAeg2J8 BIXPUhB8wxEHbPzQMioHH9fU01aLlFuuMNvnhOFJCfzXrcDFGxEwP3AE2V2TqMyOQ8D9DKg6H8DJ 4w3dASYAJv2XAGy7ZiVCUtORwbxZ0DQM9bQUbzJTERnkiv3n3PGmW8qzEob6WvA41Bsr15xC34QU kQd24MT1GFw8ZYGUii50VabCJyQeU12PYXE6l+4AEwCTFog/6syfxPj++++xfv16bNq0SciZ5eXl xg9iAHxm1WrcfZqO9GfPUN01DtlwP3If34evjx0OOYRjWMMvNenRWvsGD27YwdIqEBNTg3D/8Ts4 3bwNs637UDwwhRcJgQhPr0BnaSKCI+sJgAmACYBJBMAEwKT/FoArKipQWlpqFIB3fGOGwZn5mDbo 0FDxBiPjChbsemTd8UfYyzrI+tsxNKpg+xgQfmEXIlICsGJZCNTsmIEX7vje6ilCD6zHjv37sXbV z/jhx73ILO0iACYAJi0BwM3NzcjKyjIKwMfWHELvzPuc01b9Gj2Dk8Lb5U/vIjDpJRQDregbmha8 mXBiFa4kR2HnxgCoWGkiKQrDBpt4xB9ej+179mD92l/x3fe/ISG9ziSLbAJg0mLy8fER/s3Ozsa2 bdsE+OVj83mdtRQAW2w9hdF5f+pU06h4U44ppRaYUSPB6zJiaocx1tsJqUwt5NPr9qfx5KEbfvwp Fhp2THfiCfxy4RGu7VmPXYcPY9WKn/HzMnNUdEkJgAmACYBJBMAEwKTP7Vv4pDrp6ekfbPfv30df X59RAD789TL4h0chKioKsXExSEkMgpevP2Jjo+Hq5oy8ZjE68sPgbOeJmKhbuGR1DS099XA0P49b kdHwsbWGW1YPtGoFFCz2R2rvwM4jB9oZ07sHTABMMqaIiIhPvHn37l2IRCKjAHx+zSb4hc15k2/P n96B55VriIuLg7eXK9LeNGG0JgaXzzmx94Nx1twBNd2tuGZlj4DIWPg6O8D1SR103JssJ0mb78P8 bBrUBtO8B0wATFpMISEh7zzJc+izZ8+Ef3k9thQAH/91IwIj5ryZkBiHuMjr8A64jZjoCNg5OKFq SI7yJwHwcPdFXNRNuHpFMLCuwIW9p3A7Mgpu587Ar3AQGtVc7qzLjWS5uBQGE4wtAmACYBIBMAEw 6Ytjk8cXb1MOvG83iURifBzTrA4DrAAXzW8dnZ2Qs2Tc29MlzILZKR6C1sDiXKvEQGcbmpvaIR6T Y2Z2BtOj/Whj+7R29LGC+n0/OKOVYXhUaZJtQABMMib+hMbH3hweHl7Cm3oMs9wgWuDPabUKA/3d gjdFfWKodQbMGrQY6m5n3mxDr2SKFc8zUEgH0c69KeqBXGNYYPcpiFlRbqroRgBMWky8PvvYmxzI DEtdKJrVQrzAm92sllMop9DV2YGm5mb0DEkEkOV3hvtErcyzIgxPKJn3DJAN96CV+bOtcwDaBfbX KGUYm1CbZBsQABMAkwiACYBJJAJgAmASiQCYRCIAJgAmACYRABMAk0gEwCQSiQCYRCIAJgAmACYR ABMAk0gEwCQSiQCYRCIAJgAmACYRABMAm0Js8lgTi8VCu77d+GtfcLYvK/DmfUEATABM+lA8H/Ai 
b6E3eV74Em9+kcd43jJhbxIAk4yJ12uLeZP353+8nb88d5pyTBEAEwCTCIAJgElfJKVSieTkZLx4 8eKDjb9mFMoMMjz084Pf/HYrKB4S6QDuRYfg+vXrSErLhlJjgGZKgid35vaJiI3HMIvr16kxCI6K RV3PxFzfNtqD+5HB7DhfvKwdonWACYBJC8SXKOOzzC70Znx8vJALFtWMHOmhIe+86ecXhRHZGB4n 3sG1a9dw98ETTCp0mNEpkRE7t09QSBj6JuWozHqAkIhQFLdIhAmv1NMjeBwXhuvsuNQ3fbQOMAEw aYF4LfWxN2tqahAeHi7UZot39hN4sCB3Rt9Nw+hwJ0JvBwi5M+1lCQwzs5geFiEhbG6fuJSnmFDI kJsUiqDYJHSPKgRgHu9vwp3gm/C9eRtv2sZoHWACYAJgEgEwATDpczUxwRLygwdCPPLYfLvxNYDL ysoWP0g3iJ3frEFFRz8GWCyIxf1IuXsVgSkZkEoGcdPbGmkNnZgStyHIxxtNnSJ0dPVApdOis70S vmfN8PhVj3Cql+y48IevIe0tg+NZZ3ROaAiACYBJ8+JLrXzszfr6emHt0UWlH4XFGjOUtPdjULgr NYj89FB4R94XvB4X5Iy4vFLoVOMId7JBWWs72kUdUGh16O2qQ9jFNQhNaRGK6ZpnN3A9PB2j/TW4 fOAUakZUBMAEwKR5eXt7f+BNuVyOY8eOYeXKlUL+XFTaXphv2I+6TpY3mT+HxF0I9rNDVE4FRsQi ONlYonBEgeHqV/C7Fc7824nuvgFo9Rq01BfA6eQxlDSyONIrcc/fE8kFjeiqyICzyy1IVXoCYAJg AmASATABMOlzxJdZ4XeZPlZVVRVKSkqMAvDebzaifmgYwwy4xqYUeBp7AyH3UtAvGUe/qAF1Yhaz ncVwsbqMnNxXqG7sfbd0w9NbtnicNQfArbVlEE+ooVcOwMvaBi1jpldkEwCTjCk0NPST19ra2oR+ 3RgAn1yzBzXz3hydUqPkeQR8g6PQOyzFUF8H6rr6oZ5ugdOxU0h/mYey6k6o52/vlkSdRWj8HAD3 1BZBNKLEjFaCqxaH8aZfTgBMAEyal5ubG8LCwnDr1i10d3fj8uXLWL58uVBrGV0KiQHwiU1H0ML9 yeq58Ukp7lxzxd30lxgYm0B3QznqJEq0FD2Gm/t1FLE6rrF9EPoZvsKZBne8XVFSO4oZ9nNtTQ0m FDqM91Szz3INI+xnAmACYAJgEgEwATDpLwRgy6+/Rvjjp3iWmoqiFgnG+9uRcicYwUFXYe8Xh+4J FcaHahAWFI4naYlwOHIGJQPKeQA+/Q6A5843ilv2J+D7qOCDtYEJgAmACYD/OADbrlmJ4Edz3sxr GML0aB/SYsMQHnIdl66Eon5ABq2yDaE3gvAoLQkOZnuR0Tk9D8BH3gHw3PkmEOVlBcfYF1DoTRPe CIBJxgCY11Tfffcddu/ejfXr1wu1Fq/HjIoB8JlVqxHz5CmeMn9WdI5huL0O8aEBCAjwgcOtFEh1 BvQ0FyEiIoadLwEOF93QMqaZB2A7AYDfn28I1x3OI+pllQDJBMAEwATAJAJgAmDSXwjAO74xw8D8 o18GFseipibIpjUw6NTIiAxAWE4d9CopphT8keZZ5D04h9Rm6acArJcjzv4cdsbXCGOfTFEEwKQ/ E4CPrTmEnrePTLOc09NSB8m4kvlUh9LUONxKysGsegwT03NPW1QnHUZk5dCnAGxQI+2GO3aG55us NwmAScbEH4HmHnv06JFw55fXW7w2WiyfLgRgi62nIJn3p06tQFNjG9QaHfTaaSR4OiKmbhhqhRRK tU7IncmJLnjTN/UpAGsnEHB4L06nNgk+N0URABMAkwiACYBJXyQeZ3fv3hWAd+HGk3pnZ6dRAN7/ 
9a94kP5SiLGcnCwkRvngZuQ95OW+xHUfVzyv6cZg20tc9vRAVtYT2By2RengXMH9NPgCHr+cA+Dq 51FYZXYRGTxe88owOkGPQBMAk96KT6jzsTcfPnyIxsZGowB8es1WxD+f8ybfniXdwPXAcCEn3L7p jcRX1VBJymFz+RKeZ6TBapsFsnvmHm8uibVAaMIcAHeXPcaGLRZIzmDnyX2N/hF6BJoAmPRWgYGB Qs3FPZmamory8nLBmxUVFUsC8LHV25DyYs6b+XkvEObvgtD7j5D78gVcHO1RyGC3vjgJrv6BePXy MWwvXEPruAazBgbAVxxQUscAeEaHl3euYdlep7ncyTw9raJHoAmACYBJBMAEwKTPEo/Hjo4OIWkv 3FpbW42PY5pRoSYnh4Hv3PYqPx+SiTGUlRQiMzMTxdUNUOr0MOiUaKwoEl4rax2Cbr7bG+xqwIBE MVdc9jW/O09OfgVGJ9UEwATApHnxsYUfe5PDL88diycbDRqLCt97im3DsknUVBQLPiwor4JMpcUs K6DbakuQxV4rrO+Hdt6b0r46dIrnlkCbHG5/f55XJRCPKAiACYBJC+qgj73J6zCdbgkQnVGiaoE3 X78pxah0CIUFr5CZlYXShjboZmahVU2iuiRf8Gxt1yiEkUGzM+hub4ZUpmE/G9Arqnvvz4JaBsA0 CRYBMAEwiQCYAJhEIgAmkUgEwCQSATABMAEwiQCYAJhEIgAmkUgEwCQSATABMAEwiQCYAJhEIgAm kUgEwCQSATABMAEwiQD4jwEw/1sKCwshk8k+KPZramqEv+Gfa5AZ9p3rMPs3/B6dVv+X/Z7ZGQM0 Go3JzgBJAPzlAMz7G95XfPx7m5qaIBKJ/sneknnmb/Dmgt+n1xmgEhapZr/73c9GO3No2T6/9/kM bB/9nzBzMs8Zaq3hT++XNFrDH/yOZ6Fhf5MJrlL2twMwrwt4Lv+4uOf5nvvzn4No7g89/pHfzv5m vX5m0d9NFxUIgAmACYBJBMD/KgDmv/vbb7+FjY2NUFTzWRL55162bJmwbp7xL0wPUWUJ8lslC0t2 FGXkQixVfiZUaKFQaRZNmDNTXXCwjcHkn7BunlQsQkF584JXtKh+9hiV7VIYJtvg452Eqb9kfb4Z NDwJxrWA+xiVKyGfmoae6gAC4M8EYN5X8PUrT58+jZ6eHsGbvK/55ZdfsH379iXjrq+pGvkNfQte 0+DNiwyIBqc/sz/UQ6FUYTE+nFGIcc0rHtI/0zMGBYpbxjGh+fSkivFJ3Emqh196FyZHxxGaWIfA rB68RU6lUob6AcU78JuVSeGV0IThJeeb0SIzuQ7P2ib/64/e0zkA/+yeP7fnGBuCU3wzpH+Eq1mb 5RW0I6x0DAYT8+ffDcDcj99//z2OHTsGsViMsrIy4TOsWLECmzdvhlxufDbuke5mFFSJPojFiudp qO+a+ExwNbDzKxa90DGrkiDsZhIkf1YAsBz9um0Uokm9UeBWKZRQ8os1KgUSM9ugWNBp8O+yqWUE D8vFyOuQmVxckgiACYBJBMD/UgCuq6uDi4uLsEQA62iwatUq2NvbIyAgANHR0cLdy8UrNCXue9ri 103XMTH/kq7vBX5ZcQi5VZ9X4PeJShB47ynUi2TyWZ2Cfbbed7MS/zeqz03E5lXn8fZT6Ucrseb7 H+AZWcPyuxxNzeK/CEy1SDqyBS9bxqDX9OOyrSM6/xrSJv0PAjDvOzw9PfHkyROYmZkJ3rSyssLt 27cRFhZm3JuzOmREXMPq9W54+4l1A6+wcvlvSMzu+rx8Jm3CtduxDEgX8aZeheam97MS/ynSiGEZ 3Yimce0nb3W3DeFq+gAkMjXaGgZwJXMIo1PvL5wNDXfiVv4g3rLzrE6HtiEFNEt+Pg1igioRWPXf 
tqke4QkNyO3+c/P/LMs3zexv+KPfsUYxDqvAauQNKE3Kn383APP8euXKFTx48AC7du0SvHn27FlE Rkbi1q1bQm1gDBhLU+9gw5pLePuJ9SNvsPrHFQhMbPo8ANb1wt3HH0PKT3MJX4ZH1C7+07wpF4/B MrQSZ9MHjAUqkl63IbZlGgb5NLweNHwAwLqhXtg/aEVxUzcsQupQ1G9acUkiACYAJhEA/0sBeMuW LcIVaw68X331lbDxO0wcgn/++Weh2DYOwA5Y9euPSKyXCncfHlp9h2XrLZBbMQiDZhoBbuexYcNa 2PqnQTbRCauzrvBxOoJVOy0YFIoRd/JX/PDzcqRUD2NyqAN258yxccMa3Ewsglxai1VfXcLw5AA8 HL1xw90cq80O41FZF3SsyAv0shbOfT2xGPJxEU4ct4Kt9WE8ePYKO81cIVmwykFdbhK2/PwjPPPE rH1n8DryIlasXgPPsGpoxsqwY50XpFodmrIisWrdBuy1vIy6IRmaCxNx+ugObLFLx/hIFy5ftGSf by1uJryBSjeJx7dOYe2G9Th1LQoKFjejnTU4fvQAtvy2HfGZtSi7fRq/fPctDrndxjPXffjPf/4D j8iH0BjoNjAB8O9r27Zt2Lhx4wfe5DHk5uaGX3/9FVevXjUKwC8i/LBu+Y8ILx8RluNId9+M5Wv3 IjGzk3lXg6jrl7CexfJJ90RMTA/Ay8kH/h7HmMcOIaW0FakXV+L7H39CdF4TVLIReNmfErzpEZ6F qclW7FnrjIFpKW77+sHP3QJrf9uDqOxa9qvUiLvpiPXr18L5Ti6mZf1wvOQIZ6ttuJ34CqcsrmBQ tzgAH4tiADymQv2rRmwPqcGJu80Y1slxK6IKGwOr4JjZjRvh/OdqeOcPv/8+PwJg/bgEe2/XoEum RMjjOnjE1MCMnS+yQsq+GiXC4muwM6Qaa/0rEV09gPyXzTALrcWx2Aa0j2uglMlwLa4We0Kr4fK8 A6UlXbB+0s3yghrJGY2IaXw/XGRW2oFLaV2YNAAy1s8fCarGYdav7I9rweDwGKyja3EpvAZJVaOo K2zFNvY5DkU1oHlCgwn2vlN0DXaz33Mqsh5llSJsC6jGuYh6FFe0YcutOvSNTsDqXjP44kbSjhFc ftKFrppmmN+uxsHQKpyMa4T7/TqYBVYis23uDmJPZg2c0sUwpV7m7wZgfkFq3bp1gge//vprwZv8 SSoOxRyG+UVlYwD8JjUam5b9CN+iQcGbeYHH8OuazQiMb8TsjBbJwU5Yt34dLByjIFWOI+zGDfi6 zXksIrMCOZfX47vvf8DNhwWY0Slwy+OCkAtt/FIxOdWDs/u80KdU4kFkELwdLbFuy3b4JRdBq9Mg 7Y6ncO5LQU8xJR+Fv7cX3C+uZXkpH852Aej/4PrTDEoqOuCb2oSj4fXoUc1A2dUJi4RO8N3asxpx KaUNF4MqseFWNXLbxhgA18CL+Y37N7Z6HAOv63AtcwDcmuUPq3C7RkrJhACYAJgAmEQA/M8DMH/M ee3atbh27RosLCyEq9m8wD569KiQyI1+DgbAMZ63kVN4D/YO0ZCK87Fshw/CY+8it3QA2sl2xMYl s7/5FY6tXIOKrkbsP3gZjcNTaEgNgeW9QojKU+FwLQJK3Qz628qR/CQDTfVZsLY8h47u16yo2I6+ yT6cP+eKmsEpiPIScf7OM3Tl3YTFBScUFaRh34atKGisxG+brVEhHoNOo2Df/SAW1tg1uS8QE3IT G1cxoB7vhI3TDZS8iYVnYDk0w68Y9B5HT38ldh9zQ49MhaaCLNx/04XanDtwv8WKCpUWBSmeCH/y mp1/DEH2l5D/Ohc/f70aj0qqcTc+ESMaDeLD3PCUwYNc0g5vh6voGBhG/IHfUC5RQy9rxjGzfaiX 
qMlsBMCftd/+/fuxZs0a+Pj44OTJk4I33d3dBZ+uXr1aAGNjAJwWcRdpT+/A0sIfo8MV2H7sGvNX HBKfiQBlDyLC76K6tgAHv/kGhV0dsLrgJnisIz8ZFyLTMN5dCGt7H0iUekwONiA+MRX1dTk4ZbYb DV1VWL/mALqmR+Ht5oOidgnENTmwC47DRHUE9h45h7z8ZzBjRfrzugZYHnbA6x4JtBolBsRD0MI4 AFfU9GDTzUokve6G610GcsWjEDX1ISC7H4YZA5pre+GfK2Y/zxgFYI1kGDuDq9A2roBvSh1yu2To 6xiA1YM2jBbXweZRJ6TjUngEVCIovwPWcdUILxlCRlknmqQMTEcGcS+vE+XV7Tge2YDixj7sDKpB 88AkPOLr0aV4/7vlzQ1wfNYDNSsXRhsbYJ/aBenEJKKjWLGf1cqOr0VJ7yQm+4awP6wOHVIFako6 cDC+g4F3HUJfD0I9NY6rsfXIZn3HCr8a1LF2kPd1M6hgED88jvPRDQIAS9qHYZ7cgbbKBvjm9EPO QN+W7fO0RYq+Nw24kNQl9HuK9iZYP+6CwoQeNvm7Afjw4cOCB11dXYU7vzt37oSTk5MwXIG/7u3t bRSAX6c+QULcbeza5oqRsWZYWvniZV4cAqPrMKsSIzgwkvngNc6sXYmszgFc9biCwtZhDNbl4XJQ DDTSGpyxuIjuSS0MUx2Ijnkg5Nmjv6xAWVcTDu+1QLtSgchbN/CsVMS8XAs3v5voLo/Dpm2Hkf3q Bfb9/CMe1IjgbOOOXBHzjkaNkaFhLHymxMBqnrDkOpSPTOEp8+K9unEoOkUwjxMJHm5+UQ+rrG5E PGfxWDIKg4LfAa5DYS/rR9rEOJvYjsqUSlxhAMwffS59WI2wmnFKJgTABMAEwCQC4H8egHkx7ujo KIxd2rNnj1Bcr1+/Hjt27BDGHBody8QAONzTFy2ySdy/YgnPU6cQWj+O+wGODIAHMd6WhkuOriir KYYrA+Cyjlrs35soJM6J+gc4GFeErvpMePjHQqWfRVVuFLwDQtHQVIwrFmfR3lUiALB4sgfnTyUK iXlalI2zcS9QFrUH522D8KqwAFk5+ehjBflvmxMWL6yZKnLT8DijAK+cV8LOIwAhKdlofXKcAXA1 A+ACAYA7Wp5h5+WEuVhg7c8n2qnNSUDc/VbhTsrzyLNIfS0W3k8NcUc6K5DbakuQGOOP40esIZIp ERHohBrRBAzqSdz2vo6GTgkSDm5DnZR9Mm0XLHceQOsEjYIiAP48AB4eHoavr6/gTV5gc29u2LAB W7duRW5urvHHLBkAP4yIQGlHF5547oWLtT1Ci0TIirRiANwJZd9LnDlvhdcVxXD+9hu8ErXB6sy8 xzpzcD4uHTIGzZedrkPKyK676gGcvK6jur4Yntt3o7ZzDoB7OQA7J0I6rYVysAoudxPR9mAPDltc RV5RATIys9DZyQr8w8a9OdAxhHGFnlHrAE4xAM7IFWGDfzWev2Gfl33mgnYZOloHEZg3KMBDc70Y gQXDH36fSwJwA0a1M5geksEhuQ31jyrhlc3PpcE9BtqBlcPoYXCams6gMaoO+X0q9NS3wuFBEwqr RLgc0YCqUTkeMwA4Et8I9/ReaBc8wSFvaoDr8z4BPDkA+7Fz83fr0qtx40kDjjGAVvH32N+wJ3Ru HoKJdjG2BzbgYWIN0hrnxiA/eVSPTAbAK/0ahHZQi3s/AeAx0TCOzQNwVIkEM1AimH++MQ2UHS0L ALgZ5xnky0yoq/m7AVgikQiPO/OLxPxusKWlpfAkFc+daWlpH0wq+TEA56cmIbO4Ellum+Dg5IOQ 529QkXiKAXAj81ERzI8dR14py4NrVyNd1IerromQyDRQDTGQvXsfelUbLpy0Qf/0DGQdz2Bt74zS 
6mK4MAB+08EB2BKdSjkibyaipUsG7WQvAu6GoTTREtt2uCD3daFQc7R0djMAToBCv/iVEvlYL3YF VOJAVAP2BVXCicW+pKXtHQC3ZzEAftmDqMxGBNbI5gG4AVMzs5gST+AS81t3Vs27O8BlDIDpDjAB MAEwATCJAPhfAcA84fOr2W8fsVy4lZaWGj9QAOBrqBxXoTwjHCu3ukPBLBPve4kB8BC6Mh1gZ/cI dWWZWMEAuLSzngHwXCEsbUjGgbhiDLYXwtnVB+IpNXLuuCAoPBf1RY+x2+IcA+A37DPsnAfgBKEo lHVk48zdTIw0p8HBIwgNbS14k1sC6WgDfts6d+5Z7The5ZVCObsQgFORmP4as5IirF5zEK9qhtCS tB+eQRyACxkAn8DwZBcuWJxCVnkTnvhehcdT1l65DIAT5wC4pjABV0MSIGouxbULl1FcFI91y1xQ 01aJk2dOIHdQhfSkUIQkZaGxNBs+HjcxJFe8B2AMw2nPDuS2D4ImxCQA/hzx/uXChQuLevPZs2dL dGYcgMOQ1yZGd0UyVm2yQa9UicyQM0h83oWhQndYHItHbWUefvzmG+R1iBgAz3usMxfn7r6AYrIJ Tta2aJFMoSbFEZ4+z1FX8hwbBQCuYQB8eA6AnRIEAFYMVsPpbhLUAzm4cMkb1c0teJ2eh9HxTlia z3tTN4U3xRWQL4j/5/drEVI0jOaaNpxObsfAkATHQquQJZKisq4XfaxTmQPggQUAPPTRhYJOeKR1 oPH/s/ce0FVde5pn1UxNV09N1avc07Omq1f3TPWa6e6Znu5++dULfs4Y85wxxgZsjDE2weScg8gg srKEckQBJBQREqCsm3O+uro5BwkBxt/sc3SvOFwLDM+ynyj+31rfAt17zrn7nH3+e+/f2eFYfFAO +WE3Wu4DYDcD4DAD4I2sQR5Tq7GuRA2pwYqlR/txokGHDZkSDDoYMDTKWAPdj746EQ622CAe1OFt HjBvYdSqx6tHB1Am9983tPi2RYP1FwwI3vmKAbAcnxVrIDE7sOvEIHI79fiEATA36/Fu2I/V2SJc UntQcUmFDY3DGOxR4FCjGQaTCcvPSNDSMw7ANwUAPOQPYXuBCOUKD+qaFJhXNA7AmXEAPs2OP8gA OCYAYH+fFJvqrE/VgkPfNwBz8++5kVKTxSa3dsaDj8EBcDGqO8QIGxvxwsuL0c/u9b68j5CaK4er 9zhmv5EBkagTM194Fhf1NgbARTwAjzgk/EOmO3dt2PLJJ+izemFp2ojVq8tZPduIZxgA3zCoGAB/ FgfgIga5IYwFrTiSn45hwxUs+mQ9euQsNutbWZ3nwNZ1cQC+E8Ng3yAiE8m+i97KQZzsdPFl381o GPvyZNCqdfg4Q4Jr2mEcODOArVcsuNCqxJbmIQQCIR6AQwyAgwyAV7N4vm01sLhTQ2IcwqpTYrSY o1SZEAATABMAkwiA//AAzD3Jnj9//tcq8R9zQyM7Oh7ayB681gXH6G3E3Bb0iBX8x/K+azCzxuSX MRsqs7KQVVKDC4VFMDjtqKlX8I2ym24laqVDuBX1oqkyF/3DQfiHFChm55xdcRl1tZfh9NhYQ6Ie kZshNLWO73crYEKjzIC7d26ht60aGenpKC3vQDjqRkXt+DZ3bzpRXFTBz8mbAA6zFgo9dz3uQHKt Bb6RO/Cqm3Ft0IkvozYUlbRhhOW519CFrPQM5FU2wzl6Cy6LAlL1+BPr26NBtFws5X+zUcQNwbwJ eWM20tMzUdzQxzfwR0N2VJflIyM7Dze0XAP1S6hqK+Aa5RLzJWRNBWjsEU/Jq1dI//wBmOtFWr58 +ddik5tzyC2M9ZCnU1CLBmH2hTHGIJUrc8YYoBnEV6EwBlgguVDDxWZRFSpZY11pd6GlLRFjZjTJ 
9PjydgwdNedxQ2/HiM+AMhabWWUXUVNeBavbjtLiZoRujeD6dQVGb7FyMupEh0zJP9yRXr/Ex0le XiOC0QDqm8aP/dWYD7UXau5b2Tjk9qPq+hDO37CjfyjCw6Vb70bBNQsKuoYxFPkSAV8Efebx+tXH gLzPen8jOhYLoKrbgULOPQ5IjR5U9TvhY2VTt8qNkS+/YmXNGNpVXCyPoqvfhvPXh1HFbesIQ6tx 4zz7vcJeJ5ysbIgF/ChnaSpg39cMuGENM6wMD+OLLAVk3uS+7CjSSlg54brJ9wAvKdCwY1lRMeBB KBJDvdgdn47xFbwmD39e51k6fbfvYjQaQUPPEEu3AZ+dlbL0OVDU7Qa33u5dBhylfU6Ev7wDq8GD 850WlLH96hQB+BxuiG0x7oU3GBS5WVn1JW4HvGhWBnF3LIoDmf0o18Weqvj8vgGYawtw83wni02u 7r5798Hjzy1aBTRWBpa3RyDq6kDo5pewK1rRJ2e/fduLiyw2MwvKUZ6bB/GwDzduKDAyxsWYC50y Be5+dQe9l/LRLtXh7ii7jxP1bH4hdE4X6qqvIHD7FsSDCngZOH/J6tBemQixW3eh629EJovN7OxL 8MWiuNqhwG1WH3EPp1ou18MzEZu30c/iQRdflI57nZ9E54I5EsXg4DCLVxtq2P143RKBdziAInbP qzwxXFO6+cXnxiI30arys2v5JUQSO/LY/Vul8NMq0ATABMAEwCQC4OkBwNy5Xr9+nZ9byD3RTjg3 N/chw7i+uzz4Lrd/xIM+9Lvk3/xaGibZhkQA/PsAMHcfDQ4OYs+ePffFZlpaGt9Qn+7l6ePE3Nc2 /05j6Ou/91VSGoTpD5tcWJI5iC/qhyZ99YxSasGWShM8EhkONg3jziOWIW6HFxvTJZibIcLKUj3c D1m2+tGu523+NUjL660Map6u+Py+AZjbRqlU8mtnCGPz5MmTj1z3PhGx+YjH+KZjUp1IAEwATABM IgCeVgBMIpGmJwCTpodus/LeYPXiga8V/uo27K4gvhqLIhYde/QD3/0SMa8PZosXY1MCrOwe9YSe Stj4vgGYRCIRABMAEwATABMAk0gEwATAJBIBMIlEIgAmACYRABMAk0gEwATAJBIBMIlEAEwATABM IgAmACaRCIBJJBIBMIlEAEwATABMIgAmACaRCIBJJBIBMIlEAEwATABMIgAmACaRCIBJJBIBMIlE AEwATABMIgAmACaRCIBJJAJgAmASiQCYAJgAmEQATCKRCIBJJAJgAmASiQCYAJgAmACYAJhEIhEA k0gEwCQSiQCYAJgAmAD4iQNgLo1kMvnbm4v1qQRguqZk8tR5KgGYrieZPHUmACYAJhEAf+8AHAgE yGTyFNjv908pANM1JZOnzlMJwHQ9yeSpMwEwATCJAPh7B+CRkREymTwFjkajUwrAdE3J5KnzVAIw V7/TNSWTp8YEwATAJAJgAmAymQCYAJhMJgAmkwmACYAJgEkEwATAZDIBMJlMJgAmkwmACYAJgEkE wATAZDIBMJlMJgAmkwmACYAJgEkEwATAZDIBMJlMAEwATCYTABMAEwCTCIDJZDIBMJlMAEwATCYT ABMAEwCTCIDJZDIBMJlMAEwATCYTABMAEwATAD89AMzOZTQaw00y+Qnw6B+ocfoHAeCnMDZHCT7I TwIAU71JZQCZAJgAmACYAPjJBWCuwrkVIZOfHHP37NMAwE9rbP4h8pdMAPw4AEz1JpUBZAJgAuC4 QqEQ+Qk2B7IJBwIB+P1+3hzccpUiZ66S5cw1YLmgttlssFqtMJlMPOzqdDpoNBoolUrI5XJIJBIM DAygt7d3Anrb29t56G1sbMTFixdRXV2NiooKlJSUoKCgAHl5ecjKysKZM2e+FwAOmfUYutKDoZ5+ 
WFQPnkRh4C3Soa7gCdzCEqBSdGHXV1/hmzXf4MvPLdDFHsc16+PUzzvx46av4BFVyADwigVgHjpu 2aFu83m0RBSC35qAvvx+iPqL0RjdAG59ARr3nkftZ4cxUjVKf2ZOLcFjP2fEV/VguKUINh6PwRnI wK5Dp9EzMQ7fDd8jsLQDN23PIbt3FnWpTxGYVABBVzwsHO6Bwx+B7Y9bkdJUh2PnX2J0oBpWVu6Y ECpWLQD39PQsCcBnN61HAasDzRXZ2PbVdjTxJMi9Z49vvv4Kz3KqMC2QvmWbg40JsL37AGJZH37+ Um+bZ9AyyYPfbSt8/c12bNn8NRwCEszykL1SAHhkZGQJABaix+826raeQ9O9FMy2pqAzrRuS4Rqw omsg6KxF0zEL1P5/u9FL2ey8ceqQEumFRxlV4E+wYHvNA309+Vi3eReaR8bx+OBPuF3Qg2Cva0io 6UZvRTJ8Q+IgGkzFoXOOGOOO4/p33yGioQW2N5LBF/XgygkbtE2KV8W8IOeVa9eu4XNqL/T398fa tWvpXrymejHrAfjk5q2obO1AQ34Sjuy7iGEJHxGndmLnngNILW+BRKH+xT4pHaTF+yAovRhKYSNl z1/T9rlxoz0GJnpx9MAu6lyzDRvWf4kHaW1mZ5sMADPCCAPAKxaAU1NT0d7ejoMHD2LNmjV0yF9z czOd42RKlIIpDOYUoC/MHY33KzGYlAxB3yymi8LQHZ6IJudX4E8NoSs6GSrJPABzWVFYY505fxhQ yMAVKJCZmIDXVWzo1HJExboj97kLvvv+LGISYuHs7ITokg74+PphlDPvcRKLpFCMpmPzukPYe8wB o+KVnxf3qQB84rO1CE9KQfxjP5zdeBINk3zMcMWYGmhDQuR96vncRKdYQx42WJkROOvgh55ZCkp0 HLSzuqDUKVDstBEu2dW4ZvUQM9TXytgNOHc+bNWFsZoPAIsxUFyA4cQkNPkngVcfhJ74Hog601F3 uxb9EY8x2TIBdu49jLyeB2CNlAM/P18MTc3bmEQkoWwsFaeti+kc4MHk/bCJzcTVE8cRlZCA4OAA +D6vRM/z0/CI7Zj/W8VCiKY7cezAJThZHoR/fB1WSwvSTwHgy5t24kliChLCAnHmu4MonxCAyxNi dqQHKfEhOHzaGS0iNUkKRUcRdQi3ckETmzq067horm6BjPp9lc8hWKY2wM/lEXq5Uih5/XC0ewie wvxyDVcHAMswXFmCkRfpaA6IBKciFO2hHZD0FaHBoxrDCUEYLRuk9lAf9KX1L7CXBlHBt1HTxaVb JUkp25SN52L7gSw6Omo0yxInn5XC49IJBD+JxJMnwfCKzkFfqgWsgxrnp6NEAOHMEGwtr1Pv+wkO Qa+hWiW2SUKgyTO3sLCgL+6dnJxoIMvMzFwSgM+v34Xo5ymIC/bE5cPX0DnNwzRXgrGuRkQ+9sWO gzcxICV7pwzVSYG44hWGcZGKOqdMortzEOo5OdIddyCkqARH9weCR32teLAAuw7GQGFmtskAMCOM MAC8ogGYSH9/PwoKCqBQUGBUXLwkAAta4tATkAVeyUs0hVIAnPCcBuCRFF8KeuPAelQO+fQwuiNS qMPxPKQqJorw7ZbLYAvlqA17hKB6LjJj4/G6fIIG4MhYb1RVJmDdRgv0TPMx0tmBST4XQb4uKG1j gz/QiojINPB7XlKH8zTkhbjghE3Oii/swefzaQA2PpiR0C5TuZ7zHuC9GKcjIlWI3/ctgrML4Hjt Fgb5cmhkU7i8bxcKx6RoSonGrgsBaOfK5kPaBU24dfceZqUixB/8AV7F7bh91QZJfVxw2vNx9GoE zC3QcjkDsPG8IJcipi5GFJP1YF15Bl5FBbpjCsCrDqABeLYmDrUBNehNiAS3ZwaTRQ8wkjMPwDqV 
ECF+LihpGYdgqB0REa/AHUzB6bMF9DwYSD4G+5Qq2FtdRvkQFzOTYxil7HOmMQDX7sRBJhcg6aod SlobcYxa1ka6quFoQc3D6dWRcUgA2FgHpEhgWVmZSQA+s+kEhmhOVSP1wBq4Z1TA57YrBbIyaJU8 uF08iYxhOXqL03DovDeaZqS0bc6JOmBj7wy2RIJXlvtgm9OFEE9XRNQPQjjaAOtrgZAozS8MejkC sJ+f3zvfRS4tSRGmRS+NZzvQdjMG3Mpa9CdmY6Y0hAZgXlM66u5XYuDFQ0yxJsEp90dfkt4DrMWL cHe8fN0OJX8U0UHRGO3LxvYd6TQAj2RdxdmkRty7dR0ZDQPgzUxiZJwDUcdjnLJ5CJFMhGRLS2Q2 d8LWNgYz7B7cPncFjb28VTEvSBEyogOi11evXtFreFNTE7KyspYE4LO7LMGhzUiJpyf3ID4/DRfO O2FMqIRKMopD361B1aQY5U/vY92FEPRReyqxT+V0NXyfREFErXlPD29FRHULLA6dRuYwD2OVcdhq nWx2eycDwIwwwgDwigRguVyOJ0+e4PLly7h06dKbQfJ/CQibEsVwHVg7rNBkcQXtiU2YDA1Dwy4L NPsHYaKxGz2XbNFw0BbNvjFQy/VeWg3aM25j08ZN+OmKP6ao3xSkp6CC2vTnNAq8SA5GJ0eOxpQ7 1Hs2YtMmK/QI5zDdlY8j+3Zgy89HkVg7CAU7G3bu5dBq+PDbuQNRDbMregNRKpU06BjrIDg4mNbP 4ofsaZzdfBbsBWdQ2wsLPEjvxlB9PPXcNmEjNZyeZlAQJUbEfQf6d/TYfwccsQSJAdbzz9guHrPU d0gmWNTr1M/bzyCjxvxabC1HACbVZGNjY9+ZF8TzZCrETysaR+v6i2i0vIEmvxdQspvAWncaLEcX tD5vxkx2Klj7LqPJ+hommvQHF8rGugtxdP9ObPnpCOJrBigby4WNaxl9mJvItIZ32SSm27Kx+Ucy j/YhIb8DOq0UYZ7naHs++6AQAnE/rK+nQD2nQcWzENjH1K2KuZGQkPCODkiKiMkwSy0XtgcvY2Rh 2RtMt8TNmBaMtaa/sU27+7FQ6TRIj7rzi23ucUDXyCxyntjO2+blp5imvkM23Yn9e3dj09bDeEYB sRlGQC9LACaeXuN54eLiQlcgXnRaSKfRdeA6ZZv2aPKMgnSwCU3fnwTLzhnNcXXg17ymbNMaTeet MFQ5/MsF6UgdrE/vxY9bdyGEsjvZdCmOXcqjbXOq8Bau546B21eOg3t2UvNoNx4lVkE7p8KLQCva Ng/cyQBPNgHXOylQUbbemp0Ix0d5q2JeEOg11oGzszPdwcKkqMdhd8IBMwukWhJ3DYnlQ+gre/zG Pt0TK6CSTcHrptUv9nk4CAqNBI/cztH2uc8tDQJq7xQNV8zvnTsvobJfYHa2yQAwI4wwAGxWfYBJ RUulWA6lSF+8QwypQPJ2pVmhjG7JYixzGi3edwYh3//WQYUCFK151n/5JNFQ8LTkI6aere6dtg2a T2ztwgDwPwcAf4rMUfrTyBSU7RkUoxOJqWFglwIp/Z45Y11/iI1Rc+atNiHUd2g1TF/Vj7JN6vl9 iG2+DWqad9uzMAD8qwLwJ9mmXEHtkwadEihQkxvYKvn/atki7QMp3b+3yw5tv1qjecTY5kfpiLQz et8eSK95GqPPme/eyQAwI4wwAGxWAKzf0MlGbXKQDWGO2YAZYQD4D32IW9IuyWDskhEGgBnbZIQR BoAZAGaEAWAGgBlhhAHglQ7AjDDCAPDyBGBGGGEAmAFgRhhhAJgBYEYYYQCYEUYYYQCYEUYYAGYA mBFGGAD+wwAwOfjX1tbSBZdI+yP9IG2QJBLJkocFjUIFtVRuesgXyTM0hoXBDkzOfmRPQmEP6pqH 
sVoybkjuUENDA92P2VAH9fX1n3RYm5tTvZsvqFaT/xn+S6FR6ZjdexkDMNF9S0sLQkJC3poXpAL0 UvlmOpWaziM0aZfUazr1exIKhb2obRr6OBtTcqm1pAPqVTY3SIs4UgnaUAcVFRWfmPOngsY4mZP6 +S3bpPSuVWmZ7JFlDsCkFVZoaOhb84J0T1jSNim7e59tat9nm+IhlFX3fVy1YZUIzawOqFbZvCCd K4x1UF5eTheo02g+vl0Y2Tvf0Z9K9Xb+NbN3MgDMCCMMAK98ACYHgsjISHoRI4cMMthsNt2Wh1qY 6NcXh18llAIBxJOzbxW+Mh5kQ1/qJJcZ/Qz5FeMfd4QcfI6zF/JWzUFbQD3Hp0+fvqWDqakpPHv2 jD5kLSpqNi789nfYc+AQDu7/GQ4hqeArFGjMeoSdew9Qv9uD2w+TINOoUJcegmNHD+PwsdOIf91B bd5cPHQ9gf0H9mG3VRDG5PNHKa2CB7frV1DWNG12m/hyBGDSdiMoKIi2deN5YapFGTlg04WuONOQ 80RL2qZuiQOiaigZp85/nI1p+Z04tj8aslU2N+7fv4/R0dG3dBAdHU23W1l8cZzBjU2b8DOxzQN7 cPVeHGap9bKjOA7b9xzAIcrunPzCINXq0Fkah7PHKds8chghKXVQKvmI8jqJvfv34+eLfhiUzeto jgKY+zfP4kXhEAPAywSASSXw4eHhd+YFaZG1qG1qtFBJZJDNTEM2K1zaNtWmLU89lo3tP6V+FMzq JCOwtYiGdJXNCw8Pj7d0QNZeckFIzi6kjeDii9sIzn75DfYePIQD+3bjbkweREo5KpO8sWvfQRwk v4vKhVwtxetoT+p9R3DolDVym4ahlk7A2+EYDlA2fNQhEtMLLcnEnB7YXnZG74TY7GyTAWBGGGEA eMX2AU5OTkZRURHdUJ4cuuPj47Fx40Z6gzfVCols0lJ2LzozKpbcyMkwPHAI+irpW9qYtBK6f29m QgQeBj7Bg6Bg5DT0QaMDprqr6Pe8Km+nb7nl3BFEhj3Go6dR6BrnQzmWinMXiii4nkZUSAQmZCu7 OiqPx6MvHIyF9JQ01e+VAPCez3dhWKqGUsrB3W3fIbymAaeOHgeLq4BKOoOHdxxQPy1AbkoKhjhS TLZWIDA4CoL+dBw75wKeXICgr79CeCsBPzkKb1vjt9+dYAB4mQCwvg+wsXR0dKCwsNDExZSKtrnx qlxwutlL2qVhhXYFdxRR4aEIeRKJzjEelOOZ2HvoHmKjH+PBi2JIqPO4fHYIgYGBiIh/iUmhnI7u qCtKpW01s3oASlE3jh2Ih1KnRmNpAZpHuatibhDvr7F0d3cjNzfXJACf2XQYfWLKNmVcBGz/Bn5l LbC/aokajpzSkQDPgu6gckaBypwUtA3OQMLuxgN3X7D78rFttxWmZSJE7t6Be3XEFqn3+Tvit9/8 zADwMgJg0o7MWAiMkfZIi64xKjVtd1P12ZhoHlnSNskFs16Uomm8iItA0MNHaOznQDlZhI3bfJAU R+2biRS8UWas5E8g/OljPImMxdCMZH6dqMykbTO5tJuah6OwtaRsk/pv764vQ2336KoBYHIR1dnZ Sa/h5ByzYcMGuh2SSTAjALzjHNgyNRTiSbgd2ot0VjW2bNqNDoGSet4T8LpuiRbiCIh9Ca6Semb5 yQhKyIWwIxE2Lg8hUfDgt3Y9XvWStkdSPL9xDr9dd4UBYAaAGWGEAeCVBMAkxJLcmB48eBDe3t5Y s2YNbt68SYdAmxJ+RxZYuyzBephLbdgSzFYUoeWKI5qOe2FqaBpDTx+CdeYG2gIzoVHPA6qG346d W/agsK0bj65fhVP1NDJjPeAWmoChzmpct3bFwACL+lt2oaajFV4njiJ/jI+oIDeE5dWi4XUy7Lwj 
wB18iXN2Jci974G9D/KgXuGNMT8dgL9EdfcAuuqKcPCHXWDNzCL6ynHs3LMfmTUdEInEUGnnoNHI 0FpTjnAPewREFkGtnoTrnp/h4e+Fdb+7gB6xDtN1j/D9piiEhsfgdYP55bCuFgCWz3SieZ8tGq09 wemZpmxzBp2urmDtu4EuSq+8+gq02Dihab8rpkbne2XOUfPj2UN3PM2pAas0FXZeYZgZyMTOfcdR 194Cl/UbEVbdB2+XK3jeMICSpEd4mlYG8UA6Ljl4oaOXhUtbdiOjtR7HzqWCw27BFWsXDM6uNX5/ NQAAc7RJREFUDn/TYgBMIjNycnKWAOBNKOscQA+rDAe/3YKKKT5S79hg4+YteFnWDJ5AtGCbcnQ1 1SIpwBGuPsmQKjnw3r4ZDr4+2LnuItqEWnDbkrBt5xO8SH6GxNwBmGNk9EoBYHKJbAqAlfxBtJ9z QuMZR0y0TFC2OYsuDzewDt5AZ+kghF1NaLvuDNb2Gxjv589/aE6H7IQABCTmoK+1CLb23hjozccP m3agrKUVvvv2wa9sEBGBLogsagCrIB7BES8hGSvAKYvraOppxuW1GxDb1AbbGymQqcZx/cxVNIzw VsW8cHR0xI0bN7Bu3Tp6rdy8eTMOHz4MLneJyzcKgE9u2YnG3gF0VOXgzP7z6OFz8ODgFhw6dQ4F rD7IpWKotTpqr5SiobQQ/jeuITq7GWrJAK4fPoEHge7YtuEaRqQ6jJe44+eDUbjjF4POMREDwAwA M8IIA8ArBYBTU1NRV1eHrVu34quvvqLhl+QetrW1md5DxFIIhxvQcr8QKpEI7JhkdMUWYZbVDt7U MNpP+mKwuBFT3cMUXMzny3BZz7DGKmseOGRiTM3KkJmUiNfVk9Cp5YiMdUNushu+/e4EnoaH4sKF cwjMa4WPrz9GOVLMaTUQ8ESQj2Rg43e7seuoMyalmhW/gXwqAJ/+bA18g5/gvosN9q23QBdfBrFE gdH2GjzwdsCPJ7wwLNdAQz3bjsYaxAd602HRwpEi2PxsjdSsZJzYsRGZFQ2wOX0cL5s7EOLpg8iY GijNLMVpNXmAZZRtDqdGYaqWDRWvFS2XQzFV1UStGVxMp6ShMyIX3IZW8AXzwcoaKQd+fvcwNGVo Y6k4faWYjsAYSN4L27gsXD15DI+pv8fT0xU3wgvQ8/wcPGI75g/3Ai74kx04duA8rh7/CfefN0O7 SkjtUwDYZtNWeAc9QaC7A376+jiauTJIpHJM9TThyQMXbDt5G/1yLWWbCvS2sZAWEQh7jxBMDZfj 0sYTSEx/BctDu/C8ogNethaILqtBwkMf+Ae+hswMe7uuBgAmHmA5ic7IDsVY4Qhlm51oPnUfExUs jI3MgldSgI77qeDVNVNrkWSBfzWICnJHTReXhmExXwDpWC62H84G2flGsixwKqYUHpdP4N6DEPj7 e8I28AV6UyxhHdg4v1UIueBODcLW8iocTvwIp8eVWC1T6M6dO+jt7cWBAwfwxRdfwNLSkgYyk7a5 AMDn126G/8Mn8He0xNlDzhgSSiGSKNHPKoGXqy3WH7+HcQXJzZehuaoMj++4wCehCKK+TFw/5Yzs nESc2vsTXpeX4dDuPUhrrIf7dR+kZ7dCZWbmyQAwI4wwALyiAZgIi8VCbGws7fkl+TMEgpcCYNkY C21BRbQHWDA2iInnOeh7/BgjqS1gd7dgPOoFOu/EQyKcD6OWDWdjzU83MUNBWvurZCR1CpEZG09t IhM0AEfFeqP8dTjWbbBCx/gUBjvaMUEdWB74uqKmexqi8T6kpZdC2PcSJy4kIMnPGdd8KlZ8LjCf z18UgEmhHQLBpgB47+d7MUE715WI2/MtQvJK4OP1ABMiJQVCHNjt243svklkxMVicEaK6Y5KOHgF 
o7/gFk5fSIJMpUSp09ewuJ+LrIRoJKWl4ZqlBW56JkGiNa9NfDkDsPGBnRStI3PDFADTIdDZz+YB mD+L8fIKDEeFo8WWAt+JYUyk5KE/LAQjKZ10kSudko/ge66o6pyEmD2AtLQSCIZScPpsAQ3Ag8nH cCO5DNctrFHWPwX26BBGJvkUVHvA3i8FCqUY+f730dDdjGMnwtFZnwPnq94Y48lXDQAb64AUrSMF j0x7gE9gmLYhFVL2rYFndg0ePwjEKLUWalV8eFqeQmq/CCUpz9AyMAvpdA9cHG+jscAHO396CjGl +xqfXdjnU4jCpGgkvnoF12sWsHGIBF9pZsa5TAHYz8/vne8ie2Z2drZJAKZDoF+HzQMwn4vxmmqM REWh2SYD/KkxTGQUYiAqGAMRrPkiV3NaJD29jfTyHqjFU8hMzMTkYA6270inAXg06yrOJNTD19EG 6XU9mJoYxfAYBzzWPZxxiIJUIUWRN7WvdnfD9moEhnurcMvSER0jq8NT6enpSeuAhJ6TYljkXEQu 7jMyMpYE4LO7LMGhL3kVeHpiDxKLcuDofB/TElLYcxwnvluD4p7/n73z8Gvq3P/4H3Xb+7sd9naq bbVLraNaWxVcdW/Bhag4UGQoW0CmiojsKXuThDASyCCDJCSE7ASSAJ/fcw5oQcF6rbftLd/37/e8 rg3J4XByPuf5vs94HhnS4zMx4puCrOoBDkTnQFl0BCfOlmCc1Sv5Rz/E6ZgC5KanIPN+JrZv3oHL UQVwL7KTxyTABEEC/D8pwG63m3+ub/v27QgMDERAQAD/b27gF24kxZcLsADiO1Xw2qzQxEajfecx dGw4CFVDB8QbdqN993F0nE2F1zNzlXZqHM3pB/H+kiVYuuUclP4pFOQwAW6eFuBUJsAivQM1KUfZ ez7Akve3oNcyCbUgD998+Sk++vw7JD7pg1v9EAFHKuHz6BG05CPEt5j+pzsQ7jlrbhRubrvPblyB teBt6DMCrJnZtB1Ja3Ehpws91bH8tvuAbeNfwjPgmfCiM/cmvvj0Q3z0xSokV0vg9w/j+u6vsOSD JXj3uwtQOib5ImJqahJ5mdmoadMtugL7ryjA3DrFxcW9sF+EhITAbre/XIDLM2AQ6OAarEf7d9vR vm4nBPd7MZQWj/bAI+hYvQsa4VOpmGT/zse3Kz7Dh8u/QXxVL8t2HrYcmBZgNRPgoHINVK332D7z b7ZvrURqkRgTPguuH1/P70drz+XCZO3DpsAMeCe9KIu+jH1JTX+LfYM7CbFjx44538Hp06dhs9le KsCKmTNz0ox12BfXhv7mDLzHcvkB214BIbdYoTwJSWUa1iz/CP/+dBnC8zoxzj4bf+Bbtk0/wLvf BKPf9jSbU2gsyUFOkQyLkb+iAKelpb2wX3C343InNF8qwLV3oKlXsX6sBe0rt6F90x50pnXCWJiJ 9p8OoGPlz1A0/Tow5PBADX5e9wX+/fFnuPywHQ5dGVZsmhbgISbAgY+U0IlLsfKLz9i+tRwRqbXw T7iQHPojlrD97YvDd2FwqHHwWAbGMYWWnHjsv1H4t9gvuPFKnn4HT2uXQ4cO8XdV/ZYAD8/0nSW3 tyG5QgpB4eWZvvN9HIorwpjfjdqE03wWP/72J+QLNKzmUOHM1i/5DC//ORJDrul8TvocuBWZBana tuiySQJMECTAi2oeYH46B6d7zsAdTtbxO2f9t8NqwTg3mMdz9caUbwIvnUGE71B8cwsVvx9+P4hX gNtuPiZPczb789uPm2rF56ON9RcW4Nf67rnn1lyeObkcs9nhsDme/beL5dLF3jM18VwIXyVjbJ+Z M8UWNyWIj+br+U94lWy+cPxb5Pwd5gHmBo3jZkWYk027g2XTjvGZ/3ZbrXC63CybEy9k8zcP1/x+ 
5H/uGE/T9fzHfefzxQl/zMNzxzzqO0mACYIEeFEK8HSxPcGL8ILNPwGazJIgAf7jC21uiqOFc+n/ zfm5CYIE+E/K5gRlkyABJgEmCBLgv6wAEwQJ8F9PgAmCBPivKcAEQQJMAkwQJMAkwARBAkwQBAkw QZAAkwATBAkwCfBiYXJykp/aJjMzkx+Fm2vp6eno7u5+rWJtauq55zRfFd9rfo4EmAT4b4xMJuNH aZ+dTW7E/MnXuo38NTP2/POdJMAkwATUajXu3bv3LJtc47Lp8XheK2dc3/k6uZ7y+V7zeEACTAJM ECTAJMCLFKvVyk/hwE3loNVqnzVuBGCu+J6/jtZh1z/ewnvvv4/333sXZzLqMM46YFXDXbzzHvfa e7icWo5JVuxJCiKx7MN38T5779HIuxhza3B6y1K8/+M52H3cc9petOdF4d33l+CjbwNR3Te86L4D EmBiIcLDwyGXy+dkk5saacF50v0mnFj6KcsTy+H77+FwQik8LJu6jkfT2WSvnY7K5udJVtXnYM3S d/hs7jp7HaP2IVwI/Bz/3nAIchM3Cr8fPZVpWPrJh/jwy/V40KzCYtQ3EmBiPs6fP8/PAzw7mwMD A/juu+/w5MmT+T/EjQL91tvP+s4b+W3wsnzKyqPx7nvTr0XnCzDJ/q8z5ST+9e57fD7PZ5TD5xjA kR8/xjtbbsLLm+8Y6lJC+GV9vO4Iug0OEmASYIIgASYBJl4FbsqG+eYB5uYAbmpqWlCAV729EgrH ONw2DU4s+wDp7QL8vHEDWoZdGGeF9Pmju9Fp86H9zg1ElHTAabfA6eEmwvBD3V2OXYEXYPdOwDuq QNil2xgaA/oK7+JwdB4JMAkwMQMnu88jkUhQUlKyoABvXboeUts4PA49zi57D9FN3Ti2fwdqdU54 XSOIDD2GJssEy1s6buaUwuWwwO7yYHJqAnpFB4L2nIScvdfvMiIu8jb6TG5oW0px4mIivBOLT+BI gImFBJg7ScxdCeauwHLzc3/++edg9RV/0mohAd66ciu0Li9cFiWOrV2NElELPl+6AqIRDzysPzwY sAk9Di+qw47heosGDtZ3usZ8/BVieVMm1v0YyQvwmF6II0GxGB7zoyUpHPvTGkmASYAJggSYBJj4 vQLc2Nj4EgFegnaFBgpxMwI/XYFazRBiftmMwH0H8UQkw4hhiAnuGB5EheC7tT8gYNseZBUJ+StP Y0Yxjuy5Cvs4N5L3GIwWbl7ZKVTdv4nLORUkwCTAxEsEWCqVori4+CUC/AWaZRoM9rVjx8fLUKQ0 IOPsAWwK2I7ydgmGDXrYxv2ovheDVau+Z9ncgfiMerA4wufQIexECORDTkxN+GC22DAxOQXhkzSc i82Af5IEmASY4Dh58iQ/J/eaNWvw4MEDlqVVWL16NRQKxcLfMxPgn7/4Dl2DGsiEddizbgsEBjVC 16zAvpNn0Ng7iFGDFi6vA7dP7sU3m35GQMAhFDUp+I87lFXY/NMtXoAnxl3Qj7pYTseQHXMGkVVi EmASYIIgASYBJv6bArztrf/DiTMXcTJgHZZ9tB9qDzdX5ATkbVUIOvgz3vv5BoZZAa3oaodi1I1R eRMOht6EdWyCCXAXE+ArvADzTE3AoqjAz7tPYWBkjASYBJj4HQJ8aOlSHD11EcG7NuOj/wuAzM1l 0w9NVyMuBm3Hkk0XoPNPYEjWhf4hMzyWAZwKPgPZ6NiMAJ/hBXg6m5NwaOqxcdNutA+5FuV3QAJM zEdoaCj/KMJSlre33noLGzZs4IWsrKxs4Q8xAQ5c8hGCzl7E8c3fYP368zCM+eBlfWdPfQH2bd+A dwISYGZS29PUCM34FDTNDxFwPXNGgCuYAMdM3wI903cOtNxHYNBNmFyLb35gEmCCIAEmASZeC4vF 
Mq8Ac/Lb1ta2oACvfns1hvhxN8Zx97sPcLuyAXGxdzHi9mFifATHv/8GxYM2tDaUoddghW1QgKCb sbA9L8BTPvRX5mH16v2oUloW5UBYJMDEywT4eWkSCASorKxcUIC3Lt0MFZ9NLx6sfh+XStuRkXIX w04vJn02XNm9FQ/kTvQKatCp0GHcokbY1UuQPy/ArLgebC7HpvUH8LjfvGgHqSMBJubjwoUL/PfJ DRgZEhLCPw/c19eHvLy8lwrwtq93wcTn04P4zauQ86QK127chcXjx4RHh20fvI9ajRmVZY8x6PTD ICjB3lv3XhTgKS/E+XexadtZtA3ZF2U+SYAJggSYBJh4LbgRK2/fvo0zZ87MaZGRkfzV4ZcJsIYf GHYKTZGrcOleB2pzr2PVug34YcNa7A69jVGvH+KadGz4cSPW/rAF1+63wDc5hTFTL44cieCfAZ50 63Hml0146+OvsGHjRvywJwWL7Tw2CTCxEAkJCS9k8/LlyzAajS8VYIVvOptdcatxILEFrSXx+G7t Bmz8YR12nL6OEe8k5J2F2LZ1Izb8sBGnEyrh9E/B5zQg7CyTYb0TU+NWRJ/Zjbc+/HI6m7ti4PQu viKbBJiYj5SUlGeZPHr0KH879NmzZ6HT6X5TgIdn+s7HN7bgTrkIZWnnsIbrO9evwZ6rabB5vWh+ HIWv1/2A1T/sQGJV37QAq2qxeWccL8CTdjl2rF2Jdz77Zjqf+x9gsY3VTgJMECTAJMDEXwKuwPMy oZtT5vl87P99tHFIgIk/Ga/fj0nKJgkw8dfsO5+fzoiJ8GKegowEmCBIgEmACYIEmASYIEiACYIg ASYIEmASYIIgASYBJggSYIIgASYBJggSYBJggiABJgiCBJggSIBJgAmCBJgEeLHDFWTcvIXc1A0l JSXPmlwuf41ibeLFkSgnJzHxCs8wLebnnEiAiZcdaysqKuZkk5sG6T/P5uSLGXvFbC7W0Z9JgImX YTAY+NHYn8/m+Pj4a2Rm/r7TT/kkASYIEmASYOLNY7PZ+JFmuakcuM6baxKJhH9NpVItYKvDOLl8 OZbPtG9X7YFM3YNftm3AsmXLcCQkAlaXD27LIEL2/si/djKlEz74UXNx7bPPZYhHMTlux4NTR9h7 luP05Wy4J0mASYCJp0RFRaGrq2tONrlR27l/z78zmRG2/vtnGVu+fAsGDCqcOrCVz+Guw6ehs3gw 4TXjxrHp13ZGNcHLCvDmmF3PPpdQJ8OUz4OyGxewkr1nz5FY2CcX53dAAkzMx9WrVyEUCp9lk2vc ieOtW7fy0wjOi0+Lw7P6zq27zkHR34z1a77hs3gu8i58E5MwqwU4tG0d/9r1R72s5/Sj6MSvn8sf cGHCPYLkndvYe77CzTtl8C3CXYsEmCBIgEmAideCm+povnmAOzo60NTUtEAnrsOqt7+E3OqGx+2G 22VHZnwIEkoaMekfQ2bsBeR1ydFTfAMxWU3wuYcQ8v161KrMyNnwKTK6dBi1mOH2TkFYlomgaxlw j4/D7XBiMZaHJMDEQnDzAD8PJ8Hc1ab5T05x0yCthcTixhiXTdaqHkbgWno+/+OS7EjcfdICfV0E LsSUsvcM48Lyz/Co34SCvesR1zEEq9UM1/gEVMISHD8VDZPTDZfVhkXqvyTAxLyEhoby05GZzWb+ e5XJZPj666+xZs0a9PT0zP8hrwpbV/4MjW267/Q4jAgPPYQHnXL4PBZEXTqGKp0T1VnXkV3BluFW 4UzgPnQbLUj55j0USPQwj5rh8fpRlRKF04mlcHnG4HG5F2XfSQJMECTAJMDEGxfghc9i67D57Y9Q 0NyK1uZm9GhG8SQ7CgcPHsGTTim0Wg10VhesOgWMdi/8Din2/fgDBHo1Dnz6EXYdP42Q87FQWCdQ 
nnMVmwOPIexiEBIy8mDzLL4ymwSY+E8EmLvSVFxcvKAA7136FfJmstk1OApR5V0c2L0H5a290Oh0 0JmtcOoGoLWMYcKpwK6vlqJOrUXIhtUIPHYKISHR6NY62OduYd2P+3DpQjAi49OYCC/OWy1JgIn5 CA4OxoULF7B9+3b+MYXNmzdj5cqVEAgEmJycXFCAdyxfhRIun01N6B8y4sHNczgcdAoNYhm0KiV0 Th9MQypY3D74bWIc3n8QcvMgtv3zn9h7kvWdoUnQ2seQEnkGO/af5fOZnl+FsUV4CZgEmCBIgEmA iT9UgAPfehvJBSUoKylBy4AZk34flKImRIXuwvvfH0SHzj7T4etxYM1XuFw1iMkpG8rS7kNps6Hm xnF8k9HDBDgR6YVdcLsciL1wBHUiEwkwCTDxOwT4yNJPEMuyWc6yWd83jMkJPzS9nUgO34/3vw5A ad+M0PnMOL/zR5wolLFsOlGX+xgyqwNtaVexPrGOCfAd3ExuhNPjRk74LuRWLc7jPgkwMR/cFeCW lha8++67+Ne//oWvvvoKSqUSVVVVC3+ICfDuz5ayPq8EpSyfwkELJnxeDLQ9wcWTW/H+pnPQjM3M yz2mwsYl7yGhZYjtN2YUJuVAYx9FUdAWbHrYywQ4FmWdg7AZFbgQHIIBnZMEmASYIEiASYCJ3yPA XMfOtYUEePXb30Drm+TPdE/4xtFcWQCZxgxM+VEQdxWxFSJ4HUbEnjmL4LxO/n1T4yMoKa+EzeuH vOgavkrrQlVOPFLy29nnvLh7IxJP2g0kwCTAxEsEmHsmuLy8fEEB3rp0IwZnssk1Ud1jiKTThWJj XjIisisw6bUj81oYjqc9mc6m14qa2hqMjk9AU3cHG+/UorsqBTcSK+FnmS5OCEdOiZIEmASYmIG7 +svR3NyMX375BSKRCAMDA8jNzX2pAG/7ejuG/dPZ9LosqCwqhN7iwtSEGynnjiJVNAyXcRBhB47i 3BPldD7HDCgoqYTD50dv5lFsyBEjPSoSha1y+N0mXDt3CxKNgwSYBJggSIBJgIlXweVyIT4+nh9Y Z3bjXluw8GMCvPWtd7H3yHEcP34cp06fwqOCuzh89AhOnjyOfcdOolVphLLpLj788EvsOXwMx09d Rl2rBAmh27Dj0FFs2XIU96RW6OXtOHjiGPvcURw7nYAhq5cEmASYmGG+bEZHRy98DGYCfHDp59gz k02uFVU+wMnjhxEUFIQDR4+iUqSAfeAxPlmyFIH7juD4yXMoqOpBZuQhBB46hsDAI0hp1cBqkCD4 zAkcO3EU+w6Eo984RgJMAkzMwA0U+TSTYWFhiImJQXh4OD8Q1ksF+P2Psf/odDYvXrmE+zm3sfcw 6ztZzvYcPwvpqActjyKx5JNvcfRkEI6fiYJYIkPEifX45fBRbNp0DEUqJ+SiKpbXIzh25AhOh9+H zbP4HlEgASYIEmASYOIvwbjXi9+auGHyhWkifPzUEYsVEmDiD8kmy5jvN94z9UI2/fB6xxf1diMB Jv6QfPp8+C2FnWD5nPt8sZfl07totxkJMEGQAJMAEwQJMAkwQZAAEwQJMAkwQZAAkwATBAkwQRAk wARBAkwCTBAkwCTABEECTBAECTBBkACTABMECTAJ8N8driDjpImb9qitrY1v7e3t/Gv/ebE2+eL8 h2wZk8892DQ1MQmqA0mAiVeTps7OzjnZ1Gq1r5XNuc/2Ps3mc8uhbJIAE6+ExWLh5/x9mk2ucbWR z+dbeB7g/6Tv5GZYoL6TBJggSIBJgIk3j8PhQFpaGpqamp5NfcS11NRU6HS6BYzNjIjAQATOtD37 LkCtlyH01GFs27YN126nweHxw2NVIPrcfvZaIG4X9sKPCchr4xG4LQB7LybD7P+1w5cUn0ZirhSL 
sW8nASYWIjExEQ0NDXOyyb3GzTc6/85kReLhg8+yGRgYDNWIDlGXg/lshlyNgsk+jgmfCXcuHUIA y+aVHCFYyQ5VawafzV/ORkNp8zxbpLz6Mq4ld2FykX4HJMDEfHCjP9fX18/JZl9fHz/aOifG8+If xtVZfeepkFvQqkQ4fOAXBAQE4Fb6Y/gnpmDRChB2Yg/fd2bVyFnP6UdP6Q2W1wDsD8+BfdYiW/Iu Ia9qcFH2nSTABEECTAJMvBYLzQPMXRHmpHhefDqsevtz9JudcDudcDmsyEw4xyS3jhXWHsRfO44H Ihl6S8JxM6kCPqccx9ZtRJesE59+/AkEhlHknTqEY2VcET8Fp7IO//jH2wiKbFuURTYJMLEQ880D LJFIUFJSskCBzc0DvAY9pulsOlmryotAWOr03KS5SReQVNmI4aabOHP5PjxOFQ4uXYYmWQ/Wr/4G zTobqiIv4vi9dj6b7qEOltkPEHC6FhOL9DsgASbmIzQ0FB6P59kMBtz3u3r1anzxxRf8XRvz4lVh 64rNUI2yfpPrO23DCA89gKzWfnhdI7hwcheq9E5UZ1xGemEH4JTg1J4jkMsb8c57H0FiNCE54EeE Nhj4fNqlpfjH/32K6KxeEmASYIIgASYBJt6EADc2Ni4owBvfXoqaXgkkvb1QDttQlh6BkLBwCAfU 0AzKIDfZ4DQPQaXWQiaoxbmfDqBfL8OBLzYis7YJMXuOIqZjGF6HBpH7ghFyZhdOXm9ZlEU2CTDx nwiwVCpFcXHxggK8e+kqVM1kU25woL30DoJPhaBdMoghrQpynRGeUS0G1TrIRY0I+nozRDo1zv24 E3eetCL1TAhuVvTBP2ZG6rnzOHtyJ7adfPKb05uRAJMALyZOnTrFz/t78uRJ/tGEXbt2YdmyZXjy 5MnCt0AzAd7+xXo0cvns6YHGOIL08DMIi4mDWDEE9UAP5JZx2Ew6aFQaDLRXIezIJWgNPQj8aB0e 1jfg8oadSOmzYmy0D2c3HsGxE4cQld69KE8ekwATBAkwCTDxhwpw4FtvI+FRIYoLCtAoHYHHNoLm 0jxEXTmG7/dcQo/RCe65pkGpEPdunsaqDSdhsBpxddnHOBgejy2bNqNUYUVrSTIiMkswJs9E0Nkm ugJMAkz8TgE+svQT3JrJZm2PAeMuKzqqipBwMwhrdgShXj7CXz3Sq/uQeysUnyzdAfWoGXEbV2PH lTvYv3MbclrlkLfl4uLtDDiVuQjYVUlXgEmAiVmEhISgvLwc77zzDpYuXYoVK1bwzwEveOfUjADv /vQzpOYXoojls1M5CueIAbWPc3D5/CGsPRwF/Th3qskPiaAJWdeOIfDADVjsOpx5918IjojBqq/X o15rQ8Hd60go7YCiORNRcV10BZgEmCBIgEmAid8rwFxH3tzcvKAAr377O+gmp/iCbtLvg6i5HroR B6ur/ShJCMftChEsql5ohx3sPX7c3vs94u9H4OMPouFhn9MWnsU7Bx8j/uevwHZIrFj+Id5fshFl rUoSYBJg4iUC3NPTg9LS0gUFeOvSTVDNZJNrkvYaKLSj/I9b8lMQkV0Op6YbSo2Nz2Z64KcIu5eE NV+Gwz3JhK/uNr44nI7MbV9h7Y8/4qsVn+Kdd1chu3hxFtkkwMR8XLhwgf/fiooKfP/993x/yT2b f+/evZcKcMDXO2GayafPY0dzfSOsrnFg0oP088eRLByGUSmFcdTD+lMfLh/bjbwHZ/He+8kYZ59T ZGzHh/tzcfXHr/DDtm34fOmH+PCjAHQMjpIAkwATBAkwCTDxKnDPCCYlJeHhw4fIy8t71riBsbjR ZhcS4M1vfYBLN2/xBXpc3G08yInB2YuXERt7C0GngvFEMgR5XTyCDp/C7VtXcfjQNUhV3TgdsAdX 
o27hzMGDuFCphnfMDffYGIyiRBwLqYRvcvFdAyYBJhYiLi7uhWwmJydDJpMtKMD7lq7AhZlscq2g IBnnzofyyzp3LhiPW/ow0pWG478cQ8ytcOzedgoiVT+uHT6KsKjbCD1xDCH5YvjGp7Np7svAll/y MTaxOK8BkwATC52ceprN+Ph4PHjwAAkJCfwJqpcJ8LYPP8eVyOls3klNRFrSVZy9fJ31k5E4fCIY AoML7Y9u4kwwy+ytyzh9IREqdQcO/bAD4dExOLn7F9xsMEz3nePj6KpMwPW4Fkwswn2LBJggSIBJ gInXgivIrFYrDAbDnMZdGV6wWJvyw6hWQz3TuP3BPeaBXqflC3PuuSZOZCf9TGw1g5DLVDBa3dxE D3BbDBhk71GqDRifNQXLlM+JEcvYovwOSICJhbDZbC9kk9tXFnzGcIrtS0PaZ9nkmosVyUaDjs+m 2jCMcf8EpiZ9GOGeB5YNQj/qwiTLusdmgorLpmoIHt/krLi7MDziXrTfAQkwMR/cDArPZ9NoNL58 CqQpH4ZnZXOIHa89Yy5otRrI5HIMjVj4LPrHXTColCyzapgdY5hifadzRAcly+eg1ohZ8YRvzAmr fXxRfgckwARBAkwCTBAkwCTABEECTBAkwCTABEECTAJMECTABEGQABMECTAJMEGQAJMAEwQJMEEQ JMAEQQJMAkwQJMAkwH93uIKMe85wcHCQH8HyaeOeC36Npb38+aeFV+L1PkcCTAL8N4d7zlClUs3J 5kufz6dskgATfwgul4t/jnd2Nrnj+B+ZzalFnk0SYIIgASYBJl67E+emQeKmVSkrK3vWsrKy+IJt fmOzIjM0FKEz7cq1JBhGNEi6fYOfGzHtfiFc436M2QzIiZl+T2RcEvR2O2ruxyL8Vhw6FdNTNtiN CtyJDmefO4/ijiGaB5gEmJhFZmYmSkpK5mSTG6F9wcJv0oG8iOvPshkaegt6qwnZKTF8NhPScmBx eTHhc+Fx3PR7rl6PwKDFgebCNFyPikBN9zA/3ZHHrkd2QgRCzp3DvfpBmgeYBJiYxd27d/n5uGdn k5tRgTuZPH823ShLipuVzWjonA4U5iSwbJ5DNOsjDVZuIEg/ypN+7V/7zU4Iqx/gxs0wFLRq+Wz6 vVbkp0bz2bxTPgA/CTAJMEGQAJMAE68OdzWJk13uDPTTeUO5f7e2tr50HuA1by+DUDUMEysOjcNM dO9cwM0H5XBYRxARegAPu2Swa6WIunQJ/RoVVBotxv0+KOVCXNuzCrlV00VCKftc/MNmOPWdOLnr BGSWxTeaJQkwsRDcVCnPZ7O7u/ul8wBvW7oKbYPDGGHZHB42ofpxNC4kZsHtciEtOhhJlY3weUYR F3wEnfJBKAdV8Pj80Ki6EX/gM9y618cX2Z2PruBKfCnsw904sSEQnYbFORI0CTAxH5ycPp9NhUKx 8DzAExYc37QNDcpfsyluTMPxq9EYtTtRePcSwrPyMDE1juQDW1ErUUIul8PlnYBeJ0XWkX/h3O1O /iSxuuY6Tl7MgXlYguNfrkK1ykECTAJMECTAJMDEfyLA3BXg5+no6EBjY+OCArz+7S8g0A5hSKuF 0epCQUo4IpMzMKgfgUbWA/GQGcPyepzcewRFxaVoEcgxPnMJKf/mYeSWTgtwf1cbhqzj8Ls0CDl4 CJKRxTcVEgkw8TIBfh6pVMpfeVpIgHcsXYv2mWwOWz1oKoxH2I1YyIdM0KnlECuHMObow/Gft+Nh YQnqmiUYm8lmY+IvuHV3WoBVXY2QGd2YHDfgQsBmNGudJMAkwMQsAZ6vNpqvP30qwEGbtqNZM51N w6gL/c1ZOH32CvpUOhgNWoj7Zaw/UOPYmvXIflyCqrpuuGcu70qzt+LcjWkBNohrIGZ5nPSaELZ+ 
BUpkNhJgEmCCIAEmASb+2wIc+NZbiH2Yj4JHj1AnMcEyJEdeSiyiIkKx/0IC5KNuWAxCJN5ORlFJ LoJ+3ol6rWtGgHc9E2AerxFXD2zBtbyGOXMDkwCTAJMA/+cCfGTpJ4jKnc5mtVgPp1mLoowkxMZc xN6zNyHQWuF19yP+ZiwKSh4iePU6FMjsMwL80zMBns76KG6f2oPgtHJWiC9OeSMBJt6UAF/c9D2u P8hHIctmpUCFMacJFTmpiI+5hF9OhqFWasTUpApxVyKRX/wIp5cvR3qPZUaAv38mwNNZtyE9PAh7 bj2Cw7c49ysSYIIgASYBJv5QAV799mo8Va2pST/6u8WwOb3sP/yoSLyBW+VC+D1mONxe/j3VOXuR 1zvyogD7nUg6uAtrMrsX7XdAAky8SQHeunQzZh+hlT1CGEc9/L/bC+4iIqsMU2MjsDqn77YQ3v8J 8e36FwV4Ygy5YcFYHV+/qL8DEmDiTQnw0U17oZj1kravHZrh6TsrZC1FuBKdDq9nBKP26bwO5q7C xRr1iwLM+tnqpBtYG56/qL8DEmCCIAEmASZeC7vdjpSUFDQ1Nc1p3HNM3PNMCwnwxrc+QmpuAQoK ClBU+BhZyWG4disJxUUFuHj+NIpFg9D3V+L4uTPIz8/GwZ+Po9Uw3annR+9Dbvm0AHc8TsAn3+5B XkkJCkrqMDxTqJMAkwATQFxc3AvZzMnJQU9Pz4ICvHvpV0h6MJ1Nrj2+F4FL16P5wbQiroUgp0aA MVM7Dh8/iAePcrBv1Q5UqKbvzmi8E4hbGdMCrGx+gM9XbMXdPLac4moM6hbnc4YkwMR83Lx584Vs cvLLnTxeSIBPb/oJ8fd/zWZV8W2EXLyGwqJixEdfQuKjakw4enFg/3ZkPbyPPUs34OHA9N0Z0nub cC5yWoAtskp8tWw9YjIeoqCwDBKlhQSYBJggSIBJgIlXhRu4gxu1UigUzmnc4BucmM3L1Bi66+pQ N9MaWcc/YhuFoL0F1dXVaBVL4PFNYMLngUQ4/VqnzIind1AOqyUwjEyLrmlo4Nly6ppEMNtpECwS YGL2sfb5bHJXgP3+BcZ9nfJC2tL8a6ZYM9nt6Ba18TlsFojhGPPxd23Ie9rxhL3W0qfH0zsoLUO9 UOmnr0hxI7Q/W05jB/QjNAgWCTDxFJ1OB5FINCeb3Ikpn8+3QDZ9UAg752TT6HRB2tPJZ7OhvROj Lq7/m4Ra2slns65LA+/MLuM0iDGgsvEnp8as6l+X09CyaE9OkQATBAkwCTBBkACTABMECTBBkACT ABMECTAJMEGQABMEQQJMECTAJMAEQQJMAkwQJMAEQZAAEwQJMAkwQZAA/z4BdjgcqKqqgtlsnlPs t7a28s+Y/mlMTWDMM44/pRSZmoRnfL7n96aoOCIB/sME2OPxoLa2FgaDYc7r3HNsfX19f2I2JzE+ Nv7rVB9veNnuMf9vLntqwg+vb5J2TOJPEWDuGVJuQCWVSjXnde75Ui6f3LgNf1o2x7344377FHxe PxweP/9vL/u33eN/ydunMDb+2/n2s+V438B0e9x36WLHkzfabb/iMep5xt7Q30QCTAJMECTAb0CA uak6/vnPf+LgwYOQSCT8tDoymQwffPABvv/++5d0An5ImmpR3j27OPeg6lEJ1CbXq0mF3wune2xe yZ20y3HkQAKsb6on97vxoN0AtWOhznkSDqsDHv8kJiwjuJgtweyhnrweL+oFQ7jboEGz2gEqvUmA /9sC3NbWhv/7v//Dzp07+ZNRDQ0NfIH+4Ycf4ttvv33JJycx2NWKcsHg7PILtXmPINHYX7HG88Pp cmNynnBOOjUIPZMK8xsIgcNhRX6bATkzraZrEMdTujHsf/nnRtmxKrfNSDkk/hQBViqVeOedd7B1 
61Zeguvr6/lcf/zxx1ixYgWcTufC+ZeJUd4imfXKOJpy76FzYPQVT/hOsNw4MZ9LTXmGEXUtE8aJ N3nwc6FSaITB8+JCxxwOpD0Q4+KjAditdiTd68KlfBmexnfSZ0OzwvZskKgppw0R93ug9b309AIq 2TJTRebfveoGjR4RpQqMv8H5sSctJpxM/e1j1PPS3N6hRNQTPfyLLJskwARBAvyXFOCuri6cPXsW jx8/5jturgM/dOgQIiMjkZqaivHxBUb8nXQjPeQI/r38IkafSqKqAB98vAmV7a9W4Kuk9bh25yHG 5unJp/weJuQ6vKl+y9ytwidX2xDRZFqgk3cghHW6Dwc98JqGsfFWN7yzftwnHsD5QiUkTET2pUrQ P+qlqpME+L8qwAMDA7hw4QKfza+//hofffQR9uzZg9jYWCQkJGBsbGyBYsuHorgwfLo0GE/3dp+2 Ah9+8A0yyxSvJqYjYoRGJMIyPk82J8Yhl/06KvHvYVAjQwgrmDtkRojkRiiMdsiM7mcF84LHtw4x X0xOTdC+SfzxAsz1r1euXOGnouNORnHZ3LFjB5KTkxEdHc1PXbdAONGcl4DPPzmIp6eO/YYGfPze x4jI7Hk1AfYOIvjsZehck/Nk0wvV4PAbyeavv0+PzdFCtBhfrAWMuhFcy1NjyDoO7aARVx9rYbT/ eueWz6VESMEgHBNP128CGrMH4y9dPy9yYjsRVP97v1M/0tNFuN9nfaN3kk35fZC/wjHqBa0fsyMk QYhHSicJMAkwQZAA/9kCvHLlSl58r1+/jn/84x984zrzo0ePYsmSJXxnvrAAn8SyTz9AusDEF91Z +/6FD1dsR2WbDhPjNoSf2ccOXitw+GouLBYZ9u8OxsXT27B8bSBKezRI2/0Z3v/3x3ggHIZF149j +wLw3Tdf4nr6EzjMQnzyj0MwWIdw7kQIws9vxxff/4x7TTL4nCO4cf4gv+zLd2vgGB3A9q37cezI VuQU1mD92nMw+meffB1HZn4PblZIEJQrh5n1XKbuXlyr0oPrl1seCnAxqxfrb7Thh+QeCKRDTIA7 cOqOEN/FCFCqHEN1kQiPuqbn8cu+J0K1enF1YiTAf7wAs44fX3zxBZ/Nt956i8/mv/71L5w6dYq/ Cnzx4sWXCPA1fPnxEtxqMvB3a+SfXolPvtyIzBI5+2M8iA87wqR6JXacToPZPoTzQedxPZTL2E/I buxF/qFleG/Jv3HnSS88Vj3OH9uNb1k2z94qgs0iwbplQdA6zIi6fAXXQnZixeofEF8iYL/KjaTr J/hlB8eWwmbT4MShEwg+/D1u59Tgl52XoZ919UfJBDiyfgh2jw8e1saH9fg2ohODFifCc0Q4wQrh SCa60k4FVt8WISBZjKYhFzQiMdZHdmJLvABb0iUwuMfQUNyLtbEi/JzUBYnNi2FWeB1LEmJTbAdu 1engn/CjtayLvUeIXWm90Hvp+jEJ8OsJ8HfffYfly5fzGXyaTe5ujdDQUHzyyScIDg5eUICb8pLx 1YdLEPZkiP2uCVTc2IrPvvgGEXe7mSCOITPiJL76+isEnIiDyTWKW1ev4uq56YzFFrWgKngl3nn3 fUQ+rMOk14GIs/v5vvBg2H1Y7IPYvSEEKrcbWfE3ERq8E1+t+h5Xsmrg9XrwIO4sW/ZKHL6RC6vT xPrVEJw9tAIXkmpx5mQEtN75BfgHJsDNehfEDVKsuS3E9pRuSKw2pCQLsDKiA8dLB5GQ1ImVN5m4 lv8qPM8L8IRtFL+wTPY7vcgq6kIw+/eGOAGusoyPjbmRmiHAutsCfH6tDVcbtGiql2JdXBe2Jneh VevE5LgTUXdF2Mg+sydbik6hGsfvyzDBjnGltb2IbzfPulI7iEB2bDCxWsAr78dGdrwIZMeLr26L 
oRy24EKGCMfjOhHXYIC4WYZV7O/6KbEL9ez3uCxWXEwR4IdYAXaw9SlldcfWWwIcjBehiG2Db9gx SjHqROi9XjjY7mLTWhD6UAZbXx82RQnY7+nEpqRuXMnuwrrIDtwTjfASPlTbg8BsJRbTjdAkwARB AvyXFOD169fj888/R1hYGH8Gm/vvkJAQsN+Pzz77DElJSQsKcHJINKrqM3D8eDxG1FVYsvYy4u6k orJ5CD6bHGl376GzsxJbP1mKNkU3fvgxCL3DDvTk30JAai1krY9wMiwebt8ktAMdeJBXjC5BCQ4G 7oFMWc+Kiu+gtqqxd885dBkckD3Jwt6EfMgrwxGw5ySqq3Kx7vOv8UTchm9WHkHn0Cj8Xjf72w2Y fYeVw2jBkVQxbOzV+LQuNGndMHaJcZl11Fy/XHufdYLNShxmnXmK2ArviJEJsBBdbF3bGmTYcE+B +3c7kcsEeIoX4C7UqF1UdZIA/1cFeNOmTXyRzV0F/uWXX7Bu3TqcP38egYGBWLp0KSIiIhYU4Edx qcgvSMb2bZdh1LXg24CruJeXgszHA4BHjaTEdLR3VOPHt99GrUKGA/tCINI7oKi9h33xjzCqrMWh YxdgdE/Apu9FVvYjCAVl2LVqLcSKDny+dCMUDhNCz1xCo8yEIWEljkWnYLT9FtZv3oPyyjx8+867 eCzsQuDmYDRrTHwBrtcNz7mzQsUEeF+yCKkFfcgo7odELMeKG+0YMDsQkilCjdICu8GMY8mdSHwy iNt5XdhfqOEF+BQrrK12O9JSOpHcrEZGlQRlrWpcY+J8vXMUnW3d2M+KY4FYhociI0YGNPjkajuy a+U4wor1s00jtGOTAL+WAHP947Jly3D69Gns378fa9euxZkzZ7Br1y7+9UuXLi0owHV5D5GZegvr vjkJg5EJ0aFrqKhOQUSSCFNjOsTGJKGloxa7l36CUvkQLoWEob5/GPquahyPSsb4qBC/BOyH0urD hEOB1NQcdLB+dsuHH6NF0YPN6wMw4HYhPvI6ClvlsAyKcPbaDSiak7Dim80orniMdUveQ0ZHP4IP nUeNXI9x7xiMBiO8WFiAnwg02BzTgdQaJcKyhDhSqYderceNx0rWh/uhZut6vUgF36y56Z8XYJ/F jB0JneixeZH0uAv5vaMw6404mdGL/loxtqVJYbRYEB7VgdPlclzMEeJajQ7VHXIIDG74bcNIrRhA Q/sAfmSyXdGjw84E1lebnIhkx4uOWVepXQMS7MwcAHeh3DXQy/7dj2GLDfeS2xHyWIpjd4WoH7TC qjNhLxPsfrMb/UImzWn96KoRIaxcA4fdiihWF2TVMfGPErIaww7nkHb6GDXCHaPEvABbNaM4kNOP kR4xgvKVsFpGcPJ6B+4KTNAJJNiY2M9vW7eiHz+lSmFbRHeukAATBAnwX1KAuQ4/KCgI//73v/ln frdt28aL76pVq5i8dsLtdi8owLEhV9BntyHzUiDOBGxHfI8V6eHHmQDrYJbkYv+xYLQKm3CGCXCz TIgf1mXynYBFnI1NKfVQdJXgXPgdePxTaC+Lxblr0ejpa8TFgF/Qr2jkBVhrHcTenZn887iOgTL8 klKEloR12Hs0CjUNdaiqqYdW2ckEOAML3ZQs7B7AStYZbUoU41vWcUU1mWAU/SrAjQ87Ed8+iKMp AmQMuJkAc7dAi+FhPzOINFidrUD5Q+GsK8BddAWYBPi/LsDc77t27Rp/tZfLY0BAAC++3F0bNTU1 cLlcCwrw/bg4ljkl8kPX4+TeI4hrlKEkbj8TYDlcqhIE7t7LisgmnPrn26gakOLA7pmMySuwN6UQ NkMbjgddhnlsCoq2dBw/e4mJZCNCvlsLoXxagFWcAAdlwuzwwq3rwKnULEiy1uKnwMt40lCPisoq 
--f46d044288cafbb5c204f7088f59--

From nobody Mon Apr 14 17:36:05 2014
Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To:
jose@ietfa.amsl.com
From: Mike Jones
To: "Berry, Matt" , "jose@ietf.org"
Date: Tue, 15 Apr 2014 00:35:16 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A15876F@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <2FE1ED37161DA34CBBDA0E4C0AFEB1DD011A654D@ex10-mbx-9003.ant.amazon.com> <4E1F6AAD24975D4BA5B16804296739439A15801E@TK5EX14MBXC286.redmond.corp.microsoft.com> <2FE1ED37161DA34CBBDA0E4C0AFEB1DD011A6824@ex10-mbx-9003.ant.amazon.com>
In-Reply-To: <2FE1ED37161DA34CBBDA0E4C0AFEB1DD011A6824@ex10-mbx-9003.ant.amazon.com>
Content-Type: text/plain; charset="us-ascii"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/KtQnKM-N6YvDSOHOUY_ek2h6GmQ
Subject: Re: [jose] Question about minimual unsigned big endian representation of JWK parameters

I get your point, but the Google example isn't a good one, because it's not actually a JWK in one other important way as well - the values are base64 encoded, rather than base64url encoded. (Note the presence of '+' and '/' characters.)

To me this topic seems like a fine place for Postel's Law: "Be liberal in what you accept, and conservative in what you send." I have no problem with JWT readers that can read malformed input prefixed with extra zeros. But anyone emitting a key representation should do it in the standard representation.

The standard one is that way both for compactness but also for simplicity. It would be more complicated to specify rules for when extra zeros need to be prefixed than to not prefix them at all.

For what it's worth, if you're worried about your implementation of a JWK reader treating the high-order bit incorrectly and you're willing to parse extra zeros, you could always prefix anything received with three bytes of zeros by prefixing the content with "AAAA".

Cheers,
-- Mike

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Berry, Matt
Sent: Monday, April 14, 2014 3:53 PM
To: jose@ietf.org
Subject: Re: [jose] Question about minimual unsigned big endian representation of JWK parameters

I wholly agree that the value is both unsigned and should have a one in the highest bit. The trick of it is, when working with unsigned integers, there is a tendency to put an extra zero byte in front so it is not incorrectly interpreted by signed libraries. This was the point in adding the OpenSSL output. These are unsigned values, but OpenSSL still adds a zero to any value with a one in the highest bit.

Although the minimal unsigned representation of a 1024 bit RSA modulus is always 1024 bits, many libraries will encode either 1024 bits or 1032 bits in the case that the highest byte is 8 through f. I argue that following suit costs only a few bytes and that consistency trumps efficiency in this case. It will also reduce the number of accidentally incorrect JWKs found in the wild. If an implementer doesn't carefully read and implement the spec, they will likely encode 1032 bits in some cases, an example of which is Google.

> modulus:
> 00:ba:5c:82:f9:26:34:e3:4b:e3:d2:d4:81:5a:c6:
>
> https://www.googleapis.com/oauth2/v2/certs

-Matt

-----Original Message-----
From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Monday, April 14, 2014 2:49 PM
To: Berry, Matt; jose@ietf.org
Subject: RE: Question about minimual unsigned big endian representation of JWK parameters

According to a crypto expert who spoke up at an in-person JOSE meeting when this was discussed (I think it was Russ Housley), the high-order bit of a correctly formed RSA mantissa must always be 1. (If it weren't then the key pair would contain less than the required number of bits of information.) Thus, there are no leading zeroes to strip, for what it's worth.

Also the value is unsigned, not signed.

Best wishes,
-- Mike

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Berry, Matt
Sent: Monday, April 14, 2014 2:36 PM
To: jose@ietf.org
Subject: [jose] Question about minimual unsigned big endian representation of JWK parameters

Throughout JWA Section 6.3 "Parameters for RSA Keys" the following phrase occurs repeatedly:

> The octet sequence MUST utilize the minimum number of octets to represent the value.

I understand the rationale for such a phrase, which is to minimize the overall size of JWKs.
This is a core tenet of the JOSE working group. However I have concerns about the practice of stripping leading zeroes from RSA parameters.

The benefit of stripping these leading zeroes is likely negligible. Consider this RSA key I just generated (included below). The total benefit of stripping the leading zeroes is 5 bytes before base64 encoding.

Although I believe the attempt to reduce the overall size of the JWK is commendable, I think this will introduce more confusion and non-compliance than anything. An example would be Google, who currently does not strip the leading zeroes (or even base64url-encodes).

> https://www.googleapis.com/oauth2/v2/certs

I suggest rewording relevant sections to the following, to allow for the minimum amount of padding octets required to make the keys unambiguous.

> The octet sequence MUST utilize the minimum number of octets to
> represent the value as if it was a signed integer.

Sincerely,
Matt Berry

== The referenced RSA Private key. ==

Generating RSA private key, 2048 bit long modulus
.........................................................+++
..................................+++
e is 65537 (0x10001)
Private-Key: (2048 bit)
modulus:
00:ba:5c:82:f9:26:34:e3:4b:e3:d2:d4:81:5a:c6:
...
publicExponent: 65537 (0x10001)
privateExponent:
00:9d:23:3c:5c:90:d6:af:81:62:0c:77:9a:ca:cb:
...
prime1:
00:ee:b8:c9:5f:ca:8d:9e:1a:a8:9b:6c:34:2f:c4:
...
prime2:
00:c7:d9:8d:57:17:6c:a4:46:1a:9a:c0:2d:93:da:
...
exponent1:
54:c8:b4:5c:9d:27:e6:fb:38:de:da:73:3e:74:08:
...
exponent2:
00:c7:7f:c6:f6:5f:ad:d6:37:1d:2b:ca:18:35:76:
...
coefficient:
74:a4:07:7c:4f:04:be:40:62:2e:af:ff:37:b5:9d:
...
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose
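
The rule this exchange turns on (emit the minimal unsigned big-endian octets in base64url, tolerate extra leading zero octets on input, and notice plain base64), as an added Python example that is not part of any message in the thread. The function names are hypothetical, and the 14-octet test value is only the modulus prefix visible in the quoted OpenSSL output, used as a toy number rather than a real key.

```python
import base64
import re

# Unpadded base64url alphabet only: no '+', '/' or '='.
_B64URL = re.compile(r"[A-Za-z0-9_-]*")

# First octets of the modulus in the quoted OpenSSL output, without the
# leading 00 that OpenSSL displays. A toy value for the demo, not a key.
THREAD_MODULUS_PREFIX = bytes.fromhex("ba5c82f92634e34be3d2d4815ac6")


def _min_len(value: int) -> int:
    # Zero still occupies one octet, so it encodes as "AA".
    return max(1, (value.bit_length() + 7) // 8)


def b64url_encode(octets: bytes) -> str:
    return base64.urlsafe_b64encode(octets).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # The stdlib decoder is lenient about the alphabet, so check it here:
    # '+', '/' or '=' means plain base64 was used instead of base64url.
    if not _B64URL.fullmatch(text):
        raise ValueError("not unpadded base64url")
    if len(text) % 4 == 1:
        raise ValueError("impossible base64url length")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_uint(value: int) -> str:
    """Conservative sender: minimal unsigned big-endian octets, base64url."""
    if value < 0:
        raise ValueError("value must be unsigned")
    return b64url_encode(value.to_bytes(_min_len(value), "big"))


def signed_style_octets(value: int) -> bytes:
    """What a signed-integer encoder emits: 0x00 is prepended when the top
    bit of the first octet is set (the 00: prefix in the OpenSSL output)."""
    raw = value.to_bytes(_min_len(value), "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def decode_uint(text: str, strict: bool = False):
    """Liberal reader: returns (value, extra_leading_zero_octets).

    With strict=True any non-minimal encoding is rejected instead.
    """
    octets = b64url_decode(text)
    value = int.from_bytes(octets, "big")
    extra = max(0, len(octets) - _min_len(value))
    if strict and len(octets) != _min_len(value):
        raise ValueError("non-minimal octet sequence")
    return value, extra


def normalize(text: str) -> str:
    """Accept a padded parameter and re-emit it in the standard form."""
    value, _extra = decode_uint(text)
    return encode_uint(value)


if __name__ == "__main__":
    n = int.from_bytes(THREAD_MODULUS_PREFIX, "big")
    minimal = encode_uint(n)
    padded = b64url_encode(signed_style_octets(n))
    print("minimal :", minimal, decode_uint(minimal))
    print("padded  :", padded, decode_uint(padded))
    # "AAAA" is one whole base64url group, i.e. exactly three zero octets,
    # so prefixing it does not shift the alignment of what follows.
    print("AAAA+   :", decode_uint("AAAA" + minimal))
    print("re-emit :", normalize(padded) == minimal)
```
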

In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A15876F@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <2FE1ED37161DA34CBBDA0E4C0AFEB1DD011A654D@ex10-mbx-9003.ant.amazon.com> <4E1F6AAD24975D4BA5B16804296739439A15801E@TK5EX14MBXC286.redmond.corp.microsoft.com> <2FE1ED37161DA34CBBDA0E4C0AFEB1DD011A6824@ex10-mbx-9003.ant.amazon.com> <4E1F6AAD24975D4BA5B16804296739439A15876F@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Mon, 14 Apr 2014 22:23:01 -0400
Message-ID:
From: Richard Barnes
To: Mike Jones
Content-Type: multipart/alternative; boundary=089e013cba62a6a3f404f70b7afb
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/LRwy4GX8bpLxbwYhwpPTRu4Jrsg
Cc: "Berry, Matt" , "jose@ietf.org"
Subject: Re: [jose] Question about minimual unsigned big endian representation of JWK parameters

--089e013cba62a6a3f404f70b7afb
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Apr 14, 2014 at 8:35 PM, Mike Jones wrote:

> I get your point, but the Google example isn't a good one, because it's
> not actually a JWK in one other important way as well - the values are
> base64 encoded, rather than base64url encoded. (Note the presence of '+'
> and '/' characters.)
>
> To me this topic seems like a fine place for Postel's Law: "Be liberal in
> what you accept, and conservative in what you send." I have no problem
> with JWT readers that can read malformed input prefixed with extra zeros.
> But anyone emitting a key representation should do it in the standard
> representation.
>

This is the right answer. Note the corresponding text in the WebCrypto spec, which says pretty much the same thing (consume extra 0 octets, but don't produce them):

"""
The BigInteger typedef is a Uint8Array that holds an arbitrary magnitude unsigned integer in big-endian order. Values read from the API SHALL have minimal typed array length (that is, at most 7 leading zero bits, except the value 0 which shall have length 8 bits). The API SHALL accept values with any number of leading zero bits, including the empty array, which represents zero.
"""

--Richard

>
> The standard one is that way both for compactness but also for simplicity.
> It would be more complicated to specify rules for when extra zeros need to
> be prefixed than to not prefix them at all.
>
> For what it's worth, if you're worried about your implementation of
> a JWK reader treating the high-order bit incorrectly and you're willing to
> parse extra zeros, you could always prefix anything received with three
> bytes of zeros by prefixing the content with "AAAA".
>
> Cheers,
> -- Mike
>
> -----Original Message-----
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Berry, Matt
> Sent: Monday, April 14, 2014 3:53 PM
> To: jose@ietf.org
> Subject: Re: [jose] Question about minimual unsigned big endian
> representation of JWK parameters
>
> I wholly agree that the value is both unsigned and should have a one in
> the highest bit. The trick of it is, when working with unsigned integers,
> there is a tendency to put an extra zero byte in front so it is not
> incorrectly interpreted by signed libraries. This was the point in adding
> the OpenSSL output. These are unsigned values, but OpenSSL still adds a
> zero to any value with a one in the highest bit.
>
> Although the minimal unsigned representation of a 1024 bit RSA modulus is
> always 1024 bits, many libraries will encode either 1024 bits or 1032 bits
> in the case that the highest byte is 8 through f. I argue that following
> suit costs only a few bytes and that consistency trumps efficiency in this
> case. It will also reduce the number of accidentally incorrect JWKs found in
> the wild. If an implementer doesn't carefully read and implement the spec,
> they will likely encode 1032 bits in some cases, an example of which is
> Google.
>
> > modulus:
> > 00:ba:5c:82:f9:26:34:e3:4b:e3:d2:d4:81:5a:c6:
> >
> > https://www.googleapis.com/oauth2/v2/certs
>
> -Matt
>
> -----Original Message-----
> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> Sent: Monday, April 14, 2014 2:49 PM
> To: Berry, Matt; jose@ietf.org
> Subject: RE: Question about minimual unsigned big endian representation of
> JWK parameters
>
> According to a crypto expert who spoke up at an in-person JOSE meeting
> when this was discussed (I think it was Russ Housley), the high-order bit
> of a correctly formed RSA mantissa must always be 1. (If it weren't then
> the key pair would contain less than the required number of bits of
> information.) Thus, there are no leading zeroes to strip, for what it's
> worth.
>
> Also the value is unsigned, not signed.
>
> Best wishes,
> -- Mike
>
> -----Original Message-----
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Berry, Matt
> Sent: Monday, April 14, 2014 2:36 PM
> To: jose@ietf.org
> Subject: [jose] Question about minimual unsigned big endian representation
> of JWK parameters
>
> Throughout JWA Section 6.3 "Parameters for RSA Keys" the following phrase
> occurs repeatedly:
>
> > The octet sequence MUST utilize the minimum number of octets to represent the value.
>
> I understand the rationale for such a phrase, which is to minimize the
> overall size of JWKs.
> This is a core tenet of the JOSE working group. However I have concerns
> about the practice of stripping leading zeroes from RSA parameters.
>
> The benefit of stripping these leading zeroes is likely negligible.
> Consider this RSA key I just generated (included below). The total benefit
> of stripping the leading zeroes is 5 bytes before base64 encoding.
>
> Although I believe the attempt to reduce the overall size of the JWK is
> commendable, I think this will introduce more confusion and non-compliance
> than anything. An example would be Google, who currently does not strip the
> leading zeroes (or even base64url-encodes).
>
> > https://www.googleapis.com/oauth2/v2/certs
>
> I suggest rewording relevant sections to the following, to allow for the
> minimum amount of padding octets required to make the keys unambiguous.
>
> > The octet sequence MUST utilize the minimum number of octets to
> > represent the value as if it was a signed integer.
>
> Sincerely,
> Matt Berry
>
> == The referenced RSA Private key. ==
>
> Generating RSA private key, 2048 bit long modulus
> .........................................................+++
> ..................................+++
> e is 65537 (0x10001)
> Private-Key: (2048 bit)
> modulus:
> 00:ba:5c:82:f9:26:34:e3:4b:e3:d2:d4:81:5a:c6:
> ...
> publicExponent: 65537 (0x10001)
> privateExponent:
> 00:9d:23:3c:5c:90:d6:af:81:62:0c:77:9a:ca:cb:
> ...
> prime1:
> 00:ee:b8:c9:5f:ca:8d:9e:1a:a8:9b:6c:34:2f:c4:
> ...
> prime2:
> 00:c7:d9:8d:57:17:6c:a4:46:1a:9a:c0:2d:93:da:
> ...
> exponent1:
> 54:c8:b4:5c:9d:27:e6:fb:38:de:da:73:3e:74:08:
> ...
> exponent2:
> 00:c7:7f:c6:f6:5f:ad:d6:37:1d:2b:ca:18:35:76:
> ...
> coefficient:
> 74:a4:07:7c:4f:04:be:40:62:2e:af:ff:37:b5:9d:
> ...
> writing RSA key
> -----BEGIN RSA PRIVATE KEY-----
> ...
> -----END RSA PRIVATE KEY----- > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > --089e013cba62a6a3f404f70b7afb Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable



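The reader/writer split recommended in this thread, sketched as an added example (not code from the JOSE drafts, WebCrypto, or any poster): a reader that accepts extra leading zero octets and the standard base64 alphabet but reports each deviation, and a writer that always emits the minimal base64url form. Function names and all sample values are constructed for illustration; the member names are the JWK RSA parameters.

```python
import base64
import hashlib
import json
import re

B64URL = re.compile(r"[A-Za-z0-9_-]*")
B64STD = re.compile(r"[A-Za-z0-9+/]*")
# JWK RSA members that carry big integers.
RSA_UINT_MEMBERS = ("n", "e", "d", "p", "q", "dp", "dq", "qi")


def min_octets(value):
    """Minimal unsigned big-endian octets; zero is a single 0x00 octet."""
    if value < 0:
        raise ValueError("JWK integers are unsigned")
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")


def signed_style_octets(value):
    """Signed-integer style shown in the OpenSSL dump: 0x00 prefix if the top bit is set."""
    octets = min_octets(value)
    return b"\x00" + octets if octets[0] & 0x80 else octets


def encode_jwk_uint(value):
    """Conservative writer: minimal octets, base64url alphabet, no padding."""
    return base64.urlsafe_b64encode(min_octets(value)).rstrip(b"=").decode("ascii")


def decode_jwk_uint(text):
    """Liberal reader: return (value, deviations from the minimal base64url form)."""
    deviations = []
    body = text.rstrip("=")
    if body != text:
        deviations.append("padding")
    if B64URL.fullmatch(body):
        pass
    elif B64STD.fullmatch(body):
        deviations.append("standard base64 alphabet")
        body = body.replace("+", "-").replace("/", "_")
    else:
        raise ValueError("neither base64url nor base64")  # includes mixed alphabets
    if len(body) % 4 == 1:
        raise ValueError("impossible base64 length")
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    value = int.from_bytes(raw, "big")
    minimal = min_octets(value)
    if len(raw) > len(minimal):
        deviations.append(f"{len(raw) - len(minimal)} leading zero octet(s)")
    elif len(raw) < len(minimal):
        deviations.append("empty octet string for zero")
    return value, deviations


def canonicalize_rsa_jwk(jwk):
    """Re-emit every RSA integer member minimally; return (jwk, report)."""
    out, report = dict(jwk), {}
    for name in RSA_UINT_MEMBERS:
        if name in jwk:
            value, deviations = decode_jwk_uint(jwk[name])
            out[name] = encode_jwk_uint(value)
            if deviations:
                report[name] = deviations
    return out, report


def text_digest(jwk):
    """Plain SHA-256 over the JSON text; illustrative, not any draft's thumbprint algorithm."""
    text = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(text.encode("ascii")).hexdigest()


def demo():
    # Constructed 1024-bit value with the top bit set; not a real RSA modulus.
    n = (1 << 1024) - 3
    # What an emitter produces if it copies signed-style octets and uses plain base64.
    sloppy = {"kty": "RSA",
              "n": base64.b64encode(signed_style_octets(n)).decode("ascii"),
              "e": "AAEAAQ"}
    strict = {"kty": "RSA", "n": encode_jwk_uint(n), "e": encode_jwk_uint(65537)}
    canonical, report = canonicalize_rsa_jwk(sloppy)
    return {
        "report": report,
        "octets": (len(min_octets(n)), len(signed_style_octets(n))),
        "same_text_before": text_digest(sloppy) == text_digest(strict),
        "same_text_after": text_digest(canonical) == text_digest(strict),
    }


if __name__ == "__main__":
    print(demo())
```

The same key in two textual forms only compares equal after canonicalization, so anything that compares, indexes or hashes JWK text should work on the re-emitted form.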

--089e013cba62a6a3f404f70b7afb-- From nobody Mon Apr 14 21:58:49 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B7E81A063F; Mon, 14 Apr 2014 21:58:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.174 X-Spam-Level: X-Spam-Status: No, score=-2.174 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.272, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W-TFspY5pqnS; Mon, 14 Apr 2014 21:58:42 -0700 (PDT) Received: from rfc-editor.org (rfc-editor.org [IPv6:2001:1900:3001:11::31]) by ietfa.amsl.com (Postfix) with ESMTP id BD2AF1A0304; Mon, 14 Apr 2014 21:58:42 -0700 (PDT) Received: by rfc-editor.org (Postfix, from userid 30) id 3282518000D; Mon, 14 Apr 2014 21:58:18 -0700 (PDT) To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org X-PHP-Originating-Script: 6000:ams_util_lib.php From: rfc-editor@rfc-editor.org Message-Id: <20140415045818.3282518000D@rfc-editor.org> Date: Mon, 14 Apr 2014 21:58:18 -0700 (PDT) Archived-At: http://mailarchive.ietf.org/arch/msg/jose/5OoBWOKHOIaXyp1sz7OOXVJQHPA Cc: drafts-update-ref@iana.org, jose@ietf.org, rfc-editor@rfc-editor.org Subject: [jose] RFC 7165 on Use Cases and Requirements for JSON Object Signing and Encryption (JOSE) X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Apr 2014 04:58:44 -0000 A new Request for Comments is now available in online RFC libraries. RFC 7165 Title: Use Cases and Requirements for JSON Object Signing and Encryption (JOSE) Author: R. 
Barnes Status: Informational Stream: IETF Date: April 2014 Mailbox: rlb@ipv.sx Pages: 25 Characters: 58324 Updates/Obsoletes/SeeAlso: None I-D Tag: draft-ietf-jose-use-cases-06.txt URL: http://www.rfc-editor.org/rfc/rfc7165.txt Many Internet applications have a need for object-based security mechanisms in addition to security mechanisms at the network layer or transport layer. For many years, the Cryptographic Message Syntax (CMS) has provided a binary secure object format based on ASN.1. Over time, binary object encodings such as ASN.1 have become less common than text-based encodings, such as the JavaScript Object Notation (JSON). This document defines a set of use cases and requirements for a secure object format encoded using JSON, drawn from a variety of application security mechanisms currently in development. This document is a product of the Javascript Object Signing and Encryption Working Group of the IETF. INFORMATIONAL: This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. This announcement is sent to the IETF-Announce and rfc-dist lists. To subscribe or unsubscribe, see http://www.ietf.org/mailman/listinfo/ietf-announce http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist For searching the RFC series, see http://www.rfc-editor.org/search For downloading RFCs, see http://www.rfc-editor.org/rfc.html Requests for special distribution should be addressed to either the author of the RFC in question, or to rfc-editor@rfc-editor.org. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution. 
The RFC Editor Team Association Management Solutions, LLC From nobody Mon Apr 14 22:35:28 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CADA1A0751 for ; Mon, 14 Apr 2014 22:35:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 2.498 X-Spam-Level: ** X-Spam-Status: No, score=2.498 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RCVD_IN_DNSWL_NONE=-0.0001, RELAY_IS_203=0.994] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gh6i985XRANp for ; Mon, 14 Apr 2014 22:35:25 -0700 (PDT) Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id C91381A06B1 for ; Mon, 14 Apr 2014 22:35:24 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.97,862,1389704400"; d="scan'208";a="7507959" Received: from unknown (HELO ipcbvi.tcif.telstra.com.au) ([10.97.217.204]) by ipocvi.tcif.telstra.com.au with ESMTP; 15 Apr 2014 15:26:39 +1000 X-IronPort-AV: E=McAfee;i="5400,1158,7408"; a="215520699" Received: from wsmsg3755.srv.dir.telstra.com ([172.49.40.196]) by ipcbvi.tcif.telstra.com.au with ESMTP; 15 Apr 2014 15:35:20 +1000 Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3755.srv.dir.telstra.com ([172.49.40.196]) with mapi; Tue, 15 Apr 2014 15:35:20 +1000 From: "Manger, James" To: "jose@ietf.org" , John Bradley Date: Tue, 15 Apr 2014 15:35:19 +1000 Thread-Topic: [jose] JSON Web Key (JWK) Thumbprint Specification Thread-Index: Ac9YLXmCLAQ6fUabRA6CnEpe2MK57QADK46A Message-ID: <255B9BB34FB7D647A506DC292726F6E115451248AB@WSMSG3153V.srv.dir.telstra.com> References: <4E1F6AAD24975D4BA5B16804296739439A150468@TK5EX14MBXC286.redmond.corp.microsoft.com> <052001cf581d$0cde8800$269b9800$@augustcellars.com> 
<8AC99548-ED07-49D6-939A-D49EACD3DCD4@ve7jtb.com> <054b01cf5829$cf5c2660$6e147320$@augustcellars.com> In-Reply-To: Accept-Language: en-US, en-AU Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US, en-AU Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/jose/NLfEAW7cqRqzF7cfcCJJ-0KwzHE Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Apr 2014 05:35:27 -0000

Comments on JWK thumbprints: http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00

draft-jones-jose-jwk-thumbprint needs to be much clearer about the properties of a thumbprint and the circumstances where it is appropriate and inappropriate to use. Superficially a thumbprint looks like both an unambiguous id and a unique id for a key, but I doubt the latter property can be relied upon.

For instance, it would be dangerous to use these thumbprints in a blacklist of revoked keys. It looks fairly easy for a malicious party to modify the representation of a key to give a different thumbprint for the same key (eg change "e":"AQAB" to "e":"AAEAAQ").

"Only the REQUIRED members of a key's representation are used"
This rule sounds like trouble.
Consider a key that is a point on an elliptic curve. Sometimes x & y are specified; sometimes the crypto only uses the x coordinate; sometimes y is "compressed" to a flag. It seems quite feasible that a JWK format might not REQUIRE "y" in its syntax.
Consider an element that has a default value when absent. It is not REQUIRED in the syntax (so would be omitted from the thumbprint), but it can still be required to be understood when it is present.

It is a bit nasty that you cannot calculate a key’s thumbprint without type-specific knowledge (about which elements to keep).
Keeping all JWK elements in the thumbprint would be better.

The spec defines a canonical JSON encoding without explicitly admitting that (eg it doesn't use the word "canonical").

"Characters .. MUST be represented in the simplest manner possible"
What is the "simplest manner possible"? I guess "a" is simpler than "\u0061"; less sure about "\n" vs "\u000A"; no idea for "\u000b" vs "\u000B"; escaping "/" as "\/" is (unfortunately) simpler in some environments; "\uD834\uDD1E" vs the 4-bytes "<F0 9D 84 93>"?

"all characters within the Basic Multilingual Plane .. MUST NOT be escaped"
Is this hinting that U+1D11E (musical symbol G clef) that is outside the BMP should be escaped? Surely it is better to UTF-8 encode this as 4 bytes.

There is no mention of how to handle elements whose value is a number.
It is easy to imagine key formats with integer fields (eg a PBKDF iteration count). Presumably an element "p2c":1e5 would actually have to be serialized as "p2c":100000.
I guess this doc is going to ignore floating point numbers under the (fairly reasonable) assumption that they may never be needed in JWKs.


John Bradley said:
> Having a well understood method that is resistant to bit stealing and other sorts of attacks is a good thing, rather than applications rolling their own.

What is "bit stealing"?

> This is useful in OpenID Connect for calculating a synthetic subject based on the public key of a self signed JWT.

If a key and its thumbprint are both in a message it is asking for trouble as some code will assume (without checking) that they match.
A "jkt" member in a JWK is a bad idea.

--
James Manger

From nobody Tue Apr 15 14:02:11 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 353F71A038C for ; Tue, 15 Apr 2014 14:02:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JWnaetsfNy7E for ; Tue, 15 Apr 2014 14:02:02 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0141.outbound.protection.outlook.com [207.46.163.141]) by ietfa.amsl.com (Postfix) with ESMTP id 87BB41A01F8 for ; Tue, 15 Apr 2014 14:02:02 -0700 (PDT) Received: from BY2PR03CA055.namprd03.prod.outlook.com (10.141.249.28) by BY2PR03MB443.namprd03.prod.outlook.com (10.141.141.152) with Microsoft SMTP Server
(TLS) id 15.0.918.8; Tue, 15 Apr 2014 21:01:58 +0000 Received: from BN1AFFO11FD007.protection.gbl (2a01:111:f400:7c10::165) by BY2PR03CA055.outlook.office365.com (2a01:111:e400:2c5d::28) with Microsoft SMTP Server (TLS) id 15.0.918.8 via Frontend Transport; Tue, 15 Apr 2014 21:01:58 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD007.mail.protection.outlook.com (10.58.52.67) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Tue, 15 Apr 2014 21:01:57 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0174.002; Tue, 15 Apr 2014 21:01:19 +0000 From: Mike Jones To: Richard Barnes Thread-Topic: [jose] RFC 7165 on Use Cases and Requirements for JSON Object Signing and Encryption (JOSE) Thread-Index: AQHPWGdkX1zr4jU5pEuVweSdYFaYdZsTKsfw Date: Tue, 15 Apr 2014 21:01:18 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A1598F2@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <20140415045818.3282518000D@rfc-editor.org> In-Reply-To: <20140415045818.3282518000D@rfc-editor.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.74] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; 
SFS:(10009001)(6009001)(438001)(377454003)(189002)(199002)(13464003)(84676001)(6806004)(86362001)(83072002)(23726002)(19580395003)(83322001)(19580405001)(92726001)(44976005)(97736001)(92566001)(97756001)(81542001)(77982001)(85852003)(76482001)(85806002)(79102001)(15202345003)(81342001)(66066001)(15975445006)(20776003)(80976001)(47776003)(33656001)(86612001)(80022001)(87936001)(4396001)(76176999)(2656002)(50466002)(19300405004)(46102001)(50986999)(31966008)(54356999)(74662001)(2009001)(99396002)(55846006)(46406003)(74502001)(562404015); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB443; H:mail.microsoft.com; FPR:EC05D0BB.9BD656D3.37E43F83.88E2C36D.20353; MLV:sfv; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0182DBBB05 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/jose/m80xSVt_L0Yk-GU3nvIjN2hWgk4 Cc: "jose@ietf.org" Subject: Re: [jose] RFC 7165 on Use Cases and Requirements for JSON Object Signing and Encryption (JOSE) X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Apr 2014 21:02:08 -0000

Congratulations on finishing this, Richard!

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of rfc-editor@rfc-editor.org
Sent: Monday, April 14, 2014 9:58 PM
To: ietf-announce@ietf.org; rfc-dist@rfc-editor.org
Cc: drafts-update-ref@iana.org; jose@ietf.org; rfc-editor@rfc-editor.org
Subject: [jose] RFC 7165 on Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)

A new Request for Comments is now available in online RFC libraries.

        RFC 7165

        Title:      Use Cases and Requirements for
                    JSON Object Signing and Encryption (JOSE)
        Author:     R. Barnes
        Status:     Informational
        Stream:     IETF
        Date:       April 2014
        Mailbox:    rlb@ipv.sx
        Pages:      25
        Characters: 58324
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-jose-use-cases-06.txt

        URL:        http://www.rfc-editor.org/rfc/rfc7165.txt

Many Internet applications have a need for object-based security mechanisms in addition to security mechanisms at the network layer or transport layer. For many years, the Cryptographic Message Syntax (CMS) has provided a binary secure object format based on ASN.1. Over time, binary object encodings such as ASN.1 have become less common than text-based encodings, such as the JavaScript Object Notation (JSON). This document defines a set of use cases and requirements for a secure object format encoded using JSON, drawn from a variety of application security mechanisms currently in development.

This document is a product of the Javascript Object Signing and Encryption Working Group of the IETF.

INFORMATIONAL: This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  http://www.ietf.org/mailman/listinfo/ietf-announce
  http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see http://www.rfc-editor.org/search
For downloading RFCs, see http://www.rfc-editor.org/rfc.html

Requests for special distribution should be addressed to either the author of the RFC in question, or to rfc-editor@rfc-editor.org. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution.

The RFC Editor Team Association Management Solutions, LLC _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose From nobody Tue Apr 15 14:16:46 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77CB51A0488 for ; Tue, 15 Apr 2014 14:16:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.977 X-Spam-Level: X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kP3sllQeI9gO for ; Tue, 15 Apr 2014 14:16:41 -0700 (PDT) Received: from mail-oa0-f50.google.com (mail-oa0-f50.google.com [209.85.219.50]) by ietfa.amsl.com (Postfix) with ESMTP id E60AB1A0454 for ; Tue, 15 Apr 2014 14:16:40 -0700 (PDT) Received: by mail-oa0-f50.google.com with SMTP id i7so11638208oag.9 for ; Tue, 15 Apr 2014 14:16:38 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=fFyoIHxYehxHJJl48t/vh+bbEtzMWQBtDsPRpIdGvDU=; b=Ho0FP6pqU5LP89X3dbnASGX0VHMYulomWOV0cJxMj4db9j7u27XHouFo3/2c0cw/bW xIjIvVJzvRqlg0b97kmzFVUVc9qls3sEPc/c8hxlLi59x8/zLPspMkgFlEXXf2DGT/++ k1RQtqFY9TygN7dtTbbnmkQN3h49P+Gj4HI4B2AdqsXfOPE9qZdpeyOsv9J6HOJikazb vJJg1jRPFE/rcq6nfAXRKHaJyClBnqxa1J2/Ai/z8Gz3Ph4p/5+rN8tQzj+lAuq8ecxl 6d9/35o7xwt18aALWRQUcqCdL4OdCqJHL0Kr+4r3Kkk5anpmXKsx0YMpk0fsVIl3q3rf b9hg== X-Gm-Message-State: ALoCoQn6bjYbjY9GXFu3Id8Vnc/LmeKHYHfBJ1xN81sKCTwoRapym9XGCc2/OTi5Rg9dvRmkJUGC MIME-Version: 1.0 X-Received: by 10.60.95.230 with SMTP id dn6mr3345172oeb.25.1397596597976; Tue, 15 Apr 2014 14:16:37 
-0700 (PDT) Received: by 10.60.136.231 with HTTP; Tue, 15 Apr 2014 14:16:37 -0700 (PDT) In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A1598F2@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <20140415045818.3282518000D@rfc-editor.org> <4E1F6AAD24975D4BA5B16804296739439A1598F2@TK5EX14MBXC286.redmond.corp.microsoft.com> Date: Tue, 15 Apr 2014 17:16:37 -0400 Message-ID: From: Richard Barnes To: Mike Jones Content-Type: multipart/alternative; boundary=089e011828e4c312f404f71b50b3 Archived-At: http://mailarchive.ietf.org/arch/msg/jose/dW9zmIYGzzZadK-AEMFJB-7Kf9o Cc: "jose@ietf.org" Subject: Re: [jose] RFC 7165 on Use Cases and Requirements for JSON Object Signing and Encryption (JOSE) X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Apr 2014 21:16:45 -0000 --089e011828e4c312f404f71b50b3 Content-Type: text/plain; charset=ISO-8859-1

Thanks!

On Tue, Apr 15, 2014 at 5:01 PM, Mike Jones wrote:

> Congratulations on finishing this, Richard!
>
> -----Original Message-----
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of
> rfc-editor@rfc-editor.org
> Sent: Monday, April 14, 2014 9:58 PM
> To: ietf-announce@ietf.org; rfc-dist@rfc-editor.org
> Cc: drafts-update-ref@iana.org; jose@ietf.org; rfc-editor@rfc-editor.org
> Subject: [jose] RFC 7165 on Use Cases and Requirements for JSON Object
> Signing and Encryption (JOSE)
>
> A new Request for Comments is now available in online RFC libraries.
>
>
>         RFC 7165
>
>         Title:      Use Cases and Requirements for
>                     JSON Object Signing and Encryption (JOSE)
>         Author:     R. Barnes
>         Status:     Informational
>         Stream:     IETF
>         Date:       April 2014
>         Mailbox:    rlb@ipv.sx
>         Pages:      25
>         Characters: 58324
>         Updates/Obsoletes/SeeAlso:   None
>
>         I-D Tag:    draft-ietf-jose-use-cases-06.txt
>
>         URL:        http://www.rfc-editor.org/rfc/rfc7165.txt
>
> Many Internet applications have a need for object-based security
> mechanisms in addition to security mechanisms at the network layer or
> transport layer. For many years, the Cryptographic Message Syntax
> (CMS) has provided a binary secure object format based on ASN.1.
> Over time, binary object encodings such as ASN.1 have become less common
> than text-based encodings, such as the JavaScript Object Notation (JSON).
> This document defines a set of use cases and requirements for a secure
> object format encoded using JSON, drawn from a variety of application
> security mechanisms currently in development.
>
> This document is a product of the Javascript Object Signing and Encryption
> Working Group of the IETF.
>
>
> INFORMATIONAL: This memo provides information for the Internet community.
> It does not specify an Internet standard of any kind. Distribution of this
> memo is unlimited.
>
> This announcement is sent to the IETF-Announce and rfc-dist lists.
> To subscribe or unsubscribe, see
> http://www.ietf.org/mailman/listinfo/ietf-announce
> http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
>
> For searching the RFC series, see http://www.rfc-editor.org/search For
> downloading RFCs, see http://www.rfc-editor.org/rfc.html
>
> Requests for special distribution should be addressed to either the author
> of the RFC in question, or to rfc-editor@rfc-editor.org. Unless
> specifically noted otherwise on the RFC itself, all RFCs are for unlimited
> distribution.
>
>
> The RFC Editor Team
> Association Management Solutions, LLC
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
--089e011828e4c312f404f71b50b3 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
From nobody Tue Apr 15 15:25:17 2014
From: John Bradley
To: Michael Jones
Cc: Richard Barnes, "jose@ietf.org"
Date: Tue, 15 Apr 2014 19:24:30 -0300
Subject: Re: [jose] RFC 7165 on Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/CtlZhvGHtbO-vuNWCCoeJXAq0pI

Yes congratulations.

On Apr 15, 2014, at 6:01 PM, Mike Jones wrote:

> Congratulations on fishing this, Richard!
>
> -----Original Message-----
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of rfc-editor@rfc-editor.org
> Sent: Monday, April 14, 2014 9:58 PM
> To: ietf-announce@ietf.org; rfc-dist@rfc-editor.org
> Cc: drafts-update-ref@iana.org; jose@ietf.org; rfc-editor@rfc-editor.org
> Subject: [jose] RFC 7165 on Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)
>
> A new Request for Comments is now available in online RFC libraries.
>
>
>         RFC 7165
>
>         Title:      Use Cases and Requirements for
>                     JSON Object Signing and Encryption (JOSE)
>         Author:     R. Barnes
>         Status:     Informational
>         Stream:     IETF
>         Date:       April 2014
>         Mailbox:    rlb@ipv.sx
>         Pages:      25
>         Characters: 58324
>         Updates/Obsoletes/SeeAlso:   None
>
>         I-D Tag:    draft-ietf-jose-use-cases-06.txt
>
>         URL:        http://www.rfc-editor.org/rfc/rfc7165.txt
>
> Many Internet applications have a need for object-based security mechanisms in addition to security mechanisms at the network layer or transport layer. For many years, the Cryptographic Message Syntax
> (CMS) has provided a binary secure object format based on ASN.1.
> Over time, binary object encodings such as ASN.1 have become less common than text-based encodings, such as the JavaScript Object Notation (JSON). This document defines a set of use cases and requirements for a secure object format encoded using JSON, drawn from a variety of application security mechanisms currently in development.
>
> This document is a product of the Javascript Object Signing and Encryption Working Group of the IETF.
>
>
> INFORMATIONAL: This memo provides information for the Internet community.
> It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
>
> This announcement is sent to the IETF-Announce and rfc-dist lists.
> To subscribe or unsubscribe, see
> http://www.ietf.org/mailman/listinfo/ietf-announce
> http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
>
> For searching the RFC series, see http://www.rfc-editor.org/search For downloading RFCs, see http://www.rfc-editor.org/rfc.html
>
> Requests for special distribution should be addressed to either the author of the RFC in question, or to rfc-editor@rfc-editor.org. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution.
>
>
> The RFC Editor Team
> Association Management Solutions, LLC
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

From nobody Wed Apr 16 07:34:53 2014
From: Richard Barnes
To: John Bradley
Cc: Hannes Tschofenig, "jose@ietf.org"
Date: Wed, 16 Apr 2014 10:34:44 -0400
Subject: Re: [jose] Implementation Requirements
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/oWRnD36UC8dDZM_xF3p5umT2o4g

Let me address this in two parts, first with my IESG hat on, and then as an individual.

<hat type="IESG">
The IESG does NOT think that a set of mandatory algorithms in JWA is a requirement for interoperability.

After having discussed this with Kathleen and Sean: There are several different ways to address interoperability with a framework protocol like JOSE. CMS provides a fine example of how algorithms can be left flexible at the security layer, with applications like S/MIME defining algorithm requirements. Algorithm agility is another important consideration in security protocol design, and locking in algorithms too deeply can hinder updates in the future.
</hat>

<hat type="individual">
I continue to be concerned that having mandatory algorithms for JOSE will make two types of applications non-compliant:
1. JOSE implementations are often going to not have any choice in what algorithms they can support. They're going to be built on top of crypto libraries, which either support an algorithm or they don't. It's pointless to levy requirements at the JOSE layer.
2. Constrained devices aren't going to want to implement a whole boatload of algorithms, just the ones they need for their use cases.

Limiting the requirement to "standalone JOSE libraries" doesn't address either of these concerns.

As a compromise, how about if we define a RECOMMENDED suite of common algorithms? That would help guide implementations toward interop without ruling out the above use cases.
</hat>

Hope that helps clarify things,
--Richard

On Mon, Apr 14, 2014 at 9:09 AM, John Bradley wrote:

> The IESG wants to see interoperability between implementations, to do that
> without dragging in discovery etc there need to be minimum feature sets of
> JOSE libraries that people can count on.
>
> An application using JOSE can elect not to support all the algorithms, but
> JOSE libraries need to support the mandatory to implement algorithms.
>
> On Apr 14, 2014, at 9:48 AM, Hannes Tschofenig wrote:
>
> Hi all,
>
> I am looking at the implementation requirements of the JWA spec and I am
> wondering to what deployment environment they refer.
> The JW* specs are generic building blocks and I fail to see how one can
> list mandatory-to-implement algorithms.
>
> Ciao
> Hannes
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>
From nobody Wed Apr 16 08:06:37 2014
From: "Hannes Tschofenig"
To: "Richard Barnes"
Cc: John Bradley, "jose@ietf.org"
Date: Wed, 16 Apr 2014 17:05:53 +0200
Subject: Re: [jose] Implementation Requirements
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/evOkyynottX8wk6Mbe856XJN7VM

Hi Richard, 
 
 
a short remark below. 
 
Sent: Wednesday, 16 April 2014 at 15:34
From: "Richard Barnes" <rlb@ipv.sx>
To: "John Bradley" <ve7jtb@ve7jtb.com>
Cc: "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Implementation Requirements
Let me address this in two parts, first with my IESG hat on, and then as an individual.
 
<hat type="IESG">
The IESG does NOT think that a set of mandatory algorithms in JWA is a requirement for interoperability.
 
After having discussed this with Kathleen and Sean: There are several different ways to address interoperability with a framework protocol like JOSE.  CMS provides a fine example of how algorithms can be left flexible at the security layer, with applications like S/MIME defining algorithm requirements.  Algorithm agility is another important consideration in security protocol design, and locking in algorithms too deeply can hinder updates in the future.
</hat>
 
[hannes] Sounds reasonable to me. 
 
<hat type="individual">
I continue to be concerned that having mandatory algorithms for JOSE will make two types of applications non-compliant:
1. JOSE implementations are often going to not have any choice in what algorithms they can support.  They're going to be built on top of crypto libraries, which either support an algorithm or they don't.  It's pointless to levy requirements at the JOSE layer.
2. Constrained devices aren't going to want to implement a whole boatload of algorithms, just the ones they need for their use cases.
 
[hannes] Also makes sense to me. 
 
Limiting the requirement to "standalone JOSE libraries" doesn't address either of these concerns.
 
As a compromise, how about if we define a RECOMMENDED suite of common algorithms?  That would help guide implementations toward interop without ruling out the above use cases.
</hat>
 
[hannes]  It makes sense for me to define domain specific recommendations. I will write some of those down for a specific Internet of Things context. For the use of JOSE with OpenID Connect these recommendations are available already. 
 
Ciao
Hannes
 
Hope that helps clarify things,
--Richard
 
On Mon, Apr 14, 2014 at 9:09 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
The IESG wants to see interoperability between implementations, to do that without dragging in discovery etc there need to be minimum feature sets of JOSE libraries that people can count on.
 
An application using JOSE can elect not to support all the algorithms, but JOSE libraries need to support the mandatory to implement algorithms.
 
On Apr 14, 2014, at 9:48 AM, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:
Hi all, 
 
I am looking at the implementation requirements of the JWA spec and I am wondering to what deployment environment they refer.
The JW* specs are generic building blocks and I fail to see how one can list mandatory-to-implement algorithms.
 
Ciao
Hannes
 
_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose
 
From nobody Wed Apr 16 10:18:06 2014
From: Richard Barnes
To: John Bradley
Cc: Hannes Tschofenig, "jose@ietf.org"
Date: Wed, 16 Apr 2014 13:17:45 -0400
Subject: Re: [jose] Implementation Requirements
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/mJmIUNpAF6rfv5kvLN4sUEeNbYo

On Wed, Apr 16, 2014 at 10:34 AM, Richard Barnes wrote:

> Let me address this in two parts, first with my IESG hat on, and then as
> an individual.
>
> <hat type="IESG">
> The IESG does NOT think that a set of mandatory algorithms in JWA is a
> requirement for interoperability.
>

Clarification: I did not mean to imply that the IESG has an opinion one way or another on this issue. It hasn't been brought up. But there are at least a couple of members of the IESG who do not believe that mandatory algorithms are a requirement.

In other words: The IESG hasn't made up its collective mind on this yet, so the WG has an opportunity to choose an answer and make an argument for it.

>
> After having discussed this with Kathleen and Sean: There are several
> different ways to address interoperability with a framework protocol like
> JOSE. CMS provides a fine example of how algorithms can be left flexible
> at the security layer, with applications like S/MIME defining algorithm
> requirements. Algorithm agility is another important consideration in
> security protocol design, and locking in algorithms too deeply can hinder
> updates in the future.
> </hat>
>
> <hat type="individual">
> I continue to be concerned that having mandatory algorithms for JOSE will
> make two types of applications non-compliant:
> 1. JOSE implementations are often going to not have any choice in what
> algorithms they can support. They're going to be built on top of crypto
> libraries, which either support an algorithm or they don't. It's pointless
> to levy requirements at the JOSE layer.
> 2. Constrained devices aren't going to want to implement a whole boatload
> of algorithms, just the ones they need for their use cases.
>
> Limiting the requirement to "standalone JOSE libraries" doesn't address
> either of these concerns.
>
> As a compromise, how about if we define a RECOMMENDED suite of common
> algorithms? That would help guide implementations toward interop without
> ruling out the above use cases.
> </hat>
>
> Hope that helps clarify things,
> --Richard
>
>
> On Mon, Apr 14, 2014 at 9:09 AM, John Bradley wrote:
>
>> The IESG wants to see interoperability between implementations, to do
>> that without dragging in discovery etc there need to be minimum feature
>> sets of JOSE libraries that people can count on.
>>
>> An application using JOSE can elect not to support all the algorithms,
>> but JOSE libraries need to support the mandatory to implement algorithms.
>>
>> On Apr 14, 2014, at 9:48 AM, Hannes Tschofenig wrote:
>>
>> Hi all,
>>
>> I am looking at the implementation requirements of the JWA spec and I am
>> wondering to what deployment environment they refer.
>> The JW* specs are generic building blocks and I fail to see how one can
>> list mandatory-to-implement algorithms.
>>
>> Ciao
>> Hannes
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>>
>>
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>>
>>
>



From nobody Wed Apr 16 12:59:56 2014
From: Mike Jones
To: Richard Barnes, John Bradley
Cc: Hannes Tschofenig, "jose@ietf.org"
Date: Wed, 16 Apr 2014 19:59:09 +0000
Subject: Re: [jose] Implementation Requirements
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/_xxOAJ1GXND6lWniUSvZrg_Vrlw

The case can be made that the working group has had this opportunity to choose an answer during the entire life of the working group and the answer has never varied - there should be a small set of commonly implemented required algorithms to promote interoperability. This has been true in all 26 working group drafts of JWA, going back to draft-ietf-jose-json-web-algorithms-00 in January 2012.

The +/- notation was added to the Implementation Requirements at the suggestion of Sean Turner in JWA draft -03 in January, 2013.

The question of required algorithms was explicitly considered as JOSE issue #10: http://trac.tools.ietf.org/wg/jose/trac/ticket/10. Despite there being a minority of working group participants (primarily you, Richard, as I recall) who opposed MTI algorithms, most seemed to be in favor.

I personally don't see it as being productive to try to re-open this already heavily discussed issue now.

-- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Wednesday, April 16, 2014 10:18 AM
To: John Bradley
Cc: Hannes Tschofenig; jose@ietf.org
Subject: Re: [jose] Implementation Requirements

On Wed, Apr 16, 2014 at 10:34 AM, Richard Barnes wrote:
Let me address this in two parts, first with my IESG hat on, and then as an individual.

The IESG does NOT think that a set of mandatory algorithms in JWA is a requirement for interoperability.

Clarification: I did not mean to imply that the IESG has an opinion one way or another on this issue. It hasn't been brought up. But there are at least a couple of members of the IESG who do not believe that mandatory algorithms are a requirement.

In other words: The IESG hasn't made up its collective mind on this yet, so the WG has an opportunity to choose an answer and make an argument for it.
After having discussed this with Kathleen and Sean: There are several diffe= rent ways to address interoperability with a framework protocol like JOSE. = CMS provides a fine example of how algorithms can be left flexible at the = security layer, with applications like S/MIME defining algorithm requiremen= ts. Algorithm agility is another important consideration in security proto= col design, and locking in algorithms too deeply can hinder updates in the = future. I continue to be concerned that having mandatory algorithms for JOSE will m= ake two types of applications non-compliant: 1. JOSE implementations are often going to not have any choice in what algo= rithms they can support. They're going to be built on top of crypto librar= ies, which either support an algorithm or they don't. It's pointless to le= vy requirements at the JOSE layer. 2. Constrained devices aren't going to want to implement a whole boatload o= f algorithms, just the ones they need for their use cases. Limiting the requirement to "standalone JOSE libraries" doesn't address eit= her of these concerns. As a compromise, how about if we define a RECOMMENDED suite of common algor= ithms? That would help guide implementations toward interop without ruling= out the above use cases. Hope that helps clarify things, --Richard On Mon, Apr 14, 2014 at 9:09 AM, John Bradley > wrote: The IESG wants to see interoperability between implementations, to do that = without dragging in discovery etc there need to be minimum feature sets of = JOSE libraries that people can count on. A application using JOSE can elect not to support all the algorithms, but = JOSE libraries need to support the mandatory to implement algorithms. On Apr 14, 2014, at 9:48 AM, Hannes Tschofenig > wrote: Hi all, I am looking at the implementation requirements of the JWA spec and I am wo= ndering to what deployment environment they refer they. 
The JW* specs are generic building blocks and I fail to see how one can lis= t mandatory-to-implement algorithsms. Ciao Hannes _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose --_000_4E1F6AAD24975D4BA5B16804296739439A15B6B9TK5EX14MBXC286r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

--_000_4E1F6AAD24975D4BA5B16804296739439A15B6B9TK5EX14MBXC286r_--

From nobody Wed Apr 16 13:05:45 2014
From: "Jim Schaad"
To: "'Richard Barnes'", "'John Bradley'"
Cc: 'Hannes Tschofenig', jose@ietf.org
Date: Wed, 16 Apr 2014 13:03:12 -0700
Subject: Re: [jose] Implementation Requirements
Message-ID: <06fa01cf59ae$e5e90930$b1bb1b90$@augustcellars.com>
References: <2FA2A5F6-0043-43F2-BCD3-04BBBC548889@ve7jtb.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/VNcxfBTowDBTE5AZc4HiCyzF_yc
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Wednesday, April 16, 2014 7:35 AM
To: John Bradley
Cc: Hannes Tschofenig; jose@ietf.org
Subject: Re: [jose] Implementation Requirements

Let me address this in two parts, first with my IESG hat on, and then as an individual.

The IESG does NOT think that a set of mandatory algorithms in JWA is a requirement for interoperability.

After having discussed this with Kathleen and Sean: There are several different ways to address interoperability with a framework protocol like JOSE. CMS provides a fine example of how algorithms can be left flexible at the security layer, with applications like S/MIME defining algorithm requirements. Algorithm agility is another important consideration in security protocol design, and locking in algorithms too deeply can hinder updates in the future.

I continue to be concerned that having mandatory algorithms for JOSE will make two types of applications non-compliant:

1. JOSE implementations are often going to not have any choice in what algorithms they can support. They're going to be built on top of crypto libraries, which either support an algorithm or they don't. It's pointless to levy requirements at the JOSE layer.

2. Constrained devices aren't going to want to implement a whole boatload of algorithms, just the ones they need for their use cases.

[JLS] I am not sure that I understand the reasoning behind this.

For point 2 - an application can specify a set of algorithms that are not even mentioned by the JOSE specifications. This is what I would expect to potentially happen for the constrained device case, the application being run here would say we use the following algorithms - independent of what the JOSE specs say. Application specs will always override our specs.

For point 1 - that is always true and has always been true for applications that use system crypto. S/MIME could mandate the use of EC, but if it is not supported on the OS and the implementation uses the OS for its crypto - then the application will not be able to do anything with EC algorithms.

The same thing is also true with out of date libraries or applications. The set of required algorithms has changed, but not all of the software installations have been upgraded (can you say RC4 in TLS and SSL 3.x in general).

jim

Limiting the requirement to "standalone JOSE libraries" doesn't address either of these concerns.

As a compromise, how about if we define a RECOMMENDED suite of common algorithms? That would help guide implementations toward interop without ruling out the above use cases.

Hope that helps clarify things,

--Richard

On Mon, Apr 14, 2014 at 9:09 AM, John Bradley wrote:

The IESG wants to see interoperability between implementations, to do that without dragging in discovery etc there need to be minimum feature sets of JOSE libraries that people can count on.

An application using JOSE can elect not to support all the algorithms, but JOSE libraries need to support the mandatory to implement algorithms.

On Apr 14, 2014, at 9:48 AM, Hannes Tschofenig wrote:

Hi all,

I am looking at the implementation requirements of the JWA spec and I am wondering to what deployment environment they refer.

The JW* specs are generic building blocks and I fail to see how one can list mandatory-to-implement algorithms.

Ciao
Hannes

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

From nobody Thu Apr 17 01:40:22 2014
From: "Vladimir Dzhuvinov"
To: jose@ietf.org
Date: Thu, 17 Apr 2014 01:40:10 -0700
Subject: [jose] JWK "use" parameter strictly for public keys?
Message-Id: <20140417014010.3c376e9e86469f12ae2f88da05bfa671.edc1b11eb8.wbe@email07.europe.secureserver.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/FUUHjatyzDHNQcBnfuu-7YpCjMI
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hi guys,

A recent release of the Nimbus JOSE+JWT library added support for the
new JWK "key_ops" parameter and we put code in place to prevent people
from constructing JWKs with both "use" and "key_ops".

I need help with interpreting the following sentence though:

http://tools.ietf.org/html/draft-ietf-jose-json-web-key-25#section-3.2

```
[The "use" parameter] is not intended for use cases in which private or
symmetric keys may also be present.
```

Is the meaning of "not intended" a SHOULD NOT or a MUST NOT contain
private parts?

We make extensive use of RSA JWKs with private + public parts that have
their use encoded in the "use" parameter, before the public part gets
extracted and published to client apps (with the same "use" parameter of
course). Justin's JWK generator also does that. What is the rationale to
want to limit "use" to public keys only?

Cheers,

Vladimir

From nobody Thu Apr 17 07:51:12 2014
From: Kathleen Moriarty
To: jose@ietf.org
Cc: Michael Jones, draft-ietf-jose-json-web-algorithms@tools.ietf.org
Date: Thu, 17 Apr 2014 10:50:57 -0400
Subject: [jose] AD review of draft-ietf-jose-json-web-algorithms
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/IScUly7R-VweT_DPgmRT1IKL3UE
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=001a1135f7ac2bcccc04f73e2982

--001a1135f7ac2bcccc04f73e2982
Content-Type: text/plain; charset=UTF-8

Hello Mike & JOSE members,

I am working my way through the requested reviews to progress the JOSE drafts and can see a lot of work has been done, thank you. As I read through the Algorithms (JWA) draft there are some changes that will need to be made to avoid problems during the IESG review. This is a pretty big change for the draft, but will help make the review and approval faster. Typically, the lists of algorithms are handled through a draft update as opposed to creating an IANA registry. A good example is a recent update of a draft in the IPSECME working group so you can see the structure and the precedence for this model.

https://datatracker.ietf.org/doc/draft-ietf-ipsecme-esp-ah-reqts

Now for other edits and questions:

Section 3.6 - Can you explain why would this be included? If you are not going to sign, I am not sure why one would use JOSE at all.

Section 5.2 - The write up of this section seems a bit more complicated than necessary. It seems it would have just been simpler to state that the sizes vary as required by the algorithms and key lengths used rather than providing the differences from one to the next. Can you simplify this?
After looking through some of the mailing list discussions, it seems there was already agreement to slim this and other sections down by pointing to the draft-mcgrew-aead-aes-cbc-hmac-sha2
http://www.ietf.org/mail-archive/web/jose/current/msg02276.html
Can I get an update as to where that stands, referencing what you can from that draft as opposed to duplicating text? Thanks!

Security Considerations: While it is true the content is covered in other places, this section could benefit from improvement before it goes to the SecDir review. The second sentence in the first paragraph says the following:

   Among these issues are
   protecting the user's private and symmetric keys, preventing various
   attacks, and helping the user avoid mistakes such as inadvertently
   encrypting a message for the wrong recipient.

It would be helpful if you could expand the text and make it more descriptive and applicable to this document. For example, shouldn’t the first section say user’s private asymmetric and symmetric keys? I assume that is what was intended with private, but it reads funny to me without that. The only ‘attack’ or caution mentioned in the document is for the application to prevent a user from selecting the wrong key. Please include some attacks that developers and implementers should be aware and cautioned on, or state that specific attacks and considers are detailed in the subsections to follow.

I think that's it for now. Although I do need to look through some more of the previous conversations on the mailing list and in the issue tracker.

I see there are some open discussions, like the one Richard raised yesterday that need to be resolved in the document as well before we move forward with this one. Thanks for all of your effort on this draft!!

--

Best regards,
Kathleen

--001a1135f7ac2bcccc04f73e2982
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
--001a1135f7ac2bcccc04f73e2982-- From nobody Thu Apr 17 08:07:20 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C938A1A0222 for ; Thu, 17 Apr 2014 08:07:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zqdpQObD070b for ; Thu, 17 Apr 2014 08:07:15 -0700 (PDT) Received: from mail-lb0-x231.google.com (mail-lb0-x231.google.com [IPv6:2a00:1450:4010:c04::231]) by ietfa.amsl.com (Postfix) with ESMTP id 785011A01D6 for ; Thu, 17 Apr 2014 08:07:15 -0700 (PDT) Received: by mail-lb0-f177.google.com with SMTP id z11so471334lbi.22 for ; Thu, 17 Apr 2014 08:07:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=jvp0z/qjb35YGLuxLC+aKwtgVJh+kId/C4QnGSFBzmY=; b=GAE9C1SvQRarT5OrHkX6ykp40+IZCBDwEkZlkS7zNaoYngnoWjXPtTzrc0NFS68GuY cWKU34tQjXmyk9wVFKCtAIWPWABnKPm9PLQEbjwjYOdT/Kau/9SG4K9UBu+5+WVMqbjP 5qBY1c5YYnm5bCnAg79+wdWI+7BP73to4DhlIIYDP+jH0hbsdiwCtcdKWlXi98RdZrNw k1QHuVce+wVN+A2QyRaTzXrfj9mdGgTPDdrfN0AAe5/RUSL2IYXjCS7wcoF055GPY7No f/93nHDVwkx/Q8rf29No30q1mXdoy9v6p4syhgAPIUg+WZU0dWQpBweJxMSCdju4VhBD /cSA== MIME-Version: 1.0 X-Received: by 10.153.11.163 with SMTP id ej3mr10165482lad.17.1397747231187; Thu, 17 Apr 2014 08:07:11 -0700 (PDT) Received: by 10.112.26.142 with HTTP; Thu, 17 Apr 2014 08:07:11 -0700 (PDT) In-Reply-To: References: Date: Thu, 17 Apr 2014 11:07:11 -0400 Message-ID: From: Kathleen Moriarty To: jose@ietf.org 
Content-Type: multipart/alternative; boundary=001a1134635a336aee04f73e6310 Archived-At: http://mailarchive.ietf.org/arch/msg/jose/HHM5cKypqqdyOgoJYFEgs31vA7k Cc: Michael Jones , draft-ietf-jose-json-web-algorithms@tools.ietf.org Subject: Re: [jose] AD review of draft-ietf-jose-json-web-algorithms X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Apr 2014 15:07:18 -0000 --001a1134635a336aee04f73e6310 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

I'm going to add one more question to the review as I had the same thought as Scott & Burt in their review of JWA (and also in JWS). Why are there no other options in addition to SHA1? The response to Scott pointed back to early WG decisions, but I have heard this concern from others and have it myself, so I am not sure this one is resolved. I'd like to revisit it.

http://www.ietf.org/mail-archive/web/jose/current/msg04020.html

Thanks!

On Thu, Apr 17, 2014 at 10:50 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:

> Hello Mike & JOSE members,
>
> I am working my way through the requested reviews to progress the JOSE
> drafts and can see a lot of work has been done, thank you. As I read
> through the Algorithms (JWA) draft there are some changes that will need to
> be made to avoid problems during the IESG review. This is a pretty big
> change for the draft, but will help make the review and approval faster.
> Typically, the lists of algorithms are handled through a draft update as
> opposed to creating an IANA registry. A good example is a recent update of
> a draft in the IPSECME working group so you can see the structure and the
> precedence for this model.
>
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-esp-ah-reqts
>
> Now for other edits and questions:
>
> Section 3.6 - Can you explain why would this be included? If you are not
> going to sign, I am not sure why one would use JOSE at all.
>
> Section 5.2 - The write up of this section seems a bit more complicated
> than necessary. It seems it would have just been simpler to state that the
> sizes vary as required by the algorithms and key lengths used rather than
> providing the differences from one to the next. Can you simplify this?
> After looking through some of the mailing list discussions, it seems there
> was already agreement to slim this and other sections down by pointing to
> the draft-mcgrew-aead-aes-cbc-hmac-sha2
>
> http://www.ietf.org/mail-archive/web/jose/current/msg02276.html
> Can I get an update as to where that stands, referencing what you can from
> that draft as opposed to duplicating text? Thanks!
>
> Security Considerations: While it is true the content is covered in other
> places, this section could benefit from improvement before it goes to the
> SecDir review. The second sentence in the first paragraph says the
> following:
>    Among these issues are
>    protecting the user's private and symmetric keys, preventing various
>    attacks, and helping the user avoid mistakes such as inadvertently
>    encrypting a message for the wrong recipient.
> It would be helpful if you could expand the text and make it more
> descriptive and applicable to this document. For example, shouldn’t the
> first section say user’s private asymmetric and symmetric keys? I assume
> that is what was intended with private, but it reads funny to me without
> that. The only ‘attack’ or caution mentioned in the document is for the
> application to prevent a user from selecting the wrong key. Please include
> some attacks that developers and implementers should be aware and cautioned
> on, or state that specific attacks and considers are detailed in the
> subsections to follow.
>
> I think that's it for now. Although I do need to look through some more of
> the previous conversations on the mailing list and in the issue tracker.
>
> I see there are some open discussions, like the one Richard raised
> yesterday that need to be resolved in the document as well before we move
> forward with this one. Thanks for all of your effort on this draft!!
>
> --
>
> Best regards,
> Kathleen
>

--
Best regards,
Kathleen

--001a1134635a336aee04f73e6310 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
--001a1134635a336aee04f73e6310-- From nobody Thu Apr 17 09:58:00 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 717A51A02F2 for ; Thu, 17 Apr 2014 09:57:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GrQQJ96X39px for ; Thu, 17 Apr 2014 09:57:54 -0700 (PDT) Received: from n1plwbeout07-06.prod.ams1.secureserver.net (n1plsmtp07-06-02.prod.ams1.secureserver.net [188.121.52.26]) by ietfa.amsl.com (Postfix) with ESMTP id 8535E1A02EB for ; Thu, 17 Apr 2014 09:57:53 -0700 (PDT) Received: from localhost ([188.121.52.245]) by n1plwbeout07-06.prod.ams1.secureserver.net with bizsmtp id r4xo1n0015HRe2c014xoU6; Thu, 17 Apr 2014 09:57:48 -0700 X-SID: r4xo1n0015HRe2c01 Received: (qmail 25411 invoked by uid 99); 17 Apr 2014 16:57:48 -0000 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" X-Originating-IP: 95.43.60.39 User-Agent: Workspace Webmail 5.6.47 Message-Id: <20140417095747.3c376e9e86469f12ae2f88da05bfa671.4635cedd37.wbe@email07.europe.secureserver.net> From: "Vladimir Dzhuvinov" To: "Kathleen Moriarty" , jose@ietf.org Date: Thu, 17 Apr 2014 09:57:47 -0700 Mime-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/jose/BiVGEQhcHFQ2VRqSa2vuFsmJnAY Cc: Michael Jones , draft-ietf-jose-json-web-algorithms@tools.ietf.org Subject: Re: [jose] AD review of draft-ietf-jose-json-web-algorithms X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Apr 2014 16:57:55 
-0000

Hi Kathleen,


> Section 3.6 - Can you explain why would this be included? If you are not going to sign, I am not sure why one would use JOSE at all.
>

Perhaps the most popular application of JWS today is to construct JSON
Web Tokens (JWT), such as the ID tokens in OpenID Connect. The JWT spec
permits plain tokens that don't have a signature and this is enabled by
the special case "none" alg in JWS.

Plaintext JWTs are explained here:

http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#section-6


Vladimir

From nobody Thu Apr 17 10:21:01 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0A901A0171 for ; Thu, 17 Apr 2014 10:20:57 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MtqrP60zqbiF for ; Thu, 17 Apr 2014 10:20:53 -0700 (PDT) Received: from mail-la0-x22c.google.com (mail-la0-x22c.google.com [IPv6:2a00:1450:4010:c03::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 7511B1A014B for ; Thu, 17 Apr 2014 10:20:49 -0700 (PDT) Received: by mail-la0-f44.google.com with SMTP id c6so623022lan.17 for ; Thu, 17 Apr 2014 10:20:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=fu5sboFGrRvHxrMhA/gubPey/eSGF59MEfQjc1WAs7g=; b=ltEQ5YhJvvFr8hwnPo/xcPnKQlSCsXVmKMGHEc8giFMl2FsQ5LOeo1uPCuETl+ww+i YdBsDYyZ/dyugbn7lJmi/P+921PVP/KU9UI7GglKy0hxW764XsMsn0zJj1SmQrZPVHlc
KaYTZbSfgE6hUwFzg2RlWspIBbk33oWZ6wFPuoC5ZQ96LeIjdXV7rkMWRiUI7wpVjMNY ua2p10Z1Pmiw6uv8gn6R1f8zQAbdgL1xrrNBELn3kKpDGryB7QfQ2ol0eu4pjcjZEvNi QuoxsxN0rKoZPP4oqt1TPEWMClDjPkKHhhP+3Pzn58qMI/rn3sQWiBmTEmjb0ZNNuLEp zQAw== MIME-Version: 1.0 X-Received: by 10.112.50.194 with SMTP id e2mr7814620lbo.4.1397755245254; Thu, 17 Apr 2014 10:20:45 -0700 (PDT) Received: by 10.112.26.142 with HTTP; Thu, 17 Apr 2014 10:20:45 -0700 (PDT) In-Reply-To: <20140417095747.3c376e9e86469f12ae2f88da05bfa671.4635cedd37.wbe@email07.europe.secureserver.net> References: <20140417095747.3c376e9e86469f12ae2f88da05bfa671.4635cedd37.wbe@email07.europe.secureserver.net> Date: Thu, 17 Apr 2014 13:20:45 -0400 Message-ID: From: Kathleen Moriarty To: Vladimir Dzhuvinov Content-Type: multipart/alternative; boundary=001a11336c26e05d3904f740409e Archived-At: http://mailarchive.ietf.org/arch/msg/jose/WmLAhkiRuEm9OQhSCDjRcXvYmzg Cc: Michael Jones , draft-ietf-jose-json-web-algorithms@tools.ietf.org, jose@ietf.org Subject: Re: [jose] AD review of draft-ietf-jose-json-web-algorithms X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Apr 2014 17:20:58 -0000 --001a11336c26e05d3904f740409e Content-Type: text/plain; charset=UTF-8 Thanks, Vladimir. How would they be secured then? With the current threat landscape, it seems odd that we would be putting forth a method that is not secured? Does this rely on transport for security? On Thu, Apr 17, 2014 at 12:57 PM, Vladimir Dzhuvinov < vladimir@connect2id.com> wrote: > Hi Kathleen, > > > > Section 3.6 - Can you explain why would this be included? If you are > not going to sign, I am not sure why one would use JOSE at all. > > > > Perhaps the most popular application of JWS today is to construct JSON > Web Tokens (JWT), such as the ID tokens in OpenID Connect. 
The JWT spec > permits plain tokens that don't have a signature and this is enabled by > the special case "none" alg in JWS. > > Plaintext JWTs are explained here: > > http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#section-6 > > > Vladimir > > -- Best regards, Kathleen --001a11336c26e05d3904f740409e Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
--001a11336c26e05d3904f740409e-- From nobody Thu Apr 17 10:46:40 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B5941A0242 for ; Thu, 17 Apr 2014 10:46:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id miLfUirOb46b for ; Thu, 17 Apr 2014 10:46:25 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0205.outbound.protection.outlook.com [207.46.163.205]) by ietfa.amsl.com (Postfix) with ESMTP id A2BBB1A0226 for ; Thu, 17 Apr 2014 10:46:24 -0700 (PDT) Received: from BY2PR03CA037.namprd03.prod.outlook.com (10.242.234.158) by BY2PR03MB174.namprd03.prod.outlook.com (10.242.36.142) with Microsoft SMTP Server (TLS) id 15.0.918.8; Thu, 17 Apr 2014 17:46:13 +0000 Received: from BN1AFFO11FD055.protection.gbl (2a01:111:f400:7c10::136) by BY2PR03CA037.outlook.office365.com (2a01:111:e400:2c2c::30) with Microsoft SMTP Server (TLS) id 15.0.908.10 via Frontend Transport; Thu, 17 Apr 2014 17:46:13 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD055.mail.protection.outlook.com (10.58.53.70) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Thu, 17 Apr 2014 17:46:12 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.03.0181.007; Thu, 17 Apr 2014 17:45:35 +0000 From: Mike Jones To: Kathleen Moriarty , "jose@ietf.org" Thread-Topic: AD review of draft-ietf-jose-json-web-algorithms Thread-Index: AQHPWkx0MohT4foJy0+5ox2RzsAQFpsWAxPQ Date: Thu, 
17 Apr 2014 17:45:34 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A15D3B1@TK5EX14MBXC286.redmond.corp.microsoft.com> References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.35] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A15D3B1TK5EX14MBXC286r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(52604005)(41574002)(377454003)(189002)(199002)(51444003)(69224002)(2656002)(87936001)(16236675002)(81542001)(512874002)(76482001)(92726001)(77982001)(80022001)(66066001)(55846006)(20776003)(50986999)(76176999)(54356999)(84326002)(84676001)(86612001)(71186001)(79102001)(2009001)(15202345003)(81342001)(46102001)(99396002)(74662001)(31966008)(33656001)(6806004)(74502001)(83322001)(19580405001)(19580395003)(15975445006)(80976001)(44976005)(92566001)(86362001)(4396001)(85852003)(83072002)(19300405004)(97736001); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB174; H:mail.microsoft.com; FPR:EE3FDDDF.A3F253C1.7CD33D4B.9AAAC961.207D6; MLV:sfv; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 01842C458A Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/jose/hfcl3qRm9uoFBGM7bA9E5caOfZA Cc: "draft-ietf-jose-json-web-algorithms@tools.ietf.org" Subject: Re: [jose] AD review of draft-ietf-jose-json-web-algorithms X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Apr 2014 17:46:35 -0000 
--_000_4E1F6AAD24975D4BA5B16804296739439A15D3B1TK5EX14MBXC286r_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64
--_000_4E1F6AAD24975D4BA5B16804296739439A15D3B1TK5EX14MBXC286r_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64
b25hbGx5IHNpZ25lZCBpbiBwcm90b2NvbHMgdXNpbmcgSldTLiZuYnNwOyBIYXZpbmcgdGhpcyBt ZWFucyB0aGF0IHdoZXRoZXIgb3Igbm90IHRoZSBjb250ZW50IGlzDQogc2lnbmVkLCBpdCBjYW4g dXNlIGEgdW5pZm9ybSByZXByZXNlbnRhdGlvbiwgd2hpY2ggaXMgZWFzeSB0byBwYXJzZS4mbmJz cDsgVGhpcyBpcyBpbiBwcm9kdWN0aW9uIHVzZSwgZm9yIGluc3RhbmNlLCB0byBlbmFibGUgT0F1 dGggYXV0aG9yaXphdGlvbiByZXF1ZXN0IG1lc3NhZ2VzIHRoYXQgYXJlIG9wdGlvbmFsbHkgc2ln bmVkLiZuYnNwOyBTb21ldGltZXMgY29udGVudCBuZWVkIG5vdCBiZSBzaWduZWQgYXQgdGhlIEpX UyBsZXZlbCBiZWNhdXNlIGl04oCZcyBpbnRlZ3JpdHkNCiBwcm90ZWN0ZWQgYnkgb3RoZXIgcHJv dG9jb2wgbGF5ZXJzIOKAkyBpbiBwYXJ0aWN1bGFyLCBvZnRlbiBieSB0aGUgdXNlIG9mIFRMUy4m bmJzcDsgQW5vdGhlciB1c2UgY2FzZSBpcyB3aGVyZSBzaWduaW5nIGFkZHMgYWRkaXRpb25hbCBv cHRpb25hbCB2YWx1ZSwgYnV0IHdoZXJlIHRoZXJl4oCZcyBubyBoYXJtIGluIHVzaW5nIHVuc2ln bmVkIGNvbnRlbnQg4oCTIGZvciBpbnN0YW5jZSwgd2hpbGUgbm9ybWFsIE9BdXRoIHJlcXVlc3Rz IGFyZSBpbmxpbmUgYW5kIHVuc2lnbmVkLA0KIGEgcmVnaXN0ZXJlZCBleHRlbnNpb24gZW5hYmxl cyByZXF1ZXN0IHBhcmFtZXRlcnMgdG8gYmUgcGFzc2VkIGJ5IHJlZmVyZW5jZSwgcmF0aGVyIHRo YW4gYnkgdmFsdWU7IHRoZSBvYmplY3QgcmVmZXJlbmNlZCBjb250YWluaW5nIHRoZSBwYXJhbWV0 ZXJzIGlzIGEgSldTOyB0aGUgSldTIGNhbiBvcHRpb25hbGx5IGJlIHNpZ25lZC4mbmJzcDsgVGhl IGN1cnJlbnQsIGNhcmVmdWxseSByZWZpbmVkIHRyZWF0bWVudCBvZiDigJxub25l4oCdIGlzIHRo ZSByZXN1bHQNCiBvZiBzdWJzdGFudGlhbCBtYWlsaW5nIGxpc3QgZGlzY3Vzc2lvbnMgYW5kIGRp c2N1c3Npb25zIG9uIHdvcmtpbmcgZ3JvdXAgY2FsbHMuJm5ic3A7IFdoaWxlIGEgbGVzcyBwYXJh bGxlbCB0cmVhdG1lbnQgb2YgdW5zaWduZWQgSldTcyB3YXMgcHJvcG9zZWQgaW4NCjwvc3Bhbj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1 b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzAwQjA1MCI+PGEgaHJlZj0iaHR0cDov L3RyYWMudG9vbHMuaWV0Zi5vcmcvd2cvam9zZS90cmFjL3RpY2tldC8zNiI+aHR0cDovL3RyYWMu dG9vbHMuaWV0Zi5vcmcvd2cvam9zZS90cmFjL3RpY2tldC8zNjwvYT48L3NwYW4+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVv dDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMwMDcwQzAiPiwNCiB0aGlzIGFsdGVybmF0aXZlIHN5 
bnRheCB3YXMgcmVqZWN0ZWQgYnkgdGhlIHdvcmtpbmcgZ3JvdXAgaW4gZmF2b3Igb2YgdGhlIGN1 cnJlbnQgYXBwcm9hY2guPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJy aSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7 PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPlNl Y3Rpb24gNS4yIC0gVGhlIHdyaXRlIHVwIG9mIHRoaXMgc2VjdGlvbiBzZWVtcyBhIGJpdCBtb3Jl IGNvbXBsaWNhdGVkIHRoYW4gbmVjZXNzYXJ5LiZuYnNwOyZuYnNwO0l0IHNlZW1zIGl0IHdvdWxk IGhhdmUganVzdCBiZWVuIHNpbXBsZXIgdG8gc3RhdGUgdGhhdCB0aGUgc2l6ZXMgdmFyeSBhcyBy ZXF1aXJlZCBieSB0aGUgYWxnb3JpdGhtcyBhbmQga2V5IGxlbmd0aHMgdXNlZCByYXRoZXIgdGhh biBwcm92aWRpbmcgdGhlDQogZGlmZmVyZW5jZXMgZnJvbSBvbmUgdG8gdGhlIG5leHQuICZuYnNw O0NhbiB5b3Ugc2ltcGxpZnkgdGhpcz8gJm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxk aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5BZnRlciBsb29raW5nIHRocm91Z2ggc29tZSBvZiB0 aGUgbWFpbGluZyBsaXN0IGRpc2N1c3Npb25zLCBpdCBzZWVtcyB0aGVyZSB3YXMgYWxyZWFkeSBh Z3JlZW1lbnQgdG8gc2xpbSB0aGlzIGFuZCBvdGhlciBzZWN0aW9ucyBkb3duIGJ5IHBvaW50aW5n IHRvIHRoZSZuYnNwOzxzcGFuIHN0eWxlPSJjb2xvcjpibGFjayI+ZHJhZnQtbWNncmV3LWFlYWQt YWVzLWNiYy1obWFjLXNoYTI8L3NwYW4+PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxhIGhyZWY9Imh0dHA6Ly93d3cuaWV0Zi5vcmcvbWFpbC1h cmNoaXZlL3dlYi9qb3NlL2N1cnJlbnQvbXNnMDIyNzYuaHRtbCI+aHR0cDovL3d3dy5pZXRmLm9y Zy9tYWlsLWFyY2hpdmUvd2ViL2pvc2UvY3VycmVudC9tc2cwMjI3Ni5odG1sPC9hPjxvOnA+PC9v OnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Q2FuIEkgZ2V0IGFu IHVwZGF0ZSBhcyB0byB3aGVyZSB0aGF0IHN0YW5kcywgcmVmZXJlbmNpbmcgd2hhdCB5b3UgY2Fu IGZyb20gdGhhdCBkcmFmdCBhcyBvcHBvc2VkIHRvIGR1cGxpY2F0aW5nIHRleHQ/ICZuYnNwO1Ro YW5rcyE8YnIgY2xlYXI9ImFsbCI+DQo8bzpwPjwvbzpwPjwvcD4NCjxwcmU+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtz 
YW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMwMDcwQzAiPk1pa2UmZ3Q7IFN1cmUuJm5ic3A7IFRoZSBr ZXkgcGFydCBvZiB0aGUgbWVzc2FnZSB5b3UgY2l0ZWQgaXMg4oCcPC9zcGFuPk9uY2UgdGhlIE1j R3JldyBkcmFmdCBoYXMgYmVlbiByZWZhY3RvcmVkIHRvIHNlcGFyYXRlIHRoZSBkZXNjcmlwdGlv biBvZiB0aGUgY2FsY3VsYXRpb24gc3RlcHMgKHdoaWNoIEpPU0UgaXMgdXNpbmcpIGZyb20gdGhl IEFFQUQgcmVwcmVzZW50YXRpb24gc3RlcHMgKHdoaWNoIEpPU0UgaXMgbm90IHVzaW5nKSwgYW5k IHRvIGluY2x1ZGUgdGVzdCB2ZWN0b3IgdmFsdWVzIHRoYXQgc2hvdyByZXN1bHRzIHdpdGhvdXQg cGVyZm9ybWluZyB0aGUgQUVBRCByZXByZXNlbnRhdGlvbiBjb25jYXRlbmF0aW9ucywgSSBhZ3Jl ZSB0aGF0IHdlJ2xsIGJlIGFibGUgdG8ganVzdCByZWZlcmVuY2UgaXQsIHJhdGhlciB0aGFuIGR1 cGxpY2F0aW5nIGl0LjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMDA3MEMwIj7i gJ0mbmJzcDsgVGhlIHByb2JsZW0gaXMgdGhhdCB0aGUgcmVmYWN0b3Jpbmcgd2FzIG5ldmVyIGRv bmUuJm5ic3A7IFRoZSBhbGdvcml0aG0gZGVzY3JpcHRpb24gaW4gPC9zcGFuPjxzcGFuIHN0eWxl PSJjb2xvcjojMDA3MEMwIj5kcmFmdC1tY2dyZXctYWVhZC1hZXMtY2JjLWhtYWMtc2hhMjwvc3Bh bj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJp JnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzAwNzBDMCI+IGlzIHdyaXR0ZW4g aW4gc3VjaCBhIHdheSB0aGF0IHRoZSBjaXBoZXJ0ZXh0IEMsIGFzIGRlc2NyaWJlZCwgYWxzbyBp bmNsdWRlcyB0aGUgSVYgdmFsdWUgYXMgYSBwcmVmaXggYW5kIHRoZSBhdXRoZW50aWNhdGlvbiB0 YWcgVCBhcyBhIHN1ZmZpeCwgcmF0aGVyIHRoYW4gdHJlYXRpbmcgZWFjaCBvZiB0aG9zZSBhcyBz ZXBhcmF0ZSB2YWx1ZXMuJm5ic3A7IFRoZSB0ZXN0IHZlY3RvcnMgZG8gdGhlIHNhbWUuJm5ic3A7 IFllcywgRGF2aWQgYWRkZWQgYXBwZW5kaXggQiBzYXlpbmcgdGhhdCB0aGUgdmFsdWVzIGNvdWxk IGJlIHRyZWF0ZWQgYXMgc2VwYXJhdGUsIGJ1dCB0aGUgd3JpdGUtdXAgZG9lcyBubyBmYXZvcnMg dG8gaW1wbGVtZW50ZXJzLCBhcyBib3RoIHRoZSBjb3JlIGFsZ29yaXRobSBkZXNjcmlwdGlvbiBh bmQgdGhlIHRlc3QgdmVjdG9ycyBhc3N1bWUgdGhleSBhcmUgY29tYmluZWQuJm5ic3A7IChJIHBl cnNvbmFsbHkga25vdyB0aGF0IHdvcmtpbmcgb3V0IGhvdyB0byB0cmVhdCB0aGVtIGFzIHNlcGFy YXRlIGZyb20gRGF2aWTigJlzIGN1cnJlbnQgZHJhZnQgaXMgYSB0ZWRpb3VzIGFuZCBlcnJvci1w 
cm9uZSBleGVyY2lzZSwgaGF2aW5nIGhhZCB0byBkbyBzbyB0byB0ZWFzZSB0aGVtIGFwYXJ0IGZv ciB0aGUgY3VycmVudCBKV0Egd3JpdGUtdXAuKSZuYnNwOyBEYXZpZCBoYXMgYmVlbiBhc2tlZCBh Ym91dCBkb2luZyB0aGUgcmVmYWN0b3Jpbmcgc2V2ZXJhbCB0aW1lcyBieSBtdWx0aXBsZSBwYXJ0 aWVzLCBidXQgaGXigJlzIGEgYnVzeSBndXksIGFuZCBJIGRvbuKAmXQgdGhpbmsgaXTigJlzIGV2 ZXIgcmVhY2hlZCB0aGUgdG9wIG9mIGhpcyBxdWV1ZS4mbmJzcDsgQXMgaXQgaXMsIHRoZSBKV0Eg ZGVzY3JpcHRpb24gaXMgY2xlYXIgYW5kIHNlbWFudGljYWxseSBlcXVpdmFsZW50IGFuZCBpbXBs ZW1lbnRlcnMgaGF2ZSBzaG93biB0aGF0IHRoZXkgY2FuIHN1Y2Nlc3NmdWxseSBidWlsZCBpdC4m bmJzcDsgRmluYWxseSwgd2Ugd291bGRu4oCZdCB3YW50IHRvIHRha2UgYSBub3JtYXRpdmUgZGVw ZW5kZW5jeSB1cG9uIGEgZHJhZnQgdGhhdCBhcHBlYXJzIHRvIGhhdmUgYmVlbiBsYXJnZWx5IGFi YW5kb25lZCAob3IgYXQgbGVhc3QgbmVnbGVjdGVkKSwgYXMgZG9pbmcgc28gY291bGQgaW5kZWZp bml0ZWx5IHN0YWxsIHB1YmxpY2F0aW9uIG9mIFJGQyB2ZXJzaW9ucyBvZiB0aGUgSk9TRSBzcGVj cy48L3NwYW4+PHNwYW4gc3R5bGU9ImNvbG9yOiMwMDcwQzAiPjxvOnA+PC9vOnA+PC9zcGFuPjwv cHJlPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0K PC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPlNlY3VyaXR5IENvbnNp ZGVyYXRpb25zOiBXaGlsZSBpdCBpcyB0cnVlIHRoZSBjb250ZW50IGlzIGNvdmVyZWQgaW4gb3Ro ZXIgcGxhY2VzLCB0aGlzIHNlY3Rpb24gY291bGQgYmVuZWZpdCBmcm9tIGltcHJvdmVtZW50IGJl Zm9yZSBpdCBnb2VzIHRvIHRoZSBTZWNEaXIgcmV2aWV3LiAmbmJzcDtUaGUgc2Vjb25kIHNlbnRl bmNlIGluIHRoZSBmaXJzdCBwYXJhZ3JhcGggc2F5cyB0aGUgZm9sbG93aW5nOjxvOnA+PC9vOnA+ PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7ICZuYnNwOzxz cGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90OyI+QW1vbmcgdGhl c2UgaXNzdWVzIGFyZTwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5l dyZxdW90OyI+Jm5ic3A7ICZuYnNwO3Byb3RlY3RpbmcgdGhlIHVzZXIncyBwcml2YXRlIGFuZCBz eW1tZXRyaWMga2V5cywgcHJldmVudGluZyB2YXJpb3VzPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0K PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtZmFt 
aWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij4mbmJzcDsgJm5ic3A7YXR0YWNrcywgYW5kIGhl bHBpbmcgdGhlIHVzZXIgYXZvaWQgbWlzdGFrZXMgc3VjaCBhcyBpbmFkdmVydGVudGx5PC9zcGFu PjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij4mbmJzcDsgJm5i c3A7ZW5jcnlwdGluZyBhIG1lc3NhZ2UgZm9yIHRoZSB3cm9uZyByZWNpcGllbnQuPC9zcGFuPjxv OnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+SXQgd291 bGQgYmUgaGVscGZ1bCBpZiB5b3UgY291bGQgZXhwYW5kIHRoZSB0ZXh0IGFuZCBtYWtlIGl0IG1v cmUgZGVzY3JpcHRpdmUgYW5kIGFwcGxpY2FibGUgdG8gdGhpcyBkb2N1bWVudC4gJm5ic3A7Rm9y IGV4YW1wbGUsIHNob3VsZG7igJl0IHRoZSBmaXJzdCBzZWN0aW9uIHNheSB1c2Vy4oCZcyBwcml2 YXRlIGFzeW1tZXRyaWMgYW5kIHN5bW1ldHJpYyBrZXlzPyAmbmJzcDtJIGFzc3VtZSB0aGF0IGlz IHdoYXQgd2FzIGludGVuZGVkDQogd2l0aCBwcml2YXRlLCBidXQgaXQgcmVhZHMgZnVubnkgdG8g bWUgd2l0aG91dCB0aGF0LiAmbmJzcDtUaGUgb25seSDigJhhdHRhY2vigJkgb3IgY2F1dGlvbiBt ZW50aW9uZWQgaW4gdGhlIGRvY3VtZW50IGlzIGZvciB0aGUgYXBwbGljYXRpb24gdG8gcHJldmVu dCBhIHVzZXIgZnJvbSBzZWxlY3RpbmcgdGhlIHdyb25nIGtleS4gJm5ic3A7UGxlYXNlIGluY2x1 ZGUgc29tZSBhdHRhY2tzIHRoYXQgZGV2ZWxvcGVycyBhbmQgaW1wbGVtZW50ZXJzIHNob3VsZCBi ZSBhd2FyZQ0KIGFuZCBjYXV0aW9uZWQgb24sIG9yIHN0YXRlIHRoYXQgc3BlY2lmaWMgYXR0YWNr cyBhbmQgY29uc2lkZXJzIGFyZSBkZXRhaWxlZCBpbiB0aGUgc3Vic2VjdGlvbnMgdG8gZm9sbG93 LjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+ PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2Nv bG9yOiMwMDcwQzAiPk1pa2UmZ3Q7IE9LLCBJIGNhbiB3b3JrIG9uIGV4cGFuZGluZyB0aGF0LiZu YnNwOyBUaGVyZSBhcmUgc29tZSBvdGhlciBhdHRhY2tzIG1lbnRpb25lZCBpbiB0aGUgb3RoZXIg ZHJhZnRzLCBzdWNoIGFzIHRpbWluZyBhdHRhY2tzLCB3aGljaCBjYW4gcHJvYmFibHkgYXQgbGVh c3QgYmUNCiBtZW50aW9uZWQgaGVyZS4mbmJzcDsgSeKAmWxsIHNlbmQgZHJhZnQgdGV4dCB0byB0 
aGUgbGlzdCBhbmQgY29uc3VsdCB3aXRoIHlvdSBiZWZvcmUgZG9pbmcgYW55dGhpbmcgdG8gdGhl IGFjdHVhbCBkcmFmdHMuJm5ic3A7IFNwZWNpZmljIHN1Z2dlc3Rpb25zIGZyb20gd29ya2luZyBn cm91cCBwYXJ0aWNpcGFudHMgd291bGQgYWxzbyBiZSBoaWdobHkgYXBwcmVjaWF0ZWQuPG86cD48 L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNl cmlmJnF1b3Q7O2NvbG9yOiMwMDcwQzAiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjwv ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPkkgdGhpbmsgdGhhdCdzIGl0IGZvciBu b3cuIEFsdGhvdWdoIEkgZG8gbmVlZCB0byBsb29rIHRocm91Z2ggc29tZSBtb3JlIG9mIHRoZSBw cmV2aW91cyBjb252ZXJzYXRpb25zIG9uIHRoZSBtYWlsaW5nIGxpc3QgYW5kIGluIHRoZSBpc3N1 ZSB0cmFja2VyLjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj5JIHNlZSB0aGVyZSBhcmUgc29tZSBvcGVuIGRpc2N1c3Npb25zLCBsaWtlIHRoZSBv bmUgUmljaGFyZCByYWlzZWQgeWVzdGVyZGF5IHRoYXQgbmVlZCB0byBiZSByZXNvbHZlZCBpbiB0 aGUgZG9jdW1lbnQgYXMgd2VsbCBiZWZvcmUgd2UgbW92ZSBmb3J3YXJkIHdpdGggdGhpcyBvbmUu ICZuYnNwO1RoYW5rcyBmb3IgYWxsIG9mIHlvdXIgZWZmb3J0IG9uIHRoaXMgZHJhZnQhITxvOnA+ PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImNvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMDA3MEMwIj5N aWtlJmd0OyBQZXIgbXkgbm90ZQ0KPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztj b2xvcjojMUY0OTdEIj48YSBocmVmPSJodHRwOi8vd3d3LmlldGYub3JnL21haWwtYXJjaGl2ZS93 ZWIvam9zZS9jdXJyZW50L21zZzA0MDYxLmh0bWwiPmh0dHA6Ly93d3cuaWV0Zi5vcmcvbWFpbC1h cmNoaXZlL3dlYi9qb3NlL2N1cnJlbnQvbXNnMDQwNjEuaHRtbDwvYT48L3NwYW4+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVv 
dDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMwMDcwQzAiPiwNCiBJIGRvbuKAmXQgYmVsaWV2ZSB0 aGF0IHRoYXQgcGFydGljdWxhciBpc3N1ZSBpcyBvcGVuLiZuYnNwOyBJdCBoYWQgYmVlbiBleHRl bnNpdmVseSBkaXNjdXNzZWQgd2l0aGluIHRoZSB3b3JraW5nIGdyb3VwIG11bHRpcGxlIHRpbWVz IGFuZCB0aGUgaXNzdWUgd2FzIGV4cGxpY2l0bHkgY2xvc2VkIGJ5IHRoZSBjaGFpcnMsIGxlYXZp bmcgdGhlIHN0YXR1cyBxdW8gaW4gcGxhY2UgaW4gd2hpY2ggdGhlcmUgYXJlIHJlcXVpcmVkIGFs Z29yaXRobXMgZm9yIGludGVyb3BlcmFiaWxpdHkNCiByZWFzb25zLjxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+SSdtIGdvaW5nIHRvIGFkZCBvbmUgbW9yZSBxdWVzdGlvbiB0byB0aGUg cmV2aWV3IGFzIEkgaGFkIHRoZSBzYW1lIHRob3VnaHQgYXMgU2NvdHQgJmFtcDsgQnVydCBpbiB0 aGVpciByZXZpZXcgb2YgSldBIChhbmQgYWxzbyBpbiBKV1MpLiAmbmJzcDtXaHkgYXJlIHRoZXJl IG5vIG90aGVyIG9wdGlvbnMgaW4gYWRkaXRpb24gdG8gU0hBMT8gJm5ic3A7VGhlIHJlc3BvbnNl IHRvIFNjb3R0IHBvaW50ZWQgYmFjayB0byBlYXJseSBXRyBkZWNpc2lvbnMsDQogYnV0IEkgaGF2 ZSBoZWFyZCB0aGlzIGNvbmNlcm4gZnJvbSBvdGhlcnMgYW5kIGhhdmUgaXQgbXlzZWxmLCBzbyBJ IGFtIG5vdCBzdXJlIHRoaXMgb25lIGlzIHJlc29sdmVkLiAmbmJzcDtJJ2QgbGlrZSB0byByZXZp c2l0IGl0LjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48YSBocmVmPSJodHRwOi8vd3d3LmlldGYu b3JnL21haWwtYXJjaGl2ZS93ZWIvam9zZS9jdXJyZW50L21zZzA0MDIwLmh0bWwiPmh0dHA6Ly93 d3cuaWV0Zi5vcmcvbWFpbC1hcmNoaXZlL3dlYi9qb3NlL2N1cnJlbnQvbXNnMDQwMjAuaHRtbDwv YT48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2Nv bG9yOiMwMDcwQzAiPk1pa2UmZ3Q7IElmIGFkZGluZyBhIG5ldyDigJxSU0EtT0FFUC0yNTbigJ0g YWxnb3JpdGhtIGlkZW50aWZpZXIgZm9yIOKAnFJTQUVTIHdpdGggT3B0aW1hbCBBc3ltbWV0cmlj IEVuY3J5cHRpb24gUGFkZGluZyB1c2luZyB0aGUgTUdGMSBtYXNrIGdlbmVyYXRpb24gZnVuY3Rp b24gYW5kDQogdGhlIFNIQS0yNTYgaGFzaCBmdW5jdGlvbuKAnSB3b3VsZCBtYWtlIGEgbnVtYmVy 
IG9mIHBlb3BsZSBtb3JlIGNvbWZvcnRhYmxlLCBpbmNsdWRpbmcgeW91LCB0aGVyZeKAmXMgbm90 aGluZyB3cm9uZyB3aXRoIGRvaW5nIHNvLiZuYnNwOyBIb3dldmVyLCBpdOKAmXMgYWxzbyBub3Qg Y2xlYXIgdGhhdCBpdCB3b3VsZCBiZSBvZiBtdWNoIHNob3J0LXRlcm0gcHJhY3RpY2FsIGJlbmVm aXQgYmVjYXVzZSwgYXQgbGVhc3QgYXMgb2YgdGhlIGltcGxlbWVudGF0aW9uIHN1cnZleQ0KIGRv bmUgaW4gSnVseSAyMDEyLCBtYW55IGNyeXB0byBsaWJyYXJpZXMgZG9u4oCZdCBleHBvc2UgYSB3 YXkgdG8gZ2V0IGF0IHRoaXMgYWxnb3JpdGhtIGNvbWJpbmF0aW9uLiZuYnNwOyBIb3dldmVyLCB0 aGUgc2FtZSBhcmd1bWVudCBjb3VsZCBiZSBtYWRlIGFib3V0IFJTQVNTQS1QU1MsIHdoaWNoIHdl IGRpZCBhZGQgaWRlbnRpZmllcnMgZm9yIGluIHRoZSBlbmQuJm5ic3A7IEluIHNob3J0LCBJIGRv buKAmXQgdGhpbmsgYW55b25lIGluIHRoZSB3b3JraW5nIGdyb3VwDQogd291bGQgc3RyaWRlbnRs eSBvYmplY3QgaWYgeW91IGFza2VkIGZvciB0aGlzIGFkZGl0aW9uYWwgYWxnb3JpdGhtIGlkZW50 aWZpZXIgdG8gYmUgYWRkZWQuJm5ic3A7IFlvdXIgY2FsbOKApjxvOnA+PC9vOnA+PC9zcGFuPjwv cD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xv cjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPi0tIDxvOnA+PC9vOnA+PC9wPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPkJl c3QgcmVnYXJkcyw8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPkthdGhsZWVuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7 LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48 L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox MS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1 b3Q7O2NvbG9yOiMwMDcwQzAiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu 
From nobody Thu Apr 17 11:02:28 2014
From: Mike Jones
To: Kathleen Moriarty, Vladimir Dzhuvinov
Date: Thu, 17 Apr 2014 18:01:39 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A15D44B@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <20140417095747.3c376e9e86469f12ae2f88da05bfa671.4635cedd37.wbe@email07.europe.secureserver.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/E2UJW2aKlnqx7rybInxHQd_CGwI
Cc: "draft-ietf-jose-json-web-algorithms@tools.ietf.org", "jose@ietf.org"
Subject: Re: [jose] AD review of draft-ietf-jose-json-web-algorithms
From nobody Thu Apr 17 11:10:44 2014
Message-Id: <20140417111031.3c376e9e86469f12ae2f88da05bfa671.79baba1ed9.wbe@email07.europe.secureserver.net>
From: "Vladimir Dzhuvinov"
To: "Kathleen Moriarty"
Cc: Michael Jones, draft-ietf-jose-json-web-algorithms@tools.ietf.org, jose@ietf.org
Date: Thu, 17 Apr 2014 11:10:32 -0700
Subject: Re: [jose] AD review of draft-ietf-jose-json-web-algorithms
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/51tu_JQj1-FxQl6hlzxsC5pXkws

> Thanks, Vladimir.
>
> How would they be secured then? With the current threat landscape, it
> seems odd that we would be putting forth a method that is not secured?
> Does this rely on transport for security?

Yes, securing the JWS message with TLS for instance, as Mike just
pointed out in his response.

JWT-encoded ID tokens in OpenID Connect is one such example, but only
when the token is returned from the OAuth 2.0 token endpoint where TLS is
mandatory, clients can then register to receive plaintext ID tokens:

http://openid.net/specs/openid-connect-core-1_0.html#IDToken

There is a section in the JWA spec to instruct developers of the various
security considerations regarding use of "none" alg JWS:

http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-8.5

Vladimir

> On Thu, Apr 17, 2014 at 12:57 PM, Vladimir Dzhuvinov <
> vladimir@connect2id.com> wrote:
>
> > Hi Kathleen,
> >
> >
> > > Section 3.6 - Can you explain why would this be included? If you are
> > > not going to sign, I am not sure why one would use JOSE at all.
> > >
> >
> > Perhaps the most popular application of JWS today is to construct JSON
> > Web Tokens (JWT), such as the ID tokens in OpenID Connect. The JWT spec
> > permits plain tokens that don't have a signature and this is enabled by
> > the special case "none" alg in JWS.
> >
> > Plaintext JWTs are explained here:
> >
> > http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#section-6
> >
> >
> > Vladimir
> >
> >
>
>
> --
>
> Best regards,
> Kathleen

From nobody Thu Apr 17 14:18:06 2014
From: "Jim Schaad"
To: "'Kathleen Moriarty'"
Cc: 'Michael Jones', draft-ietf-jose-json-web-algorithms@tools.ietf.org
Date: Thu, 17 Apr 2014 14:16:00 -0700
Message-ID: <00d601cf5a82$3c0c96a0$b425c3e0$@augustcellars.com>
Subject: Re: [jose] AD review of draft-ietf-jose-json-web-algorithms
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/-BbrTDSmhmNHdIT6i2BdV4q3bn4

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Kathleen Moriarty
Sent: Thursday, April 17, 2014 7:51 AM
To: jose@ietf.org
Cc: Michael Jones; draft-ietf-jose-json-web-algorithms@tools.ietf.org
Subject: [jose] AD review of draft-ietf-jose-json-web-algorithms

Hello Mike & JOSE members,

I am working my way through the requested reviews to progress the JOSE drafts and can see a lot of work has been done, thank you. As I read through the Algorithms (JWA) draft there are some changes that will need to be made to avoid problems during the IESG review. This is a pretty big change for the draft, but will help make the review and approval faster. Typically, the lists of algorithms are handled through a draft update as opposed to creating an IANA registry. A good example is a recent update of a draft in the IPSECME working group so you can see the structure and the precedence for this model.

[JLS] Kathleen, I don’t know that I agree with this statement. There are a number of different places where IANA registries are used for the purpose of having lists of algorithms. I would point to the following as examples:

TLS uses registries for all of their algorithm assignments.

http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 – The TLS HashAlgorithm Registry

Kerberos has their OIDS registered with IANA

http://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-26

PKIX and CMS have been moving towards keeping their OID trees in IANA registries

RFC 7101 and https://datatracker.ietf.org/doc/draft-housley-pkix-oids/

This is only a small set of the algorithm registries that are kept by IANA. The only new thing is that the requirements level of algorithm is now being kept in the registry, however that requires a document of some type to change the top level requirements.

I would note that we already have the following non-IETF document that is going to make changes to the IANA registry http://www.w3.org/TR/WebCryptoAPI

jim

https://datatracker.ietf.org/doc/draft-ietf-ipsecme-esp-ah-reqts

Now for other edits and questions:

Section 3.6 - Can you explain why would this be included? If you are not going to sign, I am not sure why one would use JOSE at all.

Section 5.2 - The write up of this section seems a bit more complicated than necessary. It seems it would have just been simpler to state that the sizes vary as required by the algorithms and key lengths used rather than providing the differences from one to the next. Can you simplify this?

After looking through some of the mailing list discussions, it seems there was already agreement to slim this and other sections down by pointing to the draft-mcgrew-aead-aes-cbc-hmac-sha2

http://www.ietf.org/mail-archive/web/jose/current/msg02276.html

Can I get an update as to where that stands, referencing what you can from that draft as opposed to duplicating text? Thanks!

Security Considerations: While it is true the content is covered in other places, this section could benefit from improvement before it goes to the SecDir review. The second sentence in the first paragraph says the following:

   Among these issues are
   protecting the user's private and symmetric keys, preventing various
   attacks, and helping the user avoid mistakes such as inadvertently
   encrypting a message for the wrong recipient.

It would be helpful if you could expand the text and make it more descriptive and applicable to this document. For example, shouldn’t the first section say user’s private asymmetric and symmetric keys? I assume that is what was intended with private, but it reads funny to me without that. The only ‘attack’ or caution mentioned in the document is for the application to prevent a user from selecting the wrong key. Please include some attacks that developers and implementers should be aware and cautioned on, or state that specific attacks and considers are detailed in the subsections to follow.

I think that's it for now. Although I do need to look through some more of the previous conversations on the mailing list and in the issue tracker.

I see there are some open discussions, like the one Richard raised yesterday that need to be resolved in the document as well before we move forward with this one. Thanks for all of your effort on this draft!!

--

Best regards,
Kathleen
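The "none" discussion in the messages above (unsigned JWS content that relies on TLS or another layer for integrity), as an added example that is not code from the thread or from the JOSE drafts. It sketches a verifier in which an unsecured JWS is accepted only when the application has opted in for that message and states that the transport protected it; the `allow_unsecured` and `transport_protected` parameters, the key and the claims are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-not-a-secret"      # constructed sample key
CLAIMS = {"sub": "alice", "scope": "read"}      # constructed sample payload


class JWSRejected(Exception):
    """Raised when a token fails the verifier's policy or integrity check."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jws(payload: dict, alg: str, key: bytes = b"") -> str:
    """Build a JWS Compact Serialization for the two cases shown here."""
    header = b64url_encode(json.dumps({"alg": alg}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = header + "." + body
    if alg == "none":
        signature = b""  # an unsecured JWS carries an empty signature part
    elif alg == "HS256":
        signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    else:
        raise ValueError("example supports only 'none' and 'HS256'")
    return signing_input + "." + b64url_encode(signature)


def verify_jws(token: str, key: bytes, *, allow_unsecured: bool = False,
               transport_protected: bool = False) -> dict:
    """Return the payload, or raise JWSRejected.

    The caller's policy decides whether "none" is acceptable; the token's own
    header is never enough to switch integrity checking off.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise JWSRejected("not a three-part JWS Compact Serialization")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(signature_b64)
    except ValueError as exc:
        raise JWSRejected("malformed token") from exc
    if not isinstance(header, dict):
        raise JWSRejected("header is not a JSON object")

    alg = header.get("alg")
    if alg == "none":
        if not (allow_unsecured and transport_protected):
            raise JWSRejected("unsecured JWS not permitted for this message")
        if signature_b64 != "":
            raise JWSRejected("unsecured JWS must have an empty signature")
        return payload
    if alg == "HS256":
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise JWSRejected("signature mismatch")
        return payload
    raise JWSRejected("algorithm not allowed: %r" % (alg,))


def accepts(token: str, key: bytes, **policy) -> bool:
    """Convenience wrapper: True if verify_jws returns a payload."""
    try:
        verify_jws(token, key, **policy)
        return True
    except JWSRejected:
        return False
```

With the defaults the verifier behaves as a signature-only verifier; the opt-in would be set per endpoint, for example only on responses read from a TLS-protected token endpoint as in the OpenID Connect case mentioned above.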

 

 

From nobody Thu Apr 17 14:22:33 2014
From: "Jim Schaad"
To: "'Mike Jones'", "'Kathleen Moriarty'"
Cc: draft-ietf-jose-json-web-algorithms@tools.ietf.org
References: <4E1F6AAD24975D4BA5B16804296739439A15D3B1@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A15D3B1@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Thu, 17 Apr 2014 14:20:27 -0700
Message-ID: <00db01cf5a82$db1c7f80$91557e80$@augustcellars.com>
Subject: Re: [jose] AD review of draft-ietf-jose-json-web-algorithms
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/91T14aIrWnvLPV-cH1MKBLXakJo

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Thursday, April 17, 2014 10:46 AM
To: Kathleen Moriarty; jose@ietf.org
Cc: draft-ietf-jose-json-web-algorithms@tools.ietf.org
Subject: Re: [jose] AD review of draft-ietf-jose-json-web-algorithms

Thanks for taking the time to do the review, Kathleen. Responses are inline, flagged by “Mike>”. I also pasted your follow-on note in and responded to it as well.

From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
Sent: Thursday, April 17, 2014 7:51 AM
To: jose@ietf.org
Cc: Mike Jones; draft-ietf-jose-json-web-algorithms@tools.ietf.org
Subject: AD review of draft-ietf-jose-json-web-algorithms

Hello Mike & JOSE members,

I am working my way through the requested reviews to progress the JOSE drafts and can see a lot of work has been done, thank you. As I read through the Algorithms (JWA) draft there are some changes that will need to be made to avoid problems during the IESG review. This is a pretty big change for the draft, but will help make the review and approval faster. Typically, the lists of algorithms are handled through a draft update as opposed to creating an IANA registry. A good example is a recent update of a draft in the IPSECME working group so you can see the structure and the precedence for this model.

https://datatracker.ietf.org/doc/draft-ietf-ipsecme-esp-ah-reqts

Mike> So you’re suggesting that future JWA drafts might obsolete the current one, much like draft-ietf-ipsecme-esp-ah-reqts will obsolete RFC 4835, which obsoleted RFC 4305, etc.? If so, could work on revising the JWA draft accordingly and send proposed changes to the working group.

Now for other edits and questions:

Section 3.6 - Can you explain why would this be included? If you are not going to sign, I am not sure why one would use JOSE at all.

Mike> This is included to enable representing content that is optionally signed in protocols using JWS. Having this means that whether or not the content is signed, it can use a uniform representation, which is easy to parse. This is in production use, for instance, to enable OAuth authorization request messages that are optionally signed. Sometimes content need not be signed at the JWS level because it’s integrity protected by other protocol layers – in particular, often by the use of TLS. Another use case is where signing adds additional optional value, but where there’s no harm in using unsigned content – for instance, while normal OAuth requests are inline and unsigned, a registered extension enables request parameters to be passed by reference, rather than by value; the object referenced containing the parameters is a JWS; the JWS can optionally be signed. The current, carefully refined treatment of “none” is the result of substantial mailing list discussions and discussions on working group calls. While a less parallel treatment of unsigned JWSs was proposed in http://trac.tools.ietf.org/wg/jose/trac/ticket/36, this alternative syntax was rejected by the working group in favor of the current approach.

Section 5.2 - The write up of this section seems a bit more complicated than necessary. It seems it would have just been simpler to state that the sizes vary as required by the algorithms and key lengths used rather than providing the differences from one to the next. Can you simplify this?

After looking through some of the mailing list discussions, it seems there was already agreement to slim this and other sections down by pointing to the draft-mcgrew-aead-aes-cbc-hmac-sha2

http://www.ietf.org/mail-archive/web/jose/current/msg02276.html

Can I get an update as to where that stands, referencing what you can from that draft as opposed to duplicating text? Thanks!

Mike> Sure. The key part of the message you cited is “Once the McGrew draft has been refactored to separate the description of the calculation steps (which JOSE is using) from the AEAD representation steps (which JOSE is not using), and to include test vector values that show results without performing the AEAD representation concatenations, I agree that we'll be able to just reference it, rather than duplicating it.” The problem is that the refactoring was never done. The algorithm description in draft-mcgrew-aead-aes-cbc-hmac-sha2 is written in such a way that the ciphertext C, as described, also includes the IV value as a prefix and the authentication tag T as a suffix, rather than treating each of those as separate values. The test vectors do the same. Yes, David added appendix B saying that the values could be treated as separate, but the write-up does no favors to implementers, as both the core algorithm description and the test vectors assume they are combined. (I personally know that working out how to treat them as separate from David’s current draft is a tedious and error-prone exercise, having had to do so to tease them apart for the current JWA write-up.) David has been asked about doing the refactoring several times by multiple parties, but he’s a busy guy, and I don’t think it’s ever reached the top of his queue. As it is, the JWA description is clear and semantically equivalent and implementers have shown that they can successfully build it. Finally, we wouldn’t want to take a normative dependency upon a draft that appears to have been largely abandoned (or at least neglected), as doing so could indefinitely stall publication of RFC versions of the JOSE specs.

[JLS] I always considered this to be a sufficient refactoring to use the mcgrew draft as a basis. I did not have the same type of problems with breaking the test vectors apart that you seem to have had.

Security Considerations: While it is true the content is covered in other places, this section could benefit from improvement before it goes to the SecDir review. The second sentence in the first paragraph says the following:

   Among these issues are
   protecting the user's private and symmetric keys, preventing various
   attacks, and helping the user avoid mistakes such as inadvertently
   encrypting a message for the wrong recipient.

It would be helpful if you could expand the text and make it more descriptive and applicable to this document. For example, shouldn’t the first section say user’s private asymmetric and symmetric keys? I assume that is what was intended with private, but it reads funny to me without that. The only ‘attack’ or caution mentioned in the document is for the application to prevent a user from selecting the wrong key. Please include some attacks that developers and implementers should be aware and cautioned on, or state that specific attacks and considers are detailed in the subsections to follow.

Mike> OK, I can work on expanding that. There are some other attacks mentioned in the other drafts, such as timing attacks, which can probably at least be mentioned here. I’ll send draft text to the list and consult with you before doing anything to the actual drafts. Specific suggestions from working group participants would also be highly appreciated.

I think that's it for now. Although I do need to look through some more of the previous conversations on the mailing list and in the issue tracker.

I see there are some open discussions, like the one Richard raised yesterday that need to be resolved in the document as well before we move forward with this one. Thanks for all of your effort on this draft!!

Mike> Per my note http://www.ietf.org/mail-archive/web/jose/current/msg04061.html, I don’t believe that that particular issue is open. It had been extensively discussed within the working group multiple times and the issue was explicitly closed by the chairs, leaving the status quo in place in which there are required algorithms for interoperability reasons.

I'm going to add one more question to the review as I had the same thought as Scott & Burt in their review of JWA (and also in JWS). Why are there no other options in addition to SHA1? The response to Scott pointed back to early WG decisions, but I have heard this concern from others and have it myself, so I am not sure this one is resolved. I'd like to revisit it.

http://www.ietf.org/mail-archive/web/jose/current/msg04020.html

Mike> If adding a new “RSA-OAEP-256” algorithm identifier for “RSAES with Optimal Asymmetric Encryption Padding using the MGF1 mask generation function and the SHA-256 hash function” would make a number of people more comfortable, including you, there’s nothing wrong with doing so. However, it’s also not clear that it would be of much short-term practical benefit because, at least as of the implementation survey done in July 2012, many crypto libraries don’t expose a way to get at this algorithm combination. However, the same argument could be made about RSASSA-PSS, which we did add identifiers for in the end. In short, I don’t think anyone in the working group would stridently object if you asked for this additional algorithm identifier to be added. Your call…

--

Best regards,
Kathleen

Thanks a bunch,
-- Mike
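The point in the message above about draft-mcgrew-aead-aes-cbc-hmac-sha2 carrying the IV as a prefix and the tag T as a suffix of the ciphertext C, while JWA treats them as separate values, as an added example that is not code from either draft or from the thread. It covers only the split and the HMAC tag check; the AES-CBC step is left out, and the key, IV, additional authenticated data and ciphertext bytes are constructed stand-ins. The parameter table and the MAC input layout are stated here from the published AES_CBC_HMAC_SHA2 construction, not from this thread.

```python
import hashlib
import hmac
import struct

IV_LEN = 16      # AES block size in octets; also the IV length
BLOCK_LEN = 16   # CBC ciphertext is a whole number of blocks

# enc name -> (hash function, MAC_KEY length, tag length), lengths in octets
PARAMS = {
    "A128CBC-HS256": (hashlib.sha256, 16, 16),
    "A192CBC-HS384": (hashlib.sha384, 24, 24),
    "A256CBC-HS512": (hashlib.sha512, 32, 32),
}


def compute_tag(enc: str, key: bytes, aad: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Tag over AAD || IV || ciphertext || AL, truncated to the tag length."""
    digest, mac_key_len, tag_len = PARAMS[enc]
    if len(key) != 2 * mac_key_len:
        raise ValueError("key must be MAC_KEY || ENC_KEY")
    mac_key = key[:mac_key_len]                 # MAC_KEY is the first half of K
    al = struct.pack(">Q", 8 * len(aad))        # AAD length in bits, 64-bit big-endian
    return hmac.new(mac_key, aad + iv + ciphertext + al, digest).digest()[:tag_len]


def split_combined(enc: str, combined: bytes):
    """Split the combined form IV || ciphertext || T into three separate values.

    The tag length depends on the algorithm, so the split is only correct
    when the caller already knows which algorithm produced the bytes.
    """
    tag_len = PARAMS[enc][2]
    body_len = len(combined) - IV_LEN - tag_len
    if body_len < BLOCK_LEN or body_len % BLOCK_LEN:
        raise ValueError("length does not fit IV || blocks || tag for " + enc)
    end = IV_LEN + body_len
    return combined[:IV_LEN], combined[IV_LEN:end], combined[end:]


def join_separate(iv: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """The reverse direction: separate values back to the combined form."""
    return iv + ciphertext + tag


def tag_is_valid(enc, key, aad, iv, ciphertext, tag) -> bool:
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(compute_tag(enc, key, aad, iv, ciphertext), tag)


def splits_cleanly(enc: str, combined: bytes) -> bool:
    try:
        split_combined(enc, combined)
        return True
    except ValueError:
        return False


# Constructed sample values (not test vectors from any draft).
KEY = bytes(range(32))                          # 16-octet MAC_KEY || 16-octet ENC_KEY
AAD = b"constructed-protected-header"
IV = bytes(range(16, 32))
CIPHERTEXT = bytes(range(64, 96))               # stand-in for two CBC blocks
TAG = compute_tag("A128CBC-HS256", KEY, AAD, IV, CIPHERTEXT)
COMBINED = join_separate(IV, CIPHERTEXT, TAG)
```

Splitting the same bytes under a different algorithm name can succeed on length alone and return the wrong boundaries, which is one place the separation can go wrong before the tag check catches it.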

 

 

From:= = jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike = Jones
Sent: Thursday, April 17, 2014 10:46 AM
To: = Kathleen Moriarty; jose@ietf.org
Cc: = draft-ietf-jose-json-web-algorithms@tools.ietf.org
Subject: = Re: [jose] AD review of = draft-ietf-jose-json-web-algorithms

 

Thanks for taking the time to do the review, Kathleen.  = Responses are inline, flagged by =E2=80=9CMike>=E2=80=9D.  I = also pasted your follow-on note in and responded to it as = well.

 

From:= = Kathleen Moriarty [mailto:kathleen.moriarty= .ietf@gmail.com]
Sent: Thursday, April 17, 2014 7:51 = AM
To: jose@ietf.org
Cc: Mike = Jones; draft-= ietf-jose-json-web-algorithms@tools.ietf.org
Subject: AD = review of draft-ietf-jose-json-web-algorithms

 

Hello = Mike & JOSE members,

 

I = am working my way through the requested reviews to progress the JOSE = drafts and can see a lot of work has been done, thank you.  As I = read through the Algorithms (JWA) draft there are some changes that will = need to be made to avoid problems during the IESG review.  This is = a pretty big change for the draft, but will help make the review and = approval faster.  Typically, the lists of algorithms are handled = through a draft update as opposed to creating an IANA registry.  A = good example is a recent update of a draft in the IPSECME working group = so you can see the structure and the precedence for this = model.

 

 

Mike> So you=E2=80=99re suggesting that future JWA drafts might = obsolete the current one, much like draft-ietf-ipsecme-esp-ah-reqts will = obsolete RFC 4835, which obsoleted RFC 4305, etc.?  If so, could = work on revising the JWA draft accordingly and send proposed changes to = the working group.

 

Now for = other edits and questions:

 

Section 3.6 - Can you explain why would this be = included?  If you are not going to sign, I am not sure why one = would use JOSE at all. 

 

Mike> This is included to enable representing content that is optionally signed in protocols using JWS. Having this means that whether or not the content is signed, it can use a uniform representation, which is easy to parse. This is in production use, for instance, to enable OAuth authorization request messages that are optionally signed. Sometimes content need not be signed at the JWS level because it’s integrity protected by other protocol layers – in particular, often by the use of TLS. Another use case is where signing adds additional optional value, but where there’s no harm in using unsigned content – for instance, while normal OAuth requests are inline and unsigned, a registered extension enables request parameters to be passed by reference, rather than by value; the object referenced containing the parameters is a JWS; the JWS can optionally be signed. The current, carefully refined treatment of “none” is the result of substantial mailing list discussions and discussions on working group calls. While a less parallel treatment of unsigned JWSs was proposed in http://trac.tools.ietf.org/wg/jose/trac/ticket/36, this alternative syntax was rejected by the working group in favor of the current approach.

Section 5.2 - The write up of this section seems a bit more complicated than necessary. It seems it would have just been simpler to state that the sizes vary as required by the algorithms and key lengths used rather than providing the differences from one to the next. Can you simplify this?

After looking through some of the mailing list discussions, it seems there was already agreement to slim this and other sections down by pointing to the draft-mcgrew-aead-aes-cbc-hmac-sha2

Can I get an update as to where that stands, referencing what you can from that draft as opposed to duplicating text? Thanks!

Mike> Sure. The key part of the message you cited is “Once the McGrew draft has been refactored to separate the description of the calculation steps (which JOSE is using) from the AEAD representation steps (which JOSE is not using), and to include test vector values that show results without performing the AEAD representation concatenations, I agree that we'll be able to just reference it, rather than duplicating it.” The problem is that the refactoring was never done. The algorithm description in draft-mcgrew-aead-aes-cbc-hmac-sha2 is written in such a way that the ciphertext C, as described, also includes the IV value as a prefix and the authentication tag T as a suffix, rather than treating each of those as separate values. The test vectors do the same. Yes, David added appendix B saying that the values could be treated as separate, but the write-up does no favors to implementers, as both the core algorithm description and the test vectors assume they are combined. (I personally know that working out how to treat them as separate from David’s current draft is a tedious and error-prone exercise, having had to do so to tease them apart for the current JWA write-up.) David has been asked about doing the refactoring several times by multiple parties, but he’s a busy guy, and I don’t think it’s ever reached the top of his queue. As it is, the JWA description is clear and semantically equivalent and implementers have shown that they can successfully build it. Finally, we wouldn’t want to take a normative dependency upon a draft that appears to have been largely abandoned (or at least neglected), as doing so could indefinitely stall publication of RFC versions of the JOSE specs.
 
[JLS] I always considered this to be a sufficient refactoring to use the mcgrew draft as a basis. I did not have the same type of problems with breaking the test vectors apart that you seem to have had.

Security Considerations: While it is true the content is covered in other places, this section could benefit from improvement before it goes to the SecDir review. The second sentence in the first paragraph says the following:

   Among these issues are
   protecting the user's private and symmetric keys, preventing various
   attacks, and helping the user avoid mistakes such as inadvertently
   encrypting a message for the wrong recipient.

It would be helpful if you could expand the text and make it more descriptive and applicable to this document. For example, shouldn’t the first section say user’s private asymmetric and symmetric keys? I assume that is what was intended with private, but it reads funny to me without that. The only ‘attack’ or caution mentioned in the document is for the application to prevent a user from selecting the wrong key. Please include some attacks that developers and implementers should be aware and cautioned on, or state that specific attacks and considers are detailed in the subsections to follow.

Mike> OK, I can work on expanding that. There are some other attacks mentioned in the other drafts, such as timing attacks, which can probably at least be mentioned here. I’ll send draft text to the list and consult with you before doing anything to the actual drafts. Specific suggestions from working group participants would also be highly appreciated.

I think that's it for now. Although I do need to look through some more of the previous conversations on the mailing list and in the issue tracker.

I see there are some open discussions, like the one Richard raised yesterday that need to be resolved in the document as well before we move forward with this one. Thanks for all of your effort on this draft!!

Mike> Per my note http://www.ietf.org/mail-archive/web/jose/current/msg04061.html, I don’t believe that that particular issue is open. It had been extensively discussed within the working group multiple times and the issue was explicitly closed by the chairs, leaving the status quo in place in which there are required algorithms for interoperability reasons.

I'm going to add one more question to the review as I had the same thought as Scott & Burt in their review of JWA (and also in JWS). Why are there no other options in addition to SHA1? The response to Scott pointed back to early WG decisions, but I have heard this concern from others and have it myself, so I am not sure this one is resolved. I'd like to revisit it.

http://www.ietf.org/mail-archive/web/jose/current/msg04020.html

Mike> If adding a new “RSA-OAEP-256” algorithm identifier for “RSAES with Optimal Asymmetric Encryption Padding using the MGF1 mask generation function and the SHA-256 hash function” would make a number of people more comfortable, including you, there’s nothing wrong with doing so. However, it’s also not clear that it would be of much short-term practical benefit because, at least as of the implementation survey done in July 2012, many crypto libraries don’t expose a way to get at this algorithm combination. However, the same argument could be made about RSASSA-PSS, which we did add identifiers for in the end. In short, I don’t think anyone in the working group would stridently object if you asked for this additional algorithm identifier to be added. Your call…

--

Best regards,

Kathleen

 

Thanks a bunch,
-- Mike
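The difference discussed above between the McGrew draft's single output (IV prefix, ciphertext, tag T suffix) and JWA's separate values, as an added Python example that is not part of the original thread or of either draft: it splits a combined value into the three JWE fields and checks the tag over the separate values. The MAC layout (MAC_KEY is the first half of the key; the tag is the truncated HMAC over AAD || IV || ciphertext || 64-bit AAD bit length) follows the AES_CBC_HMAC_SHA2 definition; the key, IV and ciphertext bytes are constructed placeholders and no AES decryption is performed.

```python
import base64
import hmac
import struct

# JWA "enc" value -> (HMAC hash, length of MAC_KEY and of ENC_KEY, tag length T_LEN), in octets
PARAMS = {
    "A128CBC-HS256": ("sha256", 16, 16),
    "A192CBC-HS384": ("sha384", 24, 24),
    "A256CBC-HS512": ("sha512", 32, 32),
}
BLOCK = 16  # AES block size; the CBC IV is exactly one block


def b64url(data):
    """base64url without padding, as used for JOSE fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_tag(enc, key, aad, iv, ciphertext):
    """Tag over separate values: first T_LEN octets of HMAC(MAC_KEY, A || IV || E || AL)."""
    hash_name, half, t_len = PARAMS[enc]
    if len(key) != 2 * half:
        raise ValueError("key must be MAC_KEY || ENC_KEY, %d octets" % (2 * half))
    if len(iv) != BLOCK:
        raise ValueError("IV must be %d octets" % BLOCK)
    mac_key = key[:half]                      # ENC_KEY (key[half:]) is not needed for the MAC
    al = struct.pack(">Q", 8 * len(aad))      # AAD length in bits, 64-bit big-endian
    mac = hmac.new(mac_key, aad + iv + ciphertext + al, hash_name).digest()
    return mac[:t_len]


def split_combined(enc, combined):
    """Split a combined IV || ciphertext || T value into (iv, ciphertext, tag)."""
    t_len = PARAMS[enc][2]
    body_len = len(combined) - BLOCK - t_len
    # Padded CBC output is a whole number of blocks and never empty.
    if body_len < BLOCK or body_len % BLOCK:
        raise ValueError("not IV || whole CBC blocks || tag for " + enc)
    return (combined[:BLOCK],
            combined[BLOCK:BLOCK + body_len],
            combined[BLOCK + body_len:])


def verify_separate(enc, key, aad, iv, ciphertext, tag):
    """Constant-time tag check on the separate values, to be done before any decryption."""
    return hmac.compare_digest(compute_tag(enc, key, aad, iv, ciphertext), tag)


def jwe_fields(enc, combined):
    """Map a combined value onto the separate base64url JWE fields."""
    iv, ciphertext, tag = split_combined(enc, combined)
    return {"iv": b64url(iv), "ciphertext": b64url(ciphertext), "tag": b64url(tag)}


# Constructed sample values (not test vectors from either draft).
ENC = "A128CBC-HS256"
KEY = bytes(range(32))
# In JWE the AAD is the ASCII of the base64url-encoded protected header.
AAD = b64url(b'{"alg":"dir","enc":"A128CBC-HS256"}').encode("ascii")
IV = bytes(range(16, 32))
CIPHERTEXT = bytes(range(64, 96))  # two placeholder blocks, not real AES output
TAG = compute_tag(ENC, KEY, AAD, IV, CIPHERTEXT)
COMBINED = IV + CIPHERTEXT + TAG   # the single-value layout


def demo():
    """Return (tag valid on split values, tag valid after one ciphertext bit is flipped)."""
    iv, ciphertext, tag = split_combined(ENC, COMBINED)
    ok = verify_separate(ENC, KEY, AAD, iv, ciphertext, tag)
    flipped = bytes([ciphertext[0] ^ 1]) + ciphertext[1:]
    tampered = verify_separate(ENC, KEY, AAD, iv, flipped, tag)
    return ok, tampered


if __name__ == "__main__":
    print(demo())
    print(jwe_fields(ENC, COMBINED))
```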

 

From nobody Thu Apr 17 16:22:31 2014
From: Mike Jones
To: Jim Schaad, 'Kathleen Moriarty', "jose@ietf.org"
Cc: "draft-ietf-jose-json-web-algorithms@tools.ietf.org"
Date: Thu, 17 Apr 2014 23:21:36 +0000
Subject: Re: [jose] AD review of draft-ietf-jose-json-web-algorithms
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A15E285@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <00d601cf5a82$3c0c96a0$b425c3e0$@augustcellars.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/645BnMMP_4JP1Hh5dTVgWiLwrvQ
CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2 Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPlNlY3VyaXR5IENvbnNpZGVyYXRpb25zOiBX aGlsZSBpdCBpcyB0cnVlIHRoZSBjb250ZW50IGlzIGNvdmVyZWQgaW4gb3RoZXIgcGxhY2VzLCB0 aGlzIHNlY3Rpb24gY291bGQgYmVuZWZpdCBmcm9tIGltcHJvdmVtZW50IGJlZm9yZSBpdCBnb2Vz IHRvIHRoZSBTZWNEaXIgcmV2aWV3LiAmbmJzcDtUaGUgc2Vjb25kIHNlbnRlbmNlIGluIHRoZSBm aXJzdCBwYXJhZ3JhcGggc2F5cyB0aGUgZm9sbG93aW5nOjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7ICZuYnNwOzxzcGFuIHN0eWxlPSJm b250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90OyI+QW1vbmcgdGhlc2UgaXNzdWVzIGFy ZTwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90OyI+Jm5i c3A7ICZuYnNwO3Byb3RlY3RpbmcgdGhlIHVzZXIncyBwcml2YXRlIGFuZCBzeW1tZXRyaWMga2V5 cywgcHJldmVudGluZyB2YXJpb3VzPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0Nv dXJpZXIgTmV3JnF1b3Q7Ij4mbmJzcDsgJm5ic3A7YXR0YWNrcywgYW5kIGhlbHBpbmcgdGhlIHVz ZXIgYXZvaWQgbWlzdGFrZXMgc3VjaCBhcyBpbmFkdmVydGVudGx5PC9zcGFuPjxvOnA+PC9vOnA+ PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZv bnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij4mbmJzcDsgJm5ic3A7ZW5jcnlwdGlu ZyBhIG1lc3NhZ2UgZm9yIHRoZSB3cm9uZyByZWNpcGllbnQuPC9zcGFuPjxvOnA+PC9vOnA+PC9w Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+SXQgd291bGQgYmUgaGVscGZ1 bCBpZiB5b3UgY291bGQgZXhwYW5kIHRoZSB0ZXh0IGFuZCBtYWtlIGl0IG1vcmUgZGVzY3JpcHRp dmUgYW5kIGFwcGxpY2FibGUgdG8gdGhpcyBkb2N1bWVudC4gJm5ic3A7Rm9yIGV4YW1wbGUsIHNo b3VsZG7igJl0IHRoZSBmaXJzdCBzZWN0aW9uIHNheSB1c2Vy4oCZcyBwcml2YXRlIGFzeW1tZXRy aWMgYW5kIHN5bW1ldHJpYyBrZXlzPyAmbmJzcDtJIGFzc3VtZSB0aGF0IGlzIHdoYXQgd2FzIGlu dGVuZGVkDQogd2l0aCBwcml2YXRlLCBidXQgaXQgcmVhZHMgZnVubnkgdG8gbWUgd2l0aG91dCB0 aGF0LiAmbmJzcDtUaGUgb25seSDigJhhdHRhY2vigJkgb3IgY2F1dGlvbiBtZW50aW9uZWQgaW4g 
From nobody Thu Apr 17 17:01:43 2014 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC5D41A0135 for ; Thu, 17 Apr 2014 17:01:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BpvjrJJ0aT5X for ; Thu, 17 Apr 2014 17:01:33 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0183.outbound.protection.outlook.com [207.46.163.183]) by ietfa.amsl.com (Postfix) with ESMTP id 168E01A00E6 for ; Thu, 17 Apr 2014 17:01:32 -0700 (PDT) Received: from CH1PR03CA009.namprd03.prod.outlook.com (10.255.156.154) by BN1PR03MB236.namprd03.prod.outlook.com (10.255.200.28) with Microsoft SMTP Server (TLS) id 15.0.918.8; Fri, 18 Apr 2014 00:01:27 +0000 Received: from BY2FFO11FD003.protection.gbl (10.255.156.132) by CH1PR03CA009.outlook.office365.com (10.255.156.154) with Microsoft SMTP Server (TLS) id 15.0.918.8 via Frontend Transport; Fri, 18 Apr 2014 00:01:27 +0000 Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD003.mail.protection.outlook.com (10.1.14.125) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Fri, 18 Apr 2014 00:01:26 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi id 14.03.0181.007; Fri, 18 Apr 2014 00:00:51 +0000 From: Mike Jones To: Jim Schaad , 'Kathleen Moriarty' , "jose@ietf.org" Thread-Topic: AD review of draft-ietf-jose-json-web-algorithms 5.2 Thread-Index: Ac9amUHN4fSNfBezS/iXE92OvCiicA== Date: Fri, 18 Apr 2014 00:00:50 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A15E40D@TK5EX14MBXC286.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.76] Content-Type: multipart/alternative; 
boundary="_000_4E1F6AAD24975D4BA5B16804296739439A15E40DTK5EX14MBXC286r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(189002)(199002)(41574002)(83072002)(74662001)(31966008)(81342001)(86362001)(77982001)(86612001)(54356999)(71186001)(92566001)(80976001)(512874002)(50986999)(85852003)(74502001)(15975445006)(33656001)(92726001)(79102001)(99396002)(81542001)(15202345003)(87936001)(2656002)(16236675002)(19580395003)(84326002)(19300405004)(6806004)(85806002)(84676001)(97736001)(55846006)(80022001)(4396001)(46102001)(66066001)(76482001)(20776003)(83322001)(44976005)(2009001); DIR:OUT; SFP:1101; SCL:1; SRVR:BN1PR03MB236; H:mail.microsoft.com; FPR:DE74FDD4.A6FA57D3.B8D19D6B.9EBDB16D.2055D; MLV:sfv; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 018577E36E Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/jose/ZWIywCUkNxsiXpFBC_DdXYkLTb0 Cc: "draft-ietf-jose-json-web-algorithms@tools.ietf.org" Subject: [jose] AD review of draft-ietf-jose-json-web-algorithms 5.2 X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Apr 2014 00:01:38 -0000
4oCZcyAqPGI+dmVyeTwvYj4qIGxpa2VseSB0byByZXN1bHQgaW4gaW1wbGVtZW50ZXJzIGdldHRp bmcgaXQgd3JvbmcuPG86cD48L286cD48L3NwYW4+PC9wcmU+DQo8cHJlPjxzcGFuIHN0eWxlPSJm b250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fu cy1zZXJpZiZxdW90Oztjb2xvcjojMDAyMDYwIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3By ZT4NCjxwcmU+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMwMDIwNjAiPkFsbCBv ZiB0aGlzIGlzIGZpeGFibGUuJm5ic3A7IChJZiBpdCBiZWNvbWVzIGEgYmxvY2tpbmcgZmFjdG9y IHRvIGNvbXBsZXRpbmcgSldBIGFuZCBKT1NFLCBhbmQgRGF2aWQgaXMgd2lsbGluZywgSeKAmWQg ZXZlbiBiZSB3aWxsaW5nIHRvIHRha2UgYSBjcmFjayBhdCBwcm9kdWNpbmcgYW4gdXBkYXRlZCBk cmFmdCBvZiBkcmFmdC1tY2dyZXctYWVhZC1hZXMtY2JjLWhtYWMtc2hhMiB0aGF0IGZpeGVzIGl0 LCBwcm92aWRlZCB0aGF0IHRoZXJl4oCZcyBhIGNsZWFyIHBhdGggZm9yIG1ha2luZyBpdCBhIHN0 YW5kYXJkcy10cmFjayBSRkMgaW4gYSB0aW1lZnJhbWUgdGhhdCBkb2VzbuKAmXQgc2lnbmlmaWNh bnRseSBkZWxheSBKT1NFLikmbmJzcDsgQnV0IEkgZG9u4oCZdCB0aGluayB3ZSBjYW4gdGFrZSBh IG5vcm1hdGl2ZSByZWZlcmVuY2UgdG8gaXQgdW5sZXNzIHRoZXNlIHRoaW5ncyBhcmUgaW4gZmFj dCwgZml4ZWQuPG86cD48L286cD48L3NwYW4+PC9wcmU+DQo8cHJlPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1z ZXJpZiZxdW90Oztjb2xvcjojMDAyMDYwIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3ByZT4N CjxwcmU+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2Fs aWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMwMDIwNjAiPkkgYWxzbyBk b27igJl0IHdhbnQgdXMgdG8gdGFrZSBhIG5vcm1hdGl2ZSBkZXBlbmRlbmN5IHVwb24gYSBkcmFm dCB3aXRob3V0IGEgc2ltaWxhciB0aW1lbGluZSB0byBiZWNvbWluZyBhbiBSRkMgYXMgdGhlIEpP U0Ugc3BlY3MsIHdoaWNoIGl0IGRvZXNu4oCZdCBhcHBlYXIgdG8gYmUgYXQgcHJlc2VudC48bzpw PjwvbzpwPjwvc3Bhbj48L3ByZT4NCjxwcmU+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2Nv bG9yOiMwMDIwNjAiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcHJlPg0KPHByZT48c3BhbiBz 
dHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZx dW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzAwMjA2MCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7IENoZWVycyw8bzpwPjwvbzpwPjwvc3Bhbj48L3ByZT4NCjxwcmU+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5z LXNlcmlmJnF1b3Q7O2NvbG9yOiMwMDIwNjAiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAtLSBN aWtlPG86cD48L286cD48L3NwYW4+PC9wcmU+DQo8cHJlPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZx dW90Oztjb2xvcjojMDAyMDYwIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3ByZT4NCjxwcmU+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZx 
From nobody Fri Apr 18 09:50:24 2014
From: "Jim Schaad"
To: "'Mike Jones'", "'Kathleen Moriarty'"
Cc: draft-ietf-jose-json-web-algorithms@tools.ietf.org
Date: Fri, 18 Apr 2014 09:48:15 -0700
Subject: Re: [jose] AD review of draft-ietf-jose-json-web-algorithms 5.2
Message-ID: <01d601cf5b25$fe59cf90$fb0d6eb0$@augustcellars.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A15E40D@TK5EX14MBXC286.redmond.corp.microsoft.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/0K1lVOZdYV8mIMtFxIrV4_S1W-U

From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Thursday, April 17, 2014 5:01 PM
To: Jim Schaad; 'Kathleen Moriarty'; jose@ietf.org
Cc: draft-ietf-jose-json-web-algorithms@tools.ietf.org
Subject: AD review of draft-ietf-jose-json-web-algorithms 5.2

Mike> (narrowing the discussion scope to only JWA 5.2 and draft-mcgrew-aead-aes-cbc-hmac-sha2)

Section 5.2 - The write up of this section seems a bit more complicated than necessary. It seems it would have just been simpler to state that the sizes vary as required by the algorithms and key lengths used rather than providing the differences from one to the next. Can you simplify this?

After looking through some of the mailing list discussions, it seems there was already agreement to slim this and other sections down by pointing to the draft-mcgrew-aead-aes-cbc-hmac-sha2

http://www.ietf.org/mail-archive/web/jose/current/msg02276.html

Can I get an update as to where that stands, referencing what you can from that draft as opposed to duplicating text? Thanks!

Mike> Sure. The key part of the message you cited is “Once the McGrew draft has been refactored to separate the description of the calculation steps (which JOSE is using) from the AEAD representation steps (which JOSE is not using), and to include test vector values that show results without performing the AEAD representation concatenations, I agree that we'll be able to just reference it, rather than duplicating it.” The problem is that the refactoring was never done. The algorithm description in draft-mcgrew-aead-aes-cbc-hmac-sha2 is written in such a way that the ciphertext C, as described, also includes the IV value as a prefix and the authentication tag T as a suffix, rather than treating each of those as separate values. The test vectors do the same. Yes, David added appendix B saying that the values could be treated as separate, but the write-up does no favors to implementers, as both the core algorithm description and the test vectors assume they are combined. (I personally know that working out how to treat them as separate from David’s current draft is a tedious and error-prone exercise, having had to do so to tease them apart for the current JWA write-up.) David has been asked about doing the refactoring several times by multiple parties, but he’s a busy guy, and I don’t think it’s ever reached the top of his queue. As it is, the JWA description is clear and semantically equivalent and implementers have shown that they can successfully build it. Finally, we wouldn’t want to take a normative dependency upon a draft that appears to have been largely abandoned (or at least neglected), as doing so could indefinitely stall publication of RFC versions of the JOSE specs.

[JLS] I always considered this to be a sufficient refactoring to use the mcgrew draft as a basis. I did not have the same type of problems with breaking the test vectors apart that you seem to have had.

Mike> It’s not just the test vectors – a bigger source of confusion with the current draft-mcgrew-aead-aes-cbc-hmac-sha2 write-up is that he’s using terms such as “Ciphertext” in the main body of the document to mean something different than what it usually means. For instance, the document says:

   6.  The AEAD Ciphertext consists of the string S, with the string T
       appended to it.  This Ciphertext is returned as the output of the
       AEAD encryption operation.

Contrast this to NIST Special Publication 800-38D “Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC”, which says:

    The following two bit strings comprise the output data of the authenticated encryption function:

        A ciphertext, denoted C, whose bit length is the same as that of the plaintext.
        An authentication tag, or tag, for short, denoted T.

The JOSE documents use the terms “Ciphertext” and “Authentication Tag” in the same manner as the GCM doc (and many other crypto specs).

[JLS] And there are two models here. The ciphertext is the output of the cipher function – this can include the IV and the authentication tag depending on the model. This is made clear at the start of the document so again I do not see where the confusion lies.

There are even more subtle problems. You’ll find that the “S” values in the test vectors also include the Initialization Vector as a prefix, whereas the definition of “S” in the body of the draft does not include this prefix:

      S = CBC-ENC(ENC_KEY, P || PS),

That’s *very* likely to result in implementers getting it wrong.

[JLS] Have you sent mail on this?

All of this is fixable. (If it becomes a blocking factor to completing JWA and JOSE, and David is willing, I’d even be willing to take a crack at producing an updated draft of draft-mcgrew-aead-aes-cbc-hmac-sha2 that fixes it, provided that there’s a clear path for making it a standards-track RFC in a timeframe that doesn’t significantly delay JOSE.) But I don’t think we can take a normative reference to it unless these things are, in fact, fixed.

I also don’t want us to take a normative dependency upon a draft without a similar timeline to becoming an RFC as the JOSE specs, which it doesn’t appear to be at present.

Cheers,
-- Mike

P.S. This issue is tracked at http://trac.tools.ietf.org/wg/jose/trac/ticket/147.
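The two representations discussed in this message (one combined string with the IV as prefix and the tag T as suffix, versus separate IV, ciphertext and tag values), as an added example that is not code from the thread or from either draft. It assumes the JWA AES_CBC_HMAC_SHA2 tag computation (HMAC over AAD || IV || ciphertext || AL, truncated to T_LEN); the key, AAD, IV and the stand-in ciphertext bytes are constructed, no AES is performed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

# alg -> (MAC_KEY_LEN, ENC_KEY_LEN, hash, T_LEN), the JWA AES_CBC_HMAC_SHA2 sets.
PARAMS = {
    "A128CBC-HS256": (16, 16, hashlib.sha256, 16),
    "A192CBC-HS384": (24, 24, hashlib.sha384, 24),
    "A256CBC-HS512": (32, 32, hashlib.sha512, 32),
}
IV_LEN = 16  # AES-CBC IV is one block
BLOCK = 16   # AES block size in octets


def compute_tag(key, aad, iv, ciphertext, alg):
    """T = first T_LEN octets of HMAC(MAC_KEY, AAD || IV || ciphertext || AL)."""
    mac_len, enc_len, digest, t_len = PARAMS[alg]
    if len(key) != mac_len + enc_len:
        raise ValueError("wrong key length for " + alg)
    mac_key = key[:mac_len]                 # MAC_KEY: initial octets of K
    al = struct.pack(">Q", len(aad) * 8)    # AAD length in bits, 64-bit big-endian
    mac = hmac.new(mac_key, aad + iv + ciphertext + al, digest).digest()
    return mac[:t_len]


def split_combined(combined, alg):
    """Split IV || ciphertext || T (combined form) into the three separate values."""
    t_len = PARAMS[alg][3]
    body = len(combined) - IV_LEN - t_len
    if body < BLOCK or body % BLOCK:
        raise ValueError("not IV || ciphertext || tag for " + alg)
    end = IV_LEN + body
    return combined[:IV_LEN], combined[IV_LEN:end], combined[end:]


def verify(key, aad, iv, ciphertext, tag, alg):
    """Check the tag over separately carried values, in constant time."""
    if len(iv) != IV_LEN or not ciphertext or len(ciphertext) % BLOCK:
        return False
    return hmac.compare_digest(compute_tag(key, aad, iv, ciphertext, alg), tag)


def demo():
    alg = "A128CBC-HS256"
    key = bytes(range(32))                  # constructed 256-bit key
    aad = b"constructed-protected-header"   # constructed AAD
    iv = bytes(range(0x10, 0x20))           # constructed IV
    e = bytes(range(0x40, 0x60))            # two blocks standing in for CBC output
    tag = compute_tag(key, aad, iv, e, alg)

    # Combined form: one string carrying IV prefix and tag suffix.
    combined = iv + e + tag
    iv2, e2, t2 = split_combined(combined, alg)
    split_ok = verify(key, aad, iv2, e2, t2, alg)

    # The mix-up the message warns about: an "S" value that already has the
    # IV prefixed is used as the ciphertext while the IV is also supplied
    # separately. Lengths still look valid, but the MAC input now holds the
    # IV twice, so the tag no longer matches.
    s_with_iv = iv + e
    mixed_ok = verify(key, aad, iv, s_with_iv, tag, alg)

    return split_ok, mixed_ok, (iv2, e2, t2) == (iv, e, tag)


if __name__ == "__main__":
    print(demo())
```
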