From SChokhani@cygnacom.com Tue Sep 4 18:56:13 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BF9811E80C5 for ; Tue, 4 Sep 2012 18:56:13 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QsxomDviQI5G for ; Tue, 4 Sep 2012 18:56:12 -0700 (PDT) Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) by ietfa.amsl.com (Postfix) with ESMTP id 3F22C11E808D for ; Tue, 4 Sep 2012 18:56:11 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.80,371,1344225600"; d="scan'208,217";a="1859973" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge2.cygnacom.com with ESMTP; 04 Sep 2012 21:56:07 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Tue, 4 Sep 2012 21:56:07 -0400 From: Santosh Chokhani To: "denis.pinkas@bull.net" , IETF PKIX Date: Tue, 4 Sep 2012 21:56:06 -0400 Thread-Topic: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 Thread-Index: Ac2HYbvHjBbo8pmdRTav7v4n/QHUMgDpzSPA Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AF362EC687scygexch7cygnac_" MIME-Version: 1.0 Subject: Re: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Sep 2012 01:56:13 -0000 --_000_B83745DA469B7847811819C5005244AF362EC687scygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Denis, I have couple of suggestions for the security considerations section. 1. It is worth pointing out aside from RA corruption and database corru= ption that recommendation here do not fix the situation if the adversary ha= s attacked the CA and pointed to its own OCSP Responder in the OCSP field o= f the AIA extension. 2. It is worth pointing out that the mechanism presented here can be us= ed by the relying party to detect collision if the certificate signature wa= s made using a weak hash, but the hashAlgorithm in the extension is not vul= nerable to successful collision attack. Thanks From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of den= is.pinkas@bull.net Sent: Friday, August 31, 2012 6:17 AM To: IETF PKIX Subject: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-= 00 A new version of I-D, draft-pinkas-2560bis-certinfo-00.txt has been successfully submitted by Denis Pinkas and posted to the IETF repository. Filename: draft-pinkas-2560bis-certinfo Revision: 00 Title: CertInfo single response extension Update to OCSP < draft-pinkas-256= 0bis-certinfo-00.txt > Creation date: 2012-08-31 WG ID: Individual Submission Number of pages: 7 URL: http://www.ietf.org/internet-drafts/draft-pinkas-2560bis-c= ertinfo-00.txt Status: http://datatracker.ietf.org/doc/draft-pinkas-2560bis-certi= nfo Htmlized: http://tools.ietf.org/html/draft-pinkas-2560bis-certinfo-0= 0 Abstract: OCSP [RFC2560] has been designed to allow an OCSP server to use any kind of trustable information to answer to a client varying from CRLs to an access to a database of issued certificates. In its original version, OCSP does not allow taking full advantage of an access to a database of issued certificates. When a database of issued certificates is used by an OCSP server, this document explains how the OCSP server shall respond and how OCSP clients shall react. The proposal is intended to update 2560bis. It defines a new single extension in a single response, called certInfo. The extension is non critical. The meaning of "good", "revoked" and "unknown" are unchanged. The IETF Secretariat --_000_B83745DA469B7847811819C5005244AF362EC687scygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Denis,<= /o:p>

 

I have couple of suggestions for the security considerat= ions section.

 

1.     It is worth pointing out aside from RA cor= ruption and database corruption that recommendation here do not fix the sit= uation if the adversary has attacked the CA and pointed to its own OCSP Res= ponder in the OCSP field of the AIA extension.

 

2.     It is w= orth pointing out that the mechanism presented here can be used by the rely= ing party to detect collision if the certificate signature was made using a= weak hash, but the hashAlgorithm in the extension is not vulnerable to suc= cessful collision attack.

=  

Thanks<= /span>

From: pkix-bounces@ietf.org [mailto:pkix-bounc= es@ietf.org] On Behalf Of denis.pinkas@bull.net
Sent: Frid= ay, August 31, 2012 6:17 AM
To: IETF PKIX
Subject: [pki= x] New version Notification for draft-pinkas-2560bis-certinfo-00=

 


A new version of I-D, draft-pinkas-2560bis-certinfo-00.txt
has been= successfully submitted by Denis Pinkas and posted
to the IETF reposito= ry.

Filename: draft-pinkas-2560bis-certinfo
Revision: 00
Title= : CertInfo single response extension Update to OCSP < draft-pinkas-2560b= is-certinfo-00.txt >
Creation date: 2012-08-31
WG ID: Individual S= ubmission
Number of pages: 7
URL:           =   http://www.ietf.org/internet-drafts/draft-pinkas-2560bis-c= ertinfo-00.txt
Status:          http://datat= racker.ietf.org/doc/draft-pinkas-2560bis-certinfo
Htmlized:   &= nbsp;    http://tools.ietf.org/html/draft-pinkas-2560bis-certinfo-00=

Abstract:
   OCSP [RFC2560] has been designed to a= llow an OCSP server to use
   any kind of trustable informatio= n to answer to a client varying
   from CRLs to an access to a= database of issued certificates.

   In its original versi= on, OCSP does not allow taking full advantage
   of an access = to a database of issued certificates.

   When a database o= f issued certificates is used by an OCSP server,
   this docum= ent explains how the OCSP server shall respond and how
   OCSP= clients shall react.

   The proposal is intended to updat= e 2560bis. It defines a new single
   extension in a single re= sponse, called certInfo.  The extension is
   non critica= l.  The meaning of "good", "revoked" and "unk= nown" are
   unchanged.     &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           
=
The IETF Secretariat

= --_000_B83745DA469B7847811819C5005244AF362EC687scygexch7cygnac_-- From turners@ieca.com Wed Sep 5 04:04:20 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F92121F869D for ; Wed, 5 Sep 2012 04:04:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.335 X-Spam-Level: X-Spam-Status: No, score=-101.335 tagged_above=-999 required=5 tests=[AWL=0.929, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NrNCjyiFlNMy for ; Wed, 5 Sep 2012 04:04:20 -0700 (PDT) Received: from gateway02.websitewelcome.com (gateway02.websitewelcome.com [67.18.80.20]) by ietfa.amsl.com (Postfix) with ESMTP id EAA0221F8643 for ; Wed, 5 Sep 2012 04:04:19 -0700 (PDT) Received: by gateway02.websitewelcome.com (Postfix, from userid 5007) id 224411C8ABCE; Wed, 5 Sep 2012 06:04:20 -0500 (CDT) Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway02.websitewelcome.com (Postfix) with ESMTP id 140381C8AB88 for ; Wed, 5 Sep 2012 06:04:20 -0500 (CDT) Received: from [108.18.174.220] (port=50038 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from ) id 1T9DP9-0003Xq-3H for pkix@ietf.org; Wed, 05 Sep 2012 06:04:19 -0500 Message-ID: <504731B1.7090201@ieca.com> Date: Wed, 05 Sep 2012 07:04:17 -0400 From: Sean Turner User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20120824 Thunderbird/15.0 MIME-Version: 1.0 To: pkix@ietf.org References: <20120828161824.12779.10639.idtracker@ietfa.amsl.com> In-Reply-To: <20120828161824.12779.10639.idtracker@ietfa.amsl.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator1743.hostgator.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - ieca.com X-BWhitelist: no X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (thunderfish.local) [108.18.174.220]:50038 X-Source-Auth: sean.turner@ieca.com X-Email-Count: 1 X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20= Subject: Re: [pkix] I-D Action: draft-ietf-pkix-caa-13.txt X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Sep 2012 11:04:20 -0000 At the meeting, I indicated that because of the proposed changes to the CAA record location / tree climbing processing that this draft needed another WGLC. The chairs should feel free to issue the WGLC when they have a chance. spt On 8/28/12 12:18 PM, internet-drafts@ietf.org wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. > > Title : DNS Certification Authority Authorization (CAA) Resource Record > Author(s) : Phillip Hallam-Baker > Rob Stradling > Filename : draft-ietf-pkix-caa-13.txt > Pages : 18 > Date : 2012-08-28 > > Abstract: > The Certification Authority Authorization (CAA) DNS Resource Record > allows a DNS domain name holder to specify one or more Certification > Authorities (CAs) authorized to issue certificates for that domain. > CAA resource records allow a public Certification Authority to > implement additional controls to reduce the risk of unintended > certificate mis-issue. This document defines the syntax of the CAA > record and rules for processing CAA records by certificate issuers. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-pkix-caa > > There's also a htmlized version available at: > http://tools.ietf.org/html/draft-ietf-pkix-caa-13 > > A diff from the previous version is available at: > http://www.ietf.org/rfcdiff?url2=draft-ietf-pkix-caa-13 > > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix > From turners@ieca.com Wed Sep 5 04:13:40 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A9C821F8505 for ; Wed, 5 Sep 2012 04:13:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.5 X-Spam-Level: X-Spam-Status: No, score=-101.5 tagged_above=-999 required=5 tests=[AWL=0.165, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_12=0.6, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F0hw6u3C-6ww for ; Wed, 5 Sep 2012 04:13:36 -0700 (PDT) Received: from gateway03.websitewelcome.com (gateway03.websitewelcome.com [67.18.34.23]) by ietfa.amsl.com (Postfix) with ESMTP id 1ED2921F8514 for ; Wed, 5 Sep 2012 04:13:36 -0700 (PDT) Received: by gateway03.websitewelcome.com (Postfix, from userid 5007) id D7CCE552D44E; Wed, 5 Sep 2012 06:13:36 -0500 (CDT) Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway03.websitewelcome.com (Postfix) with ESMTP id CCBDA552D42E for ; Wed, 5 Sep 2012 06:13:36 -0500 (CDT) Received: from [108.18.174.220] (port=50049 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from ) id 1T9DY7-00016c-3Q; Wed, 05 Sep 2012 06:13:35 -0500 Message-ID: <504733DE.8000309@ieca.com> Date: Wed, 05 Sep 2012 07:13:34 -0400 From: Sean Turner User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20120824 Thunderbird/15.0 MIME-Version: 1.0 To: denis.pinkas@bull.net References: In-Reply-To: Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator1743.hostgator.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - ieca.com X-BWhitelist: no X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (thunderfish.local) [108.18.174.220]:50049 X-Source-Auth: sean.turner@ieca.com X-Email-Count: 2 X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20= Cc: pkix@ietf.org Subject: Re: [pkix] Errata in section 5.3 from RFC 5280 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Sep 2012 11:13:40 -0000 Denis, I think these proposed changes for s4.2 and s4.2.1 are a bit much. If we need to point out that: A CRL MUST NOT include more than one instance of a particular extension. or A CRL entry MUST NOT include more than one instance of a particular extension. We could just as easily make those statements in s5.2 and s5.3 as opposed to moving text around to have pointers back to the moved text. Further, folks that aren't in 5280-land can profile really whatever they want - and they do. I don't recall anybody asking for clarifications about whether they could include more than one extension in their profile of 5280 for a cert/crl/ocsp/etc because of the location of that MUST NOT (and it's been there since 2002). spt On 8/31/12 6:14 AM, denis.pinkas@bull.net wrote: > Piyush, > I read your arguments. However, when an ASN.1 parameter is defined in an RFC > and when it is imported by another RFC, both the ASN.1 syntax *and its > semantics* > are imported. > > RC 5280 omitted to define the semantics of Extensions independently of > the context of > certificates and CRLs, hence why such a definition is needed, since > Extensions is > imported and used in other RFCs, including OCSP. > > So you are correct: changes are also required in sections 5.1.2.7 and > 5.2, so that > they can refer to the new proposed section “4.2. Extensions”. > > I believe that the following argument you raised is valid: > > A SEQUENCE MUST NOT include more than one instance of a > particular extension. > > There could be scenarios outside 5280 where more than one instance of same > extensions in a sequence are useful. > > So this sentence should be removed from the proposed new section 4.2 and > moved > to section 4.2.1. > > Section 4.2 has been redrafted to include the case indicated by Sharon > which is: > > /Therefore, a critical extension in the/*/crlEntryExtensions/**//*/field > of an entry shall affect > only the certificate specified in that entry, unless there is a related > critical extension > in the*crlExtensions*field that advertises a special treatment for it.”/ > //// > However, this text has been generalized since it is applicable in > general and not only to *crlEntryExtensions.* > > *Here is a new proposed text for sections 4.2 and 4.2.1:* > > The extensions field allows addition of new fields to a structure > without modification to the ASN.1 definition. An extension field > consists of an extension identifier, a criticality flag, and an > encoding of a data value of an ASN.1 type associated with the > identified extension. > > Each extension includes an OID and an ASN.1 structure. When an > extension appears in a structure, the OID appears as the field e > extnID and the corresponding ASN.1 DER encoded structure is the > value of the octet string extnValue. > > For those extensions where ordering of individual extensions within > the SEQUENCE is significant, the specification of those individual > extensions shall include the rules for the significance of the order > therein. > > An extension includes the boolean critical, with a default value of > FALSE. The text for each extension specifies the acceptable values > for the critical field for implementations conforming to this > profile. > > An extension marked critical in a field from a SEQUENCE or > > from a SET OF shall only affect that SEQUENCE or that SET OF, > > unless there is another critical extension in an upper SEQUENCE or > > an upper SET OF which advertises a special treatment for it.In > > such a case, the relying party must be able to process both critical > > extensions. > > A processing system MUST reject the content of the SEQUENCE or > of the SET OFwhere the extension appears if it encounters a critical > extension it does not recognize or a critical extension that contains > information that it cannot process. > > A non-critical extension MUST be processed if it is recognized and > MAY be ignored if it is not recognized. > > Note that any extension that is flagged non-critical will cause > inconsistent behaviour between processing systems that will process > the extension and processing systems that do not recognize the > extension and will ignore it. > > 4.2.1. Standard Extensions > > The following sections present recommended extensions used within > Internet certificates and standard locations for information. > > Communities may elect to use additional extensions; however, > caution ought to be exercised in adopting any critical extensions > in certificates that might prevent use in a general context. > > The extensions defined for X.509 v3 certificates provide methods for > associating additional attributes with users or public keys and for > managing relationships between CAs. The X.509 v3 certificate format > also allows communities to define private extensions to carry > information unique to those communities. > > A certificate NOT include more than one instance of a particular > > extension. > > Conforming CAs MUST support key identifiers (Sections 4.2.1.1 and > 4.2.1.2), basic constraints (Section 4.2.1.9), key usage (Section > 4.2.1.3), and certificate policies (Section 4.2.1.4) extensions. If > the CA issues certificates with an empty sequence for the subject > field, the CA MUST support the subject alternative name extension > (Section 4.2.1.6). Support for the remaining extensions is OPTIONAL. > Conforming CAs MAY support extensions that are not identified within > this specification; certificate issuers are cautioned that marking > such extensions as critical may inhibit interoperability. > > At a minimum, applications conforming to this profile MUST recognize > the following extensions: key usage (Section 4.2.1.3), certificate > policies (Section 4.2.1.4), subject alternative name (Section > 4.2.1.6), basic constraints (Section 4.2.1.9), name constraints > (Section 4.2.1.10), policy constraints (Section 4.2.1.11), extended > key usage (Section 4.2.1.12), and inhibit anyPolicy (Section > 4.2.1.14). > > *Here is a new proposed text for sections 5.1.2.7 and 5.2:* > > > 5.1.2.7. Extensions > > This field may only appear if the version is 2 (Section 5.1.2.1). If > present, this field is a sequence of one or more CRL extensions. CRL > extensions are discussed in Section 5.2. > > 5.2. CRL Extensions > > The extensions field defined in section 4.2 provide a method for > associating > additional attributes with CRLs. The v2 CRL format also allows > communities to define private extensions to carry information unique > to those communities. Each extension in a CRL may be designated as > critical or non-critical. If a CRL contains a critical CRL extension > that the application cannot process, then the application MUST NOT > use that CRL to determine the status of any certificate identified > in that entry. However, applications may ignore unrecognized non- > critical CRL extensions. > > *Here is a new proposed text for sections 5.3:* > > 5.3. CRL Entry Extensions > > The extensions field defined in section 4.2 provide a method for > associating > additional attributes with CRL entries. The v2 CRL format also > allows communities to define private CRL entry extensions to carry > information unique to those communities. Each extension in a CRL > entry may be designated as critical or non-critical. If a CRL > contains a critical CRL entry extension that the application cannot > process, then the application MUST NOT use that CRL entry to > determine the status of the certificate identified in that entry. > > The following subsections present recommended extensions used within > Internet CRL entries and standard locations for information. > Communities may elect to use additional CRL entry extensions; > however, caution should be exercised in adopting any critical CRL > entry extensions in CRLs that might be used in a general context. > > Support for the CRL entry extensions defined in this specification is > optional for conforming CRL issuers and applications. However, CRL > issuers SHOULD include reason codes (Section 5.3.1) and invalidity > dates (Section 5.3.2) whenever this information is available. > > Denis > > -----Piyush Jain a écrit : ----- > > A : Santosh Chokhani , > "denis.pinkas@bull.net" , Sharon Boeyen > > De : Piyush Jain > Date : 30/08/2012 17:39 > Cc : IETF PKIX > Objet : RE: [pkix] Errata in section 5.3 from RFC 5280 > > +1 > > Addresses the case where a RP understands IDP but does not > understand CRLIssuers. > > Santosh’s proposal calls it out explicitly making it clearer. > > *From:*pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] *On > Behalf Of *Santosh Chokhani > *Sent:* Tuesday, August 28, 2012 10:45 AM > *To:* denis.pinkas@bull.net; Sharon Boeyen > *Cc:* IETF PKIX > *Subject:* Re: [pkix] Errata in section 5.3 from RFC 5280 > > Denis and Sharon, > > I would propose the following: > > a)In the penultimate sentence of the first paragraph of 5.3 replace > “status of any certificate” with “status of the certificate > represented by the CRL entry”. > > b)A critical extension in the *crlEntryExtensions* field of an entry > shall affect only the certificate specified in that entry, unless > there is a related critical extension in the *crlExtensions* field > that advertises a special treatment for it.” In order to use such > CRL, the relying party must be able to process both the > *crlEntryExtension *and the related *crlExtension.* > > *From:*pkix-bounces@ietf.org > [mailto:pkix-bounces@ietf.org] > *On Behalf Of > *denis.pinkas@bull.net > *Sent:* Monday, August 27, 2012 1:20 PM > *To:* Sharon Boeyen > *Cc:* IETF PKIX > *Subject:* Re: [pkix] Errata in section 5.3 from RFC 5280 > > Sharon, > > Thank you for the proposal. > > I believe that a simplification would be possible, since we do not > describe all the features of X.509 in RFC 5280: > > a) In the penultimate sentence of the first paragraph of 5.3 > replace “status of any certificate” with “status of this certificate” > b) Add a new second paragraph in 5.3 that states “/Therefore, a > critical extension in the /*/crlEntryExtensions/*/field of an entry > shall affect only the certificate specified in that entry, unless > there is a related critical extension in the *crlExtensions* field > that advertises a special treatment for it.”/ > > Denis > > > > De : Sharon Boeyen > > A : Russ Housley > > Cc : IETF PKIX > > Date : 27/08/2012 19:09 > Objet : Re: [pkix] Errata in section 5.3 from RFC 5280 > Envoyé par : pkix-bounces@ietf.org > > ------------------------------------------------------------------------ > > > > > I think the easiest way to clarify it would be: > > a) In the penultimate sentence of the first paragraph of 5.3 > replace “status of any certificate” with “status of this certificate” > b) Add a new second paragraph in 5.3 that states “/If an > extension affects the treatment of the list (e.g., multiple CRLs > need to be scanned to examine the entire list of revoked > certificates, or an entry may represent a range of certificates), > then either that extension or a related extension shall be indicated > as critical in the /*/crlExtensions/*/field. Therefore, a critical > extension in the /*/crlEntryExtensions/*/field of an entry shall > affect only the certificate specified in that entry, unless there is > a related critical extension in the *crlExtensions* field that > advertises a special treatment for it.”/ > > *From:*Russ Housley [mailto:housley@vigilsec.com] * > Sent:* Monday, August 27, 2012 12:42 PM* > To:* Sharon Boeyen* > Cc:* IETF PKIX* > Subject:* Re: [pkix] Errata in section 5.3 from RFC 5280 > > Sharon: > > Thanks for digging up those words. They support the position that I > have stated. > > How do you believe the clarifications document should change to > express this point? > > Russ > > > On Aug 27, 2012, at 12:39 PM, Sharon Boeyen wrote: > > > Russ, I realize the RFC 5280 references the 2005 edition of X.509. > However the 2009 edition (freely available > athttp://www.x500standard.com/index.php?n=Ig.LatestAvail) revises > this text again slightly and I think makes the intent even clearer. > It states (as part of the main text and no longer a note): > > /If an extension affects the treatment of the list (e.g., multiple > CRLs need to be scanned to examine the entire list of revoked > certificates, or an entry may represent a range of certificates), > then either that extension or a related extension shall be indicated > as critical in the /*/crlExtensions/*/field. Therefore, a critical > extension in the /*/crlEntryExtensions/*/field of an entry shall > affect only the certificate specified in that entry, unless there is > a related critical extension in the *crlExtensions* field that > advertises a special treatment for it. The only example of this > situation defined in this Specification is the > /*/certificateIssuer/*/CRL entry extension and the related > /*/issuingDistributionPoint/*/CRL extension when the*indirectCRL > *Boolean from that extension is set to /*/TRUE/*/./ > > > This is clearly the case for certificateIssuer as you indicate below > and as you note below the only other 2 standard crl entry extensions > are irrelevant as they can only ever be non-critical and affect only > the single identified revoked certificate. Any private extension > that might be defined as a crlEntry extension would also have to > follow that same rule to be compliant with the base standard. I do > believe the 2005 text was clear but offer this 2009 as additional > confirmation of the intent (I personally find this text even clearer). > > Cheers, > Sharon > > > *From:*pkix-bounces@ietf.org > [mailto:pkix-bounces@ietf.org] > *On Behalf Of *Russ Housley* > Sent:* Thursday, August 23, 2012 4:15 PM* > To:* Santosh Chokhani* > Cc:* IETF PKIX* > Subject:* Re: [pkix] Errata in section 5.3 from RFC 5280 > > Santosh: > > > RFC 5280 describes three CRL Entry Extensions, and all of them come > from X.509: > > 5.3.1. Reason Code > 5.3.2. Invalidity Date > 5.3.3. Certificate Issuer > > The first two do not have the concern that you describe, and the > third one should only be present if the CRL includes the > IssuingDistributionPoint CRL extension, and that extension includes > the indirectCRL set to TRUE. The IssuingDistributionPoint CRL > extension must be critical. RFC 5280 says: > > The issuing distribution point is a critical CRL extension that > identifies the CRL distribution point and scope for a particular > CRL, > and it indicates whether the CRL covers revocation for end entity > certificates only, CA certificates only, attribute certificates > only, > or a limited set of reason codes. Although the extension is > critical, conforming implementations are not required to support > this > extension. However, implementations that do not support this > extension MUST either treat the status of any certificate not > listed > on this CRL as unknown or locate another CRL that does not contain > any unrecognized critical extensions. > > To my mind, the support for the critical IssuingDistributionPoint > CRL extension includes the proper support for the Certificate Issuer > CRL entry extension. > > Russ > > > On Aug 23, 2012, at 4:01 PM, Santosh Chokhani wrote: > > > > Russ, > > The problem with Denis’s proposal is that he wants to replace the > text of not using the CRL. > > I have cited a specific example in 5280 itself where an entry > extension scope goes beyond that of the entry. It potentially > impacts subsequent entries. > > Thus, Denis’s proposal is unacceptable. If he just wanted to add > the sentence as opposed to replace, it would be fine. > > In general, unless 5280 and X.509 stated that an entry extension > cannot impact semantics of anything in the CRL other than the entry > itself, what you say is unacceptable and potentially insecure. > > *From:*pkix-bounces@ietf.org > [mailto:pkix-bounces@ietf.org] > *On Behalf Of *Russ Housley* > Sent:* Thursday, August 23, 2012 3:50 PM* > To:* denis.pinkas@bull.net * > Cc:*IETF PKIX* > Subject:* Re: [pkix] Errata in section 5.3 from RFC 5280 > > > I agree with the proposal that Denis makes. I support his proposed > text. > > This validates my text proposal which still is: > > If a CRL contains a critical CRL entry extension that the > application > cannot process, then the application MUST NOT use that CRL entry to > determine the status of this certificate". : > > Russ > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix > > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix > From turners@ieca.com Wed Sep 5 04:15:10 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E35121F8514 for ; Wed, 5 Sep 2012 04:15:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.958 X-Spam-Level: X-Spam-Status: No, score=-101.958 tagged_above=-999 required=5 tests=[AWL=0.307, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9fPqlHZBM4eB for ; Wed, 5 Sep 2012 04:15:10 -0700 (PDT) Received: from gateway11.websitewelcome.com (gateway11.websitewelcome.com [69.93.154.25]) by ietfa.amsl.com (Postfix) with ESMTP id 0384721F8518 for ; Wed, 5 Sep 2012 04:15:10 -0700 (PDT) Received: by gateway11.websitewelcome.com (Postfix, from userid 5011) id 0AF03FF77BF3F; Wed, 5 Sep 2012 06:15:11 -0500 (CDT) Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway11.websitewelcome.com (Postfix) with ESMTP id D2659FF77BE5B for ; Wed, 5 Sep 2012 06:15:10 -0500 (CDT) Received: from [108.18.174.220] (port=50050 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from ) id 1T9DZd-000276-3C; Wed, 05 Sep 2012 06:15:09 -0500 Message-ID: <5047343C.6030305@ieca.com> Date: Wed, 05 Sep 2012 07:15:08 -0400 From: Sean Turner User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20120824 Thunderbird/15.0 MIME-Version: 1.0 To: ietf@ietf.org, pkix@ietf.org References: <20120822150543.16802.27813.idtracker@ietfa.amsl.com> In-Reply-To: <20120822150543.16802.27813.idtracker@ietfa.amsl.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator1743.hostgator.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - ieca.com X-BWhitelist: no X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (thunderfish.local) [108.18.174.220]:50050 X-Source-Auth: sean.turner@ieca.com X-Email-Count: 5 X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20= Subject: Re: [pkix] Last Call: (Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Sep 2012 11:15:10 -0000 Based on IETF LC comments, I'm returning this draft to the WG. Stay tuned for another IETF LC in a couple of weeks. spt On 8/22/12 11:05 AM, The IESG wrote: > > The IESG has received a request from the Public-Key Infrastructure > (X.509) WG (pkix) to consider the following document: > - 'Updates to the Internet X.509 Public Key Infrastructure Certificate > and Certificate Revocation List (CRL) Profile' > as Proposed Standard > > The IESG plans to make a decision in the next few weeks, and solicits > final comments on this action. Please send substantive comments to the > ietf@ietf.org mailing lists by 2012-09-05. Exceptionally, comments may be > sent to iesg@ietf.org instead. In either case, please retain the > beginning of the Subject line to allow automated sorting. > > Abstract > > > This document updates RFC 5280, the Internet X.509 Public Key > Infrastructure Certificate and Certificate Revocation List (CRL) > Profile. This document changes the set of acceptable encoding > methods for the explicitText field of the user notice policy > qualifier and clarifies the rules for converting internationalized > domain name labels to ASCII. This document also provides some > clarifications on the use of self-signed certificates, trust anchors, > and some updated security considerations. > > > > > > The file can be obtained via > http://datatracker.ietf.org/doc/draft-ietf-pkix-rfc5280-clarifications/ > > IESG discussion can be tracked via > http://datatracker.ietf.org/doc/draft-ietf-pkix-rfc5280-clarifications/ballot/ > > > No IPR declarations have been submitted directly on this I-D. > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix > From sharon.boeyen@entrust.com Wed Sep 5 04:23:41 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE97121F8628 for ; Wed, 5 Sep 2012 04:23:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.998 X-Spam-Level: X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lbJwnLifAjBx for ; Wed, 5 Sep 2012 04:23:41 -0700 (PDT) Received: from ipedge1.entrust.com (ipedge1.entrust.com [216.191.252.10]) by ietfa.amsl.com (Postfix) with ESMTP id BA18521F8624 for ; Wed, 5 Sep 2012 04:23:40 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.80,372,1344225600"; d="scan'208,217";a="6114709" Received: from unknown (HELO SOTTEXCHCAS2.corp.ad.entrust.com) ([10.4.51.224]) by ipedge1.entrust.com with ESMTP; 05 Sep 2012 07:23:40 -0400 Received: from SOTTEXCH10.corp.ad.entrust.com ([fe80::389b:f45b:7ea1:79b7]) by SOTTEXCHCAS2.corp.ad.entrust.com ([::1]) with mapi id 14.02.0318.001; Wed, 5 Sep 2012 07:23:39 -0400 From: Sharon Boeyen To: "pkix@ietf.org" Thread-Topic: Re: [pkix] Errata in section 5.3 from RFC 5280 Thread-Index: Ac2LWOQXsZ2Jk5v6QnuIB1QrPKUrDQ== Date: Wed, 5 Sep 2012 11:23:38 +0000 Message-ID: <65DA4BEA501AFC409DF274CC71ED01A53A555FF7@SOTTEXCH10.corp.ad.entrust.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.4.161.14] Content-Type: multipart/alternative; boundary="_000_65DA4BEA501AFC409DF274CC71ED01A53A555FF7SOTTEXCH10corpa_" MIME-Version: 1.0 Subject: Re: [pkix] Errata in section 5.3 from RFC 5280 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Sep 2012 11:23:41 -0000 --_000_65DA4BEA501AFC409DF274CC71ED01A53A555FF7SOTTEXCH10corpa_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I am fine with Santosh's proposed modifications: Cheers, Sharon On 8/28/12 1:45 PM, Santosh Chokhani wrote: > Denis and Sharon, > > I would propose the following: > > a)In the penultimate sentence of the first paragraph of 5.3 replace > "status of any certificate" with "status of the certificate > represented by the CRL entry". > > b)A critical extension in the *crlEntryExtensions* field of an entry > shall affect only the certificate specified in that entry, unless > there is a related critical extension in the *crlExtensions* field > that advertises a special treatment for it." In order to use such > CRL, the relying party must be able to process both the > *crlEntryExtension *and the related *crlExtension.* --_000_65DA4BEA501AFC409DF274CC71ED01A53A555FF7SOTTEXCH10corpa_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

I am fine with Santosh’s proposed modification= s:

 

Cheers,

Sharon

 

On 8/28/12 1:45 PM, Santosh Chokhani wrote:<= /o:p>

> Denis and Sharon,

> 

> I would propose the following:

> 

> a)In the penultimate sentence of the first p= aragraph of 5.3 replace

> “status of any certificate” with= “status of the certificate

> represented by the CRL entry”.

> 

> b)A critical extension in the *crlEntryExten= sions* field of an entry

> shall affect only the certificate specified = in that entry, unless

> there is a related critical extension in the= *crlExtensions* field

> that advertises a special treatment for it.&= #8221;  In order to use such

> CRL, the relying party must be able to proce= ss both the

> *crlEntryExtension *and the related *crlExte= nsion.*

 

--_000_65DA4BEA501AFC409DF274CC71ED01A53A555FF7SOTTEXCH10corpa_-- From turners@ieca.com Wed Sep 5 04:39:08 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6C9521F853B for ; Wed, 5 Sep 2012 04:39:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -100.719 X-Spam-Level: X-Spam-Status: No, score=-100.719 tagged_above=-999 required=5 tests=[AWL=-1.054, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kr7k-OH9qTMm for ; Wed, 5 Sep 2012 04:39:08 -0700 (PDT) Received: from gateway02.websitewelcome.com (gateway02.websitewelcome.com [67.18.80.20]) by ietfa.amsl.com (Postfix) with ESMTP id 8325F21F84F2 for ; Wed, 5 Sep 2012 04:39:08 -0700 (PDT) Received: by gateway02.websitewelcome.com (Postfix, from userid 5007) id B64351D5D560; Wed, 5 Sep 2012 06:39:08 -0500 (CDT) Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway02.websitewelcome.com (Postfix) with ESMTP id ABB881D5D540 for ; Wed, 5 Sep 2012 06:39:08 -0500 (CDT) Received: from [108.18.174.220] (port=50069 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from ) id 1T9Dwp-0008HB-SV for pkix@ietf.org; Wed, 05 Sep 2012 06:39:07 -0500 Message-ID: <504739DB.2060708@ieca.com> Date: Wed, 05 Sep 2012 07:39:07 -0400 From: Sean Turner User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20120824 Thunderbird/15.0 MIME-Version: 1.0 To: pkix@ietf.org Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator1743.hostgator.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - ieca.com X-BWhitelist: no X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (thunderfish.local) [108.18.174.220]:50069 X-Source-Auth: sean.turner@ieca.com X-Email-Count: 7 X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20= Subject: [pkix] returning draft-ietf-pkix-rfc5280-clarifications to the WG X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Sep 2012 11:39:09 -0000 During IETF LC, discussions identified an additional change that the WG should consider. Please consider adding the following to the draft (I made shall/SHALL and must/MUST): a) In the penultimate sentence of the first paragraph of 5.3 replace “status of any certificate” with “status of the certificate represented by the CRL entry”. b) Add a new second paragraph in s5.3 that states "A critical extension in the crlEntryExtensions field of an entry SHALL affect only the certificate specified in that entry, unless there is a related critical extension in the crlExtensions field that advertises a special treatment for it. In order to use such CRL, the relying party MUST be able to process both the crlEntryExtension and the related crlExtension." If I missed anything else, please point it out (I know you will :). Now over to you... spt From housley@vigilsec.com Wed Sep 5 06:07:08 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BAF721F861E for ; Wed, 5 Sep 2012 06:07:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.998 X-Spam-Level: X-Spam-Status: No, score=-101.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8l4E5uBcEtMm for ; Wed, 5 Sep 2012 06:07:07 -0700 (PDT) Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by ietfa.amsl.com (Postfix) with ESMTP id 9578E21F861D for ; Wed, 5 Sep 2012 06:07:07 -0700 (PDT) Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id EFFE09A4002 for ; Wed, 5 Sep 2012 09:07:40 -0400 (EDT) X-Virus-Scanned: amavisd-new at smetech.net Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id gCu0mB0rqzYE for ; Wed, 5 Sep 2012 09:07:04 -0400 (EDT) Received: from [10.143.211.215] (host86-189-9-176.range86-189.btcentralplus.com [86.189.9.176]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id B21159A4001 for ; Wed, 5 Sep 2012 09:07:39 -0400 (EDT) From: Russ Housley Content-Type: multipart/alternative; boundary=Apple-Mail-400--823963770 Date: Wed, 5 Sep 2012 09:07:03 -0400 Message-Id: To: "pkix@ietf.org" Mime-Version: 1.0 (Apple Message framework v1084) X-Mailer: Apple Mail (2.1084) Subject: Re: [pkix] Errata in section 5.3 from RFC 5280 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Sep 2012 13:07:08 -0000 --Apple-Mail-400--823963770 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 Santosh=92s proposed modifications look fine to me =20 -- Russ =20 On 8/28/12 1:45 PM, Santosh Chokhani wrote: >=20 > I would propose the following: >=20 > a)In the penultimate sentence of the first paragraph of 5.3 replace > =93status of any certificate=94 with =93status of the certificate > represented by the CRL entry=94. >=20 > b)A critical extension in the *crlEntryExtensions* field of an entry > shall affect only the certificate specified in that entry, unless > there is a related critical extension in the *crlExtensions* field > that advertises a special treatment for it.=94 In order to use such > CRL, the relying party must be able to process both the > *crlEntryExtension *and the related *crlExtension.* =20= --Apple-Mail-400--823963770 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252

Santosh=92s proposed modifications look fine to = me

 

-- Russ

 

On 8/28/12 1:45 PM, Santosh Chokhani = wrote:

> 

> I would propose the = following:

> 

> a)In the penultimate sentence of the = first paragraph of 5.3 replace

> =93status of any certificate=94 with = =93status of the certificate

> represented by the CRL = entry=94.

> 

> b)A critical extension in the = *crlEntryExtensions* field of an entry

> shall affect only the certificate = specified in that entry, unless

> there is a related critical extension in = the *crlExtensions* field

> that advertises a special treatment for = it.=94  In order to use such

> CRL, the relying party must be able to = process both the

> *crlEntryExtension *and the related = *crlExtension.*

 

= --Apple-Mail-400--823963770-- From kent@bbn.com Wed Sep 5 09:03:25 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB02221F85AA for ; Wed, 5 Sep 2012 09:03:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -106.599 X-Spam-Level: X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7l4DueZ2oUhS for ; Wed, 5 Sep 2012 09:03:25 -0700 (PDT) Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id E5E6321F8498 for ; Wed, 5 Sep 2012 09:03:24 -0700 (PDT) Received: from dommiel.bbn.com ([192.1.122.15]:52302 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1T9I4U-000Gfx-HH for pkix@ietf.org; Wed, 05 Sep 2012 12:03:18 -0400 Message-ID: <504777C6.9090200@bbn.com> Date: Wed, 05 Sep 2012 12:03:18 -0400 From: Stephen Kent User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120713 Thunderbird/14.0 MIME-Version: 1.0 To: pkix@ietf.org References: <20120828161824.12779.10639.idtracker@ietfa.amsl.com> <504731B1.7090201@ieca.com> In-Reply-To: <504731B1.7090201@ieca.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [pkix] I-D Action: draft-ietf-pkix-caa-13.txt X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Sep 2012 16:03:25 -0000 As per Sean's message, we are beginning a second WGLC for CAA (version 13), effective today. Since this is a second WGLC, it will be a bit shorter this time, terminating on 9/15. Steve From SChokhani@cygnacom.com Wed Sep 5 13:47:20 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5D7621F86D4 for ; Wed, 5 Sep 2012 13:47:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yBgvS8sB11a4 for ; Wed, 5 Sep 2012 13:47:16 -0700 (PDT) Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) by ietfa.amsl.com (Postfix) with ESMTP id 4740C21F86C9 for ; Wed, 5 Sep 2012 13:47:16 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.80,375,1344225600"; d="scan'208,217";a="1869307" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge2.cygnacom.com with ESMTP; 05 Sep 2012 16:47:11 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Wed, 5 Sep 2012 16:47:11 -0400 From: Santosh Chokhani To: "denis.pinkas@bull.net" , "pkix@ietf.org" Date: Wed, 5 Sep 2012 16:47:11 -0400 Thread-Topic: [pkix] draft-pinkas-rfc2560bis-00 Thread-Index: Ac2FOOqX2IynuUMeRuGLCiVy81d32QGbnTDg Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AF362EC70Cscygexch7cygnac_" MIME-Version: 1.0 Subject: Re: [pkix] draft-pinkas-rfc2560bis-00 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Sep 2012 20:47:21 -0000 --_000_B83745DA469B7847811819C5005244AF362EC70Cscygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Denis, Thanks for this. My initial review indicates that this a very good first d= raft. Note that I did not review ASN.1 carefully (I assume it was copied f= rom the existing RFC). I do have the following comment though: Section 2.2: When the CA is signing the response, should it not also use th= e same key to sign the response as the certificate in question? The later = part of the section indicates this as a requirement. In that case, why not= make this explicit like the OCSP Responder. Section 3.1.3, First paragraph, the rational for CA certificates to have di= gital signature bit set because they sign OCSP certificates is incorrect. = May be what you mean is that a CA that signs OCSP responses needs to have d= igital signature bit set in its own certificate (i.e., the certificate for = which the CA is the subject). Section 3.1.3, Note 2, Again there is no requirement for digital signature = bit to be set just because the CA signs certificates and CRLs. Section 3.2: It not clear which accessLocation is being referred to here (c= Aissuers or OCSP). If this is OCSP, the RFC is overly implementation speci= fic. A CA can use the same OCSP location and sign the response with approp= riate key and include the appropriate CA certificate without having to chan= ge the OCSP pointer. General: The I-D does not address how the CA deals with the situation when = status of multiple certificates issued by the CA, but using different keys = is requested. May be the restriction in 3.2 is used to ensure that such si= tuation does not occur. If so, a short discussion would be helpful. General: It not clear which accessLocation is being referred to in most pla= ces. It would be worth stating that it refers to OCSP in all cases unless = otherwise stated. Section 3.3.2 does not fully and explicitly cover the most common implement= ation I have seen and that is short life certificates. In that scenario, t= he CA needs to continue to issue the OCSP Responder certificate using the o= ld CA key until all the certificates issued by the CA using the old key and= for which the OCSP Responder is authoritative expire. The text in 3.3.3 c= an form a model for this when CA rekeys and OCSP Responder has the old keys= . Section 3.3.3, The last sentence is not desirable and can cause problems wi= th some implementations. It is perfrectly ok for a Responder to change its= key independent of certificate it is authoritative for. Note that OCSP fi= eld in a issue certificate cannot be changed just because the Responder rek= yed, be it routine or due to loss or compromise of Responder key. Section 3.4, last paragraph, I would think that expiration checking need no= t be part of OCSP client. Expiration checking should come under 5280 certi= ficate validation. Section 4.1, We should dilute two CAs "never have the same issuerKeyHash" t= o something more akin to statistically infeasible. Titles of subsections under 4.3 could stand improvements. Responders proce= ss request and produce response; they do not process responses. Clients pr= ocess responses. Section 4.3.1.1, The entry should contain method used to gain access and si= gn just like the text in 4.3.1.2 as opposed to the private key. In other w= ords, align the two texts for accessing and using private key to sign OCSP = responses. Section 4.3.1,1, page 18 "defined in entry" could be misinterpreted as meth= od define in request entry. Section 4.3.1.2, Again the same comment, for the delegated OCSP Responder, = changing the URL when key is changed is not required and breaks many implem= entations and hence is unacceptable. Section 4.3.2, the check for thisUpdate is flawed since this value may be d= erived from CRL even for responses that are not pre-generated and hence can= be hours or days off depending on CRL issuance frequency, It is better to= replace it with producedAt field in the response whether it is related to = current time or time in the past. Section 4,3,2 is missing processing signature on the response and processin= g response extension. Section 5.5: Replay attack is also possible when not using pre-computed res= ponses. General: Removal of locally trusted Responder from the I-D is unacceptable. From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of den= is.pinkas@bull.net Sent: Tuesday, August 28, 2012 12:19 PM To: pkix@ietf.org Subject: [pkix] draft-pinkas-rfc2560bis-00 A new Internet-Draft is available from the on-line Internet-Drafts director= ies. Title : X.509 Internet Public Key Infrastructure Online Certific= ate Status Protocol - OCSP Author(s) : D. Pinkas Filename : draft-pinkas-rfc2560bis Pages : 41 Date : Aug. 27, 2012 This document specifies a protocol useful in determining the current status of a digital certificate without requiring CRLs. Additional mechanisms addressing PKIX operational requirements are specified in separate documents. This document obsoletes RFC 2560 and RFC 6277. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-pinkas-rfc2560bis-00.txt Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ Below is the data which will enable a MIME compliant mail reader implementa= tion to automatically retrieve the ASCII version of the Internet-Draft. A few explanations about the content of draft-ietf-pinkas-rfc2560bis-00. 25 changes are indicated at the beginning of the document. I will only mention a few of them: A - Explanations were missing to describe: - the building of a request by an OCSP client, - the processing of a request by an OCSP server, - the building of a response by an OCSP server, and - the processing of a response by an OCSP client. These explanations have been added. B - Explanations were missing to address CA key rollover and OCSP key roll= over. These explanations have been added. C - Backwards compatibility has been addressed in the following way: 1) An OCSP response by be signed either by a CA or by an OCSP Respond= er. 2) Besides local configuration settings which are optional, only two = cases SHALL be supported by OCSP clients (and thus OCSP servers) as explai= ned below. The key to be used to verify a SingleResponse (within a BasicOCSPRes= ponse) MUST: (1) either be the same key that the one used to sign the target c= ertificate, (2) or be the public key from an OCSP responder that is contained= in an OCSP certificate that has been signed by the same key that the one used to sig= n the target certificate. . The text allows to use the same general processing for a few other cases, s= ince "escape" sentences are provided to allow for these other cases, but only using "loca= l configuration settings". This means in particular that the Identrust model may be supported and that= the "several many cases" that were detailed in the annexes from draft -04 from David Cooper and Stef= an Santesson (but which were not interoperable with most current implementations) can ta= ke benefit of the description of the general processing. Denis --_000_B83745DA469B7847811819C5005244AF362EC70Cscygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Denis,<= /o:p>

 

Thanks for this.  My initial review indicates that = this a very good first draft.  Note that I did not review ASN.1 carefu= lly (I assume it was copied from the existing RFC).   I do have t= he following comment though:

=  

Section 2.2: When the = CA is signing the response, should it not also use the same key to sign the= response as the certificate in question?  The later part of the secti= on indicates this as a requirement.  In that case, why not make this e= xplicit like the OCSP Responder.

=  

Section 3.1.3, Fir= st paragraph, the rational for CA certificates to have digital signature bi= t set because they sign OCSP certificates is incorrect.  May be what y= ou mean is that a CA that signs OCSP responses needs to have digital signat= ure bit set in its own certificate (i.e., the certificate for which the CA = is the subject).

 <= /o:p>

Section 3.1.3, Note 2, Again there= is no requirement for digital signature bit to be set just because the CA = signs certificates and CRLs.

=  

Section 3.2: It not cl= ear which accessLocation is being referred to here (cAissuers or OCSP).&nbs= p; If this is OCSP, the RFC is overly implementation specific.  A CA c= an use the same OCSP location and sign the response with appropriate key an= d include the appropriate CA certificate without having to change the OCSP = pointer.

 

General: The I-D does not address how the = CA deals with the situation when status of multiple certificates issued by = the CA, but using different keys is requested.  May be the restriction= in 3.2 is used to ensure that such situation does not occur.  If so, = a short discussion would be helpful.

 

General: It no= t clear which accessLocation is being referred to in most places.  It = would be worth stating that it refers to OCSP in all cases unless otherwise= stated.

 

Section 3.3.2 does not fully and explicitl= y cover the most common implementation I have seen and that is short life c= ertificates.  In that scenario, the CA needs to continue to issue the = OCSP Responder certificate using the old CA key until all the certificates = issued by the CA using the old key and for which the OCSP Responder is auth= oritative expire.  The text in 3.3.3 can form a model for this when CA= rekeys and OCSP Responder has the old keys.

 

Secti= on 3.3.3, The last sentence is not desirable and can cause problems with so= me implementations.  It is perfrectly ok for a Responder to change its= key independent of certificate it is authoritative for.  Note that OC= SP field in a issue certificate cannot be changed just because the Responde= r rekyed, be it routine or due to loss or compromise of Responder key.=

 

Section 3.4, last paragraph, I would think that expirat= ion checking need not be part of OCSP client.  Expiration checking sho= uld come under 5280 certificate validation.

 

= Section 4.1, We should dilute two CAs “never have the same issuer= KeyHash” to something more akin to statistically infeasible.

 

Titles of subsections under 4.3 could stand improvements.&= nbsp; Responders process request and produce response; they do not process = responses.  Clients process responses.

 

Secti= on 4.3.1.1, The entry should contain method used to gain access and sign ju= st like the text in 4.3.1.2 as opposed to the private key.  In other w= ords, align the two texts for accessing and using private key to sign OCSP = responses.

 <= /span>

Section 4.3.1,1, page 18 “defined = in entry” could be misinterpreted as method define in request entry.<= o:p>

 

<= p class=3DMsoNormal>Section 4.3.1.2, Again the same comment, for the de= legated OCSP Responder, changing the URL when key is changed is not require= d and breaks many implementations and hence is unacceptable.

 

Section 4.3.2, the check for thisUpdate is flawed since this valu= e may be derived from CRL even for responses that are not pre-generated and= hence can be hours or days off depending on CRL issuance frequency,  = It is better to replace it with producedAt field in the response whether it= is related to current time or time in the past.

 

Se= ction 4,3,2 is missing processing signature on the response and processing = response extension.

&n= bsp;

Section 5.5: Replay attack is= also possible when not using pre-computed responses.

=

 

<= span style=3D'font-size:9.0pt;font-family:"Arial","sans-serif";color:#0070C= 0'>General: Removal of locally trusted Responder from the I-D is unacceptab= le.

 <= /p>

From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf= .org] On Behalf Of denis.pinkas@bull.net
Sent: Tuesday, Au= gust 28, 2012 12:19 PM
To: pkix@ietf.org
Subject: [pkix= ] draft-pinkas-rfc2560bis-00

 

A new Internet-Draft is available from the on-= line Internet-Drafts directories.

   Title     &= nbsp;   : X.509 Internet Public Key Infrastructure Online Certificate = Status Protocol - OCSP
   Author(s)     : D. Pinkas<= br>   Filename      : draft-pinkas-rfc2560bis
&= nbsp;  Pages         : 41
   Date &n= bsp;        : Aug. 27, 2012
   
 = This document specifies a protocol useful in determining the current
&n= bsp; status of a digital certificate without requiring CRLs.  Addition= al
  mechanisms addressing PKIX operational requirements are specif= ied in
  separate documents. This document obsoletes RFC 2560 and R= FC 6277.

A URL for this Internet-Draft is:
http://www.ietf.org/= internet-drafts/draft-pinkas-rfc2560bis-00.txt

Internet-Drafts are= also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data w= hich will enable a MIME compliant mail reader implementation
to automat= ically retrieve the ASCII version of the Internet-Draft.

<ftp://ftp.iet= f.org/internet-drafts/draft-pinkas-rfc2560bis>

A few explanation= s about the content of draft-ietf-pinkas-rfc2560bis-00.

25 changes ar= e indicated at the beginning of the document.
I will only mention a few o= f them:

A - Explanations were missing to describe:

   = ;  - the building of a request by an OCSP client,
    &nbs= p;- the processing of a request by an OCSP server,
     = - the building of a response  by an OCSP server, and
    &= nbsp;- the processing of a response by an OCSP client.

These explanat= ions have been added.

B - Explanations were missing to  address = CA key rollover and OCSP key rollover.
     These explanat= ions have been added.

C - Backwards compatibility has been addressed = in the following way:

      1) An OCSP response by be = signed either by a CA or by an OCSP Responder.

     = 2) Besides local configuration settings which are optional, only two cases=
       SHALL be supported by OCSP clients (and thu= s OCSP servers) as explained below.


       The ke= y to be used to verify a SingleResponse (within a BasicOCSPResponse) MUST:<= /span>

          (1) either be the same key that th= e one used to sign the target certificate,

       =   (2) or be the public key from an OCSP responder that is contained i= n an OCSP certificate
              = that has been signed by the same key that the one used to sign the target c= ertificate.
   .

The text allows to use the same general pro= cessing for a few other cases, since "escape"
sentences are p= rovided to allow for these other cases, but only using "local configur= ation settings".


This means in particular that the Identrust mod= el may be supported and that the "several many cases"
that we= re detailed in the annexes from draft -04 from David Cooper and Stefan Sant= esson
(but which were not interoperable with most current implementatio= ns) can take benefit of the description
of the general processing.


Denis

= --_000_B83745DA469B7847811819C5005244AF362EC70Cscygexch7cygnac_-- From stephen.farrell@cs.tcd.ie Thu Sep 6 07:42:30 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5ABDA21F8504; Thu, 6 Sep 2012 07:42:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OM0WU6WNxPS6; Thu, 6 Sep 2012 07:42:29 -0700 (PDT) Received: from scss.tcd.ie (hermes.scss.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 43E5A21F8501; Thu, 6 Sep 2012 07:42:29 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id D7F7A17147A; Thu, 6 Sep 2012 15:42:27 +0100 (IST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1346942547; bh=FdWuwDOj2gXykg yC9E1/2LnKzVi/Gh71yN4r0Omg7M0=; b=abRor1NzYMABM0jMRYCxD7dW2oXAxX GbpiQH64yTJIUY3Llk46oeosmaBD+GXwP6tF7zGanG+HBVdQkX+c36QdG0B8gwOq BYxZ/+C5KJ4RPYhs2VIBaO0C1ksmfm9Q9fVJNdbXoGb049uylyVW2wOkwfn4sHhZ HHxJStawzphgUra7gd4o/Y0v8jyMlIXRJb5cMoMm4YeB6Yh/udBg9sVVygdUK13K GF777f76YbpQ/paHbX1mQp+v8QV4tvJ1WAQIaWhhxetFjjcEqHQJmpwXdK3x4b14 JtExNJjZSWiJXI+9UQvZh2IqMIId8BNGBfloncX59sZqe6P6BBamXaVA== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id 5NTQ+R1Vsr2i; Thu, 6 Sep 2012 15:42:27 +0100 (IST) Received: from [10.87.48.9] (unknown [86.44.75.103]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 4EAB0171486; Thu, 6 Sep 2012 15:42:27 +0100 (IST) Message-ID: <5048B653.3080902@cs.tcd.ie> Date: Thu, 06 Sep 2012 15:42:27 +0100 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120827 Thunderbird/15.0 MIME-Version: 1.0 To: "saag@ietf.org" , "'wpkops@ietf.org'" , pkix References: In-Reply-To: X-Enigmail-Version: 1.4.4 X-Forwarded-Message-Id: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: [pkix] Fwd: [therightkey] Certificate Transparency Working Group? X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Sep 2012 14:42:30 -0000 Hi all, Please see below. Ben Laurie's looking to see if folks are interested in a BoF on Certificate Transparency for the IETF meeting in Altanta. Sean and I would be fine with that, if there's sufficient interest etc. Please follow up on therightkey@ietf.org if this is a topic that's of interest to you. Thanks, Stephen. -------- Original Message -------- Subject: [therightkey] Certificate Transparency Working Group? Date: Thu, 6 Sep 2012 15:32:05 +0100 From: Ben Laurie To: therightkey@ietf.org Would people be interested in starting a WG on Certificate Transparency? If so, how about a BoF in Atlanta? Here's a draft charter... CT IETF WG Draft Charter Objective Specify mechanisms and techniques that allow Internet applications to monitor and verify the issuance of public X.509 certificates such that all public issued certificates are available to applications, and each certificate seen by an application can be efficiently shown to be in the log of issued certificates. Furthermore, it should be possible to cryptographically verify the correct operation of the log. Optionally, do the same for certificate revocations. Problem Statement Currently it is possible for any CA to issue a certificate for any site without any oversight. This has led to some high profile mis-issuance of certificates, such as by DigiNotar, a subsidiary of VASCO Data Security International, in July 2011 (http://www.vasco.com/company/about_vasco/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx). The aim is to make it possible to detect such mis-issuance promptly through the use of a public log of all public issued certificates. Domain owners can then monitor this log and, upon detecting mis-issuance, take appropriate action. This public log must also be able to efficiently demonstrate its own correct operation, rather than introducing yet another party that must be trusted into the equation. Clients should also be able to efficiently verify that certificates they receive have indeed been entered into the public log. For revocations, the aim would be similar: ensure that revocations are as expected, that clients can efficiently obtain the revocation status of a certificate and that the log is operating correctly. Also, in both cases, the solution must be usable by browsers - this means that it cannot add any round trips to page fetches, and that any data transfers that are mandatory are of a reasonable size. _______________________________________________ therightkey mailing list therightkey@ietf.org https://www.ietf.org/mailman/listinfo/therightkey From denis.pinkas@bull.net Thu Sep 6 07:55:49 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55ED421F857A; Thu, 6 Sep 2012 07:55:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.748 X-Spam-Level: X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, MIME_BAD_LINEBREAK=0.5] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lZFNyFpOSV97; Thu, 6 Sep 2012 07:55:48 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 1475821F8568; Thu, 6 Sep 2012 07:55:48 -0700 (PDT) Received: from MSGC-003.bull.fr (MSGC-003.frcl.bull.fr [129.184.87.131]) by odin2.bull.net (Bull S.A.) with ESMTP id 41C3818170; Thu, 6 Sep 2012 16:55:47 +0200 (CEST) MIME-Version: 1.0 Importance: Normal X-Priority: 3 (Normal) In-Reply-To: <5048B653.3080902@cs.tcd.ie> References: <5048B653.3080902@cs.tcd.ie>, X-Disclaimed: 1 From: denis.pinkas@bull.net To: stephen.farrell@cs.tcd.ie Message-ID: Date: Thu, 6 Sep 2012 16:55:46 +0200 X-Mailer: Lotus Domino Web Server Release 8.5.2FP1 November 29, 2010 X-MIMETrack: Serialize by HTTP Server on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 06/09/2012 16:55:46, Serialize complete at 06/09/2012 16:55:46, Itemize by HTTP Server on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 06/09/2012 16:55:46, Serialize by Router on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 06/09/2012 16:55:47, Serialize complete at 06/09/2012 16:55:47 Content-Type: multipart/alternative; boundary="=_alternative 0052028CC1257A71_=" Cc: pkix@ietf.org, wpkops@ietf.org, saag@ietf.org Subject: Re: [pkix] Fwd: [therightkey] Certificate Transparency Working Group? X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Sep 2012 14:55:49 -0000 --=_alternative 0052028CC1257A71_= Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Part of the stated objective (i.e. verify the issuance of public X.509 cert= ificates)=20 is currently addressed, within the context of OCSP, in : https://datatracker.ietf.org/doc/draft-pinkas-2560bis-certinfo/ This draft is being considered within the PKIX WG. The second part of the objective (i.e. making all public issued certificate= s available to applications)=20 may be dangerous in many situations.=20 Denis -----pkix-bounces@ietf.org a =E9crit : -----=20 A : "saag@ietf.org" , "'wpkops@ietf.org'" ,= pkix De : Stephen Farrell=20 Envoy=E9 par : pkix-bounces@ietf.org Date : 06/09/2012 16:42 Objet : [pkix] Fwd: [therightkey] Certificate Transparency Working Group? Hi all, Please see below. Ben Laurie's looking to see if folks are interested in a BoF on Certificate Transparency for the IETF meeting in Altanta. Sean and I would be fine with that, if there's sufficient interest etc. Please follow up on therightkey@ietf.org if this is a topic that's of interest to you. Thanks, Stephen. -------- Original Message -------- Subject: [therightkey] Certificate Transparency Working Group? Date: Thu, 6 Sep 2012 15:32:05 +0100 From: Ben Laurie To: therightkey@ietf.org Would people be interested in starting a WG on Certificate Transparency? If so, how about a BoF in Atlanta? Here's a draft charter... CT IETF WG Draft Charter Objective Specify mechanisms and techniques that allow Internet applications to monitor and verify the issuance of public X.509 certificates such that all public issued certificates are available to applications, and each certificate seen by an application can be efficiently shown to be in the log of issued certificates. Furthermore, it should be possible to cryptographically verify the correct operation of the log. Optionally, do the same for certificate revocations. Problem Statement Currently it is possible for any CA to issue a certificate for any site without any oversight. This has led to some high profile mis-issuance of certificates, such as by DigiNotar, a subsidiary of VASCO Data Security International, in July 2011 (http://www.vasco.com/company/about=5Fvasco/press=5Froom/news=5Farchive/201= 1/news=5Fdiginotar=5Freports=5Fsecurity=5Fincident.aspx). The aim is to make it possible to detect such mis-issuance promptly through the use of a public log of all public issued certificates. Domain owners can then monitor this log and, upon detecting mis-issuance, take appropriate action. This public log must also be able to efficiently demonstrate its own correct operation, rather than introducing yet another party that must be trusted into the equation. Clients should also be able to efficiently verify that certificates they receive have indeed been entered into the public log. For revocations, the aim would be similar: ensure that revocations are as expected, that clients can efficiently obtain the revocation status of a certificate and that the log is operating correctly. Also, in both cases, the solution must be usable by browsers - this means that it cannot add any round trips to page fetches, and that any data transfers that are mandatory are of a reasonable size. =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F therightkey mailing list therightkey@ietf.org https://www.ietf.org/mailman/listinfo/therightkey =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix --=_alternative 0052028CC1257A71_= Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=ISO-8859-1
Part of the stated objective (i.e. verify the issuance of publi= c X.509 certificates)
is currently addressed, within the context of OCS= P, in :
=0D
 
=0D=0D

This draft is be= ing considered within the PKIX WG.
=0D
 
=0D
= = The second part of the objective (i.e. making all public issued certificate= s available to applications)
may be dangerous in many situations.
=0D
 
=0D
Denis
=0D

-----pkix-bounces@ietf.org a =E9crit : -----
=0D
=0D=
A : "saag@ietf.org" <= ;saag@ietf.org>, "'wpkops@ietf.org'" <wpkops@ietf.org>, pkix <p= kix@ietf.org>
De : Stephen Farrell
Env= oy=E9 par : pkix-bounces@ietf.org
Date : 06/09/2012 16:42
Objet : [pk= ix] Fwd: [therightkey] Certificate Transparency Working Group?

Hi all,

Pl= ease see below. Ben Laurie's looking to see if folks are
interested in a= BoF on Certificate Transparency for the
IETF meeting in Altanta.
Sean and I would be fine with that, if there's sufficient
interest etc.=

Please follow up on therightkey@ietf.org if this is a
topic that= 's of interest to you.

Thanks,
Stephen.


-------- Origi= nal Message --------
Subject: [therightkey] Certificate Transparency Wor= king Group?
Date: Thu, 6 Sep 2012 15:32:05 +0100
From: Ben Laurie <= ;benl@google.com>
To: therightkey@ietf.org

Would people be int= erested in starting a WG on Certificate
Transparency? If so, how about a= BoF in Atlanta?

Here's a draft charter...


CT IETF WG Dra= ft Charter

Objective

Specify mechanisms and techniques that a= llow Internet applications to
monitor and verify the issuance of public = X.509 certificates such that
all public issued certificates are availabl= e to applications, and each
certificate seen by an application can be ef= ficiently shown to be in
the log of issued certificates. Furthermore, it= should be possible to
cryptographically verify the correct operation of= the log.


Optionally, do the same for certificate revocations.
Problem Statement

Currently it is possible for any CA to issue= a certificate for any
site without any oversight. This has led to some = high profile
mis-issuance of certificates, such as by DigiNotar, a subsi= diary of
VASCO Data Security International, in July 2011
(http://www.vasco.co= m/company/about=5Fvasco/press=5Froom/news=5Farchive/2011/news=5Fdiginotar= =5Freports=5Fsecurity=5Fincident.aspx).


The aim is to make i= t possible to detect such mis-issuance promptly
through the use of a pub= lic log of all public issued certificates.
Domain owners can then monito= r this log and, upon detecting
mis-issuance, take appropriate action.

This public log must also be able to efficiently demonstrate its o= wn
correct operation, rather than introducing yet another party that mus= t
be trusted into the equation.


Clients should also be able t= o efficiently verify that certificates
they receive have indeed been ent= ered into the public log.


For revocations, the aim would be simi= lar: ensure that revocations are
as expected, that clients can efficient= ly obtain the revocation status
of a certificate and that the log is ope= rating correctly.


Also, in both cases, the solution must be usab= le by browsers - this
means that it cannot add any round trips to page f= etches, and that any
data transfers that are mandatory are of a reasonab= le size.
=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/= listinfo/therightkey




=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F
pkix mailing list
pkix@ietf.org<= BR>https://www.ietf.= org/mailman/listinfo/pkix
=0D
--=_alternative 0052028CC1257A71_=-- From stephen.farrell@cs.tcd.ie Thu Sep 6 07:58:10 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD91B21F8683; Thu, 6 Sep 2012 07:58:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kq4FIW41YCvk; Thu, 6 Sep 2012 07:58:09 -0700 (PDT) Received: from scss.tcd.ie (hermes.scss.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 142F621F866E; Thu, 6 Sep 2012 07:58:09 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 7FC01171486; Thu, 6 Sep 2012 15:58:08 +0100 (IST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1346943488; bh=SGDn/Gvpj2skaZ 3O25K8NbvfB1rlHxE3AEcjL9x08IE=; b=oR2zI6AmFJrPfvo2nDdGzSWj9XL0Pf Gfq5Iy83saZFF6b/gWgm555Z/nkrkrSOyV9r3FLCvIknfxg4t58tq8qR2xqhvQt0 PZPP7Q75kzC23ne0Nn8zMhwI2qcZkH6VPFSITQpwkN21esbg/5mJ24m5XHMIcwC5 dqOLQxQWdHIczOrujES9O41ZapiN44SA4AYGIQuwLoTqFvh0XWyKozexpbgghwct W5UvAbXEHpeffocvk5CvkzrodYr/ovTrvO43QM+qEuCJ5CpO+/UpZm0ab73NXVux eL8RKms7Xwv08dugoi/47lOMAxTRKZyWR2XAbNBiImWEzM5k2F4p0e5A== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id ZMb38ijg-nek; Thu, 6 Sep 2012 15:58:08 +0100 (IST) Received: from [10.87.48.9] (unknown [86.44.75.103]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id D42D117147A; Thu, 6 Sep 2012 15:58:07 +0100 (IST) Message-ID: <5048B9FF.50801@cs.tcd.ie> Date: Thu, 06 Sep 2012 15:58:07 +0100 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120827 Thunderbird/15.0 MIME-Version: 1.0 To: denis.pinkas@bull.net References: <5048B653.3080902@cs.tcd.ie>, In-Reply-To: X-Enigmail-Version: 1.4.4 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Cc: pkix@ietf.org, wpkops@ietf.org, saag@ietf.org Subject: Re: [pkix] [wpkops] Fwd: [therightkey] Certificate Transparency Working Group? X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Sep 2012 14:58:10 -0000 Denis, all, Please follow-up on therightkey@ietf.org which is where this will be discussed. Thanks, S. On 09/06/2012 03:55 PM, denis.pinkas@bull.net wrote: > Part of the stated objective (i.e. verify the issuance of public X.509 certificates) > is currently addressed, within the context of OCSP, in : > > https://datatracker.ietf.org/doc/draft-pinkas-2560bis-certinfo/ > > This draft is being considered within the PKIX WG. > > The second part of the objective (i.e. making all public issued certificates available to applications) > may be dangerous in many situations. > > Denis > > -----pkix-bounces@ietf.org a écrit : ----- > A : "saag@ietf.org" , "'wpkops@ietf.org'" , pkix > De : Stephen Farrell > Envoyé par : pkix-bounces@ietf.org > Date : 06/09/2012 16:42 > Objet : [pkix] Fwd: [therightkey] Certificate Transparency Working Group? > > Hi all, > > Please see below. Ben Laurie's looking to see if folks are > interested in a BoF on Certificate Transparency for the > IETF meeting in Altanta. > > Sean and I would be fine with that, if there's sufficient > interest etc. > > Please follow up on therightkey@ietf.org if this is a > topic that's of interest to you. > > Thanks, > Stephen. > > > -------- Original Message -------- > Subject: [therightkey] Certificate Transparency Working Group? > Date: Thu, 6 Sep 2012 15:32:05 +0100 > From: Ben Laurie > To: therightkey@ietf.org > > Would people be interested in starting a WG on Certificate > Transparency? If so, how about a BoF in Atlanta? > > Here's a draft charter... > > > CT IETF WG Draft Charter > > Objective > > Specify mechanisms and techniques that allow Internet applications to > monitor and verify the issuance of public X.509 certificates such that > all public issued certificates are available to applications, and each > certificate seen by an application can be efficiently shown to be in > the log of issued certificates. Furthermore, it should be possible to > cryptographically verify the correct operation of the log. > > > Optionally, do the same for certificate revocations. > > Problem Statement > > Currently it is possible for any CA to issue a certificate for any > site without any oversight. This has led to some high profile > mis-issuance of certificates, such as by DigiNotar, a subsidiary of > VASCO Data Security International, in July 2011 > (http://www.vasco.com/company/about_vasco/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx). > > > The aim is to make it possible to detect such mis-issuance promptly > through the use of a public log of all public issued certificates. > Domain owners can then monitor this log and, upon detecting > mis-issuance, take appropriate action. > > > This public log must also be able to efficiently demonstrate its own > correct operation, rather than introducing yet another party that must > be trusted into the equation. > > > Clients should also be able to efficiently verify that certificates > they receive have indeed been entered into the public log. > > > For revocations, the aim would be similar: ensure that revocations are > as expected, that clients can efficiently obtain the revocation status > of a certificate and that the log is operating correctly. > > > Also, in both cases, the solution must be usable by browsers - this > means that it cannot add any round trips to page fetches, and that any > data transfers that are mandatory are of a reasonable size. > _______________________________________________ > therightkey mailing list > therightkey@ietf.org > https://www.ietf.org/mailman/listinfo/therightkey > > > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix > > > > _______________________________________________ > wpkops mailing list > wpkops@ietf.org > https://www.ietf.org/mailman/listinfo/wpkops > From SChokhani@cygnacom.com Thu Sep 6 14:19:38 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 779CA21F86B5; Thu, 6 Sep 2012 14:19:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rYI3SZWf5mR8; Thu, 6 Sep 2012 14:19:35 -0700 (PDT) Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) by ietfa.amsl.com (Postfix) with ESMTP id 7FCF621F867C; Thu, 6 Sep 2012 14:19:34 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.80,381,1344225600"; d="scan'208,217";a="1880458" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge2.cygnacom.com with ESMTP; 06 Sep 2012 17:19:31 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Thu, 6 Sep 2012 17:19:31 -0400 From: Santosh Chokhani To: "denis.pinkas@bull.net" , "stephen.farrell@cs.tcd.ie" Date: Thu, 6 Sep 2012 17:19:30 -0400 Thread-Topic: [pkix] Fwd: [therightkey] Certificate Transparency Working Group? Thread-Index: Ac2MP7aNNCOrJRfXREq4TcOezgbyVAANRC1w Message-ID: References: <5048B653.3080902@cs.tcd.ie>, In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AF362EC770scygexch7cygnac_" MIME-Version: 1.0 Cc: "pkix@ietf.org" , "wpkops@ietf.org" , "saag@ietf.org" Subject: Re: [pkix] Fwd: [therightkey] Certificate Transparency Working Group? X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Sep 2012 21:19:38 -0000 --_000_B83745DA469B7847811819C5005244AF362EC770scygexch7cygnac_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Denis, As you may have seen my comment on this I-D and additions for security cons= ideration, this extension does not provide the requisite transparency since= anyone who has compromised the CA can put in their own OCSP pointer. That is the reason I want you to add the text in the "Security Consideratio= ns" section. From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of den= is.pinkas@bull.net Sent: Thursday, September 06, 2012 10:56 AM To: stephen.farrell@cs.tcd.ie Cc: pkix@ietf.org; wpkops@ietf.org; saag@ietf.org Subject: Re: [pkix] Fwd: [therightkey] Certificate Transparency Working Gro= up? Part of the stated objective (i.e. verify the issuance of public X.509 cert= ificates) is currently addressed, within the context of OCSP, in : https://datatracker.ietf.org/doc/draft-pinkas-2560bis-certinfo/ This draft is being considered within the PKIX WG. The second part of the objective (i.e. making all public issued certificate= s available to applications) may be dangerous in many situations. Denis -----pkix-bounces@ietf.org a =E9crit : -= ---- A : "saag@ietf.org" >, "'wpkops@ietf.org'" >, pkix <= pkix@ietf.org> De : Stephen Farrell Envoy=E9 par : pkix-bounces@ietf.org Date : 06/09/2012 16:42 Objet : [pkix] Fwd: [therightkey] Certificate Transparency Working Group? Hi all, Please see below. Ben Laurie's looking to see if folks are interested in a BoF on Certificate Transparency for the IETF meeting in Altanta. Sean and I would be fine with that, if there's sufficient interest etc. Please follow up on therightkey@ietf.org if th= is is a topic that's of interest to you. Thanks, Stephen. -------- Original Message -------- Subject: [therightkey] Certificate Transparency Working Group? Date: Thu, 6 Sep 2012 15:32:05 +0100 From: Ben Laurie > To: therightkey@ietf.org Would people be interested in starting a WG on Certificate Transparency? If so, how about a BoF in Atlanta? Here's a draft charter... CT IETF WG Draft Charter Objective Specify mechanisms and techniques that allow Internet applications to monitor and verify the issuance of public X.509 certificates such that all public issued certificates are available to applications, and each certificate seen by an application can be efficiently shown to be in the log of issued certificates. Furthermore, it should be possible to cryptographically verify the correct operation of the log. Optionally, do the same for certificate revocations. Problem Statement Currently it is possible for any CA to issue a certificate for any site without any oversight. This has led to some high profile mis-issuance of certificates, such as by DigiNotar, a subsidiary of VASCO Data Security International, in July 2011 (http://www.vasco.com/company/about_vasco/press_room/news_archive/2011/news= _diginotar_reports_security_incident.aspx). The aim is to make it possible to detect such mis-issuance promptly through the use of a public log of all public issued certificates. Domain owners can then monitor this log and, upon detecting mis-issuance, take appropriate action. This public log must also be able to efficiently demonstrate its own correct operation, rather than introducing yet another party that must be trusted into the equation. Clients should also be able to efficiently verify that certificates they receive have indeed been entered into the public log. For revocations, the aim would be similar: ensure that revocations are as expected, that clients can efficiently obtain the revocation status of a certificate and that the log is operating correctly. Also, in both cases, the solution must be usable by browsers - this means that it cannot add any round trips to page fetches, and that any data transfers that are mandatory are of a reasonable size. _______________________________________________ therightkey mailing list therightkey@ietf.org https://www.ietf.org/mailman/listinfo/therightkey _______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix --_000_B83745DA469B7847811819C5005244AF362EC770scygexch7cygnac_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

Denis,<= /o:p>

 

As you may have seen my comment on this I-D and addition= s for security consideration, this extension does not provide the requisite= transparency since anyone who has compromised the CA can put in their own = OCSP pointer.

 

That is the reason I want you to add = the text in the “Security Considerations” section. <= /span>

 

From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Beh= alf Of denis.pinkas@bull.net
Sent: Thursday, September 06, 20= 12 10:56 AM
To: stephen.farrell@cs.tcd.ie
Cc: pkix@ietf= .org; wpkops@ietf.org; saag@ietf.org
Subject: Re: [pkix] Fwd: [th= erightkey] Certificate Transparency Working Group?

 

Part of the stated = objective (i.e. verify the issuance of public X.509 certificates)
is cu= rrently addressed, within the context of OCSP, in :

 


This draft is being considered w= ithin the PKIX WG.

 

The second part of the objective (= i.e. making all public issued certificates available to applications)
m= ay be dangerous in many situations.

 

Denis


-----pkix-bounces@ietf.org a= =E9crit : -----

A : "saag@ietf.org"= ; <saag@ietf.org>, "'wpkops= @ietf.org'" <wpkops@ietf.org= >, pkix <pkix@ietf.org>
De= : Stephen Farrell
Envoy=E9 par : pkix-bounces@ietf.org
Date : 06/09/2012 16:42
Objet : [pkix] = Fwd: [therightkey] Certificate Transparency Working Group?

Hi all,

Ple= ase see below. Ben Laurie's looking to see if folks are
interested in a = BoF on Certificate Transparency for the
IETF meeting in Altanta.

= Sean and I would be fine with that, if there's sufficient
interest etc.<= br>
Please follow up on theright= key@ietf.org if this is a
topic that's of interest to you.

Th= anks,
Stephen.


-------- Original Message --------
Subject:= [therightkey] Certificate Transparency Working Group?
Date: Thu, 6 Sep = 2012 15:32:05 +0100
From: Ben Laurie <benl@google.com>
To: = therightkey@ietf.org

Would people be interested in starting a WG= on Certificate
Transparency? If so, how about a BoF in Atlanta?

= Here's a draft charter...


CT IETF WG Draft Charter

Object= ive

Specify mechanisms and techniques that allow Internet applicatio= ns to
monitor and verify the issuance of public X.509 certificates such = that
all public issued certificates are available to applications, and e= ach
certificate seen by an application can be efficiently shown to be in=
the log of issued certificates. Furthermore, it should be possible tocryptographically verify the correct operation of the log.


Opt= ionally, do the same for certificate revocations.

Problem Statement<= br>
Currently it is possible for any CA to issue a certificate for anysite without any oversight. This has led to some high profile
mis-issu= ance of certificates, such as by DigiNotar, a subsidiary of
VASCO Data S= ecurity International, in July 2011
(http://www.vasco.com/company/about_vasco/press_room/news_= archive/2011/news_diginotar_reports_security_incident.aspx).

The aim is to make it possible to detect such mis-issuance promptly
thr= ough the use of a public log of all public issued certificates.
Domain o= wners can then monitor this log and, upon detecting
mis-issuance, take a= ppropriate action.


This public log must also be able to efficien= tly demonstrate its own
correct operation, rather than introducing yet a= nother party that must
be trusted into the equation.


Clients = should also be able to efficiently verify that certificates
they receive= have indeed been entered into the public log.


For revocations, = the aim would be similar: ensure that revocations are
as expected, that = clients can efficiently obtain the revocation status
of a certificate an= d that the log is operating correctly.


Also, in both cases, the = solution must be usable by browsers - this
means that it cannot add any = round trips to page fetches, and that any
data transfers that are mandat= ory are of a reasonable size.
__________________________________________= _____
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
<= br>


_______________________________________________
pkix mail= ing list
pkix@ietf.org
https://www.ietf.org/mailma= n/listinfo/pkix

= --_000_B83745DA469B7847811819C5005244AF362EC770scygexch7cygnac_-- From internet-drafts@ietf.org Thu Sep 6 15:26:23 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 959EA21F862B; Thu, 6 Sep 2012 15:26:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.408 X-Spam-Level: X-Spam-Status: No, score=-102.408 tagged_above=-999 required=5 tests=[AWL=0.191, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T5-ZdhYLblMN; Thu, 6 Sep 2012 15:26:23 -0700 (PDT) Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07F1521F8645; Thu, 6 Sep 2012 15:26:23 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: internet-drafts@ietf.org To: i-d-announce@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 4.34 Message-ID: <20120906222623.14206.59621.idtracker@ietfa.amsl.com> Date: Thu, 06 Sep 2012 15:26:23 -0700 Cc: pkix@ietf.org Subject: [pkix] I-D Action: draft-ietf-pkix-rfc5280-clarifications-09.txt X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Sep 2012 22:26:23 -0000 A New Internet-Draft is available from the on-line Internet-Drafts director= ies. This draft is a work item of the Public-Key Infrastructure (X.509) Working= Group of the IETF. Title : Updates to the Internet X.509 Public Key Infrastructure = Certificate and Certificate Revocation List (CRL) Profile Author(s) : Peter E. Yee Filename : draft-ietf-pkix-rfc5280-clarifications-09.txt Pages : 9 Date : 2012-09-06 Abstract: This document updates RFC 5280, the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. This document changes the set of acceptable encoding methods for the explicitText field of the user notice policy qualifier and clarifies the rules for converting internationalized domain name labels to ASCII. This document also provides some clarifications on the use of self-signed certificates, trust anchors, and some updated security considerations. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-pkix-rfc5280-clarifications There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-pkix-rfc5280-clarifications-09 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-pkix-rfc5280-clarifications-09 Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From denis.pinkas@bull.net Thu Sep 6 23:14:01 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D91A21F85DA for ; Thu, 6 Sep 2012 23:14:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.748 X-Spam-Level: X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, MIME_BAD_LINEBREAK=0.5] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MXxCN4D2Q4UY for ; Thu, 6 Sep 2012 23:14:00 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 166A521F85D5 for ; Thu, 6 Sep 2012 23:13:59 -0700 (PDT) Received: from MSGC-003.bull.fr (MSGC-003.frcl.bull.fr [129.184.87.131]) by odin2.bull.net (Bull S.A.) with ESMTP id 9C9A51815B for ; Fri, 7 Sep 2012 08:13:58 +0200 (CEST) MIME-Version: 1.0 Importance: Normal X-Priority: 3 (Normal) In-Reply-To: References: X-Disclaimed: 1 From: denis.pinkas@bull.net To: pkix@ietf.org Message-ID: Date: Fri, 7 Sep 2012 08:13:57 +0200 X-Mailer: Lotus Domino Web Server Release 8.5.2FP1 November 29, 2010 X-MIMETrack: Serialize by HTTP Server on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 07/09/2012 08:13:57, Serialize complete at 07/09/2012 08:13:57, Itemize by HTTP Server on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 07/09/2012 08:13:57, Serialize by Router on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 07/09/2012 08:13:58, Serialize complete at 07/09/2012 08:13:58 Content-Type: multipart/alternative; boundary="=_alternative 00223CB2C1257A72_=" Subject: Re: [pkix] I-D Action: draft-ietf-pkix-rfc5280-clarifications-09.txt X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 06:14:01 -0000 --=_alternative 00223CB2C1257A72_= Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Thank you Peter for the additional text . =20 However, I have three comments: =20 1) The introduction is missing to advertise the change detailed in section = 4. =20 2) I would think that a small vocabulary ajustement would improve the text: =20 One one side, we have: =20 | If a CRL contains a critical CRL entry extension=20 | that the application cannot process, then the application MUST=20 | NOT use that CRL to determine the status of the certificate =20 | represented by the CRL entry. On the other side, we have: =20 | A critical extension in the crlEntryExtensions field of an entry | SHALL affect only the certificate specified in that entry, unless | there is a related critical extension in the crlExtensions field | that advertises a special treatment for it.=20 =20 The first sentence uses "represented by" while the second uses "specified i= n". The same verb would be better. I would rather prefer to use for both "ident= ified in" My second choice would be "specified in". =20 This would lead in the first sentence to =20 | If a CRL contains a critical CRL entry extension=20 | that the application cannot process, then the application MUST=20 | NOT use that CRL to determine the status of the certificate =20 | identified in the CRL entry. =20 while for the second sentence: =20 | A critical extension in the crlEntryExtensions field of an entry | SHALL affect only the certificate identified in that entry, unless | there is a related critical extension in the crlExtensions field | that advertises a special treatment for it. =20 =20 3) During the discussion, I raised the point that Extensions was defined in= this document and that other RFCs imported not only the ASN.1 syntax, but al= so=20 the semantics. However, the way the document is currently written does = not=20 allow to import the semantics. I have made text proposals so that we ca= n=20 have a clean and separate section to define what an Extension is in ord= er to=20 allow such an import. As an example, OCSP makes such an import and does= =20 it currently in a way which is not fully inappropriate because RFC 5280= is not=20 "clean" in that point. =20 Denis -----pkix-bounces@ietf.org a =E9crit : -----=20 A : i-d-announce@ietf.org De : internet-drafts@ietf.org Envoy=E9 par : pkix-bounces@ietf.org Date : 07/09/2012 00:26 Cc : pkix@ietf.org Objet : [pkix] I-D Action: draft-ietf-pkix-rfc5280-clarifications-09.txt A New Internet-Draft is available from the on-line Internet-Drafts director= ies. This draft is a work item of the Public-Key Infrastructure (X.509) Working= Group of the IETF. Title : Updates to the Internet X.509 Public Key Infrastructure C= ertificate and Certificate Revocation List (CRL) Profile Author(s) : Peter E. Yee Filename : draft-ietf-pkix-rfc5280-clarifications-09.txt Pages : 9 Date : 2012-09-06 Abstract: This document updates RFC 5280, the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. This document changes the set of acceptable encoding methods for the explicitText field of the user notice policy qualifier and clarifies the rules for converting internationalized domain name labels to ASCII. This document also provides some clarifications on the use of self-signed certificates, trust anchors, and some updated security considerations. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-pkix-rfc5280-clarifications There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-pkix-rfc5280-clarifications-09 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-pkix-rfc5280-clarifications-09 Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix --=_alternative 00223CB2C1257A72_= Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=ISO-8859-1 =0D
Thank you Peter for the additional text .
=0D<= DIV> 
=0D
However, I have three comments:
=0D
 =
=0D
1) The introduction is missing to advertise the change d= etailed in section 4.
=0D
 
=0D
2) I would thin= k that a small vocabulary ajustement would improve the text:
=0D<= DIV> =0D
One one side, we have:
=0D
 
=0D=
|     If a CRL contains a critical CRL entry exten= sion
|     that the application cannot process, the= n the application MUST
|     NOT use that CRL to de= termine the status of the certificate 
|     <= STRONG>represented by the CRL entry.

On th= e other side, we have:
=0D
 
=0D
|   =   A critical extension in the crlEntryExtensions field of an entry
= |     SHALL affect only the certificate specifi= ed in that entry, unless
|   &n= bsp; there is a related critical extension in the crlExtensions field
|&= nbsp;    that advertises a special treatment for it.
= =0D
 
=0D
The first sentence uses "represented by" while = the second uses "specified in".
=0D
The same verb would be better.= I would rather prefer to use for both "identified in"
=0D
My= second choice would be "specified in".
=0D
 
=0D
Th= is would lead in the first sentence to
=0D
 
=0D
|&n= bsp;    If a CRL contains a critical CRL entry extension |     that the application cannot process, then the ap= plication MUST
|     NOT use that CRL to determine = the status of the certificate 
|     i= dentified in the CRL entry.
=0D
&nbs= p;
=0D
while for the second sentence:
=0D
 
=0D=
=0D
|     A critical extension in the crlEntry= Extensions field of an entry
|     SHALL affect only= the certificate identified in that = entry, unless
|     there is a related critical exte= nsion in the crlExtensions field
|     that advertis= es a special treatment for it.  
=0D
 
= =0D
3) During the discussion, I raised the point that Extensions was de= fined in this
=0D
    document and that other RFCs = imported not only the ASN.1 syntax, but also
=0D
  = ;  the semantics. However, the way the document is currently written d= oes not
=0D
    allow to import the semantics. I h= ave made text proposals so that we can
=0D
    hav= e a clean and separate section to define what an Extension is in order= to
=0D
    allow such an import. As an examp= le, OCSP makes such an import and does
    it curre= ntly in a way which is not fully inappropriate because RFC 5280 is not = ;
    "clean" in that point.
=0D
 =0D
Denis
=0D

-----pkix-bounces@ie= tf.org a =E9crit : -----
=0D
=0D
A : i-d-announce@ietf.org
De : internet-drafts= @ietf.org
Envoy=E9 par : pkix-bounces@ietf.org
Date : 07/09/2012 00:2= 6
Cc : pkix@ietf.org
Objet : [pkix] I-D Action: draft-ietf-pkix-rfc52= 80-clarifications-09.txt

A New Internet-Draft is available from the on-= line Internet-Drafts directories.
 This draft is a work item of the= Public-Key Infrastructure (X.509) Working Group of the IETF.

Title =           : Updates to the Internet X.509 Public K= ey Infrastructure Certificate and Certificate Revocation List (CRL) Profile=
Author(s)       : Peter E. Yee
Filename    =    : draft-ietf-pkix-rfc5280-clarifications-09.txt
Pages &nbs= p;         : 9
Date         &nbs= p;  : 2012-09-06

Abstract:
   This document update= s RFC 5280, the Internet X.509 Public Key
   Infrastructure Ce= rtificate and Certificate Revocation List (CRL)
   Profile. &n= bsp;This document changes the set of acceptable encoding
   me= thods for the explicitText field of the user notice policy
   = qualifier and clarifies the rules for converting internationalized
 = ;  domain name labels to ASCII.  This document also provides some=
   clarifications on the use of self-signed certificates, tru= st anchors,
   and some updated security considerations.


The IETF datatracker status page for this draft is:
h= ttps://datatracker.ietf.org/doc/draft-ietf-pkix-rfc5280-clarifications<= BR>
There's also a htmlized version available at:
http://tools.= ietf.org/html/draft-ietf-pkix-rfc5280-clarifications-09

A diff f= rom the previous version is available at:
http://www.ietf.= org/rfcdiff?url2=3Ddraft-ietf-pkix-rfc5280-clarifications-09

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5Fpkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix
=0D
--=_alternative 00223CB2C1257A72_=-- From denis.pinkas@bull.net Thu Sep 6 23:16:55 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED1EA21F86D9 for ; Thu, 6 Sep 2012 23:16:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.748 X-Spam-Level: X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, MIME_BAD_LINEBREAK=0.5] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3hu+Fgooza3X for ; Thu, 6 Sep 2012 23:16:55 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 03F0821F86D7 for ; Thu, 6 Sep 2012 23:16:55 -0700 (PDT) Received: from MSGC-003.bull.fr (MSGC-003.frcl.bull.fr [129.184.87.131]) by odin2.bull.net (Bull S.A.) with ESMTP id 6F9E61815B; Fri, 7 Sep 2012 08:16:54 +0200 (CEST) MIME-Version: 1.0 Importance: Normal X-Priority: 3 (Normal) In-Reply-To: References: X-Disclaimed: 1 From: denis.pinkas@bull.net To: SChokhani@cygnacom.com Message-ID: Date: Fri, 7 Sep 2012 08:16:53 +0200 X-Mailer: Lotus Domino Web Server Release 8.5.2FP1 November 29, 2010 X-MIMETrack: Serialize by HTTP Server on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 07/09/2012 08:16:53, Serialize complete at 07/09/2012 08:16:53, Itemize by HTTP Server on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 07/09/2012 08:16:53, Serialize by Router on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 07/09/2012 08:16:54, Serialize complete at 07/09/2012 08:16:54 Content-Type: multipart/alternative; boundary="=_alternative 00228154C1257A72_=" Cc: pkix@ietf.org Subject: Re: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 06:16:56 -0000 --=_alternative 00228154C1257A72_= Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Santoh, =20 Thank you for your comments. =20 See my replies in line: >Denis, >=20 >I have couple of suggestions for the security considerations >section. >=20 >1. It is worth pointing out aside from RA corruption and database >corruption that recommendation here do not fix the situation if the >adversary has attacked the CA and pointed to its own OCSP Responder >in the OCSP field of the AIA extension. =20 This attack, as described, would not be succeed. The attacker would also ne= ed=20 to create an OCSP certificate for the OCSP Responder and for this he needs = to=20 be able to corrupt the RA which allows the production of OCSP certificates. =20 >2. It is worth pointing out that the mechanism presented here can >be used by the relying party to detect collision if the certificate >signature was made using a weak hash, but the hashAlgorithm in the >extension is not vulnerable to successful collision attack. =20 This is not a realistic scenario. If the certificate signature was made=20 using a weak hash, the CA will ask to its superior CA to revoke its CA cert= ificate. This is thus outside the scope of this extension. =20 Denis --=_alternative 00228154C1257A72_= Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=ISO-8859-1 =0D
Santoh,
=0D
 
=0D
Thank you = for your comments.
=0D
 
=0D
See my replies in line:=
=0D

>Denis,
>
>I have couple of suggestions f= or the security considerations
>section.
>
>1. &nbs= p;   It is worth pointing out aside from RA corruption and databa= se
>corruption that recommendation here do not fix the situation if t= he
>adversary has attacked the CA and pointed to its own OCSP Respond= er
>in the OCSP field of the AIA extension.
=0D
 =0D
This attack, as described, would not be succeed. The attacker w= ould also need
to create an OCSP certificate for the OCSP Responder and= for this he needs to
=0D
be able to corrupt the RA which allows = the production of OCSP certificates.
=0D
 
>2. &nb= sp;   It is worth pointing out that the mechanism presented here = can
>be used by the relying party to detect collision if the certific= ate
>signature was made using a weak hash, but the hashAlgorithm in t= he
>extension is not vulnerable to successful collision attack.
=0D
 
=0D
This is not a realistic scenario. If the ce= rtificate signature was made
using a weak hash, the CA will ask to its = superior CA to revoke its CA certificate.
=0D
This is thus outside= the scope of this extension.
=0D
 
=0D
Denis
<= /FONT>
=0D
--=_alternative 00228154C1257A72_=-- From SChokhani@cygnacom.com Fri Sep 7 04:26:14 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBC5721F87DE for ; Fri, 7 Sep 2012 04:26:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uCSZT6GLQtIO for ; Fri, 7 Sep 2012 04:26:14 -0700 (PDT) Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) by ietfa.amsl.com (Postfix) with ESMTP id D7BBB21F87DA for ; Fri, 7 Sep 2012 04:26:13 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.80,385,1344225600"; d="scan'208,217";a="1883875" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge2.cygnacom.com with ESMTP; 07 Sep 2012 07:26:13 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Fri, 7 Sep 2012 07:26:12 -0400 From: Santosh Chokhani To: "denis.pinkas@bull.net" Date: Fri, 7 Sep 2012 07:26:11 -0400 Thread-Topic: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 Thread-Index: Ac2MwHYDG7XYO0XuR7+xDdP49GG9iwAKrPBQ Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AF362EC77Fscygexch7cygnac_" MIME-Version: 1.0 Cc: "pkix@ietf.org" Subject: Re: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 11:26:15 -0000 --_000_B83745DA469B7847811819C5005244AF362EC77Fscygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Denis, On 1, If the CA has been attacked,, you have no assurance that the adversar= y has not created an OCSP certificate as well. On 2, just like the CA compromise scenario you cite, the mechanism helps de= tect collision. If the CA knew of collision, it would of course change the= cipher suite. Note that 1 still for collision detection trumps 2 since collision creator = could have created OCSP certificate and put the rogue OCSP pointer in AIA. From: denis.pinkas@bull.net [mailto:denis.pinkas@bull.net] Sent: Friday, September 07, 2012 2:17 AM To: Santosh Chokhani Cc: pkix@ietf.org Subject: RE: [pkix] New version Notification for draft-pinkas-2560bis-certi= nfo-00 Santoh, Thank you for your comments. See my replies in line: >Denis, > >I have couple of suggestions for the security considerations >section. > >1. It is worth pointing out aside from RA corruption and database >corruption that recommendation here do not fix the situation if the >adversary has attacked the CA and pointed to its own OCSP Responder >in the OCSP field of the AIA extension. This attack, as described, would not be succeed. The attacker would also ne= ed to create an OCSP certificate for the OCSP Responder and for this he needs = to be able to corrupt the RA which allows the production of OCSP certificates. >2. It is worth pointing out that the mechanism presented here can >be used by the relying party to detect collision if the certificate >signature was made using a weak hash, but the hashAlgorithm in the >extension is not vulnerable to successful collision attack. This is not a realistic scenario. If the certificate signature was made using a weak hash, the CA will ask to its superior CA to revoke its CA cert= ificate. This is thus outside the scope of this extension. Denis --_000_B83745DA469B7847811819C5005244AF362EC77Fscygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Denis,<= /o:p>

 

On 1, If the CA has been attacked,, you have no assuranc= e that the adversary has not created an OCSP certificate as well.

 

On 2, just like the CA compromise scenario you cite, the m= echanism helps detect collision.  If the CA knew of collision, it woul= d of course change the cipher suite.

 

Note that 1 st= ill for collision detection trumps 2 since collision creator could have cre= ated OCSP certificate and put the rogue OCSP pointer in AIA.

 

From: denis.pinkas@bull.net [mailto:denis.pinkas@bull.net]
Sent:= Friday, September 07, 2012 2:17 AM
To: Santosh Chokhani
<= b>Cc: pkix@ietf.org
Subject: RE: [pkix] New version Notificat= ion for draft-pinkas-2560bis-certinfo-00

 

Santoh,

 

Thank you for your comments.

 

See my replies i= n line:


>Denis,
>= ;
>I have couple of suggestions for the security considerations
&= gt;section.
>
>1.     It is worth pointing= out aside from RA corruption and database
>corruption that recommend= ation here do not fix the situation if the
>adversary has attacked th= e CA and pointed to its own OCSP Responder
>in the OCSP field of the = AIA extension.

 

This attack, as described, would not= be succeed. The attacker would also need
to create an OCSP certificate= for the OCSP Responder and for this he needs to

be able to corrupt the RA which allows the production = of OCSP certificates.

=  <= br>>2.     It is worth pointing out that the mechani= sm presented here can
>be used by the relying party to detect collisi= on if the certificate
>signature was made using a weak hash, but the = hashAlgorithm in the
>extension is not vulnerable to successful colli= sion attack.

 

This is not a realistic scenario. If t= he certificate signature was made
using a weak hash, the CA will ask to= its superior CA to revoke its CA certificate.

<= div>

This is thus outside the scope of this extension.

 

Denis

= --_000_B83745DA469B7847811819C5005244AF362EC77Fscygexch7cygnac_-- From denis.pinkas@bull.net Fri Sep 7 07:24:31 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83B0E21E80AD for ; Fri, 7 Sep 2012 07:24:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.998 X-Spam-Level: X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[AWL=0.250, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xdq3igcXGehE for ; Fri, 7 Sep 2012 07:24:30 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 7FD8C21E80A8 for ; Fri, 7 Sep 2012 07:24:30 -0700 (PDT) Received: from MSGC-003.bull.fr (MSGC-003.frcl.bull.fr [129.184.87.131]) by odin2.bull.net (Bull S.A.) with ESMTP id 9A7711818D; Fri, 7 Sep 2012 16:24:29 +0200 (CEST) In-Reply-To: References: To: Santosh Chokhani MIME-Version: 1.0 X-KeepSent: F96E7F59:52A292D3-C1257A72:004D30E2; type=4; name=$KeepSent X-Mailer: Lotus Notes Release 8.5.2 August 10, 2010 From: denis.pinkas@bull.net Message-ID: Date: Fri, 7 Sep 2012 16:24:28 +0200 X-MIMETrack: Serialize by Router on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 07/09/2012 16:24:29, Serialize complete at 07/09/2012 16:24:29 Content-Type: multipart/alternative; boundary="=_alternative 004F2441C1257A72_=" Cc: "pkix@ietf.org" Subject: Re: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 14:24:31 -0000 Message en plusieurs parties au format MIME --=_alternative 004F2441C1257A72_= Content-Type: text/plain; charset="US-ASCII" Santosh, > Denis, > > On 1, If the CA has been attacked,, you have no assurance that the > adversary has not created an OCSP certificate as well. Rather than arguing we should concentrate to improve the text. What about: When certHashValue is returned and the hashes match, then everything looks fine, but this case does not allow detecting an abnormal situation if the RA software has been corrupted, if the CA itself has been corrupted or if the database to which the OCSP server has access has been maliciously corrupted. > On 2, just like the CA compromise scenario you cite, the mechanism > helps detect collision. If the CA knew of collision, it would of > course change the cipher suite. Maybe, maybe not. A collision may happen without a defect in the cipher suite (e.g. the HSM has been successfully used directly). I believe that the current text is sufficient: When certHashValue is returned and the hashes do not match, this extension allows detecting an abnormal situation : there exists two certificates with the same serial number: one regularly issued by the CA and another one which has either been forged or obtained irregularly. If you don't think so, please make a specific proposal. Denis > Note that 1 still for collision detection trumps 2 since collision > creator could have created OCSP certificate and put the rogue OCSP > pointer in AIA. > > Santoh, > > Thank you for your comments. > > See my replies in line: > > >Denis, > > > >I have couple of suggestions for the security considerations > >section. > > > >1. It is worth pointing out aside from RA corruption and database > >corruption that recommendation here do not fix the situation if the > >adversary has attacked the CA and pointed to its own OCSP Responder > >in the OCSP field of the AIA extension. > > This attack, as described, would not be succeed. The attacker would also need > to create an OCSP certificate for the OCSP Responder and for this heneeds to > be able to corrupt the RA which allows the production of OCSP certificates. > > >2. It is worth pointing out that the mechanism presented here can > >be used by the relying party to detect collision if the certificate > >signature was made using a weak hash, but the hashAlgorithm in the > >extension is not vulnerable to successful collision attack. > > This is not a realistic scenario. If the certificate signature was made > using a weak hash, the CA will ask to its superior CA to revoke its > CA certificate. > This is thus outside the scope of this extension. > > Denis --=_alternative 004F2441C1257A72_= Content-Type: text/html; charset="US-ASCII" Santosh,

> Denis,
>  
> On 1, If the CA has been attacked,, you have no assurance that the
> adversary has not created an OCSP certificate as well.


Rather than arguing we should concentrate to improve the text. What about:

   When certHashValue is returned and the hashes match, then everything
   looks fine, but this case does not allow detecting an abnormal
   situation if the RA software has been corrupted, if the CA itself
   has been corrupted or if the database to which the OCSP server has
   access has been maliciously corrupted.

> On 2, just like the CA compromise scenario you cite, the mechanism
> helps detect collision.  If the CA knew of collision, it would of
> course change the cipher suite.


 Maybe, maybe not. A collision may happen without a defect in the cipher suite
(e.g. the HSM has been successfully used directly).


I believe that the current text is sufficient:

   When certHashValue is returned and the hashes do not match, this
   extension allows detecting an abnormal situation : there exists two
   certificates with the same serial number: one regularly issued by
   the CA and another one which has either been forged or obtained
   irregularly.

If you don't think so, please make a specific proposal.

Denis
 
> Note that 1 still for collision detection trumps 2 since collision
> creator could have created OCSP certificate and put the rogue OCSP
> pointer in AIA.

>  



> Santoh,
>  
> Thank you for your comments.
>  
> See my replies in line:
>
> >Denis,
> >
> >I have couple of suggestions for the security considerations
> >section.
> >
> >1.     It is worth pointing out aside from RA corruption and database
> >corruption that recommendation here do not fix the situation if the
> >adversary has attacked the CA and pointed to its own OCSP Responder
> >in the OCSP field of the AIA extension.

>  
> This attack, as described, would not be succeed. The attacker would also need
> to create an OCSP certificate for the OCSP Responder and for this heneeds to

> be able to corrupt the RA which allows the production of OCSP certificates.
>  
> >2.     It is worth pointing out that the mechanism presented here can
> >be used by the relying party to detect collision if the certificate
> >signature was made using a weak hash, but the hashAlgorithm in the
> >extension is not vulnerable to successful collision attack.

>  
> This is not a realistic scenario. If the certificate signature was made
> using a weak hash, the CA will ask to its superior CA to revoke its
> CA certificate.

> This is thus outside the scope of this extension.
>  
> Denis --=_alternative 004F2441C1257A72_=-- From ajs@anvilwalrusden.com Fri Sep 7 13:15:04 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B758221E80D5 for ; Fri, 7 Sep 2012 13:15:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.79 X-Spam-Level: X-Spam-Status: No, score=-0.79 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7rx2UG-9exnH for ; Fri, 7 Sep 2012 13:15:04 -0700 (PDT) Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) by ietfa.amsl.com (Postfix) with ESMTP id 40DBB21E80B8 for ; Fri, 7 Sep 2012 13:15:04 -0700 (PDT) Received: from mx1.yitter.info (nat-05-mht.dyndns.com [216.146.45.244]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id 786128A031 for ; Fri, 7 Sep 2012 20:15:03 +0000 (UTC) Date: Fri, 7 Sep 2012 16:15:01 -0400 From: Andrew Sullivan To: pkix@ietf.org Message-ID: <20120907201501.GK16938@mx1.yitter.info> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) Subject: [pkix] Review of draft-ietf-pkix-caa-13 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Sep 2012 20:15:04 -0000 Dear colleagues, I have read draft-ietf-pkix-caa-13. Nit: The overwhelming consensus among the DNS weenie crowd seems to be that RRset, not RRSet, is the right spelling. One argument for this is that the term seems to have been introduced in RFC 2136, and only defined in RFC 2181. 2136 uses RRset. Personally, I couldn't care less. The discussion of RRsets probably would benefit from a reference to RFC 2181. The description in section 4 excludes top level domains. My impression in Vancouver was that we didn't have such an exclusion. Rather, we were going to leave the question of what domains one is not allowed to climb into up to CA policy (which will presumably include most TLDs, but possibly other things like delegation-centric domains further down the tree). Also, I don't see in the section 4 processing section the explicit note that a CA can have such a policy. Other than that, I think the updates are fine. Best, A -- Andrew Sullivan ajs@anvilwalrusden.com From hallam@gmail.com Fri Sep 7 20:13:10 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79C5E21F8575 for ; Fri, 7 Sep 2012 20:13:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.549 X-Spam-Level: X-Spam-Status: No, score=-3.549 tagged_above=-999 required=5 tests=[AWL=0.049, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r0ap8u0rfvLh for ; Fri, 7 Sep 2012 20:13:09 -0700 (PDT) Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id 83DAB21F8574 for ; Fri, 7 Sep 2012 20:13:09 -0700 (PDT) Received: by obbwc20 with SMTP id wc20so413795obb.31 for ; Fri, 07 Sep 2012 20:13:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=nkMaxTXOU88qdWrOJuf32ykGh1I541bvqlrzcg3+N+c=; b=A+rR62t5hHNeSAH4RmmYvhP0+zVwyLRkXxryzAfJgbp5aLnjQJTlMqed04LSepQsd5 GkX1EYWreUVa3Sjvs+MJ0XSojLe9MNulQYxOw1c5g6IV7genLsc4v5IHp2wQmKpCWJfr fgWgmPZ2FnTResJYwfxIpigSc0OzvmI00e15amLFEW2cbwkuWYfAld5t8N6ErnQe/ILl ZJc9BR6BVE9OjF7HYwh+B9u07YIi5pxVR32t5t1PXtyBvkwZyTvMmXZmHYH+U+h2zPYS Gk0kTxPOL8SGmI9Kbo/vJPAOexBfKtQgyMUHsFyVhD5bkQ1VFQKCp6kpA9+gsvjo1aJK 3Ywg== MIME-Version: 1.0 Received: by 10.60.170.229 with SMTP id ap5mr7911736oec.101.1347073989112; Fri, 07 Sep 2012 20:13:09 -0700 (PDT) Received: by 10.76.80.10 with HTTP; Fri, 7 Sep 2012 20:13:09 -0700 (PDT) In-Reply-To: <20120907201501.GK16938@mx1.yitter.info> References: <20120907201501.GK16938@mx1.yitter.info> Date: Fri, 7 Sep 2012 23:13:09 -0400 Message-ID: From: Phillip Hallam-Baker To: Andrew Sullivan Content-Type: multipart/alternative; boundary=bcaec54b4ac09b731404c9281a76 Cc: pkix@ietf.org Subject: Re: [pkix] Review of draft-ietf-pkix-caa-13 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Sep 2012 03:13:10 -0000 --bcaec54b4ac09b731404c9281a76 Content-Type: text/plain; charset=ISO-8859-1 Thanks, I have no prob changing the case and adding a reference. What I thought we agreed was that CAs have to process up to the TLD but can decide to ignore the result if doing so is in accordance with their published policy. This actually simplifies processing for CAs since the only time they would need to start making exceptions is in the unlikely event that one of the TLDs did something considered foul play. I have to follow the DNSSEC signature chain up to the root in any case. When a CA gets a CAA rejection they are not going to simply refuse the request and forget all about it. Someone is going to be looking into why there is a discrepancy. Either they are losing a sale or someone is trying to attack them. They want to know what is going on in either case. I don't much care about whether the processing stops when the TLD is reached or is up to and including the TLD but does not include the root. I don't think anything is going to be served by checking the root. On Fri, Sep 7, 2012 at 4:15 PM, Andrew Sullivan wrote: > Dear colleagues, > > I have read draft-ietf-pkix-caa-13. > > Nit: The overwhelming consensus among the DNS weenie crowd seems to be > that RRset, not RRSet, is the right spelling. One argument for this > is that the term seems to have been introduced in RFC 2136, and only > defined in RFC 2181. 2136 uses RRset. Personally, I couldn't care > less. The discussion of RRsets probably would benefit from a > reference to RFC 2181. > > The description in section 4 excludes top level domains. My > impression in Vancouver was that we didn't have such an exclusion. > Rather, we were going to leave the question of what domains one is not > allowed to climb into up to CA policy (which will presumably include > most TLDs, but possibly other things like delegation-centric domains > further down the tree). Also, I don't see in the section 4 processing > section the explicit note that a CA can have such a policy. > > Other than that, I think the updates are fine. > > Best, > > A > > -- > Andrew Sullivan > ajs@anvilwalrusden.com > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix > -- Website: http://hallambaker.com/ --bcaec54b4ac09b731404c9281a76 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Thanks,

I have no prob changing the case and adding a re= ference.

What I thought we agreed was that CAs hav= e to process up to the TLD but can decide to ignore the result if doing so = is in accordance with their published policy.

This actually simplifies processing for CAs since the o= nly time they would need to start making exceptions is in the unlikely even= t that one of the TLDs did something considered foul play. I have to follow= the DNSSEC signature chain up to the root in any case.


When a CA gets a CAA rejection they are = not going to simply refuse the request and forget all about it. Someone is = going to be looking into why there is a discrepancy. Either they are losing= a sale or someone is trying to attack them. They want to know what is goin= g on in either case.

I don't much care about whether the processing stop= s when the TLD is reached or is up to and including the TLD but does not in= clude the root. I don't think anything is going to be served by checkin= g the root.



On Fri, Sep 7, 2012 = at 4:15 PM, Andrew Sullivan <ajs@anvilwalrusden.com> wr= ote:
Dear colleagues,

I have read draft-ietf-pkix-caa-13.

Nit: The overwhelming consensus among the DNS weenie crowd seems to be
that RRset, not RRSet, is the right spelling. =A0One argument for this
is that the term seems to have been introduced in RFC 2136, and only
defined in RFC 2181. =A02136 uses RRset. =A0Personally, I couldn't care=
less. =A0The discussion of RRsets probably would benefit from a
reference to RFC 2181.

The description in section 4 excludes top level domains. =A0My
impression in Vancouver was that we didn't have such an exclusion.
Rather, we were going to leave the question of what domains one is not
allowed to climb into up to CA policy (which will presumably include
most TLDs, but possibly other things like delegation-centric domains
further down the tree). =A0Also, I don't see in the section 4 processin= g
section the explicit note that a CA can have such a policy.

Other than that, I think the updates are fine.

Best,

A

--
Andrew Sullivan
ajs@anvilwalrusden.com
_______________________________________________
pkix mailing list
pkix@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/pkix



-- Website: http://hallambaker.com/<= br>
--bcaec54b4ac09b731404c9281a76-- From md@e-net.lt Sat Sep 8 05:10:00 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8B2721F862A for ; Sat, 8 Sep 2012 05:10:00 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id busLeAphmZx0 for ; Sat, 8 Sep 2012 05:10:00 -0700 (PDT) Received: from mail.ssc.lt (mail.ssc.lt [212.122.83.205]) by ietfa.amsl.com (Postfix) with ESMTP id BF7A221F8594 for ; Sat, 8 Sep 2012 05:09:59 -0700 (PDT) Received: from [84.240.23.136] (helo=[192.168.1.101]) by mail.ssc.lt with esmtpsa (TLS-1.0:DHE_RSA_AES_256_CBC_SHA:32) (Exim 4.50) id 1TAJrI-0007mX-Ia; Sat, 08 Sep 2012 15:09:56 +0300 Message-ID: <504B358F.2080607@e-net.lt> Date: Sat, 08 Sep 2012 15:09:51 +0300 From: "Moudrick M. Dadashov" User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120824 Thunderbird/15.0 MIME-Version: 1.0 To: Stefan Santesson References: In-Reply-To: Content-Type: multipart/alternative; boundary="------------040309050205000302010908" Cc: pkix Subject: Re: [pkix] Need for an organizationalIdentifier attribute X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Sep 2012 12:10:01 -0000 This is a multi-part message in MIME format. --------------040309050205000302010908 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit On 3/23/2012 7:13 PM, Stefan Santesson wrote: > When a person is associated with an organization in a certificate the > subjects employee number or alike is often stored in the serialNumber > attribute. > > But where do you store an identifier of the organization? > That is, not the name stored in organization name, but the registered > organization number? > > I've seen some odd solutions to this problem but nor clean solution. > X.520 only offer organizationName and orgnizationalUnitName as > organizational attributes > > Have anyone else come across this issue? > How did you solve it? > Do we need to define a clean attribute for an organizationalIdentifier? Definitely yes. M.D. > > /Stefan > > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix --------------040309050205000302010908 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit
On 3/23/2012 7:13 PM, Stefan Santesson wrote:
When a person is associated with an organization in a certificate the subjects employee number or alike is often stored in the serialNumber attribute.

But where do you store an identifier of the organization? 
That is, not the name stored in organization name, but the registered organization number?

I've seen some odd solutions to this problem but nor clean solution.
X.520 only offer organizationName and orgnizationalUnitName as organizational attributes

Have anyone else come across this issue?
How did you solve it?
Do we need to define a clean attribute for an organizationalIdentifier?
Definitely yes.

M.D.

/Stefan



_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix

--------------040309050205000302010908-- From paul.hoffman@vpnc.org Sat Sep 8 09:17:22 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5779121F8578 for ; Sat, 8 Sep 2012 09:17:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AzMnp+kZ+vl3 for ; Sat, 8 Sep 2012 09:17:22 -0700 (PDT) Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id D1C5E21F8549 for ; Sat, 8 Sep 2012 09:17:21 -0700 (PDT) Received: from [10.20.30.108] (50-1-50-97.dsl.dynamic.fusionbroadband.com [50.1.50.97]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id q88GHBbV023096 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Sat, 8 Sep 2012 09:17:12 -0700 (MST) (envelope-from paul.hoffman@vpnc.org) Content-Type: text/plain; charset=iso-8859-1 Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1486\)) From: Paul Hoffman In-Reply-To: Date: Sat, 8 Sep 2012 09:17:12 -0700 Content-Transfer-Encoding: quoted-printable Message-Id: <666C6056-569B-41C2-94AB-6D74E9C5896A@vpnc.org> References: <20120907201501.GK16938@mx1.yitter.info> To: Phillip Hallam-Baker X-Mailer: Apple Mail (2.1486) Cc: pkix@ietf.org Subject: Re: [pkix] Review of draft-ietf-pkix-caa-13 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Sep 2012 16:17:22 -0000 On Sep 7, 2012, at 8:13 PM, Phillip Hallam-Baker = wrote: > What I thought we agreed was that CAs have to process up to the TLD = but can decide to ignore the result if doing so is in accordance with = their published policy. > On Fri, Sep 7, 2012 at 4:15 PM, Andrew Sullivan = wrote: >=20 > The description in section 4 excludes top level domains. My > impression in Vancouver was that we didn't have such an exclusion. > Rather, we were going to leave the question of what domains one is not > allowed to climb into up to CA policy (which will presumably include > most TLDs, but possibly other things like delegation-centric domains > further down the tree). Also, I don't see in the section 4 processing > section the explicit note that a CA can have such a policy. You both are saying the same thing. I like Andrew's formulation better: = *everything* is up to the CA to decide, so don't call out TLDs as a = special thing to decide about. --Paul Hoffman= From SChokhani@cygnacom.com Sun Sep 9 02:53:43 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75C8421F84D7 for ; Sun, 9 Sep 2012 02:53:43 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vTtcyGBThE+i for ; Sun, 9 Sep 2012 02:53:42 -0700 (PDT) Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id 1EA7A21F84D5 for ; Sun, 9 Sep 2012 02:53:41 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.80,394,1344225600"; d="scan'208,217";a="6155085" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge1.cygnacom.com with ESMTP; 09 Sep 2012 05:53:41 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Sun, 9 Sep 2012 05:53:40 -0400 From: Santosh Chokhani To: "denis.pinkas@bull.net" Date: Sun, 9 Sep 2012 05:53:39 -0400 Thread-Topic: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 Thread-Index: Ac2NBH9X28mZbFO2RDeT54Ui1W4LdABa8e6A Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AF362EC7D9scygexch7cygnac_" MIME-Version: 1.0 Cc: "pkix@ietf.org" Subject: Re: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 09 Sep 2012 09:53:43 -0000 --_000_B83745DA469B7847811819C5005244AF362EC7D9scygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Denis, Thanks. We are almost there. I have suggestions in-line below. From: denis.pinkas@bull.net [mailto:denis.pinkas@bull.net] Sent: Friday, September 07, 2012 10:24 AM To: Santosh Chokhani Cc: pkix@ietf.org Subject: RE: [pkix] New version Notification for draft-pinkas-2560bis-certi= nfo-00 Santosh, > Denis, > > On 1, If the CA has been attacked,, you have no assurance that the > adversary has not created an OCSP certificate as well. Rather than arguing we should concentrate to improve the text. What about: When certHashValue is returned and the hashes match, then everything looks fine, but this case does not allow detecting an abnormal situation if the RA software has been corrupted, if the CA itself has been corrupted or if the database to which the OCSP server has access has been maliciously corrupted. [Santosh] This is almost there. How about the following (added OCSP corrup= tion and cryptographic algorithm) When certHashValue is returned and the hashes match, then everything looks fine, but this case does not allow detecting an abnormal situation if the RA software has been corrupted, if the CA itself has been corrupted, OCSP Server has been corrupted, or if the database t= o which the OCSP server has access has been maliciously corrupted. This may also not detect hashing = algorithm or signature algorithm compromise. > On 2, just like the CA compromise scenario you cite, the mechanism > helps detect collision. If the CA knew of collision, it would of > course change the cipher suite. Maybe, maybe not. A collision may happen without a defect in the cipher su= ite (e.g. the HSM has been successfully used directly). I believe that the current text is sufficient: When certHashValue is returned and the hashes do not match, this extension allows detecting an abnormal situation : there exists two certificates with the same serial number: one regularly issued by the CA and another one which has either been forged or obtained irregularly. If you don't think so, please make a specific proposal. [Santosh] I withdraw the second suggestion since it becomes too convoluted.= I have addressed some of it in item 1. Denis > Note that 1 still for collision detection trumps 2 since collision > creator could have created OCSP certificate and put the rogue OCSP > pointer in AIA. > > Santoh, > > Thank you for your comments. > > See my replies in line: > > >Denis, > > > >I have couple of suggestions for the security considerations > >section. > > > >1. It is worth pointing out aside from RA corruption and database > >corruption that recommendation here do not fix the situation if the > >adversary has attacked the CA and pointed to its own OCSP Responder > >in the OCSP field of the AIA extension. > > This attack, as described, would not be succeed. The attacker would also = need > to create an OCSP certificate for the OCSP Responder and for this heneeds= to > be able to corrupt the RA which allows the production of OCSP certificate= s. > > >2. It is worth pointing out that the mechanism presented here can > >be used by the relying party to detect collision if the certificate > >signature was made using a weak hash, but the hashAlgorithm in the > >extension is not vulnerable to successful collision attack. > > This is not a realistic scenario. If the certificate signature was made > using a weak hash, the CA will ask to its superior CA to revoke its > CA certificate. > This is thus outside the scope of this extension. > > Denis --_000_B83745DA469B7847811819C5005244AF362EC7D9scygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Denis,<= /o:p>

 

Thanks.  We are almost there.  I have suggesti= ons in-line below.

 = ;

From: denis.pinkas@bull.net [mailto:de= nis.pinkas@bull.net]
Sent: Friday, September 07, 2012 10:24 AMTo: Santosh Chokhani
Cc: pkix@ietf.org
Subject:
RE: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00<= o:p>

 

Santosh,=

> Denis, =
>  
> On 1, If the CA has been attacked,, you= have no assurance that the
> adversary has not created an OCSP cert= ificate as well.


Rather than arguing we should concentrate to improve the text.= What about:

   When certHashValue is returned = and the hashes match, then everything
   looks fine, but= this case does not allow detecting an abnormal
   situa= tion if the RA software has been corrupted, if the CA itself =
   has been corrupted or if the database to which t= he OCSP server has
   access has been maliciously corrup= ted.

[Santosh] This is = almost there.  How about the following (added OCSP corruption and cryp= tographic algorithm)

   = When certHashValue is returned and the hashes match, then everything
   looks fine, but this case does not allow detecting an abnor= mal
   situation if the RA software has been corrupted, = if the CA itself
   has been corrupted, or if the database to which the = OCSP server has
   access has been maliciously corrupted= . This may also not detect hashing algorithm or signature algorithm com= promise.



> On 2, just like the CA compromise scenario yo= u cite, the mechanism
> helps detect collision.  If the CA knew= of collision, it would of
> course change the cipher suite= .


&n= bsp;Maybe, maybe not. A collision may happen without a defect in the cipher= suite    = ;When certHashValue is returned and the hashes do not match, this =    extension allows detecting an abnormal situation : there exist= s two
   certificates with the same serial number: one r= egularly issued by
   the CA and another one which has e= ither been forged or obtained
   irregularly.
If you don't think = so, please make a specific proposal.

[Santosh] I withdraw the= second suggestion since it becomes too convoluted.  I have addressed = some of it in item 1.



Denis
<= span style=3D'font-size:10.0pt'> 
> Note that 1 still for collision detection trumps 2 si= nce collision
> creator could have created OCSP certificate and put = the rogue OCSP
> pointer in AIA.

>  



> Santoh,
>  
> Thank you for your comments.
>  
> See my replies in line:
>
> >Denis,
> > <= br>> >I have couple of suggestions for the security consideration= s
> >section.
> >
> >= ;1.     It is worth pointing out aside from RA corruption and dat= abase
> >corruption that recommendation here do not fix t= he situation if the
> >adversary has attacked the CA and = pointed to its own OCSP Responder
> >in the OCSP field of= the AIA extension.

&g= t;  
> This at= tack, as described, would not be succeed. The attacker would also need
= > to create an OCSP certificate for the OCSP Responder and for this hene= eds to

> be able to= corrupt the RA which allows the production of OCSP certificates.
>  
> >2. &nbs= p;   It is worth pointing out that the mechanism presented here can
> >be used by the relying party to detect collision if the = certificate
> >signature was made using a weak hash, but = the hashAlgorithm in the
> >extension is not vulnerable t= o successful collision attack.

>  
&= gt; This is not a realistic scenario. If the certificate signature was made= > using a weak hash, the CA will ask to its superior CA to revoke i= ts
> CA certificate.

> This is thus outside the scope of this extension.
>   > Denis

=
= --_000_B83745DA469B7847811819C5005244AF362EC7D9scygexch7cygnac_-- From era@x500.eu Sun Sep 9 04:51:37 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93B2221F84F8 for ; Sun, 9 Sep 2012 04:51:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.27 X-Spam-Level: X-Spam-Status: No, score=0.27 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, HELO_EQ_DK=1.009, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PSkj1+lUB0Ko for ; Sun, 9 Sep 2012 04:51:37 -0700 (PDT) Received: from mail03.dandomain.dk (mail03.dandomain.dk [194.150.112.203]) by ietfa.amsl.com (Postfix) with ESMTP id E198221F84F1 for ; Sun, 9 Sep 2012 04:51:35 -0700 (PDT) Received: from Morten ([62.44.134.241]) by mail03.dandomain.dk (DanDomain Mailserver) with ASMTP id TUI42731; Sun, 09 Sep 2012 13:51:31 +0200 From: "Erik Andersen" To: "'Moudrick M. Dadashov'" , "'Stefan Santesson'" References: <504B358F.2080607@e-net.lt> In-Reply-To: <504B358F.2080607@e-net.lt> Date: Sun, 9 Sep 2012 13:51:27 +0200 Message-ID: <003501cd8e81$74999500$5dccbf00$@eu> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0036_01CD8E92.38226500" X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: Ac2NuupsG4WoAwCSQRGcQln89nbQMwAxg9vg Content-Language: da Cc: 'pkix' Subject: Re: [pkix] Need for an organizationalIdentifier attribute X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 09 Sep 2012 11:51:37 -0000 This is a multi-part message in MIME format. ------=_NextPart_000_0036_01CD8E92.38226500 Content-Type: multipart/alternative; boundary="----=_NextPart_001_0037_01CD8E92.38228C10" ------=_NextPart_001_0037_01CD8E92.38228C10 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable FYI =20 Erik =20 Fra: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] P=E5 vegne af Moudrick M. Dadashov Sendt: 8. september 2012 14:10 Til: Stefan Santesson Cc: pkix Emne: Re: [pkix] Need for an organizationalIdentifier attribute =20 On 3/23/2012 7:13 PM, Stefan Santesson wrote: When a person is associated with an organization in a certificate the subjects employee number or alike is often stored in the serialNumber attribute. =20 But where do you store an identifier of the organization?=20 That is, not the name stored in organization name, but the registered organization number? =20 I've seen some odd solutions to this problem but nor clean solution. X.520 only offer organizationName and orgnizationalUnitName as organizational attributes =20 Have anyone else come across this issue? How did you solve it? Do we need to define a clean attribute for an organizationalIdentifier? Definitely yes. M.D. =20 /Stefan =20 _______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix =20 ------=_NextPart_001_0037_01CD8E92.38228C10 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

FYI

 

Erik

 

Fra: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] P=E5 vegne = af Moudrick M. Dadashov
Sendt: 8. september 2012 = 14:10
Til: Stefan Santesson
Cc: pkix
Emne: = Re: [pkix] Need for an organizationalIdentifier = attribute

 

On = 3/23/2012 7:13 PM, Stefan Santesson = wrote:

When a person is associated with an organization in a = certificate the subjects employee number or alike is often stored in the = serialNumber attribute.

 

But where do you store an identifier of the = organization? 

That = is, not the name stored in organization name, but the registered = organization number?

 

I've seen some odd solutions to this problem but nor = clean solution.

X.520 only = offer organizationName and orgnizationalUnitName as organizational = attributes

 

Have anyone else come across this = issue?

How did you solve = it?

Do we need to define a = clean attribute for an = organizationalIdentifier?

Definitely = yes.

M.D.

 

/Stefan

 




_______________________=
________________________
pkix mailing =
list
pkix@ietf.org
https://www.ietf.org/=
mailman/listinfo/pkix

 

------=_NextPart_001_0037_01CD8E92.38228C10-- ------=_NextPart_000_0036_01CD8E92.38226500 Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="T09-SG17-120829-TD-PLEN-3067!!MSW-E.docx" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="T09-SG17-120829-TD-PLEN-3067!!MSW-E.docx" UEsDBBQABgAIAAAAIQBzqHeLzwEAABMKAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADE lk1v2zAMhu8D+h8MXQtbaQcMwxCnh34ctwLLsLMq0bFQ6wMS0zb/fnSUGN2QVu5SoxcDtsT3eUnJ IOcXT6YrHiBE7WzNzqoZK8BKp7Rd1ezX8qb8yoqIwirROQs120BkF4uTT/PlxkMsKNrGmrWI/hvn UbZgRKycB0srjQtGIL2GFfdC3osV8PPZ7AuXziJYLLHXYIv5FTRi3WFx/USfk5MAXWTFZdrYs2om vO+0FEhO+YNV/1DKHaGiyO2e2GofT8kG4wcJ/crLgF3cDypN0AqKWxHwuzBkgz+6oLhycm0oh+p1 mQM+XdNoCUN8r+aDkxAj1dx01bBihLZ7/y/6iLjpIL6/i6Q7Ev9bY3vdNCDpsPP1MLHsk64S4lls ngaIVKQxkL+vYJkretwpZy08wt3PyVw8E88aaZxD63CKsx+ksybAqok87JWzFloQCsLZiHv3xiuR hEfyzz+M3x/WJPkn4Wz+adsE+Y/kp2P6/MH1n4A/Mv+GWuRS3HXw/hUYpLOXAKnvA98+j/8TtzKv IalD3gbnI80R4T/S3g8KfXRJrddDQA3DqHCo1Q5EmkGOrjP0U44C9Va2XEd05mh8kjkA59uRbvEH AAD//wMAUEsDBBQABgAIAAAAIQCZVX4FBAEAAOECAAALAAgCX3JlbHMvLnJlbHMgogQCKKAAAgAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArJLP SsNAEMbvgu+wzL2ZtIqINOlFhN5E4gMMu9MkmP3D7lTbt3ctiAZq0oPHnfnmm9987HpzsIN655h6 7ypYFiUodtqb3rUVvDZPi3tQScgZGrzjCo6cYFNfX61feCDJQ6nrQ1LZxaUKOpHwgJh0x5ZS4QO7 3Nn5aEnyM7YYSL9Ry7gqyzuMvz2gHnmqrakgbs0NqOYY8uZ5b7/b9Zofvd5bdnJmBfJB2Bk2ixAz W5Q+X6Maii1LBcbr51xOSCEUGRvwPNHqcqK/r0XLQoaEUPvI0zxfiimg5eVA8xGNFT/pfPhoMEd0 ynaK5vY/afQ+ibcz8Zw030g4+pj1JwAAAP//AwBQSwMEFAAGAAgAAAAhALPhYYp3AQAAxgcAABwA CAF3b3JkL19yZWxzL2RvY3VtZW50LnhtbC5yZWxzIKIEASigAAEAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAArJXNTsMwEITvSLxD5DtxkkILqEkvgNQrFHF2nXUSkdiRvfz07XFTtXVLMBdfIu1G 2fk0nqzni++ujT5Bm0bJnKRxQiKQXJWNrHLyunq6uiWRQSZL1ioJOdmAIYvi8mL+DC1D+5Gpm95E doo0OakR+3tKDa+hYyZWPUj7RijdMbSlrmjP+DurgGZJMqXanUGKk5nRssyJXpZWf7XprfL/s5UQ DYcHxT86kDgiQWtgJWg7kekK0M4c6iy2kISO66eTkABCSVyxdQtHhkPLRxEUwgCiPV9zZNh3fAiz kD6MH0Tq00+zkABCKXSTsKsnPoC/9LuGa2WUwJirju5CuA3f7DTf1OCmBfPWYP0oBHB0/T9/5eNI Q/qwg3KSMJD45Kch5UGW0h6EY8W+40NIg1ownkVvFG5CerCN3pkJh5bXBburw63G8R/CuxqvQ+p/ wfrl115ymj4n7kKCjBvhX01BnUB7eTr3w1DS4XmAoCe3b/EDAAD//wMAUEsDBBQABgAIAAAAIQAw m3JiDQ8AAL1NAAARAAAAd29yZC9kb2N1bWVudC54bWzcWt1y6kYSvt+qvIOKq6RqMSB+bKiYFAZ8 DlU+tgN4d7N3Qgy29kga1Ugyh9Re7DvkDfMk29MzIyT0AwJjJzkXB+uvp6f76697eubHn745tvZK mG9R97rSuKhXNOKadGm5z9eVp/lt9aqi+YHhLg2buuS6siF+5af+d3/7cd1bUjN0iBtoIML1e2vP vK68BIHXq9V884U4hn/hWCajPl0FFyZ1anS1skxSW1O2rOn1Rh3/8hg1ie/DeEPDfTX8ihTnpKVR j7gw1ooyxwj8C8qea47BvoZeFaR7RmAtLNsKNiC73lFi6HUlZG5PKlSNFOKf9IRC8kd9wVKzyBhX fDmSFsARa4zYoAN1/RfL207jWGkwxRel0mvRJF4dW7239hqt1HjRlA/xwYgZa3DFVmBKXIYxluIj xxZ24P7denVXYqNeNBnpES4i0uEQFZJjKk0cw3IjMceZJm5ciIhT8P2J0dCL1PGs06RN3K+RLB6Y JTSrdzDy4lPzSwlIhe7sxfBIRXPM3uTZpcxY2KDRutHSOCIrfSCLBV1u+G+wsOXPI5N//FNb99bX lW5Xb1bgz2DjwcfLb0alJl+4MzY0DKJHK+sbWUYPh8S2vxgoyyYr/hbIal9mSGLW80v+8xrqFpMG mt5R+hUEvhr2daUO/7jQlcX8YEphELy0jfgVPhxSO3SATKPniRsu/XwDdCofu/Qf6gpmK3SIDPOJ WUtugmf4BRliao1O41JMPnG7qbfqGbfb9U6H3xaSlcCAgSyg/OWUz6ulNzs6Kou3HoEA6/XbVqvZ bPMJ85tzvNe96jRal+jOgAktTcMNZh6wrhxD3g5MdJ0pp2JKF7euMh3DJzLzDBcGQ1PrSmP5vVdS 2+mIrIzQDtKTe+S3YtNYgIN5CpkFBuPQsCK/GA4HoQ9MuO6Z1L7lXof8KC/vwOv8ChGaJQRfdIWQ gIeDEYqXI8snzIzW6k/u5+Pp/WA+ebgf3Gnz8d14+PDly9P9ZIj3NPjr4R5diQ4FzINbPeFcafBM syMIYB6JyOKIOLt9PQGA/5gwOroWY1BaQjxbCBsOffz1HcO2h4Ynr35V3zUVJhBgfNria4x7Cbpj JIER+rP50+gX7dP04elRa1zm25dbDMc7T/hw6Z+J5Cg0VquDCMNxVSRlOrhMXIEjvhD2TJRlGYHy jgXCJ4F5A5kXqkE+zIIGAXXUe65l83cQNtFLeCVUO1+QKldn4iVCiK54bgchWdGp8zCW0emGTokY H7tL+FTQBAI2P56zUZmjL8dhKuATUAQihpHTDM09VXKoBUPVOfIH96PBdDT5tyCY2Xg4f5gmhgUP A8PAf2rwNKlOE1Sm3juYg5PujRMAjL3jzHwT4Cqk53uGCbztAagJeyUVGduP4+nkYaQlJgayMZb6 OmSEKixH9MRjMW/EN76WndAymRV8+QcOoxJcHGFVlBYZ7jgAfMlvwTZ8fZd21DztHoWknZy9B+yp 8frNeifJ6tL1ZQVlK55EVQI2HD3vmjCa7bbiaDm5NyjEVMIQnJGPbL6Et2ERsO75v0JthBwr4xGL S6iiKJSRRhhQpeRWGAbany+R4IJFJhLKbIOvnA+uF7e5RBU3x9ZyhYzzHn4pS/bHkJB+JWGzmxMO IKHkt2Cu/hjAavkvGnXtTQbxv0PC+3gbPEA1brmG3dOkNTIMgYEpyr53pjJc5SKFFta+uB6GoDt+ cSPXgyrdlMXynjSitzhsOSkOfRhCLHDxHsxtB8pZtWqLM4qkGIeQALtzcY5BogVyFWtSpBJeu6cX trial5IWdkg8i7eQ4qIKl7dbumqKGTFlMVH/xZbVJ5uER+jPIaxMoJ36vf9DLx+YnPpEgaZQInsN 2BABDT8aF35URZVBwl7blhHLrdlo1IrWtrlmzKxwS2XrE8OriCbLGAF0ViuNfbgtI5bb9hNxyavx d03vaoPwOfSD6qU2I15AnAVhWvHSAgkOARy5/MAV1kE9OVBvp6nQhBYcEBKOq0ImM4By+rG7zTok g48BhAmbT4RJMhJzWSDXLlQ36ajYy+JO2E+KWDiwAlHnbvuCqsAVHCwbsUrOljhlKkg/wLId0sE+ ZB4/PY7T+SifR/+4OPyrJ3jcqpBp2achM3ENtcXWgUkZ219nh9AMFTwmH1/BMpwHUSIfi72N03r/ Bfmlq98Ob/igvG222/tX2UAQRxnOh1hRH+8L2DJieYhODc+jLCAh035OBGvMs7n5IV2BlR1+T5VQ hiSSbjl3ssokCTDotsOw289+j2VxojBWUCm7vuA9FCj64XNjBemOt1ZkgpFldhknb6GrklB86wvO eiSznOKeQ7a/tmlO7k+eO5vxNHxuJvozQkju5/KiTtLUm0Bo3eP9LQAILmFXrDr8LAvJnVXsXr+X ASw4ILvvCudKYLd/TswX1zINWxtSBu0M4i5DR2tqcEZImxLzItmdjZFoIjS5qUoE0x5LcB6fzJ+q c+1fF229XkjjiQw1Pa9S2Xb8IAtlK/M9bMZc/aD9V5vMHmqT8VDrtrutaqfHbycV5UQW7XzLvMR/ xPGS/btVyfS058RAOqIkWg6MiCyu7W65dhQGFhyrE0sX2bjZsunOKYPtA+yHbls92wddGZfpjbvm qNW5GfKRYxuJ+aaQr8eYxJsFGzvaO4YIu8dmfhQ+ptq6P9Aye7niMIEYconTE2prsyj66jedmy4W pWlrxCjhYBWyMb2D5YRCAsUAZeURXtv9lZ00xSMtY9h15qdcEraIkTO3wuCycdXCIDmvczhRF+nR Hevjy+ggVC5FnwqSdKp4C2x0xg29gUVctALSm5f66KpSFNOiwYF0VI7n9kZzISvkpvrCRM6x0hi0 hvo4m9ZigXzc6CKVF0FkrDfrOi7jC6G6b/g+YkDDHFg0XLvRabVuT55tP51ni0Z9q0liLi8a6G2c iWdcIIRw0yrCJQfLZbPVrJ8NLK44nQ77Fsl6BTieUboaM66L6IH4HhxdxeWXSP3n0LIf8AIZdt6f k7uceepAEXE+ZXLy4+//+017gKP9pxlM8ppKpHml9N4gnBVh842w09/4sDng74yUDZCP8MhBip0b uRPe3Dep6xKTbwMepNNHGAvgu6PbGQJZHdnLDqH5C9FGFgNDUbbpnRhHcL58sL/uOi2ODiyq9g5C bJgzWe7Yv0wg6W8z3Wy/nOaJt8rzgyBg1iIMyAlmeiNdcszE82GSDTOL30z23VktxbqreruuX0V1 Erb/pYTc4ncAbPPtns5xh0/skqpOf04dSdzq00yut9n/AQAA///UWOty4jYUfhWNf7U/kgVzZxZm DDhZ2mw2xdB2f3WELYM6xvLIImy203fps/TJenSBWA5myXYnTZlJxrZ0js7lOxedOz58u+uL4ZyE 65SGOEFjxjldkTTabv7+q/H2jVyV/9VGjuAhp9Fs4NRqnUazUfMdyYBrPglOV7DjHicDh6QXi8B5 o2n18pKbV/Uxk4RZkWFj0myPxs7+0x2Xp7iNjjvpHj5OSIy3iZAr9va7wmbFWZ9pJKNw8q5Px3lB IFAqM5uOHllQ7Bi5NMx3Ibsnp2zktusdr1e0URUrTsF2nOQs2QrKUiQYikhMQgEfM8ZF1SmWlb4s Mvq0Sfp5hkMycDI4jvB74gxRFXdp1Em3PWo2ztHhJFzcVs3tXp3DpluvEueZyg6/txhJhyto7N0t tWuNOn7t6hi+7BWFL/NJMdHQyQLxkBBgqED/juAI/FiXuD9ERf55nO83uM1iSBQQeNZ+Cbm6rdM+ MLU01UcBKV4qqcRwbFkFOOztoc3bG9e6I8vfJ9kOIWEATMs8z1ZIgp3FZfJ/JVIFyMWamJjKTVCR CNHUjjP0TBCftk0JykcReNV0W27nGALtFYVA86kSgSnjG5xQAX+hgdo+yUkaMfSiCGGUkh3CQnC6 3AqCxEMG/xjKt8swwducoPZlE+E0Ql6akk/I61vueaYWrtfyG4e0fpYWJo4aRzUA2S6blkAmCDTC QTquwLeHkIxySMN+21XJRww/8BVO6Wcs82yZT5GoYGtRAalpRFJBY0q4xeiZFjrtZ6VNhQBeWnAj i7UnLVEg53HGYp/LKJeOHjh5RpIkEJgLad8n8d/03G7HKyZqbiU5L7itL1kShWvMjYNMlRWQCx5N W2GbKoH8NDLiKKBWGHwNB+clBQ/5q+zpCh44RdT4LVQggPwDaEdF4VFE45hw8C6KOdsgmTvMevn0 E+Jq7inekEu7xH5TgJgAt0uR9FIxfF7+xH1UVoACefP5bDpazH3U7w/QH5ZZ/ztpKzCDfpnO36Hg 4+3c+xXZP0vwQjRJNPZ6Lc+fmLyzSJdsm0YkmlBZMRl/KJMqKA0DyMvpylp7ffbwf1p4N9P5R/Te m4/fTW+v0Wxx40vLhDgn0xUUIvIei3D9yvUIFqMAcHh7HZQ1edQj2C5z5ZP8f6ERKAOe+Nm7WSh/ PKJ1Plv4r9wd08mjuPYTjS6wuCjm6MoCYxWEYghWBPefL2yUs5o0WXFiliRsJ2+GH8AwcB+kKd3f Dr+6NdNdfrtVq3Xr36jr/Jpi8wJiHCrQ12BHy1dohipaMLuwl/J/se+sAF8l/dkCPMbJh5GF5IP+ P/jjOZpO/Nv59Grqz3TBVUZBvU6ZZN8CPz1/eEagmGu+zaT0sTDEsVf0EEcPClRras2HRt1Wq9M+ QFbLV/pYYG2vKNbmkyyzlU1TyKCjT7dEN6O/h6CJutuH0AsS1fCCWfV128y7CM6Fl1M8cCJ8Mfmx 2BPLum1mTPLQs+nkTe03+2e5ad8P5NBH3FnpztZ6dsxIARDJ5sQbNUedlmpO1jC4IHwGAydoeUM5 z9BXBXJPUgfxPo0GDp9GHW2Uqt2QoORwrkDQ1QQxY2C7L7Lvnd79lH29dlqgmPK8KE7dTGaq5Hmy 39X81QXZ4IBF0R1eGXhkq+AzGGs3cOr1Xk1d4tfw3O42mhKnIYvgvmXUylbvsXSVYJncrnfArHUN zti/LpkQbPP4npC4sKrtPnBabXWS1uLwutoKMDI4Vsuc4YzwgEv8KrWAaUvKxKCwwC540RG2ut1u 5nIAsOvn8k4IS3olZImcW5lhYcc1fCMWXnMawUpCU3JHocUbOA23LYkAlhqR6nHJogf1ACTbDYTP 8B8AAAD//wMAUEsDBBQABgAIAAAAIQD6SjRloQEAAMoEAAAQAAAAd29yZC9oZWFkZXIzLnhtbKSU y07DMBBF90j8Q+R966SqKhQ1rQRVgR3i8QHGcRqrtseynYT+Pc6zhSAE7SaOEs+Ze2c8Xq4/pAhK ZiwHlaBoGqKAKQopV7sEvb1uJzcosI6olAhQLEEHZtF6dX21rOI8NYGPVjauNE1Q7pyOMbY0Z5LY qeTUgIXMTSlIDFnGKcMVmBTPwihs3rQByqz1qe6IKolFHU6OaaCZ8rkyMJI4OwWzw5KYfaEnnq6J 4+9ccHfw7HDRYyBBhVFxJ2gyCKpD4lZQt/QRZuTih7xt5AZoIZlyTUZsmPAaQNmc66ONc2neYt5L Kn8zUUrR76t0NB/lGyz/pQcbQyrfiiNwhPuhGGkbJEVbh7q/x65+J0bhb2a6jtSIQcNfJHzN2SuR hKsBc15pTovrh+GS831voNCDHM0voz2q/cCqZ/IfysJFM3mn1uy/AKPRfcmJZiiQNH7cKTDkXXhF VTQP6hOJVv6e0EEV+/slfU5QGM62i+3NLeo/bVhGCuFO/jQRT6ZZXtxBML+1JCJBD4ykzCC8WmLP rHfUa/P0N9HqEwAA//8DAFBLAwQUAAYACAAAACEAd4XhodIFAACXFgAAEAAAAHdvcmQvZm9vdGVy Mi54bWzsWFuP2jgUfl9p/4OV1+0AYWBaUKE7l0470laaDnT3cWUSZ3AnsSPbwNBfv58dBwgBCp2V dh8qjYbE8TnnO/djv333nKVkzpTmUgyCsNEKCBORjLl4HARfxrdnbwKiDRUxTaVgg2DJdPBu+Osv bxf9xCgCaqH7izwaBFNj8n6zqaMpy6huZDxSUsvENCKZNWWS8Ig1F1LFzXYrbLmnXMmIaQ1R11TM qQ48u6zOTeZMQFYiVUaNbkj12MyoeprlZ+CeU8MnPOVmCd6ti5KNHAQzJfoe0NkKkCXpF4D8T0mh alrskFtQ3sholjFhnMSmYikwSKGnPF+r8aPcoOK0hDQ/pMQ8S8t9izzs1OStVD7GBzeKLuCKNcMa ux3GiAuiLC3sYP279uo2x7B1SBnvEctiheEYCFWZJZKMcrFi82Om2TQukuEl8f1ByVm+gpPzl3G7 E08rXjYnT0DWunCZt6maPolBLXVHU5qzgGRR/+5RSEUnKRAtwg6xERkMUSfMJPU/98o//EUW/cUg 6PVedwM8mmUOoviZBk274WuEtTlNB0GEDGOqWAWbP+hSzsyKIOHPLF5/lPKppGt1LlHIUKK40uZB QlRoX1Pq39Yfr2U6y2zlK7+XC26LkB+vUPsGgX/7s3gLrdCm02yl0gfFYwv+Eb/gAWmQ2m0X8CqL Yfeiu2O5c97r7Fg+74XnO5a7GxhK0ajHiz4qefwAwK3em4uw89qqZZfGqG2rNecFVUC30C4TWBkb nc0dY6AvF60azjpbXoqoMKMcVXevz6yFvBQTOZmRN1fkAyC8CFGuawFgMY1yKkpI3oomukJxQK9y vGRefrYdJEUMLvr6GzzZdk85jRBTzm+RTCXUpzMjC0umLLFR5NQVPC0WJ9IYmdWWFX+cbm+2im1i mfKYfUI78lHhtbT49njj4YYldJaaLZ/khXkk+nGSysX9TESFdS10GCRiN++dtWn8dYZQttDuROyW ND7DDpA5YWiT0D1stwrNvA/UrRRGYwNDGlxqTgfBFUVrfyx26W+l7m1nbyjpCPHrcU2QYbbrjgxV 1iQciREWmUEzCPz7g7yi0ZMXap3kJU8cwsm1LpDuEQSjDq8BkUbGJZdLMVcxin+FcfbBtNT9Cp0F XqSpD76dIejSDspsRXfFv+ZnrJ0Ya9tesrXXBafLOSbOvoxsmNRj7JCrv8PERsB7xZ/IpbBFgolK NCAYNyLyRHxIKuViFxLubj5XGB8XZq6M/wyzf7mkHXZjos5uH14aZjUmNszGLO2T3zpd0m71XpOw 02vtCAmUHzj8v+wAL6r/tpte23bhUrboCdUMrJlm3SqOz7UaE5fGGN/TajWv5m/RUU50PzjbE2bf tkq0q1wxzdScBUNS8V5V0ukyhkzR35+7rVaDzU5ifLK9j1SoUqHwYpx3fnhavHLzRRkY5bi4Wt03 L+6a6h2Ycibc2Z57vfb5EROin5yP69qdkwbE6nT5fdrqHHkqdWXcPI3YGnNzKjURZlJnVDe+wC9u VtsadPwsbL3mDgtbn1fa7CEv8e6md5A8iv/nkFwtketkD998v3EURag+1lZp4ZXhpTE4yeKC6FBN 2yd8f5aPp1wT/AlpCCX5bJLyyN1DkYzGjNA5qqg9kBMjiZkyv+MVmeAQfaAyHa8XjmjcntAFTcnd +MvZmJT3YgfYn66nlYGZLiZSpEuC0w2ZaUYmS6fUJ5ZNcHrFocQwTWRigUDFpQc0YpEBQbFLE5zm yaXWMuJ2+yv3DtNwRdANcuzlc2YvPJPEfcLRERbEtQZ4wNTCSsReiMB+3PkBE+6fnhrkzhA9pWnq fDFhdQcUooA7Bjb7siQSzBTJMavi5pAApI0Rw6HFgpupvelwTlMcnxaK2xgiEbZim9fzbNyoGBr5 tj7yuOJq8788t72H7qtTWzF9+7uZQ4PK/ebNQTnQ1M+v/sv97iNtPjJLxKEfJm6lRNB8vvcp5o6X K+i4Vh7+AwAA//8DAFBLAwQUAAYACAAAACEAl0doHoACAAAgCQAAEAAAAHdvcmQvZm9vdGVyMS54 bWzMVk1v2zAMvQ/YfzB0HJDYLop+CHWKoG2KHoplSXrbRbHlWKgtCZQSN/9+9GfcuuiSNsB2khOS j4+PpOyr65csdTYcjFAyIP7QIw6XoYqEXAXkaTEZXBDHWCYjlirJA7LlhlyPvn+7ymlswcFoaWiu w4Ak1mrquiZMeMbMMBMhKKNiOwxV5qo4FiF3cwWRe+L5XvmkQYXcGEx1w+SGGVLDZX00pbnEXLGC jFkzVLByMwbPaz1AdM2sWIpU2C1ie2cNjArIGiStCQ1aQkUIrQjVRxMBvSreyVtF3qpwnXFpy4wu 8BQ5KGkSoXdlfBYNS0waSpuPithkaeOXa/+0l68teZ8e3ALLsRU7wB7cO2JEVVCWVjoU/d119S2i 731UTN2RAqLlsA+F1zkbJhkTsoX5nDRdcXEZvjLf96DWuqWjxdfQHuRzi1Xs5AHMvLNy87qlmYMA eqs7T5jmxMlC+rCSCtgyRUa5f+oUE0lGeE9oJ6d4v0SzgHje5cWZf3pOmr+muHKed3HiXZ7j3tZ+ tzxm69T23acd5xJ5CuUxt9uUY/SGpQGZKGU5/JoSt7BB5ZIyuWocuBw8zQurW5vx1JVbCbdPSE4t W9YQZZqG+6uC9iXwj9FgoqQ1WAEzocDZHINgeLHkNBlL0/0d4qxUxlLbZaOo11UTXwxpdJMwQGv9 tNhqHIolX+FOHiLacYjl9MPu51RIY2HBX2zx/qFGsxDZauCGw4aTkTMd3985zu8fzuPd7P5u8nP2 OF44xfS0gdUs7TUIx6mpGd1W4rdiG64ZMMtf6d2Zx+PQyKlUU1AqLufhLzLb0Ukhmv3/xOIy2ulU 3AYlRfy+Gf0BAAD//wMAUEsDBBQABgAIAAAAIQCO3RkioQEAAMoEAAAQAAAAd29yZC9mb290ZXIz LnhtbKSU306DMBTG7018B9L7UTBmMWSwRBeMd8bpA3SljGZtT9MWcG9vYYNNWYx/biiBnt/5vnN6 uli+SxE0zFgOKkVxGKGAKQoFV9sUvb3mszsUWEdUQQQolqI9s2iZXV8t2qR0JvDRyiatpimqnNMJ xpZWTBIbSk4NWChdSEFiKEtOGW7BFPgmiqP+TRugzFqf6oGohlh0xMkpDTRTPlcJRhJnQzBbLInZ 1Xrm6Zo4vuGCu71nR/MBAymqjUqOgmajoC4kOQg6LkOEmbi4kPcQuQJaS6ZcnxEbJrwGULbi+mTj rzRvsRokNd+ZaKQY9rU6vp3kGy3/pAcrQ1rfihNwgrtQjOIQJMWhDl1/T139Soyj78wcO9IhRg0/ kfA556BEEq5GzN9Kc15cPwz/Od+PBmo9ytH8f7QntRtZ3Uz+Qlk07yfv3Jr9FWAyuuuKaIYCSZOn rQJDNsIrauPboDuRKPP3hA7axN8vxUuKougmn+d392j4tGIlqYU7+9NHPJt+Wbu9YH5rQ0SKcgDH DMLZAntmt6Nb+6e/ibIPAAAA//8DAFBLAwQUAAYACAAAACEA+ko0ZaEBAADKBAAAEAAAAHdvcmQv aGVhZGVyMi54bWyklMtOwzAQRfdI/EPkfeukqioUNa0EVYEd4vEBxnEaq7bHsp2E/j3Os4UgBO0m jhLPmXtnPF6uP6QISmYsB5WgaBqigCkKKVe7BL29bic3KLCOqJQIUCxBB2bRenV9taziPDWBj1Y2 rjRNUO6cjjG2NGeS2Knk1ICFzE0pSAxZxinDFZgUz8IobN60Acqs9anuiCqJRR1OjmmgmfK5MjCS ODsFs8OSmH2hJ56uiePvXHB38Oxw0WMgQYVRcSdoMgiqQ+JWULf0EWbk4oe8beQGaCGZck1GbJjw GkDZnOujjXNp3mLeSyp/M1FK0e+rdDQf5Rss/6UHG0Mq34ojcIT7oRhpGyRFW4e6v8eufidG4W9m uo7UiEHDXyR8zdkrkYSrAXNeaU6L64fhkvN9b6DQgxzNL6M9qv3AqmfyH8rCRTN5p9bsvwCj0X3J iWYokDR+3Ckw5F14RVU0D+oTiVb+ntBBFfv7JX1OUBjOtovtzS3qP21YRgrhTv40EU+mWV7cQTC/ tSQiQQ+MpMwgvFpiz6x31Gvz9DfR6hMAAP//AwBQSwMEFAAGAAgAAAAhAJRTd5zCAQAAlAUAABEA AAB3b3JkL2VuZG5vdGVzLnhtbKSU30/DIBDH3038HxreN6hZpjbrfHDR+OqPPwApXYnljgBd3X8v 7dpu2mVR90IpcJ/7Hsfd4u5Tl9FGWqcQUhJPGYkkCMwUrFPy9vowuSGR8xwyXiLIlGylI3fLy4tF nUjIAL10UUCAS2ojUlJ4bxJKnSik5m6qlbDoMPdTgZpinishaY02o1csZu3MWBTSueDvnsOGO9Lh 9JiGRkLwlaPV3Lsp2jXV3H5UZhLohnv1rkrlt4HN5j0GU1JZSDpBk0FQY5LsBHWf3sKOojjid2e5 QlFpCb71SK0sgwYEVyizD+O/tBBi0UvanApio8v+XG3i2cjfEPJvcrCyvA6p2ANHuCOXke2MdLm7 hya/+6z+JMbsVDBdRhrEoOE3Er777JVormDA/O9qDi83VMQ57/vRYmUGOUadR3uCj4HVFOYflLF5 W3mHobk/AUal+1JwI0mkRfK0BrT8vQyK6ngWNS+SLPfNIqoTvzVh00nDLfdoSVhSWUomcXvOhN/Q jLLnlDB2ezOPZ9fNiXZpJXNelf5gpyHbZhhwdLmg7VoYTTvv2tQxEQLBK6jaqn35KYido+co+YS2 oLZvp8svAAAA//8DAFBLAwQUAAYACAAAACEA4mzUwckBAACrBQAAEgAAAHdvcmQvZm9vdG5vdGVz LnhtbKSUwW7jIBBA7yvtP1jcE/AqSrtWnB422lWvbfe8ohjHqIZBgOPN33dwYietrahtciCJgTdv GA+ru/+6TnbSeQUmJ+mckUQaAYUy25z8ffo9uyWJD9wUvAYjc7KXntytv39btVkJEAwE6RNkGJ+1 VuSkCsFmlHpRSc39XCvhwEMZ5gI0hbJUQtIWXEF/sJR1v6wDIb3HgL+42XFPjjg9poGVBmOV4DQP fg5uSzV3L42dId3yoJ5VrcIe2WzZYyAnjTPZUWg2CMUt2UHo+NXvcKMsJuIedm5ANFqa0EWkTtbo AMZXyp7S+CoNU6x6pd2lJHa67te1Nl2M4g0pf6QGG8dbLMUJOMJNHEZx2KTrwznE+p6q+p6YskvJ HCsSEYPDRxTexuxNNFdmwHztaM4PF1vimvf7j4PGDjpWXUe7Ny8DK3bmJ8zYsuu889T8pwCj1n2s uJUk0SK73xpw/LlGozZdJPGNJOuz2yJps7C3OOul5Y4HcAQfqSIns7RbaPEvXkfFQ04Y+3m7TBc3 cUX3aCNL3tThbCaiXRzC+t/EZ0XjTBxxEY62G/uba9JLgAnKNF0nP753ZNcoTpLpBTsU7lX9+hUA AP//AwBQSwMEFAAGAAgAAAAhAPpKNGWhAQAAygQAABAAAAB3b3JkL2hlYWRlcjEueG1spJTLTsMw EEX3SPxD5H3rpKoqFDWtBFWBHeLxAcZxGqu2x7KdhP49zrOFIATtJo4Sz5l7Zzxerj+kCEpmLAeV oGgaooApCilXuwS9vW4nNyiwjqiUCFAsQQdm0Xp1fbWs4jw1gY9WNq40TVDunI4xtjRnktip5NSA hcxNKUgMWcYpwxWYFM/CKGzetAHKrPWp7ogqiUUdTo5poJnyuTIwkjg7BbPDkph9oSeeronj71xw d/DscNFjIEGFUXEnaDIIqkPiVlC39BFm5OKHvG3kBmghmXJNRmyY8BpA2Zzro41zad5i3ksqfzNR StHvq3Q0H+UbLP+lBxtDKt+KI3CE+6EYaRskRVuHur/Hrn4nRuFvZrqO1IhBw18kfM3ZK5GEqwFz XmlOi+uH4ZLzfW+g0IMczS+jPar9wKpn8h/KwkUzeafW7L8Ao9F9yYlmKJA0ftwpMORdeEVVNA/q E4lW/p7QQRX7+yV9TlAYzraL7c0t6j9tWEYK4U7+NBFPplle3EEwv7UkIkEPjKTMILxaYs+sd9Rr 8/Q30eoTAAD//wMAUEsDBBQABgAIAAAAIQAw3UMpqAYAAKQbAAAVAAAAd29yZC90aGVtZS90aGVt ZTEueG1s7FlPb9s2FL8P2HcgdG9jJ3YaB3WK2LGbLU0bxG6HHmmJlthQokDSSX0b2uOAAcO6YYcV 2G2HYVuBFtil+zTZOmwd0K+wR1KSxVhekjbYiq0+JBL54/v/Hh+pq9fuxwwdEiEpT9pe/XLNQyTx eUCTsO3dHvYvrXlIKpwEmPGEtL0pkd61jfffu4rXVURigmB9Itdx24uUSteXlqQPw1he5ilJYG7M RYwVvIpwKRD4COjGbGm5VltdijFNPJTgGMjeGo+pT9BQk/Q2cuI9Bq+JknrAZ2KgSRNnhcEGB3WN kFPZZQIdYtb2gE/Aj4bkvvIQw1LBRNurmZ+3tHF1Ca9ni5hasLa0rm9+2bpsQXCwbHiKcFQwrfcb rStbBX0DYGoe1+v1ur16Qc8AsO+DplaWMs1Gf63eyWmWQPZxnna31qw1XHyJ/sqczK1Op9NsZbJY ogZkHxtz+LXaamNz2cEbkMU35/CNzma3u+rgDcjiV+fw/Sut1YaLN6CI0eRgDq0d2u9n1AvImLPt SvgawNdqGXyGgmgookuzGPNELYq1GN/jog8ADWRY0QSpaUrG2Ico7uJ4JCjWDPA6waUZO+TLuSHN C0lf0FS1vQ9TDBkxo/fq+fevnj9Fxw+eHT/46fjhw+MHP1pCzqptnITlVS+//ezPxx+jP55+8/LR F9V4Wcb/+sMnv/z8eTUQ0mcmzosvn/z27MmLrz79/btHFfBNgUdl+JDGRKKb5Ajt8xgUM1ZxJScj cb4VwwjT8orNJJQ4wZpLBf2eihz0zSlmmXccOTrEteAdAeWjCnh9cs8ReBCJiaIVnHei2AHucs46 XFRaYUfzKpl5OEnCauZiUsbtY3xYxbuLE8e/vUkKdTMPS0fxbkQcMfcYThQOSUIU0nP8gJAK7e5S 6th1l/qCSz5W6C5FHUwrTTKkIyeaZou2aQx+mVbpDP52bLN7B3U4q9J6ixy6SMgKzCqEHxLmmPE6 nigcV5Ec4piVDX4Dq6hKyMFU+GVcTyrwdEgYR72ASFm15pYAfUtO38FQsSrdvsumsYsUih5U0byB OS8jt/hBN8JxWoUd0CQqYz+QBxCiGO1xVQXf5W6G6HfwA04WuvsOJY67T68Gt2noiDQLED0zERW+ vE64E7+DKRtjYkoNFHWnVsc0+bvCzShUbsvh4go3lMoXXz+ukPttLdmbsHtV5cz2iUK9CHeyPHe5 COjbX5238CTZI5AQ81vUu+L8rjh7//nivCifL74kz6owFGjdi9hG27Td8cKue0wZG6gpIzekabwl 7D1BHwb1OnPiJMUpLI3gUWcyMHBwocBmDRJcfURVNIhwCk173dNEQpmRDiVKuYTDohmupK3x0Pgr e9Rs6kOIrRwSq10e2OEVPZyfNQoyRqrQHGhzRiuawFmZrVzJiIJur8OsroU6M7e6Ec0URYdbobI2 sTmUg8kL1WCwsCY0NQhaIbDyKpz5NWs47GBGAm1366PcLcYLF+kiGeGAZD7Ses/7qG6clMfKnCJa DxsM+uB4itVK3Fqa7BtwO4uTyuwaC9jl3nsTL+URPPMSUDuZjiwpJydL0FHbazWXmx7ycdr2xnBO hsc4Ba9L3UdiFsJlk6+EDftTk9lk+cybrVwxNwnqcPVh7T6nsFMHUiHVFpaRDQ0zlYUASzQnK/9y E8x6UQpUVKOzSbGyBsHwr0kBdnRdS8Zj4quys0sj2nb2NSulfKKIGETBERqxidjH4H4dqqBPQCVc d5iKoF/gbk5b20y5xTlLuvKNmMHZcczSCGflVqdonskWbgpSIYN5K4kHulXKbpQ7vyom5S9IlXIY /89U0fsJ3D6sBNoDPlwNC4x0prQ9LlTEoQqlEfX7AhoHUzsgWuB+F6YhqOCC2vwX5FD/tzlnaZi0 hkOk2qchEhT2IxUJQvagLJnoO4VYPdu7LEmWETIRVRJXplbsETkkbKhr4Kre2z0UQaibapKVAYM7 GX/ue5ZBo1A3OeV8cypZsffaHPinOx+bzKCUW4dNQ5PbvxCxaA9mu6pdb5bne29ZET0xa7MaeVYA s9JW0MrS/jVFOOdWayvWnMbLzVw48OK8xjBYNEQp3CEh/Qf2Pyp8Zr926A11yPehtiL4eKGJQdhA VF+yjQfSBdIOjqBxsoM2mDQpa9qsddJWyzfrC+50C74njK0lO4u/z2nsojlz2Tm5eJHGzizs2NqO LTQ1ePZkisLQOD/IGMeYz2TlL1l8dA8cvQXfDCZMSRNM8J1KYOihByYPIPktR7N04y8AAAD//wMA UEsDBBQABgAIAAAAIQDyMO7U+QgAADsfAAARAAAAd29yZC9zZXR0aW5ncy54bWzEGdly28jxPVX5 BxWfQwtzAyzLWzgGayVrr8u0s88gMBJRxlUDULT89enBIZpSc3criWufSExPH9P39Lz+6WtdXT0Y 25dtc7Mir7zVlWnytiib+5vV50/p2l9d9UPWFFnVNuZm9Wj61U9v/v6318dNb4YBtvVXQKLpN3V+ s9oPQ7e5vu7zvamz/lXbmQaAd62tswE+7f11ndkvh26dt3WXDeWurMrh8Zp6nlzNZNqb1cE2m5nE ui5z2/bt3eBQNu3dXZmb+WfBsH+G74SZtPmhNs0wcry2pgIZ2qbfl12/UKv/W2pwxP1C5OH3DvFQ V8u+I/F+b+d83GNriyeMPyOeQ+hsm5u+BwPV1XTcOiubJzKEvyD0pOpXoOrrife1IwXoxBv/nSTv qxf4iLUnK/5S7mxmJzODAzgp6nxze9+0NttV4FRHwldvwKO+tW19ddx0xuZgJHBH6q2uHSDLh/LB /GZL53Db4bEysC3ruvdZDejvtr+NGjpuqsy5rWnWP0cr2PFgmqK1t8nNSnL3XVTVv59cnRFPKbfa VPHe5F+AnfsC182/jCzcwg/lDqH1I7h/3jq6f3j2H8H9zq7Tj38Z98KsE/2XcYezx2//j9whgNu7 7ZANztf7zlTVmJPzymQQQMfNvc1qyKY3q2ll8tRhyMCBi0+m7iC3mSu7KYublb0tZlcGGpNz9+P+ 3oXSh6wx6Zii07IajHXOk0F4s9QbIyKrqjEe+iVCDv3Q1ssSFAwXdwME7NnSSLq/bT73EKHjpr3J XFk529Uc6p2xz1cHlxbO9hWlNfkwSelywK/Nx0OzCPQS+CGzGein21/e8n7hPJ/qJZFPToqFgFOy PfGfkYa2Y2/PjzWq7KHsy+dHyJxuG1DUeDCXuYD2nN8Kc5cdqgE4boHkYgC1pL+ifd8Obx+7vXH4 cdZN1itsdgRd/GzL4m1ry29tM2TVtstyWFxoEG9hcdoMOXAo85dbJZvyXVH24D2PJ5rJCVdDr/C4 EF9IT/sXsn+02x1mu8+K0emSbMhGV2zaD4cmHw5jRf4XaAoOMQLyPRgzB93NJ4vhmLatFhlG3cTQ TliodpP8+8IC/c4kk1b7N6/bTe8WZjX3Vw8b8xXqiynKAdqbrizq7CuY1CMMSgJwvT5uXhI5bu7a dmjawXywrigtXyCJC7L1HGLPlkcdAb1lecKFwnQiNH88o3O+upA5Q5y6KCfL9G87dWRAqBkL47Q6 d1nv2sK4WD3Y8kXpvlj6HcKYDAid9XLiCT1jAbo9btyfj6CaZa/nsYTLKJ6s4aAnCHR6npg19Qyi ZDxxmSh+hxNAIxCh1AImgtFiL3EkDySKEzJP+CgkktEFHK2kTjAc4jE/QiUghHGpURxKuBAoxGdS zlF1rh0SeDrBISGPKc4n4pE/x/QzaglJBQ7RMoJmfIy8cxxKRBClKIQx4Y/+8dwKlCmaoLqmXEUh alMqPOrjfIQnL+EQL8YlkESFASq1kolCrUAD4ae4BIFSKa6dUGiGejyNmKdxiPZiGaKypTy9oNFU pj6qNzCCitDzQFLTKeohzOdBgp6UBSqUOLWLsc20F0ToeZimQqBRwjSPwgs4kjBU19CYaB+lxj1B FRqnnDK5lNNzv+acE4pT8+GOgOqaBzSNcUhERYhTi2TCUF3zWPAYhQgiSIpmS0Ek5zgOox5FY0Ew mmo06gWTDI96wYUKcWqKC41GlvC5lqgVRCCEj+YDEXLBcZxQ+AqXOlRRiuZEATEnUSuISGkP11tM GV6zRKJChsuWSp+i1CDtaInqTVJwKlRvEiwnJZYPJKdEoSeVAjwBzS5SCSbQqJeBjPG6IEMipw7o eSaXkVB4pZWJBE9ApdaEEtR7pcsHqB8oRmWE6loxDokU46Mk4QqnJqkKUPso8CnFUWoh8QmqURUq P0G9yqdeoFDL+UIKiVobIEmKSuBLxgnOR5EQz/G+Uk/XhfP85sfkaY7yDKLBr3HZUhpr1HsDShOJ 2jRgMtKojwaSRzifQEGmQC0X+EQzXALfmRuzXBAIhdsHICHevwUhE3jUB4knItQ+gaaK4VJrqvGe Iki5FKhfh57HE7QChlR5AQ7hXojrOuQUOhFMO6EgUGtRiBQsRj0+VAQ6BBTHp4KhWTkEV8T7nTCA fhDHCRhfLqrnPhpGkBTRCA6hu8V1HWoojqh9Io9CRsDOA5AwRXUQMcZiNLYjxRleTyMf2h0cJ/K4 h/pBFNMYt0+UwKQSjYVIswjvkSKtfLzvjSH1UtQPYk4uVEBoUOgFHCXiGD1P7MONBfWd2OcXbkZx wHSMenwMERyheSeOodKiXhUnVOOxHWuShKhXxSmVIXqexOOSoHoDSCA45lUJh3KGemKi1CU+vhen qI8mvow4etIkkaGPRn0C+VWjGk0gxweoRjVhFK+nmtLYR7WjKfPwyNJSUbx70nDPUqjUOiIUv5fo WCShwHStE+YnqBVSDwyHWi71VBCiUZ/C5d3DqXEKlwxMgpTziKNRD5c5eRHi451qCreFBLU2NPGB P8oGcyWXLmEKU2/c+5MbLk3/UpiSXdXT7CbO6p0ts6t37oUKbvb1Zme/RGWzwHcGXujM95DtYbcA 1+sJ0NcwB05hErcAxlJfb9ywEAZtI9nqXWbvT3TnHRZdhVncP59oueceY3+27aGbuB1heHvbFLC8 sCOcz/TKZvilrJf1/rDbLlgNvDJ9Bzo0xa8P1hG8PqnnuBngcRJmj0AFXouWKdPTm5HJ+iHsy+xm 9W2/jt+7AdiuLGBkltn1dg6kvLJb98Rp3sEb1DRs3d2Tm1VV3u+HcQA8wFcBT53jx+6ezjDqyA3w 5WDjR5a7s8Pu+Y/bMP2FXfOf0xpb1thpjS9r4xPXhCKWNXHaJ5c1eGqF8eYjvLK51wCYBS5/3fpd W1Xt0RQwbV7gL5acRuExzc1xb5u8OhQG/KVoc5j2u/eK+Wnhf5vAzhNbGEO3h+FsXuumuW5g252t XhUwSHZTeWftM+RxmjuOf0/zYJDe5CV49Pax3p1mya+mk1VlP2xNB2PnobWgk3EA+o+R8unV+81/ AAAA//8DAFBLAwQUAAYACAAAACEAkhUil/gAAAB9AQAAHAAAAHdvcmQvX3JlbHMvc2V0dGluZ3Mu eG1sLnJlbHOEkEFrwzAMhe+D/Yege2N3h22UOmWsKfTQy5aySy7CVhLTxDa2N9J/P+0QWGEwgUBC vO89tN3N01h8UUzWOwXrUkJBTntjXa/g3BxWz1CkjM7g6B0puFKCXXV/t32jETOL0mBDKpjikoIh 57ARIumBJkylD+T40vk4YeY19iKgvmBP4kHKRxF/M6C6YRZHoyAezRqK5hrY+X+27zqrae/150Qu /2EhMGfkbKahKXB8YjbGnrKCzo7EycXrpj0nfkdbR3tpF1ZqKeLKeJ3aRcqTfJEH+VN77qfT+0dd Gp/nBXryhmPXc6bocARRbcXN06pvAAAA//8DAFBLAwQUAAYACAAAACEAnTZGo+QBAACjDwAAFAAA AHdvcmQvd2ViU2V0dGluZ3MueG1s7FfNjpswEL5X6jsg3zdgAjGgJSutVpUq9dRuH8AxJrGKPch2 QtOn7wD7k+32EA7R5sCJYTzzMePPM4Nv737rJjhI6xSYktBFRAJpBFTKbEvy8/HLTUYC57mpeANG luQoHblbf/502xWd3PyQ3qOlCxDFuEKLkuy8b4swdGInNXcLaKXBxRqs5h5f7TbU3P7atzcCdMu9 2qhG+WMYR9GKPMHYc1CgrpWQDyD2Who/+IdWNogIxu1U657RunPQOrBVa0FI5zAf3Yx4mivzAkOT d0BaCQsOar/AZMIxorCHQncaDZJuSKBF8XVrwPJNgzvY0YSscfsqdXBPz6ArVFWSjC2zLKbpsLyB 6vigDrh04A0yQ8LeGPfum6z9szZ60X5X291/1I/Qvre9B+9B/6PHcO4r23/Dv/oY5JygoftTEjwZ KLRcYA6DLKABpIrvPYxhNCeRTfPcvIlomq89zXyKazhwMCQ9im/ZoFGc5NkypTMdUw7BxejIWUQT luQzHddAR8JYvkqzZK6OSS3yUtWRRSljWYwztG9i8+w4c2Jdig7aTw6WRfncra6iPGiaLvOcsWQ5 18c1TA+6otiw8mU0/grP/eqj+1UesxWlLJ7r48P61XgHwSshCidX6/VfAAAA//8DAFBLAwQUAAYA CAAAACEA3OQBaP80AABIiwEAGgAAAHdvcmQvc3R5bGVzV2l0aEVmZmVjdHMueG1s7H3bctvIkuD7 ROw/MDQR8zJtm3dRntGZkGSrWzFuHbelntk3BUhCFscUwQYpy+5/2q/YH9vMrAvqXgUQkug+2w8t EwUUKu+Xykr8+398u192vublZlGsjg96r7sHnXw1K+aL1efjg9+vz19NDjqbbbaaZ8tilR8ffM83 B//xt//1T//++Haz/b7MNx2YYLV5+7ieHR/cbbfrt2/ebGZ3+X22eX2/mJXFprjdvp4V92+K29vF LH/zWJTzN/1ur0v/WpfFLN9s4G1n2eprtjng093bsxXrfAXvui3K+2y7eV2Un9/cZ+WXh/UrmH2d bRfTxXKx/Q5zd8dimuL44KFcveULeiUXhI+8ZQvif8QTpQWF473syXfF7OE+X23pjW/KfAlrKFab u8W6AqPpbADinVjS1xAQX++X4r7HdW9ovU+CnEKDd2X2CKSoJrSmcyBjzh66XzI8IH0rqpoz9roh YDhFcAq5hpQl6O8UK7nPFis5TTPUqMgFediFv38ui4e1XM56sdtsF6svci4Uyxor645J8lTQNrUm sET36i5b5wed+9nbi8+rosymS1jRY2/YQY48+Buoinkxe5ffZg/L7QZ/lh9L/pP/oj/nxWq76Ty+ zTazBaDn7OfO9eIe1A1cyrPN9mSzyI4P6FLnMn/sfCruM6Dv49u7k9XGuH8GEJl3vsGXLLPVZ3jk a7Y8PshXr36/0mf/8+7V2SVemi7mMGVWvro6OYAH39CaxV9l7WsJCbvLABRUAiiIK6YoAQ357Ydi 9iWfX21h4PgAlC1d/P3iY7koStBe1bWr/H7xy2I+z0Ety/tWd4t5/t93+er3TT6vrv92TkqRX5gV D6vt8UF/fEi4X27m77/N8jUqJ3jdKruHN1/iA6A5Ht/+IZ7tIaCAIdftd3mGFqHTq/1Ev/YTg9pP DGs/Mar9BJiUmrg6rP0EmNqa7zhKfmKWEQPg/RuFs4igDwZbpVP5erFdguQnrvrqYbqt98C2LNAc Jc7//n59l20WpDGS2Pqy6HxYbLb4godFJYJHRwFR+LjMZvldsZznZec6/0YP2xhNnQ1WcLXOZmR0 9UWkE+HD4vPdtgNKGEXUhGXcDcDCnnShYBzSBuyxn8sFWGl90eN+4G2/5vPFw71YKNMlKtrHg/SH Sa1oDw/jDyOgjteOEp+03zmOP4lYcrzzMPFJ+52TxCdJjWoYCnH1O/CknbJwGOKfs2JZlLcPS0FT kx0OQ1wkH3bx32GIkeSTLhY8DHGRJiqdk9kMrLODOiGYK5nxPx8CuxIe//Mh4E0p8s8SQoQxS98/ S7Jc+acICdin/OsCY09kneZqlCT7Y1Zmn8tsDYGTrpUG6Q7Cbw/FlgyaKjn9dDN7sQKHb5N3nPMM yI9LskycPgRXgDjJCshPnGRN5J8iWSX5p0jSTd7Haykp/ywhsZU6h0ji0xzpasu/ipDYOvWXbSPq 6S/7+RAibP1lP99Ef9mzhBDh01/2LLX1lz1FSH85BdWeorag2lPUFlR7itqCak9RS1CtxxsJqj1L iD+dgmpPEWJROQU5b1zW7SlC/OkUVNslqyeo9vMhRNiCaj8fwoIhYj2hsexZQogwZpG2zJ6ltqDa U9QWVHuK2oJqT1FbUO0paguqPUUtQbUebySo9iwh/pRSplpUe4oQi8opVEG1pwjxp1NQyV9UPcDE KFqIiP18CBG2oNrPh7BgiJgUVHuWECKMWaSg2rPUFlR7itqCak9RW1DtKWoLqj1FbUG1p6glqNbj jQTVniXEn1LKVEG1pwixqJxCFVR7ihB/OgWV8rg7CKr9fAgRtqDaz4ewYIiYFFR7lhAijFmkoNqz 1BZUe4ragmpPUVtQ7SlqC6o9RW1BtaeoJajW440E1Z4lxJ9SylRBtacIsaicQhVUe4oQfzoFlbZP dhBU+/kQImxBtZ8PYcEQMSmo9iwhRBizSEG1Z6ktqPYUtQXVnqK2oNpT1BZUe4ragmpPUUtQrccb Cao9S4g/pZSpgmpPEWJROYUqqPYUIf7E7bhl3lF3zVQJ7dXPevqm6qdvZvFFfcpv8xIKkXIrl5s+ lcjF+ueimD4pH3taFF+gHIHvdqpoGlC8kTbJYrpcFJSi/h7Ndw9o/9jemvVv0l///azzC9uoj89O xLVnh8y5DgpUPqhFDFghQHVfcOP2+xoqCdZq1h0KHLDIAwrJaAVY93ABdQq82gAfxvIDeJYKMPhl goi/lf4NxWhzcU+3OzofT/rnbNcLyi1wkm02pToS+CvuW+a3W3znuoDSj8MjrlF9N/R6R1w+vXeM JlwTee84mpDSBQzBLbSeAgrpbpfF48eH1WwrVsZzPNnDtsCt3vzde+/IpTky/5+HzfYT7u9erCqU MFxs2L4xPDLNoSgOSNEbcBW+hX3pk+Xi8wrL08Sc02yTLxerHJ+GNXNUQikOYrQ0im/M4hmYhJfZ mCOMH/Wymp9PkRRV0Q6rtGHvpRfC+4mLIuxE9yADcbbuUUGLykJVYQqtA2Gc/x3LXCwGWwFOXNdr Md6XPF9fwkT0MvzxARC6oV82OYYTTvoF0Q45lLEmIhMQBrv1CqsWD1ukzoevS7FKetqi1JS97U9x V59YHW7bBbF9L2K5DdorxA563Kw1RCyJfhyxBPqOiB14EctB2CvE9iZcKzZErMCYrluQY3dEI6si dAk+V/QGGrm+4DhuRfRt+aTZBRvB3yYabeTlD+7QPz1gwngpdm62zLMy3ZoedcnvBxSIuVT+wVFV 4/G7H9/aGBWqjPinIUbHXoxy4/j0GLUBE47CLoCxak6XDPCo6yUAI5zuKAMTL8W4B+YGjEd5TyTc gqN3odiRFzC+djdgXAe3ApgQyFrCrYu/01c2bnE5y8YttresKgmqjLldlJstelRYyExuzv/MhJuD lVp5ya7a8kWMEmfD2R0EKzOcB6b1xCq8uFsWE6FjbNGR39SRd3XoNlpzFRyKtXOCVuVN7D6t6pbZ SI8JAeqxMlvPmq9xPBhkdegWhj57gaLgNbZCUPDTJQ/BpssLcmsfedU5iwbn3zL2ErjxLF8uf81K CtiKNSDDcys6xmy016USaGOqabHdFvf+50uqf6XpXROgWVIWw34iEPAvD75XD/fTvOTVtB6cXxaY vLE4Q5QUe1ghFdP+tWnxtgyQIPa31ei2mHXcKlSNvH16xmCG3YPywx4XBEUZEe1QGsHjgIrq44N5 UYXxR4d9YTjhEYqw7SjLEWONByMtdmqATNvhRGS6nU3AvcPRhKvchWsBkYYunQz5CxVMagmQ/phl QJDZOeZUbUvDgHQZhU5GRBq4vZG9IwygnKveCSKML9Owc8/EfTrSXDkh/Y52DR1hHnBMiQiNOD0X +cKC0BWFhQrB5ROU8joaD8ipUCieJCu0GFgmzXZ8MIJDQypjHHbFrE0Zw45wkDHc0U0lSS3IjIbz wdGY+1wKBsUdTt3DUa7gU5Ugmq9C23hEqWQpT70upLyZSW+KNzslg3hzp2MAb1y1qsq8VWzqooJs QhbOgU1ix14Piq4ZAoQCstkR6qppEhWx9KDKgfxVO6gmO2uImOQIS1RNgEuO+hY4U8fl/igmF1Wl lgkJiabr5BPpemnCQ3OVEdAkVQJm6qXdDZYdTiNXuEPpViVJaB1Cj3BV3Bh04tx2ilS00YQV3izF 1B/uFNkCJuwECyLOnVx5OsSNel3ujTlUkBNvYYUO89FGHreDFt4qfdZIoZ8XcK6ktKKFW3aZtGBA E8HGwBegKbkSbKYziGSZ8mzil++rApKpQYWmujqZHE5sO67fYkUNwnTwLRLYL2OGqfGGiYOQuA8F l+sQEnPUefmPQ0iewQE+Js03nAwbUxIo6onctQyPjI5RZlYggFUlgBmsoCDiHZ1SFh64aOlMDtGN yW4B33AFHCz4iXwSa64/N3JfrydSq43YVEBMJ5S9wOI+cZRnkyEjxVgFnIoMayavPxKQMc/QEk8F ByKvVwcHM9gyL+6vsPbArkOAw30mNi7xxJ+L2GqYqmpgfMAntu8m3bNz7kT48bG3+nfst6kktFBh IOIaRjwQRKsMAYrlQchxMxvwDwkv/uPTAxIk/wYJWIZu1W0xvHypqp+OF3JI8i3zr3ZwIAdiPBG1 vDZqXI4upR0ARzJ4HBw1cdECbM8hsiNKOeACVcdDFFiVmj2+HyBE26+vtWxmHAR7O52v0p1o0uGr B0K1X1HH4QuA8P6PB2oQZSkgOeCigqqEogAImVRUr65qUlJcHHAtImlgu8dHupp3aYreEfnc2S34 xtCwZqhlbR06oE8xOHBTS/YAApeuRQ6MZnhS2XDJIZpxp1n41d3p44rAdQqCiyyQIKhtq5le35EV J63Mw5vodhtzqYEhhQhLaizYxZYocHJ1aWtguPi6XnoGp5nBRt1i9cBtuWqwcRQNdmtk2u+UjeZt iUScJs76HYddjhhFbWh39Ptjvo3kvWMy4Bld3x2DYZf41r+OYIqWhQwjWeDoKfykKJ4xKJMOi32n pGR3dCtkYAEawd7kRwXCQxtDgajKXM3UqteD7vaP7V4ORVchH5NMRhE+6/VHET7rYeaGaKy8RCYI nIkhe+dE82WG3ZhZ6rUcpoCugmZdWGtuxio4csOGCMZa/EVmVnmYxye1alq5jX5866rMiApbv2VE MblR4DLxxW64oTsS8RY14ra55YW+Anz4Wys78TH7nF9SxYFF7zUMdVg1gjNE9ecjfGD4F6e54lLD Xazm+TfbRIOE5N9q7qEka7mq4j9xtQGv+2QFivayYEc3TPagwRsx+jISdSh8tWYSRQE7oCnij83U yqcQutZrqHex+PBkvb7B6y4UBXiwlbMFaLFbBRBSfE4A8XodAFtgzjX0NJ4v/PzJx4MsqnE4rd92 LRQVybCZoqBCbFJunWxSbn8kNpFK7qy4x5My/vRwtoLkMEXvz5YgVlxUEUhHZFxT4AHiAZhu7wIG AkaS19TzWEHlMZxQZpJ9hkeeOFKdK08cahd4kj8NAtdSLkas2DQIhAEJSsC7qgUlhotqgo+Hj+2B c1JuLwtbp4E0wmWXSlNNsUpJmGhHB1EeekoyZ9CVlp+ekvsebfuIEiST1jAQ4HYfhth1XZ9K1t5D VzrZ8Jfb0mUXAUl43cVEPsO/u108y5ZLi53pomsdYVKxpUfllaULtOyEnnhLSZ02KoO344l+n+8g qarSUBpPlI/DANOhSijurKlL8JlnVSZTYo5nUCkiYb/MP4P7ZjGqGL7h4zGeffl9QpkfYZt8E+ja D4sGORZSYfOo62xrD7cOVENHF9hMLRnu88XnB/jShhvxbDCE9ms8KKGSRTV+qh7x6YvddZu6BNMk 0Vho/eoS6y7dbaUEheEvUI5KEXS9tz+57uEogS2Fr8yFilxmyMdI96LtXB3jOUsH8Msx0VdpyB6B 4gLM/PH9Gx8bSlragpmUodudjcVqr515SjYaDFvDrBxwsD4Ejtwj8MDG9DQUH9ROrQBeWgqyGAYe F9s7CGaYGTSlnSOJ3/MUvmjLqGqBa6je8bePtrzQwA2MxETm5a2lrh+FjdNcR237rJ2qRnuXwpZ9 90YF+kVtMjYc0mRFqDYV8QAnH3PRUR3idNRaptAzSqMU4/cl+601RaFLNiZYKQHQBIJ5qxMKvoE7 OLqZ4L5ji8hin9mxJJ9dprUHkgzqHjZ9pWcJPnXJJOTHEwNXbYMmJ/+YW9V+vQEIEwItvLTNKltf F9Tyiztr3FGwJUA8qnO42efnrHgoF/AlG/igFnnu/FNa+lX8mpZ6I/HtqvhYFsUtkz/DvUKH6ww/ 5UX+ZNsuF09ETi31wwduplEjovpdqiPSwN+q0zMFFEuYHEZzpc4pfGdIoYtzmGkRgw6NugIFcsYc tQsvzhdOnPPHHMdj07DO3XcZmnBub1CDJHP9tKFpl0KyDU1eOhDQyT7OCZZtVBuakgHU1E5/QggS 3AF/PdszWoZfh8iujGQQuQsjVew/BUSjsRaHJUIU4L+PmTPFjZfr5rjxGZnS5OJYK3GLKe4qyBCJ kH3JdwvwTJ+DUCXhTuRwfGjHHF4/BUHtMIg7zCLAFSASQWciEohDL8G1JK0b6wOnB6VJ+JDZ3amp 11uuoPmUz+bwKUpLrcP1Gxpg1qVOW736KBPezd7koIAdxZoqsQ6XxKo5prbLlH97yDd4VshJKTHo J5egMZHS1vY6vXaXRHidYwcBGarmBsI1pZZo1VG/rJYCT3ONnc4W6H13H0zmqjFpgf8DGuskkqQt ZzCbulvBRC3txXyyWh0u7UBiouXU6u3vWupLZHDrICfgFgjmdzCcGPJxHWNTSybEY9Jg7C4Q+pQm bcVoIP8HS5XLgR4rYHdEaCUe5nZ997XKV5nLRPlVFpHIhvCUdDnaleGkNLdhRl1bgy0zJAfYhT2J iETc8djphz20AMxoG9GqjRsM67Fwg6AuQTMg1k1qCKnxVjaobOsSN+EZtSFva6dV/5RDwSU6Zsyi 6P4XLK8aU9fn8llbWaNDv+IKPQYd1idG1NXBE1KDtLIqNptJXVyYfA8c9rdwpwway2tRja5djIdL 86kBH8/BM4LYbSBt42G3zZOz2yyxBPlTvnHVlsLlPa8tXaud8AOqCSBxytOmtjxBVICnRJi/mZIz Cq/KJ0+bhvK0aVGeaC5b1DcN5ImJQCtIu0LPrFjZ5yP4wA233oYSSkm/ceMoTOg+xsZ2rDBmeeca x4NAp7UUC3CU26ldQYvmyd0fkhb1POR2vS+OcoeaE8QQDkKiZPDHpL6TzmOtwL/lzG3LsYMGo6nq BN4UDARQF4219lmtqFsjvaHcPdSjBXMj86RcZEtlq4z9Ju+5Kv4acBWw1D9X8vsVN6FtaSLYPoUv F1kkZJddHn3YIOgZOsn6tvrVUzV9dnC1hjLWkpgtZ5qv1vkMSOSpHOGj0EYbmuuUzqhHHdqdv11F OXphj7PVmH6LaDUW3MNnwCj2ey+LHkZHrLpSA0WvC67TYrZKm0P37jsuXroEm5u6noICsZEYkc3U 6OIaK4Bvy/wPSzxp5IaGXCLqO+1g5piKZVGK9JxSaBRZfmrsQIu8g85xnuXTkGv59GB1SksNfI2h qGzJ/S4BJt+V3/JO0/BXjGis3p+QwdQ4TLshWiHEu376Z0goIeIGJTBHG/0wRo4uBBqssOcf6WQw gBMnYd2R0FNjLDpO+Ygium6AHy7o57ArxoY3kBdq06CbF9/axB+svZfg+FpGp5L89qKBa5Rz4nfT DNPITSUKhhtFw+oRgSR5uFSS8lwcpJiQOArkwl8hHLotSalu13diiCiMDr0j+cNoswYYJbULf1MS BHIjih+JvQa4LFWjnIb1olH1aBJrYxKXGMhhEO3EcX433cWoS0eqa7YUZKVZuRmrFXkMWFM88uRe tjD9GlNGdsKCLnsaOlwpjquGF5yKu9QcKVE235/jJFFrk2BM2jAV3BAA9wvk2QpYLyFx719LvcL1 T+vFzMQidnqFcY47ucKZjYTN4hxR9Jail0JCj1xol7+xZbnL3zgk7mVxJ4Uctse3iEWhsAXe2/Ll cOH2h0bYwvkqTOPEYLUWbuwVsr4bU7gNuKql1Z6UW1SB+FEcU7PC0I0Yo6UZq/bpVXY9ObrdsfSg 5XiW2m64NnlowJuW9uGCntr58BcX/Sr6svdbd7ey0AyGupY4gRcdS3zbXBJtFg+7ucHnfbUAhtoz 0GJpbEF4o7cUNLiaWhcSFL41BjI1QpXU8c0COhDXsthmy8XMFk6ChA+6pLM9OKpQWNOYj28xuazl lgT4LekmOJzwFRq02Ck3HLihERfkqixGaSiMM/wV0OkO/P54NgmOS5VWFXA5nA5P47vk1Gt7xgfp WDrrConCMOTbO/2xaQwY9NOHMmMgXMrXpZ8iXd46FbfoxFh6ShKSDe8sr4HwTKB0b0Q5SGa5j9c2 odE/VLUya64aJ3dqqhWdUovMdNFF3EB+dbOYC5Xb7apnabiPnubopi77zuXX0MWWl63uQt2Wr84/ YbYvjv7UVPEFtmh0yxoNBYo6ajijsF5P/KbhW+aVPkCq0NPsElNZL9LsMuBYmU6p3S6c3dGhKKbT ku6ybTGPfQDbPNHCWd+0xVS0fgDSolapI19BxraFTU9JRgY18pHj67gcJXzUJTXsDrauqOe1UAzc WPdJ/NyXKiUQcjmyYXjVkwyrtfQfy9I0+XAH39SxGLPadJcb+C05+0gbOwtFFHMnoRiJiQ1r8Vqv e9jyhzhwJXamipbuTlQ1XvrwUBSntBRhXp3YTTvw2s7Sbeu6Iy1XLt2fKqnhP4llqsOzwdH1YPzh 9k9FJVbXaO0Ko7IvygErt8Sp17TXvFhZThAN3NzCSAx9atL0L6x5RD5AN24KaUiy45Rx+xy/fF/n JXgXXyxCVCMuQqS6pO+Ujz5xuzxTywC68N/5OaP1g/BkN5BJlbW7EYYDMwK3wpPS/hIHYR8ICyQa 6dCQCyYa9nPS4N1wfHrGlsqJAS+nT2/DX7F2bSfblffQbnB2TtTvcDVO1O+oPscj1qN1jhErI0aC BlDQ4eUKPkyVv3vvHbk0R7S+MsagraXgU1gMTZVeEqUuELSD5221ncH8Ifq4+FhlL+Hb9CxdD/8A jwne+3h8QLu5W2Bb+CD6t4y9B8ZPixI+GcioUazFEjknwc/Nn8cH1GoWlwvP0jTEiscH1c48Irbp swAifFyt6dOkuJs+vFhBHJj/stvj/9XscSCXgf7p8ixfLn/NSnStt0QMD904umG0152gEBt0lSj1 PC+Q5pmALU0uhv1EjoJ/pURmgeBH6TmEUKofd2dDnTPZj8hIjvtVJ+phQQQ2C2Nv3TWDz9Senpzy EXcbeUgYPVPrGit2+vkU6Zhnm+3JZpHBR+1Wr6CGFC5NF/MFiFr56uqES3lEs2sGK0AK8QkjS93D wOuenw4KCckaPCOWp8z8nLEGz1WND6opwQAsNsArZrugPcH5FBrwII08eMfhDo27bK1fCHQyOPwH y5GNMjtbAP3fxC9ogpbYMJvbDgdeaxl6w3uagP/EXtHIe0qVMQAk2zjO8sD1Dg20DKVJ450aDkCl gu5yVkgz2cEtbk+K2jk03XVsz/HLLeN1sy0XX3KaVMPJ+Tk64u3qZQYBqgFLQ7ChDo25IFSBj+oD pkzbgCw1MbaiHoWeTWU22AnsKvtDDIe2a/fwUbUZbmdrmbkMrBsfZrpGdVSqKc+kxxOnmbByXHmJ XXDT1LWnnjFdRAs03TVKMVVLb+Ss4RwMMzrk42G/xxoVyv3/iGZDT0nNT2P3wc6n4j7j+RBbYfHc telxgVi1hzyDxiYKVc7x+1t+k+9mJ84atTEad35J5QiWE5yY4G81wnGqUtE3liwU47e6YCO/8y/Z /frfEjdTfBkyDd/sI2C0O1NJgY50dV+RZz6qoJ/X7YrPYFYhv11fJYWAq2zp67bdkvEUhMIu92FX XfaGZ34ICZztVNzRcFXOHUWOSMPAX8FdL1sPA5pArKki3DS/LUqRCeFUHB2iAgL+gOu9vvi3p26+ IqeAkuOuUlItFxYSIa6dNRI0dMPGXCRWja5KW4UpdLqqtpgzvVY3YSMSe6oDJjgqX7LDOiEDjBJi yjb0DFU76BKaAKtaXTbPoSwieNMPADg2NSKaJG7nUnWw6NzvQZxs3R/VwjoBiB9VplOZUee6APY0 IQOYiSnhryeTlQqzKFn1sou4IcX66EbMgltMJStgfcD7wZoltkpBl+WCyj7RqtlCwHwWdkcTn0Vf uaos+DaH6ej9ki+/onrg3h39ZIqK/u9zR4zShPbSa6n8wavXe6TWSDCscI7f0lHvYaDpDYawwAm2 dngQkSYQKmYt30OYsKqq88k/jwfl3dnmzkIBv0xQ66zhkOjt/982ArUF+zDADCARkopgPwmBNbaI PMJm5IsUuTNH6IWVwyKatCSJHTzbnu252n53lH6yq7RIIzLlwjRNtMGVXy624oQJkW6cqbFOi+JL 52S1XfzxkCkY1C6zlWmmCQjKE9tMpy34L0/CCVNu4nnBAI6Em5X0Tu1MkWowvOnsJ0tksyjI4LRU sFLVN3M1evapRjbQgREXd6keSn1FzaVSIWxikUIqVKBB2RHmnm3ZaewGdUgHRl3AkXfmi+ccBmdf 9bVbhYIw6SGIJegKXQhB7SkxhS6sEsnMY2jE6chqJasXoTKRS8E5iMRKIWlGOHwv+ilUak++S6AD /u7oOl9T7YkJIl29+Wcn5/nEip5RglfdhXBAq4VUgCyzDGWP8w14uFjh0R4v76soFQj3GirLVBvA k98mRQM5cX9S009Crh3ROsYlL3XpsBPn3GrBHTrvPgsMxqSLL3ZKelQz4d1utY/mMNitguYhDAIX IE46eMxTaRe8VFuWLdd3oLyskEJcd1kwVY/4Gc2Kl3S7oJ+PwgYyIJZ3UAoPbjmqUBJMoS2ll2gg KX3fMBUflEOwsMGuunChR5VYy/Upn+dQQcr2OaPocWhPrb5uwBvFACbErU8eZRK0diU3Xe6QL2VZ TI4GPljfZ+PMIkCEv8Ir3w9s2MXhDBvcfLijIz7YGBvPQ+ihm9s7VKfuIzQffBZ+V4+ZDKFToKon 8DeJ5fPgauTBFe8YZbABsQjHlE8RgFzv6AfSW+xAhC7XdATpGU961OEG2hHAoYihk/ypZ2j7TxB9 ym99+IGhWq5yQ9Mnkkw8IgxhpyWGYO686UsyplBcfYNjVfAaq62KLbjFf/7dWRKpi/nxwWm2XBbF 6trVLYuPdWjQZdtVbKi71sqkmN5PdGLNBNd1dgeVFaTN2Mcdqwv4XUf+i9ZVhcw9Xtuu1WXSNeAb 8pb9/JPqzJvgmUyk4q3J5oUHlS40Ho2HpwPebI/HAk+MRpnp273comLCZTH74mZBHEljQJ8BkQdP Hb7Ty8bh5LE63bhXgy432z5Hrz/mdtN3w6RPu/v+d/QGR3RIMHDH0Ti2itFAbAr4HNLuEZdI30IH Yzg1R1Lsu2PY70f6SQ6jR3lGgxgso6MYxsbDowg+DrtjnrD1wXI47kfwMekdxUh7GMPY0UDslPjW cTQ54t63745edziKsVCvG4Om1wO8hsnb6/dGEZz0+of9SNPR3qAPrSSDfNQbTKIQDYcxzPWGR5MY XkYjKNUJr2XcYx/bC4jfeByFCNASQ93hRPicXkpPBpOIgPUmri7LWujZOxrFIIK+3jHU9bvjaANa wFxEyqCuk7WPBWMPUFP6dfOwhk/bbDYnkIKA05N3+Yqd76i8McMJVcOqIyi/Bk0t8tc9JoAwO4/L PbY3qbe7KG1smD1NTdxMi/l3Kzqji8SoAUf3r2RZZQDmFYY+JMABI805Z/+4onK0gAfcfhYMpLlZ mnPKp0tx8v0JrJd1wlQ6WzUPjorB5tSFJ0lNwF9PRiM5AFHxbkUfgpQ7hx78LcyQ6UogIe4I6D6u 6dqMIPha7aTsqUQHd0MCis7F2/0azH1bZvf5xxLzb1fsHDOcL6C8/WOZrY8PVsX2NMezwGhLvp6s ZndFeXywzj7TBSg9Yxe2GIzDHd+PDybCGHqslMWNU1Lmm3sI68+gASz7VVVwkLPQPiMyJPk5sd8W L3Ia1mZGs64IScSTCov7fGOe40jB4m6BcLqoOw5oneKpLZfV3mG/E0GOM4bmbEizApyGHxOzvAvI X9J111LV3JEvk+b//m9SsnV/Kr5ny+xhk7vLM9mYembEhw6d6x0o0MoOKo3Bs4z1SretNJIhJ0kS JBPYnm1JrbqMR72tGYfAofRZATrYVFd0kVgV2tFCaazsnj1zyprKwFHKPC7mxeNZsdqWxRJ1f7bE Hhf0MhGfeB3SaLTf5+GIP5SEKLF6m3i/Fr31sXeRWI/zjgEeBAjfEV3pMLrSYXSlw+hKIddDKwV1 JpBbCUMV5AGUYPDhKA0KBv/BvwWy/YC+CYNWDQOhdQqZcx4HvhqxdI9lhU3hwXJyEP+Zms2urhFS p/R/JZHNcwwNo8JU+zIr7u9dnfDEdbY2vVB8BytjIibgJBoqo6pmMXFU02oF1AIKqAsZ4roLGaoa qL/bq2ls/PEBONKXlxhOBFvrWQeTdVLP66XzCPUrcShMdt2FlhZ5hJ8YRRHlPpu4Ai9uj/gz1qgC PRwfpB0adIGrckHUGLiUEQNFp6spLIlHZ035QCNb/+S25ukFZebhKx6wtjeQYblfOzjE9Ggg7opi TKhxxUa+bNbAb2qrwy7KYjVTq7S6FnDZHME/gRi1LAEF2tBy1CE8fPrbkhUiOwx0/vkvSHegh59m PBOvOQxVu/qwbAfoaKp3UdHzPPSlWgiPcCOV02olohIeMIQC4Yo8vazwB5lARllPzgac3Z6cDb46 RPzrP5psg+sF/gePpJkfphfosg0/S19XxphtjsENkSRwqv5VPCyLQHys8xGdGfJXogLokDLNar3i Oycq8zt31CwUmG4M5eIUb479plVyXm6UGNa8WZmaer+aQ9Y1hzK2vMxXjm8bw9FQvKFTyjtc/p2C 7M+Qyr07h0ghhli+J/g1L1lHTeAfivthIxJaYc7KxZqmqMkRJmTO7RwBFGWSXfCo/qqa9ebowknP opVbsPIdNzLM15kpGT5OO1O7ppCVd7kol7CjUTOJvAszpyqBfPVwv8y/2iXKcsBFfT7IC0DqR60x XQF1Ftw4KTZb0ybD/ihSfjKEahukk6JvVIs6GI7EMDlWfl5MRSW0j7D0KF5zIZC1mmBDbWdrRYKK t+kFwHTP8Ynt/e3isztPDQNqkjoQzjXGiIOv9tjTUz0C6fWFKpe56YcjA8RTRoJLHNVRc+LPVBoC 7Gx7+HDRUx0PIzuyfoUl0gpMzHU217BzTv/hS0EcWvKfgJ8fSkfagl1nAD4Fk/9lIp2XbKEELAjE s4/Ns+sevlWdnsY6SiPfj6WwXuBob6rxvcaz2h/yz/lqbmsiGrxho88kl3tHWH/CMeXz67IYUtex VXDKDE17ypXJoY+gXEoDFNX4gaxlXYFtxSEEHcPyW2ZgwiHwJ78IAGW47vKl1yf0jYge+R5slTHm OQlta2h34G+LxRI2rR35XRzp4FCnhX1xAR2RGH9U+19VMRV8P2Ay6o4oZXDF66om0bIqUUUly6ru sxLOTuMs3+gLF8cHvJUBXIFSK15SvD6dl0ht9mUEFrCzD57AbfiZijHOgOiHnWNaE3kq6mcq5HcR GjwNlJMreLm+EVqsJrt1gFIE0Ako7Ybo9+jx8DpR2DdD+qaJXw9SqV3wLf2+OGjnW0d/JOrtvHfw j9771zGAr8aEoR0MY6d7BkfjyBwJATSUQYTXMYyeDBj1upEwfTSYRE46AHdwneXD6YifLQDeh1tY sT7Il6f9WBU7BDqRmDnHqtgCOJjvIlfXiGum9H/TJMoqP2L7efbq3X8iUmGpLYUhd9B177Yotlbu AQduaIQtT6/BaMWXFdhWCLPX8TZDvO7DGHGiK4qmSpp2KWY7qUguJm5G0CgJTGSs7wfwNLIBJwbE 7TKikwm9/IdQcbFWQfoFLoPccnXv23QAWngSx6nxAnwdJn+Eb0pZUiMHXEKjr05dtypOvlVLl8wh Npo9fImWJAC3Bx142YUMFeTGqAj4b1jWflrm2ZdT6mRNS6i8VpHldCbR1ETvYfeIHD/R+AZ/w1zA QroemLIXyFJ3tkventSfl7Dl40g4sMsxBDfhKdYSDezVuoDj7keHzDUBiAT/VZbQ6p4mU42mIYzX GUjLSxYPSiMNxLIr7SH2FjFon9vgl18YsTVcjN0xyzZNWsas3ZiHMMvdOsNWqTohyrIV+7WKJSnB T8Jo9k4ZoWMYVZEvjo62FRpacDDVU7crAyM3UydSuBHlDNTYcggl5vU9nR/f1N3Tnuvrm8Yt/POb /nitD4fLGaDKUjR73h+KTqXeO45iJ5IHfVkqLiC3jaGsjo80a5LavYpWUmt+NQdL1hJcwOfQv9mi AXY4/+bpc6WqisZMoBp6+MZkkxyWDoPdf4rB4O4/1T4MQ6m0yDsBXZ7i6OowjC2nlsHAo/mAym6H DlBpj/IAa28Ow6EHBi5pTw2DOBGzEwwTDwz8YMZTwCBUg6JnpBe4BH2dw3HROeQKhFM45N1EAE7x qCZSY9a2oOoa2QJpjzxo4QmrHwEtyOGYBxIxhVFs3UhquVn0IIcbW6dB9WmhC9S+kUhaRkGC/Arn 6IbQ1SFHv+O5DO4w1jMmni7uH0ZSmwnJYG72FdGxDTI/Gca3WPh50vihMaF2pJ2eGjFU27WgxCq0 22R7czQW+PQStbxTdqp8jm6iVASOilxcvnv/v6EZjbmZxq5HZcO3sJAMwAbWAs7Co7Q79edIKkQh QA4mYPfo5b6Qw9dUCP6ubzQDyFrCblXOuifbZyxokPdW9mzDrdSvYBL7NfYOtCSP3J2qPuM+Lx5g 9x7RYX7GnTbprP0xdK7hZpZR9z5Ln4O3ntX31uq+mYxps1ejTPOtwaTAd0fXPMQZU0uClu5QzWdZ 1OtRqdKoL6Rkb8xMUH2ryUVerWSpZi2vjrsHQtqfuM7S8TUZuESC+kwulG79n9s/SCacLK1UPVs8 jAByLD246sS3nhV+Oeq+6juaxi9zuuyisiB+Yy2toqdhLB1SOotXeEzC1jz8uguk6uxnY6Ac+kZL zfSqTmziVtuAm2oAGMfnw0FvOCaDKjax+RvAt0eqw0OLnF130WKp0qkxOSrc6j1FBGrgb0q+I8hn DhaLqsWoERPM8cPaLd373Hv1t3CrP3bZzZ+MyFFKqoL5ZGpu42BCkq2NkxU14YpCYAlRT9cvuwvR h8VmCwlpM87Cyx2RqI4u0yEymupNPhAIOkHuKTK9yz8piz94wxWud4UekYGzuX35RGcHtax4QDsh Bt145Xkao3PQ0skutdxvBxn22HGTZwJUMeV159JZ68v2PHvirAFVPRZVjrh0VuXf7CxMY/BnmYsh 6F3JjK9Uoq4bM9JTFFLGXsxH3jjcSbjmQvW+e8ebhaVtl3DNCQq/HOUZVYTat3T3m8/OLmjiumvp tRSXzcCif5gKGJ5eUAO56jSDrhtMQxCotni6zMuv38887bJ+/d4RQzsj7gdOuOj5ch65R416Yl+j KWHW+S24nbM2WvOAgAOwKtZlUdxawi6uu4i/Q++AVfERXwezAhJbKjhmQjzDrw727LIrNtqZ0VcJ O3CDC6JaeiApW8po+3SSy1a8BHNukY5DTGMxYFs5Kr/H7pvumO0eiDDcFtACA319H+rleAz9at5C 2x+hB6MGVVOsIpmvnPPRdxPUcz6ufQxUa7QhIPTb7uha0Z7NZmGHGGyks+nAWAxLUTzYlpmcTz3F II7CCOiku/jUQvoA295BdqluiGFC5RfGigx5UQw5OSW09fQCzILRh12yhVe9FVvbnFft1ddjqs8G n9LRarD9jJ9qVnHV2WZl8z2BQyMuWp9cXfbQjuFrYpTlxyhMP7KW71GxPvvMGADeklFeAQKwK4uN ARzpsCEXChBBMdC5J62SsN8dkiIR0u0nYWpqREJgtwGvQOisnNpLPpsISaXAauXx+8PBRAs2+Bew 2keC7VdJHLg9qufCwADOzQIbtQuxm+Kv3bSupYdFMgT+QpBIBQN77z3pZhTaSmksxw/TCgI4rOoz 9XxBjrNLcfAqE0IjkxknZmNju3dE9teKp6TpeDGhzga+/WnFouzW77uOmrZ3N5Ds7q2NS8kQUafJ QUdtwyAFedCoom5ac+DpvPjE9RuXD/fTvLwAZxU6AZo7LWyww0fddruEujT1hih+0Sn9INuDx7At tmf8zFwv45xc/KgzfmSncne/Y92H4icT/+v+m4SSqCSMX0IrRCJgDOHDkR+hSgGpYn2l8n9iVgXd YAcKdJEAi6IhBrlgNSCmuBV6XDo+tmdZvYbeOMdXozahqYoS77P5SvZTDdRoNcHnHns1avVMakb3 Y7bMtotVQa4P+86SvEQ81/aeU2qgCZ1X7xebjetjRcoQLdGg8A5ZXJPLA5vYLLtdeQVyWzASZ6bC D+nkWT6HtkYWa1cjzwG98sEt3P2JforLyy8VqtpuYfXb7++vri/+fmlhSg64EFUrvKniWLHH6yx2 xPMQgCUqXsZWSFoIJ43IlJZT4aPRicDA1oer139am381MsCDMFVTiaiq1BJxugNkIw99DUCCZWUQ M3AxIkKphgFg/pTf2qET4gIGWPRkKA+VK1RsqNejuEjaSGEK5IkdCgDVc9gEkaCcJXkKNNh0l0KT hCFTGwd2kplIyY+YKbJFWZxWeeri6u+WpgFs3sB1TztLGGXMFuUc4ZXB3z1LowhZhb87Fo4CNs7O Lq6vnUikET8aEfekPaOYtJlPUzntgXFZBACBQVpuQLyikAQ06/6yi1pKKEymRoBns4ZX78+czoG4 HqNPYysg9i313agN9GuAGimQbrNFYXDr0ovPx7dJupQpSEUvUh+N9vTiVT7DD4h6jA0fDZxtVO1r c4w7Ghn9gCKSSNLa5rGiftsdSjbFQzlzJKnZdacK1JuTRJVgpM/G7uqcLdXuwSOuu9TEfsJwN/9s 72oxMGgoAAnf8opSwyFUWgI5lGET1gB9QdCCesLt8W2E0NJsPLHjLPHl4whAJd+iN2z7vjHF1TZb zTNHAz45QAwRpXllZsCg3aFMg9CFSz8D6ZNKF7HoV3bvfNJUoZ3/3zLlZOyhAX8v85+wL/FP229O 9aXaqyjqHOKyx2lEKC2r5FKvM5PSZ9qeqkMrPOru2upNDLUhybIvzzVSrrhlXb/t7TMibKe47dzS Zwl8O2m448PI3tgX2Tuaa9tLwV41R91D2uIE+RZQqBUpepILN/WQ5qJDi5H02t0wE8m2KIsgiub2 EQ2+3r7G4ddtiKqeuRLgw1+AcQ+qGjQiaiYXGnMzjlXWqt3QjzVPqxpjCLDtGPq5dUNlJtpOGgOM Syrkgo9y2bVcNPqaf33LXchJtwi+JBNav1ZPIBr+uvnLRVXddLjIqt9h01WV5kh7FK/Gr/mJtYqQ MvXbUpb3Ggl5vljZeV4auYGhqAX/62h5RWfb0utOwFSkEYcI2rDIgf0J4PZlDpvOZf6HW6Hf8EFX pFLL8dJSZ/Ba6lgPf4WwaQqyOtAk7myAQWE422TuazBuPu7GsSh7Rx1U1eoJr353y32NdKaMkO2I 0RjLB3XcXlj1NIMvCoSLWkBoHmDqjuzuwH27X1rMi9d25lnBfPBXsKmuz5+7/4vf5xiIDjzKWjWR wq6GhBDfDbxhh/8VUMwUmaLHO4MF5uB9Mv139PnB/sAdw9g6+oexOwBdEVgGUYxCeWJsjihOh1Gc Qv4m8pZhFKfwRZLIHHDMOXZHFKeADpqjgd0zY9gzSGIu8hILHg5A8ngUa1ydQYN3tg9JfF0d+8N8 vpBXURi8+fNsI69RQ1VYZkuWgdnBd2X2CBsKliZiox0xvLNSculWmrTKCu3cWhwwZWDXkzKIIzG1 yIZ17aNjSpsZfKjCwiO7oaPc4UIluytmpojwQH/8IjWyRbaZLRbHBzUdaVY28CDYim8nwariWEmt mwBlvcwxou51zyyM0OANjnZ63c6Z094pE8SQwhOIITYCwDw7zqlkxtNHZ3DyyI7zYOR1j75X7Q7y /LVkcJ7liyACzh8DtB3qT4n9bE1jeOw/n6IGa5RKTcbpCoImqDlfbJc54tZiFOpWenNZdP4lu1// G/sg8a5fBqc5+Uu56dDdwpP3vfGQfPC2AlcT40a6mnJC+erVM2B8Oc/WFpbpoksn+TlXx9i7Sffs nDf79vCoYQIdhtHJlXGFlMpr5/DVrbx0chkb2pWv2CxMhJfF7Es+J4h0TJ1MDg/fc4XnwVRNXc54 6/lll29RkU60OIoPdphaZDgxtkfu2NhPPehSBemzfEn4/2kpLjOF+tMF/70tZuJf//f/bB+WBZ/7 J/YsWBHUzT8txT/u2PcuxF3cl/nXDhrOtx251cBeegqnStm/rvBLj51T+oYR9EPorLfsOuiLTnUX xKNl3ulN2dgyZytjYBo7eaki5GAMRtlKT9fSGqC6p4s5uAZZ+erqBJfWnijdr7KvaLwtssuBXZRJ hYndjTbyoUfo2RBRsCbhVKvNZmET6JJ+OhmNRN/ydiS9uYwLRG7+9v8EAAAA//8DAFBLAwQUAAYA CAAAACEANZ2SO3Y0AAALiwEADwAAAHdvcmQvc3R5bGVzLnhtbOR923LcxpLg+0bMPyA4EfOyltR3 kprhmSBp6VixMo8s0rP7xugLKPao2WgDTVHyP+1X7I9tZtYFda8CGk21fPxgqlFAofKelZmV+I// /Pqwyr7kZbUs1mdH/Ze9oyxfz4vFcv3p7Oj3m7cvTo6yajtdL6arYp2fHX3Lq6P//Nu//I//eHpd bb+t8iqDCdbV64f52dH9drt5/epVNb/PH6bVy2KTr2Hwrigfplv4WX569TAtPz9uXsyLh810u5wt V8vtt1eDXm9yxKcpU2Yp7u6W8/znYv74kK+39PyrMl/BjMW6ul9uKjHbU8psT0W52JTFPK8qAPph xeZ7mC7Xcpr+yJroYTkvi6q4274EYF6xFb3CqeDxfo/+9bA6yh7mr999WhfldLYC5D31R0d/A8wt ivnP+d30cbWt8Gf5oeQ/+S/687ZYb6vs6fW0mi+XZ0eXf89ulg+AfbiUT6vtebWcnh3Rpewqf8o+ Fg9TWPHT6/vzdWXcP6/sO1/hS1bT9Sd45Mt0dXaUr1/8fq3P/uf9i8srvDRbLmDKafni+vwIHnxF axZ/lbVvJCTsLgNQIBEQ7JrxDaAhv3tfzD/ni+stDJwdAe/Rxd/ffSiXRQm8UV+7zh+WvywXixy4 VN63vl8u8v99n69/r/JFff23t8Ry/MK8eFxvz44Gk2PC/apavPk6zzfILPC69fQB3nyFDwC5nl7/ IZ7tI6CAIdft9/kUBSTrN35i0PiJYeMnRo2fGDd+AgS2Ia6OGz8BmqfhO06Tn5hPiQHw/krhLCLo o8FW6VS+WW5XefIauNxkH6bl9FM53dxnKPL4+OOyFoAQH14/zraNXnm9LYv1p+QVvnnY3E+rJemc JMG4KrL3y8qC4fQ0IEwfVtN5fl+sFnmZ3eRf6WGbJgpGgrPBCq430zlIp43IVHZ6v/x0v82u70nI zWkmvQAs7EkXCiYhOrLH/l4uF9bbBoG3/Zovlo8PYqFMG6msMxmmP0yKSXt4FH8YAXW8dpz4pP3O SfxJxJLjnceJT9rvPEl8khSxhqEQV/8Mno5TFo5D/HNZrIry7nElaGqyw3GIi+TDLv47DjGSfNLF gschLtJEJTufz8G+O6gTgrmWGf/zIbBr4fE/HwLelCL/LCFEGLMM/LMky5V/ipCAfcy/LNGZR9Zp r0ZJsqVhMtlwOMIrSRbht8diSyZRlZxBuqF+twaXscoz5zxD8gST1sHpQ3AFiJOsgPzESdZE/imS VZJ/iiTd5H28kZLyzxISW6lziCQ+zZGutvyrCImtU3/ZNqKZ/rKfDyHC1l/28230lz1LCBE+/WXP 0lh/2VOE9JdTUO0pGguqPUVjQbWnaCyo9hSNBNV6vJWg2rOE+NMpqPYUIRaVU5DzxmXdniLEn05B tV2yZoJqPx9ChC2o9vMhLBgi1hcay54lhAhjFmnL7FkaC6o9RWNBtadoLKj2FI0F1Z6isaDaUzQS VOvxVoJqzxLiTyllqkW1pwixqJxCFVR7ihB/OgWV/EXVA0zcRQsRsZ8PIcIWVPv5EBYMEZOCas8S QoQxixRUe5bGgmpP0VhQ7SkaC6o9RWNBtadoLKj2FI0E1Xq8laDas4T4U0qZKqj2FCEWlVOogmpP EeJPp6BSJHgHQbWfDyHCFlT7+RAWDBGTgmrPEkKEMYsUVHuWxoJqT9FYUO0pGguqPUVjQbWnaCyo 9hSNBNV6vJWg2rOE+FNKmSqo9hQhFpVTqIJqTxHiT6egUgJmB0G1nw8hwhZU+/kQFgwRk4JqzxJC hDGLFFR7lsaCak/RWFDtKRoLqj1FY0G1p2gsqPYUjQTVeryVoNqzhPhTSpkqqPYUIRaVU6iCak8R 4k9Mx63yTM2aqRLabx719E01SM9J8kV9zO/yEio7ciuWmz6ViMX656I9fVI89qIoPkNBA8+Xqmga 0n4jbZLlbLUsKHf6LRrvHlIG2k7u+tP8N/+4zH5hqf747ERce3YrTg61E2oZBNYYUCEN3Lj9toFa hI1IB+M7oUQCy0SgModWgJUT76DSgdcr4MNYwAA3UgkHv0wQcQTSv6G6ZyHu6fVGg+FkwAMlULCB k2ynM6pEgb/ivlV+t8V3bgooHjk+5RrVd0O/f8rl03vH+IRrIu8dpyekdAFDcAutp4DKpLtV8fTh cT3fipXxpU8ftwWmevOf33hHrsyRxX8/VtuPmN99t65RwjKAFcsbwyOzHIqWgBT9IVfhW8hLn6+W n9ZYcCTmnE2rfLVc5/g0rJmjEop5EKOlUb7jL9QxRxg/6oU5f79AUtRlP6xWh72XXgjvJy6KsBPd gwzE2bpPJTEqC9WlLbQOhHHxDyyUsRhsDThxXW/EeJ/zfHMFE9HL8Md7QGhFv2xyjE446ZdEO+RQ xpqwjHtAGNWsSVYtHrdInfdfVmKV9LRFqRl725/irgGxOty2C2IHXsRyG3RQiB32uVlriVgS/Thi CfQdETv0IpaDcFCI7Z9wrdgSsQJjum5Bjt0RjawO0SX4XNEbaOT6guO4E9G35ZNmF2wEf9totLGX P7hDv3/AhPFS7Nx8lU/LdGt62iO/H1Ag5lL5B0dVjcfvfnptY1SoMuKflhideDHKjeP+MWoDJhyF XQBj9aAuGeC7ru8BGOF0Rxk48VKMe2BuwPgub0/CLTh6F4qdegHja3cDxnVwJ4AJgWwk3Lr4O31l 4xaXs2zcYnvLqpKgypi7ZVlt0aPCUmhyc/57LtwcrNTKS3bVli9ilDgbzu9hszLHeWBaz16Fl7nK YiIqcjV3Lp5aWFpzvTkUa+cErcub2H1a3S6zkR4TAtRjhbqeNd/geHCTldEtDH32AkWJamyFoOBn K74Fm63ekVsLhxaIeGw3uPg6ZS+BGy/z1erXaUkbtmIDyPDcio4xG+33qIjamGpWbLfFg//5kupf aXrXBGiWlMWwnwgE/MuD7/XjwywveVGuB+dXBQZvLAkXJcUeVkjFtH9t2n5bbpBg72+r0W0xz9wq VN15+/SMwQy7b8qP+1wQFGVEtENpBI8DKqrPjhZFvY0/PR4IwwmP0A7b3mU59liT4VjbO7VApu1w IjLdzibg3uFowlXuwnWASEOXnoz4CxVMagGQwYRFQJDZOeZUbUvDgHS5Cz0ZE2ng9lb2jjBg6khE GF+mYeeeift0pMmNtoIz/Y5uDR1hHnBMgQiNOH0X+cKC0BOFhcri5RMU8jqdDMmpUCieJCu0GFgm zXZ2NIZjRypjHPfErG0Zw97hIGO4dze1JHUgMxrOh6cT7nMpGBR3OHUPR7mCT1WCaL4abZMxhZKl PPV7EPJmJr0t3uyQDOLNHY4BvHHVqirzTrGpiwqyCVk4BzaJHft9KLpmCIBbPKob6qppEhWx9KDK gfxVO6gmO2qImOQIS1RNgEuO+g44U8fl4SgmF1WllgkJiabr5BPpeumEb81VRkCTVAuYqZd2N1j2 dhq5wr2V7lSShNYh9AhXxY1BJ85tp0hFG01Y481STIPRTjtbwIQdYEHEuYMr+0PcuN/j3phDBTnx FlboMB8l8rgdtPBW67NWCv1tAedKSmu3cMcukxYMaCJIDHwGmpIrwWa6hJ0sU55t/PJDVUAyNKjQ VFcnJ8cnth3Xb7F2DcJ08BQJ5MuYYWqdMHEQEvNQcLkJITFGnZf/PITkERzgY9J8o5NRa0oCRT07 dy3CI3fHKDNrEMC6EsDcrKAg4h1ZKQsPXLR0BofoxmS3gCdcAQdLfqafxJrrz0rm9foitNqKTQXE dELZCyzmiaM8mwwZKcZ6w6nIsGbyBmMBGfMMLfFUcCDiek1wMIeUefFwjbUHdh0CHO4zsXGFJ/5c xFa3qaoGxgcaiK29DWN54QDcA/I14YaO4M4hoLXKv9iOsBxoAr94aDcccIZXfRfagIN+kNuo4Wkb ZyXAAHzp9t5KDrgQIQBmXKKygnisASo0gHncXLAC/PXoNS3qFwfQTjvzlboDMgIMBmDUo9BAqOP6 TRyjAAhv/nik1jiWoMoBF41UYY0CwBSP5nPrLlFKKIgDrs/CshRNbNzkVFeHwAJ2Yc8p+abTO/Ah oTXMSItuSrem1ptd6w9w8HsWOdDr58FXw3UFr98djuBXd6ePa6eqUxBcSaFEBbUdeBV1ZSpHUzaD bwOiaSnmegJDChGW1Fiyix1p8PPrK1t7w8WX7jAGdQVa2foKp0FdFSUELZt5yvD/SyxxamiOpPMF 3GAnQpF5uPtnMw9XUomOx+5KEzAC7XWwttP0DXDklg3FlI4aeWPKiMRVeTjK9o2qy7gWeHrtypFa 3Dij5SsaonPPCjtSKRCbmGQouaU7EjEaxZct0LzkToDvZ425mgmWrPph+im/otyfxQkbGMpYXpCJ lcG2/p2BDwz/4jRjLxf3br3Iv9pKAFRX/rVhNFM1ls8mZedrEJGrghVRm+xBg7di9NBk7VjYiXay JiLhEVug8WTAQTrfbCAnbXEoXL7F6y7kNedOacd2rAxGxQOc3h3osEF3go7XuwE9UTDDFMrXi6Wf 2zfQaxLGgwyvyQtB1t7E+EFKZrpy62S6cvvXYDqpZi+LB6ya94eKpmsIFNEO5dmCRbXdbhUVCnAq gOn2fGAgYKZ5fa3Dy8cJZVTJZ/rk6QPL77ZLwOxiL/IbgaM72m+KFZsmiTAgQTHMvWpBG0GJ2T41 xMGzf92Bc15urwpbQ4KcwmWXglRBUTUMTLQ351UejUgyqND9kp+xkNHRQcf+qwTW5AIYCMiBD3fs uuIOE+KjjHKAG4AG9qF0WWZAH153MV5zp8RvxjSXOaDvLqerlSUcdNG1wjB5GVBRoorwA/wFwadg vx6qSAk2tSqwtfdHgwFPcKuK11BB0vPrNoJxCVtph2LCy001Ez5zIKppRmzzDApKBD9X+SdwHS0W FsO3fDzGzbtz7f7KVvR0LpxJEvsnIUk2X7tO2vUxQKuaWroAiOnO1r5dfnqETu5ukrDBEEFusGxb JZhqflXd46PW7vpQXYJp+mgstH51iU2XLl1AzeYJCsNft67cH9cZOtkV3dfSmKNxAluK0D5PjfKo quLOd+zGMJ6ztAO/HFMKrWloC2RSdHJ39mWAibCRycBcAsVwc/BbOXB4gMV3JBjRAoxN80JyunFY CTAWiaSkOkIMN0/L7T1ssNxbQI4+fs/zesEdI7EDTqNKrd8+2LJFA7cwEuMvnxaXqvAH0n7dVGol 16wD/XQVin5Xl8IAB89YYZ1NXzyUxsdcFFaHohTWGkTQbEpbCOP3FfuttYCgS7a2ZQlhyERDuMLq +4BvQN60cMi91g7RyD5LYqlhdpnWHgijqHUVLH8Jfv5fsMjRlbvWPAtRO69VFuh3HPd46E1xlLQ7 BoMJuRb+OQYnQ34IwzfHcNSjFLp/juCpClblN5Y9SWqXTlspFd4Sb/jWAQgTBQ9CQ1br6eamoNZH fEvNKxFs2RCP6vrDzGpcFo/lEr7oAZ8moj0D/yiRfhW/S6TeSKteFx/Korijf5uOHdRy/HmJH0Wi XX+/Y2ePB2FnlsriA7ezqEnq0ONr0jvCUkUmOYwmM9kFfG9FoYtzmOkX+H93Co0jcunF8NKJYf4Y L2NojmO+TZBbIM7bLeIxMqtByWO77I0lj7mUB3SzD4bE5LG03mrYCRSQapaAarRatB70DxAbR4cp HSK7zo1B5C5zS9mv7gLReKLt9xIhCkQrP0ydwXy83DRmhs/IQGzUT9E25fgj5I9jML/e1IhQzKFE 9gXgpldCSJQYSeR9fGhvkcdBCuq6YSr3ho9QooCXiBQmVq32ylfgsJLejvGYvnFOwpSMY88M29x1 7uhjPl/ABwEtIwHXb2mAWaYmrcm6RKbwmRT3So91PXdMDVhYrKlWEuFCSnSkhBvVdXHrb495hScx nDQUg35CCuoTkW07mUrJ3eUaFuLIryATNkz83lApJMHTraFIc8Wdzh0Qn38o1DnMJAz+D2hsEiCT 3gSD2bQRCiYa6ULmFTbqLGhvXE60WGGzjLml8kSsuglyAo6JEAsHw4khH9cxNrWkRTymmB8f8+0u KvrLTKqL0UDEE4BQFqpKvXhYehb7g0IuwgQAZV5ZXiLrwlPRRUtHvpGDmJQMkOa6072gZjg6FgKO MBf2JSITcc93jNGyfB7EEObzsE163bILJFYPv7TYyiZoI8S6SQ0hj94qFJXtXYJce3D7lOSN0/v4 mENJL7qWzL7pHiQsvB5TV97MH99dm8IqHXYA1+5xPGDlYkRdNzyhaK29Ypu9x+QVXLKyAkN2YdXK oLFwKfB7XbaLwXHR8u32kuWQseCadfa54srD1tV3ZOu5evQjoFU+5pWr4hku/7AVzxu1V3sYdKdE V40lGnZWeK6K9NdeGc0n0VVLia6k4Ox12W6JrlpINBO1PSP6GnVgsbZPIfGBW+7BGHooJfDqQ7N0 HQ7Z6bF3bxPWl73B8byGW9eA+HJi2OF+QaX2Af+/GJWa7Uy69Vo5MRyKVpBJOEmJ0sQfS9C4UqYa beM6jvN3vBvToDc9O4FRBTcBpP7QTK6m2PojmXPW91/mHvu8XE5XSoKV/SZjUgdeh1xtrPSPffx+ jea9Q+0FSXf47o9FQnaZ1hSgnermNtsISaGwlbkeihv0eEK2jl4HtrpWKK7jKoDrTT4H4nmql/ho plYpGdhTh9pwvl7NkdoY0l9U0u+wuAW4krkN8A9dApKLn1K3CzdYzH1X5n9YnEsjtzTk4t7mx2Bk qIzx1rxYFaXIjijVXh3Femn599CszAMYDbkAowfrw4CqZBpDUbaT6UEBJpfALe8tCn/FiMaOgxOy Mn5mixZj8UaT/hkSqrW4Fg7M0QXLj6EHLZHBj4xoxRccRQrPkVATNhHdPH3rEFVjUjghSGu1vDFr CoC8UCAIHb14Jhh/fHzEFl+C4xu42vAZMlm11Z3hukENQPxu2i4aua1FwdDANKyeA0mShyvInQum 5+IgxUTwgfmVND3xm3KEQU9CUaEHo0P/VP5gdMi/wqcVkHuEroW/jSp6+MnrGzxza2JQOXTtRaO6 y0ws40lcYmCvRbQTJwzMVTO6i1GXjlTXbCnIWrMmMwS9Q2cDW7aG8Dlz4JwDOIVwg9EhO5pAlz09 Ta4VP1DDGE7FNWAUXVvbbuii8dw1EX7bELVQCQaoC/PCy4VBYgTybMbSq3Tc6X5pqLnOSnbEUoOX xDx27IPxlDvywdmQhMfiKV5L6OOpDlQIcq5dycgW7K5k5DC6F8xdHt+CpfeImNcMCIDSlc+IINnf 0GAg8fWZRpBhwQIpNTVKK2/V2zeg3c/LLSph/BKMqdth6FaM0aINeHyavbNN6Y4VIR1vQ6lbjSua TQPeeHYYS8wX9TMy39LZiojrltAGfXe5hYZL1MXHCbXo8CPTCAZ7SHxZDN+MQToAA3oCzov1drl+ tKMu1GLwVg67GJ1aE9KATqjx28nJ4C13CFMcwZAcwhqX2+lqObflEJsg3vLBJutTvysslIemDp9e dxvwhaMjX7DHtAUCDtzSiGv9qojoGFYh4KIgbDP8FbAcqmOT4LfU4UsBly3qPBoHcqAHeJJDnN1Z PaRj6azCJArDkC9/+mPTGDDopw8diQBRUr6BvI+wdOdU3KI/4hZVJCQb3lleAwkYgdKDEeUgmWUm rWtCzwjHShZCnLGJuKqpcVv0Ly0y00UXcXcM1sa5NHXZ9y6vgy52vGw123NXvnj7kVv0CPpTd2vv sH2pW9ZoqCtBqw0HD3uI87EhH1FulUwmTP3oukZNWWyOh6k8bWYxtvZd2swGnC/TIbVbgbM7MsJs 1pFmrAk2y++KEgK9fMMDMhS29HRCAANc6okB5FoIIXeQupRkZFAjl67tgCVHCR91ySS7g60r6tct FfM5YflHgQf4u6N3jR+0sINweNUTg2u09B/LjrHQqAhxnyIb4Q8jxK37MzzLJAgitUZttGQaviOt ibSxQ1xEMXeEi5GY2LARr/V7xx1/ggNXYge7aOnuWFfrpY+OKdIkyLK7nFyf2+1f8NrO0m3rulMt RC+dq9pY+c/LmRufy+HpzXDy/u5PRSXW12jtCqOyr6oBrjri1BtKiy/XlotFA7d3MBJDnxqR/Qtr Hne4XCENSXacMm6f45dvm7wETfbZIkQ94iLEDg6vVpfQg//eUjTo6fWjCE1UEFhl1cFxsMCMwK3w pLS/xEHYA8QCiUYyGnLBRMO7cpJWZ+BKF2k3OHt86ne4Wnzqd9Sf2gFkUGpX6ycksMqDn0pnIe/I lTmidRsyBm0t1RfNXWq9BB9rv2cSjXlaqxkRRkHRnuItQHMRtWrwVfmLooTP5rHENn1VnnqrcE6C FVd/gqdIfAI1BeA1UqqTWFEtFUDECvCaPiu/R9/qzaS42756ua6Wi/yX3R7/r3aPA7m2s5WK/tnq Ml+tfp2W6FpviRhPHOGsc8fi65TxAkc3jPZ7J0gcY1yi1PO8QJpnArY0uRj28wMsC/7l8Y01LRnY /CidqMwMEBvKLmWXKiPE71edqIcFEdgsDE26awafar04v+AjCA0Y5bcQqMek3bSaL5d6NyK4yjc8 EG1Umxl10rbI2jv9/QLpmE+r7Xm1nJ4d5esXqZWgqbgXXyuy9DtlJfyIV2hG6v8Z0Tpj9oY+mKRW GaFeEhRnmwG8YvaGSkQyTDRbLoD80/LF9TkyCPB5xF9rgvMZdFvC+z14x+GMxhmw+rFEP9frZFCT F7T2NtzNFkD/N/HbHUqmC9vDwGsdQ2+4SyfgMLFXtHKXUukNgEwrx4EeuJ7RgAtKCf1+SerFiElr tyztFW8LaNzsSOXxyy6k7SAY1bZcfs5pUg0nb9+iW92tAmAQoIxb4s+GMhpzQagCH+WMGc3QBWSp oeY19aH0pJHZYBbII6dtGLgq6zZzjIaQrcyOvTJbGFg3PswUiep21FNeSv/FoNlo1BefC+BQzYQJ 45oJoZRWThvrTvti+IeWaLpfFDKqF9/K+cI5GG502CejARxD4CNu18voQ4POkBpvxk6S2cfiYcrj G7XKYv2LEk09ILg7VBo0NxGqcpLfufKrMTd7CSzCxkVySC8Bv4YT63BtifkYC9bY3dm5SsJ4qsqh Kh9gMswlO0QXv4gHJQHZv00fNv+emDjxRcM07LNP7dFrawnRWVz1v/g2PJCMtvf+h1V+dgGZHbs2 iF0lPjHUA4WAbijFT8MqVmmsrjKPok0EY+Cv4PDvW3MDGkOsyaabWvo9Pka1BZwDcZL+QPzbyHXA bHq+TULJRbsWPqoptDRb6rYwVaiIPox2pgqjoVuFrgbZVRuuklxhlCi5NSmx8YtN/QGph1BcjxFT r/JhqNpB+dAEWAHrMqAx7WLjTT+U4Mh4RM5Yxs1kKn+Jj0qQ+rS1tvyqRFRtE4YkASw9ozJjMtcJ DUOyJ0QT/nrCXKkwi1pWuVpTssQNKeZKt3qt4PZDNE9s34LOzjsqGUULaJOReTvsjjbejp9iXUQz 3G5NdzzOK9f7pKaI0a3dHr8lU+9xmVKslYI8Dt9jqFq1EYPbGqEuEN37NyChjnta3Vso4JcJaj+9 RRLDPlOkpW/+WXNEYA8JgQ3yQR4Jar/l4kdOjPKfHULYqXr1evvNUUXKrgaEaRazqR4MXRTF5+wc avn/eJyiF8J3Tdpl9lrNjkA8mUesmd5Z8l+eYJMzg9va7UtV6N6o9N7i0TNClcE0XXuzTEn2XfVX 5cN0lcGIi1FU3dpc53L2qT33rpsqb8VZ6L5teWnsFtVBBqMu4Mhx2m0HdhCq12HTXLsD4cbxJI6a K2LKszu7r9CFVRCZfp5GnExWGYGG0NM8ykQxXcXtIythpBnhFL9ozFBXDsh3CXTA3x29WuIjy6rT 1dt/dXKeT6zoGWVfGfUGtF0iICt8Et/lG+gxBGcBiXGLq4LEuMUuIbF5FE8cKzvYPi/LqykV2Im1 VJapNoCHuU2mDUS//eFKPwm5dkRbGJe81KVDzsyZVMFEmzejkp5om5Ee1Qx2r/d8OUQPYRC4AHHS wWN+Sbfgpfpw09XmHpSXpUfEdZcFU/WIn9G4ZqxF0IwaqWXf2IkGXTooYYftFqpQEkyhLaXxMJCU niFMxQdt7y1ssKsuXOgbRCxL+5gvcqj8ZBnNKHoc2lOz7kPecQYwIW7d+4aRoLUrsOly5i7B5mjg g819tsRt5nfDhl3UzbDhrurm2OCDrbHxPIQeubk949tKwzXioPHBZ+F3VU+MoE+fqifwN4nl8+Bq 7MHV2OlvEYtwTPkUwe5+IL3F3ojQ5YaOID0jD/X7lixTJrVqF6eYjkU8JMmf4t1RtC0BoSvumDRS 5x/zOx9+YMhJOtXEtZZfGz98RxjCTkcMwdx505dkTKG4+oZ0dww2t/jPchpR4wjaWr1bnB1dTFer oljfuNpu8bGMBl22XcWGmoFWJsXwO2Mgv7R4wlk303uooFACWfUFLGrlv2hddSijz0+ca+WVHR8a NsEzmUjFW5vkggeVLjSeTkYXQ96173nQaEX6uoqj1iy5Kuaf3QyJI2ns6Oc2vyel75afe1dO/qsI zGou7oth7FO8gwm3ouACO6c4YZ+987+jPzylo36BO04n3JXwvWQwHopov2cZw94pl0/fHMMJnH0j mfbdMRoMIm0qRy7SaRiF7xJHYBmfxjA2GZ1G5jjuTXj41gfL8WQQwcdJ/zRG2uMYxk6Hoh29bx2n J6fcF/fd0e+NxrzAw3tLvxeDpt8HvIbJ2x/0xxGcQGHigDuU3rUMB9ChMshH/eFJFKLRKIa5/uj0 JIaX8RhKbcJrmfRFYaAXoskkChGgJYa64xPhgXpfdDI8iQhY/+R0HOHK/uk4BhH07omhbtCbRPva AuYiUgbVnKwrrRIjqB43mzKvqnMISMAZyPt8XTFPwupFy9lI3WSdQtk1qFkRze4zAYTZuW3xWOKk PuuihLFlLFXz8gInm2bF4pu1V6OLhIaA2/tXsqxyO+YVhgFrad6ecw6PK2pHC3jA7WfBQJqbpbmq fLoUl/9QnTCVzg5NAEKvB2nbUxeeJDUBfz15rtTcwoWKd2svIki580aEv4UZMl0JJOxCArrP0HTd 7yf4yu2ALWKO+NwTtPXub8WMDVj9rpw+5B9K4KD7a3Y2mT51AL+fyunm7GhdbC9yPN+LluXL+Xp+ X5RnR5vpJ7oApRzswhY36nDHt7OjE2EaPWEUizdnzMJBXcHqErq/sl/yYCLz3bpnywEhyc+Xg644 kzuWjVmzYWFRCha73CSnqwHHoa0LPMnlsug7ZEYRAXE20RwRaXKA7/ATYpbnAZFOuu5aqiqFvlDj jl9bPpyy7flq+ljl7ppMNqaeFPGhQ5eB9HJsbtya1V+bx9JbyZMMdXsSmHYMXMpYq1PoGnsG/OR5 ARrZVF50kVgVmtJCZYxspD13yprKwFHKPC0XxdMlHPQvixVagukKmyrQy8BJNQtJtKhGPxoJGPCt ij/KAzvI+m3i/dpbBtidSKzHeccQq/nDd0RXOoqudBRd6Si6UogD0UpBnQnkuowpQMmOyaBg8B/8 8yPb98h+DFp1iwjNUShhz/eIL8YsFGTZZFN4fslXX0D852rcu75GSJ3R/5WQ924Hb1Lty7x4eHD1 uhPX2dr0OrEdrIyJmIADaaiMuu7FxFFDqxVQCyigLmSI6y5kqGqgeV5YKynDH++hhMIXs/A1SzRZ p1UnywBa5qz3iENhUk8SJiZGbKFDHuGnRlFE9ROj+OLuiM+hRBPigzSjwRgXRI2BSxkxUMKRpsTj s6Z8oJE1u5J0hzZY1Bc4YeQ4CosjGQ45GUSVmyjGhBpXAjqHmtapT7goi9VMrdIqW8Blc8TOLdCl I0W+RoNOPqk+FJIXvp9uyQqRHQayf/0L0h3kxk8zHqXXHIa63X1YtgOGcEYKp5ZqUftjRFi6PsTA 6UtVE3YdiaRyWlVFVMIDhlAgXJGn7yv8QSaQu6y9swFnt72zwReHiH/5Z5Nt89uFJJMqiVkyEFhD l/NabLs+jqN4WBaB+Fj2AZ0ZWmpUAB1SplmtFzyrojK/M9tmocD0+SmSoHhz7DetkvNyq72/tuOR oak36wXEYHMoeMvLfO34BjGcB8UbslLeQSvpzp39kpesZ6bYVUOSEppdzsvlhnaYgK9IykCzyCZk zlSPAIriyi54VO9LzfZwdOGkFOAN8g6sfMckh/k6MyTDx1k0v15QMnE8oLlEIiHb0TAEZijmrjIg gY1avn58WOVf7NJmOeDiBT7IS0Wa72FjmgMqMiL1CyOoMWI0UWy8pn1GUJeDdyjaR1W+w9FYDJP6 9XOmJksBVEJHCEur4jUXAln3CDbUdex2xj+UwNvyAmC6fTGYrGsn8G75yR21hgE1ZG1IpKpeWmPE wVcH7PepHWKkDxiqeOZqn33e8Om1Ee4SR3zUCPkzFZEAO9v+Plz0VNXDyI6sX2OJZJ6Juc7mGnbe 0n9cHTSxnQF5B35+LB1BDHbdKfadMPlfZt+DyTZSjjU1A2dKZ4zIHREPWBCIZx+3Z9c9fNs9+X4s hfUdjgSnGt8b7DTwPv8EbqytiWjwlo0+k1weHGH9mb6U77/Lskldx9ZbVWZowNfoVD59BOVSGqCo xg+kZJo6FZ04hKBjWLTL3KZwCPyhMAJAGW66fOn1CXMh9pJc59bxY57rF/nPjrzhu2K5ghS2I9qL IxkOZR1kyQV0RGL8UWfD6kIr+F7Aybg3pgDCNa+5OqGsbKjkSlRYyZKrh2kJZ65xlq/0RYuzI26u 4AqUYfHi483FokRqsy8hOD4OMcEZEP3QbpHWRJ6K+lkK+R2EFk+juy9WYJcJPJc3rO3EZJcPUIqC C7Uboh+3x0PvRGHfDOkpFL8epDK84FsGA3FAz7eOwVjU4nnvOBlGjiwMoclHGNrhKHYOaHg6icyR sIGGoojwOkbRMwTjfi+yTR8PTyJnIoA7uM7y4XTMTyEA78MtVBpTqze5HW7kbZoRyLr0AjiY55Tr a8Q1M/q/aRL1pNpi+uLn/4VI7c5S3kPjvbui2FqxBxy4pRG2PL0ioxNfVmBbIcxzaRj9Pf2Ujjaa hZN7aWOf6NpFU11NtxSznVQkFxM3IzIiCUxkbO4HkEdmRAv2sh92MaGX/xAqLtYqSL/A5bqNpC8F AbTwhJFT9wvwcZj8Cb4hZUmNHHAJjb46dd2qOPlWLV0yh9ho9vB7NO8AuD3owMsuZKggt0ZFwH/D kveLMp9+vqCAJi3BVuvOIJoa6D3u0ec7ZcMc/A1zAQvpe5kZe4Esg2c58+6k/m0JpWKOgAO7HENw G55irdTAXm0KOCZ/esxcE4BI8F8dd7G6rkn1aBrCeNUBeLYgwcLRg0JJA7HsSneIvUMM2mc6+OXv jNhAQKt7zLKkSceYtRv6EGa5W2fYKlUnRFm2Zr9OsSQleC+MZmfKCB2jqIr87ujoWqGhBQdBn7ld GRi5nTmRwo0oZ6DWlkMoMa/v2W2vRP++cSC/j6MsRbPng5HocOq94zR2dnk4kIXjAnLbGMpa+UiT J6nd691KagWw5mDJyoJ38Pnzr7ZogB3Ov3r6Y6mqojUTqIYevimpefigB1OcRB0Gu28Vg8Hdt6p7 GEZSaTWJw+kwTCynlsHAd/MBld0NHaDuHgUf8N8ehmMPDDxWsG8YxPmYnWA48cDAj2nsAwahGhQ9 I73AFejrHI6SLiBWIJzCEe87AnCKRzWRmrAGB9J5NmqMW4nYqQctPGD1I6AFORzjQLIJZwccz82i Bznc2DoNqk8LvUPtywOnUe9DkF/hHD3E4uqlo9/xXAZ3FOsuEw8XD44joc2EYDA3+4ro2AaZnxNT egUA20CJGYT+Q0fIhNqRdnpm7KG6rgwlVqFsk+3N0Vjga0rUKk/JVPlYLVFZBCou3l39/Ob/QBjX TKax61HZ8C1MRgIcMgAJrCWck0dpd+rPsZR88bCDCdg9T69V1QoxfE2F4O/mRjOArBVkq3LWddk+ cUGDvCezJw23Vr+TSezX2jvQgjwyO1V/tn1RPEL2HtFhfradknRWfgyda7iZsmP+Z+nz79azem7N /7T7zWRM270aZZon5pI2vju65iHOmFkStHJv1XyWRb0elSqN+kJKDsbMBNW3Glzk1UqWatbyB5g9 ENK+5zpLxwdl4BIJ6jO5ULr1f27/IJlwsrRSVb94NAHkWHpw9flvPSr8/aj7YuBoNr/K6bKLyoL4 rbW0ip6We+mQ0lm+wEMTtubh110g1SdBWwPl0DdaaKZf92wTt9oG3KEGdGOOfeAAgAPSDR5k5+y6 C9krlRCt8V0jT28hIlADf1OCMkFGcvBQVO9FrZSg/g9rmHSOPHj9tnTrN3bZzZ+MyFFKPoseqxxM SLJVOVlRE64oBJYQ9XX9srsQvV9WW4g4mxspvJyJSLS+zPOL4aD3lgHHTaRDZDTdmnz+D3SCTBqy zTH/DCz+4P1VoD0nvlzoEbkzNrNoezoqqIW9A9oJMejGKw/EGI2CVj+t4AknzzRysh20OGD3TFb+ q7LKq8ulSzaQLXkOxCUDQnnMqhxxKa7ai9ElytGNy0FFTaImrIYNhEDcWQuOqHNTnRWn6zvWIw1S kr6bq1s5vEK45sLloTu51dLSqSu45gSFX44yhSoj3fvlD9UnZ2szcd219EaayeZQ0RRMBQwPIaj7 sfpQgi78proPlKPsL4Dy67dLTw+sX79lYmhnxP3AcRM97M21UNR0Q4OQcpmX2VX+RLxwvq6WZ0fq VYZT+r/zU3A7B1+0jgABM78uNmVR3FnCLq67iK90X/gEnV7v30LZEtMMfhXAazfXxQd8HcwKSOzo hA0T4jl+dLBvV0+x0WxOHyXM4AYXRI30QFLQc0av2Z/kshWTy2X6vhziJHeskxPvB+yf6Z4X8NyO e3aG2wL6WqBHb0kNR70cj/GaGp3Q0hz0oF+auCnRFKuIySvHdfSkgHpcx5UUQLVGcX2h33ZH15pS L9XS3kiwkazKYCyGpSgebMtMUSw9kCBOtAjopLu4byF9hOx1kF3qG2KYUPmF8VpM74Y4JZRB+g7M gtsLu/IKr3oLr7Y5L75rrsdUnw2+naOVUvsZP9Ws4qqn1drmewKHRly0Pr++6qMdw9fEKMstqulH ql4G+qFB36NmffaVMQC8I6O8BgRgcxUbAziSsSEXChBBMdA5U6skHPRGpEiEdPtJmBoAkRDYvb1r ELK1U3vJZ9tAMhqeaDsI/h2r7iGznSUJmNtN2gmsIRxUBYJ3C4abNi/dVGmkMUVcAv6KNPnB+zm6 wYOuThof8dOrggAO+/dMTVaQjezaF7zKxMWILMaJ2dosHhyR/cXZKREzXtSos4EvIazo/t3abTdR qHa2AcnuTjVcSYaIOoAOOjYON7LOEAbuPJ0N91wRcfX4MMvLd+A3wsba2t7RYMZH3Sa0hEov9YYo AnEn8V62346hU+RD/NwqsshiJpeHDmq1aTmhTp1IanB3F2AzgHIiE/+bwauEIqMkjF9Bq0EioEAT /BXGRuPf0diPUAWHinmV2n3PrArCb/vsdJEAi6IhBrlgNSCmuBV6SDo+dGeZtZaOMcdXqzacqZoQ 77P5SvYrDVQ9tcHnAbstjhRPlI4fpqvpdrkuyLdhuxt5iXiu6/RP6p4POps+LKvK9TEgZYiWaFB4 h4CqyeWBrDELNNdmX6bgIlu+VPghsjvPF9AoyGLteuQ5oMewe/YRPrRNHW74BtjsX8oWEuaXGlVd N4X67fc31zfv/nFlYUoOuBDVaP9iW1xnDhVPGIDJoXJgbC6k7dGkEZnRcmp8tDpjF8hCuHrpp7XR V11/PFpSt2mIqkoteqo7QDby0NcAJFjaCTEDFyMilGoYAOaP+Z29N0JcwADbHhnKQ+UKFRvq9Sgu knIaTIHs2aEAUD3HNxAJyumMfaDBprsUmiQMmdo4kNRlIiU/EqbIFsVeOuWpd9f/sDQNYPMWrnsa RMIoY7Yo5wivTHFdD8ThELIKf3fM+gA2Li/f3dw4kUgjfjQi7kl7RjFpM5+mcroD46oIAAKDtNyA eEUhCWjWw2UXtXavLkHy6Xy4W7Zn6NoaXr+5dDoH4nqMPq2tgEgh6omhCjogQLkSeAl4qCk5MeTF 59PrJF3KFOQesZzP8QOdHmNzzUYDpwVV+9oe447WQD+giCSStLF5rKnfdc+PCkp05o4oNLvuVIF6 u4+oEox0rthdnbOl2l1txHWXmjhMGO4Xn+xcFAODhgKQ8ERVlBoOoUqOsAlroBeDydLfCKHlJmrP jrPEl48jAJU8W27Y9kNjiuvtdL2YOlrayQFiiCjNazMDBu0eZVq4hJImpkYKhE9qXcTsveyHuddQ oR3/56V2RpIM+HuV/4Sdfn/afnWqL9VeRVHnEJcD8epdbgVUedXJBL3ky0vpuucpPOrug9p1IFGL AshONzdIueKO9dG282NE2Ky4y+6o0b8vVYYZH0b21r7IwdFcSy8Fu7+c9o4phwnyLaBQi0P0INcQ knpIc9HzxAh67W6YiWRblEUQRTN9RIMvty9x+GUXoqpHrgT48BdgpMYC31dwNSJqJhdaXTOOVdaq 3TAYRBoq160mBNj2Hvq5dUNtJroOGgOMK6qpgs9c2WVVNPqSf8/KXVNJtwi+JBPavGxOIBr+uvnL RVWdA11k1e+w6apKc6ThiFfjmymAWu+bI4SbmpAy9NtRlPcGCfl2ubbjvDRyC0NRC/7X0fKKzral V4uAScrWpBH1/Hv2rYHbVzkkncv8D7dCv+WDxDmGe93I8dJCZ/Ba6gEPf4WwaQqyPlsk7myBQWE4 u2TuGzBuPu7GsSh7Rx1U1eoJr353y32DdKaIkO2I0RiLB2VuL6x+msEXBcJFLSA0r+jQHdndgfv6 sLKYF6/tzLOC+eCvYFNdnz93RxW/zzEUPW2UtWoihX0CCSG+G3iHDP8rIC4QmaLPe20F5uCdJ/13 DPhJ+sAdo9g6BsexOwBdEViGUYxC/WFsjihOR1GcQoVU5C2jKE7hGx+ROeDEceyOKE4BHTRHC7tn Risuo+cMQR7n0DKd5SGJr+sTeGoKQ1T+Vn9eVkKG++R9wzI7sgzMDv5cTp8goWBpIjaaieGdlZJL t9KkdVRo52bdNnY9IYM4ElOLbFgfPDoxVM3h0w8WHtkNmXKHC5XsrpiZIsID/fGAJ7LFtJov4SCr 6S7DSKjKhpUNPAq24ukkWFUcK1rEJFA/Asp6leOOut+7tDBCg7c4mvV72aXT3ikTxJDCD5+E2AgA 82ScU8mMB4Eu4RCQvc+DkZf9jI25KOuvJYMTi58FEXD+GKAe6icrHfVGtlL2/8uK/jZQROSiyngr BTXy9YsdPiqdTIY17LOgDn25XeWIcou3qGXo7VWR/dv0YfPv7KvARBwnlyXSRnkptza6J3n+pj8Z cZx4iNRQRGdEkXpbNfhuGF8tphsLy3SRMY/+7Sc/QnWMqR1KPBhTubVWaOpVA0ep4Z1UXnsLXx3K SyeXsaFd+YrNwhhzVcw/5wuCSMfU+cnx8RuuIz2YasVbxgb9GWSXZ7VIjVocxQczpkkZToyMyj0b +6kPnaQg4pavCP8/rcRlpoN/esd/b4u5+Nf/+7/bx1XB5/6JPQuGB9X5Tyvxj3v20QlxF3d//meG tvZ1JrMT7KUXcCaU/esaP7eYXdCHhKCbQbbZsuugpLL6LtjClnnWn7GxVc5W1lAnRRnD0hojzlwQ WReGxqun4YbZcgHexLR8cX2OD8bdgVRRelhPv6C9t8guB3ZRJrWI7G7nkQ89Qs+GiIINCacaejYL m0An6MXJeCyah3cj6c8v4zzcPXBqTTG4KwrFPJy5fZqz/2Zy0ePN2H9wfLp1psgtdIRP7n96LdHF 8Wj4hmeIDg2fqfsSbKIHHe7NHCBezljne9hdVcuF0Ja9nuqp8J0G7E2CUeDkI1Jq6hzbl5wdfffu hEKDVn/7/wIAAAD//wMAUEsDBBQABgAIAAAAIQBZJx03EQIAAIoEAAAQAAgBZG9jUHJvcHMvYXBw LnhtbCCiBAEooAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKRUXW/aMBR9n7T/EOUdHBjd BzKuEFC10ihohPbZc27AmmNbtotgv37XSQlhmzZpixTpfvn45Pg49PZYqeQAzkujJ+mgn6UJaGEK qXeTdJvf9T6miQ9cF1wZDZP0BD69ZW/f0LUzFlyQ4BOE0H6S7kOwY0K82EPFfR/bGjulcRUPmLod MWUpBcyNeKlABzLMsvcEjgF0AUXPtoBpgzg+hH8FLYyI/PxTfrJImNEcKqt4AJZn0+wui88c3w/L zfOiX5hwpKQdobkJXOWyAnYzxHqb0TXfgWcDSpqAPhtXYH6DlSaksz13XATUkw0GcXWnQKfWKil4 QKnZUgpnvClDsqpFSSIAJd0RikJtQLw4GU4so6Sb0s9SI5VPlDQBUnN857jde4a7djK6EVzBDNVg JVceKLkU6D3weNJrLpEwPYTxAUQwLvHyO571KE2+cg9Rw0l64E5yHVDLONYkdaysD47lMijExl6T 12F3rBvLURQRZzH442CLDer/seOGzffhptdfXrP3qxJ1C78RYtgVoubUyNDQe8i3vTxJvixmq+Vy 8Tif5g+rxy7dVpS/Tl5R/InUzFSW6xNDELTVaxJ98M1vbW7m0d2vJ3xd7JjyWYb9xnIRXfwuwzO4 2LPToht0MRTotzPgpUDv0Q1OxV1xrd5BcZ75tREN/9T8Wthg1I+Xrnb4uYY+be88+wEAAP//AwBQ SwMEFAAGAAgAAAAhAF6R2uDQAQAATQMAABEACAFkb2NQcm9wcy9jb3JlLnhtbCCiBAEooAABAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIyTXW+bMBSG7yv1P1hcD2ySNEssQtUPqnUrSZTS7uOm suzT1BoYZHtN8u9nk8DSbheTuMB+Xz9+zzmQnG+rEr2CNrJWsyCOSIBA8VpItZ4FD8VNOAmQsUwJ VtYKZsEOTHCenp4kvKG81rDUdQPaSjDIkZShvJkFL9Y2FGPDX6BiJnIO5cTnWlfMuqVe44bxn2wN eEDIGFdgmWCWYQ8Mm54YHJCC98jmly5bgOAYSqhAWYPjKMZ/vBZ0Zf55oFWOnJW0u8bVdIh7zBZ8 L/burZG9cbPZRJthG8Plj/G3/O6+LTWUyveKQ5AmglMrbQnpbfEQFgitsqtFnmfz64vidjFPcK97 J9fAbK3T5WJx10rdhhcFGK5lY92E0ov7nCIUk4iMI3f3BK++P20JIeLp9CQT0nsomkbTyElfPvfS KntEISLT0D8T9/rpsr3mGO0nWjJjczf8ZwnicpfOa21rhR4l0+IDyqqKJfhvlz+o4VX6Tygdto5+ 2UGXWioLIvWZfYiYFPEZJWNKyI+e2Zlc0e2o9m0BgVzz6X5UnfJ1eHVd3ASOFw9cReFgVDjY2WjP 61xtF92tPbA61PafxI909I7YAdI29NsfIP0NAAD//wMAUEsDBBQABgAIAAAAIQAV06RctQMAAJET AAASAAAAd29yZC9mb250VGFibGUueG1szJjNbtNAEMfvSLyD5Tv1+qOJEzWtktAAEqoQDQ+wdTbJ Cu+u2XUaypUjR+A1EC/A28AJ8Q7MrpMmjbPFTgPFVqV0vDuxf56Z/0yOTt6y1LkkUlHBO65/gFyH 8ESMKJ903FfDwaPYdVSO+QingpOOe0WUe3L88MHRvD0WPFcO7OeqzZKOO83zrO15KpkShtWByAiH i2MhGc7hXznxGJavZ9mjRLAM5/SCpjS/8gKEGu7CjaziRYzHNCGPRTJjhOdmvydJCh4FV1OaqaW3 eRVvcyFHmRQJUQqemaWFP4Ypv3bjRyVHjCZSKDHOD+BhvOKOPO0KtvvIfGKp67Ck/WzChcQXKbCb +5F7vADnzNscMzD2nzhDyoCqvoLT/AyscPESpx3XXHDOyNx5KRjmrqfXJFMsFcmXaxAqzGPMaHq1 tMrV+ozmyXRpv8SS6psp9ig6gQszdYE6LiqOpltY/GsLRIRZE5Qs4U1LsuanFepdYFn3A7fvFWFT orD5pHpBhrlQxAc/BgYK4GygEB2iCP4C+BT9VSKnQCToDgYrIn2wNOPILxFpLSx2In7hpzqRvphJ SqR++yY0yjSaQKBlqGgaUS0aTIyIXATUjQAZ07dkVI4OKwvzniGCVtHxF1hsRIfTE+mocr6UwQUo BnRNCKJ/EUY6r8JuvKfEqhtGXcj31BJAPUinyASQTi0IoRrppOZUqWL9jfixF5j/IIQsHP5tWdHx AMee4qFuoe2HrWHYeD5+Vzl/KukNnuWiVjQUENCyfKzLxA5yg0xJrl5ce0K8dro8p29m2BIUESRH AAVC600IZ53k2FF9g30ViZbRrOo4hngK/YIFRFElCtnV1aIOiB2qhA+ie7opug102NsU3eBPQuOj 2qL7lKSXJKfJ7SyKanmHislFPpQzMrzKiGnpKlbQ+82ZRUNiiZImKMk+mpFb0Viak/vl8gLr0YML A6ZSsdyxPNybZuissLz29RYi3L043PrW7S3F/b74Hoa5eGLAbMxtP79++vX+80IPS1NMCMqiD6hP xbm17Yr9wnzXua6nvwrGmNUU02g9bjb7g1JBDZeTnm2KiRGqqyznlJ3P+DZGP758+P7to42RbxiF S0Kg79tm37ixjdEeepEgjgea26bm+PBLhRmGbYgi2FSzF+ljdgFNuiXB9KhbaK8efeupb/06o3t0 FKyrr34gFF1bVmPeko2NBHCoGyx9nFJAYSExMNOaUd3aJHbrQ8okuv0tJP7Uh1QhsfhdRB3/BgAA //8DAFBLAwQUAAYACAAAACEAFKJkc6cBAACNAwAAEwAIAWRvY1Byb3BzL2N1c3RvbS54bWwgogQB KKAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC8k91q2zAUx+8He4eDruv4o/MaGzvFtV0w w3aJna29NLKSCCzJSEo2MwZ9h73hnmQy2dZm0JuN7VLnHH7///lQdP2JDXAkUlHBY+QuHASEY9FT vovRpr21lgiU7njfDYKTGE1EoevV61fRnRQjkZoSBQbBVYz2Wo+hbSu8J6xTC5PmJrMVknXaPOXO FtstxSQT+MAI17bnOG9tfFBaMGv8hUMnXnjUf4rsBZ7dqfftNBq7q+gHfIIt07SP0efMT7PMd3zL y4PUch33xgougyvLWTqOd+Olt0GSf0EwzsUeAt4x07rB8gMzuKMOh/Gj0nJ1v/AdF1IhJd0R3h8Y uJH9lI7sn8p/6eHymYe+0+TMhBdA2U1gprn8J+Jvnolrqodz9YKfNmzuBzTBey4GsZvg2+NXqM0F QDMpTZiCgmsiseCcYD3XzgXtnkBGpYkIOYVQip4MCtqZQnE3/IfB+r/35p2NtsnXRd7AfQhZ0iZQ 5e2Hev2uuYD6Lq+geWjavIS0LstNVaRJW9RVA0mVQZOnm3XRPjx199Jm7PlST/9o9R0AAP//AwBQ SwECLQAUAAYACAAAACEAc6h3i88BAAATCgAAEwAAAAAAAAAAAAAAAAAAAAAAW0NvbnRlbnRfVHlw ZXNdLnhtbFBLAQItABQABgAIAAAAIQCZVX4FBAEAAOECAAALAAAAAAAAAAAAAAAAAAgEAABfcmVs cy8ucmVsc1BLAQItABQABgAIAAAAIQCz4WGKdwEAAMYHAAAcAAAAAAAAAAAAAAAAAD0HAAB3b3Jk L19yZWxzL2RvY3VtZW50LnhtbC5yZWxzUEsBAi0AFAAGAAgAAAAhADCbcmINDwAAvU0AABEAAAAA AAAAAAAAAAAA9gkAAHdvcmQvZG9jdW1lbnQueG1sUEsBAi0AFAAGAAgAAAAhAPpKNGWhAQAAygQA ABAAAAAAAAAAAAAAAAAAMhkAAHdvcmQvaGVhZGVyMy54bWxQSwECLQAUAAYACAAAACEAd4XhodIF AACXFgAAEAAAAAAAAAAAAAAAAAABGwAAd29yZC9mb290ZXIyLnhtbFBLAQItABQABgAIAAAAIQCX R2gegAIAACAJAAAQAAAAAAAAAAAAAAAAAAEhAAB3b3JkL2Zvb3RlcjEueG1sUEsBAi0AFAAGAAgA AAAhAI7dGSKhAQAAygQAABAAAAAAAAAAAAAAAAAAryMAAHdvcmQvZm9vdGVyMy54bWxQSwECLQAU AAYACAAAACEA+ko0ZaEBAADKBAAAEAAAAAAAAAAAAAAAAAB+JQAAd29yZC9oZWFkZXIyLnhtbFBL AQItABQABgAIAAAAIQCUU3ecwgEAAJQFAAARAAAAAAAAAAAAAAAAAE0nAAB3b3JkL2VuZG5vdGVz LnhtbFBLAQItABQABgAIAAAAIQDibNTByQEAAKsFAAASAAAAAAAAAAAAAAAAAD4pAAB3b3JkL2Zv b3Rub3Rlcy54bWxQSwECLQAUAAYACAAAACEA+ko0ZaEBAADKBAAAEAAAAAAAAAAAAAAAAAA3KwAA d29yZC9oZWFkZXIxLnhtbFBLAQItABQABgAIAAAAIQAw3UMpqAYAAKQbAAAVAAAAAAAAAAAAAAAA AAYtAAB3b3JkL3RoZW1lL3RoZW1lMS54bWxQSwECLQAUAAYACAAAACEA8jDu1PkIAAA7HwAAEQAA AAAAAAAAAAAAAADhMwAAd29yZC9zZXR0aW5ncy54bWxQSwECLQAUAAYACAAAACEAkhUil/gAAAB9 AQAAHAAAAAAAAAAAAAAAAAAJPQAAd29yZC9fcmVscy9zZXR0aW5ncy54bWwucmVsc1BLAQItABQA BgAIAAAAIQCdNkaj5AEAAKMPAAAUAAAAAAAAAAAAAAAAADs+AAB3b3JkL3dlYlNldHRpbmdzLnht bFBLAQItABQABgAIAAAAIQDc5AFo/zQAAEiLAQAaAAAAAAAAAAAAAAAAAFFAAAB3b3JkL3N0eWxl c1dpdGhFZmZlY3RzLnhtbFBLAQItABQABgAIAAAAIQA1nZI7djQAAAuLAQAPAAAAAAAAAAAAAAAA AIh1AAB3b3JkL3N0eWxlcy54bWxQSwECLQAUAAYACAAAACEAWScdNxECAACKBAAAEAAAAAAAAAAA AAAAAAArqgAAZG9jUHJvcHMvYXBwLnhtbFBLAQItABQABgAIAAAAIQBekdrg0AEAAE0DAAARAAAA AAAAAAAAAAAAAHKtAABkb2NQcm9wcy9jb3JlLnhtbFBLAQItABQABgAIAAAAIQAV06RctQMAAJET AAASAAAAAAAAAAAAAAAAAHmwAAB3b3JkL2ZvbnRUYWJsZS54bWxQSwECLQAUAAYACAAAACEAFKJk c6cBAACNAwAAEwAAAAAAAAAAAAAAAABetAAAZG9jUHJvcHMvY3VzdG9tLnhtbFBLBQYAAAAAFgAW AIcFAAA+twAAAAA= ------=_NextPart_000_0036_01CD8E92.38226500-- From piyush@identicate.com Sun Sep 9 10:43:37 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8379C21F854A for ; Sun, 9 Sep 2012 10:43:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3y3O5NqucUxb for ; Sun, 9 Sep 2012 10:43:34 -0700 (PDT) Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe001.messaging.microsoft.com [216.32.181.181]) by ietfa.amsl.com (Postfix) with ESMTP id 662FA21F8487 for ; Sun, 9 Sep 2012 10:43:34 -0700 (PDT) Received: from mail108-ch1-R.bigfish.com (10.43.68.241) by CH1EHSOBE018.bigfish.com (10.43.70.68) with Microsoft SMTP Server id 14.1.225.23; Sun, 9 Sep 2012 17:43:32 +0000 Received: from mail108-ch1 (localhost [127.0.0.1]) by mail108-ch1-R.bigfish.com (Postfix) with ESMTP id 6B92A3000D1; Sun, 9 Sep 2012 17:43:32 +0000 (UTC) X-Forefront-Antispam-Report: CIP:157.56.244.229; KIP:(null); UIP:(null); IPV:NLI; H:CH1PRD0610HT001.namprd06.prod.outlook.com; RD:none; EFVD:NLI X-SpamScore: -23 X-BigFish: PS-23(zz9371Ic85fhfb6I1432Izz1202h1d1ahzz8275ch1033IL17326ah8275bh8275dhz2fh2a8h668h839hd25hf0ah107ah1288h12a5h1155h) Received-SPF: pass (mail108-ch1: domain of identicate.com designates 157.56.244.229 as permitted sender) client-ip=157.56.244.229; envelope-from=piyush@identicate.com; helo=CH1PRD0610HT001.namprd06.prod.outlook.com ; .outlook.com ; Received: from mail108-ch1 (localhost.localdomain [127.0.0.1]) by mail108-ch1 (MessageSwitch) id 1347212609799437_10582; Sun, 9 Sep 2012 17:43:29 +0000 (UTC) Received: from CH1EHSMHS020.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.245]) by mail108-ch1.bigfish.com (Postfix) with ESMTP id C10F2160047; Sun, 9 Sep 2012 17:43:29 +0000 (UTC) Received: from CH1PRD0610HT001.namprd06.prod.outlook.com (157.56.244.229) by CH1EHSMHS020.bigfish.com (10.43.70.20) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sun, 9 Sep 2012 17:43:29 +0000 Received: from CH1PRD0610MB393.namprd06.prod.outlook.com ([169.254.11.123]) by CH1PRD0610HT001.namprd06.prod.outlook.com ([10.255.151.36]) with mapi id 14.16.0190.008; Sun, 9 Sep 2012 17:43:29 +0000 From: Piyush Jain To: Santosh Chokhani , "denis.pinkas@bull.net" Thread-Topic: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 Thread-Index: AQHNjnEHgZXkJBUgwk2vcpMVLwEnCJeCRe8A Date: Sun, 9 Sep 2012 17:43:28 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [75.25.128.241] Content-Type: multipart/alternative; boundary="_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEB125DCH1PRD0610MB393_" MIME-Version: 1.0 X-OriginatorOrg: identicate.com Cc: "pkix@ietf.org" Subject: Re: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 09 Sep 2012 17:43:37 -0000 --_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEB125DCH1PRD0610MB393_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Not sure if I get it completely. In the security section we are saying that it does not detect the 'abnormal= ' scenario where RA ,CA or responder is compromised. And the reason for introducing this extension is (from the draft) - "either= that the target certificate has indeed not been issued and thus is a forge= d certificate", which implies that either the CA or RA is compromised. In summary the extension is used for detecting CA compromise scenarios but = cannot detect the 'abnormal' case when CA is compromised. What am I missing? -Piyush From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of San= tosh Chokhani Sent: Sunday, September 09, 2012 2:54 AM To: denis.pinkas@bull.net Cc: pkix@ietf.org Subject: Re: [pkix] New version Notification for draft-pinkas-2560bis-certi= nfo-00 Denis, Thanks. We are almost there. I have suggestions in-line below. From: denis.pinkas@bull.net [mailto:denis.pin= kas@bull.net] Sent: Friday, September 07, 2012 10:24 AM To: Santosh Chokhani Cc: pkix@ietf.org Subject: RE: [pkix] New version Notification for draft-pinkas-2560bis-certi= nfo-00 Santosh, > Denis, > > On 1, If the CA has been attacked,, you have no assurance that the > adversary has not created an OCSP certificate as well. Rather than arguing we should concentrate to improve the text. What about: When certHashValue is returned and the hashes match, then everything looks fine, but this case does not allow detecting an abnormal situation if the RA software has been corrupted, if the CA itself has been corrupted or if the database to which the OCSP server has access has been maliciously corrupted. [Santosh] This is almost there. How about the following (added OCSP corrup= tion and cryptographic algorithm) When certHashValue is returned and the hashes match, then everything looks fine, but this case does not allow detecting an abnormal situation if the RA software has been corrupted, if the CA itself has been corrupted, OCSP Server has been corrupted, or if the database t= o which the OCSP server has access has been maliciously corrupted. This may also not detect hashing = algorithm or signature algorithm compromise. > On 2, just like the CA compromise scenario you cite, the mechanism > helps detect collision. If the CA knew of collision, it would of > course change the cipher suite. Maybe, maybe not. A collision may happen without a defect in the cipher su= ite (e.g. the HSM has been successfully used directly). I believe that the current text is sufficient: When certHashValue is returned and the hashes do not match, this extension allows detecting an abnormal situation : there exists two certificates with the same serial number: one regularly issued by the CA and another one which has either been forged or obtained irregularly. If you don't think so, please make a specific proposal. [Santosh] I withdraw the second suggestion since it becomes too convoluted.= I have addressed some of it in item 1. Denis > Note that 1 still for collision detection trumps 2 since collision > creator could have created OCSP certificate and put the rogue OCSP > pointer in AIA. > > Santoh, > > Thank you for your comments. > > See my replies in line: > > >Denis, > > > >I have couple of suggestions for the security considerations > >section. > > > >1. It is worth pointing out aside from RA corruption and database > >corruption that recommendation here do not fix the situation if the > >adversary has attacked the CA and pointed to its own OCSP Responder > >in the OCSP field of the AIA extension. > > This attack, as described, would not be succeed. The attacker would also = need > to create an OCSP certificate for the OCSP Responder and for this heneeds= to > be able to corrupt the RA which allows the production of OCSP certificate= s. > > >2. It is worth pointing out that the mechanism presented here can > >be used by the relying party to detect collision if the certificate > >signature was made using a weak hash, but the hashAlgorithm in the > >extension is not vulnerable to successful collision attack. > > This is not a realistic scenario. If the certificate signature was made > using a weak hash, the CA will ask to its superior CA to revoke its > CA certificate. > This is thus outside the scope of this extension. > > Denis --_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEB125DCH1PRD0610MB393_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Not sure if I get it comp= letely.

 <= /p>

In the security section w= e are saying that it does not detect the ‘abnormal’ scenario wh= ere RA ,CA or responder is compromised.

 <= /p>

And the reason for introd= ucing this extension is (from the draft) - “either that the ta= rget certificate has indeed not been issued= and thus is a forged certificate,= which implies that either the CA or RA is compromised.

 <= /p>

In summary the extension = is used for detecting CA compromise scenarios but cannot detect the ‘= abnormal’ case when CA is compromised.

What am I missing?

 <= /p>

-Piyush=

 <= /p>

 <= /p>

From: pkix-bou= nces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani
Sent: Sunday, September 09, 2012 2:54 AM
To: denis.pinkas@bull.net
Cc: pkix@ietf.org
Subject: Re: [pkix] New version Notification for draft-pinkas-2560bi= s-certinfo-00

 

Denis,

 

Thanks.  We are almost = there.  I have suggestions in-line below.

 

From: denis.pinkas@bull.net [mailto:denis.pinkas@bull.net]
Sent: Friday, September 07, 2012 10:24 AM
To: Santosh Chokhani
Cc: pkix@ietf.org
Subject: RE: [pkix] New version Notification for draft-pinkas-2560bi= s-certinfo-00

 

S= antosh,

> Denis,
>  
> On 1, If the CA has been attacked= ,, you have no assurance that the
> adversary has not created an OCSP certificate as well.
=

Rather than arguing we s= hould concentrate to improve the text. What about:

   When certHashValue is returned and the hashes match, t= hen everything
   looks fine, but this case does not allow detecting an = abnormal
   situation if the RA software has been corrupted, if the CA itself
   has been corrupted or if the database to which the OCSP server has
   access has been maliciously corrupted.

[Santosh] This is almost the= re.  How about the following (added OCSP corruption and cryptographic = algorithm)

   When certHashValue is returned = and the hashes match, then everything
   looks fine, but this case does not allow detecting an = abnormal
   situation if the RA software has been corrupted, if the CA itself
   has been corrupted, OCSP Server has been corrupted, or if the database to which the OCSP server has
   access has been maliciously corrupted. This may also not detect hashing algorithm or signature algor= ithm compromise.



> On 2, just like the CA compromise= scenario you cite, the mechanism
> helps detect collision.  If the CA knew of collision, it woul= d of
> course change the cipher suite.


 Maybe, maybe not. = A collision may happen without a defect in the cipher suite
(e.g. the HSM has been successfully used directly).


I believe that the curre= nt text is sufficient:

   When certHashValue is returned and the hashes do not m= atch, this
   extension allows detecting an abnormal situation : the= re exists two
   certificates with the same serial number: one regularl= y issued by
   the CA and another one which has either been forged or= obtained
   irregularly.

If you don't think so, p= lease make a specific proposal.

[Santosh] I withdraw the sec= ond suggestion since it becomes too convoluted.  I have addressed some= of it in item 1.



Denis
 
> Note that 1 still for collision d= etection trumps 2 since collision
> creator could have created OCSP certificate and put the rogue OCSP=
> pointer in AIA.

>  



> Santoh,
>  
> Thank you for your comments.
>  
> See my replies in line:
>
> >Denis,
> >
> >I have couple of suggestions for the security considerations
> >section.
> >
> >1.     It is worth pointing out aside from RA corrup= tion and database
> >corruption that recommendation here do not fix the situation i= f the
> >adversary has attacked the CA and pointed to its own OCSP Resp= onder
> >in the OCSP field of the AIA extension.

>  
> This attack, as described, would = not be succeed. The attacker would also need
> to create an OCSP certificate for the OCSP Responder and for this = heneeds to

> be able to corrupt the RA which a= llows the production of OCSP certificates.
>  
> >2.     It is worth pointing out that the mechanism p= resented here can
> >be used by the relying party to detect collision if the certif= icate
> >signature was made using a weak hash, but the hashAlgorithm in= the
> >extension is not vulnerable to successful collision attack.

>  
> This is not a realistic scenario.= If the certificate signature was made
> using a weak hash, the CA will ask to its superior CA to revoke it= s
> CA certificate.

> This is thus outside the scope of= this extension.
>  
> Denis

--_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEB125DCH1PRD0610MB393_-- From SChokhani@cygnacom.com Sun Sep 9 12:03:34 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4523B21F849C for ; Sun, 9 Sep 2012 12:03:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hTCD-yEkd6o1 for ; Sun, 9 Sep 2012 12:03:31 -0700 (PDT) Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) by ietfa.amsl.com (Postfix) with ESMTP id 7DAF321F84E6 for ; Sun, 9 Sep 2012 12:03:30 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.80,126,1344225600"; d="scan'208,217";a="1896501" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge2.cygnacom.com with ESMTP; 09 Sep 2012 15:03:29 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Sun, 9 Sep 2012 15:03:29 -0400 From: Santosh Chokhani To: Piyush Jain , "denis.pinkas@bull.net" Date: Sun, 9 Sep 2012 15:03:26 -0400 Thread-Topic: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 Thread-Index: AQHNjnEHgZXkJBUgwk2vcpMVLwEnCJeCRe8AgAAX97A= Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AF362EC7DAscygexch7cygnac_" MIME-Version: 1.0 Cc: "pkix@ietf.org" Subject: Re: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 09 Sep 2012 19:03:34 -0000 --_000_B83745DA469B7847811819C5005244AF362EC7DAscygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Piyush, You are not missing anything. Thus extension does not cover all the situations. That is why I am neither= a fan of it here nor I think CAB Forum got it right. That said, speaking from other side of my mouth, if the attacker is not sma= rt enough or the CA configuration makes it hard to mint OCSP certificate, t= he bogus certificate can be detected. From: Piyush Jain [mailto:piyush@identicate.com] Sent: Sunday, September 09, 2012 1:43 PM To: Santosh Chokhani; denis.pinkas@bull.net Cc: pkix@ietf.org Subject: RE: [pkix] New version Notification for draft-pinkas-2560bis-certi= nfo-00 Not sure if I get it completely. In the security section we are saying that it does not detect the 'abnormal= ' scenario where RA ,CA or responder is compromised. And the reason for introducing this extension is (from the draft) - "either= that the target certificate has indeed not been issued and thus is a forge= d certificate", which implies that either the CA or RA is compromised. In summary the extension is used for detecting CA compromise scenarios but = cannot detect the 'abnormal' case when CA is compromised. What am I missing? -Piyush From: pkix-bounces@ietf.org [mailto:pkix-boun= ces@ietf.org] On Behalf Of Santosh C= hokhani Sent: Sunday, September 09, 2012 2:54 AM To: denis.pinkas@bull.net Cc: pkix@ietf.org Subject: Re: [pkix] New version Notification for draft-pinkas-2560bis-certi= nfo-00 Denis, Thanks. We are almost there. I have suggestions in-line below. From: denis.pinkas@bull.net [mailto:denis.pin= kas@bull.net] Sent: Friday, September 07, 2012 10:24 AM To: Santosh Chokhani Cc: pkix@ietf.org Subject: RE: [pkix] New version Notification for draft-pinkas-2560bis-certi= nfo-00 Santosh, > Denis, > > On 1, If the CA has been attacked,, you have no assurance that the > adversary has not created an OCSP certificate as well. Rather than arguing we should concentrate to improve the text. What about: When certHashValue is returned and the hashes match, then everything looks fine, but this case does not allow detecting an abnormal situation if the RA software has been corrupted, if the CA itself has been corrupted or if the database to which the OCSP server has access has been maliciously corrupted. [Santosh] This is almost there. How about the following (added OCSP corrup= tion and cryptographic algorithm) When certHashValue is returned and the hashes match, then everything looks fine, but this case does not allow detecting an abnormal situation if the RA software has been corrupted, if the CA itself has been corrupted, OCSP Server has been corrupted, or if the database t= o which the OCSP server has access has been maliciously corrupted. This may also not detect hashing = algorithm or signature algorithm compromise. > On 2, just like the CA compromise scenario you cite, the mechanism > helps detect collision. If the CA knew of collision, it would of > course change the cipher suite. Maybe, maybe not. A collision may happen without a defect in the cipher su= ite (e.g. the HSM has been successfully used directly). I believe that the current text is sufficient: When certHashValue is returned and the hashes do not match, this extension allows detecting an abnormal situation : there exists two certificates with the same serial number: one regularly issued by the CA and another one which has either been forged or obtained irregularly. If you don't think so, please make a specific proposal. [Santosh] I withdraw the second suggestion since it becomes too convoluted.= I have addressed some of it in item 1. Denis > Note that 1 still for collision detection trumps 2 since collision > creator could have created OCSP certificate and put the rogue OCSP > pointer in AIA. > > Santoh, > > Thank you for your comments. > > See my replies in line: > > >Denis, > > > >I have couple of suggestions for the security considerations > >section. > > > >1. It is worth pointing out aside from RA corruption and database > >corruption that recommendation here do not fix the situation if the > >adversary has attacked the CA and pointed to its own OCSP Responder > >in the OCSP field of the AIA extension. > > This attack, as described, would not be succeed. The attacker would also = need > to create an OCSP certificate for the OCSP Responder and for this heneeds= to > be able to corrupt the RA which allows the production of OCSP certificate= s. > > >2. It is worth pointing out that the mechanism presented here can > >be used by the relying party to detect collision if the certificate > >signature was made using a weak hash, but the hashAlgorithm in the > >extension is not vulnerable to successful collision attack. > > This is not a realistic scenario. If the certificate signature was made > using a weak hash, the CA will ask to its superior CA to revoke its > CA certificate. > This is thus outside the scope of this extension. > > Denis --_000_B83745DA469B7847811819C5005244AF362EC7DAscygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Piyush,=

 

You are not missing anything.

 

T= hus extension does not cover all the situations.  That is why I am nei= ther a fan of it here nor I think CAB Forum got it right.=

 

That said, speaking from other side of my mouth, if the attacker is = not smart enough or the CA configuration makes it hard to mint OCSP certifi= cate, the bogus certificate can be detected.

 

= From: Piyush Jain [mailto:piyush@identicate.com]
Sent: Sunday= , September 09, 2012 1:43 PM
To: Santosh Chokhani; denis.pinkas@b= ull.net
Cc: pkix@ietf.org
Subject: RE: [pkix] New versi= on Notification for draft-pinkas-2560bis-certinfo-00

<= /div>

 

<= span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F= 497D'>Not sure if I get it completely.

 

In t= he security section we are saying that it does not detect the ‘abnorm= al’ scenario where RA ,CA or responder is compromised.

 

And the reason for introducing this extension is (from the = draft) - “either that the target certificate has indeed not be= en issued and th= us is a forged certificate, which implies that either = the CA or RA is compromised.

 

In summary the e= xtension is used for detecting CA compromise scenarios but cannot detect th= e ‘abnormal’ case when CA is compromised.

=

What am I missing?

 

-Piyush

 

 

=

From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokha= ni
Sent: Sunday, September 09, 2012 2:54 AM
To: denis.pinkas@bull.net
Cc: <= a href=3D"mailto:pkix@ietf.org">pkix@ietf.org
Subject: Re: [p= kix] New version Notification for draft-pinkas-2560bis-certinfo-00

 

Denis,

=  

Thanks.  We are almost= there.  I have suggestions in-line below.

 

From:= denis.pinkas@bull.net [mailto:denis.pinkas@bull.net] <= br>Sent: Friday, September 07, 2012 10:24 AM
To: Santosh C= hokhani
Cc: pkix@ietf.orgSubject: RE: [pkix] New version Notification for draft-pinkas-2560b= is-certinfo-00

 <= /p>

= Santosh,

> Deni= s,
>  <= /tt>
> On 1, If the CA has been= attacked,, you have no assurance that the
> adversary has not creat= ed an OCSP certificate as well.


Rather than arguing we should concentrate to im= prove the text. What about:

   When certHashVal= ue is returned and the hashes match, then everything
   = looks fine, but this case does not allow detecting an abnormal
<= span style=3D'font-size:10.0pt;font-family:"Courier New";color:#0000E0'>&nb= sp;  situation if the RA software has been corrupted, if the CA its= elf
   has been corrupted or if the dat= abase to which the OCSP server has
   access has been ma= liciously corrupted.

[S= antosh] This is almost there.  How about the following (added OCSP cor= ruption and cryptographic algorithm)

   looks fine, but this case does not allow det= ecting an abnormal
   situation if the RA software has b= een corrupted, if the CA itself
   has been co= rrupted, OCSP Server has been corrupted, or if the databas= e to which the OCSP server has
   access has been malici= ously corrupted. This may also not detect hashing algorithm or signatur= e algorithm compromise.


<= br>> On 2, just like the CA comprom= ise scenario you cite, the mechanism
> helps detect collision.  = ;If the CA knew of collision, it would of
> course change t= he cipher suite.


 Maybe, maybe not. A collision may happen without a defec= t in the cipher suite
(e.g. the HSM has been successfully= used directly).


I believe that the current text is sufficient:
   When certHashValue is returned and the hashes do not match,= this
   extension allows detecting an abnormal situatio= n : there exists two
   certificates with the same seria= l number: one regularly issued by
   the CA and another = one which has either been forged or obtained
   irregula= rly.

If y= ou don't think so, please make a specific proposal.

[Santos= h] I withdraw the second suggestion since it becomes too convoluted.  = I have addressed some of it in item 1.



Denis
 
> Note that 1 still for collision dete= ction trumps 2 since collision

> creator could have created OCSP cer= tificate and put the rogue OCSP
> pointer in AIA.
>  


> Santoh,
= >  
> Thank you for your comments. >  
> See my replies in line:

<= tt>>

> >Denis,
&g= t; >
> >I have couple of suggestions for the security= considerations
> >section.
> > > >1.     It is worth pointing out aside from RA corr= uption and database
> >corruption that recommendation her= e do not fix the situation if the
> >adversary has attack= ed the CA and pointed to its own OCSP Responder
> >in the= OCSP field of the AIA extension.

>  
> This attack, as described, would not be succeed. The attacker would = also need
> to create an OCSP certificate for the OCSP Responder and= for this heneeds to

&= gt; be able to corrupt the RA which allows the production of OCSP certifica= tes.
>  
&g= t; >2.     It is worth pointing out that the mechanism present= ed here can
> >be used by the relying party to detect col= lision if the certificate
> >signature was made using a w= eak hash, but the hashAlgorithm in the
> >extension is no= t vulnerable to successful collision attack.

>  
> This is not a realistic scenario. If the certificate sign= ature was made
> using a weak hash, the CA will ask to its superior = CA to revoke its
> CA certificate.

> This is thus outside the scope of this ex= tension.
>  
> Denis<= o:p>

= --_000_B83745DA469B7847811819C5005244AF362EC7DAscygexch7cygnac_-- From turners@ieca.com Sun Sep 9 17:41:26 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28EEC21F85F9 for ; Sun, 9 Sep 2012 17:41:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.09 X-Spam-Level: X-Spam-Status: No, score=-102.09 tagged_above=-999 required=5 tests=[AWL=0.176, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ca6ofDFEY7eZ for ; Sun, 9 Sep 2012 17:41:25 -0700 (PDT) Received: from gateway14.websitewelcome.com (gateway14.websitewelcome.com [67.18.68.2]) by ietfa.amsl.com (Postfix) with ESMTP id AF9BD21F8600 for ; Sun, 9 Sep 2012 17:41:25 -0700 (PDT) Received: by gateway14.websitewelcome.com (Postfix, from userid 5007) id 99BC3F989AB; Sun, 9 Sep 2012 19:41:25 -0500 (CDT) Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway14.websitewelcome.com (Postfix) with ESMTP id 88780F98958 for ; Sun, 9 Sep 2012 19:41:25 -0500 (CDT) Received: from [108.18.174.220] (port=57066 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from ) id 1TAs44-0003sP-Mp; Sun, 09 Sep 2012 19:41:24 -0500 Message-ID: <504D3733.5040203@ieca.com> Date: Sun, 09 Sep 2012 20:41:23 -0400 From: Sean Turner User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20120824 Thunderbird/15.0 MIME-Version: 1.0 To: Erik Andersen References: <504B358F.2080607@e-net.lt> <003501cd8e81$74999500$5dccbf00$@eu> In-Reply-To: <003501cd8e81$74999500$5dccbf00$@eu> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator1743.hostgator.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - ieca.com X-BWhitelist: no X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (thunderfish.local) [108.18.174.220]:57066 X-Source-Auth: sean.turner@ieca.com X-Email-Count: 2 X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20= Cc: 'Stefan Santesson' , apps-discuss@ietf.org, 'pkix' Subject: Re: [pkix] Need for an organizationalIdentifier attribute X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Sep 2012 00:41:26 -0000 Erik, I think the apps folks might have some ideas. I cc'ed that list to see if somebody is aware of an attribute that's already been defined for this purpose. spt On 9/9/12 7:51 AM, Erik Andersen wrote: > FYI > > Erik > > *Fra:*pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] *På vegne af > *Moudrick M. Dadashov > *Sendt:* 8. september 2012 14:10 > *Til:* Stefan Santesson > *Cc:* pkix > *Emne:* Re: [pkix] Need for an organizationalIdentifier attribute > > On 3/23/2012 7:13 PM, Stefan Santesson wrote: > > When a person is associated with an organization in a certificate > the subjects employee number or alike is often stored in the > serialNumber attribute. > > But where do you store an identifier of the organization? > > That is, not the name stored in organization name, but the > registered organization number? > > I've seen some odd solutions to this problem but nor clean solution. > > X.520 only offer organizationName and orgnizationalUnitName as > organizational attributes > > Have anyone else come across this issue? > > How did you solve it? > > Do we need to define a clean attribute for an organizationalIdentifier? > > Definitely yes. > > M.D. > > /Stefan > > > > > _______________________________________________ > > pkix mailing list > > pkix@ietf.org > > https://www.ietf.org/mailman/listinfo/pkix > > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix > From denis.pinkas@bull.net Mon Sep 10 01:04:25 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9D3F21F8518 for ; Mon, 10 Sep 2012 01:04:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.048 X-Spam-Level: X-Spam-Status: No, score=-2.048 tagged_above=-999 required=5 tests=[AWL=0.200, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RPBxkJp+oHjO for ; Mon, 10 Sep 2012 01:04:25 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 7544321F850D for ; Mon, 10 Sep 2012 01:04:24 -0700 (PDT) Received: from MSGC-003.bull.fr (MSGC-003.frcl.bull.fr [129.184.87.131]) by odin2.bull.net (Bull S.A.) with ESMTP id 0BEE6180DA; Mon, 10 Sep 2012 10:04:23 +0200 (CEST) In-Reply-To: References: To: Santosh Chokhani MIME-Version: 1.0 X-KeepSent: C74A8DD6:A162B10E-C1257A75:002BA094; type=4; name=$KeepSent X-Mailer: Lotus Notes Release 8.5.2 August 10, 2010 From: denis.pinkas@bull.net Message-ID: Date: Mon, 10 Sep 2012 10:04:22 +0200 X-MIMETrack: Serialize by Router on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 10/09/2012 10:04:23, Serialize complete at 10/09/2012 10:04:23 Content-Type: multipart/alternative; boundary="=_alternative 002C32FFC1257A75_=" Cc: "pkix@ietf.org" Subject: Re: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Sep 2012 08:04:25 -0000 Message en plusieurs parties au format MIME --=_alternative 002C32FFC1257A75_= Content-Type: text/plain; charset="US-ASCII" Santosh, A small change without changing the intent. Rather than saying: "This may also not detect hashing algorithm or signature algorithm compromise". I propose: "This case does not either allow detecting hashing algorithm or signature algorithm collisions". Denis De : Santosh Chokhani A : "denis.pinkas@bull.net" Cc : "pkix@ietf.org" Date : 09/09/2012 11:53 Objet : RE: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 Denis, Thanks. We are almost there. I have suggestions in-line below. From: denis.pinkas@bull.net [mailto:denis.pinkas@bull.net] Sent: Friday, September 07, 2012 10:24 AM To: Santosh Chokhani Cc: pkix@ietf.org Subject: RE: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 Santosh, > Denis, > > On 1, If the CA has been attacked,, you have no assurance that the > adversary has not created an OCSP certificate as well. Rather than arguing we should concentrate to improve the text. What about: When certHashValue is returned and the hashes match, then everything looks fine, but this case does not allow detecting an abnormal situation if the RA software has been corrupted, if the CA itself has been corrupted or if the database to which the OCSP server has access has been maliciously corrupted. [Santosh] This is almost there. How about the following (added OCSP corruption and cryptographic algorithm) When certHashValue is returned and the hashes match, then everything looks fine, but this case does not allow detecting an abnormal situation if the RA software has been corrupted, if the CA itself has been corrupted, OCSP Server has been corrupted, or if the database to which the OCSP server has access has been maliciously corrupted. This may also not detect hashing algorithm or signature algorithm compromise. > On 2, just like the CA compromise scenario you cite, the mechanism > helps detect collision. If the CA knew of collision, it would of > course change the cipher suite. Maybe, maybe not. A collision may happen without a defect in the cipher suite (e.g. the HSM has been successfully used directly). I believe that the current text is sufficient: When certHashValue is returned and the hashes do not match, this extension allows detecting an abnormal situation : there exists two certificates with the same serial number: one regularly issued by the CA and another one which has either been forged or obtained irregularly. If you don't think so, please make a specific proposal. [Santosh] I withdraw the second suggestion since it becomes too convoluted. I have addressed some of it in item 1. Denis > Note that 1 still for collision detection trumps 2 since collision > creator could have created OCSP certificate and put the rogue OCSP > pointer in AIA. > > Santoh, > > Thank you for your comments. > > See my replies in line: > > >Denis, > > > >I have couple of suggestions for the security considerations > >section. > > > >1. It is worth pointing out aside from RA corruption and database > >corruption that recommendation here do not fix the situation if the > >adversary has attacked the CA and pointed to its own OCSP Responder > >in the OCSP field of the AIA extension. > > This attack, as described, would not be succeed. The attacker would also need > to create an OCSP certificate for the OCSP Responder and for this heneeds to > be able to corrupt the RA which allows the production of OCSP certificates. > > >2. It is worth pointing out that the mechanism presented here can > >be used by the relying party to detect collision if the certificate > >signature was made using a weak hash, but the hashAlgorithm in the > >extension is not vulnerable to successful collision attack. > > This is not a realistic scenario. If the certificate signature was made > using a weak hash, the CA will ask to its superior CA to revoke its > CA certificate. > This is thus outside the scope of this extension. > > Denis --=_alternative 002C32FFC1257A75_= Content-Type: text/html; charset="US-ASCII" Santosh,

A small change without changing the intent. Rather than saying:

"This may also not detect hashing algorithm or signature algorithm compromise".

I propose:

"This case does not either allow detecting hashing algorithm or signature algorithm collisions".

Denis



De :        Santosh Chokhani <SChokhani@cygnacom.com>
A :        "denis.pinkas@bull.net" <denis.pinkas@bull.net>
Cc :        "pkix@ietf.org" <pkix@ietf.org>
Date :        09/09/2012 11:53
Objet :        RE: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00




Denis,
 
Thanks.  We are almost there.  I have suggestions in-line below.
 
From: denis.pinkas@bull.net [mailto:denis.pinkas@bull.net]
Sent:
Friday, September 07, 2012 10:24 AM
To:
Santosh Chokhani
Cc:
pkix@ietf.org
Subject:
RE: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00

 
Santosh,

> Denis,

>  

> On 1, If the CA has been attacked,, you have no assurance that the
> adversary has not created an OCSP certificate as well.


Rather than arguing we should concentrate to improve the text. What about:


  When certHashValue is returned and the hashes match, then everything
  looks fine, but this case does not allow detecting an abnormal
  situation if the RA software has been corrupted, if the CA itself
  has been corrupted
or if the database to which the OCSP server has
  access has been maliciously corrupted.

[Santosh] This is almost there.  How about the following (added OCSP corruption and cryptographic algorithm)
   When certHashValue is returned and the hashes match, then everything
  looks fine, but this case does not allow detecting an abnormal
  situation if the RA software has been corrupted, if the CA itself
  has been corrupted,
OCSP Server has been corrupted, or if the database to which the OCSP server has
  access has been maliciously corrupted.
This may also not detect hashing algorithm or signature algorithm compromise.


> On 2, just like the CA compromise scenario you cite, the mechanism
> helps detect collision.  If the CA knew of collision, it would of
> course change the cipher suite.


Maybe, maybe not. A collision may happen without a defect in the cipher suite
(e.g. the HSM has been successfully used directly).


I believe that the current text is sufficient:


  When certHashValue is returned and the hashes do not match, this
  extension allows detecting an abnormal situation : there exists two
  certificates with the same serial number: one regularly issued by
  the CA and another one which has either been forged or obtained
  irregularly.


If you don't think so, please make a specific proposal.

[Santosh] I withdraw the second suggestion since it becomes too convoluted.  I have addressed some of it in item 1.


Denis

 
> Note that 1 still for collision detection trumps 2 since collision
> creator could have created OCSP certificate and put the rogue OCSP
> pointer in AIA.

>  




> Santoh,

>  

> Thank you for your comments.

>  

> See my replies in line:

>
> >Denis,
> >
> >I have couple of suggestions for the security considerations
> >section.
> >
> >1.     It is worth pointing out aside from RA corruption and database
> >corruption that recommendation here do not fix the situation if the
> >adversary has attacked the CA and pointed to its own OCSP Responder
> >in the OCSP field of the AIA extension.

>  

> This attack, as described, would not be succeed. The attacker would also need
> to create an OCSP certificate for the OCSP Responder and for this heneeds to
> be able to corrupt the RA which allows the production of OCSP certificates.

>  
> >2.     It is worth pointing out that the mechanism presented here can
> >be used by the relying party to detect collision if the certificate
> >signature was made using a weak hash, but the hashAlgorithm in the
> >extension is not vulnerable to successful collision attack.

>  

> This is not a realistic scenario. If the certificate signature was made
> using a weak hash, the CA will ask to its superior CA to revoke its
> CA certificate.

> This is thus outside the scope of this extension.

>  

> Denis

--=_alternative 002C32FFC1257A75_=-- From SChokhani@cygnacom.com Mon Sep 10 06:55:46 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0966421F86A0 for ; Mon, 10 Sep 2012 06:55:46 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X5At6hvuHpn4 for ; Mon, 10 Sep 2012 06:55:45 -0700 (PDT) Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id D84C921F869F for ; Mon, 10 Sep 2012 06:55:42 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.80,398,1344225600"; d="scan'208,217";a="6165969" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge1.cygnacom.com with ESMTP; 10 Sep 2012 09:55:41 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Mon, 10 Sep 2012 09:55:41 -0400 From: Santosh Chokhani To: "denis.pinkas@bull.net" Date: Mon, 10 Sep 2012 09:55:40 -0400 Thread-Topic: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 Thread-Index: Ac2PKu7Ly95J/Np0TzCynFyQ0fy8NAAMQRtA Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AF362EC7F7scygexch7cygnac_" MIME-Version: 1.0 Cc: "pkix@ietf.org" Subject: Re: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Sep 2012 13:55:49 -0000 --_000_B83745DA469B7847811819C5005244AF362EC7F7scygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable OK From: denis.pinkas@bull.net [mailto:denis.pinkas@bull.net] Sent: Monday, September 10, 2012 4:04 AM To: Santosh Chokhani Cc: pkix@ietf.org Subject: RE: [pkix] New version Notification for draft-pinkas-2560bis-certi= nfo-00 Santosh, A small change without changing the intent. Rather than saying: "This may also not detect hashing algorithm or signature algorithm compromi= se". I propose: "This case does not either allow detecting hashing algorithm or signature a= lgorithm collisions". Denis De : Santosh Chokhani > A : "denis.pinkas@bull.net" > Cc : "pkix@ietf.org" > Date : 09/09/2012 11:53 Objet : RE: [pkix] New version Notification for draft-pinkas-2560bis= -certinfo-00 ________________________________ Denis, Thanks. We are almost there. I have suggestions in-line below. From: denis.pinkas@bull.net [mailto:denis.pin= kas@bull.net] Sent: Friday, September 07, 2012 10:24 AM To: Santosh Chokhani Cc: pkix@ietf.org Subject: RE: [pkix] New version Notification for draft-pinkas-2560bis-certi= nfo-00 Santosh, > Denis, > > On 1, If the CA has been attacked,, you have no assurance that the > adversary has not created an OCSP certificate as well. Rather than arguing we should concentrate to improve the text. What about: When certHashValue is returned and the hashes match, then everything looks fine, but this case does not allow detecting an abnormal situation if the RA software has been corrupted, if the CA itself has been corrupted or if the database to which the OCSP server has access has been maliciously corrupted. [Santosh] This is almost there. How about the following (added OCSP corrup= tion and cryptographic algorithm) When certHashValue is returned and the hashes match, then everything looks fine, but this case does not allow detecting an abnormal situation if the RA software has been corrupted, if the CA itself has been corrupted, OCSP Server has been corrupted, or if the database to= which the OCSP server has access has been maliciously corrupted. This may also not detect hashing a= lgorithm or signature algorithm compromise. > On 2, just like the CA compromise scenario you cite, the mechanism > helps detect collision. If the CA knew of collision, it would of > course change the cipher suite. Maybe, maybe not. A collision may happen without a defect in the cipher sui= te (e.g. the HSM has been successfully used directly). I believe that the current text is sufficient: When certHashValue is returned and the hashes do not match, this extension allows detecting an abnormal situation : there exists two certificates with the same serial number: one regularly issued by the CA and another one which has either been forged or obtained irregularly. If you don't think so, please make a specific proposal. [Santosh] I withdraw the second suggestion since it becomes too convoluted.= I have addressed some of it in item 1. Denis > Note that 1 still for collision detection trumps 2 since collision > creator could have created OCSP certificate and put the rogue OCSP > pointer in AIA. > > Santoh, > > Thank you for your comments. > > See my replies in line: > > >Denis, > > > >I have couple of suggestions for the security considerations > >section. > > > >1. It is worth pointing out aside from RA corruption and database > >corruption that recommendation here do not fix the situation if the > >adversary has attacked the CA and pointed to its own OCSP Responder > >in the OCSP field of the AIA extension. > > This attack, as described, would not be succeed. The attacker would also = need > to create an OCSP certificate for the OCSP Responder and for this heneeds= to > be able to corrupt the RA which allows the production of OCSP certificate= s. > > >2. It is worth pointing out that the mechanism presented here can > >be used by the relying party to detect collision if the certificate > >signature was made using a weak hash, but the hashAlgorithm in the > >extension is not vulnerable to successful collision attack. > > This is not a realistic scenario. If the certificate signature was made > using a weak hash, the CA will ask to its superior CA to revoke its > CA certificate. > This is thus outside the scope of this extension. > > Denis --_000_B83745DA469B7847811819C5005244AF362EC7F7scygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

OK

 

From: denis.pinkas@bull.net [mailto:denis.pinkas@bull.net]
<= b>Sent:
Monday, September 10, 2012 4:04 AM
To: Santosh Chokha= ni
Cc: pkix@ietf.org
Subject: RE: [pkix] New version No= tification for draft-pinkas-2560bis-certinfo-00

 

Santosh,

A small chan= ge without changing the intent. Rather than saying:

"This may al= so not detect hashing algorithm or signature algorithm compromise".

I propose:

"This case does not either allow detecting hashin= g algorithm or signature algorithm collisions".

Denis


De :        Santosh Chokhani <SChokhani@cygnacom.com> A :        "denis.pinkas@bull.net" <denis.pinkas@bull.net>
Cc :    = ;    "pkix@ietf.org" = <pkix@ietf.org>
D= ate :        
09/09/2012 11:53
Objet :  = ;      RE: [pkix] New version Notification for draft-pinkas-256= 0bis-certinfo-00





Denis,
=  
Thanks= .  We are almost there.  I have suggestions in-line below.=
 <= /span>
From: denis.pinkas@bull.net [mai= lto:denis.pinkas@bull.net]
Sent:
Friday, September 07, 2012 10:24 AM
To:=
Santosh Chokhani
Cc:
pkix@i= etf.org
Subject:
RE: [pkix] New version Notification for draf= t-pinkas-2560bis-certinfo-00

 
Santosh,

> Denis,

>  
<= br>> On 1, If the CA has been attacked,, you have no assurance that the =
> adversary has not created an OCSP certificate as well.

=
Rather than arg= uing we should concentrate to improve the text. What about:


  When certHas= hValue is returned and the hashes match, then everything
  looks f= ine, but this case does not allow detecting an abnormal
  situatio= n if the RA software has been corrupted, if the CA itself
  has= been corrupted
or if the database to which the OCSP server has
&nb= sp; access has been maliciously corrupted.

[Santosh] This is almost there. &= nbsp;How about the following (added OCSP corruption and cryptographic algor= ithm)
&n= bsp;  When certHashValue is returned and the hashes match, then everyt= hing
  looks fine, but this case does not allow detecting an abnor= mal
  situation if the RA software has been corrupted, if the C= A itself
  has been corrupted,
OCSP Server has been corrupted, <= span style=3D'font-family:"Courier New";color:#0000E0'>or if the database t= o which the OCSP server has
  access has been maliciously corrupte= d.
This may a= lso not detect hashing algorithm or signature algorithm compromise.<= /b>


> On 2, just l= ike the CA compromise scenario you cite, the mechanism
> helps detec= t collision.  If the CA knew of collision, it would of
> course= change the cipher suite.


Maybe, maybe not. A collision may happen without a de= fect in the cipher suite
(e.g. the HSM has been successfully used direc= tly).

I believe that the current text is sufficient:

  When certHashValue is r= eturned and the hashes do not match, this
  extension allows detec= ting an abnormal situation : there exists two
  certificates with = the same serial number: one regularly issued by
  the CA and anoth= er one which has either been forged or obtained
  irregularly.

If you = don't think so, please make a specific proposal.

[Santosh] I withdraw the se= cond suggestion since it becomes too convoluted.  I have addressed som= e of it in item 1.


Denis
<= br> 
> Note that 1 still for collision detection trumps 2 since = collision
> creator could have created OCSP certificate and put the = rogue OCSP
> pointer in AIA.

>  




> Santoh,

>= ; Thank you for your comments.

>  

&= gt; See my replies in line:

>  
> This attack, as desc= ribed, would not be succeed. The attacker would also need
> to creat= e an OCSP certificate for the OCSP Responder and for this heneeds to
&g= t; be able to corrupt the RA which allows the production of OCSP certificat= es.

>  
>= ; >2.     It is worth pointing out that the mechanism presente= d here can
> >be used by the relying party to detect collision if = the certificate
> >signature was made using a weak hash, but the h= ashAlgorithm in the
> >extension is not vulnerable to successful c= ollision attack.

> =  

> This is no= t a realistic scenario. If the certificate signature was made
> usin= g a weak hash, the CA will ask to its superior CA to revoke its
> CA= certificate.

> Thi= s is thus outside the scope of this extension.

>  

> Denis

= --_000_B83745DA469B7847811819C5005244AF362EC7F7scygexch7cygnac_-- From kent@bbn.com Mon Sep 10 09:22:47 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A716721F8627 for ; Mon, 10 Sep 2012 09:22:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -106.599 X-Spam-Level: X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uAUhpRMB38nk for ; Mon, 10 Sep 2012 09:22:46 -0700 (PDT) Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 3A24C21F85B8 for ; Mon, 10 Sep 2012 09:22:36 -0700 (PDT) Received: from dhcp89-089-153.bbn.com ([128.89.89.153]:50867) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1TB6kt-000KWP-Fk for pkix@ietf.org; Mon, 10 Sep 2012 12:22:35 -0400 Message-ID: <504E13CB.8080001@bbn.com> Date: Mon, 10 Sep 2012 12:22:35 -0400 From: Stephen Kent User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20120824 Thunderbird/15.0 MIME-Version: 1.0 To: pkix Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Sep 2012 16:22:47 -0000 OK, here we go again! Peter posted the -09 version late last week, and my intent is to conduct a constrained WGLC on the new text, dealing with CRL entry extensions. Denis beat me to the punch! So, the WGLC started on Friday (9/7), and ends on 9/17. As for Denis's comments: 1- yes, the intro needs to be changed to reflect the new section. Peter, please plan to do this for v-10, to be issued after WGLC. 2- I'm comfortable with the current text here, but if Peter want's to change to "identified" I have no problem with that, in v-10. 3- I'm not going to require the change you suggest here. It's too extensive at this point. Steve From wwwrun@rfc-editor.org Mon Sep 10 17:18:11 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD11E21F867B; Mon, 10 Sep 2012 17:18:11 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.322 X-Spam-Level: X-Spam-Status: No, score=-101.322 tagged_above=-999 required=5 tests=[AWL=0.678, BAYES_00=-2.599, J_CHICKENPOX_93=0.6, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8myetBU4jE1a; Mon, 10 Sep 2012 17:18:11 -0700 (PDT) Received: from rfc-editor.org (rfc-editor.org [IPv6:2001:1890:123a::1:2f]) by ietfa.amsl.com (Postfix) with ESMTP id 735D221F8643; Mon, 10 Sep 2012 17:18:11 -0700 (PDT) Received: by rfc-editor.org (Postfix, from userid 30) id 50D76B1E002; Mon, 10 Sep 2012 17:15:07 -0700 (PDT) To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org From: rfc-editor@rfc-editor.org Message-Id: <20120911001507.50D76B1E002@rfc-editor.org> Date: Mon, 10 Sep 2012 17:15:07 -0700 (PDT) Cc: pkix@ietf.org, rfc-editor@rfc-editor.org Subject: [pkix] RFC 6712 on Internet X.509 Public Key Infrastructure -- HTTP Transfer for the Certificate Management Protocol (CMP) X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Sep 2012 00:18:11 -0000 A new Request for Comments is now available in online RFC libraries. RFC 6712 Title: Internet X.509 Public Key Infrastructure -- HTTP Transfer for the Certificate Management Protocol (CMP) Author: T. Kause, M. Peylo Status: Standards Track Stream: IETF Date: September 2012 Mailbox: toka@ssh.com, martin.peylo@nsn.com Pages: 10 Characters: 21308 Updates: RFC4210 I-D Tag: draft-ietf-pkix-cmp-transport-protocols-20.txt URL: http://www.rfc-editor.org/rfc/rfc6712.txt This document describes how to layer the Certificate Management Protocol (CMP) over HTTP. It is the "CMPtrans" document referenced in RFC 4210; therefore, this document updates the reference given therein. [STANDARDS-TRACK] This document is a product of the Public-Key Infrastructure (X.509) Working Group of the IETF. This is now a Proposed Standard Protocol. STANDARDS TRACK: This document specifies an Internet standards track protocol for the Internet community,and requests discussion and suggestions for improvements. Please refer to the current edition of the Internet Official Protocol Standards (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. This announcement is sent to the IETF-Announce and rfc-dist lists. To subscribe or unsubscribe, see http://www.ietf.org/mailman/listinfo/ietf-announce http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist For searching the RFC series, see http://www.rfc-editor.org/rfcsearch.html. For downloading RFCs, see http://www.rfc-editor.org/rfc.html. Requests for special distribution should be addressed to either the author of the RFC in question, or to rfc-editor@rfc-editor.org. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution. The RFC Editor Team Association Management Solutions, LLC From peter@akayla.com Tue Sep 11 00:51:23 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 083C021F8716 for ; Tue, 11 Sep 2012 00:51:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id arY4DkQ2bkOT for ; Tue, 11 Sep 2012 00:51:22 -0700 (PDT) Received: from p3plsmtpa07-04.prod.phx3.secureserver.net (p3plsmtpa07-04.prod.phx3.secureserver.net [173.201.192.233]) by ietfa.amsl.com (Postfix) with SMTP id C9CFC21F86FD for ; Tue, 11 Sep 2012 00:51:14 -0700 (PDT) Received: (qmail 20138 invoked from network); 11 Sep 2012 07:51:13 -0000 Received: from unknown (173.8.184.78) by p3plsmtpa07-04.prod.phx3.secureserver.net (173.201.192.233) with ESMTP; 11 Sep 2012 07:51:13 -0000 From: "Peter Yee" To: "'Stephen Kent'" , "'pkix'" References: <504E13CB.8080001@bbn.com> In-Reply-To: <504E13CB.8080001@bbn.com> Date: Tue, 11 Sep 2012 00:51:29 -0700 Message-ID: <01d801cd8ff2$40f94cf0$c2ebe6d0$@akayla.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQExSM7fNOCIdwq2nbhbb0QsV8xrMpi9UkpQ Content-Language: en-us Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Sep 2012 07:51:23 -0000 I'll have -10 ready with the updated intro and I'm happy to switch to "identified in". -Peter -----Original Message----- From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Stephen Kent Sent: Monday, September 10, 2012 9:23 AM To: pkix Subject: [pkix] 5280bis, v-09 OK, here we go again! Peter posted the -09 version late last week, and my intent is to conduct a constrained WGLC on the new text, dealing with CRL entry extensions. Denis beat me to the punch! So, the WGLC started on Friday (9/7), and ends on 9/17. As for Denis's comments: 1- yes, the intro needs to be changed to reflect the new section. Peter, please plan to do this for v-10, to be issued after WGLC. 2- I'm comfortable with the current text here, but if Peter want's to change to "identified" I have no problem with that, in v-10. 3- I'm not going to require the change you suggest here. It's too extensive at this point. Steve _______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix From hallam@gmail.com Wed Sep 12 11:16:39 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6AB921F869F for ; Wed, 12 Sep 2012 11:16:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.581 X-Spam-Level: X-Spam-Status: No, score=-3.581 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gk+Hddh+SVy5 for ; Wed, 12 Sep 2012 11:16:37 -0700 (PDT) Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id D127621F8699 for ; Wed, 12 Sep 2012 11:16:37 -0700 (PDT) Received: by obbwc20 with SMTP id wc20so3448635obb.31 for ; Wed, 12 Sep 2012 11:16:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5n8j7DQZkHX0dk37dpXQfOAvJ0vSEyGA/zWtseQx3KQ=; b=FlR1sMF2P3VAmVzz1Wn6hZQVvQ1WrO7HznkQQtI5Nz2WN/Qsm4F+l37pO7C3qg0FIn 4g/0Jkulzzm6c+8OFmpYZocWLUYqyB1U9DFj+u7LJjrIQ8d4V1iBih8JGWNqXF9xvwoJ kGqQGEu5Yxu3GwPWaEdWrNNmXeU8RHH0Lgbg5YPe8uXur2ciurVVoMNf4rcDBSztV7PC tJomRRmPofHjA9eMx+JWgQgD2Lf9GDF5QZ/uSU2k37c3albS5xCso/uc9otvUdS1tRoZ Psy0Kf7hEgMdMlimguHZAvoO7g3UUkaZ418JHJ9PH3ZntUGGP03FUmAGUnf+zs5QQocw 9UTg== MIME-Version: 1.0 Received: by 10.60.11.34 with SMTP id n2mr23802670oeb.18.1347473797499; Wed, 12 Sep 2012 11:16:37 -0700 (PDT) Received: by 10.76.80.10 with HTTP; Wed, 12 Sep 2012 11:16:37 -0700 (PDT) In-Reply-To: <666C6056-569B-41C2-94AB-6D74E9C5896A@vpnc.org> References: <20120907201501.GK16938@mx1.yitter.info> <666C6056-569B-41C2-94AB-6D74E9C5896A@vpnc.org> Date: Wed, 12 Sep 2012 14:16:37 -0400 Message-ID: From: Phillip Hallam-Baker To: Paul Hoffman Content-Type: multipart/alternative; boundary=e89a8fb206e60b4b5204c98531d4 Cc: pkix@ietf.org Subject: Re: [pkix] Review of draft-ietf-pkix-caa-13 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Sep 2012 18:16:39 -0000 --e89a8fb206e60b4b5204c98531d4 Content-Type: text/plain; charset=ISO-8859-1 I would like to have the technical spec to require us to all go through the motions and then decide whether to ignore or accept the result if we don't like it. That way there is only one part of the system that is affected if the CA decides to exercise discretion rather than two. On Sat, Sep 8, 2012 at 12:17 PM, Paul Hoffman wrote: > On Sep 7, 2012, at 8:13 PM, Phillip Hallam-Baker wrote: > > > What I thought we agreed was that CAs have to process up to the TLD but > can decide to ignore the result if doing so is in accordance with their > published policy. > > > On Fri, Sep 7, 2012 at 4:15 PM, Andrew Sullivan > wrote: > > > > The description in section 4 excludes top level domains. My > > impression in Vancouver was that we didn't have such an exclusion. > > Rather, we were going to leave the question of what domains one is not > > allowed to climb into up to CA policy (which will presumably include > > most TLDs, but possibly other things like delegation-centric domains > > further down the tree). Also, I don't see in the section 4 processing > > section the explicit note that a CA can have such a policy. > > You both are saying the same thing. I like Andrew's formulation better: > *everything* is up to the CA to decide, so don't call out TLDs as a special > thing to decide about. > > --Paul Hoffman -- Website: http://hallambaker.com/ --e89a8fb206e60b4b5204c98531d4 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable I would like to have the technical spec to require us to all go through the= motions and then decide whether to ignore or accept the result if we don&#= 39;t like it.

That way there is only one part of the sys= tem that is affected if the CA decides to exercise discretion rather than t= wo.=A0

On Sat, Sep 8, 2012 at 12:17 PM, Paul H= offman <paul.hoffman@vpnc.org> wrote:
On Sep 7, 2012, at 8:13 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:

> What I thought we agreed was that CAs have to process up to the TLD bu= t can decide to ignore the result if doing so is in accordance with their p= ublished policy.

> On Fri, Sep 7, 2012 at 4:15 PM, Andrew Sulliva= n <ajs@anvilwalrusden.com&= gt; wrote:
>
> The description in section 4 excludes top leve= l domains. =A0My
> impression in Vancouver was that we didn't have such an exclusion.=
> Rather, we were going to leave the question of what domains one is not=
> allowed to climb into up to CA policy (which will presumably include > most TLDs, but possibly other things like delegation-centric domains > further down the tree). =A0Also, I don't see in the section 4 proc= essing
> section the explicit note that a CA can have such a policy.

You both are saying the same thing. I like Andrew's formulation b= etter: *everything* is up to the CA to decide, so don't call out TLDs a= s a special thing to decide about.

--Paul Hoffman


<= br>
--
Website: http://hallamb= aker.com/

--e89a8fb206e60b4b5204c98531d4-- From mrex@sap.com Wed Sep 12 17:24:53 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25AAD21F85B4 for ; Wed, 12 Sep 2012 17:24:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.249 X-Spam-Level: X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wygQtvhYzXqM for ; Wed, 12 Sep 2012 17:24:52 -0700 (PDT) Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id EE6D121F85A2 for ; Wed, 12 Sep 2012 17:24:51 -0700 (PDT) Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id q8D0Oilh002582 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 13 Sep 2012 02:24:45 +0200 (MEST) In-Reply-To: <504E13CB.8080001@bbn.com> To: Stephen Kent Date: Thu, 13 Sep 2012 02:24:44 +0200 (CEST) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20120913002444.80A791A216@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Sep 2012 00:24:53 -0000 I'm for long silence, I was on vacation (only told Denis about it). Stephen Kent wrote: > OK, here we go again! > > Peter posted the -09 version late last week, and my intent is to conduct > a constrained WGLC on the new text, dealing with CRL entry extensions. > Denis beat me to the punch! > > So, the WGLC started on Friday (9/7), and ends on 9/17. I object to the proposed new text about CRLEntryExtensions in the clarification document, because as is, would significantly worsen the difference between PKIX and X.509 and make things clearly incompatible rather than slightly less efficient. If anything, the gap should be reduced, compatibility between PKIX and X.509 improved and the original architecture not violated. Please recall the original NOTE 4 & 5 that I quoted from ITU-T Rec. X.509 (08/2005), Section 7.3, top of page 18: (get them here http://www.itu.int/rec/T-REC-X.509): a> NOTE 4 -- When an implementation processing a certificate revocation a> list does not recognize a critical extension in the crlEntryExtensions a> field, it shall assume that, at a minimum, the identified certificate a> has been revoked and is no longer valid and perform additional actions a> concerning that revoked certificate as dictated by local policy. b> When an implementation does not recognize a critical extension in the b> crlExtensions field, it shall assume that identified certificates b> have been revoked and are no longer valid. c> However in the latter case, c> since the list may not be complete, certificates that have not been c> identified as being revoked cannot be assumed to be valid. In this case c> local policy shall dictate the action to be taken. In any case local c> policy may dictate actions in addition to and/or stronger than those c> stated in this Specification. d> NOTE 5 -- If an extension affects the treatment of the list d> (e.g., multiple CRLs need to be scanned to examine the entire list of d> revoked certificates, or an entry may represent a range of certificates), d> then that extension shall be indicated as critical in the crlExtensions d> field regardless of where the extension is placed in the CRL. e> An extension indicated in the crlEntryExtensions field of an entry shall e> be placed in that entry and shall affect only the certificate(s) e> specified in that entry. (I inserted blank lines above for visual clarity of the X.509 requirements). two options, all combinations: (1) cert on CRL, CRL with NO unrecognized critical CRLEntryExtensions (2) cert NOT on CRL, CRL with NO unrecognized critical CRLEntryExtensions (3) cert on CRL, CRL with unrecognized critical CRLEntryExtension (4) cert NOT on CRL, CRL with unrecognized critical CRLEntryExtension I hope we agree that X.509 and rfc5280 agree on (1) and (2) results for CRL checking. rfc5280 currently says that for (3)+(4) the entire CRL ought to be ignored and other CRLs need to be evaluated "UNDETERMINED" X.509 says in (a>) that for (3) the status of the cert is definitely revoked and says in (c>) for (4) that the CRL ought to be ignored and other CRLs need to be evaluated "UNDETERMINED" While both X.509 and rfc5280 agree on the result for (4) "UNDETERMINED", there is the superficial appearance of a difference for a casual implementer for case (3) between X.509 "REVOKED" and rfc5280 "UNDETERMINED" that might lead to a slightly less efficient processing CRLs. The newly proposed text (in -09): | If a CRL contains a critical CRL entry extension | that the application cannot process, then the application MUST | NOT use that CRL to determine the status of the certificate | represented by the CRL entry. creates a significantly distinct behaviour for case (4) where X.509 and rfc5280 agreed on "UNDETERMINED", by redefining the result to be "UNREVOKED", and potentially creates a security problem, and a new, backwards-incompatible behaviour for a situation where X.509 and rfc5280 used to agree. Still, the new text does not do anything about case (3), the only case where X.509 and rfc5280 appear to differ (in a mostly marginal fashion). A careful implementor, that analyzes NOTE 4 and NOTE 5 from X.509 quoted above in its entirety, should realize that the situation where X.509 and rfc5280 differ is marginal. This is because (d>) in NOTE 5 above requires ("shall") that a critical crlEntryExtension with a semantic beyond "this cert is revoked"), MUST be additionally included as a critical crlExtension, with the effect that the entire CRL will have to be ignored by both X.509 and rfc5280 implementations that do not recognize the crlExtension. So all compliant CRLs with a "fancy" unrecognized critical crlEntryExtension, the accompanying unrecognized critical crlExtension will cause X.509 and rfc5280 to agree on (3) to return "UNDETERMINED" and require other CRLs to be checked. -Martin From mrex@sap.com Wed Sep 12 17:33:22 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AC0921F8543 for ; Wed, 12 Sep 2012 17:33:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.249 X-Spam-Level: X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GxyNAql92YSo for ; Wed, 12 Sep 2012 17:33:21 -0700 (PDT) Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 5260921F84EB for ; Wed, 12 Sep 2012 17:33:21 -0700 (PDT) Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id q8D0XEop024432 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 13 Sep 2012 02:33:14 +0200 (MEST) In-Reply-To: <20120913002444.80A791A216@ld9781.wdf.sap.corp> To: mrex@sap.com Date: Thu, 13 Sep 2012 02:33:14 +0200 (CEST) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20120913003314.483731A216@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Sep 2012 00:33:22 -0000 correction: the proposed new text in -09 creates the potential security problem here: Martin Rex wrote: > > two options, all combinations: > > (1) cert on CRL, CRL with NO unrecognized critical CRLEntryExtensions > (2) cert NOT on CRL, CRL with NO unrecognized critical CRLEntryExtensions > (3) cert on CRL, CRL with unrecognized critical CRLEntryExtension > (4) cert NOT on CRL, CRL with unrecognized critical CRLEntryExtension > > The newly proposed text (in -09): > > | If a CRL contains a critical CRL entry extension > | that the application cannot process, then the application MUST > | NOT use that CRL to determine the status of the certificate > | represented by the CRL entry. > > creates a significantly distinct behaviour for case (4) where X.509 > and rfc5280 agreed on "UNDETERMINED", by redefining the result to > be "UNREVOKED", and potentially creates a security problem, and a > new, backwards-incompatible behaviour for a situation where > X.509 and rfc5280 used to agree. Still, the new text does not do > anything about case (3), the only case where X.509 and rfc5280 > appear to differ (in a mostly marginal fashion). If the cert under examination is listed on the CRL, and happens to be the entry with the unrecognized critical CRLEntryExtensions, then the new text specifies that the cert status is "UNREVOKED", where X.509 specifies "REVOKED" and rfc5280 specifies "UNDETERMINED". While the latter might be less efficent, it is at least not wrong. I believe the behaviour specified by the new text "UREVOKED" to be dangerously wrong (and completely backwards incompatible). -Martin From wjhns1@hardakers.net Thu Sep 13 10:46:20 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 578D521F859E for ; Thu, 13 Sep 2012 10:46:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.45 X-Spam-Level: X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, NO_RELAYS=-0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QVcjkcEUMOVZ for ; Thu, 13 Sep 2012 10:46:19 -0700 (PDT) Received: from mail.hardakers.net (unknown [IPv6:2001:470:1f00:187::1]) by ietfa.amsl.com (Postfix) with ESMTP id B347321F84D6 for ; Thu, 13 Sep 2012 10:46:19 -0700 (PDT) Received: from localhost (unknown [IPv6:2001:470:1f00:187:c004:3973:a15f:f1df]) by mail.hardakers.net (Postfix) with ESMTPSA id 24CB456E; Thu, 13 Sep 2012 10:46:18 -0700 (PDT) From: Wes Hardaker To: Andrew Sullivan References: <20120907201501.GK16938@mx1.yitter.info> Date: Thu, 13 Sep 2012 10:46:18 -0700 In-Reply-To: <20120907201501.GK16938@mx1.yitter.info> (Andrew Sullivan's message of "Fri, 7 Sep 2012 16:15:01 -0400") Message-ID: <0lligderyt.fsf@wjh.hardakers.net> User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/23.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Cc: pkix@ietf.org Subject: Re: [pkix] pkixReview of draft-ietf-pkix-caa-13 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Sep 2012 17:46:20 -0000 Andrew Sullivan writes: > The description in section 4 excludes top level domains. My > impression in Vancouver was that we didn't have such an exclusion. Though each CA could choose their own policy with respect to checking the TLDs, I'm not sure that's helpful. I typically argue for consistency and we know that more TLDs are on their way with unknown usage patterns. Thus, I think all CAs should check the TLDs because we're making assumptions based on the *current* notion of TLDs, which may not be valid soon after more and more TLDs are requested by companies, etc. Things typically work better when everyone does the same, expected thing. Even when it doesn't look like, in today's world, it'll make a difference. I'd like to also point out that there is a missing ) in the line from section for that does talk about TLDs. -- Wes Hardaker My Pictures: http://capturedonearth.com/ My Thoughts: http://pontifications.hardakers.net/ From wjhns1@hardakers.net Thu Sep 13 10:53:08 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 183E121F8611 for ; Thu, 13 Sep 2012 10:53:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K47VGPaTDvN8 for ; Thu, 13 Sep 2012 10:53:08 -0700 (PDT) Received: from mail.hardakers.net (dawn.hardakers.net [IPv6:2001:470:1f00:187::1]) by ietfa.amsl.com (Postfix) with ESMTP id DC5BE21F860E for ; Thu, 13 Sep 2012 10:53:07 -0700 (PDT) Received: from localhost (unknown [IPv6:2001:470:1f00:187:c004:3973:a15f:f1df]) by mail.hardakers.net (Postfix) with ESMTPSA id 82FF05A5; Thu, 13 Sep 2012 10:53:07 -0700 (PDT) From: Wes Hardaker To: Wes Hardaker In-Reply-To: <0lligderyt.fsf@wjh.hardakers.net> (Wes Hardaker's message of "Thu, 13 Sep 2012 10:46:18 -0700") References: <20120907201501.GK16938@mx1.yitter.info> <0lligderyt.fsf@wjh.hardakers.net> User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/23.3 (gnu/linux) Date: Thu, 13 Sep 2012 10:53:07 -0700 Message-ID: <0lfw6lerng.fsf@wjh.hardakers.net> MIME-Version: 1.0 Content-Type: text/plain Cc: pkix@ietf.org Subject: Re: [pkix] pkixReview of draft-ietf-pkix-caa-13 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Sep 2012 17:53:08 -0000 Wes Hardaker writes: >> The description in section 4 excludes top level domains. My >> impression in Vancouver was that we didn't have such an exclusion. > > Though each CA could choose their own policy with respect to checking > the TLDs, I'm not sure that's helpful. Actually, reading the draft section in full this time I agree with Phillip that the only thing excluded is the root. In fact, the example even lists the TLDs. IE, the current text is fine with me because it is checking the TLDs (just not the root; where I don't ever expect CAA records to exist). -- Wes Hardaker My Pictures: http://capturedonearth.com/ My Thoughts: http://pontifications.hardakers.net/ From piyush@identicate.com Fri Sep 14 14:33:05 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4AA521F84E2 for ; Fri, 14 Sep 2012 14:33:05 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.599 X-Spam-Level: X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sjVedSiI8cXl for ; Fri, 14 Sep 2012 14:33:05 -0700 (PDT) Received: from co1outboundpool.messaging.microsoft.com (co1ehsobe005.messaging.microsoft.com [216.32.180.188]) by ietfa.amsl.com (Postfix) with ESMTP id 2628A21F84B9 for ; Fri, 14 Sep 2012 14:33:04 -0700 (PDT) Received: from mail70-co1-R.bigfish.com (10.243.78.225) by CO1EHSOBE004.bigfish.com (10.243.66.67) with Microsoft SMTP Server id 14.1.225.23; Fri, 14 Sep 2012 21:33:03 +0000 Received: from mail70-co1 (localhost [127.0.0.1]) by mail70-co1-R.bigfish.com (Postfix) with ESMTP id 7868F2400F9; Fri, 14 Sep 2012 21:33:03 +0000 (UTC) X-Forefront-Antispam-Report: CIP:157.56.244.229; KIP:(null); UIP:(null); IPV:NLI; H:CH1PRD0610HT004.namprd06.prod.outlook.com; RD:none; EFVD:NLI X-SpamScore: -27 X-BigFish: PS-27(zz98dI9371I542M1432Id6f1izz1202h1d1ah1d2ahzz1033IL8275bh8275dhz2fh2a8h668h839h944hd25hf0ah107ah1220h1288h12a5h12a9h12bdh1155h) Received-SPF: pass (mail70-co1: domain of identicate.com designates 157.56.244.229 as permitted sender) client-ip=157.56.244.229; envelope-from=piyush@identicate.com; helo=CH1PRD0610HT004.namprd06.prod.outlook.com ; .outlook.com ; Received: from mail70-co1 (localhost.localdomain [127.0.0.1]) by mail70-co1 (MessageSwitch) id 1347658381148082_17215; Fri, 14 Sep 2012 21:33:01 +0000 (UTC) Received: from CO1EHSMHS023.bigfish.com (unknown [10.243.78.242]) by mail70-co1.bigfish.com (Postfix) with ESMTP id 1517D4C0043; Fri, 14 Sep 2012 21:33:01 +0000 (UTC) Received: from CH1PRD0610HT004.namprd06.prod.outlook.com (157.56.244.229) by CO1EHSMHS023.bigfish.com (10.243.66.33) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 14 Sep 2012 21:32:57 +0000 Received: from CH1PRD0610MB393.namprd06.prod.outlook.com ([169.254.11.24]) by CH1PRD0610HT004.namprd06.prod.outlook.com ([10.255.151.39]) with mapi id 14.16.0175.005; Fri, 14 Sep 2012 21:32:49 +0000 From: Piyush Jain To: "mrex@sap.com" Thread-Topic: [pkix] 5280bis, v-09 Thread-Index: AQHNj4Or+HT2+Q6yxkWqbc8OyTbOnJeHbVEAgAACYACAAu22YA== Date: Fri, 14 Sep 2012 21:32:48 +0000 Message-ID: References: <20120913002444.80A791A216@ld9781.wdf.sap.corp> <20120913003314.483731A216@ld9781.wdf.sap.corp> In-Reply-To: <20120913003314.483731A216@ld9781.wdf.sap.corp> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [75.25.128.241] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: identicate.com Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Sep 2012 21:33:05 -0000 Please accept my apologies in advance if I did not understand it correctly. Is there a difference between "UNREVOKED" and "UNDETERMINED"? I could not f= ind a definition for these terms either in RFC 5280 or in correction draft = 09. I think you are referring to this text in the section 4 of draft-09 "If a CRL contains a critical CRL entry extension that the application c= annot process, then the application MUST NOT use that CRL to determine the= status of the certificate represented by the CRL entry." I agree that in this case certificated being referred to, by that entry sho= uld be considered revoked.=20 > -----Original Message----- > From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of > Martin Rex > Sent: Wednesday, September 12, 2012 5:33 PM > To: mrex@sap.com > Cc: pkix > Subject: Re: [pkix] 5280bis, v-09 >=20 > correction: the proposed new text in -09 creates the potential security > problem here: >=20 > Martin Rex wrote: > > > > two options, all combinations: > > > > (1) cert on CRL, CRL with NO unrecognized critical CRLEntryExtensi= ons > > (2) cert NOT on CRL, CRL with NO unrecognized critical CRLEntryExtensi= ons > > (3) cert on CRL, CRL with unrecognized critical CRLEntryExtensi= on > > (4) cert NOT on CRL, CRL with unrecognized critical CRLEntryExtensi= on > > > > The newly proposed text (in -09): > > > > | If a CRL contains a critical CRL entry extension > > | that the application cannot process, then the application MUST > > | NOT use that CRL to determine the status of the certificate > > | represented by the CRL entry. > > > > creates a significantly distinct behaviour for case (4) where X.509 > > and rfc5280 agreed on "UNDETERMINED", by redefining the result to be > > "UNREVOKED", and potentially creates a security problem, and a new, > > backwards-incompatible behaviour for a situation where > > X.509 and rfc5280 used to agree. Still, the new text does not do > > anything about case (3), the only case where X.509 and rfc5280 appear > > to differ (in a mostly marginal fashion). >=20 > If the cert under examination is listed on the CRL, and happens to be the > entry with the unrecognized critical CRLEntryExtensions, then the new tex= t > specifies that the cert status is "UNREVOKED", where X.509 specifies > "REVOKED" and rfc5280 specifies "UNDETERMINED". >=20 > While the latter might be less efficent, it is at least not wrong. > I believe the behaviour specified by the new text "UREVOKED" to be > dangerously wrong (and completely backwards incompatible). >=20 > -Martin > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix From SChokhani@cygnacom.com Sun Sep 16 17:33:02 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A426621F84E7 for ; Sun, 16 Sep 2012 17:33:02 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BSliWt7Oqw9w for ; Sun, 16 Sep 2012 17:33:02 -0700 (PDT) Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) by ietfa.amsl.com (Postfix) with ESMTP id CA64C21F84D8 for ; Sun, 16 Sep 2012 17:33:01 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.80,432,1344225600"; d="scan'208";a="1954191" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge2.cygnacom.com with ESMTP; 16 Sep 2012 20:32:49 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Sun, 16 Sep 2012 20:32:48 -0400 From: Santosh Chokhani To: Piyush Jain , "mrex@sap.com" Date: Sun, 16 Sep 2012 20:31:08 -0400 Thread-Topic: [pkix] 5280bis, v-09 Thread-Index: AQHNj4Or+HT2+Q6yxkWqbc8OyTbOnJeHbVEAgAACYACAAu22YIADWl+w Message-ID: References: <20120913002444.80A791A216@ld9781.wdf.sap.corp> <20120913003314.483731A216@ld9781.wdf.sap.corp> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 00:33:02 -0000 Piyush, In my analysis, 5280 is not saying that the certificate represented by the = entry should be considered revoked. The relying party can get another CRL or other revocation information or ca= n make a decision it makes in the absence of revocation information. -----Original Message----- From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Piy= ush Jain Sent: Friday, September 14, 2012 5:33 PM To: mrex@sap.com Cc: pkix Subject: Re: [pkix] 5280bis, v-09 Please accept my apologies in advance if I did not understand it correctly. Is there a difference between "UNREVOKED" and "UNDETERMINED"? I could not f= ind a definition for these terms either in RFC 5280 or in correction draft = 09. I think you are referring to this text in the section 4 of draft-09 "If a CRL contains a critical CRL entry extension that the application c= annot process, then the application MUST NOT use that CRL to determine the= status of the certificate represented by the CRL entry." I agree that in this case certificated being referred to, by that entry sho= uld be considered revoked.=20 > -----Original Message----- > From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf=20 > Of Martin Rex > Sent: Wednesday, September 12, 2012 5:33 PM > To: mrex@sap.com > Cc: pkix > Subject: Re: [pkix] 5280bis, v-09 >=20 > correction: the proposed new text in -09 creates the potential=20 > security problem here: >=20 > Martin Rex wrote: > > > > two options, all combinations: > > > > (1) cert on CRL, CRL with NO unrecognized critical CRLEntryExtensi= ons > > (2) cert NOT on CRL, CRL with NO unrecognized critical CRLEntryExtensi= ons > > (3) cert on CRL, CRL with unrecognized critical CRLEntryExtensi= on > > (4) cert NOT on CRL, CRL with unrecognized critical CRLEntryExtensi= on > > > > The newly proposed text (in -09): > > > > | If a CRL contains a critical CRL entry extension > > | that the application cannot process, then the application MUST > > | NOT use that CRL to determine the status of the certificate > > | represented by the CRL entry. > > > > creates a significantly distinct behaviour for case (4) where X.509=20 > > and rfc5280 agreed on "UNDETERMINED", by redefining the result to be=20 > > "UNREVOKED", and potentially creates a security problem, and a new,=20 > > backwards-incompatible behaviour for a situation where > > X.509 and rfc5280 used to agree. Still, the new text does not do=20 > > anything about case (3), the only case where X.509 and rfc5280=20 > > appear to differ (in a mostly marginal fashion). >=20 > If the cert under examination is listed on the CRL, and happens to be=20 > the entry with the unrecognized critical CRLEntryExtensions, then the=20 > new text specifies that the cert status is "UNREVOKED", where X.509=20 > specifies "REVOKED" and rfc5280 specifies "UNDETERMINED". >=20 > While the latter might be less efficent, it is at least not wrong. > I believe the behaviour specified by the new text "UREVOKED" to be=20 > dangerously wrong (and completely backwards incompatible). >=20 > -Martin > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix _______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix From piyush@identicate.com Sun Sep 16 18:09:28 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18FA221F8525 for ; Sun, 16 Sep 2012 18:09:28 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.599 X-Spam-Level: X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aesCdBHkn-vE for ; Sun, 16 Sep 2012 18:09:27 -0700 (PDT) Received: from co1outboundpool.messaging.microsoft.com (co1ehsobe006.messaging.microsoft.com [216.32.180.189]) by ietfa.amsl.com (Postfix) with ESMTP id 4F63721F8505 for ; Sun, 16 Sep 2012 18:09:26 -0700 (PDT) Received: from mail24-co1-R.bigfish.com (10.243.78.246) by CO1EHSOBE009.bigfish.com (10.243.66.72) with Microsoft SMTP Server id 14.1.225.23; Mon, 17 Sep 2012 01:09:26 +0000 Received: from mail24-co1 (localhost [127.0.0.1]) by mail24-co1-R.bigfish.com (Postfix) with ESMTP id 0975590005C; Mon, 17 Sep 2012 01:09:26 +0000 (UTC) X-Forefront-Antispam-Report: CIP:157.56.244.229; KIP:(null); UIP:(null); IPV:NLI; H:CH1PRD0610HT004.namprd06.prod.outlook.com; RD:none; EFVD:NLI X-SpamScore: -27 X-BigFish: PS-27(zz98dI9371I542M1432Id6f1izz1202h1d1ah1d2ahzz1033IL8275bh8275dhz2fh2a8h668h839h944hd25hf0ah107ah1220h1288h12a5h12a9h12bdh1155h) Received-SPF: pass (mail24-co1: domain of identicate.com designates 157.56.244.229 as permitted sender) client-ip=157.56.244.229; envelope-from=piyush@identicate.com; helo=CH1PRD0610HT004.namprd06.prod.outlook.com ; .outlook.com ; Received: from mail24-co1 (localhost.localdomain [127.0.0.1]) by mail24-co1 (MessageSwitch) id 1347844164185166_9187; Mon, 17 Sep 2012 01:09:24 +0000 (UTC) Received: from CO1EHSMHS024.bigfish.com (unknown [10.243.78.252]) by mail24-co1.bigfish.com (Postfix) with ESMTP id 2B5E6A80054; Mon, 17 Sep 2012 01:09:24 +0000 (UTC) Received: from CH1PRD0610HT004.namprd06.prod.outlook.com (157.56.244.229) by CO1EHSMHS024.bigfish.com (10.243.66.34) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 17 Sep 2012 01:09:23 +0000 Received: from CH1PRD0610MB393.namprd06.prod.outlook.com ([169.254.11.24]) by CH1PRD0610HT004.namprd06.prod.outlook.com ([10.255.151.39]) with mapi id 14.16.0175.005; Mon, 17 Sep 2012 01:09:22 +0000 From: Piyush Jain To: Santosh Chokhani , "mrex@sap.com" Thread-Topic: [pkix] 5280bis, v-09 Thread-Index: AQHNj4Or+HT2+Q6yxkWqbc8OyTbOnJeHbVEAgAACYACAAu22YIADWl+wgAAIyCA= Date: Mon, 17 Sep 2012 01:09:21 +0000 Message-ID: References: <20120913002444.80A791A216@ld9781.wdf.sap.corp> <20120913003314.483731A216@ld9781.wdf.sap.corp> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [75.25.128.241] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: identicate.com Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 01:09:28 -0000 Santosh - I agree with you analysis. However, as Martin pointed out, this behavior is inconsistent with X.509. X.509 says that the certificated specified by the CRL entry should be treat= ed as revoked and it should not affect the processing of other entries in t= he CRL (unless there a CRL extension that dictates it). Given that many deployments treat 'unknown' status as being less severe tha= n 'revoked', 5280 introduces slight vulnerability by requiring the CRL to b= e rejected because of presence of an unknown critical CRL entry extension. -Piyush > -----Original Message----- > From: Santosh Chokhani [mailto:SChokhani@cygnacom.com] > Sent: Sunday, September 16, 2012 5:31 PM > To: Piyush Jain; mrex@sap.com > Cc: pkix > Subject: RE: [pkix] 5280bis, v-09 >=20 > Piyush, >=20 > In my analysis, 5280 is not saying that the certificate represented by th= e entry > should be considered revoked. >=20 > The relying party can get another CRL or other revocation information or = can > make a decision it makes in the absence of revocation information. >=20 > -----Original Message----- > From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of > Piyush Jain > Sent: Friday, September 14, 2012 5:33 PM > To: mrex@sap.com > Cc: pkix > Subject: Re: [pkix] 5280bis, v-09 >=20 > Please accept my apologies in advance if I did not understand it correctl= y. > Is there a difference between "UNREVOKED" and "UNDETERMINED"? I could > not find a definition for these terms either in RFC 5280 or in correction= draft > 09. >=20 > I think you are referring to this text in the section 4 of draft-09 > "If a CRL contains a critical CRL entry extension that the application= cannot > process, then the application MUST NOT use that CRL to determine the > status of the certificate represented by the CRL entry." >=20 > I agree that in this case certificated being referred to, by that entry s= hould be > considered revoked. >=20 > > -----Original Message----- > > From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf > > Of Martin Rex > > Sent: Wednesday, September 12, 2012 5:33 PM > > To: mrex@sap.com > > Cc: pkix > > Subject: Re: [pkix] 5280bis, v-09 > > > > correction: the proposed new text in -09 creates the potential > > security problem here: > > > > Martin Rex wrote: > > > > > > two options, all combinations: > > > > > > (1) cert on CRL, CRL with NO unrecognized critical CRLEntryExten= sions > > > (2) cert NOT on CRL, CRL with NO unrecognized critical > CRLEntryExtensions > > > (3) cert on CRL, CRL with unrecognized critical CRLEntryExten= sion > > > (4) cert NOT on CRL, CRL with unrecognized critical CRLEntryExten= sion > > > > > > The newly proposed text (in -09): > > > > > > | If a CRL contains a critical CRL entry extension > > > | that the application cannot process, then the application MUST > > > | NOT use that CRL to determine the status of the certificate > > > | represented by the CRL entry. > > > > > > creates a significantly distinct behaviour for case (4) where X.509 > > > and rfc5280 agreed on "UNDETERMINED", by redefining the result to be > > > "UNREVOKED", and potentially creates a security problem, and a new, > > > backwards-incompatible behaviour for a situation where > > > X.509 and rfc5280 used to agree. Still, the new text does not do > > > anything about case (3), the only case where X.509 and rfc5280 > > > appear to differ (in a mostly marginal fashion). > > > > If the cert under examination is listed on the CRL, and happens to be > > the entry with the unrecognized critical CRLEntryExtensions, then the > > new text specifies that the cert status is "UNREVOKED", where X.509 > > specifies "REVOKED" and rfc5280 specifies "UNDETERMINED". > > > > While the latter might be less efficent, it is at least not wrong. > > I believe the behaviour specified by the new text "UREVOKED" to be > > dangerously wrong (and completely backwards incompatible). > > > > -Martin > > _______________________________________________ > > pkix mailing list > > pkix@ietf.org > > https://www.ietf.org/mailman/listinfo/pkix >=20 >=20 > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix From denis.pinkas@bull.net Mon Sep 17 00:16:07 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AAB821F84F9 for ; Mon, 17 Sep 2012 00:16:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.152 X-Spam-Level: X-Spam-Status: No, score=-1.152 tagged_above=-999 required=5 tests=[AWL=-0.763, BAYES_20=-0.74, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IdgHXjo0yKp6 for ; Mon, 17 Sep 2012 00:16:06 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id E103B21F84F6 for ; Mon, 17 Sep 2012 00:16:05 -0700 (PDT) Received: from MSGC-003.bull.fr (MSGC-003.frcl.bull.fr [129.184.87.131]) by odin2.bull.net (Bull S.A.) with ESMTP id E19F812020B; Mon, 17 Sep 2012 09:16:04 +0200 (CEST) In-Reply-To: References: To: Piyush Jain MIME-Version: 1.0 X-KeepSent: C7332B2A:09D1A8F9-C1257A7A:006183A2; type=4; name=$KeepSent X-Mailer: Lotus Notes Release 8.5.2 August 10, 2010 From: denis.pinkas@bull.net Message-ID: Date: Mon, 17 Sep 2012 09:16:03 +0200 X-MIMETrack: Serialize by Router on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 17/09/2012 09:16:04, Serialize complete at 17/09/2012 09:16:04 Content-Type: multipart/alternative; boundary="=_alternative 0027DCF8C1257A7C_=" Cc: "pkix@ietf.org" Subject: Re: [pkix] New version Notification for draft-pinkas-2560bis-certinfo-00 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 07:16:07 -0000 Message en plusieurs parties au format MIME --=_alternative 0027DCF8C1257A7C_= Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: base64 UGl5dXNoLA0KDQpZb3Ugc2FpZCB0aGF0IGlmIHRoZSB0YXJnZXQgY2VydGlmaWNhdGUgaGFzIGlu ZGVlZCBub3QgYmVlbiBpc3N1ZWQgYW5kIA0KdGh1cyBpcyBhIGZvcmdlZCBjZXJ0aWZpY2F0ZSwg DQp0aGlzIGltcGxpZXMgdGhhdCBlaXRoZXIgdGhlIENBIG9yIFJBIGlzIGNvbXByb21pc2VkLg0K DQpUaGlzIG1heSBpbmRlZWQgYmUgdGhlIGNhc2UsIGJ1dCBub3QgbmVjZXNzYXJpbHkuIEhlcmUg YXJlIHR3byBvdGhlciBjYXNlcyANCndoaWNoIGxlYWQgdG8gdGhhdCBzaXR1YXRpb246DQoNCiAg ICAxKSB0aGUga2V5IGhhcyBiZWVuIGRpc2NvdmVyZWQgKGUuZy4gc2luY2UgdGhlIGFsZ29yaXRo bSBoYXMgYmVlbiANCmJyb2tlbiBmb3IgdGhhdCBrZXkgc2l6ZSksDQogICAyKSB0aGUgYmFja3Vw IGtleXMgb2YgdGhlIEhTTSBoYXZlIGJlZW4gcmVpbnN0YWxsZWQgb24gYW5vdGhlciBIU00gYW5k IA0KdXNlZCBkaXJlY3RseSANCiAgICAgICB3aXRob3V0IHVzaW5nIHRoZSBnZW51aW5lIHNvZnR3 YXJlLg0KDQpUaGV5IGFyZSBvdGhlciBjYXNlcyAuTmV2ZXJ0aGVsZXNzLCB5b3Ugd2lsbCBmaW5k IGhlcmVhZnRlciBhIHByb3Bvc2VkIA0KdGV4dCBpbXByb3ZlbWVudDoNCg0KVGhlIHRleHQgd2Fz IDoNCg0KICAgV2hlbiBjZXJ0SGFzaFZhbHVlIGlzIHJldHVybmVkIGFuZCB0aGUgaGFzaGVzIGRv IG5vdCBtYXRjaCwgdGhpcyANCiAgIGV4dGVuc2lvbiBhbGxvd3MgZGV0ZWN0aW5nIGFuIGFibm9y bWFsIHNpdHVhdGlvbiA6IHRoZXJlIGV4aXN0cyB0d28gDQogICBjZXJ0aWZpY2F0ZXMgd2l0aCB0 aGUgc2FtZSBzZXJpYWwgbnVtYmVyOiBvbmUgcmVndWxhcmx5IGlzc3VlZCBieSANCiAgIHRoZSBD QSBhbmQgYW5vdGhlciBvbmUgd2hpY2ggaGFzIGVpdGhlciBiZWVuIGZvcmdlZCBvciBvYnRhaW5l ZCANCiAgIGlycmVndWxhcmx5Lg0KDQogICBXaGVuIGNlcnRIYXNoVmFsdWUgaXMgcmV0dXJuZWQg YW5kIHRoZSBoYXNoZXMgbWF0Y2gsIHRoZW4gZXZlcnl0aGluZyANCiAgIGxvb2tzIGZpbmUsIGJ1 dCB0aGlzIGNhc2UgZG9lcyBub3QgYWxsb3cgZGV0ZWN0aW5nIGFuIGFibm9ybWFsIA0KICAgc2l0 dWF0aW9uIGlmIHRoZSBSQSBzb2Z0d2FyZSBoYXMgYmVlbiBjb3JydXB0ZWQsIGlmIHRoZSBDQSBp dHNlbGYgDQogICBoYXMgYmVlbiBjb3JydXB0ZWQsIE9DU1AgU2VydmVyIGhhcyBiZWVuIGNvcnJ1 cHRlZCwgb3IgaWYgdGhlIA0KICAgZGF0YWJhc2UgdG8gd2hpY2ggdGhlIE9DU1Agc2VydmVyIGhh cyBhY2Nlc3MgaGFzIGJlZW4gbWFsaWNpb3VzbHkgDQogICBjb3JydXB0ZWQuICBUaGlzIGNhc2Ug ZG9lcyBub3QgZWl0aGVyIGFsbG93IGRldGVjdGluZyBoYXNoaW5nIA0KICAgYWxnb3JpdGhtIG9y IHNpZ25hdHVyZSBhbGdvcml0aG0gY29sbGlzaW9ucy4NCg0KVGhlIHByb3Bvc2VkIGNoYW5nZSBp cyB0aGUgZm9sbG93aW5nICA6IA0KDQogICBXaGVuIGNlcnRIYXNoVmFsdWUgaXMgcmV0dXJuZWQg YW5kIHRoZSBoYXNoZXMgZG8gbm90IG1hdGNoLCB0aGlzIA0KICAgZXh0ZW5zaW9uIGFsbG93cyBk ZXRlY3RpbmcgYW4gYWJub3JtYWwgc2l0dWF0aW9uIDogdGhlcmUgZXhpc3RzIHR3byANCiAgIGNl cnRpZmljYXRlcyB3aXRoIHRoZSBzYW1lIHNlcmlhbCBudW1iZXI6IG9uZSByZWd1bGFybHkgaXNz dWVkIGJ5IA0KICAgdGhlIENBIGFuZCBhbm90aGVyIG9uZSB3aGljaCBoYXMgZWl0aGVyIGJlZW4g Zm9yZ2VkIG9yIG9idGFpbmVkIA0KICAgaXJyZWd1bGFybHkuDQoNCiAgIFRoZXJlIGFyZSBkaWZm ZXJlbnQgY2FzZXMgd2hlbiBzdWNoIGEgc2l0dWF0aW9uIG1heSBoYXBwZW4sIGluIA0KICAgcGFy dGljdWxhcjoNCg0KICAgICAgMSkgYm90aCB0aGUgT0NTUCBzZXJ2ZXIgYW5kIHRoZSBkYXRhYmFz ZSB0byB3aGljaCB0aGUgT0NTUCBzZXJ2ZXIgDQogICAgICAgICBoYXMgYWNjZXNzIGhhdmUgbm90 IGJlZW4gY29ycnVwdGVkLCBidXQgdGhlIFJBIHNvZnR3YXJlIA0KICAgICAgICAgb3IgdGhlIENB IHNvZnR3YXJlIGhhcyBiZWVuIHBhcnRpYWxseSBjb3JydXB0ZWQuDQoNCiAgICAgIDIpIHRoZSBi YWNrdXAga2V5cyBvZiB0aGUgSFNNIChIYXJkd2FyZSBTZWN1cml0eSBNb2R1bGUpIGhhdmUgDQog ICAgICAgICBiZWVuIHJlaW5zdGFsbGVkIG9uIGFub3RoZXIgSFNNIGFuZCB1c2VkIGRpcmVjdGx5 IHdpdGhvdXQgDQogICAgICAgICB1c2luZyB0aGUgZ2VudWluZSBzb2Z0d2FyZS4NCg0KICAgICAg MykgYSBjb2xsaXNpb24gY291bGQgYmUgZm91bmQgZm9yIHRoZSBoYXNoIGFuZC9vciB0aGUgc2ln bmF0dXJlIA0KICAgICAgICAgYWxnb3JpdGhtLg0KDQogICAgICA0KSB0aGUga2V5IGhhcyBiZWVu IGRpc2NvdmVyZWQgKGUuZy4gc2luY2UgdGhlIGFsZ29yaXRobSBoYXMgYmVlbiANCiAgICAgICAg IGJyb2tlbiBmb3IgdGhhdCBrZXkgc2l6ZSkuDQoNCiAgIFdoZW4gY2VydEhhc2hWYWx1ZSBpcyBy ZXR1cm5lZCBhbmQgdGhlIGhhc2hlcyBtYXRjaCwgdGhlbiBldmVyeXRoaW5nIA0KICAgbG9va3Mg ZmluZSwgYnV0IHRoaXMgY2FzZSBkb2VzIG5vdCBhbGxvdyBkZXRlY3RpbmcgYWJub3JtYWwgDQog ICBzaXR1YXRpb25zIHN1Y2ggYXM6DQoNCiAgICAgIDEpIHRoZSBSQSBzb2Z0d2FyZSBoYXMgYmVl biBwYXJ0aWFsbHkgb3IgY29tcGxldGVseSBjb3JydXB0ZWQsIA0KDQogICAgICAyKSB0aGUgQ0Eg aGFzIGJlZW4gcGFydGlhbGx5IG9yIGNvbXBsZXRlbHkgY29ycnVwdGVkLCANCg0KICAgICAgMykg dGhlIE9DU1Agc2VydmVyIGhhcyBiZWVuIHBhcnRpYWxseSBvciBjb21wbGV0ZWx5IGNvcnJ1cHRl ZCwgb3INCg0KICAgICAgNCkgdGhlIGRhdGFiYXNlIHRvIHdoaWNoIHRoZSBPQ1NQIHNlcnZlciBo YXMgYWNjZXNzIGhhcyBiZWVuIA0KICAgICAgICAgcGFydGlhbGx5IG9yIGNvbXBsZXRlbHkgbWFs aWNpb3VzbHkgY29ycnVwdGVkLiANCg0KICAgVGhpcyBjYXNlIGRvZXMgbm90IGVpdGhlciBhbGxv dyBkZXRlY3RpbmcgaGFzaGluZyBhbGdvcml0aG0gb3IgDQpzaWduYXR1cmUNCiAgIGFsZ29yaXRo bSBjb2xsaXNpb25zLg0KDQpEZW5pcw0KIA0KPiBOb3Qgc3VyZSBpZiBJIGdldCBpdCBjb21wbGV0 ZWx5Lg0KPiANCj4gSW4gdGhlIHNlY3VyaXR5IHNlY3Rpb24gd2UgYXJlIHNheWluZyB0aGF0IGl0 IGRvZXMgbm90IGRldGVjdCB0aGUgDQo+IOKAmGFibm9ybWFs4oCZIHNjZW5hcmlvIHdoZXJlIFJB ICxDQSBvciByZXNwb25kZXIgaXMgY29tcHJvbWlzZWQuDQo+IA0KPiBBbmQgdGhlIHJlYXNvbiBm b3IgaW50cm9kdWNpbmcgdGhpcyBleHRlbnNpb24gaXMgKGZyb20gdGhlIGRyYWZ0KSAtIOKAnA0K PiBlaXRoZXIgdGhhdCB0aGUgdGFyZ2V0IGNlcnRpZmljYXRlIGhhcyBpbmRlZWQgbm90IGJlZW4g aXNzdWVkIGFuZCANCj4gdGh1cyBpcyBhIGZvcmdlZCBjZXJ0aWZpY2F0ZeKAnSwgd2hpY2ggaW1w bGllcyB0aGF0IGVpdGhlciB0aGUgQ0Egb3IgDQo+IFJBIGlzIGNvbXByb21pc2VkLg0KPiANCj4g SW4gc3VtbWFyeSB0aGUgZXh0ZW5zaW9uIGlzIHVzZWQgZm9yIGRldGVjdGluZyBDQSBjb21wcm9t aXNlIA0KPiBzY2VuYXJpb3MgYnV0IGNhbm5vdCBkZXRlY3QgdGhlIOKAmGFibm9ybWFs4oCZIGNh c2Ugd2hlbiBDQSBpcyBjb21wcm9taXNlZC4NCj4gV2hhdCBhbSBJIG1pc3Npbmc/DQo+IA0KPiAt UGl5dXNoDQo+IA0KPiANCj4gRnJvbTogcGtpeC1ib3VuY2VzQGlldGYub3JnIFttYWlsdG86cGtp eC1ib3VuY2VzQGlldGYub3JnXSBPbiBCZWhhbGYgT2YgDQo+IFNhbnRvc2ggQ2hva2hhbmkNCj4g U2VudDogU3VuZGF5LCBTZXB0ZW1iZXIgMDksIDIwMTIgMjo1NCBBTQ0KPiBUbzogZGVuaXMucGlu a2FzQGJ1bGwubmV0DQo+IENjOiBwa2l4QGlldGYub3JnDQo+IFN1YmplY3Q6IFJlOiBbcGtpeF0g TmV3IHZlcnNpb24gTm90aWZpY2F0aW9uIGZvciBkcmFmdC0NCj4gcGlua2FzLTI1NjBiaXMtY2Vy dGluZm8tMDANCj4gDQo+IERlbmlzLA0KPiANCj4gVGhhbmtzLiAgV2UgYXJlIGFsbW9zdCB0aGVy ZS4gIEkgaGF2ZSBzdWdnZXN0aW9ucyBpbi1saW5lIGJlbG93Lg0KPiANCj4gRnJvbTogZGVuaXMu cGlua2FzQGJ1bGwubmV0IFttYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0XSANCj4gU2VudDog RnJpZGF5LCBTZXB0ZW1iZXIgMDcsIDIwMTIgMTA6MjQgQU0NCj4gVG86IFNhbnRvc2ggQ2hva2hh bmkNCj4gQ2M6IHBraXhAaWV0Zi5vcmcNCj4gU3ViamVjdDogUkU6IFtwa2l4XSBOZXcgdmVyc2lv biBOb3RpZmljYXRpb24gZm9yIGRyYWZ0LQ0KPiBwaW5rYXMtMjU2MGJpcy1jZXJ0aW5mby0wMA0K PiANCj4gU2FudG9zaCwgDQo+IA0KPiA+IERlbmlzLCANCj4gPiANCj4gPiBPbiAxLCBJZiB0aGUg Q0EgaGFzIGJlZW4gYXR0YWNrZWQsLCB5b3UgaGF2ZSBubyBhc3N1cmFuY2UgdGhhdCB0aGUgDQo+ ID4gYWR2ZXJzYXJ5IGhhcyBub3QgY3JlYXRlZCBhbiBPQ1NQIGNlcnRpZmljYXRlIGFzIHdlbGwu IA0KPiANCj4gUmF0aGVyIHRoYW4gYXJndWluZyB3ZSBzaG91bGQgY29uY2VudHJhdGUgdG8gaW1w cm92ZSB0aGUgdGV4dC4gV2hhdCANCmFib3V0OiANCj4gDQo+ICAgIFdoZW4gY2VydEhhc2hWYWx1 ZSBpcyByZXR1cm5lZCBhbmQgdGhlIGhhc2hlcyBtYXRjaCwgdGhlbiBldmVyeXRoaW5nIA0KPiAg ICBsb29rcyBmaW5lLCBidXQgdGhpcyBjYXNlIGRvZXMgbm90IGFsbG93IGRldGVjdGluZyBhbiBh Ym5vcm1hbCANCj4gICAgc2l0dWF0aW9uIGlmIHRoZSBSQSBzb2Z0d2FyZSBoYXMgYmVlbiBjb3Jy dXB0ZWQsIGlmIHRoZSBDQSBpdHNlbGYgDQo+ICAgIGhhcyBiZWVuIGNvcnJ1cHRlZCBvciBpZiB0 aGUgZGF0YWJhc2UgdG8gd2hpY2ggdGhlIE9DU1Agc2VydmVyIGhhcyANCj4gICAgYWNjZXNzIGhh cyBiZWVuIG1hbGljaW91c2x5IGNvcnJ1cHRlZC4gDQo+IFtTYW50b3NoXSBUaGlzIGlzIGFsbW9z dCB0aGVyZS4gIEhvdyBhYm91dCB0aGUgZm9sbG93aW5nIChhZGRlZCBPQ1NQDQo+IGNvcnJ1cHRp b24gYW5kIGNyeXB0b2dyYXBoaWMgYWxnb3JpdGhtKQ0KPiAgICBXaGVuIGNlcnRIYXNoVmFsdWUg aXMgcmV0dXJuZWQgYW5kIHRoZSBoYXNoZXMgbWF0Y2gsIHRoZW4gZXZlcnl0aGluZyANCj4gICAg bG9va3MgZmluZSwgYnV0IHRoaXMgY2FzZSBkb2VzIG5vdCBhbGxvdyBkZXRlY3RpbmcgYW4gYWJu b3JtYWwgDQo+ICAgIHNpdHVhdGlvbiBpZiB0aGUgUkEgc29mdHdhcmUgaGFzIGJlZW4gY29ycnVw dGVkLCBpZiB0aGUgQ0EgaXRzZWxmIA0KPiAgICBoYXMgYmVlbiBjb3JydXB0ZWQsIE9DU1AgU2Vy dmVyIGhhcyBiZWVuIGNvcnJ1cHRlZCwgb3IgaWYgdGhlIA0KPiBkYXRhYmFzZSB0byB3aGljaCB0 aGUgT0NTUCBzZXJ2ZXIgaGFzIA0KPiAgICBhY2Nlc3MgaGFzIGJlZW4gbWFsaWNpb3VzbHkgY29y cnVwdGVkLiBUaGlzIG1heSBhbHNvIG5vdCBkZXRlY3QgDQo+IGhhc2hpbmcgYWxnb3JpdGhtIG9y IHNpZ25hdHVyZSBhbGdvcml0aG0gY29tcHJvbWlzZS4NCj4gDQo+IA0KPiA+IE9uIDIsIGp1c3Qg bGlrZSB0aGUgQ0EgY29tcHJvbWlzZSBzY2VuYXJpbyB5b3UgY2l0ZSwgdGhlIG1lY2hhbmlzbSAN Cj4gPiBoZWxwcyBkZXRlY3QgY29sbGlzaW9uLiAgSWYgdGhlIENBIGtuZXcgb2YgY29sbGlzaW9u LCBpdCB3b3VsZCBvZiANCj4gPiBjb3Vyc2UgY2hhbmdlIHRoZSBjaXBoZXIgc3VpdGUuIA0KPiAN Cj4gIE1heWJlLCBtYXliZSBub3QuIEEgY29sbGlzaW9uIG1heSBoYXBwZW4gd2l0aG91dCBhIGRl ZmVjdCBpbiB0aGUgDQo+IGNpcGhlciBzdWl0ZSANCj4gKGUuZy4gdGhlIEhTTSBoYXMgYmVlbiBz dWNjZXNzZnVsbHkgdXNlZCBkaXJlY3RseSkuIA0KPiANCj4gSSBiZWxpZXZlIHRoYXQgdGhlIGN1 cnJlbnQgdGV4dCBpcyBzdWZmaWNpZW50OiANCj4gDQo+ICAgIFdoZW4gY2VydEhhc2hWYWx1ZSBp cyByZXR1cm5lZCBhbmQgdGhlIGhhc2hlcyBkbyBub3QgbWF0Y2gsIHRoaXMgDQo+ICAgIGV4dGVu c2lvbiBhbGxvd3MgZGV0ZWN0aW5nIGFuIGFibm9ybWFsIHNpdHVhdGlvbiA6IHRoZXJlIGV4aXN0 cyB0d28gDQo+ICAgIGNlcnRpZmljYXRlcyB3aXRoIHRoZSBzYW1lIHNlcmlhbCBudW1iZXI6IG9u ZSByZWd1bGFybHkgaXNzdWVkIGJ5IA0KPiAgICB0aGUgQ0EgYW5kIGFub3RoZXIgb25lIHdoaWNo IGhhcyBlaXRoZXIgYmVlbiBmb3JnZWQgb3Igb2J0YWluZWQgDQo+ICAgIGlycmVndWxhcmx5LiAN Cj4gDQo+IElmIHlvdSBkb24ndCB0aGluayBzbywgcGxlYXNlIG1ha2UgYSBzcGVjaWZpYyBwcm9w b3NhbC4gDQo+IFtTYW50b3NoXSBJIHdpdGhkcmF3IHRoZSBzZWNvbmQgc3VnZ2VzdGlvbiBzaW5j ZSBpdCBiZWNvbWVzIHRvbyANCj4gY29udm9sdXRlZC4gIEkgaGF2ZSBhZGRyZXNzZWQgc29tZSBv ZiBpdCBpbiBpdGVtIDEuDQo+IA0KPiANCj4gRGVuaXMgDQo+IA0KPiA+IE5vdGUgdGhhdCAxIHN0 aWxsIGZvciBjb2xsaXNpb24gZGV0ZWN0aW9uIHRydW1wcyAyIHNpbmNlIGNvbGxpc2lvbiANCj4g PiBjcmVhdG9yIGNvdWxkIGhhdmUgY3JlYXRlZCBPQ1NQIGNlcnRpZmljYXRlIGFuZCBwdXQgdGhl IHJvZ3VlIE9DU1AgDQo+ID4gcG9pbnRlciBpbiBBSUEuIA0KPiA+IA0KPiANCj4gDQo+IA0KPiA+ IFNhbnRvaCwgDQo+ID4gDQo+ID4gVGhhbmsgeW91IGZvciB5b3VyIGNvbW1lbnRzLiANCj4gPiAN Cj4gPiBTZWUgbXkgcmVwbGllcyBpbiBsaW5lOiANCj4gPiANCj4gPiA+RGVuaXMsDQo+ID4gPiAN Cj4gPiA+SSBoYXZlIGNvdXBsZSBvZiBzdWdnZXN0aW9ucyBmb3IgdGhlIHNlY3VyaXR5IGNvbnNp ZGVyYXRpb25zDQo+ID4gPnNlY3Rpb24uDQo+ID4gPiANCj4gPiA+MS4gICAgIEl0IGlzIHdvcnRo IHBvaW50aW5nIG91dCBhc2lkZSBmcm9tIFJBIGNvcnJ1cHRpb24gYW5kIGRhdGFiYXNlDQo+ID4g PmNvcnJ1cHRpb24gdGhhdCByZWNvbW1lbmRhdGlvbiBoZXJlIGRvIG5vdCBmaXggdGhlIHNpdHVh dGlvbiBpZiB0aGUNCj4gPiA+YWR2ZXJzYXJ5IGhhcyBhdHRhY2tlZCB0aGUgQ0EgYW5kIHBvaW50 ZWQgdG8gaXRzIG93biBPQ1NQIFJlc3BvbmRlcg0KPiA+ID5pbiB0aGUgT0NTUCBmaWVsZCBvZiB0 aGUgQUlBIGV4dGVuc2lvbi4gDQo+ID4gDQo+ID4gVGhpcyBhdHRhY2ssIGFzIGRlc2NyaWJlZCwg d291bGQgbm90IGJlIHN1Y2NlZWQuIFRoZSBhdHRhY2tlciANCj4gd291bGQgYWxzbyBuZWVkIA0K PiA+IHRvIGNyZWF0ZSBhbiBPQ1NQIGNlcnRpZmljYXRlIGZvciB0aGUgT0NTUCBSZXNwb25kZXIg YW5kIGZvciB0aGlzIA0KPiBoZW5lZWRzIHRvIA0KPiA+IGJlIGFibGUgdG8gY29ycnVwdCB0aGUg UkEgd2hpY2ggYWxsb3dzIHRoZSBwcm9kdWN0aW9uIG9mIE9DU1AgDQpjZXJ0aWZpY2F0ZXMuDQo+ ID4gDQo+ID4gPjIuICAgICBJdCBpcyB3b3J0aCBwb2ludGluZyBvdXQgdGhhdCB0aGUgbWVjaGFu aXNtIHByZXNlbnRlZCBoZXJlIGNhbg0KPiA+ID5iZSB1c2VkIGJ5IHRoZSByZWx5aW5nIHBhcnR5 IHRvIGRldGVjdCBjb2xsaXNpb24gaWYgdGhlIGNlcnRpZmljYXRlDQo+ID4gPnNpZ25hdHVyZSB3 YXMgbWFkZSB1c2luZyBhIHdlYWsgaGFzaCwgYnV0IHRoZSBoYXNoQWxnb3JpdGhtIGluIHRoZQ0K PiA+ID5leHRlbnNpb24gaXMgbm90IHZ1bG5lcmFibGUgdG8gc3VjY2Vzc2Z1bCBjb2xsaXNpb24g YXR0YWNrLiANCj4gPiANCj4gPiBUaGlzIGlzIG5vdCBhIHJlYWxpc3RpYyBzY2VuYXJpby4gSWYg dGhlIGNlcnRpZmljYXRlIHNpZ25hdHVyZSB3YXMgDQptYWRlIA0KPiA+IHVzaW5nIGEgd2VhayBo YXNoLCB0aGUgQ0Egd2lsbCBhc2sgdG8gaXRzIHN1cGVyaW9yIENBIHRvIHJldm9rZSBpdHMgDQo+ ID4gQ0EgY2VydGlmaWNhdGUuIA0KPiA+IFRoaXMgaXMgdGh1cyBvdXRzaWRlIHRoZSBzY29wZSBv ZiB0aGlzIGV4dGVuc2lvbi4gDQo+ID4gDQo+ID4gRGVuaXMNCg== --=_alternative 0027DCF8C1257A7C_= Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: base64 PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5QaXl1c2gsPC9mb250Pg0KPGJyPg0KPGJyPjxmb250 IHNpemU9MiBmYWNlPSJBcmlhbCI+WW91IHNhaWQgdGhhdCBpZiB0aGUgdGFyZ2V0IGNlcnRpZmlj YXRlIGhhcw0KaW5kZWVkIG5vdCBiZWVuIGlzc3VlZCBhbmQgdGh1cyBpcyBhIGZvcmdlZCBjZXJ0 aWZpY2F0ZSwgPGJyPg0KdGhpcyBpbXBsaWVzIHRoYXQgZWl0aGVyIHRoZSBDQSBvciBSQSBpcyBj b21wcm9taXNlZC48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5U aGlzIG1heSBpbmRlZWQgYmUgdGhlIGNhc2UsIGJ1dCBub3QgbmVjZXNzYXJpbHkuDQpIZXJlIGFy ZSB0d28gb3RoZXIgY2FzZXMgd2hpY2ggbGVhZCB0byB0aGF0IHNpdHVhdGlvbjo8L2ZvbnQ+DQo8 YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9InNhbnMtc2VyaWYiPiZuYnNwOyAmbmJzcDsgPC9m b250Pjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+MSkNCnRoZSBrZXkgaGFzIGJlZW4gZGlzY292 ZXJlZCAoZS5nLiBzaW5jZSB0aGUgYWxnb3JpdGhtIGhhcyBiZWVuIGJyb2tlbiBmb3INCnRoYXQg a2V5IHNpemUpLDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPiZuYnNwOyAm bmJzcDsyKSB0aGUgYmFja3VwIGtleXMgb2YgdGhlIEhTTQ0KaGF2ZSBiZWVuIHJlaW5zdGFsbGVk IG9uIGFub3RoZXIgSFNNIGFuZCB1c2VkIGRpcmVjdGx5IDxicj4NCiAmbmJzcDsgJm5ic3A7ICZu YnNwOyB3aXRob3V0IHVzaW5nIHRoZSBnZW51aW5lIHNvZnR3YXJlLjwvZm9udD4NCjxicj4NCjxi cj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPlRoZXkgYXJlIG90aGVyIGNhc2VzIC5OZXZlcnRo ZWxlc3MsIHlvdSB3aWxsDQpmaW5kIGhlcmVhZnRlciBhIHByb3Bvc2VkIHRleHQgaW1wcm92ZW1l bnQ6PC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcgUm9tYW4i PlRoZSB0ZXh0IHdhcyA6PC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3Vy aWVyIE5ldyI+Jm5ic3A7ICZuYnNwO1doZW4gY2VydEhhc2hWYWx1ZSBpcw0KcmV0dXJuZWQgYW5k IHRoZSBoYXNoZXMgZG8gbm90IG1hdGNoLCB0aGlzIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIg ZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDtleHRlbnNpb24gYWxsb3dzIGRldGVjdGlu Zw0KYW4gYWJub3JtYWwgc2l0dWF0aW9uIDogdGhlcmUgZXhpc3RzIHR3byA8L2ZvbnQ+DQo8YnI+ PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7Y2VydGlmaWNhdGVz IHdpdGggdGhlDQpzYW1lIHNlcmlhbCBudW1iZXI6IG9uZSByZWd1bGFybHkgaXNzdWVkIGJ5IDwv Zm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDt0 aGUgQ0EgYW5kIGFub3RoZXIgb25lDQp3aGljaCBoYXMgZWl0aGVyIGJlZW4gZm9yZ2VkIG9yIG9i dGFpbmVkIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNw OyAmbmJzcDtpcnJlZ3VsYXJseS48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9 IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7V2hlbiBjZXJ0SGFzaFZhbHVlIGlzDQpyZXR1cm5l ZCBhbmQgdGhlIGhhc2hlcyBtYXRjaCwgdGhlbiBldmVyeXRoaW5nIDwvZm9udD4NCjxicj48Zm9u dCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDtsb29rcyBmaW5lLCBidXQg dGhpcyBjYXNlDQpkb2VzIG5vdCBhbGxvdyBkZXRlY3RpbmcgYW4gYWJub3JtYWwgPC9mb250Pg0K PGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO3NpdHVhdGlv biBpZiB0aGUgUkEgc29mdHdhcmUNCmhhcyBiZWVuIGNvcnJ1cHRlZCwgaWYgdGhlIENBIGl0c2Vs ZiA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5i c3A7aGFzIGJlZW4gY29ycnVwdGVkLCBPQ1NQDQpTZXJ2ZXIgaGFzIGJlZW4gY29ycnVwdGVkLCBv ciBpZiB0aGUgPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5i c3A7ICZuYnNwO2RhdGFiYXNlIHRvIHdoaWNoIHRoZQ0KT0NTUCBzZXJ2ZXIgaGFzIGFjY2VzcyBo YXMgYmVlbiBtYWxpY2lvdXNseSA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJp ZXIgTmV3Ij4mbmJzcDsgJm5ic3A7Y29ycnVwdGVkLiAmbmJzcDtUaGlzDQpjYXNlIGRvZXMgbm90 IGVpdGhlciBhbGxvdyBkZXRlY3RpbmcgaGFzaGluZyA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0y IGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7YWxnb3JpdGhtIG9yIHNpZ25hdHVyZQ0K YWxnb3JpdGhtIGNvbGxpc2lvbnMuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MyBmYWNl PSJUaW1lcyBOZXcgUm9tYW4iPlRoZSBwcm9wb3NlZCBjaGFuZ2UgaXMgdGhlIGZvbGxvd2luZw0K Jm5ic3A7OiA8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3 Ij4mbmJzcDsgJm5ic3A7V2hlbiBjZXJ0SGFzaFZhbHVlIGlzDQpyZXR1cm5lZCBhbmQgdGhlIGhh c2hlcyBkbyBub3QgbWF0Y2gsIHRoaXMgPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJD b3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO2V4dGVuc2lvbiBhbGxvd3MgZGV0ZWN0aW5nDQphbiBh Ym5vcm1hbCBzaXR1YXRpb24gOiB0aGVyZSBleGlzdHMgdHdvIDwvZm9udD4NCjxicj48Zm9udCBz aXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDtjZXJ0aWZpY2F0ZXMgd2l0aCB0 aGUNCnNhbWUgc2VyaWFsIG51bWJlcjogb25lIHJlZ3VsYXJseSBpc3N1ZWQgYnkgPC9mb250Pg0K PGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO3RoZSBDQSBh bmQgYW5vdGhlciBvbmUNCndoaWNoIGhhcyBlaXRoZXIgYmVlbiBmb3JnZWQgb3Igb2J0YWluZWQg PC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNw O2lycmVndWxhcmx5LjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmll ciBOZXciPiZuYnNwOyAmbmJzcDtUaGVyZSBhcmUgZGlmZmVyZW50IGNhc2VzDQp3aGVuIHN1Y2gg YSBzaXR1YXRpb24gbWF5IGhhcHBlbiwgaW4gPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNl PSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO3BhcnRpY3VsYXI6PC9mb250Pg0KPGJyPg0KPGJy Pjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwOyAmbmJzcDsgMSkg Ym90aCB0aGUgT0NTUA0Kc2VydmVyIGFuZCB0aGUgZGF0YWJhc2UgdG8gd2hpY2ggdGhlIE9DU1Ag c2VydmVyIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDtoYXMNCmFjY2VzcyBoYXZlIG5vdCBiZWVuIGNv cnJ1cHRlZCwgYnV0IHRoZSBSQSBzb2Z0d2FyZSA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZh Y2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7b3INCnRo ZSBDQSBzb2Z0d2FyZSBoYXMgYmVlbiBwYXJ0aWFsbHkgY29ycnVwdGVkLjwvZm9udD4NCjxicj4N Cjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7 IDIpIHRoZSBiYWNrdXANCmtleXMgb2YgdGhlIEhTTSAoSGFyZHdhcmUgU2VjdXJpdHkgTW9kdWxl KSBoYXZlIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDtiZWVuDQpyZWluc3RhbGxlZCBvbiBhbm90aGVy IEhTTSBhbmQgdXNlZCBkaXJlY3RseSB3aXRob3V0IDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIg ZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDt1c2lu Zw0KdGhlIGdlbnVpbmUgc29mdHdhcmUuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBm YWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwOyAmbmJzcDsgMykgYSBjb2xsaXNpb24NCmNv dWxkIGJlIGZvdW5kIGZvciB0aGUgaGFzaCBhbmQvb3IgdGhlIHNpZ25hdHVyZSA8L2ZvbnQ+DQo8 YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7YWxnb3JpdGhtLjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFj ZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7IDQpIHRoZSBrZXkgaGFzDQpiZWVu IGRpc2NvdmVyZWQgKGUuZy4gc2luY2UgdGhlIGFsZ29yaXRobSBoYXMgYmVlbiA8L2ZvbnQ+DQo8 YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7YnJva2VuDQpmb3IgdGhhdCBrZXkgc2l6ZSkuPC9mb250Pg0KPGJyPg0KPGJy Pjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO1doZW4gY2VydEhh c2hWYWx1ZSBpcw0KcmV0dXJuZWQgYW5kIHRoZSBoYXNoZXMgbWF0Y2gsIHRoZW4gZXZlcnl0aGlu ZyA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5i c3A7bG9va3MgZmluZSwgYnV0IHRoaXMgY2FzZQ0KZG9lcyBub3QgYWxsb3cgZGV0ZWN0aW5nIGFi bm9ybWFsIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNw OyAmbmJzcDtzaXR1YXRpb25zIHN1Y2ggYXM6PC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9 MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwOyAmbmJzcDsgMSkgdGhlIFJBIHNvZnR3 YXJlDQpoYXMgYmVlbiBwYXJ0aWFsbHkgb3IgY29tcGxldGVseSBjb3JydXB0ZWQsIDwvZm9udD4N Cjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsg Jm5ic3A7IDIpIHRoZSBDQSBoYXMNCmJlZW4gcGFydGlhbGx5IG9yIGNvbXBsZXRlbHkgY29ycnVw dGVkLCA8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4m bmJzcDsgJm5ic3A7ICZuYnNwOyAzKSB0aGUgT0NTUCBzZXJ2ZXINCmhhcyBiZWVuIHBhcnRpYWxs eSBvciBjb21wbGV0ZWx5IGNvcnJ1cHRlZCwgb3I8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6 ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyA0KSB0aGUgZGF0YWJh c2UNCnRvIHdoaWNoIHRoZSBPQ1NQIHNlcnZlciBoYXMgYWNjZXNzIGhhcyBiZWVuIDwvZm9udD4N Cjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDtwYXJ0aWFsbHkNCm9yIGNvbXBsZXRlbHkgbWFsaWNpb3VzbHkgY29ycnVw dGVkLiA8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4m bmJzcDsgJm5ic3A7VGhpcyBjYXNlIGRvZXMgbm90IGVpdGhlcg0KYWxsb3cgZGV0ZWN0aW5nIGhh c2hpbmcgYWxnb3JpdGhtIG9yIHNpZ25hdHVyZTwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFj ZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDthbGdvcml0aG0gY29sbGlzaW9ucy48L2ZvbnQ+ DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5EZW5pczwvZm9udD4NCjxicj48 dHQ+PGZvbnQgc2l6ZT0yPiZuYnNwOzxicj4NCiZndDsgTm90IHN1cmUgaWYgSSBnZXQgaXQgY29t cGxldGVseS48L2ZvbnQ+PC90dD4NCjxicj48dHQ+PGZvbnQgc2l6ZT0yPiZndDsgJm5ic3A7PC9m b250PjwvdHQ+DQo8YnI+PHR0Pjxmb250IHNpemU9Mj4mZ3Q7IEluIHRoZSBzZWN1cml0eSBzZWN0 aW9uIHdlIGFyZSBzYXlpbmcgdGhhdCBpdA0KZG9lcyBub3QgZGV0ZWN0IHRoZSA8YnI+DQomZ3Q7 IOKAmGFibm9ybWFs4oCZIHNjZW5hcmlvIHdoZXJlIFJBICxDQSBvciByZXNwb25kZXIgaXMgY29t cHJvbWlzZWQuPC9mb250PjwvdHQ+DQo8YnI+PHR0Pjxmb250IHNpemU9Mj4mZ3Q7ICZuYnNwOzwv Zm9udD48L3R0Pg0KPGJyPjx0dD48Zm9udCBzaXplPTI+Jmd0OyBBbmQgdGhlIHJlYXNvbiBmb3Ig aW50cm9kdWNpbmcgdGhpcyBleHRlbnNpb24NCmlzIChmcm9tIHRoZSBkcmFmdCkgLSDigJw8YnI+ DQomZ3Q7IGVpdGhlciB0aGF0IHRoZSB0YXJnZXQgY2VydGlmaWNhdGUgaGFzIGluZGVlZCBub3Qg YmVlbiBpc3N1ZWQgYW5kDQo8YnI+DQomZ3Q7IHRodXMgaXMgYSBmb3JnZWQgY2VydGlmaWNhdGXi gJ0sIHdoaWNoIGltcGxpZXMgdGhhdCBlaXRoZXIgdGhlIENBIG9yDQo8YnI+DQomZ3Q7IFJBIGlz IGNvbXByb21pc2VkLjwvZm9udD48L3R0Pg0KPGJyPjx0dD48Zm9udCBzaXplPTI+Jmd0OyAmbmJz cDs8L2ZvbnQ+PC90dD4NCjxicj48dHQ+PGZvbnQgc2l6ZT0yPiZndDsgSW4gc3VtbWFyeSB0aGUg ZXh0ZW5zaW9uIGlzIHVzZWQgZm9yIGRldGVjdGluZw0KQ0EgY29tcHJvbWlzZSA8YnI+DQomZ3Q7 IHNjZW5hcmlvcyBidXQgY2Fubm90IGRldGVjdCB0aGUg4oCYYWJub3JtYWzigJkgY2FzZSB3aGVu IENBIGlzIGNvbXByb21pc2VkLjwvZm9udD48L3R0Pg0KPGJyPjx0dD48Zm9udCBzaXplPTI+Jmd0 OyBXaGF0IGFtIEkgbWlzc2luZz88L2ZvbnQ+PC90dD4NCjxicj48dHQ+PGZvbnQgc2l6ZT0yPiZn dDsgJm5ic3A7PC9mb250PjwvdHQ+DQo8YnI+PHR0Pjxmb250IHNpemU9Mj4mZ3Q7IC1QaXl1c2g8 L2ZvbnQ+PC90dD4NCjxicj48dHQ+PGZvbnQgc2l6ZT0yPiZndDsgJm5ic3A7PC9mb250PjwvdHQ+ DQo8YnI+PHR0Pjxmb250IHNpemU9Mj4mZ3Q7ICZuYnNwOzwvZm9udD48L3R0Pg0KPGJyPjx0dD48 Zm9udCBzaXplPTI+Jmd0OyBGcm9tOiBwa2l4LWJvdW5jZXNAaWV0Zi5vcmcgWzwvZm9udD48L3R0 PjxhIGhyZWY9Im1haWx0bzpwa2l4LWJvdW5jZXNAaWV0Zi5vcmciPjx0dD48Zm9udCBzaXplPTI+ bWFpbHRvOnBraXgtYm91bmNlc0BpZXRmLm9yZzwvZm9udD48L3R0PjwvYT48dHQ+PGZvbnQgc2l6 ZT0yPl0NCk9uIEJlaGFsZiBPZiA8YnI+DQomZ3Q7IFNhbnRvc2ggQ2hva2hhbmk8YnI+DQomZ3Q7 IFNlbnQ6IFN1bmRheSwgU2VwdGVtYmVyIDA5LCAyMDEyIDI6NTQgQU08YnI+DQomZ3Q7IFRvOiBk ZW5pcy5waW5rYXNAYnVsbC5uZXQ8YnI+DQomZ3Q7IENjOiBwa2l4QGlldGYub3JnPGJyPg0KJmd0 OyBTdWJqZWN0OiBSZTogW3BraXhdIE5ldyB2ZXJzaW9uIE5vdGlmaWNhdGlvbiBmb3IgZHJhZnQt PGJyPg0KJmd0OyBwaW5rYXMtMjU2MGJpcy1jZXJ0aW5mby0wMDwvZm9udD48L3R0Pg0KPGJyPjx0 dD48Zm9udCBzaXplPTI+Jmd0OyAmbmJzcDs8L2ZvbnQ+PC90dD4NCjxicj48dHQ+PGZvbnQgc2l6 ZT0yPiZndDsgRGVuaXMsPC9mb250PjwvdHQ+DQo8YnI+PHR0Pjxmb250IHNpemU9Mj4mZ3Q7ICZu YnNwOzwvZm9udD48L3R0Pg0KPGJyPjx0dD48Zm9udCBzaXplPTI+Jmd0OyBUaGFua3MuICZuYnNw O1dlIGFyZSBhbG1vc3QgdGhlcmUuICZuYnNwO0kgaGF2ZQ0Kc3VnZ2VzdGlvbnMgaW4tbGluZSBi ZWxvdy48L2ZvbnQ+PC90dD4NCjxicj48dHQ+PGZvbnQgc2l6ZT0yPiZndDsgJm5ic3A7PC9mb250 PjwvdHQ+DQo8YnI+PHR0Pjxmb250IHNpemU9Mj4mZ3Q7IEZyb206IGRlbmlzLnBpbmthc0BidWxs Lm5ldCBbPC9mb250PjwvdHQ+PGEgaHJlZj1tYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0Pjx0 dD48Zm9udCBzaXplPTI+bWFpbHRvOmRlbmlzLnBpbmthc0BidWxsLm5ldDwvZm9udD48L3R0Pjwv YT48dHQ+PGZvbnQgc2l6ZT0yPl0NCjxicj4NCiZndDsgU2VudDogRnJpZGF5LCBTZXB0ZW1iZXIg MDcsIDIwMTIgMTA6MjQgQU08YnI+DQomZ3Q7IFRvOiBTYW50b3NoIENob2toYW5pPGJyPg0KJmd0 OyBDYzogcGtpeEBpZXRmLm9yZzxicj4NCiZndDsgU3ViamVjdDogUkU6IFtwa2l4XSBOZXcgdmVy c2lvbiBOb3RpZmljYXRpb24gZm9yIGRyYWZ0LTxicj4NCiZndDsgcGlua2FzLTI1NjBiaXMtY2Vy dGluZm8tMDA8L2ZvbnQ+PC90dD4NCjxicj48dHQ+PGZvbnQgc2l6ZT0yPiZndDsgJm5ic3A7PC9m b250PjwvdHQ+DQo8YnI+PHR0Pjxmb250IHNpemU9Mj4mZ3Q7IFNhbnRvc2gsIDxicj4NCiZndDsg PGJyPg0KJmd0OyAmZ3Q7IERlbmlzLCA8YnI+DQomZ3Q7ICZndDsgJm5ic3A7IDxicj4NCiZndDsg Jmd0OyBPbiAxLCBJZiB0aGUgQ0EgaGFzIGJlZW4gYXR0YWNrZWQsLCB5b3UgaGF2ZSBubyBhc3N1 cmFuY2UgdGhhdA0KdGhlIDxicj4NCiZndDsgJmd0OyBhZHZlcnNhcnkgaGFzIG5vdCBjcmVhdGVk IGFuIE9DU1AgY2VydGlmaWNhdGUgYXMgd2VsbC4gPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFJhdGhl ciB0aGFuIGFyZ3Vpbmcgd2Ugc2hvdWxkIGNvbmNlbnRyYXRlIHRvIGltcHJvdmUgdGhlIHRleHQu IFdoYXQNCmFib3V0OiA8YnI+DQomZ3Q7IDxicj4NCiZndDsgJm5ic3A7ICZuYnNwO1doZW4gY2Vy dEhhc2hWYWx1ZSBpcyByZXR1cm5lZCBhbmQgdGhlIGhhc2hlcyBtYXRjaCwNCnRoZW4gZXZlcnl0 aGluZyA8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDtsb29rcyBmaW5lLCBidXQgdGhpcyBjYXNlIGRv ZXMgbm90IGFsbG93IGRldGVjdGluZyBhbg0KYWJub3JtYWwgPGJyPg0KJmd0OyAmbmJzcDsgJm5i c3A7c2l0dWF0aW9uIGlmIHRoZSBSQSBzb2Z0d2FyZSBoYXMgYmVlbiBjb3JydXB0ZWQsIGlmIHRo ZQ0KQ0EgaXRzZWxmIDxicj4NCiZndDsgJm5ic3A7ICZuYnNwO2hhcyBiZWVuIGNvcnJ1cHRlZCBv ciBpZiB0aGUgZGF0YWJhc2UgdG8gd2hpY2ggdGhlIE9DU1ANCnNlcnZlciBoYXMgPGJyPg0KJmd0 OyAmbmJzcDsgJm5ic3A7YWNjZXNzIGhhcyBiZWVuIG1hbGljaW91c2x5IGNvcnJ1cHRlZC4gPC9m b250PjwvdHQ+DQo8YnI+PHR0Pjxmb250IHNpemU9Mj4mZ3Q7IFtTYW50b3NoXSBUaGlzIGlzIGFs bW9zdCB0aGVyZS4gJm5ic3A7SG93IGFib3V0DQp0aGUgZm9sbG93aW5nIChhZGRlZCBPQ1NQPGJy Pg0KJmd0OyBjb3JydXB0aW9uIGFuZCBjcnlwdG9ncmFwaGljIGFsZ29yaXRobSk8L2ZvbnQ+PC90 dD4NCjxicj48dHQ+PGZvbnQgc2l6ZT0yPiZndDsgJm5ic3A7ICZuYnNwO1doZW4gY2VydEhhc2hW YWx1ZSBpcyByZXR1cm5lZCBhbmQNCnRoZSBoYXNoZXMgbWF0Y2gsIHRoZW4gZXZlcnl0aGluZyA8 YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDtsb29rcyBmaW5lLCBidXQgdGhpcyBjYXNlIGRvZXMgbm90 IGFsbG93IGRldGVjdGluZyBhbg0KYWJub3JtYWwgPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7c2l0 dWF0aW9uIGlmIHRoZSBSQSBzb2Z0d2FyZSBoYXMgYmVlbiBjb3JydXB0ZWQsIGlmIHRoZQ0KQ0Eg aXRzZWxmIDxicj4NCiZndDsgJm5ic3A7ICZuYnNwO2hhcyBiZWVuIGNvcnJ1cHRlZCwgT0NTUCBT ZXJ2ZXIgaGFzIGJlZW4gY29ycnVwdGVkLCBvcg0KaWYgdGhlIDxicj4NCiZndDsgZGF0YWJhc2Ug dG8gd2hpY2ggdGhlIE9DU1Agc2VydmVyIGhhcyA8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDthY2Nl c3MgaGFzIGJlZW4gbWFsaWNpb3VzbHkgY29ycnVwdGVkLiBUaGlzIG1heSBhbHNvDQpub3QgZGV0 ZWN0IDxicj4NCiZndDsgaGFzaGluZyBhbGdvcml0aG0gb3Igc2lnbmF0dXJlIGFsZ29yaXRobSBj b21wcm9taXNlLjwvZm9udD48L3R0Pg0KPGJyPjx0dD48Zm9udCBzaXplPTI+Jmd0OyA8YnI+DQom Z3Q7IDxicj4NCiZndDsgJmd0OyBPbiAyLCBqdXN0IGxpa2UgdGhlIENBIGNvbXByb21pc2Ugc2Nl bmFyaW8geW91IGNpdGUsIHRoZSBtZWNoYW5pc20NCjxicj4NCiZndDsgJmd0OyBoZWxwcyBkZXRl Y3QgY29sbGlzaW9uLiAmbmJzcDtJZiB0aGUgQ0Ega25ldyBvZiBjb2xsaXNpb24sIGl0DQp3b3Vs ZCBvZiA8YnI+DQomZ3Q7ICZndDsgY291cnNlIGNoYW5nZSB0aGUgY2lwaGVyIHN1aXRlLiA8YnI+ DQomZ3Q7IDxicj4NCiZndDsgJm5ic3A7TWF5YmUsIG1heWJlIG5vdC4gQSBjb2xsaXNpb24gbWF5 IGhhcHBlbiB3aXRob3V0IGEgZGVmZWN0IGluDQp0aGUgPGJyPg0KJmd0OyBjaXBoZXIgc3VpdGUg PGJyPg0KJmd0OyAoZS5nLiB0aGUgSFNNIGhhcyBiZWVuIHN1Y2Nlc3NmdWxseSB1c2VkIGRpcmVj dGx5KS4gPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IEkgYmVsaWV2ZSB0aGF0IHRoZSBjdXJyZW50IHRl eHQgaXMgc3VmZmljaWVudDogPGJyPg0KJmd0OyA8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDtXaGVu IGNlcnRIYXNoVmFsdWUgaXMgcmV0dXJuZWQgYW5kIHRoZSBoYXNoZXMgZG8gbm90DQptYXRjaCwg dGhpcyA8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDtleHRlbnNpb24gYWxsb3dzIGRldGVjdGluZyBh biBhYm5vcm1hbCBzaXR1YXRpb24gOiB0aGVyZQ0KZXhpc3RzIHR3byA8YnI+DQomZ3Q7ICZuYnNw OyAmbmJzcDtjZXJ0aWZpY2F0ZXMgd2l0aCB0aGUgc2FtZSBzZXJpYWwgbnVtYmVyOiBvbmUgcmVn dWxhcmx5DQppc3N1ZWQgYnkgPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7dGhlIENBIGFuZCBhbm90 aGVyIG9uZSB3aGljaCBoYXMgZWl0aGVyIGJlZW4gZm9yZ2VkIG9yDQpvYnRhaW5lZCA8YnI+DQom Z3Q7ICZuYnNwOyAmbmJzcDtpcnJlZ3VsYXJseS4gPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IElmIHlv dSBkb24ndCB0aGluayBzbywgcGxlYXNlIG1ha2UgYSBzcGVjaWZpYyBwcm9wb3NhbC4gPC9mb250 PjwvdHQ+DQo8YnI+PHR0Pjxmb250IHNpemU9Mj4mZ3Q7IFtTYW50b3NoXSBJIHdpdGhkcmF3IHRo ZSBzZWNvbmQgc3VnZ2VzdGlvbiBzaW5jZQ0KaXQgYmVjb21lcyB0b28gPGJyPg0KJmd0OyBjb252 b2x1dGVkLiAmbmJzcDtJIGhhdmUgYWRkcmVzc2VkIHNvbWUgb2YgaXQgaW4gaXRlbSAxLjwvZm9u dD48L3R0Pg0KPGJyPjx0dD48Zm9udCBzaXplPTI+Jmd0OyA8YnI+DQomZ3Q7IDxicj4NCiZndDsg RGVuaXMgPGJyPg0KJmd0OyAmbmJzcDsgPGJyPg0KJmd0OyAmZ3Q7IE5vdGUgdGhhdCAxIHN0aWxs IGZvciBjb2xsaXNpb24gZGV0ZWN0aW9uIHRydW1wcyAyIHNpbmNlIGNvbGxpc2lvbg0KPGJyPg0K Jmd0OyAmZ3Q7IGNyZWF0b3IgY291bGQgaGF2ZSBjcmVhdGVkIE9DU1AgY2VydGlmaWNhdGUgYW5k IHB1dCB0aGUgcm9ndWUNCk9DU1AgPGJyPg0KJmd0OyAmZ3Q7IHBvaW50ZXIgaW4gQUlBLiA8YnI+ DQomZ3Q7ICZndDsgJm5ic3A7IDxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IDxicj4N CiZndDsgJmd0OyBTYW50b2gsIDxicj4NCiZndDsgJmd0OyAmbmJzcDsgPGJyPg0KJmd0OyAmZ3Q7 IFRoYW5rIHlvdSBmb3IgeW91ciBjb21tZW50cy4gPGJyPg0KJmd0OyAmZ3Q7ICZuYnNwOyA8YnI+ DQomZ3Q7ICZndDsgU2VlIG15IHJlcGxpZXMgaW4gbGluZTogPGJyPg0KJmd0OyAmZ3Q7IDxicj4N CiZndDsgJmd0OyAmZ3Q7RGVuaXMsPGJyPg0KJmd0OyAmZ3Q7ICZndDsgPGJyPg0KJmd0OyAmZ3Q7 ICZndDtJIGhhdmUgY291cGxlIG9mIHN1Z2dlc3Rpb25zIGZvciB0aGUgc2VjdXJpdHkgY29uc2lk ZXJhdGlvbnM8YnI+DQomZ3Q7ICZndDsgJmd0O3NlY3Rpb24uPGJyPg0KJmd0OyAmZ3Q7ICZndDsg PGJyPg0KJmd0OyAmZ3Q7ICZndDsxLiAmbmJzcDsgJm5ic3A7IEl0IGlzIHdvcnRoIHBvaW50aW5n IG91dCBhc2lkZSBmcm9tIFJBIGNvcnJ1cHRpb24NCmFuZCBkYXRhYmFzZTxicj4NCiZndDsgJmd0 OyAmZ3Q7Y29ycnVwdGlvbiB0aGF0IHJlY29tbWVuZGF0aW9uIGhlcmUgZG8gbm90IGZpeCB0aGUg c2l0dWF0aW9uDQppZiB0aGU8YnI+DQomZ3Q7ICZndDsgJmd0O2FkdmVyc2FyeSBoYXMgYXR0YWNr ZWQgdGhlIENBIGFuZCBwb2ludGVkIHRvIGl0cyBvd24gT0NTUA0KUmVzcG9uZGVyPGJyPg0KJmd0 OyAmZ3Q7ICZndDtpbiB0aGUgT0NTUCBmaWVsZCBvZiB0aGUgQUlBIGV4dGVuc2lvbi4gPGJyPg0K Jmd0OyAmZ3Q7ICZuYnNwOyA8YnI+DQomZ3Q7ICZndDsgVGhpcyBhdHRhY2ssIGFzIGRlc2NyaWJl ZCwgd291bGQgbm90IGJlIHN1Y2NlZWQuIFRoZSBhdHRhY2tlcg0KPGJyPg0KJmd0OyB3b3VsZCBh bHNvIG5lZWQgPGJyPg0KJmd0OyAmZ3Q7IHRvIGNyZWF0ZSBhbiBPQ1NQIGNlcnRpZmljYXRlIGZv ciB0aGUgT0NTUCBSZXNwb25kZXIgYW5kIGZvcg0KdGhpcyA8YnI+DQomZ3Q7IGhlbmVlZHMgdG8g PGJyPg0KJmd0OyAmZ3Q7IGJlIGFibGUgdG8gY29ycnVwdCB0aGUgUkEgd2hpY2ggYWxsb3dzIHRo ZSBwcm9kdWN0aW9uIG9mIE9DU1ANCmNlcnRpZmljYXRlcy48YnI+DQomZ3Q7ICZndDsgJm5ic3A7 PGJyPg0KJmd0OyAmZ3Q7ICZndDsyLiAmbmJzcDsgJm5ic3A7IEl0IGlzIHdvcnRoIHBvaW50aW5n IG91dCB0aGF0IHRoZSBtZWNoYW5pc20NCnByZXNlbnRlZCBoZXJlIGNhbjxicj4NCiZndDsgJmd0 OyAmZ3Q7YmUgdXNlZCBieSB0aGUgcmVseWluZyBwYXJ0eSB0byBkZXRlY3QgY29sbGlzaW9uIGlm IHRoZSBjZXJ0aWZpY2F0ZTxicj4NCiZndDsgJmd0OyAmZ3Q7c2lnbmF0dXJlIHdhcyBtYWRlIHVz aW5nIGEgd2VhayBoYXNoLCBidXQgdGhlIGhhc2hBbGdvcml0aG0NCmluIHRoZTxicj4NCiZndDsg Jmd0OyAmZ3Q7ZXh0ZW5zaW9uIGlzIG5vdCB2dWxuZXJhYmxlIHRvIHN1Y2Nlc3NmdWwgY29sbGlz aW9uIGF0dGFjay4NCjxicj4NCiZndDsgJmd0OyAmbmJzcDsgPGJyPg0KJmd0OyAmZ3Q7IFRoaXMg aXMgbm90IGEgcmVhbGlzdGljIHNjZW5hcmlvLiBJZiB0aGUgY2VydGlmaWNhdGUgc2lnbmF0dXJl DQp3YXMgbWFkZSA8YnI+DQomZ3Q7ICZndDsgdXNpbmcgYSB3ZWFrIGhhc2gsIHRoZSBDQSB3aWxs IGFzayB0byBpdHMgc3VwZXJpb3IgQ0EgdG8gcmV2b2tlDQppdHMgPGJyPg0KJmd0OyAmZ3Q7IENB IGNlcnRpZmljYXRlLiA8YnI+DQomZ3Q7ICZndDsgVGhpcyBpcyB0aHVzIG91dHNpZGUgdGhlIHNj b3BlIG9mIHRoaXMgZXh0ZW5zaW9uLiA8YnI+DQomZ3Q7ICZndDsgJm5ic3A7IDxicj4NCiZndDsg Jmd0OyBEZW5pczwvZm9udD48L3R0Pg0K --=_alternative 0027DCF8C1257A7C_=-- From denis.pinkas@bull.net Mon Sep 17 00:46:36 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C178E21F84F0 for ; Mon, 17 Sep 2012 00:46:36 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.972 X-Spam-Level: X-Spam-Status: No, score=-1.972 tagged_above=-999 required=5 tests=[AWL=0.276, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hGx0ZbJ2bJec for ; Mon, 17 Sep 2012 00:46:35 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 1237021F8495 for ; Mon, 17 Sep 2012 00:46:35 -0700 (PDT) Received: from MSGC-003.bull.fr (MSGC-003.frcl.bull.fr [129.184.87.131]) by odin2.bull.net (Bull S.A.) with ESMTP id E10A412022B; Mon, 17 Sep 2012 09:46:33 +0200 (CEST) In-Reply-To: <20120913002444.80A791A216@ld9781.wdf.sap.corp> References: <504E13CB.8080001@bbn.com> <20120913002444.80A791A216@ld9781.wdf.sap.corp> To: mrex@sap.com, Piyush Jain MIME-Version: 1.0 X-KeepSent: 67F70953:5F42B025-C1257A7C:00290252; type=4; name=$KeepSent X-Mailer: Lotus Notes Release 8.5.2 August 10, 2010 From: denis.pinkas@bull.net Message-ID: Date: Mon, 17 Sep 2012 09:46:32 +0200 X-MIMETrack: Serialize by Router on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 17/09/2012 09:46:33, Serialize complete at 17/09/2012 09:46:33 Content-Type: multipart/alternative; boundary="=_alternative 002A2685C1257A7C_=" Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 07:46:36 -0000 Message en plusieurs parties au format MIME --=_alternative 002A2685C1257A7C_= Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: base64 R29vZCBjYXRjaCBNYXJ0aW4sDQoNCllvdSBjYW1lIGJhY2sgZnJvbSB2YWNhdGlvbiBqdXN0IGlu IHRpbWUuIDotKQ0KDQpJIHByb3Bvc2UgdGhlIGZvbGxvd2luZzoNCg0KUmVwbGFjZToNCg0KfCAg ICAgSWYgYSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uIA0KfCAg ICAgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0 aW9uIE1VU1QgDQp8ICAgICBOT1QgdXNlIHRoYXQgQ1JMIHRvIGRldGVybWluZSB0aGUgc3RhdHVz IG9mIGFueSBjZXJ0aWZpY2F0ZXMuDQoNCndpdGgNCg0KfCAgICAgSWYgYSBDUkwgY29udGFpbnMg aW4gYSBDUkwgZW50cnkgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uIA0KfCAgICAgdGhh dCB0aGUgYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0aW9uIE1V U1QgDQp8ICAgICBjb25zaWRlciB0aGF0IHRoZSBjZXJ0aWZpY2F0ZSBpZGVudGlmaWVkIGluIHRo YXQgQ1JMIGVudHJ5IGlzIA0KfCAgICAgcmV2b2tlZC4gDQoNCkluIG9yZGVyIHRvIGFuc3dlciB0 byBQaXl1c2gsIEkgYmVsaWV2ZSB0aGF0IOKAnHVua25vd27igJ0gc2hvdWxkIGJlIHVzZWQgDQpy YXRoZXIgdGhhbiDigJxyZXZva2Vk4oCdLg0KDQpUaGUgZm9sbG93aW5nIGV4YW1wbGUgaXMgYW4g aWxsdXN0cmF0aW9uOg0KDQpUaGUgc3RhdHVzIG9mIGEgZ2l2ZW4gY2VydGlmaWNhdGUgaXMgaW5k aWNhdGVkIGFzIOKAnGdvb2TigJ0sIGJ1dCB0aGVyZSBpcyBhIA0KQ1JMIGVudHJ5IHdpdGggYSBj cml0aWNhbCANCkNSTCBlbnRyeSBleHRlbnNpb24uIFRoaXMgZW50cnkgbWVhbnMgKGZvciB0aGUg YXBwbGljYXRpb25zIHdoaWNoIA0KdW5kZXJzdGFuZCBpdCkgOiANCg0KIlRoZSBzdGF0dXMgd2hp Y2ggaXMgdXN1YWxseSBvYnRhaW5lZCB1c2luZyBhIGRhdGFiYXNlIG9mIGlzc3VlZCANCmNlcnRp ZmljYXRlcyBoYXMgYmVlbiBvYnRhaW5lZCBmcm9tIENSTHMuIA0KSWYgeW91IHJlYWxseSBuZWVk IHRvIHRha2UgYSBkZWNpc2lvbiBub3csIGl0IGlzIGF0IHlvdXIgb3duIHJpc2suIElmIHlvdSAN CmNhbiB3YWl0LCB5b3UgaGFkIGJldHRlciB0byB0cnkgYWdhaW4gbGF0ZXIgb24iLg0KDQpZb3Vy IG5leHQgcXVlc3Rpb24gd2lsbCBjZXJ0YWlubHkgYmU6IHNvIHdoeSBkb27igJl0IHlvdSB1c2Ug dGhlIHByb3Bvc2VkIA0KY2VydEluZm8gZXh0ZW5zaW9uID8NCg0KRm9yIGFwcGxpY2F0aW9ucyB3 aGljaCBkbyBub3QgdW5kZXJzdGFuZCB0aGlzIGNyaXRpY2FsIENSTCBlbnRyeSANCmV4dGVuc2lv biwgdGhlcmUgaXMgbm8gZGlmZmVyZW5jZS4NClRoZXkgZ2V0IGFuICJ1bmtub3duIiBzdGF0dXMg aW4gYm90aCBjYXNlcy4NCg0KRm9yIGFwcGxpY2F0aW9ucyB3aGljaCB1bmRlcnN0YW5kIHRoaXMg Y3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiBpdCANCnByb3ZpZGVzIGxlc3MgYmVuZWZpdHMg DQp0aGFuIHRoZSBwcm9wb3NlZCBjZXJ0SW5mbyBleHRlbnNpb24sIGJ1dCBpdCBtaWdodCBiZSBx dWlja2VyIHRvIGltcGxlbWVudCANCmFuZCBpdCBlbmZvcmNlcyBhIHBvbGljeS4NCg0KRGVuaXMN Cg0KIA0KPiBJIG9iamVjdCB0byB0aGUgcHJvcG9zZWQgbmV3IHRleHQgYWJvdXQgQ1JMRW50cnlF eHRlbnNpb25zDQo+IGluIHRoZSBjbGFyaWZpY2F0aW9uIGRvY3VtZW50LCBiZWNhdXNlIGFzIGlz LCB3b3VsZCBzaWduaWZpY2FudGx5DQo+IHdvcnNlbiB0aGUgZGlmZmVyZW5jZSBiZXR3ZWVuIFBL SVggYW5kIFguNTA5IGFuZCBtYWtlIHRoaW5ncw0KPiBjbGVhcmx5IGluY29tcGF0aWJsZSByYXRo ZXIgdGhhbiBzbGlnaHRseSBsZXNzIGVmZmljaWVudC4NCj4gDQo+IElmIGFueXRoaW5nLCB0aGUg Z2FwIHNob3VsZCBiZSByZWR1Y2VkLCBjb21wYXRpYmlsaXR5IGJldHdlZW4NCj4gUEtJWCBhbmQg WC41MDkgaW1wcm92ZWQgYW5kIHRoZSBvcmlnaW5hbCBhcmNoaXRlY3R1cmUgbm90IHZpb2xhdGVk Lg0KPiANCj4gUGxlYXNlIHJlY2FsbCB0aGUgb3JpZ2luYWwgTk9URSA0ICYgNSB0aGF0IEkgcXVv dGVkIGZyb20NCj4gSVRVLVQgUmVjLiBYLjUwOSAoMDgvMjAwNSksIFNlY3Rpb24gNy4zLCB0b3Ag b2YgcGFnZSAxODoNCj4gKGdldCB0aGVtIGhlcmUgaHR0cDovL3d3dy5pdHUuaW50L3JlYy9ULVJF Qy1YLjUwOSk6DQo+IA0KPiBhPiAgTk9URSA0IC0tIFdoZW4gYW4gaW1wbGVtZW50YXRpb24gcHJv Y2Vzc2luZyBhIGNlcnRpZmljYXRlIHJldm9jYXRpb24NCj4gYT4gIGxpc3QgZG9lcyBub3QgcmVj b2duaXplIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSANCmNybEVudHJ5RXh0ZW5zaW9ucw0K PiBhPiAgZmllbGQsIGl0IHNoYWxsIGFzc3VtZSB0aGF0LCBhdCBhIG1pbmltdW0sIHRoZSBpZGVu dGlmaWVkIA0KY2VydGlmaWNhdGUNCj4gYT4gIGhhcyBiZWVuIHJldm9rZWQgYW5kIGlzIG5vIGxv bmdlciB2YWxpZCBhbmQgcGVyZm9ybSBhZGRpdGlvbmFsIA0KYWN0aW9ucw0KPiBhPiAgY29uY2Vy bmluZyB0aGF0IHJldm9rZWQgY2VydGlmaWNhdGUgYXMgZGljdGF0ZWQgYnkgbG9jYWwgcG9saWN5 Lg0KPiANCj4gYj4gIFdoZW4gYW4gaW1wbGVtZW50YXRpb24gZG9lcyBub3QgcmVjb2duaXplIGEg Y3JpdGljYWwgZXh0ZW5zaW9uIGluIA0KdGhlDQo+IGI+ICBjcmxFeHRlbnNpb25zIGZpZWxkLCBp dCBzaGFsbCBhc3N1bWUgdGhhdCBpZGVudGlmaWVkIGNlcnRpZmljYXRlcw0KPiBiPiAgaGF2ZSBi ZWVuIHJldm9rZWQgYW5kIGFyZSBubyBsb25nZXIgdmFsaWQuDQo+IA0KPiBjPiAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhvd2V2ZXIgaW4gdGhlIGxhdHRlciAN CmNhc2UsDQo+IGM+ICBzaW5jZSB0aGUgbGlzdCBtYXkgbm90IGJlIGNvbXBsZXRlLCBjZXJ0aWZp Y2F0ZXMgdGhhdCBoYXZlIG5vdCBiZWVuDQo+IGM+ICBpZGVudGlmaWVkIGFzIGJlaW5nIHJldm9r ZWQgY2Fubm90IGJlIGFzc3VtZWQgdG8gYmUgdmFsaWQuIEluIHRoaXMgDQpjYXNlDQo+IGM+ICBs b2NhbCBwb2xpY3kgc2hhbGwgZGljdGF0ZSB0aGUgYWN0aW9uIHRvIGJlIHRha2VuLiBJbiBhbnkg Y2FzZSBsb2NhbA0KPiBjPiAgcG9saWN5IG1heSBkaWN0YXRlIGFjdGlvbnMgaW4gYWRkaXRpb24g dG8gYW5kL29yIHN0cm9uZ2VyIHRoYW4gdGhvc2UNCj4gYz4gIHN0YXRlZCBpbiB0aGlzIFNwZWNp ZmljYXRpb24uDQo+IA0KPiBkPiAgTk9URSA1IC0tIElmIGFuIGV4dGVuc2lvbiBhZmZlY3RzIHRo ZSB0cmVhdG1lbnQgb2YgdGhlIGxpc3QNCj4gZD4gIChlLmcuLCBtdWx0aXBsZSBDUkxzIG5lZWQg dG8gYmUgc2Nhbm5lZCB0byBleGFtaW5lIHRoZSBlbnRpcmUgbGlzdCANCm9mDQo+IGQ+ICByZXZv a2VkIGNlcnRpZmljYXRlcywgb3IgYW4gZW50cnkgbWF5IHJlcHJlc2VudCBhIHJhbmdlIG9mIA0K Y2VydGlmaWNhdGVzKSwNCj4gZD4gIHRoZW4gdGhhdCBleHRlbnNpb24gc2hhbGwgYmUgaW5kaWNh dGVkIGFzIGNyaXRpY2FsIGluIHRoZSANCmNybEV4dGVuc2lvbnMNCj4gZD4gIGZpZWxkIHJlZ2Fy ZGxlc3Mgb2Ygd2hlcmUgdGhlIGV4dGVuc2lvbiBpcyBwbGFjZWQgaW4gdGhlIENSTC4NCj4gDQo+ IGU+ICBBbiBleHRlbnNpb24gaW5kaWNhdGVkIGluIHRoZSBjcmxFbnRyeUV4dGVuc2lvbnMgZmll bGQgb2YgYW4gZW50cnkgDQpzaGFsbA0KPiBlPiAgYmUgcGxhY2VkIGluIHRoYXQgZW50cnkgYW5k IHNoYWxsIGFmZmVjdCBvbmx5IHRoZSBjZXJ0aWZpY2F0ZShzKQ0KPiBlPiAgc3BlY2lmaWVkIGlu IHRoYXQgZW50cnkuDQo+IA0KPiANCj4gKEkgaW5zZXJ0ZWQgYmxhbmsgbGluZXMgYWJvdmUgZm9y IHZpc3VhbCBjbGFyaXR5IG9mIHRoZSBYLjUwOSANCnJlcXVpcmVtZW50cykuDQo+IA0KPiB0d28g b3B0aW9ucywgYWxsIGNvbWJpbmF0aW9uczoNCj4gDQo+ICAoMSkgY2VydCAgICAgb24gQ1JMLCBD Ukwgd2l0aCBOTyB1bnJlY29nbml6ZWQgY3JpdGljYWwgDQpDUkxFbnRyeUV4dGVuc2lvbnMgDQo+ ICAoMikgY2VydCBOT1Qgb24gQ1JMLCBDUkwgd2l0aCBOTyB1bnJlY29nbml6ZWQgY3JpdGljYWwg DQpDUkxFbnRyeUV4dGVuc2lvbnMgDQo+ICAoMykgY2VydCAgICAgb24gQ1JMLCBDUkwgd2l0aCAg ICB1bnJlY29nbml6ZWQgY3JpdGljYWwgDQpDUkxFbnRyeUV4dGVuc2lvbg0KPiAgKDQpIGNlcnQg Tk9UIG9uIENSTCwgQ1JMIHdpdGggICAgdW5yZWNvZ25pemVkIGNyaXRpY2FsIA0KQ1JMRW50cnlF eHRlbnNpb24NCj4gDQo+IA0KPiBJIGhvcGUgd2UgYWdyZWUgdGhhdCBYLjUwOSBhbmQgcmZjNTI4 MCBhZ3JlZSBvbiAoMSkgYW5kICgyKSByZXN1bHRzDQo+IGZvciBDUkwgY2hlY2tpbmcuDQo+IA0K PiByZmM1MjgwIGN1cnJlbnRseSBzYXlzIHRoYXQgZm9yICgzKSsoNCkgdGhlIGVudGlyZSBDUkwg b3VnaHQgdG8gYmUgDQppZ25vcmVkDQo+IGFuZCBvdGhlciBDUkxzIG5lZWQgdG8gYmUgZXZhbHVh dGVkICJVTkRFVEVSTUlORUQiDQo+IA0KPiBYLjUwOSBzYXlzIGluIChhPikgdGhhdCBmb3IgKDMp IHRoZSBzdGF0dXMgb2YgdGhlIGNlcnQgaXMgZGVmaW5pdGVseSANCnJldm9rZWQNCj4gYW5kIHNh eXMgaW4gKGM+KSBmb3IgKDQpIHRoYXQgdGhlIENSTCBvdWdodCB0byBiZSBpZ25vcmVkIGFuZCBv dGhlciBDUkxzIA0KbmVlZA0KPiB0byBiZSBldmFsdWF0ZWQgIlVOREVURVJNSU5FRCINCj4gDQo+ IFdoaWxlIGJvdGggWC41MDkgYW5kIHJmYzUyODAgYWdyZWUgb24gdGhlIHJlc3VsdCBmb3IgKDQp ICJVTkRFVEVSTUlORUQiLA0KPiB0aGVyZSBpcyB0aGUgc3VwZXJmaWNpYWwgYXBwZWFyYW5jZSBv ZiBhIGRpZmZlcmVuY2UgZm9yIGEgY2FzdWFsDQo+IGltcGxlbWVudGVyIGZvciBjYXNlICgzKSBi ZXR3ZWVuIFguNTA5ICJSRVZPS0VEIiBhbmQgcmZjNTI4MCANCiJVTkRFVEVSTUlORUQiDQo+IHRo YXQgbWlnaHQgbGVhZCB0byBhIHNsaWdodGx5IGxlc3MgZWZmaWNpZW50IHByb2Nlc3NpbmcgQ1JM cy4NCj4gDQo+IA0KPiBUaGUgbmV3bHkgcHJvcG9zZWQgdGV4dCAoaW4gLTA5KToNCj4gDQo+IHwg ICAgIElmIGEgQ1JMIGNvbnRhaW5zIGEgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbg0KPiB8 ICAgICB0aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGlj YXRpb24gTVVTVA0KPiB8ICAgICBOT1QgdXNlIHRoYXQgQ1JMIHRvIGRldGVybWluZSB0aGUgc3Rh dHVzIG9mIHRoZSBjZXJ0aWZpY2F0ZQ0KPiB8ICAgICByZXByZXNlbnRlZCBieSB0aGUgQ1JMIGVu dHJ5LiANCj4gDQo+IGNyZWF0ZXMgYSBzaWduaWZpY2FudGx5IGRpc3RpbmN0IGJlaGF2aW91ciBm b3IgY2FzZSAoNCkgd2hlcmUgWC41MDkNCj4gYW5kIHJmYzUyODAgYWdyZWVkIG9uICJVTkRFVEVS TUlORUQiLCBieSByZWRlZmluaW5nIHRoZSByZXN1bHQgdG8NCj4gYmUgIlVOUkVWT0tFRCIsIGFu ZCBwb3RlbnRpYWxseSBjcmVhdGVzIGEgc2VjdXJpdHkgcHJvYmxlbSwgYW5kIGENCj4gbmV3LCBi YWNrd2FyZHMtaW5jb21wYXRpYmxlIGJlaGF2aW91ciBmb3IgYSBzaXR1YXRpb24gd2hlcmUNCj4g WC41MDkgYW5kIHJmYzUyODAgdXNlZCB0byBhZ3JlZS4gU3RpbGwsIHRoZSBuZXcgdGV4dCBkb2Vz IG5vdCBkbw0KPiBhbnl0aGluZyBhYm91dCBjYXNlICgzKSwgdGhlIG9ubHkgY2FzZSB3aGVyZSBY LjUwOSBhbmQgcmZjNTI4MA0KPiBhcHBlYXIgdG8gZGlmZmVyIChpbiBhIG1vc3RseSBtYXJnaW5h bCBmYXNoaW9uKS4NCj4gDQo+IA0KPiBBIGNhcmVmdWwgaW1wbGVtZW50b3IsIHRoYXQgYW5hbHl6 ZXMgTk9URSA0IGFuZCBOT1RFIDUgZnJvbSBYLjUwOQ0KPiBxdW90ZWQgYWJvdmUgaW4gaXRzIGVu dGlyZXR5LCBzaG91bGQgcmVhbGl6ZSB0aGF0IHRoZSBzaXR1YXRpb24NCj4gd2hlcmUgWC41MDkg YW5kIHJmYzUyODAgZGlmZmVyIGlzIG1hcmdpbmFsLg0KPiANCj4gVGhpcyBpcyBiZWNhdXNlIChk PikgaW4gTk9URSA1IGFib3ZlIHJlcXVpcmVzICgic2hhbGwiKSB0aGF0IGENCj4gY3JpdGljYWwg Y3JsRW50cnlFeHRlbnNpb24gd2l0aCBhIHNlbWFudGljIGJleW9uZCAidGhpcyBjZXJ0IGlzDQo+ IHJldm9rZWQiKSwgTVVTVCBiZSBhZGRpdGlvbmFsbHkgaW5jbHVkZWQgYXMgYSBjcml0aWNhbCBj cmxFeHRlbnNpb24sDQo+IHdpdGggdGhlIGVmZmVjdCB0aGF0IHRoZSBlbnRpcmUgQ1JMIHdpbGwg aGF2ZSB0byBiZSBpZ25vcmVkIGJ5DQo+IGJvdGggWC41MDkgYW5kIHJmYzUyODAgaW1wbGVtZW50 YXRpb25zIHRoYXQgZG8gbm90IHJlY29nbml6ZQ0KPiB0aGUgY3JsRXh0ZW5zaW9uLiAgU28gYWxs IGNvbXBsaWFudCBDUkxzIHdpdGggYSAiZmFuY3kiDQo+IHVucmVjb2duaXplZCBjcml0aWNhbCBj cmxFbnRyeUV4dGVuc2lvbiwgdGhlIGFjY29tcGFueWluZw0KPiB1bnJlY29nbml6ZWQgY3JpdGlj YWwgY3JsRXh0ZW5zaW9uIHdpbGwgY2F1c2UgWC41MDkgYW5kIHJmYzUyODANCj4gdG8gYWdyZWUg b24gKDMpIHRvIHJldHVybiAiVU5ERVRFUk1JTkVEIiBhbmQgcmVxdWlyZSBvdGhlcg0KPiBDUkxz IHRvIGJlIGNoZWNrZWQuIA0KPiANCj4gDQo+IC1NYXJ0aW4NCj4gX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCj4gcGtpeCBtYWlsaW5nIGxpc3QNCj4gcGtp eEBpZXRmLm9yZw0KPiBodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL3BraXgN Cg0K --=_alternative 002A2685C1257A7C_= Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: base64 PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5Hb29kIGNhdGNoIE1hcnRpbiw8L2ZvbnQ+DQo8YnI+ DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5Zb3UgY2FtZSBiYWNrIGZyb20gdmFjYXRp b24ganVzdCBpbiB0aW1lLg0KOi0pPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNl PSJBcmlhbCI+SSBwcm9wb3NlIHRoZSBmb2xsb3dpbmc6PC9mb250Pg0KPGJyPg0KPGJyPjxmb250 IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+UmVwbGFjZTo8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZv bnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij58ICZuYnNwOyAmbmJzcDsgSWYgYSBDUkwgY29u dGFpbnMgYQ0KY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiA8L2ZvbnQ+DQo8YnI+PGZvbnQg c2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij58ICZuYnNwOyAmbmJzcDsgdGhhdCB0aGUgYXBwbGlj YXRpb24NCmNhbm5vdCBwcm9jZXNzLCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBNVVNUIDwvZm9udD4N Cjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPnwgJm5ic3A7ICZuYnNwOyBOT1Qg dXNlIHRoYXQgQ1JMIHRvDQpkZXRlcm1pbmUgdGhlIHN0YXR1cyBvZiBhbnkgY2VydGlmaWNhdGVz LjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPndpdGg8 L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij58ICZuYnNw OyAmbmJzcDsgSWYgYSBDUkwgY29udGFpbnMgaW4NCmEgQ1JMIGVudHJ5IGEgY3JpdGljYWwgQ1JM IGVudHJ5IGV4dGVuc2lvbiA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIg TmV3Ij58ICZuYnNwOyAmbmJzcDsgdGhhdCB0aGUgYXBwbGljYXRpb24NCmNhbm5vdCBwcm9jZXNz LCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBNVVNUIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFj ZT0iQ291cmllciBOZXciPnwgJm5ic3A7ICZuYnNwOyBjb25zaWRlciB0aGF0IHRoZSBjZXJ0aWZp Y2F0ZQ0KaWRlbnRpZmllZCBpbiB0aGF0IENSTCBlbnRyeSBpcyA8L2ZvbnQ+DQo8YnI+PGZvbnQg c2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij58ICZuYnNwOyAmbmJzcDsgcmV2b2tlZC4gJm5ic3A7 PC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+SW4gb3JkZXIgdG8g YW5zd2VyIHRvIFBpeXVzaCwgSSBiZWxpZXZlIHRoYXQNCuKAnHVua25vd27igJ0gc2hvdWxkIGJl IHVzZWQgcmF0aGVyIHRoYW4g4oCccmV2b2tlZOKAnS48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQg c2l6ZT0yIGZhY2U9IkFyaWFsIj5UaGUgZm9sbG93aW5nIGV4YW1wbGUgaXMgYW4gaWxsdXN0cmF0 aW9uOjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPlRoZSBzdGF0 dXMgb2YgYSBnaXZlbiBjZXJ0aWZpY2F0ZSBpcyBpbmRpY2F0ZWQNCmFzIOKAnGdvb2TigJ0sIGJ1 dCB0aGVyZSBpcyBhIENSTCBlbnRyeSB3aXRoIGEgY3JpdGljYWwgPGJyPg0KQ1JMIGVudHJ5IGV4 dGVuc2lvbi4gVGhpcyBlbnRyeSBtZWFucyAoZm9yIHRoZSBhcHBsaWNhdGlvbnMgd2hpY2ggdW5k ZXJzdGFuZA0KaXQpIDogPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlh bCI+JnF1b3Q7VGhlIHN0YXR1cyB3aGljaCBpcyB1c3VhbGx5IG9idGFpbmVkDQp1c2luZyBhIGRh dGFiYXNlIG9mIGlzc3VlZCBjZXJ0aWZpY2F0ZXMgaGFzIGJlZW4gb2J0YWluZWQgZnJvbSBDUkxz LiA8YnI+DQpJZiB5b3UgcmVhbGx5IG5lZWQgdG8gdGFrZSBhIGRlY2lzaW9uIG5vdywgaXQgaXMg YXQgeW91ciBvd24gcmlzay4gSWYgeW91DQpjYW4gd2FpdCwgeW91IGhhZCBiZXR0ZXIgdG8gdHJ5 IGFnYWluIGxhdGVyIG9uJnF1b3Q7LjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFj ZT0iQXJpYWwiPllvdXIgbmV4dCBxdWVzdGlvbiB3aWxsIGNlcnRhaW5seSBiZTogc28NCndoeSBk b27igJl0IHlvdSB1c2UgdGhlIHByb3Bvc2VkIGNlcnRJbmZvIGV4dGVuc2lvbiA/PC9mb250Pg0K PGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+Rm9yIGFwcGxpY2F0aW9ucyB3aGlj aCBkbyBub3QgdW5kZXJzdGFuZA0KdGhpcyBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uLCB0 aGVyZSBpcyBubyBkaWZmZXJlbmNlLjwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJp YWwiPlRoZXkgZ2V0IGFuICZxdW90O3Vua25vd24mcXVvdDsgc3RhdHVzIGluDQpib3RoIGNhc2Vz LjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPkZvciBhcHBsaWNh dGlvbnMgd2hpY2ggdW5kZXJzdGFuZCB0aGlzIGNyaXRpY2FsDQpDUkwgZW50cnkgZXh0ZW5zaW9u IGl0IHByb3ZpZGVzIGxlc3MgYmVuZWZpdHMgPGJyPg0KdGhhbiB0aGUgcHJvcG9zZWQgY2VydElu Zm8gZXh0ZW5zaW9uLCBidXQgaXQgbWlnaHQgYmUgcXVpY2tlciB0byBpbXBsZW1lbnQNCmFuZCBp dCBlbmZvcmNlcyBhIHBvbGljeS48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9 IkFyaWFsIj5EZW5pczwvZm9udD4NCjxicj48dHQ+PGZvbnQgc2l6ZT0yPjxicj4NCiA8YnI+DQom Z3Q7IEkgb2JqZWN0IHRvIHRoZSBwcm9wb3NlZCBuZXcgdGV4dCBhYm91dCBDUkxFbnRyeUV4dGVu c2lvbnM8YnI+DQomZ3Q7IGluIHRoZSBjbGFyaWZpY2F0aW9uIGRvY3VtZW50LCBiZWNhdXNlIGFz IGlzLCB3b3VsZCBzaWduaWZpY2FudGx5PGJyPg0KJmd0OyB3b3JzZW4gdGhlIGRpZmZlcmVuY2Ug YmV0d2VlbiBQS0lYIGFuZCBYLjUwOSBhbmQgbWFrZSB0aGluZ3M8YnI+DQomZ3Q7IGNsZWFybHkg aW5jb21wYXRpYmxlIHJhdGhlciB0aGFuIHNsaWdodGx5IGxlc3MgZWZmaWNpZW50Ljxicj4NCiZn dDsgPGJyPg0KJmd0OyBJZiBhbnl0aGluZywgdGhlIGdhcCBzaG91bGQgYmUgcmVkdWNlZCwgY29t cGF0aWJpbGl0eSBiZXR3ZWVuPGJyPg0KJmd0OyBQS0lYIGFuZCBYLjUwOSBpbXByb3ZlZCBhbmQg dGhlIG9yaWdpbmFsIGFyY2hpdGVjdHVyZSBub3QgdmlvbGF0ZWQuPGJyPg0KJmd0OyA8YnI+DQom Z3Q7IFBsZWFzZSByZWNhbGwgdGhlIG9yaWdpbmFsIE5PVEUgNCAmYW1wOyA1IHRoYXQgSSBxdW90 ZWQgZnJvbTxicj4NCiZndDsgSVRVLVQgUmVjLiBYLjUwOSAoMDgvMjAwNSksIFNlY3Rpb24gNy4z LCB0b3Agb2YgcGFnZSAxODo8YnI+DQomZ3Q7IChnZXQgdGhlbSBoZXJlIDwvZm9udD48L3R0Pjxh IGhyZWY9Imh0dHA6Ly93d3cuaXR1LmludC9yZWMvVC1SRUMtWC41MDkiPjx0dD48Zm9udCBzaXpl PTI+aHR0cDovL3d3dy5pdHUuaW50L3JlYy9ULVJFQy1YLjUwOTwvZm9udD48L3R0PjwvYT48dHQ+ PGZvbnQgc2l6ZT0yPik6PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IGEmZ3Q7ICZuYnNwO05PVEUgNCAt LSBXaGVuIGFuIGltcGxlbWVudGF0aW9uIHByb2Nlc3NpbmcgYSBjZXJ0aWZpY2F0ZQ0KcmV2b2Nh dGlvbjxicj4NCiZndDsgYSZndDsgJm5ic3A7bGlzdCBkb2VzIG5vdCByZWNvZ25pemUgYSBjcml0 aWNhbCBleHRlbnNpb24gaW4gdGhlIGNybEVudHJ5RXh0ZW5zaW9uczxicj4NCiZndDsgYSZndDsg Jm5ic3A7ZmllbGQsIGl0IHNoYWxsIGFzc3VtZSB0aGF0LCBhdCBhIG1pbmltdW0sIHRoZSBpZGVu dGlmaWVkDQpjZXJ0aWZpY2F0ZTxicj4NCiZndDsgYSZndDsgJm5ic3A7aGFzIGJlZW4gcmV2b2tl ZCBhbmQgaXMgbm8gbG9uZ2VyIHZhbGlkIGFuZCBwZXJmb3JtIGFkZGl0aW9uYWwNCmFjdGlvbnM8 YnI+DQomZ3Q7IGEmZ3Q7ICZuYnNwO2NvbmNlcm5pbmcgdGhhdCByZXZva2VkIGNlcnRpZmljYXRl IGFzIGRpY3RhdGVkIGJ5IGxvY2FsDQpwb2xpY3kuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IGImZ3Q7 ICZuYnNwO1doZW4gYW4gaW1wbGVtZW50YXRpb24gZG9lcyBub3QgcmVjb2duaXplIGEgY3JpdGlj YWwgZXh0ZW5zaW9uDQppbiB0aGU8YnI+DQomZ3Q7IGImZ3Q7ICZuYnNwO2NybEV4dGVuc2lvbnMg ZmllbGQsIGl0IHNoYWxsIGFzc3VtZSB0aGF0IGlkZW50aWZpZWQgY2VydGlmaWNhdGVzPGJyPg0K Jmd0OyBiJmd0OyAmbmJzcDtoYXZlIGJlZW4gcmV2b2tlZCBhbmQgYXJlIG5vIGxvbmdlciB2YWxp ZC48YnI+DQomZ3Q7IDxicj4NCiZndDsgYyZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsNCiZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsN CiZuYnNwOyAmbmJzcDsgSG93ZXZlciBpbiB0aGUgbGF0dGVyIGNhc2UsPGJyPg0KJmd0OyBjJmd0 OyAmbmJzcDtzaW5jZSB0aGUgbGlzdCBtYXkgbm90IGJlIGNvbXBsZXRlLCBjZXJ0aWZpY2F0ZXMg dGhhdA0KaGF2ZSBub3QgYmVlbjxicj4NCiZndDsgYyZndDsgJm5ic3A7aWRlbnRpZmllZCBhcyBi ZWluZyByZXZva2VkIGNhbm5vdCBiZSBhc3N1bWVkIHRvIGJlIHZhbGlkLg0KSW4gdGhpcyBjYXNl PGJyPg0KJmd0OyBjJmd0OyAmbmJzcDtsb2NhbCBwb2xpY3kgc2hhbGwgZGljdGF0ZSB0aGUgYWN0 aW9uIHRvIGJlIHRha2VuLiBJbg0KYW55IGNhc2UgbG9jYWw8YnI+DQomZ3Q7IGMmZ3Q7ICZuYnNw O3BvbGljeSBtYXkgZGljdGF0ZSBhY3Rpb25zIGluIGFkZGl0aW9uIHRvIGFuZC9vciBzdHJvbmdl cg0KdGhhbiB0aG9zZTxicj4NCiZndDsgYyZndDsgJm5ic3A7c3RhdGVkIGluIHRoaXMgU3BlY2lm aWNhdGlvbi48YnI+DQomZ3Q7IDxicj4NCiZndDsgZCZndDsgJm5ic3A7Tk9URSA1IC0tIElmIGFu IGV4dGVuc2lvbiBhZmZlY3RzIHRoZSB0cmVhdG1lbnQgb2YgdGhlDQpsaXN0PGJyPg0KJmd0OyBk Jmd0OyAmbmJzcDsoZS5nLiwgbXVsdGlwbGUgQ1JMcyBuZWVkIHRvIGJlIHNjYW5uZWQgdG8gZXhh bWluZSB0aGUNCmVudGlyZSBsaXN0IG9mPGJyPg0KJmd0OyBkJmd0OyAmbmJzcDtyZXZva2VkIGNl cnRpZmljYXRlcywgb3IgYW4gZW50cnkgbWF5IHJlcHJlc2VudCBhIHJhbmdlDQpvZiBjZXJ0aWZp Y2F0ZXMpLDxicj4NCiZndDsgZCZndDsgJm5ic3A7dGhlbiB0aGF0IGV4dGVuc2lvbiBzaGFsbCBi ZSBpbmRpY2F0ZWQgYXMgY3JpdGljYWwgaW4NCnRoZSBjcmxFeHRlbnNpb25zPGJyPg0KJmd0OyBk Jmd0OyAmbmJzcDtmaWVsZCByZWdhcmRsZXNzIG9mIHdoZXJlIHRoZSBleHRlbnNpb24gaXMgcGxh Y2VkIGluIHRoZQ0KQ1JMLjxicj4NCiZndDsgPGJyPg0KJmd0OyBlJmd0OyAmbmJzcDtBbiBleHRl bnNpb24gaW5kaWNhdGVkIGluIHRoZSBjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQNCm9mIGFuIGVu dHJ5IHNoYWxsPGJyPg0KJmd0OyBlJmd0OyAmbmJzcDtiZSBwbGFjZWQgaW4gdGhhdCBlbnRyeSBh bmQgc2hhbGwgYWZmZWN0IG9ubHkgdGhlIGNlcnRpZmljYXRlKHMpPGJyPg0KJmd0OyBlJmd0OyAm bmJzcDtzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeS48YnI+DQomZ3Q7IDxicj4NCiZndDsgPGJyPg0K Jmd0OyAoSSBpbnNlcnRlZCBibGFuayBsaW5lcyBhYm92ZSBmb3IgdmlzdWFsIGNsYXJpdHkgb2Yg dGhlIFguNTA5IHJlcXVpcmVtZW50cykuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IHR3byBvcHRpb25z LCBhbGwgY29tYmluYXRpb25zOjxicj4NCiZndDsgPGJyPg0KJmd0OyAmbmJzcDsoMSkgY2VydCAm bmJzcDsgJm5ic3A7IG9uIENSTCwgQ1JMIHdpdGggTk8gdW5yZWNvZ25pemVkIGNyaXRpY2FsDQpD UkxFbnRyeUV4dGVuc2lvbnMgPGJyPg0KJmd0OyAmbmJzcDsoMikgY2VydCBOT1Qgb24gQ1JMLCBD Ukwgd2l0aCBOTyB1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb25zDQo8YnI+ DQomZ3Q7ICZuYnNwOygzKSBjZXJ0ICZuYnNwOyAmbmJzcDsgb24gQ1JMLCBDUkwgd2l0aCAmbmJz cDsgJm5ic3A7dW5yZWNvZ25pemVkDQpjcml0aWNhbCBDUkxFbnRyeUV4dGVuc2lvbjxicj4NCiZn dDsgJm5ic3A7KDQpIGNlcnQgTk9UIG9uIENSTCwgQ1JMIHdpdGggJm5ic3A7ICZuYnNwO3VucmVj b2duaXplZCBjcml0aWNhbA0KQ1JMRW50cnlFeHRlbnNpb248YnI+DQomZ3Q7IDxicj4NCiZndDsg PGJyPg0KJmd0OyBJIGhvcGUgd2UgYWdyZWUgdGhhdCBYLjUwOSBhbmQgcmZjNTI4MCBhZ3JlZSBv biAoMSkgYW5kICgyKSByZXN1bHRzPGJyPg0KJmd0OyBmb3IgQ1JMIGNoZWNraW5nLjxicj4NCiZn dDsgPGJyPg0KJmd0OyByZmM1MjgwIGN1cnJlbnRseSBzYXlzIHRoYXQgZm9yICgzKSsoNCkgdGhl IGVudGlyZSBDUkwgb3VnaHQgdG8gYmUNCmlnbm9yZWQ8YnI+DQomZ3Q7IGFuZCBvdGhlciBDUkxz IG5lZWQgdG8gYmUgZXZhbHVhdGVkICZxdW90O1VOREVURVJNSU5FRCZxdW90Ozxicj4NCiZndDsg PGJyPg0KJmd0OyBYLjUwOSBzYXlzIGluIChhJmd0OykgdGhhdCBmb3IgKDMpIHRoZSBzdGF0dXMg b2YgdGhlIGNlcnQgaXMgZGVmaW5pdGVseQ0KcmV2b2tlZDxicj4NCiZndDsgYW5kIHNheXMgaW4g KGMmZ3Q7KSBmb3IgKDQpIHRoYXQgdGhlIENSTCBvdWdodCB0byBiZSBpZ25vcmVkIGFuZCBvdGhl cg0KQ1JMcyBuZWVkPGJyPg0KJmd0OyB0byBiZSBldmFsdWF0ZWQgJnF1b3Q7VU5ERVRFUk1JTkVE JnF1b3Q7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFdoaWxlIGJvdGggWC41MDkgYW5kIHJmYzUyODAg YWdyZWUgb24gdGhlIHJlc3VsdCBmb3IgKDQpICZxdW90O1VOREVURVJNSU5FRCZxdW90Oyw8YnI+ DQomZ3Q7IHRoZXJlIGlzIHRoZSBzdXBlcmZpY2lhbCBhcHBlYXJhbmNlIG9mIGEgZGlmZmVyZW5j ZSBmb3IgYSBjYXN1YWw8YnI+DQomZ3Q7IGltcGxlbWVudGVyIGZvciBjYXNlICgzKSBiZXR3ZWVu IFguNTA5ICZxdW90O1JFVk9LRUQmcXVvdDsgYW5kIHJmYzUyODANCiZxdW90O1VOREVURVJNSU5F RCZxdW90Ozxicj4NCiZndDsgdGhhdCBtaWdodCBsZWFkIHRvIGEgc2xpZ2h0bHkgbGVzcyBlZmZp Y2llbnQgcHJvY2Vzc2luZyBDUkxzLjxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFRo ZSBuZXdseSBwcm9wb3NlZCB0ZXh0IChpbiAtMDkpOjxicj4NCiZndDsgPGJyPg0KJmd0OyB8ICZu YnNwOyAmbmJzcDsgSWYgYSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5z aW9uPGJyPg0KJmd0OyB8ICZuYnNwOyAmbmJzcDsgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90 IHByb2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0aW9uDQpNVVNUPGJyPg0KJmd0OyB8ICZuYnNwOyAm bmJzcDsgTk9UIHVzZSB0aGF0IENSTCB0byBkZXRlcm1pbmUgdGhlIHN0YXR1cyBvZiB0aGUgY2Vy dGlmaWNhdGU8YnI+DQomZ3Q7IHwgJm5ic3A7ICZuYnNwOyByZXByZXNlbnRlZCBieSB0aGUgQ1JM IGVudHJ5LiAmbmJzcDs8YnI+DQomZ3Q7IDxicj4NCiZndDsgY3JlYXRlcyBhIHNpZ25pZmljYW50 bHkgZGlzdGluY3QgYmVoYXZpb3VyIGZvciBjYXNlICg0KSB3aGVyZSBYLjUwOTxicj4NCiZndDsg YW5kIHJmYzUyODAgYWdyZWVkIG9uICZxdW90O1VOREVURVJNSU5FRCZxdW90OywgYnkgcmVkZWZp bmluZyB0aGUNCnJlc3VsdCB0bzxicj4NCiZndDsgYmUgJnF1b3Q7VU5SRVZPS0VEJnF1b3Q7LCBh bmQgcG90ZW50aWFsbHkgY3JlYXRlcyBhIHNlY3VyaXR5IHByb2JsZW0sDQphbmQgYTxicj4NCiZn dDsgbmV3LCBiYWNrd2FyZHMtaW5jb21wYXRpYmxlIGJlaGF2aW91ciBmb3IgYSBzaXR1YXRpb24g d2hlcmU8YnI+DQomZ3Q7IFguNTA5IGFuZCByZmM1MjgwIHVzZWQgdG8gYWdyZWUuIFN0aWxsLCB0 aGUgbmV3IHRleHQgZG9lcyBub3QgZG88YnI+DQomZ3Q7IGFueXRoaW5nIGFib3V0IGNhc2UgKDMp LCB0aGUgb25seSBjYXNlIHdoZXJlIFguNTA5IGFuZCByZmM1MjgwPGJyPg0KJmd0OyBhcHBlYXIg dG8gZGlmZmVyIChpbiBhIG1vc3RseSBtYXJnaW5hbCBmYXNoaW9uKS48YnI+DQomZ3Q7IDxicj4N CiZndDsgPGJyPg0KJmd0OyBBIGNhcmVmdWwgaW1wbGVtZW50b3IsIHRoYXQgYW5hbHl6ZXMgTk9U RSA0IGFuZCBOT1RFIDUgZnJvbSBYLjUwOTxicj4NCiZndDsgcXVvdGVkIGFib3ZlIGluIGl0cyBl bnRpcmV0eSwgc2hvdWxkIHJlYWxpemUgdGhhdCB0aGUgc2l0dWF0aW9uPGJyPg0KJmd0OyB3aGVy ZSBYLjUwOSBhbmQgcmZjNTI4MCBkaWZmZXIgaXMgbWFyZ2luYWwuPGJyPg0KJmd0OyA8YnI+DQom Z3Q7IFRoaXMgaXMgYmVjYXVzZSAoZCZndDspIGluIE5PVEUgNSBhYm92ZSByZXF1aXJlcyAoJnF1 b3Q7c2hhbGwmcXVvdDspDQp0aGF0IGE8YnI+DQomZ3Q7IGNyaXRpY2FsIGNybEVudHJ5RXh0ZW5z aW9uIHdpdGggYSBzZW1hbnRpYyBiZXlvbmQgJnF1b3Q7dGhpcyBjZXJ0DQppczxicj4NCiZndDsg cmV2b2tlZCZxdW90OyksIE1VU1QgYmUgYWRkaXRpb25hbGx5IGluY2x1ZGVkIGFzIGEgY3JpdGlj YWwgY3JsRXh0ZW5zaW9uLDxicj4NCiZndDsgd2l0aCB0aGUgZWZmZWN0IHRoYXQgdGhlIGVudGly ZSBDUkwgd2lsbCBoYXZlIHRvIGJlIGlnbm9yZWQgYnk8YnI+DQomZ3Q7IGJvdGggWC41MDkgYW5k IHJmYzUyODAgaW1wbGVtZW50YXRpb25zIHRoYXQgZG8gbm90IHJlY29nbml6ZTxicj4NCiZndDsg dGhlIGNybEV4dGVuc2lvbi4gJm5ic3A7U28gYWxsIGNvbXBsaWFudCBDUkxzIHdpdGggYSAmcXVv dDtmYW5jeSZxdW90Ozxicj4NCiZndDsgdW5yZWNvZ25pemVkIGNyaXRpY2FsIGNybEVudHJ5RXh0 ZW5zaW9uLCB0aGUgYWNjb21wYW55aW5nPGJyPg0KJmd0OyB1bnJlY29nbml6ZWQgY3JpdGljYWwg Y3JsRXh0ZW5zaW9uIHdpbGwgY2F1c2UgWC41MDkgYW5kIHJmYzUyODA8YnI+DQomZ3Q7IHRvIGFn cmVlIG9uICgzKSB0byByZXR1cm4gJnF1b3Q7VU5ERVRFUk1JTkVEJnF1b3Q7IGFuZCByZXF1aXJl IG90aGVyPGJyPg0KJmd0OyBDUkxzIHRvIGJlIGNoZWNrZWQuIDxicj4NCiZndDsgPGJyPg0KJmd0 OyA8YnI+DQomZ3Q7IC1NYXJ0aW48YnI+DQomZ3Q7IF9fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fPGJyPg0KJmd0OyBwa2l4IG1haWxpbmcgbGlzdDxicj4NCiZn dDsgcGtpeEBpZXRmLm9yZzxicj4NCiZndDsgPC9mb250PjwvdHQ+PGEgaHJlZj1odHRwczovL3d3 dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL3BraXg+PHR0Pjxmb250IHNpemU9Mj5odHRwczov L3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL3BraXg8L2ZvbnQ+PC90dD48L2E+PHR0Pjxm b250IHNpemU9Mj48YnI+DQo8L2ZvbnQ+PC90dD4NCg== --=_alternative 002A2685C1257A7C_=-- From denis.pinkas@bull.net Mon Sep 17 00:58:53 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E27921F853F for ; Mon, 17 Sep 2012 00:58:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.007 X-Spam-Level: X-Spam-Status: No, score=-2.007 tagged_above=-999 required=5 tests=[AWL=0.241, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SzafBY3wGYeG for ; Mon, 17 Sep 2012 00:58:51 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 3687D21F853E for ; Mon, 17 Sep 2012 00:58:50 -0700 (PDT) Received: from MSGC-003.bull.fr (MSGC-003.frcl.bull.fr [129.184.87.131]) by odin2.bull.net (Bull S.A.) with ESMTP id B5A7141800B; Mon, 17 Sep 2012 09:58:47 +0200 (CEST) In-Reply-To: References: To: Santosh Chokhani MIME-Version: 1.0 X-KeepSent: 0D086D60:57976B0C-C1257A7B:00533431; type=4; name=$KeepSent X-Mailer: Lotus Notes Release 8.5.2 August 10, 2010 From: denis.pinkas@bull.net Message-ID: Date: Mon, 17 Sep 2012 09:58:45 +0200 X-MIMETrack: Serialize by Router on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 17/09/2012 09:58:47, Serialize complete at 17/09/2012 09:58:47 Content-Type: multipart/alternative; boundary="=_alternative 002BBCFBC1257A7C_=" Cc: "pkix@ietf.org" Subject: Re: [pkix] draft-pinkas-rfc2560bis-00 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 07:58:54 -0000 Message en plusieurs parties au format MIME --=_alternative 002BBCFBC1257A7C_= Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: base64 U2FudG9zaCwgDQoNClRoYW5rIHlvdSBmb3IgeW91ciB2ZXJ5IHZhbHVhYmxlIGNvbW1lbnRzLiBJ dCB0b29rIG1lICJzb21lIHRpbWUiIHRvIA0KcHJvY2VzcyB0aGVtLg0KSXQgd2lsbCB0YWtlIHlv dSAic29tZSB0aW1lIiB0byByZXZpZXcgdGhlbS4gOi0pDQoNClNpbmNlIHRoZSBjb21tZW50cyBh bmQgdGhlIGNoYW5nZXMgd2VyZSBudW1lcm91cywgSSBoYXZlIGlzc3VlZCBhIG5ldyANCmRyYWZ0 IHdoaWNoIGlzIGF2YWlsYWJsZSBhdDoNCmh0dHA6Ly93d3cuaWV0Zi5vcmcvaW50ZXJuZXQtZHJh ZnRzL2RyYWZ0LXBpbmthcy1yZmMyNTYwYmlzLTAxLnR4dA0KDQpGb3IgU2FudG9zaCBpbiBwYXJ0 aWN1bGFyLCBzZWUgbXkgcmVzcG9uc2VzIGJlbG93IGluIGxpbmVzLg0KDQpEZW5pcywNCg0KVGhh bmtzIGZvciB0aGlzLiAgTXkgaW5pdGlhbCByZXZpZXcgaW5kaWNhdGVzIHRoYXQgdGhpcyBhIHZl cnkgZ29vZCBmaXJzdCANCmRyYWZ0LiANCk5vdGUgdGhhdCBJIGRpZCBub3QgcmV2aWV3IEFTTi4x IGNhcmVmdWxseSAoSSBhc3N1bWUgaXQgd2FzIGNvcGllZCBmcm9tIA0KdGhlIGV4aXN0aW5nIFJG QykuDQoNCkl0IHdhcyBjb3BpZWQgZnJvbSB0aGUgZHJhZnQgcHJlcGFyZWQgYnkgU3RlZmFuLCBi dXQgdGhlIEFTTi4gMSBtb2R1bGUgDQpuZWVkcyB0byBiZSBtb2RpZmllZCANCnNpbmNlIHRoZSBz eW50YXggb2Ygbm9uY2UgaGFzIGJlZW4gb21pdHRlZC4gDQoNCkkgaGF2ZSBhZGRlZDoNCg0KICAg Tm9uY2UgOjo9IE9DVEVUIFNUUklORw0KDQpTaW5jZSB0aGUgc3ludGF4IG9mIHRoZSBub2NoZWNr IGV4dGVuc2lvbiB3YXMgbWlzc2luZywgSSBoYXZlIGFsc28gYWRkZWQ6DQoNCiAgIE5vQ2hlY2sg Ojo9IE5VTEwNCg0KSW4gdGhlIGludHJvZHVjdGlvbiwgSSBoYXZlIGFsc28gYWRkZWQ6DQoNCiAg ICAgIG8gIFNlY3Rpb24gNC4zLjIgbm93IGluZGljYXRlcyB0aGF0IHRoZSB2YWx1ZSBvZiB0aGUg bm9jaGVjayANCiAgICAgICAgIGV4dGVuc2lvbiBTSEFMTCBiZSBOVUxMLiANCg0KVGhlIEFTTi4x IG1vZHVsZSB0aGF0IGNvbmZvcm1zIHRvIHRoZSAyMDAyIHZlcnNpb24gb2YgQVNOLjEgd2hpY2gg bWF5IGJlIA0KZm91bmQgaW4gU2VjdGlvbiA0IA0Kb2YgUkZDNTkxMiBoYXMgYW5vdGhlciBwcm9i bGVtLCBzaW5jZSB0aGUgbm9jaGVjayBleHRlbnNpb24gaGFzIGJlZW4gDQpvbWl0dGVkLg0KDQpJ IGhhdmUgYWRkZWQ6DQoNCiAgLS0gIENlcnRpZmljYXRlIEV4dGVuc2lvbg0KDQogIG9jc3Atbm9j aGVjayBFWFRFTlNJT04gOjo9IHsgU1lOVEFYIE5VTEwgDQogICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIElERU5USUZJRUQgQlkNCiAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgaWQtcGtpeC1vY3NwLW5vY2hlY2sgfQ0KDQpUaGlzIG1lYW5zIHRo YXQgd2UgY2Fubm90IGtlZXAgdGhlIHNhbWUgT0lEIGZvciB0aGUgdHdvIEFTTi4gMSBtb2R1bGVz IGFuZCANCnRodXMgd2Ugd2lsbCBuZWVkIHR3byBuZXcgb25lcy4NCg0KSSBoYXZlIG5vdyBpbmNs dWRlZCBib3RoIHN5bnRheGVzIGluIGRyYWZ0IC0wMS4NCg0KSW4gdGhlIGludHJvZHVjdGlvbiwg SSBoYXZlIGFsc28gYWRkZWQ6DQoNCiAgICAgIG8gIEFubmV4IEIgaW5jbHVkZXMgYSBuZXcgQVNO LjEgbW9kdWxlIHVzaW5nIHRoZSAxOTg4IHN5bnRheCANCiAgICAgICAgIHNpbmNlIHRoZSBzeW50 YXggb2Ygbm9uY2UgaGFkIGJlZW4gb21pdHRlZC4gIEl0IGFsc28gaW5jbHVkZXMgDQogICAgICAg ICBhIG5ldyBBU04uMSBtb2R1bGUgdXNpbmcgdGhlIDIwMDIgc3ludGF4IHNpbmNlIGluIHRoZSBB U04uMSANCiAgICAgICAgIG1vZHVsZSB3aGljaCBtYXkgYmUgZm91bmQgaW4gU2VjdGlvbiA0IG9m IFJGQzU5MTIgdGhlIG5vY2hlY2sgDQogICAgICAgICBleHRlbnNpb24gaGFkIGJlZW4gb21pdHRl ZC4NCg0KSSBkbyBoYXZlIHRoZSBmb2xsb3dpbmcgY29tbWVudCB0aG91Z2g6DQoNClNlY3Rpb24g Mi4yOiBXaGVuIHRoZSBDQSBpcyBzaWduaW5nIHRoZSByZXNwb25zZSwgc2hvdWxkIGl0IG5vdCBh bHNvIHVzZSANCnRoZSBzYW1lIGtleSB0byBzaWduIHRoZSByZXNwb25zZSANCmFzIHRoZSBjZXJ0 aWZpY2F0ZSBpbiBxdWVzdGlvbj8gIFRoZSBsYXRlciBwYXJ0IG9mIHRoZSBzZWN0aW9uIGluZGlj YXRlcyANCnRoaXMgYXMgYSByZXF1aXJlbWVudC4gDQpJbiB0aGF0IGNhc2UsIHdoeSBub3QgbWFr ZSB0aGlzIGV4cGxpY2l0IGxpa2UgdGhlIE9DU1AgUmVzcG9uZGVyLg0KDQpZb3UgYXJlIGNvcnJl Y3Q6IEkgaGF2ZSBhZGRlZDogDQoNCiAgIEluIHRoZSBmb3JtZXIgY2FzZSwgdGhlIENBIE1VU1Qg dXNlIHRoZSBzYW1lIGtleSBhcyB0aGUgb25lIHRoYXQgd2FzIA0KICAgdXNlZCB0byBpc3N1ZSB0 aGUgdGFyZ2V0IGNlcnRpZmljYXRlLg0KDQpTZWN0aW9uIDMuMS4zLCBGaXJzdCBwYXJhZ3JhcGgs IHRoZSByYXRpb25hbCBmb3IgQ0EgY2VydGlmaWNhdGVzIHRvIGhhdmUgDQpkaWdpdGFsIHNpZ25h dHVyZSBiaXQgc2V0IGJlY2F1c2UgDQp0aGV5IHNpZ24gT0NTUCBjZXJ0aWZpY2F0ZXMgaXMgaW5j b3JyZWN0LiAgTWF5IGJlIHdoYXQgeW91IG1lYW4gaXMgdGhhdCBhIA0KQ0EgdGhhdCBzaWducyBP Q1NQIHJlc3BvbnNlcyANCm5lZWRzIHRvIGhhdmUgZGlnaXRhbCBzaWduYXR1cmUgYml0IHNldCBp biBpdHMgb3duIGNlcnRpZmljYXRlIChpLmUuLCB0aGUgDQpjZXJ0aWZpY2F0ZSBmb3Igd2hpY2gg dGhlIENBIGlzIHRoZSBzdWJqZWN0KS4NCg0KT3VwcyEgVGhlIHRleHQgd2FzOg0KDQogICBUaGVy ZWZvcmUgdGhlIGRpZ2l0YWxTaWduYXR1cmUgYml0IGluIHRoZSBrZXlVc2FnZSBleHRlbnNpb24g TVVTVCANCiAgIGJlIHNldC4gDQoNCk5vdGUgMTogU2luY2UgdGhlIENBIGlzc3VlcyBjZXJ0aWZp Y2F0ZXMsIHRoZSBrZXlDZXJ0U2lnbiBiaXQgTVVTVCBhbHNvIA0KICAgICAgICBiZSBzZXQuDQoN Ck5vdGUgMjogSWYgdGhlIENBIHN1cHBvcnRzIENSTHMsIGluIHBhcnRpY3VsYXIgdG8gcmV2b2tl IHRoZSANCiAgICAgICAgY2VydGlmaWNhdGUgb2YgdGhlIE9DU1AgUmVzcG9uZGVycywgdGhlbiB0 aGUgY1JMU2lnbiBiaXQsIHRoZSANCiAgICAgICAgZGlnaXRhbFNpZ25hdHVyZSBiaXQgYW5kIHRo ZSBrZXlDZXJ0U2lnIGJpdCBNVVNUIGJlIHNldC4NCg0KSSBoYXZlIGNoYW5nZWQgaXQgaW50bzoN Cg0KICAgVGhlcmVmb3JlIHRoZSBrZXlDZXJ0U2lnbiBiaXQgaW4gdGhlIGtleVVzYWdlIGV4dGVu c2lvbiBNVVNUIGJlIHNldC4gDQoNCiAgIElmIHRoZSBDQSBzdXBwb3J0cyBDUkxzLCBpbiBwYXJ0 aWN1bGFyIHRvIHJldm9rZSB0aGUgY2VydGlmaWNhdGUgb2YgDQogICB0aGUgT0NTUCBSZXNwb25k ZXJzLCB0aGVuIGJvdGggdGhlIGNSTFNpZ24gYml0IGFuZCB0aGUga2V5Q2VydFNpZyANCiAgIGJp dCBNVVNUIGJlIHNldC4NCg0KU2VjdGlvbiAzLjEuMywgTm90ZSAyLCBBZ2FpbiB0aGVyZSBpcyBu byByZXF1aXJlbWVudCBmb3IgZGlnaXRhbCBzaWduYXR1cmUgDQpiaXQgdG8gYmUgc2V0IGp1c3Qg YmVjYXVzZSB0aGUgQ0Egc2lnbnMgDQpjZXJ0aWZpY2F0ZXMgYW5kIENSTHMuDQoNCllvdSBhcmUg Y29ycmVjdC4gU2VlIHRoZSBjb3JyZWN0aW9uIHByb3Bvc2VkIGFib3ZlLg0KDQpTZWN0aW9uIDMu MjogSXQgbm90IGNsZWFyIHdoaWNoIGFjY2Vzc0xvY2F0aW9uIGlzIGJlaW5nIHJlZmVycmVkIHRv IGhlcmUgDQooY0Fpc3N1ZXJzIG9yIE9DU1ApLiAgSWYgdGhpcyBpcyBPQ1NQLCANCnRoZSBSRkMg aXMgb3Zlcmx5IGltcGxlbWVudGF0aW9uIHNwZWNpZmljLiAgQSBDQSBjYW4gdXNlIHRoZSBzYW1l IE9DU1AgDQpsb2NhdGlvbiBhbmQgc2lnbiB0aGUgcmVzcG9uc2Ugd2l0aCANCmFwcHJvcHJpYXRl IGtleSBhbmQgaW5jbHVkZSB0aGUgYXBwcm9wcmlhdGUgQ0EgY2VydGlmaWNhdGUgd2l0aG91dCBo YXZpbmcgDQp0byBjaGFuZ2UgdGhlIE9DU1AgcG9pbnRlci4NCg0KU2VjdGlvbiAzLjIgYWRkcmVz c2VzIHRoZSBjYXNlIG9mIENBIHRoYXQgZGlyZWN0bHkgc3VwcG9ydHMgYW4gT0NTUCANCnNlcnZp Y2UgYW5kIHdoaWNoIHBlcmZvcm1zIGEga2V5IHJvbGxvdmVyLiANCklmIHRoZSBDQSBrZXkgY2hh bmdlcywgdGhlIE9DU1AgbG9jYXRpb24gbXVzdCBjaGFuZ2Ugc2luY2UgaXQgaXMgb25seSANCnBv c3NpYmxlIHVzZSBhIHNpbmdsZSBrZXkgdG8gc2lnbiB0aGUgT0NTUCANCnJlc3BvbnNlcy4gTmV2 ZXJ0aGVsZXNzLCBJIHRha2UgeW91ciBvdGhlciBwb2ludCB0byBiZSBtb3JlIHNwZWNpZmljIGFi b3V0IA0KdGhlIGFjY2Vzc0xvY2F0aW9uLiANClRoZSBwb2ludCBpcyBhZGRyZXNzZWQgbGF0ZXIg b24gaW4gYW5vdGhlciBjb21tZW50IGZyb20geW91Lg0KDQpHZW5lcmFsOiBUaGUgSS1EIGRvZXMg bm90IGFkZHJlc3MgaG93IHRoZSBDQSBkZWFscyB3aXRoIHRoZSBzaXR1YXRpb24gd2hlbiANCnN0 YXR1cyBvZiBtdWx0aXBsZSBjZXJ0aWZpY2F0ZXMgaXNzdWVkIGJ5IHRoZSBDQSwgDQpidXQgdXNp bmcgZGlmZmVyZW50IGtleXMgaXMgcmVxdWVzdGVkLiAgTWF5IGJlIHRoZSByZXN0cmljdGlvbiBp biAzLjIgaXMgDQp1c2VkIHRvIGVuc3VyZSB0aGF0IHN1Y2ggc2l0dWF0aW9uIGRvZXMgbm90IG9j Y3VyLiANCklmIHNvLCBhIHNob3J0IGRpc2N1c3Npb24gd291bGQgYmUgaGVscGZ1bC4NCg0KWW91 ciBjb21tZW50IGlzIHJlbGF0ZWQgdG8gc2VjdGlvbiA0LjMuMS4xLiAo4oCcUHJvY2Vzc2luZyBi eSBhIENBIGFjdGluZyBhcyANCmFuIE9DU1AgcmVzcG9uZGVy4oCdKS4gDQpUaGUgY2FzZSBpcyBh bHJlYWR5IGFkZHJlc3NlZCB3aXRoIHRoZSBmb2xsb3dpbmcgdGV4dDoNCg0KICAgRm9yIGVhY2gg dGFyZ2V0IGNlcnRpZmljYXRlLCB0aGUgT0NTUCByZXNwb25kZXIgU0hBTEwgdmVyaWZ5IHdoZXRo ZXIgDQogICBib3RoIHRoZSBoYXNoIG9mIHRoZSBpc3N1ZXIncyBETiBhbmQgdGhlIGhhc2ggb2Yg dGhlIGlzc3VlciBwdWJsaWMgDQogICBrZXkgd2hpY2ggYXJlIHByZXNlbnQgaW4gdGhlIHJlcXVl c3QgbWF0Y2ggcmVzcGVjdGl2ZWx5IHdpdGggdGhlIEROIA0KICAgYW5kIHRoZSBoYXNoIG9mIHRo ZSBwdWJsaWMga2V5IG9mIGNvbnRhaW5lZCBpbiBhbiBlbnRyeSBmcm9tIHRoZSANCiAgIGxpc3Qg b2YgZW50cmllcyBtYWludGFpbmVkIGJ5IHRoaXMgT0NTUCByZXNwb25kZXIuIA0KDQogICBXaGVu IHRoZXJlIGlzIG5vIG1hdGNoLCB0aGVuIHRoZSBPQ1NQIHJlc3BvbmRlciBTSEFMTCBpbmRpY2F0 ZSB0aGUgDQogICAidW5rbm93biIgc3RhdHVzIGFuZCBwcm9jZWVkIHdpdGggdGhlIG5leHQgdGFy Z2V0IGNlcnRpZmljYXRlIGZyb20gDQogICB0aGUgT0NTUCByZXF1ZXN0Lg0KDQpHZW5lcmFsOiBJ dCBub3QgY2xlYXIgd2hpY2ggYWNjZXNzTG9jYXRpb24gaXMgYmVpbmcgcmVmZXJyZWQgdG8gaW4g bW9zdCANCnBsYWNlcy4gDQpJdCB3b3VsZCBiZSB3b3J0aCBzdGF0aW5nIHRoYXQgaXQgcmVmZXJz IHRvIE9DU1AgaW4gYWxsIGNhc2VzIHVubGVzcyANCm90aGVyd2lzZSBzdGF0ZWQuDQoNCkkgaGF2 ZSBhZGRlZCBhIG5vdGUgYWZ0ZXIgdGhlIGZpcnN0IG9jY3VycmVuY2Ugb2YgdGhlIHdvcmQgaW4g c2VjdGlvbiANCjMuMS4xLg0KDQpOb3RlOiBhY2Nlc3NMb2NhdGlvbiBpcyBtZW50aW9uZWQgaW4g c2V2ZXJhbCBwbGFjZXMgb2YgdGhpcyBkb2N1bWVudC4gDQogICAgICBJdCByZWZlcnMgaW4gYWxs IGNhc2VzIHRvIHRoZSBhY2Nlc3NMb2NhdGlvbiBmaWVsZCB0aGF0IGlzIHByZXNlbnQgDQogICAg ICBpbiBhbiBBSUEgZXh0ZW5zaW9uIGZpZWxkIHRvIGRlc2lnbmF0ZSB0aGUgbG9jYXRpb24gb2Yg dGhlIE9DU1AgDQogICAgICByZXNwb25kZXIuICBJbiB0aGF0IGNhc2UsIHRoZSBhY2Nlc3NNZXRo b2QgZmllbGQgY29udGFpbnMgdGhlIA0KICAgICAgaWQtYWQtb2NzcCBPSUQuDQoNClNlY3Rpb24g My4zLjIgZG9lcyBub3QgZnVsbHkgYW5kIGV4cGxpY2l0bHkgY292ZXIgdGhlIG1vc3QgY29tbW9u IA0KaW1wbGVtZW50YXRpb24gSSBoYXZlIHNlZW4gYW5kIHRoYXQgaXMgc2hvcnQgbGlmZSBjZXJ0 aWZpY2F0ZXMuIA0KSW4gdGhhdCBzY2VuYXJpbywgdGhlIENBIG5lZWRzIHRvIGNvbnRpbnVlIHRv IGlzc3VlIHRoZSBPQ1NQIFJlc3BvbmRlciANCmNlcnRpZmljYXRlIHVzaW5nIHRoZSBvbGQgQ0Eg a2V5IHVudGlsIGFsbCB0aGUgY2VydGlmaWNhdGVzIA0KaXNzdWVkIGJ5IHRoZSBDQSB1c2luZyB0 aGUgb2xkIGtleSBhbmQgZm9yIHdoaWNoIHRoZSBPQ1NQIFJlc3BvbmRlciBpcyANCmF1dGhvcml0 YXRpdmUgZXhwaXJlLiANClRoZSB0ZXh0IGluIDMuMy4zIGNhbiBmb3JtIGEgbW9kZWwgZm9yIHRo aXMgd2hlbiBDQSByZWtleXMgYW5kIE9DU1AgDQpSZXNwb25kZXIgaGFzIHRoZSBvbGQga2V5cy4N Cg0KVGhlIHRleHQgaW4gc2VjdGlvbiAzLjMuMiBkb2VzIG5vdCBzYXkgd2hhdCB5b3Ugc2F5LiBQ bGVhc2UgYmUgbW9yZSANCnNwZWNpZmljIG9yIHNpbmNlIHRoZSB0ZXh0IGlzIHNob3J0LCBwcm92 aWRlIGFuIGFsdGVybmF0aXZlDQoNClNlY3Rpb24gMy4zLjMsIHRoZSBsYXN0IHNlbnRlbmNlIGlz IG5vdCBkZXNpcmFibGUgYW5kIGNhbiBjYXVzZSBwcm9ibGVtcyANCndpdGggc29tZSBpbXBsZW1l bnRhdGlvbnMuIA0KIEl0IGlzIHBlcmZlY3RseSBvayBmb3IgYSBSZXNwb25kZXIgdG8gY2hhbmdl IGl0cyBrZXkgaW5kZXBlbmRlbnQgb2YgDQpjZXJ0aWZpY2F0ZSBpdCBpcyBhdXRob3JpdGF0aXZl IGZvci4gDQpOb3RlIHRoYXQgT0NTUCBmaWVsZCBpbiBhIGlzc3VlIGNlcnRpZmljYXRlIGNhbm5v dCBiZSBjaGFuZ2VkIGp1c3QgYmVjYXVzZSANCnRoZSBSZXNwb25kZXIgcmVreWVkLCANCmJlIGl0 IHJvdXRpbmUgb3IgZHVlIHRvIGxvc3Mgb3IgY29tcHJvbWlzZSBvZiBSZXNwb25kZXIga2V5Lg0K DQpUaGUgdGV4dCBpbiBzZWN0aW9uIDMuMy4zIGRvZXMgbm90IHNheSB3aGF0IHlvdSBzYXkuIFBs ZWFzZSBiZSBtb3JlIA0Kc3BlY2lmaWMgb3Igc2luY2UgdGhlIHRleHQgaXMgc2hvcnQsIHByb3Zp ZGUgYW4gYWx0ZXJuYXRpdmUuDQoNClNlY3Rpb24gMy40LCBsYXN0IHBhcmFncmFwaCwgSSB3b3Vs ZCB0aGluayB0aGF0IGV4cGlyYXRpb24gY2hlY2tpbmcgbmVlZCANCm5vdCBiZSBwYXJ0IG9mIE9D U1AgY2xpZW50LiANCkV4cGlyYXRpb24gY2hlY2tpbmcgc2hvdWxkIGNvbWUgdW5kZXIgNTI4MCBj ZXJ0aWZpY2F0ZSB2YWxpZGF0aW9uLg0KDQpUaGUgdGV4dCB3YXM6DQoNCiAgIEZvciBlYWNoIGNh bmRpZGF0ZSBjZXJ0aWZpY2F0ZSwgdGhlIE9DU1AgY2xpZW50IFNIQUxMIHZlcmlmeSB0aGF0IA0K ICAgdGhlIGN1cnJlbnQgdGltZSBpcyB3aXRoaW4gdGhlIHZhbGlkaXR5IHBlcmlvZCBvZiB0aGUg dGFyZ2V0IA0KICAgY2VydGlmaWNhdGUuICBJZiB0aGlzIGlzIG5vdCB0aGUgY2FzZSwgdGhlIGNh bmRpZGF0ZSBjZXJ0aWZpY2F0ZSANCiAgIFNIQUxMIGJlIGRpc2NhcmRlZC4NCg0KSSBoYXZlIGNo YW5nZWQgaXQgaW50bzsNCg0KTm90ZTogIEZvciBlYWNoIGNhbmRpZGF0ZSBjZXJ0aWZpY2F0ZSwg d2hlbiBwZXJmb3JtaW5nIHRoZSBwYXRoIA0KICAgICAgIHZhbGlkYXRpb24gYWxnb3JpdGhtLCB0 aGUgT0NTUCBjbGllbnQgd2lsbCB2ZXJpZnkgdGhhdCB0aGUgDQogICAgICAgY3VycmVudCB0aW1l IGlzIHdpdGhpbiB0aGUgdmFsaWRpdHkgcGVyaW9kIG9mIHRoZSB0YXJnZXQgDQogICAgICAgY2Vy dGlmaWNhdGUuICBUaHVzLCBjZXJ0aWZpY2F0ZXMgd2hpY2ggYXJlIG91dHNpZGUgdGhlaXIgDQog ICAgICAgdmFsaWRpdHkgcGVyaW9kIHdpbGwgbm90IGJlIGluY2x1ZGVkIGluIHRoZSByZXF1ZXN0 IG9yIHdpbGwgDQogICAgICAgYmUgcmVqZWN0ZWQgbGF0ZXIgb24gYnkgdGhlIE9DU1AgcmVzcG9u ZGVyLg0KDQpTZWN0aW9uIDQuMSwgV2Ugc2hvdWxkIGRpbHV0ZSB0d28gQ0FzIOKAnG5ldmVyIGhh dmUgdGhlIHNhbWUgaXNzdWVyS2V5SGFzaOKAnSANCnRvIHNvbWV0aGluZyBtb3JlIGFraW4gDQp0 byBzdGF0aXN0aWNhbGx5IGluZmVhc2libGUuDQoNClRoZSB0ZXh0IHdhczoNCg0KICAgICAgVHdv IENBcyB3aWxsIG5ldmVyLCBob3dldmVyLCBoYXZlIHRoZSBzYW1lIHB1YmxpYyBrZXkgdW5sZXNz IHRoZSANCiAgICAgIENBcyBlaXRoZXIgZXhwbGljaXRseSBkZWNpZGVkIHRvIHNoYXJlIHRoZWly IHByaXZhdGUga2V5LCBvciB0aGUgDQogICAgICBrZXkgb2Ygb25lIG9mIHRoZSBDQXMgd2FzIGNv bXByb21pc2VkLg0KDQpJIGhhdmUgY2hhbmdlZCBpdCBpbnRvOg0KDQogICAgICBIb3dldmVyLCBp dCBpcyBzdGF0aXN0aWNhbGx5IGluZmVhc2libGUgdGhhdCB0d28gQ0FzIHVzZSB0aGUgc2FtZSAN CiAgICAgIHB1YmxpYyBrZXkgdW5sZXNzIHRoZSBDQXMgZWl0aGVyIGV4cGxpY2l0bHkgZGVjaWRl ZCB0byBzaGFyZSANCiAgICAgIHRoZWlyIHByaXZhdGUga2V5LCBvciB0aGUga2V5IG9mIG9uZSBv ZiB0aGUgQ0FzIHdhcyBjb21wcm9taXNlZC4NCg0KVGl0bGVzIG9mIHN1YnNlY3Rpb25zIHVuZGVy IDQuMyBjb3VsZCBzdGFuZCBpbXByb3ZlbWVudHMuICBSZXNwb25kZXJzIA0KcHJvY2VzcyByZXF1 ZXN0IGFuZCBwcm9kdWNlIHJlc3BvbnNlOyANCnRoZXkgZG8gbm90IHByb2Nlc3MgcmVzcG9uc2Vz LiAgQ2xpZW50cyBwcm9jZXNzIHJlc3BvbnNlcy4NCg0KVGhlIHRpdGxlcyB3ZXJlOg0KDQogICAg IDQuMy4gUmVzcG9uc2UgcHJvY2Vzc2luZw0KICAgICAgIDQuMy4xLiBSZXNwb25zZSBwcm9jZXNz aW5nIGJ5IE9DU1Agc2VydmVycyANCiAgICAgICAgIDQuMy4xLjEuIFByb2Nlc3NpbmcgYnkgYSBD QSBhY3RpbmcgYXMgYW4gT0NTUCByZXNwb25kZXINCiAgICAgICAgIDQuMy4xLjIuIFByb2Nlc3Np bmcgYnkgYW4gT0NTUCBSZXNwb25kZXINCiAgICAgICA0LjMuMi4gUmVzcG9uc2UgcHJvY2Vzc2lu ZyBieSBhbiBPQ1NQIGNsaWVudCANCg0KSSBoYXZlIGNoYW5nZWQgdGhlbSBpbnRvOg0KDQogICAg IDQuMy4gUHJvY2Vzc2luZyBvZiByZXF1ZXN0cyBhbmQgcmVzcG9uc2VzDQogICAgICAgNC4zLjEu IFJlcXVlc3QgcHJvY2Vzc2luZyBieSBPQ1NQIHNlcnZlcnMgDQogICAgICAgICA0LjMuMS4xLiBQ cm9jZXNzaW5nIGJ5IGEgQ0EgYWN0aW5nIGFzIGFuIE9DU1AgcmVzcG9uZGVyIA0KICAgICAgICAg NC4zLjEuMi4gUHJvY2Vzc2luZyBieSBhbiBPQ1NQIFJlc3BvbmRlciANCiAgICAgICA0LjMuMi4g UmVzcG9uc2UgcHJvY2Vzc2luZyBieSBhbiBPQ1NQIGNsaWVudCANCg0KU2VjdGlvbiA0LjMuMS4x LCBUaGUgZW50cnkgc2hvdWxkIGNvbnRhaW4gbWV0aG9kIHVzZWQgdG8gZ2FpbiBhY2Nlc3MgYW5k IA0Kc2lnbiBqdXN0IGxpa2UgdGhlIHRleHQgaW4gNC4zLjEuMiANCmFzIG9wcG9zZWQgdG8gdGhl IHByaXZhdGUga2V5LiAgSW4gb3RoZXIgd29yZHMsIGFsaWduIHRoZSB0d28gdGV4dHMgZm9yIA0K YWNjZXNzaW5nIGFuZCB1c2luZyBwcml2YXRlIGtleSANCnRvIHNpZ24gT0NTUCByZXNwb25zZXMu DQoNCkJvdGggc2VjdGlvbnMgaGF2ZSBiZWVuIGFsaWduZWQuDQoNClNlY3Rpb24gNC4zLjEsMSwg cGFnZSAxOCDigJxkZWZpbmVkIGluIGVudHJ54oCdIGNvdWxkIGJlIG1pc2ludGVycHJldGVkIGFz IA0KbWV0aG9kIGRlZmluZSBpbiByZXF1ZXN0IGVudHJ5Lg0KDQpJIGRvbuKAmXQgdGhpbmsgdGhh dCBhIGNoYW5nZSBpcyBuZWNlc3NhcnksIHNpbmNlIGl0IHVzZXMgdGhlIHRlcm0g4oCcZm9yIGVh Y2ggDQp0YXJnZXQgY2VydGlmaWNhdGXigJ0gYW5kIHRoZSBlbnRyeSB0aHVzIA0KcmVmZXJzIHRv IG9uZSBvZiB0aGUgZW50cmllcyBmcm9tIHRoZSB0YWJsZXMgb2YgZW50cmllcyBhZHZlcnRpc2Vk IGF0IHRoZSANCmJlZ2lubmluZyBvZiB0aGUgc2VjdGlvbi4gDQpJZiB5b3UgYmVsaWV2ZSB0aGF0 IGEgY2hhbmdlIGlzIG5lY2Vzc2FyeSwgd291bGQgeW91IGJlIGFibGUgdG8gbWFrZSBhIA0KcHJv cG9zYWwgPw0KDQpTZWN0aW9uIDQuMy4xLjIsIEFnYWluIHRoZSBzYW1lIGNvbW1lbnQsIGZvciB0 aGUgZGVsZWdhdGVkIE9DU1AgUmVzcG9uZGVyLCANCmNoYW5naW5nIHRoZSBVUkwgDQp3aGVuIGtl eSBpcyBjaGFuZ2VkIGlzIG5vdCByZXF1aXJlZCBhbmQgYnJlYWtzIG1hbnkgaW1wbGVtZW50YXRp b25zIGFuZCANCmhlbmNlIGlzIHVuYWNjZXB0YWJsZS4NCg0KV291bGQgeW91IGJlIGFibGUgdG8g YmUgbW9yZSBzcGVjaWZpYywgc2luY2UgSSBkb27igJl0IHNlZSB0aGF0IHRoZSB0ZXh0IA0Kc3Rh dGVzIHdoYXQgeW91IG1lYW4gPw0KDQpTZWN0aW9uIDQuMy4yLCB0aGUgY2hlY2sgZm9yIHRoaXNV cGRhdGUgaXMgZmxhd2VkIHNpbmNlIHRoaXMgdmFsdWUgbWF5IGJlIA0KZGVyaXZlZCBmcm9tIENS TCBldmVuIGZvciByZXNwb25zZXMgDQp0aGF0IGFyZSBub3QgcHJlLWdlbmVyYXRlZCBhbmQgaGVu Y2UgY2FuIGJlIGhvdXJzIG9yIGRheXMgb2ZmIGRlcGVuZGluZyBvbiANCkNSTCBpc3N1YW5jZSBm cmVxdWVuY3ksIA0KIEl0IGlzIGJldHRlciB0byByZXBsYWNlIGl0IHdpdGggcHJvZHVjZWRBdCBm aWVsZCBpbiB0aGUgcmVzcG9uc2Ugd2hldGhlciANCml0IGlzIHJlbGF0ZWQgdG8gY3VycmVudCB0 aW1lIG9yIHRpbWUgaW4gdGhlIHBhc3QuDQoNCkdvb2QgY2F0Y2ggIQ0KDQpUaGUgdGV4dCBoYXMg YmVlbiBjaGFuZ2VkIGludG8gOg0KDQogICBJZiB0aGUgY2hlY2tpbmcgdGltZSBpcyB0aGUgY3Vy cmVudCB0aW1lLCBhbmQgaWYgbm8gbm9uY2UgaGFzIGJlZW4gDQogICB1c2VkIGluIHRoZSByZXF1 ZXN0LCBPQ1NQIGNsaWVudHMgTVVTVCBjaGVjayB0aGF0IHRoZSBwcm9kdWNlZEF0DQogICBmaWVs ZCBpcyB3aXRoaW4gYSB0aW1lIHdpbmRvdyB0aGF0IGlzICJjbG9zZSBlbm91Z2giIHRvIHRoZSBj dXJyZW50IA0KICAgdGltZS4gDQoNCiAgIElmIHRoZSBjaGVja2luZyB0aW1lIGlzIGEgdGltZSBp biB0aGUgcGFzdCwgdmVyaWZpZXJzIE1VU1QgY2hlY2sgDQogICB0aGF0IHRoZSBwcm9kdWNlZEF0 IGZpZWxkIGlzIGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgdmVyaWZpY2F0aW9uIA0KICAgcnVsZXMg KGUuZy4gY2xvc2UgYW5kL29yIGFmdGVyIHRoZSBkYXRlIG9mIGEgdGltZS1zdGFtcCB0b2tlbiku DQoNClNlY3Rpb24gNCwzLDIgaXMgbWlzc2luZyBwcm9jZXNzaW5nIHNpZ25hdHVyZSBvbiB0aGUg cmVzcG9uc2UgYW5kIA0KcHJvY2Vzc2luZyByZXNwb25zZSBleHRlbnNpb24uDQoNCkkgZG9u4oCZ dCB1bmRlcnN0YW5kIHlvdXIgcmVxdWVzdCBhYm91dCDigJxtaXNzaW5nIHByb2Nlc3Npbmcgc2ln bmF0dXJlIG9uIHRoZSANCnJlc3BvbnNl4oCdLCBzaW5jZSB0aGlzIHBvaW50IGlzIGFkZHJlc3Nl ZCANCnVuZGVyIFNURVAgMi4gSWYgeW91IGJlbGlldmUgdGhhdCBhIGNoYW5nZSBpcyBuZWNlc3Nh cnksIHdvdWxkIHlvdSBiZSBhYmxlIA0KdG8gYmUgbW9yZSBzcGVjaWZpYyA/DQoNClByb2Nlc3Np bmcgcmVzcG9uc2UgZXh0ZW5zaW9uIGlzIG9ubHkgY292ZXJlZCBmb3Igc2luZ2xlRXh0ZW5zaW9u cyB3aGVuIA0KdGhlIGNyaXRpY2FsaXR5IGZsYWcgaXMgc2V0IGFuZCANCnRoZSBleHRlbnNpb24g aXMgbm90IHVuZGVyc3Rvb2QuIFNvIHlvdSBhcmUgY29ycmVjdCB0byByZXF1ZXN0IGFkZGl0aW9u YWwgDQp0ZXh0IHRvIGhhbmRsZSB0aGUgb3RoZXIgY2FzZXMuDQoNClRoZSBmb2xsb3dpbmcgdGV4 dCBoYXMgYmVlbiBhZGRlZCBmb3IgdGhlIHByb2Nlc3Npbmcgb2YgDQpyZXNwb25zZUV4dGVuc2lv bnM6DQoNCiAgIE9DU1AgY2xpZW50cyBvciB2ZXJpZmllcnMgU0hBTEwgY2hlY2sgaWYgdGhlIHJl c3BvbnNlIGNvbnRhaW5zIGEgDQogICBjcml0aWNhbCByZXNwb25zZUV4dGVuc2lvbnMuIElmIHN1 Y2ggYW4gZXh0ZW5zaW9uIGlzIGZvdW5kIGFuZCBpcyANCiAgIHJlY29nbml6ZWQsIGl0IE1VU1Qg YmUgcHJvY2Vzc2VkLiAgSWYgc3VjaCBhbiBleHRlbnNpb24gaXMgZm91bmQgYW5kIA0KICAgaXMg bm90IHJlY29nbml6ZWQsIHRoZSB3aG9sZSBPQ1NQIHJlc3BvbnNlIE1VU1QgYmUgY29uc2lkZXJl ZCBhcyANCiAgIGludmFsaWQuDQoNClRoZSBmb2xsb3dpbmcgdGV4dCBoYXMgYmVlbiBhZGRlZCBm b3IgdGhlIHByb2Nlc3Npbmcgb2Ygc2luZ2xlRXh0ZW5zaW9uczoNCg0KICAgSWYgY2hlY2tzIGFy ZSBzdWNjZXNzZnVsLCB0aGVuIE9DU1AgY2xpZW50cyBNVVNUIHByb2Nlc3MgdGhlIA0KICAgc2lu Z2xlRXh0ZW5zaW9ucyBmaWVsZCwgaWYgaXQgaXMgcHJlc2VudC4gDQoNCiAgIElmIHRoZSBjcml0 aWNhbGl0eSBmbGFnIGlzIHNldCBhbmQgdGhlIGV4dGVuc2lvbiBpcyBub3QgdW5kZXJzdG9vZCwg DQogICB0aGVuIHRoZSBzdGF0dXMgb2YgdGhlIGNlcnRpZmljYXRlIHNoYWxsIGJlICJ1bmtub3du IiBhbmQgcHJvY2VlZCB0byANCiAgIHN0ZXAgMy4gIE90aGVyd2lzZSwgcHJvY2VlZCB0byBzdGVw IDIuIA0KDQogICBJZiB0aGUgZXh0ZW5zaW9uIGlzIHVuZGVyc3Rvb2QsIHRoZW4gdGhlIGV4dGVu c2lvbiBNVVNUIGJlIA0KICAgcHJvY2Vzc2VkLiAgQWNjb3JkaW5nIHRvIGl0cyBjb250ZW50IHBy b2NlZWQgZWl0aGVyIHRvIHN0ZXAgMiBvciB0byANCiAgIHN0ZXAgMy4gDQoNClNlY3Rpb24gNS41 OiBSZXBsYXkgYXR0YWNrIGlzIGFsc28gcG9zc2libGUgd2hlbiBub3QgdXNpbmcgcHJlLWNvbXB1 dGVkIA0KcmVzcG9uc2VzLg0KDQpJIGhhdmUgYWRkZWQgaW4gbmV3IHNlY3Rpb24gd2l0aCB0aGUg Zm9sbG93aW5nIHRleHQ6DQoNCjUuNy4gT3RoZXIgcmVwbGF5IGF0dGFja3MNCg0KICAgQXMgYWxy ZWFkeSBtZW50aW9uZWQgaW4gc2VjdGlvbiA1LjUsIHJlcGxheSBhdHRhY2tzIGFyZSBwb3NzaWJs ZSANCiAgIHVzaW5nIHByZWNvbXB1dGVkIHJlc3BvbnNlcy4gIFJlcGxheSBhdHRhY2tzIGFyZSBh bHNvIHBvc3NpYmxlIHdoZW4gDQogICBubyBub25jZSBpcyBiZWluZyB1c2VkIGluIHRoZSBPQ1NQ IHJlcXVlc3QgYW5kIHRoZSB0aW1lIHdpbmRvdyANCiAgIG1lbnRpb25lZCBpbiBzZWN0aW9uIDQu My4yIChTVEVQIDEpaXMgdG9vIGxhcmdlLg0KDQpHZW5lcmFsOiBSZW1vdmFsIG9mIGxvY2FsbHkg dHJ1c3RlZCBSZXNwb25kZXIgZnJvbSB0aGUgSS1EIGlzIA0KdW5hY2NlcHRhYmxlLg0KDQpUaGUg aW50ZW50IHdhcyBub3QgdG8gcmVtb3ZlIHRoZSDigJxsb2NhbGx5IHRydXN0ZWQgUmVzcG9uZGVy 4oCdLiANCk5ldmVydGhlbGVzcywgdGhlIGN1cnJlbnQgdGV4dCBoYXMgYmVlbiBpbXByb3ZlZA0K IGluIHNldmVyYWwgcGxhY2VzLiBGb3IgZXhhbXBsZSwgaW4gdGhlIGludHJvZHVjdGlvbiwgSSBo YXZlIGFkZGVkOg0KDQogICAgICBUaGUgdGVybSDigJxsb2NhbGx5IHRydXN0ZWQgUmVzcG9uZGVy 4oCdIGlzIHVzZWQgdG8gZGVzaWduYXRlIGFuIE9DU1AgDQogICAgICByZXNwb25kZXIgdGhhdCBp cyB0cnVzdGVkIHVzaW5nIGxvY2FsIHJ1bGVzLg0KDQpJbiBzZWN0aW9uIDIuMiwgdGhlIHRleHQg bm93IHN0YXRlczoNCg0KICAgQSByZXNwb25zZSBtZXNzYWdlIE1VU1QgYmUgc2lnbmVkIGVpdGhl ciBieSBhIGNlcnRpZmljYXRlJ3MgaXNzdWVyLCANCiAgIGJ5IGFuIGF1dGhvcml6ZWQgT0NTUCBS ZXNwb25kZXIgb3IgYWNjb3JkaW5nIHRvIGxvY2FsIHJ1bGVzLiANCg0KICAgSW4gdGhlIGZpcnN0 IGNhc2UsIHRoZSBDQSBNVVNUIHVzZSB0aGUgc2FtZSBrZXkgYXMgdGhlIG9uZSB0aGF0IHdhcyAN CiAgIHVzZWQgdG8gaXNzdWUgdGhlIHRhcmdldCBjZXJ0aWZpY2F0ZS4NCg0KICAgSW4gdGhlIHNl Y29uZCBjYXNlLCB0aGUgQ0EgTVVTVCBleHBsaWNpdGx5IGRlc2lnbmF0ZSB0aGUgT0NTUCANCiAg IFJlc3BvbmRlciBieSBpc3N1aW5nIGFuIE9DU1AgY2VydGlmaWNhdGUgdG8gdGhlIE9DU1AgUmVz cG9uZGVyLiANCiAgIE9DU1Agc2lnbmluZyBkZWxlZ2F0aW9uIFNIQUxMIGJlIGluZGljYXRlZCBi eSB0aGUgaW5jbHVzaW9uIG9mIA0KICAgaWQta3AtT0NTUFNpZ25pbmcgaW4gYW4gZXh0ZW5kZWRL ZXlVc2FnZSBjZXJ0aWZpY2F0ZSBleHRlbnNpb24gDQogICBpbmNsdWRlZCBpbiB0aGUgT0NTUCBy ZXNwb25zZSBzaWduZXIncyBjZXJ0aWZpY2F0ZS4gIFRoaXMgDQogICBjZXJ0aWZpY2F0ZSBNVVNU IGJlIGlzc3VlZCBkaXJlY3RseSBieSB0aGUgQ0EgYW5kIHVuZGVyIHRoZSBzYW1lIGtleSANCiAg IHRoYXQgd2FzIHVzZWQgdG8gaXNzdWUgdGhlIHRhcmdldCBjZXJ0aWZpY2F0ZS4NCg0KICAgRm9y IHRoZXNlIHR3byBjYXNlcywgc3lzdGVtcyBvciBhcHBsaWNhdGlvbnMgdGhhdCByZWx5IG9uIE9D U1AgDQogICByZXNwb25zZXMgTVVTVCBiZSBjYXBhYmxlIG9mIGRldGVjdGluZyBhbmQgZW5mb3Jj aW5nIHVzZSBvZiB0aGUgDQogICBpZC1hZC1vY3NwU2lnbmluZyB2YWx1ZSBhcyBkZXNjcmliZWQg YWJvdmUuIA0KDQogICBJbiB0aGUgdGhpcmQgY2FzZSwgdGhlIE9DU1AgY2xpZW50IHVzZXMgYSBs b2NhbGx5IHRydXN0ZWQgUmVzcG9uZGVyLg0KICAgVGhlIGtleSB1c2VkIHRvIHNpZ24gT0NTUCBy ZXNwb25zZXMgbWF5IGJlIGRpcmVjdGx5IHRydXN0ZWQgb3IgYmUgYSANCiAgIGtleSBjb250YWlu ZWQgaW4gYW4gT0NTUCBjZXJ0aWZpY2F0ZSB3aGljaCBpcyB2ZXJpZmllZCBhY2NvcmRpbmcgdG8g DQogICBsb2NhbCBydWxlcywgaW5zdGVhZCBvZiB0aGUgcnVsZXMgZGV0YWlsZWQgaW4gdGhpcyBk b2N1bWVudC4NCg0KSW4gc2VjdGlvbiBJIGhhdmUgY2hhbmdlZCB0aGUgZm9sbG93aW5nIHRleHQg Og0KDQogICBUaGUgT0NTUCBjZXJ0aWZpY2F0ZSBTSEFMTCBiZSBzaWduZWQgYnkgdGhlIENBIGlz c3VpbmcgcHJpdmF0ZSBrZXkgDQogICB3aGljaCBjb3JyZXNwb25kcyB0byB0aGUgaXNzdWluZyBD QSBwdWJsaWMga2V5IHRoYXQgaXMgaW4gdGhpcyANCiAgIGVudHJ5LCB1bmxlc3Mgc29tZSBzcGVj aWZpYyBydWxlcyBhcmUgYWdyZWVkIGJldHdlZW4gdGhlIE9DU1AgDQogICBSZXNwb25kZXIgYW5k IE9DU1AgY2xpZW50cy4gIEluIHRoYXQgbGF0ZXIgY2FzZSwgdGhlIE9DU1AgDQogICBjZXJ0aWZp Y2F0ZSBNQVkgYmUgc2lnbmVkIGJ5IGEgZGlmZmVyZW50IGVudGl0eS4NCg0KaW50bzoNCg0KICAg VGhlIE9DU1AgY2VydGlmaWNhdGUgU0hBTEwgYmUgc2lnbmVkIGJ5IHRoZSBDQSBpc3N1aW5nIHBy aXZhdGUga2V5IA0KICAgd2hpY2ggY29ycmVzcG9uZHMgdG8gdGhlIGlzc3VpbmcgQ0EgcHVibGlj IGtleSB0aGF0IGlzIGluIHRoaXMgDQogICBlbnRyeSwgdW5sZXNzIHNvbWUgc3BlY2lmaWMgcnVs ZXMgYXJlIGFncmVlZCBiZXR3ZWVuIHRoZSBPQ1NQIA0KICAgUmVzcG9uZGVyIGFuZCBPQ1NQIGNs aWVudHMuICBJbiB0aGF0IGxhdGVyIGNhc2UsIHdoaWNoIGNvcnJlc3BvbmRzIA0KICAgdG8gdGhl IGNhc2Ugb2YgYSBsb2NhbGx5IHRydXN0ZWQgUmVzcG9uZGVyLCB0aGUgT0NTUCBjZXJ0aWZpY2F0 ZSBNQVkgDQogICBiZSBzaWduZWQgYnkgYSBkaWZmZXJlbnQgZW50aXR5Lg0KDQpUaGVyZSBpcyBu b3cgYWxzbyBhIGNvbXBsZXRlbHkgbmV3IHNlY3Rpb246IDQuMy4xLjMsIGNhbGxlZCDigJxQcm9j ZXNzaW5nIGJ5IA0KYSBsb2NhbGx5IHRydXN0ZWQgUmVzcG9uZGVy4oCdLg0KDQpXaGVuIHJldmll d2luZyB0aGUgdGV4dCwgSSBmb3VuZCB0aGF0LCBpbiBzZWN0aW9uIDQuMy4xLjIsIHRoZSBsaXN0 IG9ubHkgDQptZW50aW9uZWQ6DQoNCiAgICAgLSB0aGUgbWV0aG9kKHMpIHVzZWQgdG8gb2J0YWlu IHRoZSByZXZvY2F0aW9uIHN0YXR1cyBvZiB0aGUgDQogICAgICAgY2VydGlmaWNhdGVzIGlzc3Vl ZCB1bmRlciB0aGF0IENBIGlzc3VpbmcgcHVibGljIGtleSwNCg0KSW4gcHJhY3RpY2UsIGFuIE9D U1AgcmVzcG9uZGVyIG1heSBub3QgYmUgcmVzcG9uc2libGUgZm9yIGFsbCB0aGUgDQpjZXJ0aWZp Y2F0ZXMgaXNzdWVkIGJ5IGEgQ0EuIA0KU28gaXQgYWxzbyBuZWVkcyB0byBrbm93IHdoaWNoIHN1 YnNldCBvZiB0aGUgY2VydGlmaWNhdGVzIGlzc3VlZCBieSBlYWNoIA0KQ0EgaXQgaXMgcmVzcG9u c2libGUgZm9yLg0KDQpUaHVzIEkgaGF2ZSBjaGFuZ2VkIHRoZSB0ZXh0IGludG86DQoNCiAgICAg LSB0aGUgbWV0aG9kKHMpIHVzZWQgdG8ga25vdyBmb3Igd2hpY2ggc3Vic2V0IG9mIGNlcnRpZmlj YXRlcyANCiAgICAgICBpc3N1ZWQgYnkgdGhlIENBIGl0IGlzIHJlc3BvbnNpYmxlIGZvciwgDQoN CiAgICAgLSB0aGUgbWV0aG9kKHMpIHVzZWQgdG8gb2J0YWluIHRoZSByZXZvY2F0aW9uIHN0YXR1 cyBvZiB0aGF0IA0KICAgICAgIHN1YnNldCBvZiBjZXJ0aWZpY2F0ZXMgaXNzdWVkIHVuZGVyIHRo YXQgQ0EgaXNzdWluZyBwdWJsaWMga2V5LA0KDQoNCkRlbmlzDQogDQo+IEEgbmV3IEludGVybmV0 LURyYWZ0IGlzIGF2YWlsYWJsZSBmcm9tIHRoZSBvbi1saW5lIEludGVybmV0LURyYWZ0cyANCj4g ZGlyZWN0b3JpZXMuDQo+IA0KPiAgICBUaXRsZSAgICAgICAgIDogWC41MDkgSW50ZXJuZXQgUHVi bGljIEtleSBJbmZyYXN0cnVjdHVyZSBPbmxpbmUgDQo+ICAgICAgICAgICAgICAgICAgICBDZXJ0 aWZpY2F0ZSBTdGF0dXMgUHJvdG9jb2wgLSBPQ1NQDQo+ICAgIEF1dGhvcihzKSAgICAgOiBELiBQ aW5rYXMNCj4gICAgRmlsZW5hbWUgICAgICA6IGRyYWZ0LXBpbmthcy1yZmMyNTYwYmlzDQo+ICAg IFBhZ2VzICAgICAgICAgOiA0MSANCj4gICAgRGF0ZSAgICAgICAgICA6IEF1Zy4gMjcsIDIwMTIg DQo+IA0KPiAgIFRoaXMgZG9jdW1lbnQgc3BlY2lmaWVzIGEgcHJvdG9jb2wgdXNlZnVsIGluIGRl dGVybWluaW5nIHRoZSBjdXJyZW50DQo+ICAgc3RhdHVzIG9mIGEgZGlnaXRhbCBjZXJ0aWZpY2F0 ZSB3aXRob3V0IHJlcXVpcmluZyBDUkxzLiAgQWRkaXRpb25hbA0KPiAgIG1lY2hhbmlzbXMgYWRk cmVzc2luZyBQS0lYIG9wZXJhdGlvbmFsIHJlcXVpcmVtZW50cyBhcmUgc3BlY2lmaWVkIGluDQo+ ICAgc2VwYXJhdGUgZG9jdW1lbnRzLiBUaGlzIGRvY3VtZW50IG9ic29sZXRlcyBSRkMgMjU2MCBh bmQgUkZDIDYyNzcuDQo+IA0KPiBBIFVSTCBmb3IgdGhpcyBJbnRlcm5ldC1EcmFmdCBpczoNCj4g aHR0cDovL3d3dy5pZXRmLm9yZy9pbnRlcm5ldC1kcmFmdHMvZHJhZnQtcGlua2FzLXJmYzI1NjBi aXMtMDAudHh0DQo+IA0KPiBJbnRlcm5ldC1EcmFmdHMgYXJlIGFsc28gYXZhaWxhYmxlIGJ5IGFu b255bW91cyBGVFAgYXQ6DQo+IGZ0cDovL2Z0cC5pZXRmLm9yZy9pbnRlcm5ldC1kcmFmdHMvDQo+ IA0KPiBCZWxvdyBpcyB0aGUgZGF0YSB3aGljaCB3aWxsIGVuYWJsZSBhIE1JTUUgY29tcGxpYW50 IG1haWwgcmVhZGVyIA0KPiBpbXBsZW1lbnRhdGlvbiB0byBhdXRvbWF0aWNhbGx5IHJldHJpZXZl IHRoZSBBU0NJSSB2ZXJzaW9uIG9mIHRoZSANCkludGVybmV0LURyYWZ0Lg0KPiANCj4gPGZ0cDov L2Z0cC5pZXRmLm9yZy9pbnRlcm5ldC1kcmFmdHMvZHJhZnQtcGlua2FzLXJmYzI1NjBiaXM+IA0K PiANCj4gQSBmZXcgZXhwbGFuYXRpb25zIGFib3V0IHRoZSBjb250ZW50IG9mIGRyYWZ0LWlldGYt cGlua2FzLXJmYzI1NjBiaXMtMDAuIA0KDQo+IA0KPiAyNSBjaGFuZ2VzIGFyZSBpbmRpY2F0ZWQg YXQgdGhlIGJlZ2lubmluZyBvZiB0aGUgZG9jdW1lbnQuIA0KPiBJIHdpbGwgb25seSBtZW50aW9u IGEgZmV3IG9mIHRoZW06IA0KPiANCj4gQSAtIEV4cGxhbmF0aW9ucyB3ZXJlIG1pc3NpbmcgdG8g ZGVzY3JpYmU6IA0KPiANCj4gICAgICAtIHRoZSBidWlsZGluZyBvZiBhIHJlcXVlc3QgYnkgYW4g T0NTUCBjbGllbnQsIA0KPiAgICAgIC0gdGhlIHByb2Nlc3Npbmcgb2YgYSByZXF1ZXN0IGJ5IGFu IE9DU1Agc2VydmVyLCANCj4gICAgICAtIHRoZSBidWlsZGluZyBvZiBhIHJlc3BvbnNlICBieSBh biBPQ1NQIHNlcnZlciwgYW5kIA0KPiAgICAgIC0gdGhlIHByb2Nlc3Npbmcgb2YgYSByZXNwb25z ZSBieSBhbiBPQ1NQIGNsaWVudC4gDQo+IA0KPiBUaGVzZSBleHBsYW5hdGlvbnMgaGF2ZSBiZWVu IGFkZGVkLiANCj4gDQo+IEIgLSBFeHBsYW5hdGlvbnMgd2VyZSBtaXNzaW5nIHRvIGFkZHJlc3Mg Q0Ega2V5IHJvbGxvdmVyIGFuZCBPQ1NQIA0KPiAgICAga2V5IHJvbGxvdmVyLiBUaGVzZSBleHBs YW5hdGlvbnMgaGF2ZSBiZWVuIGFkZGVkLiANCj4gDQo+IEMgLSBCYWNrd2FyZHMgY29tcGF0aWJp bGl0eSBoYXMgYmVlbiBhZGRyZXNzZWQgaW4gdGhlIGZvbGxvd2luZyB3YXk6IA0KPiANCj4gICAg ICAgMSkgQW4gT0NTUCByZXNwb25zZSBieSBiZSBzaWduZWQgZWl0aGVyIGJ5IGEgQ0Egb3IgYnkg YW4gT0NTUCANClJlc3BvbmRlci4NCj4gDQo+ICAgICAgIDIpIEJlc2lkZXMgbG9jYWwgY29uZmln dXJhdGlvbiBzZXR0aW5ncyB3aGljaCBhcmUgb3B0aW9uYWwsIA0KPiAgICAgICAgICBvbmx5IHR3 byBjYXNlcyBTSEFMTCBiZSBzdXBwb3J0ZWQgYnkgT0NTUCBjbGllbnRzIChhbmQgdGh1cyANCk9D U1Agc2VydmVycykgDQo+ICAgICAgICAgIGFzIGV4cGxhaW5lZCBiZWxvdy4gDQo+IA0KPiAgICAg ICAgVGhlIGtleSB0byBiZSB1c2VkIHRvIHZlcmlmeSBhIFNpbmdsZVJlc3BvbnNlICh3aXRoaW4g YSANCj4gICAgICAgIEJhc2ljT0NTUFJlc3BvbnNlKSBNVVNUOiANCj4gDQo+ICAgICAgICAgICAo MSkgZWl0aGVyIGJlIHRoZSBzYW1lIGtleSB0aGF0IHRoZSBvbmUgdXNlZCB0byBzaWduIHRoZSAN Cj4gICAgICAgICAgICAgICB0YXJnZXQgY2VydGlmaWNhdGUsDQo+IA0KPiAgICAgICAgICAgKDIp IG9yIGJlIHRoZSBwdWJsaWMga2V5IGZyb20gYW4gT0NTUCByZXNwb25kZXIgdGhhdCBpcyANCj4g ICAgICAgICAgICAgICBjb250YWluZWQgaW4gYW4gT0NTUCBjZXJ0aWZpY2F0ZSB0aGF0IGhhcyBi ZWVuIHNpZ25lZCBieSANCnRoZSBzYW1lIGtleSANCj4gICAgICAgICAgICAgICB0aGF0IHRoZSBv bmUgdXNlZCB0byBzaWduIHRoZSB0YXJnZXQgY2VydGlmaWNhdGUuDQo+ICAgIC4gDQo+IFRoZSB0 ZXh0IGFsbG93cyB0byB1c2UgdGhlIHNhbWUgZ2VuZXJhbCBwcm9jZXNzaW5nIGZvciBhIGZldyBv dGhlciANCj4gY2FzZXMsIHNpbmNlICJlc2NhcGUiICBzZW50ZW5jZXMgYXJlIHByb3ZpZGVkIHRv IGFsbG93IGZvciB0aGVzZSBvdGhlciANCmNhc2VzLCANCj4gYnV0IG9ubHkgdXNpbmcgImxvY2Fs IGNvbmZpZ3VyYXRpb24gc2V0dGluZ3MiLiANCj4gDQo+IFRoaXMgbWVhbnMgaW4gcGFydGljdWxh ciB0aGF0IHRoZSBJZGVudHJ1c3QgbW9kZWwgbWF5IGJlIHN1cHBvcnRlZCANCj4gYW5kIHRoYXQg dGhlICJzZXZlcmFsIG1hbnkgY2FzZXMiIHRoYXQgd2VyZSBkZXRhaWxlZCBpbiB0aGUgYW5uZXhl cyBmDQo+IGZyb20gZHJhZnQgLTA0IGZyb20gRGF2aWQgQ29vcGVyIGFuZCBTdGVmYW4gU2FudGVz c29uIChidXQgd2hpY2ggd2VyZSANCm5vdCANCj4gaW50ZXJvcGVyYWJsZSB3aXRoIG1vc3QgY3Vy cmVudCBpbXBsZW1lbnRhdGlvbnMpIGNhbiB0YWtlIGJlbmVmaXQgb2YgdGhlIA0KZGVzY3JpcHRp b24gDQo+IG9mIHRoZSBnZW5lcmFsIHByb2Nlc3NpbmcuIA0KPiANCj4gRGVuaXMgDQo= --=_alternative 002BBCFBC1257A7C_= Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: base64 PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5TYW50b3NoLCA8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZv bnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5UaGFuayB5b3UgZm9yIHlvdXIgdmVyeSB2YWx1YWJsZSBj b21tZW50cy4NCkl0IHRvb2sgbWUgJnF1b3Q7c29tZSB0aW1lJnF1b3Q7IHRvIHByb2Nlc3MgdGhl bS48L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5JdCB3aWxsIHRha2UgeW91 ICZxdW90O3NvbWUgdGltZSZxdW90OyB0bw0KcmV2aWV3IHRoZW0uIDotKTwvZm9udD4NCjxicj4N Cjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPlNpbmNlIHRoZSBjb21tZW50cyBhbmQgdGhl IGNoYW5nZXMgd2VyZSBudW1lcm91cywNCkkgaGF2ZSBpc3N1ZWQgYSBuZXcgZHJhZnQgd2hpY2gg aXMgYXZhaWxhYmxlIGF0OjwvZm9udD4NCjxicj48YSBocmVmPSJodHRwOi8vd3d3LmlldGYub3Jn L2ludGVybmV0LWRyYWZ0cy9kcmFmdC1waW5rYXMtcmZjMjU2MGJpcy0wMS50eHQiPjxmb250IHNp emU9MiBmYWNlPSJBcmlhbCI+aHR0cDovL3d3dy5pZXRmLm9yZy9pbnRlcm5ldC1kcmFmdHMvZHJh ZnQtcGlua2FzLXJmYzI1NjBiaXMtMDEudHh0PC9mb250PjwvYT4NCjxicj4NCjxicj48Zm9udCBz aXplPTIgZmFjZT0iQXJpYWwiPkZvciBTYW50b3NoIGluIHBhcnRpY3VsYXIsIHNlZSBteSByZXNw b25zZXMNCmJlbG93IGluIGxpbmVzLjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgY29s b3I9IzAwODJiZiBmYWNlPSJBcmlhbCI+RGVuaXMsPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNp emU9MiBjb2xvcj0jMDA4MmJmIGZhY2U9IkFyaWFsIj5UaGFua3MgZm9yIHRoaXMuICZuYnNwO015 IGluaXRpYWwNCnJldmlldyBpbmRpY2F0ZXMgdGhhdCB0aGlzIGEgdmVyeSBnb29kIGZpcnN0IGRy YWZ0LiAmbmJzcDs8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGNvbG9yPSMwMDgyYmYgZmFjZT0i QXJpYWwiPk5vdGUgdGhhdCBJIGRpZCBub3QgcmV2aWV3DQpBU04uMSBjYXJlZnVsbHkgKEkgYXNz dW1lIGl0IHdhcyBjb3BpZWQgZnJvbSB0aGUgZXhpc3RpbmcgUkZDKS48L2ZvbnQ+DQo8YnI+DQo8 YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5JdCB3YXMgY29waWVkIGZyb20gdGhlIGRyYWZ0 IHByZXBhcmVkIGJ5DQpTdGVmYW4sIGJ1dCB0aGUgQVNOLiAxIG1vZHVsZSBuZWVkcyB0byBiZSBt b2RpZmllZCA8YnI+DQpzaW5jZSB0aGUgc3ludGF4IG9mIG5vbmNlIGhhcyBiZWVuIG9taXR0ZWQu IDwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPkkgaGF2ZSBhZGRl ZDo8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJz cDsgJm5ic3A7Tm9uY2UgOjo9IE9DVEVUIFNUUklORzwvZm9udD4NCjxicj4NCjxicj48Zm9udCBz aXplPTIgZmFjZT0iQXJpYWwiPlNpbmNlIHRoZSBzeW50YXggb2YgdGhlIG5vY2hlY2sgZXh0ZW5z aW9uDQp3YXMgbWlzc2luZywgSSBoYXZlIGFsc28gYWRkZWQ6PC9mb250Pg0KPGJyPg0KPGJyPjxm b250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO05vQ2hlY2sgOjo9IE5V TEw8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5JbiB0aGUgaW50 cm9kdWN0aW9uLCBJIGhhdmUgYWxzbyBhZGRlZDo8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6 ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyBvICZuYnNwO1NlY3Rp b24NCjQuMy4yIG5vdyBpbmRpY2F0ZXMgdGhhdCB0aGUgdmFsdWUgb2YgdGhlIG5vY2hlY2sgPC9m b250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwO2V4dGVuc2lvbg0KU0hBTEwgYmUgTlVMTC4gPC9mb250Pg0KPGJy Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+VGhlIEFTTi4xIG1vZHVsZSB0aGF0IGNv bmZvcm1zIHRvIHRoZSAyMDAyDQp2ZXJzaW9uIG9mIEFTTi4xIHdoaWNoIG1heSBiZSBmb3VuZCBp biBTZWN0aW9uIDQgPGJyPg0Kb2YgUkZDNTkxMiBoYXMgYW5vdGhlciBwcm9ibGVtLCBzaW5jZSB0 aGUgbm9jaGVjayBleHRlbnNpb24gaGFzIGJlZW4gb21pdHRlZC48L2ZvbnQ+DQo8YnI+DQo8YnI+ PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5JIGhhdmUgYWRkZWQ6PC9mb250Pg0KPGJyPg0KPGJy Pjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7IC0tICZuYnNwO0NlcnRpZmlj YXRlIEV4dGVuc2lvbjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmll ciBOZXciPiZuYnNwOyBvY3NwLW5vY2hlY2sgRVhURU5TSU9OIDo6PSB7DQpTWU5UQVggTlVMTCA8 L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7DQombmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7DQombmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7SURFTlRJRklFRCBCWTwvZm9udD4NCjxicj48Zm9udCBzaXpl PTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsN CiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsg Jm5ic3A7ICZuYnNwOyAmbmJzcDsNCiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDtp ZC1wa2l4LW9jc3Atbm9jaGVjayB9PC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNl PSJBcmlhbCI+VGhpcyBtZWFucyB0aGF0IHdlIGNhbm5vdCBrZWVwIHRoZSBzYW1lIE9JRA0KZm9y IHRoZSB0d28gQVNOLiAxIG1vZHVsZXMgYW5kIHRodXMgd2Ugd2lsbCBuZWVkIHR3byBuZXcgb25l cy48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5JIGhhdmUgbm93 IGluY2x1ZGVkIGJvdGggc3ludGF4ZXMgaW4gZHJhZnQNCi0wMS48L2ZvbnQ+DQo8YnI+DQo8YnI+ PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5JbiB0aGUgaW50cm9kdWN0aW9uLCBJIGhhdmUgYWxz byBhZGRlZDo8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3 Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyBvICZuYnNwO0FubmV4DQpCIGluY2x1ZGVzIGEgbmV3IEFT Ti4xIG1vZHVsZSB1c2luZyB0aGUgMTk4OCBzeW50YXggPC9mb250Pg0KPGJyPjxmb250IHNpemU9 MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO3Np bmNlDQp0aGUgc3ludGF4IG9mIG5vbmNlIGhhZCBiZWVuIG9taXR0ZWQuICZuYnNwO0l0IGFsc28g aW5jbHVkZXMgPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO2ENCm5ldyBBU04uMSBtb2R1bGUgdXNpbmcg dGhlIDIwMDIgc3ludGF4IHNpbmNlIGluIHRoZSBBU04uMSA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6 ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 bW9kdWxlDQp3aGljaCBtYXkgYmUgZm91bmQgaW4gU2VjdGlvbiA0IG9mIFJGQzU5MTIgdGhlIG5v Y2hlY2sgPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO2V4dGVuc2lvbg0KaGFkIGJlZW4gb21pdHRlZC48 L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGNvbG9yPSMwMDgyYmYgZmFjZT0iQXJpYWwi PkkgZG8gaGF2ZSB0aGUgZm9sbG93aW5nIGNvbW1lbnQNCnRob3VnaDo8L2ZvbnQ+DQo8YnI+DQo8 YnI+PGZvbnQgc2l6ZT0yIGNvbG9yPSMwMDgyYmYgZmFjZT0iQXJpYWwiPlNlY3Rpb24gMi4yOiBX aGVuIHRoZSBDQSBpcw0Kc2lnbmluZyB0aGUgcmVzcG9uc2UsIHNob3VsZCBpdCBub3QgYWxzbyB1 c2UgdGhlIHNhbWUga2V5IHRvIHNpZ24gdGhlIHJlc3BvbnNlDQo8YnI+DQphcyB0aGUgY2VydGlm aWNhdGUgaW4gcXVlc3Rpb24/ICZuYnNwO1RoZSBsYXRlciBwYXJ0IG9mIHRoZSBzZWN0aW9uIGlu ZGljYXRlcw0KdGhpcyBhcyBhIHJlcXVpcmVtZW50LiAmbmJzcDs8YnI+DQpJbiB0aGF0IGNhc2Us IHdoeSBub3QgbWFrZSB0aGlzIGV4cGxpY2l0IGxpa2UgdGhlIE9DU1AgUmVzcG9uZGVyLjwvZm9u dD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPllvdSBhcmUgY29ycmVjdDog SSBoYXZlIGFkZGVkOiA8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJp ZXIgTmV3Ij4mbmJzcDsgJm5ic3A7SW4gdGhlIGZvcm1lciBjYXNlLCB0aGUNCkNBIE1VU1QgdXNl IHRoZSBzYW1lIGtleSBhcyB0aGUgb25lIHRoYXQgd2FzIDwvZm9udD4NCjxicj48Zm9udCBzaXpl PTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDt1c2VkIHRvIGlzc3VlIHRoZSB0YXJn ZXQNCmNlcnRpZmljYXRlLjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgY29sb3I9IzAw ODJiZiBmYWNlPSJBcmlhbCI+U2VjdGlvbiAzLjEuMywgRmlyc3QgcGFyYWdyYXBoLA0KdGhlIHJh dGlvbmFsIGZvciBDQSBjZXJ0aWZpY2F0ZXMgdG8gaGF2ZSBkaWdpdGFsIHNpZ25hdHVyZSBiaXQg c2V0IGJlY2F1c2UNCjxicj4NCnRoZXkgc2lnbiBPQ1NQIGNlcnRpZmljYXRlcyBpcyBpbmNvcnJl Y3QuICZuYnNwO01heSBiZSB3aGF0IHlvdSBtZWFuIGlzDQp0aGF0IGEgQ0EgdGhhdCBzaWducyBP Q1NQIHJlc3BvbnNlcyA8YnI+DQpuZWVkcyB0byBoYXZlIGRpZ2l0YWwgc2lnbmF0dXJlIGJpdCBz ZXQgaW4gaXRzIG93biBjZXJ0aWZpY2F0ZSAoaS5lLiwgdGhlDQpjZXJ0aWZpY2F0ZSBmb3Igd2hp Y2ggdGhlIENBIGlzIHRoZSBzdWJqZWN0KS48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0y IGZhY2U9IkFyaWFsIj5PdXBzISBUaGUgdGV4dCB3YXM6PC9mb250Pg0KPGJyPg0KPGJyPjxmb250 IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO1RoZXJlZm9yZSB0aGUgZGln aXRhbFNpZ25hdHVyZQ0KYml0IGluIHRoZSBrZXlVc2FnZSBleHRlbnNpb24gTVVTVCA8L2ZvbnQ+ DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7YmUgc2V0 LiA8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij5Ob3Rl IDE6IFNpbmNlIHRoZSBDQSBpc3N1ZXMgY2VydGlmaWNhdGVzLA0KdGhlIGtleUNlcnRTaWduIGJp dCBNVVNUIGFsc28gPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+ Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IGJlIHNldC48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZv bnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij5Ob3RlIDI6IElmIHRoZSBDQSBzdXBwb3J0cyBD UkxzLCBpbg0KcGFydGljdWxhciB0byByZXZva2UgdGhlIDwvZm9udD4NCjxicj48Zm9udCBzaXpl PTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBjZXJ0aWZp Y2F0ZQ0Kb2YgdGhlIE9DU1AgUmVzcG9uZGVycywgdGhlbiB0aGUgY1JMU2lnbiBiaXQsIHRoZSA8 L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgZGlnaXRhbFNpZ25hdHVyZQ0KYml0IGFuZCB0aGUga2V5Q2VydFNpZyBi aXQgTVVTVCBiZSBzZXQuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlh bCI+SSBoYXZlIGNoYW5nZWQgaXQgaW50bzo8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0y IGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7VGhlcmVmb3JlIHRoZSBrZXlDZXJ0U2ln bg0KYml0IGluIHRoZSBrZXlVc2FnZSBleHRlbnNpb24gTVVTVCBiZSBzZXQuIDwvZm9udD4NCjxi cj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDtJZiB0 aGUgQ0Egc3VwcG9ydHMgQ1JMcywNCmluIHBhcnRpY3VsYXIgdG8gcmV2b2tlIHRoZSBjZXJ0aWZp Y2F0ZSBvZiA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJz cDsgJm5ic3A7dGhlIE9DU1AgUmVzcG9uZGVycywgdGhlbg0KYm90aCB0aGUgY1JMU2lnbiBiaXQg YW5kIHRoZSBrZXlDZXJ0U2lnIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmll ciBOZXciPiZuYnNwOyAmbmJzcDtiaXQgTVVTVCBiZSBzZXQuPC9mb250Pg0KPGJyPg0KPGJyPjxm b250IHNpemU9MiBjb2xvcj0jMDA4MmJmIGZhY2U9IkFyaWFsIj5TZWN0aW9uIDMuMS4zLCBOb3Rl IDIsIEFnYWluDQp0aGVyZSBpcyBubyByZXF1aXJlbWVudCBmb3IgZGlnaXRhbCBzaWduYXR1cmUg Yml0IHRvIGJlIHNldCBqdXN0IGJlY2F1c2UNCnRoZSBDQSBzaWducyA8YnI+DQpjZXJ0aWZpY2F0 ZXMgYW5kIENSTHMuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+ WW91IGFyZSBjb3JyZWN0LiBTZWUgdGhlIGNvcnJlY3Rpb24gcHJvcG9zZWQNCmFib3ZlLjwvZm9u dD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgY29sb3I9IzAwODJiZiBmYWNlPSJBcmlhbCI+U2Vj dGlvbiAzLjI6IEl0IG5vdCBjbGVhciB3aGljaA0KYWNjZXNzTG9jYXRpb24gaXMgYmVpbmcgcmVm ZXJyZWQgdG8gaGVyZSAoY0Fpc3N1ZXJzIG9yIE9DU1ApLiAmbmJzcDtJZg0KdGhpcyBpcyBPQ1NQ LCA8YnI+DQp0aGUgUkZDIGlzIG92ZXJseSBpbXBsZW1lbnRhdGlvbiBzcGVjaWZpYy4gJm5ic3A7 QSBDQSBjYW4gdXNlIHRoZSBzYW1lDQpPQ1NQIGxvY2F0aW9uIGFuZCBzaWduIHRoZSByZXNwb25z ZSB3aXRoIDxicj4NCmFwcHJvcHJpYXRlIGtleSBhbmQgaW5jbHVkZSB0aGUgYXBwcm9wcmlhdGUg Q0EgY2VydGlmaWNhdGUgd2l0aG91dCBoYXZpbmcNCnRvIGNoYW5nZSB0aGUgT0NTUCBwb2ludGVy LjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPlNlY3Rpb24gMy4y IGFkZHJlc3NlcyB0aGUgY2FzZSBvZiBDQSB0aGF0DQpkaXJlY3RseSBzdXBwb3J0cyBhbiBPQ1NQ IHNlcnZpY2UgYW5kIHdoaWNoIHBlcmZvcm1zIGEga2V5IHJvbGxvdmVyLiAmbmJzcDs8YnI+DQpJ ZiB0aGUgQ0Ega2V5IGNoYW5nZXMsIHRoZSBPQ1NQIGxvY2F0aW9uIG11c3QgY2hhbmdlIHNpbmNl IGl0IGlzIG9ubHkgcG9zc2libGUNCnVzZSBhIHNpbmdsZSBrZXkgdG8gc2lnbiB0aGUgT0NTUCA8 YnI+DQpyZXNwb25zZXMuIE5ldmVydGhlbGVzcywgSSB0YWtlIHlvdXIgb3RoZXIgcG9pbnQgdG8g YmUgbW9yZSBzcGVjaWZpYyBhYm91dA0KdGhlIGFjY2Vzc0xvY2F0aW9uLiA8YnI+DQpUaGUgcG9p bnQgaXMgYWRkcmVzc2VkIGxhdGVyIG9uIGluIGFub3RoZXIgY29tbWVudCBmcm9tIHlvdS48L2Zv bnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGNvbG9yPSMwMDgyYmYgZmFjZT0iQXJpYWwiPkdl bmVyYWw6IFRoZSBJLUQgZG9lcyBub3QgYWRkcmVzcw0KaG93IHRoZSBDQSBkZWFscyB3aXRoIHRo ZSBzaXR1YXRpb24gd2hlbiBzdGF0dXMgb2YgbXVsdGlwbGUgY2VydGlmaWNhdGVzDQppc3N1ZWQg YnkgdGhlIENBLCA8YnI+DQpidXQgdXNpbmcgZGlmZmVyZW50IGtleXMgaXMgcmVxdWVzdGVkLiAm bmJzcDtNYXkgYmUgdGhlIHJlc3RyaWN0aW9uIGluDQozLjIgaXMgdXNlZCB0byBlbnN1cmUgdGhh dCBzdWNoIHNpdHVhdGlvbiBkb2VzIG5vdCBvY2N1ci4gJm5ic3A7PGJyPg0KSWYgc28sIGEgc2hv cnQgZGlzY3Vzc2lvbiB3b3VsZCBiZSBoZWxwZnVsLjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBz aXplPTIgZmFjZT0iQXJpYWwiPllvdXIgY29tbWVudCBpcyByZWxhdGVkIHRvIHNlY3Rpb24gNC4z LjEuMS4NCijigJxQcm9jZXNzaW5nIGJ5IGEgQ0EgYWN0aW5nIGFzIGFuIE9DU1AgcmVzcG9uZGVy 4oCdKS4gPGJyPg0KVGhlIGNhc2UgaXMgYWxyZWFkeSBhZGRyZXNzZWQgd2l0aCB0aGUgZm9sbG93 aW5nIHRleHQ6PC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5l dyI+Jm5ic3A7ICZuYnNwO0ZvciBlYWNoIHRhcmdldCBjZXJ0aWZpY2F0ZSwNCnRoZSBPQ1NQIHJl c3BvbmRlciBTSEFMTCB2ZXJpZnkgd2hldGhlciA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZh Y2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7Ym90aCB0aGUgaGFzaCBvZiB0aGUgaXNzdWVy J3MNCkROIGFuZCB0aGUgaGFzaCBvZiB0aGUgaXNzdWVyIHB1YmxpYyA8L2ZvbnQ+DQo8YnI+PGZv bnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7a2V5IHdoaWNoIGFyZSBw cmVzZW50DQppbiB0aGUgcmVxdWVzdCBtYXRjaCByZXNwZWN0aXZlbHkgd2l0aCB0aGUgRE4gPC9m b250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO2Fu ZCB0aGUgaGFzaCBvZiB0aGUgcHVibGljDQprZXkgb2YgY29udGFpbmVkIGluIGFuIGVudHJ5IGZy b20gdGhlIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNw OyAmbmJzcDtsaXN0IG9mIGVudHJpZXMgbWFpbnRhaW5lZA0KYnkgdGhpcyBPQ1NQIHJlc3BvbmRl ci4gPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5i c3A7ICZuYnNwO1doZW4gdGhlcmUgaXMgbm8gbWF0Y2gsDQp0aGVuIHRoZSBPQ1NQIHJlc3BvbmRl ciBTSEFMTCBpbmRpY2F0ZSB0aGUgPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3Vy aWVyIE5ldyI+Jm5ic3A7ICZuYnNwOyZxdW90O3Vua25vd24mcXVvdDsgc3RhdHVzDQphbmQgcHJv Y2VlZCB3aXRoIHRoZSBuZXh0IHRhcmdldCBjZXJ0aWZpY2F0ZSBmcm9tIDwvZm9udD4NCjxicj48 Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDt0aGUgT0NTUCByZXF1 ZXN0LjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgY29sb3I9IzAwODJiZiBmYWNlPSJB cmlhbCI+R2VuZXJhbDogSXQgbm90IGNsZWFyIHdoaWNoDQphY2Nlc3NMb2NhdGlvbiBpcyBiZWlu ZyByZWZlcnJlZCB0byBpbiBtb3N0IHBsYWNlcy4gPGJyPg0KSXQgd291bGQgYmUgd29ydGggc3Rh dGluZyB0aGF0IGl0IHJlZmVycyB0byBPQ1NQIGluIGFsbCBjYXNlcyB1bmxlc3Mgb3RoZXJ3aXNl DQpzdGF0ZWQuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+SSBo YXZlIGFkZGVkIGEgbm90ZSBhZnRlciB0aGUgZmlyc3Qgb2NjdXJyZW5jZQ0Kb2YgdGhlIHdvcmQg aW4gc2VjdGlvbiAzLjEuMS48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNv dXJpZXIgTmV3Ij5Ob3RlOiBhY2Nlc3NMb2NhdGlvbiBpcyBtZW50aW9uZWQgaW4NCnNldmVyYWwg cGxhY2VzIG9mIHRoaXMgZG9jdW1lbnQuIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0i Q291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7IEl0IHJlZmVycyBpbiBhbGwNCmNhc2Vz IHRvIHRoZSBhY2Nlc3NMb2NhdGlvbiBmaWVsZCB0aGF0IGlzIHByZXNlbnQgPC9mb250Pg0KPGJy Pjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwOyAmbmJzcDsgaW4g YW4gQUlBIGV4dGVuc2lvbg0KZmllbGQgdG8gZGVzaWduYXRlIHRoZSBsb2NhdGlvbiBvZiB0aGUg T0NTUCA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsg Jm5ic3A7ICZuYnNwOyByZXNwb25kZXIuICZuYnNwO0luDQp0aGF0IGNhc2UsIHRoZSBhY2Nlc3NN ZXRob2QgZmllbGQgY29udGFpbnMgdGhlIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0i Q291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7IGlkLWFkLW9jc3AgT0lELjwvZm9udD4N Cjxicj4NCjxicj48Zm9udCBzaXplPTIgY29sb3I9IzAwODJiZiBmYWNlPSJBcmlhbCI+U2VjdGlv biAzLjMuMiBkb2VzIG5vdCBmdWxseQ0KYW5kIGV4cGxpY2l0bHkgY292ZXIgdGhlIG1vc3QgY29t bW9uIGltcGxlbWVudGF0aW9uIEkgaGF2ZSBzZWVuIGFuZCB0aGF0DQppcyBzaG9ydCBsaWZlIGNl cnRpZmljYXRlcy4gJm5ic3A7PGJyPg0KSW4gdGhhdCBzY2VuYXJpbywgdGhlIENBIG5lZWRzIHRv IGNvbnRpbnVlIHRvIGlzc3VlIHRoZSBPQ1NQIFJlc3BvbmRlcg0KY2VydGlmaWNhdGUgdXNpbmcg dGhlIG9sZCBDQSBrZXkgdW50aWwgYWxsIHRoZSBjZXJ0aWZpY2F0ZXMgPGJyPg0KaXNzdWVkIGJ5 IHRoZSBDQSB1c2luZyB0aGUgb2xkIGtleSBhbmQgZm9yIHdoaWNoIHRoZSBPQ1NQIFJlc3BvbmRl ciBpcw0KYXV0aG9yaXRhdGl2ZSBleHBpcmUuICZuYnNwOzxicj4NClRoZSB0ZXh0IGluIDMuMy4z IGNhbiBmb3JtIGEgbW9kZWwgZm9yIHRoaXMgd2hlbiBDQSByZWtleXMgYW5kIE9DU1AgUmVzcG9u ZGVyDQpoYXMgdGhlIG9sZCBrZXlzLjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFj ZT0iQXJpYWwiPlRoZSB0ZXh0IGluIHNlY3Rpb24gMy4zLjIgZG9lcyBub3Qgc2F5IHdoYXQNCnlv dSBzYXkuIFBsZWFzZSBiZSBtb3JlIHNwZWNpZmljIG9yIHNpbmNlIHRoZSB0ZXh0IGlzIHNob3J0 LCBwcm92aWRlIGFuDQphbHRlcm5hdGl2ZTwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIg Y29sb3I9IzAwODJiZiBmYWNlPSJBcmlhbCI+U2VjdGlvbiAzLjMuMywgdGhlIGxhc3Qgc2VudGVu Y2UNCmlzIG5vdCBkZXNpcmFibGUgYW5kIGNhbiBjYXVzZSBwcm9ibGVtcyB3aXRoIHNvbWUgaW1w bGVtZW50YXRpb25zLiA8YnI+DQogSXQgaXMgcGVyZmVjdGx5IG9rIGZvciBhIFJlc3BvbmRlciB0 byBjaGFuZ2UgaXRzIGtleSBpbmRlcGVuZGVudCBvZiBjZXJ0aWZpY2F0ZQ0KaXQgaXMgYXV0aG9y aXRhdGl2ZSBmb3IuICZuYnNwOzxicj4NCk5vdGUgdGhhdCBPQ1NQIGZpZWxkIGluIGEgaXNzdWUg Y2VydGlmaWNhdGUgY2Fubm90IGJlIGNoYW5nZWQganVzdCBiZWNhdXNlDQp0aGUgUmVzcG9uZGVy IHJla3llZCwgPGJyPg0KYmUgaXQgcm91dGluZSBvciBkdWUgdG8gbG9zcyBvciBjb21wcm9taXNl IG9mIFJlc3BvbmRlciBrZXkuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJB cmlhbCI+VGhlIHRleHQgaW4gc2VjdGlvbiAzLjMuMyBkb2VzIG5vdCBzYXkgd2hhdA0KeW91IHNh eS4gUGxlYXNlIGJlIG1vcmUgc3BlY2lmaWMgb3Igc2luY2UgdGhlIHRleHQgaXMgc2hvcnQsIHBy b3ZpZGUgYW4NCmFsdGVybmF0aXZlLjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgY29s b3I9IzAwODJiZiBmYWNlPSJBcmlhbCI+U2VjdGlvbiAzLjQsIGxhc3QgcGFyYWdyYXBoLA0KSSB3 b3VsZCB0aGluayB0aGF0IGV4cGlyYXRpb24gY2hlY2tpbmcgbmVlZCBub3QgYmUgcGFydCBvZiBP Q1NQIGNsaWVudC4NCiZuYnNwOzxicj4NCkV4cGlyYXRpb24gY2hlY2tpbmcgc2hvdWxkIGNvbWUg dW5kZXIgNTI4MCBjZXJ0aWZpY2F0ZSB2YWxpZGF0aW9uLjwvZm9udD4NCjxicj4NCjxicj48Zm9u dCBzaXplPTIgZmFjZT0iQXJpYWwiPlRoZSB0ZXh0IHdhczo8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZv bnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7Rm9yIGVhY2ggY2FuZGlk YXRlIGNlcnRpZmljYXRlLA0KdGhlIE9DU1AgY2xpZW50IFNIQUxMIHZlcmlmeSB0aGF0IDwvZm9u dD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDt0aGUg Y3VycmVudCB0aW1lIGlzIHdpdGhpbg0KdGhlIHZhbGlkaXR5IHBlcmlvZCBvZiB0aGUgdGFyZ2V0 IDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJz cDtjZXJ0aWZpY2F0ZS4gJm5ic3A7SWYNCnRoaXMgaXMgbm90IHRoZSBjYXNlLCB0aGUgY2FuZGlk YXRlIGNlcnRpZmljYXRlIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBO ZXciPiZuYnNwOyAmbmJzcDtTSEFMTCBiZSBkaXNjYXJkZWQuPC9mb250Pg0KPGJyPg0KPGJyPjxm b250IHNpemU9MiBmYWNlPSJBcmlhbCI+SSBoYXZlIGNoYW5nZWQgaXQgaW50bzs8L2ZvbnQ+DQo8 YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij5Ob3RlOiAmbmJzcDtGb3Ig ZWFjaCBjYW5kaWRhdGUgY2VydGlmaWNhdGUsDQp3aGVuIHBlcmZvcm1pbmcgdGhlIHBhdGggPC9m b250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7dmFsaWRhdGlvbg0KYWxnb3JpdGhtLCB0aGUgT0NTUCBjbGllbnQgd2lsbCB2 ZXJpZnkgdGhhdCB0aGUgPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5l dyI+Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7Y3VycmVudA0KdGltZSBpcyB3aXRoaW4gdGhl IHZhbGlkaXR5IHBlcmlvZCBvZiB0aGUgdGFyZ2V0IDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIg ZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO2NlcnRpZmljYXRl Lg0KJm5ic3A7VGh1cywgY2VydGlmaWNhdGVzIHdoaWNoIGFyZSBvdXRzaWRlIHRoZWlyIDwvZm9u dD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwO3ZhbGlkaXR5DQpwZXJpb2Qgd2lsbCBub3QgYmUgaW5jbHVkZWQgaW4gdGhlIHJl cXVlc3Qgb3Igd2lsbCA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3 Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDtiZSByZWplY3RlZA0KbGF0ZXIgb24gYnkgdGhl IE9DU1AgcmVzcG9uZGVyLjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgY29sb3I9IzAw ODJiZiBmYWNlPSJBcmlhbCI+U2VjdGlvbiA0LjEsIFdlIHNob3VsZCBkaWx1dGUNCnR3byBDQXMg 4oCcbmV2ZXIgaGF2ZSB0aGUgc2FtZSBpc3N1ZXJLZXlIYXNo4oCdIHRvIHNvbWV0aGluZyBtb3Jl IGFraW4gPGJyPg0KdG8gc3RhdGlzdGljYWxseSBpbmZlYXNpYmxlLjwvZm9udD4NCjxicj4NCjxi cj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPlRoZSB0ZXh0IHdhczo8L2ZvbnQ+DQo8YnI+DQo8 YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyBU d28gQ0FzIHdpbGwgbmV2ZXIsDQpob3dldmVyLCBoYXZlIHRoZSBzYW1lIHB1YmxpYyBrZXkgdW5s ZXNzIHRoZSA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJz cDsgJm5ic3A7ICZuYnNwOyBDQXMgZWl0aGVyIGV4cGxpY2l0bHkNCmRlY2lkZWQgdG8gc2hhcmUg dGhlaXIgcHJpdmF0ZSBrZXksIG9yIHRoZSA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9 IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyBrZXkgb2Ygb25lIG9mDQp0aGUgQ0Fz IHdhcyBjb21wcm9taXNlZC48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFy aWFsIj5JIGhhdmUgY2hhbmdlZCBpdCBpbnRvOjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXpl PTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7IEhvd2V2ZXIsIGl0IGlz DQpzdGF0aXN0aWNhbGx5IGluZmVhc2libGUgdGhhdCB0d28gQ0FzIHVzZSB0aGUgc2FtZSA8L2Zv bnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZu YnNwOyBwdWJsaWMga2V5IHVubGVzcw0KdGhlIENBcyBlaXRoZXIgZXhwbGljaXRseSBkZWNpZGVk IHRvIHNoYXJlIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZu YnNwOyAmbmJzcDsgJm5ic3A7IHRoZWlyIHByaXZhdGUNCmtleSwgb3IgdGhlIGtleSBvZiBvbmUg b2YgdGhlIENBcyB3YXMgY29tcHJvbWlzZWQuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9 MiBjb2xvcj0jMDA4MmJmIGZhY2U9IkFyaWFsIj5UaXRsZXMgb2Ygc3Vic2VjdGlvbnMgdW5kZXIN CjQuMyBjb3VsZCBzdGFuZCBpbXByb3ZlbWVudHMuICZuYnNwO1Jlc3BvbmRlcnMgcHJvY2VzcyBy ZXF1ZXN0IGFuZCBwcm9kdWNlDQpyZXNwb25zZTsgPGJyPg0KdGhleSBkbyBub3QgcHJvY2VzcyBy ZXNwb25zZXMuICZuYnNwO0NsaWVudHMgcHJvY2VzcyByZXNwb25zZXMuPC9mb250Pg0KPGJyPg0K PGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+VGhlIHRpdGxlcyB3ZXJlOjwvZm9udD4NCjxi cj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5i c3A7NC4zLiBSZXNwb25zZSBwcm9jZXNzaW5nPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNl PSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7NC4zLjEuIFJlc3BvbnNl DQpwcm9jZXNzaW5nIGJ5IE9DU1Agc2VydmVycyA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZh Y2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7NC4zLjEu MS4NClByb2Nlc3NpbmcgYnkgYSBDQSBhY3RpbmcgYXMgYW4gT0NTUCByZXNwb25kZXI8L2ZvbnQ+ DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7NC4zLjEuMi4NClByb2Nlc3NpbmcgYnkgYW4gT0NTUCBSZXNwb25kZXI8 L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDs0LjMuMi4gUmVzcG9uc2UNCnByb2Nlc3NpbmcgYnkgYW4gT0NTUCBjbGll bnQgPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+SSBoYXZlIGNo YW5nZWQgdGhlbSBpbnRvOjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291 cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7NC4zLiBQcm9jZXNzaW5nDQpvZiByZXF1ZXN0 cyBhbmQgcmVzcG9uc2VzPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5l dyI+Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7NC4zLjEuIFJlcXVlc3QNCnByb2Nlc3Npbmcg YnkgT0NTUCBzZXJ2ZXJzIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBO ZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs0LjMuMS4xLg0KUHJvY2Vzc2lu ZyBieSBhIENBIGFjdGluZyBhcyBhbiBPQ1NQIHJlc3BvbmRlciA8L2ZvbnQ+DQo8YnI+PGZvbnQg c2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7NC4zLjEuMi4NClByb2Nlc3NpbmcgYnkgYW4gT0NTUCBSZXNwb25kZXIgPC9mb250Pg0KPGJy Pjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7NC4zLjIuIFJlc3BvbnNlDQpwcm9jZXNzaW5nIGJ5IGFuIE9DU1AgY2xpZW50IDwvZm9udD4N Cjxicj4NCjxicj48Zm9udCBzaXplPTIgY29sb3I9IzAwODJiZiBmYWNlPSJBcmlhbCI+U2VjdGlv biA0LjMuMS4xLCBUaGUgZW50cnkNCnNob3VsZCBjb250YWluIG1ldGhvZCB1c2VkIHRvIGdhaW4g YWNjZXNzIGFuZCBzaWduIGp1c3QgbGlrZSB0aGUgdGV4dCBpbg0KNC4zLjEuMiA8YnI+DQphcyBv cHBvc2VkIHRvIHRoZSBwcml2YXRlIGtleS4gJm5ic3A7SW4gb3RoZXIgd29yZHMsIGFsaWduIHRo ZSB0d28gdGV4dHMNCmZvciBhY2Nlc3NpbmcgYW5kIHVzaW5nIHByaXZhdGUga2V5IDxicj4NCnRv IHNpZ24gT0NTUCByZXNwb25zZXMuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNl PSJBcmlhbCI+Qm90aCBzZWN0aW9ucyBoYXZlIGJlZW4gYWxpZ25lZC48L2ZvbnQ+DQo8YnI+DQo8 YnI+PGZvbnQgc2l6ZT0yIGNvbG9yPSMwMDgyYmYgZmFjZT0iQXJpYWwiPlNlY3Rpb24gNC4zLjEs MSwgcGFnZSAxOCDigJxkZWZpbmVkDQppbiBlbnRyeeKAnSBjb3VsZCBiZSBtaXNpbnRlcnByZXRl ZCBhcyBtZXRob2QgZGVmaW5lIGluIHJlcXVlc3QgZW50cnkuPC9mb250Pg0KPGJyPg0KPGJyPjxm b250IHNpemU9MiBmYWNlPSJBcmlhbCI+SSBkb27igJl0IHRoaW5rIHRoYXQgYSBjaGFuZ2UgaXMg bmVjZXNzYXJ5LA0Kc2luY2UgaXQgdXNlcyB0aGUgdGVybSDigJxmb3IgZWFjaCB0YXJnZXQgY2Vy dGlmaWNhdGXigJ0gYW5kIHRoZSBlbnRyeSB0aHVzDQo8YnI+DQpyZWZlcnMgdG8gb25lIG9mIHRo ZSBlbnRyaWVzIGZyb20gdGhlIHRhYmxlcyBvZiBlbnRyaWVzIGFkdmVydGlzZWQgYXQgdGhlDQpi ZWdpbm5pbmcgb2YgdGhlIHNlY3Rpb24uIDxicj4NCklmIHlvdSBiZWxpZXZlIHRoYXQgYSBjaGFu Z2UgaXMgbmVjZXNzYXJ5LCB3b3VsZCB5b3UgYmUgYWJsZSB0byBtYWtlIGENCnByb3Bvc2FsID88 L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGNvbG9yPSMwMDgyYmYgZmFjZT0iQXJpYWwi PlNlY3Rpb24gNC4zLjEuMiwgQWdhaW4gdGhlDQpzYW1lIGNvbW1lbnQsIGZvciB0aGUgZGVsZWdh dGVkIE9DU1AgUmVzcG9uZGVyLCBjaGFuZ2luZyB0aGUgVVJMIDxicj4NCndoZW4ga2V5IGlzIGNo YW5nZWQgaXMgbm90IHJlcXVpcmVkIGFuZCBicmVha3MgbWFueSBpbXBsZW1lbnRhdGlvbnMgYW5k DQpoZW5jZSBpcyB1bmFjY2VwdGFibGUuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBm YWNlPSJBcmlhbCI+V291bGQgeW91IGJlIGFibGUgdG8gYmUgbW9yZSBzcGVjaWZpYywgc2luY2UN CkkgZG9u4oCZdCBzZWUgdGhhdCB0aGUgdGV4dCBzdGF0ZXMgd2hhdCB5b3UgbWVhbiA/PC9mb250 Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBjb2xvcj0jMDA4MmJmIGZhY2U9IkFyaWFsIj5TZWN0 aW9uIDQuMy4yLCB0aGUgY2hlY2sgZm9yDQp0aGlzVXBkYXRlIGlzIGZsYXdlZCBzaW5jZSB0aGlz IHZhbHVlIG1heSBiZSBkZXJpdmVkIGZyb20gQ1JMIGV2ZW4gZm9yDQpyZXNwb25zZXMgPGJyPg0K dGhhdCBhcmUgbm90IHByZS1nZW5lcmF0ZWQgYW5kIGhlbmNlIGNhbiBiZSBob3VycyBvciBkYXlz IG9mZiBkZXBlbmRpbmcNCm9uIENSTCBpc3N1YW5jZSBmcmVxdWVuY3ksIDxicj4NCiBJdCBpcyBi ZXR0ZXIgdG8gcmVwbGFjZSBpdCB3aXRoIHByb2R1Y2VkQXQgZmllbGQgaW4gdGhlIHJlc3BvbnNl IHdoZXRoZXINCml0IGlzIHJlbGF0ZWQgdG8gY3VycmVudCB0aW1lIG9yIHRpbWUgaW4gdGhlIHBh c3QuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+R29vZCBjYXRj aCAhPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+VGhlIHRleHQg aGFzIGJlZW4gY2hhbmdlZCBpbnRvIDo8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZh Y2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7SWYgdGhlIGNoZWNraW5nIHRpbWUgaXMNCnRo ZSBjdXJyZW50IHRpbWUsIGFuZCBpZiBubyBub25jZSBoYXMgYmVlbiA8L2ZvbnQ+DQo8YnI+PGZv bnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7dXNlZCBpbiB0aGUgcmVx dWVzdCwgT0NTUA0KY2xpZW50cyBNVVNUIGNoZWNrIHRoYXQgdGhlIHByb2R1Y2VkQXQ8L2ZvbnQ+ DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ZmllbGQg aXMgd2l0aGluIGEgdGltZQ0Kd2luZG93IHRoYXQgaXMgJnF1b3Q7Y2xvc2UgZW5vdWdoJnF1b3Q7 IHRvIHRoZSBjdXJyZW50IDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBO ZXciPiZuYnNwOyAmbmJzcDt0aW1lLiA8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZh Y2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7SWYgdGhlIGNoZWNraW5nIHRpbWUgaXMNCmEg dGltZSBpbiB0aGUgcGFzdCwgdmVyaWZpZXJzIE1VU1QgY2hlY2sgPC9mb250Pg0KPGJyPjxmb250 IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO3RoYXQgdGhlIHByb2R1Y2Vk QXQgZmllbGQNCmlzIGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgdmVyaWZpY2F0aW9uIDwvZm9udD4N Cjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDtydWxlcyAo ZS5nLiBjbG9zZSBhbmQvb3INCmFmdGVyIHRoZSBkYXRlIG9mIGEgdGltZS1zdGFtcCB0b2tlbiku PC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBjb2xvcj0jMDA4MmJmIGZhY2U9IkFyaWFs Ij5TZWN0aW9uIDQsMywyIGlzIG1pc3NpbmcgcHJvY2Vzc2luZw0Kc2lnbmF0dXJlIG9uIHRoZSBy ZXNwb25zZSBhbmQgcHJvY2Vzc2luZyByZXNwb25zZSBleHRlbnNpb24uPC9mb250Pg0KPGJyPg0K PGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+SSBkb27igJl0IHVuZGVyc3RhbmQgeW91ciBy ZXF1ZXN0IGFib3V0IOKAnG1pc3NpbmcNCnByb2Nlc3Npbmcgc2lnbmF0dXJlIG9uIHRoZSByZXNw b25zZeKAnSwgc2luY2UgdGhpcyBwb2ludCBpcyBhZGRyZXNzZWQgPGJyPg0KdW5kZXIgU1RFUCAy LiBJZiB5b3UgYmVsaWV2ZSB0aGF0IGEgY2hhbmdlIGlzIG5lY2Vzc2FyeSwgd291bGQgeW91IGJl IGFibGUNCnRvIGJlIG1vcmUgc3BlY2lmaWMgPzwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXpl PTIgZmFjZT0iQXJpYWwiPlByb2Nlc3NpbmcgcmVzcG9uc2UgZXh0ZW5zaW9uIGlzIG9ubHkgY292 ZXJlZA0KZm9yIHNpbmdsZUV4dGVuc2lvbnMgd2hlbiB0aGUgY3JpdGljYWxpdHkgZmxhZyBpcyBz ZXQgYW5kIDxicj4NCnRoZSBleHRlbnNpb24gaXMgbm90IHVuZGVyc3Rvb2QuIFNvIHlvdSBhcmUg Y29ycmVjdCB0byByZXF1ZXN0IGFkZGl0aW9uYWwNCnRleHQgdG8gaGFuZGxlIHRoZSBvdGhlciBj YXNlcy48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5UaGUgZm9s bG93aW5nIHRleHQgaGFzIGJlZW4gYWRkZWQgZm9yIHRoZQ0KcHJvY2Vzc2luZyBvZiByZXNwb25z ZUV4dGVuc2lvbnM6PC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVy IE5ldyI+Jm5ic3A7ICZuYnNwO09DU1AgY2xpZW50cyBvciB2ZXJpZmllcnMNClNIQUxMIGNoZWNr IGlmIHRoZSByZXNwb25zZSBjb250YWlucyBhIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFj ZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDtjcml0aWNhbCByZXNwb25zZUV4dGVuc2lvbnMu DQpJZiBzdWNoIGFuIGV4dGVuc2lvbiBpcyBmb3VuZCBhbmQgaXMgPC9mb250Pg0KPGJyPjxmb250 IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO3JlY29nbml6ZWQsIGl0IE1V U1QgYmUNCnByb2Nlc3NlZC4gJm5ic3A7SWYgc3VjaCBhbiBleHRlbnNpb24gaXMgZm91bmQgYW5k IDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJz cDtpcyBub3QgcmVjb2duaXplZCwgdGhlDQp3aG9sZSBPQ1NQIHJlc3BvbnNlIE1VU1QgYmUgY29u c2lkZXJlZCBhcyA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4m bmJzcDsgJm5ic3A7aW52YWxpZC48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9 IkFyaWFsIj5UaGUgZm9sbG93aW5nIHRleHQgaGFzIGJlZW4gYWRkZWQgZm9yIHRoZQ0KcHJvY2Vz c2luZyBvZiBzaW5nbGVFeHRlbnNpb25zOjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIg ZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDtJZiBjaGVja3MgYXJlIHN1Y2Nlc3NmdWws DQp0aGVuIE9DU1AgY2xpZW50cyBNVVNUIHByb2Nlc3MgdGhlIDwvZm9udD4NCjxicj48Zm9udCBz aXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDtzaW5nbGVFeHRlbnNpb25zIGZp ZWxkLA0KaWYgaXQgaXMgcHJlc2VudC4gPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBm YWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO0lmIHRoZSBjcml0aWNhbGl0eSBmbGFnDQpp cyBzZXQgYW5kIHRoZSBleHRlbnNpb24gaXMgbm90IHVuZGVyc3Rvb2QsIDwvZm9udD4NCjxicj48 Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDt0aGVuIHRoZSBzdGF0 dXMgb2YgdGhlDQpjZXJ0aWZpY2F0ZSBzaGFsbCBiZSAmcXVvdDt1bmtub3duJnF1b3Q7IGFuZCBw cm9jZWVkIHRvIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZu YnNwOyAmbmJzcDtzdGVwIDMuICZuYnNwO090aGVyd2lzZSwNCnByb2NlZWQgdG8gc3RlcCAyLiA8 L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsg Jm5ic3A7SWYgdGhlIGV4dGVuc2lvbiBpcyB1bmRlcnN0b29kLA0KdGhlbiB0aGUgZXh0ZW5zaW9u IE1VU1QgYmUgPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5i c3A7ICZuYnNwO3Byb2Nlc3NlZC4gJm5ic3A7QWNjb3JkaW5nDQp0byBpdHMgY29udGVudCBwcm9j ZWVkIGVpdGhlciB0byBzdGVwIDIgb3IgdG8gPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNl PSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO3N0ZXAgMy4gPC9mb250Pg0KPGJyPg0KPGJyPjxm b250IHNpemU9MiBjb2xvcj0jMDA4MmJmIGZhY2U9IkFyaWFsIj5TZWN0aW9uIDUuNTogUmVwbGF5 IGF0dGFjaw0KaXMgYWxzbyBwb3NzaWJsZSB3aGVuIG5vdCB1c2luZyBwcmUtY29tcHV0ZWQgcmVz cG9uc2VzLjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPkkgaGF2 ZSBhZGRlZCBpbiBuZXcgc2VjdGlvbiB3aXRoIHRoZSBmb2xsb3dpbmcNCnRleHQ6PC9mb250Pg0K PGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+NS43LiBPdGhlciByZXBs YXkgYXR0YWNrczwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBO ZXciPiZuYnNwOyAmbmJzcDtBcyBhbHJlYWR5IG1lbnRpb25lZCBpbg0Kc2VjdGlvbiA1LjUsIHJl cGxheSBhdHRhY2tzIGFyZSBwb3NzaWJsZSA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9 IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7dXNpbmcgcHJlY29tcHV0ZWQgcmVzcG9uc2VzLg0K Jm5ic3A7UmVwbGF5IGF0dGFja3MgYXJlIGFsc28gcG9zc2libGUgd2hlbiA8L2ZvbnQ+DQo8YnI+ PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7bm8gbm9uY2UgaXMg YmVpbmcgdXNlZA0KaW4gdGhlIE9DU1AgcmVxdWVzdCBhbmQgdGhlIHRpbWUgd2luZG93IDwvZm9u dD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDttZW50 aW9uZWQgaW4gc2VjdGlvbiA0LjMuMg0KKFNURVAgMSlpcyB0b28gbGFyZ2UuPC9mb250Pg0KPGJy Pg0KPGJyPjxmb250IHNpemU9MiBjb2xvcj0jMDA4MmJmIGZhY2U9IkFyaWFsIj5HZW5lcmFsOiBS ZW1vdmFsIG9mIGxvY2FsbHkNCnRydXN0ZWQgUmVzcG9uZGVyIGZyb20gdGhlIEktRCBpcyB1bmFj Y2VwdGFibGUuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+VGhl IGludGVudCB3YXMgbm90IHRvIHJlbW92ZSB0aGUg4oCcbG9jYWxseQ0KdHJ1c3RlZCBSZXNwb25k ZXLigJ0uIE5ldmVydGhlbGVzcywgdGhlIGN1cnJlbnQgdGV4dCBoYXMgYmVlbiBpbXByb3ZlZDxi cj4NCiBpbiBzZXZlcmFsIHBsYWNlcy4gRm9yIGV4YW1wbGUsIGluIHRoZSBpbnRyb2R1Y3Rpb24s IEkgaGF2ZSBhZGRlZDo8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJp ZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOyBUaGUgdGVybSDigJxsb2NhbGx5DQp0cnVzdGVk IFJlc3BvbmRlcuKAnSBpcyB1c2VkIHRvIGRlc2lnbmF0ZSBhbiBPQ1NQIDwvZm9udD4NCjxicj48 Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7IHJlc3Bv bmRlciB0aGF0DQppcyB0cnVzdGVkIHVzaW5nIGxvY2FsIHJ1bGVzLjwvZm9udD4NCjxicj4NCjxi cj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPkluIHNlY3Rpb24gMi4yLCB0aGUgdGV4dCBub3cg c3RhdGVzOjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXci PiZuYnNwOyAmbmJzcDtBIHJlc3BvbnNlIG1lc3NhZ2UgTVVTVA0KYmUgc2lnbmVkIGVpdGhlciBi eSBhIGNlcnRpZmljYXRlJ3MgaXNzdWVyLCA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9 IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7YnkgYW4gYXV0aG9yaXplZCBPQ1NQDQpSZXNwb25k ZXIgb3IgYWNjb3JkaW5nIHRvIGxvY2FsIHJ1bGVzLiA8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQg c2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7SW4gdGhlIGZpcnN0IGNhc2Us IHRoZQ0KQ0EgTVVTVCB1c2UgdGhlIHNhbWUga2V5IGFzIHRoZSBvbmUgdGhhdCB3YXMgPC9mb250 Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO3VzZWQg dG8gaXNzdWUgdGhlIHRhcmdldA0KY2VydGlmaWNhdGUuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250 IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO0luIHRoZSBzZWNvbmQgY2Fz ZSwgdGhlDQpDQSBNVVNUIGV4cGxpY2l0bHkgZGVzaWduYXRlIHRoZSBPQ1NQIDwvZm9udD4NCjxi cj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDtSZXNwb25kZXIg YnkgaXNzdWluZyBhbg0KT0NTUCBjZXJ0aWZpY2F0ZSB0byB0aGUgT0NTUCBSZXNwb25kZXIuIDwv Zm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDtP Q1NQIHNpZ25pbmcgZGVsZWdhdGlvbg0KU0hBTEwgYmUgaW5kaWNhdGVkIGJ5IHRoZSBpbmNsdXNp b24gb2YgPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7 ICZuYnNwO2lkLWtwLU9DU1BTaWduaW5nIGluIGFuDQpleHRlbmRlZEtleVVzYWdlIGNlcnRpZmlj YXRlIGV4dGVuc2lvbiA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3 Ij4mbmJzcDsgJm5ic3A7aW5jbHVkZWQgaW4gdGhlIE9DU1AgcmVzcG9uc2UNCnNpZ25lcidzIGNl cnRpZmljYXRlLiAmbmJzcDtUaGlzIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291 cmllciBOZXciPiZuYnNwOyAmbmJzcDtjZXJ0aWZpY2F0ZSBNVVNUIGJlIGlzc3VlZA0KZGlyZWN0 bHkgYnkgdGhlIENBIGFuZCB1bmRlciB0aGUgc2FtZSBrZXkgPC9mb250Pg0KPGJyPjxmb250IHNp emU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO3RoYXQgd2FzIHVzZWQgdG8gaXNz dWUNCnRoZSB0YXJnZXQgY2VydGlmaWNhdGUuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9 MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO0ZvciB0aGVzZSB0d28gY2FzZXMsIHN5 c3RlbXMNCm9yIGFwcGxpY2F0aW9ucyB0aGF0IHJlbHkgb24gT0NTUCA8L2ZvbnQ+DQo8YnI+PGZv bnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7cmVzcG9uc2VzIE1VU1Qg YmUgY2FwYWJsZQ0Kb2YgZGV0ZWN0aW5nIGFuZCBlbmZvcmNpbmcgdXNlIG9mIHRoZSA8L2ZvbnQ+ DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7aWQtYWQt b2NzcFNpZ25pbmcgdmFsdWUNCmFzIGRlc2NyaWJlZCBhYm92ZS4gPC9mb250Pg0KPGJyPg0KPGJy Pjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO0luIHRoZSB0aGly ZCBjYXNlLCB0aGUNCk9DU1AgY2xpZW50IHVzZXMgYSBsb2NhbGx5IHRydXN0ZWQgUmVzcG9uZGVy LjwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJz cDtUaGUga2V5IHVzZWQgdG8gc2lnbiBPQ1NQDQpyZXNwb25zZXMgbWF5IGJlIGRpcmVjdGx5IHRy dXN0ZWQgb3IgYmUgYSA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3 Ij4mbmJzcDsgJm5ic3A7a2V5IGNvbnRhaW5lZCBpbiBhbiBPQ1NQDQpjZXJ0aWZpY2F0ZSB3aGlj aCBpcyB2ZXJpZmllZCBhY2NvcmRpbmcgdG8gPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNl PSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO2xvY2FsIHJ1bGVzLCBpbnN0ZWFkIG9mDQp0aGUg cnVsZXMgZGV0YWlsZWQgaW4gdGhpcyBkb2N1bWVudC48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQg c2l6ZT0yIGZhY2U9IkFyaWFsIj5JbiBzZWN0aW9uIEkgaGF2ZSBjaGFuZ2VkIHRoZSBmb2xsb3dp bmcgdGV4dA0KOjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBO ZXciPiZuYnNwOyAmbmJzcDtUaGUgT0NTUCBjZXJ0aWZpY2F0ZSBTSEFMTA0KYmUgc2lnbmVkIGJ5 IHRoZSBDQSBpc3N1aW5nIHByaXZhdGUga2V5IDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFj ZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDt3aGljaCBjb3JyZXNwb25kcyB0byB0aGUNCmlz c3VpbmcgQ0EgcHVibGljIGtleSB0aGF0IGlzIGluIHRoaXMgPC9mb250Pg0KPGJyPjxmb250IHNp emU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO2VudHJ5LCB1bmxlc3Mgc29tZSBz cGVjaWZpYw0KcnVsZXMgYXJlIGFncmVlZCBiZXR3ZWVuIHRoZSBPQ1NQIDwvZm9udD4NCjxicj48 Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDtSZXNwb25kZXIgYW5k IE9DU1AgY2xpZW50cy4NCiZuYnNwO0luIHRoYXQgbGF0ZXIgY2FzZSwgdGhlIE9DU1AgPC9mb250 Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO2NlcnRp ZmljYXRlIE1BWSBiZSBzaWduZWQNCmJ5IGEgZGlmZmVyZW50IGVudGl0eS48L2ZvbnQ+DQo8YnI+ DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5pbnRvOjwvZm9udD4NCjxicj4NCjxicj48 Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDtUaGUgT0NTUCBjZXJ0 aWZpY2F0ZSBTSEFMTA0KYmUgc2lnbmVkIGJ5IHRoZSBDQSBpc3N1aW5nIHByaXZhdGUga2V5IDwv Zm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDt3 aGljaCBjb3JyZXNwb25kcyB0byB0aGUNCmlzc3VpbmcgQ0EgcHVibGljIGtleSB0aGF0IGlzIGlu IHRoaXMgPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7 ICZuYnNwO2VudHJ5LCB1bmxlc3Mgc29tZSBzcGVjaWZpYw0KcnVsZXMgYXJlIGFncmVlZCBiZXR3 ZWVuIHRoZSBPQ1NQIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXci PiZuYnNwOyAmbmJzcDtSZXNwb25kZXIgYW5kIE9DU1AgY2xpZW50cy4NCiZuYnNwO0luIHRoYXQg bGF0ZXIgY2FzZSwgd2hpY2ggY29ycmVzcG9uZHMgPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBm YWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO3RvIHRoZSBjYXNlIG9mIGEgbG9jYWxseQ0K dHJ1c3RlZCBSZXNwb25kZXIsIHRoZSBPQ1NQIGNlcnRpZmljYXRlIE1BWSA8L2ZvbnQ+DQo8YnI+ PGZvbnQgc2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7YmUgc2lnbmVkIGJ5 IGEgZGlmZmVyZW50DQplbnRpdHkuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNl PSJBcmlhbCI+VGhlcmUgaXMgbm93IGFsc28gYSBjb21wbGV0ZWx5IG5ldyBzZWN0aW9uOg0KNC4z LjEuMywgY2FsbGVkIOKAnFByb2Nlc3NpbmcgYnkgYSBsb2NhbGx5IHRydXN0ZWQgUmVzcG9uZGVy 4oCdLjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPldoZW4gcmV2 aWV3aW5nIHRoZSB0ZXh0LCBJIGZvdW5kIHRoYXQsIGluDQpzZWN0aW9uIDQuMy4xLjIsIHRoZSBs aXN0IG9ubHkgbWVudGlvbmVkOjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0i Q291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7LSB0aGUgbWV0aG9kKHMpDQp1c2VkIHRv IG9idGFpbiB0aGUgcmV2b2NhdGlvbiBzdGF0dXMgb2YgdGhlIDwvZm9udD4NCjxicj48Zm9udCBz aXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO2NlcnRp ZmljYXRlcw0KaXNzdWVkIHVuZGVyIHRoYXQgQ0EgaXNzdWluZyBwdWJsaWMga2V5LDwvZm9udD4N Cjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPkluIHByYWN0aWNlLCBhbiBPQ1NQ IHJlc3BvbmRlciBtYXkgbm90IGJlDQpyZXNwb25zaWJsZSBmb3IgYWxsIHRoZSBjZXJ0aWZpY2F0 ZXMgaXNzdWVkIGJ5IGEgQ0EuIDxicj4NClNvIGl0IGFsc28gbmVlZHMgdG8ga25vdyB3aGljaCBz dWJzZXQgb2YgdGhlIGNlcnRpZmljYXRlcyBpc3N1ZWQgYnkgZWFjaA0KQ0EgaXQgaXMgcmVzcG9u c2libGUgZm9yLjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPlRo dXMgSSBoYXZlIGNoYW5nZWQgdGhlIHRleHQgaW50bzo8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQg c2l6ZT0yIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7ICZuYnNwOy0gdGhlIG1ldGhv ZChzKQ0KdXNlZCB0byBrbm93IGZvciB3aGljaCBzdWJzZXQgb2YgY2VydGlmaWNhdGVzIDwvZm9u dD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwO2lzc3VlZCBieQ0KdGhlIENBIGl0IGlzIHJlc3BvbnNpYmxlIGZvciwgPC9mb250 Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNw OyAmbmJzcDstIHRoZSBtZXRob2QocykNCnVzZWQgdG8gb2J0YWluIHRoZSByZXZvY2F0aW9uIHN0 YXR1cyBvZiB0aGF0IDwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQ291cmllciBOZXci PiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO3N1YnNldCBvZg0KY2VydGlmaWNhdGVzIGlzc3Vl ZCB1bmRlciB0aGF0IENBIGlzc3VpbmcgcHVibGljIGtleSw8L2ZvbnQ+DQo8YnI+DQo8YnI+DQo8 YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5EZW5pczwvZm9udD4NCjxicj48dHQ+PGZvbnQg c2l6ZT0yPiZuYnNwOzwvZm9udD48L3R0Pg0KPGJyPjx0dD48Zm9udCBzaXplPTI+Jmd0OyBBIG5l dyBJbnRlcm5ldC1EcmFmdCBpcyBhdmFpbGFibGUgZnJvbSB0aGUgb24tbGluZQ0KSW50ZXJuZXQt RHJhZnRzIDxicj4NCiZndDsgZGlyZWN0b3JpZXMuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7ICZuYnNw OyAmbmJzcDtUaXRsZSAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgOiBYLjUwOSBJbnRlcm5l dCBQdWJsaWMNCktleSBJbmZyYXN0cnVjdHVyZSBPbmxpbmUgPGJyPg0KJmd0OyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJz cDtDZXJ0aWZpY2F0ZQ0KU3RhdHVzIFByb3RvY29sIC0gT0NTUDxicj4NCiZndDsgJm5ic3A7ICZu YnNwO0F1dGhvcihzKSAmbmJzcDsgJm5ic3A7IDogRC4gUGlua2FzPGJyPg0KJmd0OyAmbmJzcDsg Jm5ic3A7RmlsZW5hbWUgJm5ic3A7ICZuYnNwOyAmbmJzcDs6IGRyYWZ0LXBpbmthcy1yZmMyNTYw YmlzPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7UGFnZXMgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7IDogNDEgPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7RGF0ZSAmbmJzcDsgJm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7OiBBdWcuIDI3LCAyMDEyDQo8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDs8 YnI+DQomZ3Q7ICZuYnNwOyBUaGlzIGRvY3VtZW50IHNwZWNpZmllcyBhIHByb3RvY29sIHVzZWZ1 bCBpbiBkZXRlcm1pbmluZyB0aGUNCmN1cnJlbnQ8YnI+DQomZ3Q7ICZuYnNwOyBzdGF0dXMgb2Yg YSBkaWdpdGFsIGNlcnRpZmljYXRlIHdpdGhvdXQgcmVxdWlyaW5nIENSTHMuICZuYnNwO0FkZGl0 aW9uYWw8YnI+DQomZ3Q7ICZuYnNwOyBtZWNoYW5pc21zIGFkZHJlc3NpbmcgUEtJWCBvcGVyYXRp b25hbCByZXF1aXJlbWVudHMgYXJlIHNwZWNpZmllZA0KaW48YnI+DQomZ3Q7ICZuYnNwOyBzZXBh cmF0ZSBkb2N1bWVudHMuIFRoaXMgZG9jdW1lbnQgb2Jzb2xldGVzIFJGQyAyNTYwIGFuZCBSRkMN CjYyNzcuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IEEgVVJMIGZvciB0aGlzIEludGVybmV0LURyYWZ0 IGlzOjxicj4NCiZndDsgPC9mb250PjwvdHQ+PGEgaHJlZj0iaHR0cDovL3d3dy5pZXRmLm9yZy9p bnRlcm5ldC1kcmFmdHMvZHJhZnQtcGlua2FzLXJmYzI1NjBiaXMtMDAudHh0Ij48dHQ+PGZvbnQg c2l6ZT0yPmh0dHA6Ly93d3cuaWV0Zi5vcmcvaW50ZXJuZXQtZHJhZnRzL2RyYWZ0LXBpbmthcy1y ZmMyNTYwYmlzLTAwLnR4dDwvZm9udD48L3R0PjwvYT48dHQ+PGZvbnQgc2l6ZT0yPjxicj4NCiZn dDsgPGJyPg0KJmd0OyBJbnRlcm5ldC1EcmFmdHMgYXJlIGFsc28gYXZhaWxhYmxlIGJ5IGFub255 bW91cyBGVFAgYXQ6PGJyPg0KJmd0OyA8L2ZvbnQ+PC90dD48YSBocmVmPSJmdHA6Ly9mdHAuaWV0 Zi5vcmcvaW50ZXJuZXQtZHJhZnRzLyI+PHR0Pjxmb250IHNpemU9Mj5mdHA6Ly9mdHAuaWV0Zi5v cmcvaW50ZXJuZXQtZHJhZnRzLzwvZm9udD48L3R0PjwvYT48dHQ+PGZvbnQgc2l6ZT0yPjxicj4N CiZndDsgPGJyPg0KJmd0OyBCZWxvdyBpcyB0aGUgZGF0YSB3aGljaCB3aWxsIGVuYWJsZSBhIE1J TUUgY29tcGxpYW50IG1haWwgcmVhZGVyIDxicj4NCiZndDsgaW1wbGVtZW50YXRpb24gdG8gYXV0 b21hdGljYWxseSByZXRyaWV2ZSB0aGUgQVNDSUkgdmVyc2lvbiBvZiB0aGUNCkludGVybmV0LURy YWZ0Ljxicj4NCiZndDsgPGJyPg0KJmd0OyAmbHQ7PC9mb250PjwvdHQ+PGEgaHJlZj0iZnRwOi8v ZnRwLmlldGYub3JnL2ludGVybmV0LWRyYWZ0cy9kcmFmdC1waW5rYXMtcmZjMjU2MGJpcyI+PHR0 Pjxmb250IHNpemU9Mj5mdHA6Ly9mdHAuaWV0Zi5vcmcvaW50ZXJuZXQtZHJhZnRzL2RyYWZ0LXBp bmthcy1yZmMyNTYwYmlzPC9mb250PjwvdHQ+PC9hPjx0dD48Zm9udCBzaXplPTI+Jmd0Ow0KPGJy Pg0KJmd0OyA8YnI+DQomZ3Q7IEEgZmV3IGV4cGxhbmF0aW9ucyBhYm91dCB0aGUgY29udGVudCBv ZiBkcmFmdC1pZXRmLXBpbmthcy1yZmMyNTYwYmlzLTAwLg0KPGJyPg0KJmd0OyA8YnI+DQomZ3Q7 IDI1IGNoYW5nZXMgYXJlIGluZGljYXRlZCBhdCB0aGUgYmVnaW5uaW5nIG9mIHRoZSBkb2N1bWVu dC4gPGJyPg0KJmd0OyBJIHdpbGwgb25seSBtZW50aW9uIGEgZmV3IG9mIHRoZW06IDxicj4NCiZn dDsgPGJyPg0KJmd0OyBBIC0gRXhwbGFuYXRpb25zIHdlcmUgbWlzc2luZyB0byBkZXNjcmliZTog PGJyPg0KJmd0OyA8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJm5ic3A7LSB0aGUgYnVpbGRpbmcg b2YgYSByZXF1ZXN0IGJ5IGFuIE9DU1AgY2xpZW50LA0KPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7 ICZuYnNwOy0gdGhlIHByb2Nlc3Npbmcgb2YgYSByZXF1ZXN0IGJ5IGFuIE9DU1Agc2VydmVyLA0K PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZuYnNwOy0gdGhlIGJ1aWxkaW5nIG9mIGEgcmVzcG9u c2UgJm5ic3A7YnkgYW4gT0NTUA0Kc2VydmVyLCBhbmQgPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7 ICZuYnNwOy0gdGhlIHByb2Nlc3Npbmcgb2YgYSByZXNwb25zZSBieSBhbiBPQ1NQIGNsaWVudC4N Cjxicj4NCiZndDsgPGJyPg0KJmd0OyBUaGVzZSBleHBsYW5hdGlvbnMgaGF2ZSBiZWVuIGFkZGVk LiA8YnI+DQomZ3Q7IDxicj4NCiZndDsgQiAtIEV4cGxhbmF0aW9ucyB3ZXJlIG1pc3NpbmcgdG8g YWRkcmVzcyBDQSBrZXkgcm9sbG92ZXIgYW5kIE9DU1ANCjxicj4NCiZndDsgJm5ic3A7ICZuYnNw OyBrZXkgcm9sbG92ZXIuIFRoZXNlIGV4cGxhbmF0aW9ucyBoYXZlIGJlZW4gYWRkZWQuIDxicj4N CiZndDsgPGJyPg0KJmd0OyBDIC0gQmFja3dhcmRzIGNvbXBhdGliaWxpdHkgaGFzIGJlZW4gYWRk cmVzc2VkIGluIHRoZSBmb2xsb3dpbmcgd2F5Og0KPGJyPg0KJmd0OyA8YnI+DQomZ3Q7ICZuYnNw OyAmbmJzcDsgJm5ic3A7IDEpIEFuIE9DU1AgcmVzcG9uc2UgYnkgYmUgc2lnbmVkIGVpdGhlciBi eSBhDQpDQSBvciBieSBhbiBPQ1NQIFJlc3BvbmRlci48YnI+DQomZ3Q7IDxicj4NCiZndDsgJm5i c3A7ICZuYnNwOyAmbmJzcDsgMikgQmVzaWRlcyBsb2NhbCBjb25maWd1cmF0aW9uIHNldHRpbmdz IHdoaWNoDQphcmUgb3B0aW9uYWwsIDxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwO29ubHkgdHdvIGNhc2VzIFNIQUxMIGJlIHN1cHBvcnRlZA0KYnkgT0NTUCBjbGll bnRzIChhbmQgdGh1cyBPQ1NQIHNlcnZlcnMpIDxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmbmJz cDsgJm5ic3A7ICZuYnNwO2FzIGV4cGxhaW5lZCBiZWxvdy4gPGJyPg0KJmd0OyA8YnI+DQomZ3Q7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO1RoZSBrZXkgdG8gYmUgdXNlZCB0byB2ZXJpZnkg YSBTaW5nbGVSZXNwb25zZQ0KKHdpdGhpbiBhIDxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmbmJz cDsgJm5ic3A7QmFzaWNPQ1NQUmVzcG9uc2UpIE1VU1Q6IDxicj4NCiZndDsgPGJyPg0KJmd0OyAm bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICgxKSBlaXRoZXIgYmUgdGhlIHNhbWUg a2V5IHRoYXQNCnRoZSBvbmUgdXNlZCB0byBzaWduIHRoZSA8YnI+DQomZ3Q7ICZuYnNwOyAmbmJz cDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyB0YXJnZXQgY2VydGlmaWNhdGUs PGJyPg0KJmd0OyA8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsg KDIpIG9yIGJlIHRoZSBwdWJsaWMga2V5IGZyb20gYW4NCk9DU1AgcmVzcG9uZGVyIHRoYXQgaXMg PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJz cDsgY29udGFpbmVkIGluIGFuIE9DU1ANCmNlcnRpZmljYXRlIHRoYXQgaGFzIGJlZW4gc2lnbmVk IGJ5IHRoZSBzYW1lIGtleSA8L2ZvbnQ+PC90dD4NCjxicj48dHQ+PGZvbnQgc2l6ZT0yPiZndDsg Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7DQp0aGF0IHRo ZSBvbmUgdXNlZCB0byBzaWduIHRoZSB0YXJnZXQgY2VydGlmaWNhdGUuPGJyPg0KJmd0OyAmbmJz cDsgJm5ic3A7LiA8YnI+DQomZ3Q7IFRoZSB0ZXh0IGFsbG93cyB0byB1c2UgdGhlIHNhbWUgZ2Vu ZXJhbCBwcm9jZXNzaW5nIGZvciBhIGZldyBvdGhlcg0KPGJyPg0KJmd0OyBjYXNlcywgc2luY2Ug JnF1b3Q7ZXNjYXBlJnF1b3Q7ICZuYnNwO3NlbnRlbmNlcyBhcmUgcHJvdmlkZWQgdG8gYWxsb3cN CmZvciB0aGVzZSBvdGhlciBjYXNlcywgPGJyPg0KJmd0OyBidXQgb25seSB1c2luZyAmcXVvdDts b2NhbCBjb25maWd1cmF0aW9uIHNldHRpbmdzJnF1b3Q7LiA8YnI+DQomZ3Q7IDxicj4NCiZndDsg VGhpcyBtZWFucyBpbiBwYXJ0aWN1bGFyIHRoYXQgdGhlIElkZW50cnVzdCBtb2RlbCBtYXkgYmUg c3VwcG9ydGVkDQo8YnI+DQomZ3Q7IGFuZCB0aGF0IHRoZSAmcXVvdDtzZXZlcmFsIG1hbnkgY2Fz ZXMmcXVvdDsgdGhhdCB3ZXJlIGRldGFpbGVkIGluDQp0aGUgYW5uZXhlcyBmPGJyPg0KJmd0OyBm cm9tIGRyYWZ0IC0wNCBmcm9tIERhdmlkIENvb3BlciBhbmQgU3RlZmFuIFNhbnRlc3NvbiAoYnV0 IHdoaWNoIHdlcmUNCm5vdCA8YnI+DQomZ3Q7IGludGVyb3BlcmFibGUgd2l0aCBtb3N0IGN1cnJl bnQgaW1wbGVtZW50YXRpb25zKSBjYW4gdGFrZSBiZW5lZml0DQpvZiB0aGUgZGVzY3JpcHRpb24g PGJyPg0KJmd0OyBvZiB0aGUgZ2VuZXJhbCBwcm9jZXNzaW5nLiA8YnI+DQomZ3Q7IDxicj4NCiZn dDsgRGVuaXMgPC9mb250PjwvdHQ+DQo= --=_alternative 002BBCFBC1257A7C_=-- From SChokhani@cygnacom.com Mon Sep 17 07:02:53 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0891621F8460 for ; Mon, 17 Sep 2012 07:02:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wHwMfwepfOA2 for ; Mon, 17 Sep 2012 07:02:52 -0700 (PDT) Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id C5B9321F842F for ; Mon, 17 Sep 2012 07:02:51 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.80,435,1344225600"; d="scan'208";a="6241153" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge1.cygnacom.com with ESMTP; 17 Sep 2012 10:02:33 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Mon, 17 Sep 2012 10:02:33 -0400 From: Santosh Chokhani To: Piyush Jain , "mrex@sap.com" Date: Mon, 17 Sep 2012 10:02:32 -0400 Thread-Topic: [pkix] 5280bis, v-09 Thread-Index: AQHNj4Or+HT2+Q6yxkWqbc8OyTbOnJeHbVEAgAACYACAAu22YIADWl+wgAAIyCCAANeH0A== Message-ID: References: <20120913002444.80A791A216@ld9781.wdf.sap.corp> <20120913003314.483731A216@ld9781.wdf.sap.corp> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 14:02:53 -0000 Piyush, With the proposed 09 text, 5280 is well-aligned with X.509 and the CRL cann= ot be used. If the CRL entry extension is non-critical and the application can process = it fine. If the application cannot process it, the entry can be used. If the CRL entry extension is critical, the new text requires the applicati= on to be able to process both the related CRL extension and the entry exten= sion or reject the whole CRL since it cannot process the related CRL extens= ion. A simple case in point is indirect CRL and CRL issuer CRL entry extension .= Without understanding the extension, application should not use the seria= l number since it might apply to some other CA. Note that this is what sta= rted the whole discussion. -----Original Message----- From: Piyush Jain [mailto:piyush@identicate.com]=20 Sent: Sunday, September 16, 2012 9:09 PM To: Santosh Chokhani; mrex@sap.com Cc: pkix Subject: RE: [pkix] 5280bis, v-09 Santosh - I agree with you analysis. However, as Martin pointed out, this behavior is inconsistent with X.509. X.509 says that the certificated specified by the CRL entry should be treat= ed as revoked and it should not affect the processing of other entries in t= he CRL (unless there a CRL extension that dictates it). Given that many deployments treat 'unknown' status as being less severe tha= n 'revoked', 5280 introduces slight vulnerability by requiring the CRL to b= e rejected because of presence of an unknown critical CRL entry extension. -Piyush > -----Original Message----- > From: Santosh Chokhani [mailto:SChokhani@cygnacom.com] > Sent: Sunday, September 16, 2012 5:31 PM > To: Piyush Jain; mrex@sap.com > Cc: pkix > Subject: RE: [pkix] 5280bis, v-09 >=20 > Piyush, >=20 > In my analysis, 5280 is not saying that the certificate represented by=20 > the entry should be considered revoked. >=20 > The relying party can get another CRL or other revocation information=20 > or can make a decision it makes in the absence of revocation information. >=20 > -----Original Message----- > From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf=20 > Of Piyush Jain > Sent: Friday, September 14, 2012 5:33 PM > To: mrex@sap.com > Cc: pkix > Subject: Re: [pkix] 5280bis, v-09 >=20 > Please accept my apologies in advance if I did not understand it correctl= y. > Is there a difference between "UNREVOKED" and "UNDETERMINED"? I could=20 > not find a definition for these terms either in RFC 5280 or in=20 > correction draft 09. >=20 > I think you are referring to this text in the section 4 of draft-09 > "If a CRL contains a critical CRL entry extension that the application= cannot > process, then the application MUST NOT use that CRL to determine the > status of the certificate represented by the CRL entry." >=20 > I agree that in this case certificated being referred to, by that=20 > entry should be considered revoked. >=20 > > -----Original Message----- > > From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf=20 > > Of Martin Rex > > Sent: Wednesday, September 12, 2012 5:33 PM > > To: mrex@sap.com > > Cc: pkix > > Subject: Re: [pkix] 5280bis, v-09 > > > > correction: the proposed new text in -09 creates the potential=20 > > security problem here: > > > > Martin Rex wrote: > > > > > > two options, all combinations: > > > > > > (1) cert on CRL, CRL with NO unrecognized critical CRLEntryExten= sions > > > (2) cert NOT on CRL, CRL with NO unrecognized critical > CRLEntryExtensions > > > (3) cert on CRL, CRL with unrecognized critical CRLEntryExten= sion > > > (4) cert NOT on CRL, CRL with unrecognized critical CRLEntryExten= sion > > > > > > The newly proposed text (in -09): > > > > > > | If a CRL contains a critical CRL entry extension > > > | that the application cannot process, then the application MUST > > > | NOT use that CRL to determine the status of the certificate > > > | represented by the CRL entry. > > > > > > creates a significantly distinct behaviour for case (4) where=20 > > > X.509 and rfc5280 agreed on "UNDETERMINED", by redefining the=20 > > > result to be "UNREVOKED", and potentially creates a security=20 > > > problem, and a new, backwards-incompatible behaviour for a=20 > > > situation where > > > X.509 and rfc5280 used to agree. Still, the new text does not do=20 > > > anything about case (3), the only case where X.509 and rfc5280=20 > > > appear to differ (in a mostly marginal fashion). > > > > If the cert under examination is listed on the CRL, and happens to=20 > > be the entry with the unrecognized critical CRLEntryExtensions, then=20 > > the new text specifies that the cert status is "UNREVOKED", where=20 > > X.509 specifies "REVOKED" and rfc5280 specifies "UNDETERMINED". > > > > While the latter might be less efficent, it is at least not wrong. > > I believe the behaviour specified by the new text "UREVOKED" to be=20 > > dangerously wrong (and completely backwards incompatible). > > > > -Martin > > _______________________________________________ > > pkix mailing list > > pkix@ietf.org > > https://www.ietf.org/mailman/listinfo/pkix >=20 >=20 > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix From SChokhani@cygnacom.com Mon Sep 17 07:21:34 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 354A421F8602 for ; Mon, 17 Sep 2012 07:21:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BYeWKmVMklkr for ; Mon, 17 Sep 2012 07:21:32 -0700 (PDT) Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) by ietfa.amsl.com (Postfix) with ESMTP id 51C4C21F84B9 for ; Mon, 17 Sep 2012 07:21:32 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.80,435,1344225600"; d="scan'208,217";a="1961155" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge2.cygnacom.com with ESMTP; 17 Sep 2012 10:21:31 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Mon, 17 Sep 2012 10:21:31 -0400 From: Santosh Chokhani To: "denis.pinkas@bull.net" , "mrex@sap.com" , Piyush Jain Date: Mon, 17 Sep 2012 10:21:30 -0400 Thread-Topic: [pkix] 5280bis, v-09 Thread-Index: Ac2UqJS456L89xDwTIGlt5doI1V6yQANiULw Message-ID: References: <504E13CB.8080001@bbn.com> <20120913002444.80A791A216@ld9781.wdf.sap.corp> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AF362EC9B1scygexch7cygnac_" MIME-Version: 1.0 Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 14:21:34 -0000 --_000_B83745DA469B7847811819C5005244AF362EC9B1scygexch7cygnac_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 VGhpcyBhbHNvIHJlbGF0ZXMgdG8gZWFybGllciBwb3N0IEkgbWFkZSBpbiByZXNwb25zZSB0byBQ aXl1c2guDQoNCkkgYXNzdW1lIHdlIGFyZSBhZGRpbmcgdGhlIGZvbGxvd2luZyB0byB0aGUgUkZD IOKAnEEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQg b2YgYW4gZW50cnkgc2hhbGwgYWZmZWN0IG9ubHkgdGhlIGNlcnRpZmljYXRlIHNwZWNpZmllZCBp biB0aGF0IGVudHJ5LCB1bmxlc3MgdGhlcmUgaXMgYSByZWxhdGVkIGNyaXRpY2FsIGV4dGVuc2lv biBpbiB0aGUgY3JsRXh0ZW5zaW9ucyBmaWVsZCB0aGF0IGFkdmVydGlzZXMgYSBzcGVjaWFsIHRy ZWF0bWVudCBmb3IgaXQu4oCdICBJbiBvcmRlciB0byB1c2Ugc3VjaCBDUkwsIHRoZSByZWx5aW5n IHBhcnR5IG11c3QgYmUgYWJsZSB0byBwcm9jZXNzIGJvdGggdGhlIGNybEVudHJ5RXh0ZW5zaW9u IGFuZCB0aGUgcmVsYXRlZCBjcmxFeHRlbnNpb24u4oCdDQoNCkluIHRoYXQgY2FzZSwgSSBkbyBu b3QgbWluZCBhZGRpbmcgdGhlIGZvbGxvd2luZyB0byA1MjgwIChhIHNsaWdodCBtb2RpZmljYXRp b24gdG8gd2hhdCBEZW5pcyBoYXM6DQoNCklmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNz IGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQgb2Yg YW4gZW50cnkgdGhhdCBhZmZlY3RzIG9ubHkgdGhlIGNlcnRpZmljYXRlIHNwZWNpZmllZCBpbiB0 aGF0IGVudHJ5LCBhcyBpbmRpY2F0ZWQgYnkgdGhlIGFic2VuY2Ugb2YgYSByZWxhdGVkIGNyaXRp Y2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRXh0ZW5zaW9ucyBmaWVsZCwgdGhlbiB0aGUgY2VydGlm aWNhdGUgaWRlbnRpZmllZCBieSB0aGUgQ1JMIGVudHJ5IHNoYWxsIGJlIGNvbnNpZGVyZWQgcmV2 b2tlZC4NCg0KRnJvbTogcGtpeC1ib3VuY2VzQGlldGYub3JnIFttYWlsdG86cGtpeC1ib3VuY2Vz QGlldGYub3JnXSBPbiBCZWhhbGYgT2YgZGVuaXMucGlua2FzQGJ1bGwubmV0DQpTZW50OiBNb25k YXksIFNlcHRlbWJlciAxNywgMjAxMiAzOjQ3IEFNDQpUbzogbXJleEBzYXAuY29tOyBQaXl1c2gg SmFpbg0KQ2M6IHBraXgNClN1YmplY3Q6IFJlOiBbcGtpeF0gNTI4MGJpcywgdi0wOQ0KDQpHb29k IGNhdGNoIE1hcnRpbiwNCg0KWW91IGNhbWUgYmFjayBmcm9tIHZhY2F0aW9uIGp1c3QgaW4gdGlt ZS4gOi0pDQoNCkkgcHJvcG9zZSB0aGUgZm9sbG93aW5nOg0KDQpSZXBsYWNlOg0KDQp8ICAgICBJ ZiBhIENSTCBjb250YWlucyBhIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24NCnwgICAgIHRo YXQgdGhlIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzLCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBN VVNUDQp8ICAgICBOT1QgdXNlIHRoYXQgQ1JMIHRvIGRldGVybWluZSB0aGUgc3RhdHVzIG9mIGFu eSBjZXJ0aWZpY2F0ZXMuDQoNCndpdGgNCg0KfCAgICAgSWYgYSBDUkwgY29udGFpbnMgaW4gYSBD UkwgZW50cnkgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uDQp8ICAgICB0aGF0IHRoZSBh cHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVA0KfCAg ICAgY29uc2lkZXIgdGhhdCB0aGUgY2VydGlmaWNhdGUgaWRlbnRpZmllZCBpbiB0aGF0IENSTCBl bnRyeSBpcw0KfCAgICAgcmV2b2tlZC4NCg0KSW4gb3JkZXIgdG8gYW5zd2VyIHRvIFBpeXVzaCwg SSBiZWxpZXZlIHRoYXQg4oCcdW5rbm93buKAnSBzaG91bGQgYmUgdXNlZCByYXRoZXIgdGhhbiDi gJxyZXZva2Vk4oCdLg0KDQpUaGUgZm9sbG93aW5nIGV4YW1wbGUgaXMgYW4gaWxsdXN0cmF0aW9u Og0KDQpUaGUgc3RhdHVzIG9mIGEgZ2l2ZW4gY2VydGlmaWNhdGUgaXMgaW5kaWNhdGVkIGFzIOKA nGdvb2TigJ0sIGJ1dCB0aGVyZSBpcyBhIENSTCBlbnRyeSB3aXRoIGEgY3JpdGljYWwNCkNSTCBl bnRyeSBleHRlbnNpb24uIFRoaXMgZW50cnkgbWVhbnMgKGZvciB0aGUgYXBwbGljYXRpb25zIHdo aWNoIHVuZGVyc3RhbmQgaXQpIDoNCg0KIlRoZSBzdGF0dXMgd2hpY2ggaXMgdXN1YWxseSBvYnRh aW5lZCB1c2luZyBhIGRhdGFiYXNlIG9mIGlzc3VlZCBjZXJ0aWZpY2F0ZXMgaGFzIGJlZW4gb2J0 YWluZWQgZnJvbSBDUkxzLg0KSWYgeW91IHJlYWxseSBuZWVkIHRvIHRha2UgYSBkZWNpc2lvbiBu b3csIGl0IGlzIGF0IHlvdXIgb3duIHJpc2suIElmIHlvdSBjYW4gd2FpdCwgeW91IGhhZCBiZXR0 ZXIgdG8gdHJ5IGFnYWluIGxhdGVyIG9uIi4NCg0KWW91ciBuZXh0IHF1ZXN0aW9uIHdpbGwgY2Vy dGFpbmx5IGJlOiBzbyB3aHkgZG9u4oCZdCB5b3UgdXNlIHRoZSBwcm9wb3NlZCBjZXJ0SW5mbyBl eHRlbnNpb24gPw0KDQpGb3IgYXBwbGljYXRpb25zIHdoaWNoIGRvIG5vdCB1bmRlcnN0YW5kIHRo aXMgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiwgdGhlcmUgaXMgbm8gZGlmZmVyZW5jZS4N ClRoZXkgZ2V0IGFuICJ1bmtub3duIiBzdGF0dXMgaW4gYm90aCBjYXNlcy4NCg0KRm9yIGFwcGxp Y2F0aW9ucyB3aGljaCB1bmRlcnN0YW5kIHRoaXMgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lv biBpdCBwcm92aWRlcyBsZXNzIGJlbmVmaXRzDQp0aGFuIHRoZSBwcm9wb3NlZCBjZXJ0SW5mbyBl eHRlbnNpb24sIGJ1dCBpdCBtaWdodCBiZSBxdWlja2VyIHRvIGltcGxlbWVudCBhbmQgaXQgZW5m b3JjZXMgYSBwb2xpY3kuDQoNCkRlbmlzDQoNCg0KPiBJIG9iamVjdCB0byB0aGUgcHJvcG9zZWQg bmV3IHRleHQgYWJvdXQgQ1JMRW50cnlFeHRlbnNpb25zDQo+IGluIHRoZSBjbGFyaWZpY2F0aW9u IGRvY3VtZW50LCBiZWNhdXNlIGFzIGlzLCB3b3VsZCBzaWduaWZpY2FudGx5DQo+IHdvcnNlbiB0 aGUgZGlmZmVyZW5jZSBiZXR3ZWVuIFBLSVggYW5kIFguNTA5IGFuZCBtYWtlIHRoaW5ncw0KPiBj bGVhcmx5IGluY29tcGF0aWJsZSByYXRoZXIgdGhhbiBzbGlnaHRseSBsZXNzIGVmZmljaWVudC4N Cj4NCj4gSWYgYW55dGhpbmcsIHRoZSBnYXAgc2hvdWxkIGJlIHJlZHVjZWQsIGNvbXBhdGliaWxp dHkgYmV0d2Vlbg0KPiBQS0lYIGFuZCBYLjUwOSBpbXByb3ZlZCBhbmQgdGhlIG9yaWdpbmFsIGFy Y2hpdGVjdHVyZSBub3QgdmlvbGF0ZWQuDQo+DQo+IFBsZWFzZSByZWNhbGwgdGhlIG9yaWdpbmFs IE5PVEUgNCAmIDUgdGhhdCBJIHF1b3RlZCBmcm9tDQo+IElUVS1UIFJlYy4gWC41MDkgKDA4LzIw MDUpLCBTZWN0aW9uIDcuMywgdG9wIG9mIHBhZ2UgMTg6DQo+IChnZXQgdGhlbSBoZXJlIGh0dHA6 Ly93d3cuaXR1LmludC9yZWMvVC1SRUMtWC41MDkpOg0KPg0KPiBhPiAgTk9URSA0IC0tIFdoZW4g YW4gaW1wbGVtZW50YXRpb24gcHJvY2Vzc2luZyBhIGNlcnRpZmljYXRlIHJldm9jYXRpb24NCj4g YT4gIGxpc3QgZG9lcyBub3QgcmVjb2duaXplIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBj cmxFbnRyeUV4dGVuc2lvbnMNCj4gYT4gIGZpZWxkLCBpdCBzaGFsbCBhc3N1bWUgdGhhdCwgYXQg YSBtaW5pbXVtLCB0aGUgaWRlbnRpZmllZCBjZXJ0aWZpY2F0ZQ0KPiBhPiAgaGFzIGJlZW4gcmV2 b2tlZCBhbmQgaXMgbm8gbG9uZ2VyIHZhbGlkIGFuZCBwZXJmb3JtIGFkZGl0aW9uYWwgYWN0aW9u cw0KPiBhPiAgY29uY2VybmluZyB0aGF0IHJldm9rZWQgY2VydGlmaWNhdGUgYXMgZGljdGF0ZWQg YnkgbG9jYWwgcG9saWN5Lg0KPg0KPiBiPiAgV2hlbiBhbiBpbXBsZW1lbnRhdGlvbiBkb2VzIG5v dCByZWNvZ25pemUgYSBjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlDQo+IGI+ICBjcmxFeHRlbnNp b25zIGZpZWxkLCBpdCBzaGFsbCBhc3N1bWUgdGhhdCBpZGVudGlmaWVkIGNlcnRpZmljYXRlcw0K PiBiPiAgaGF2ZSBiZWVuIHJldm9rZWQgYW5kIGFyZSBubyBsb25nZXIgdmFsaWQuDQo+DQo+IGM+ ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG93ZXZlciBpbiB0 aGUgbGF0dGVyIGNhc2UsDQo+IGM+ICBzaW5jZSB0aGUgbGlzdCBtYXkgbm90IGJlIGNvbXBsZXRl LCBjZXJ0aWZpY2F0ZXMgdGhhdCBoYXZlIG5vdCBiZWVuDQo+IGM+ICBpZGVudGlmaWVkIGFzIGJl aW5nIHJldm9rZWQgY2Fubm90IGJlIGFzc3VtZWQgdG8gYmUgdmFsaWQuIEluIHRoaXMgY2FzZQ0K PiBjPiAgbG9jYWwgcG9saWN5IHNoYWxsIGRpY3RhdGUgdGhlIGFjdGlvbiB0byBiZSB0YWtlbi4g SW4gYW55IGNhc2UgbG9jYWwNCj4gYz4gIHBvbGljeSBtYXkgZGljdGF0ZSBhY3Rpb25zIGluIGFk ZGl0aW9uIHRvIGFuZC9vciBzdHJvbmdlciB0aGFuIHRob3NlDQo+IGM+ICBzdGF0ZWQgaW4gdGhp cyBTcGVjaWZpY2F0aW9uLg0KPg0KPiBkPiAgTk9URSA1IC0tIElmIGFuIGV4dGVuc2lvbiBhZmZl Y3RzIHRoZSB0cmVhdG1lbnQgb2YgdGhlIGxpc3QNCj4gZD4gIChlLmcuLCBtdWx0aXBsZSBDUkxz IG5lZWQgdG8gYmUgc2Nhbm5lZCB0byBleGFtaW5lIHRoZSBlbnRpcmUgbGlzdCBvZg0KPiBkPiAg cmV2b2tlZCBjZXJ0aWZpY2F0ZXMsIG9yIGFuIGVudHJ5IG1heSByZXByZXNlbnQgYSByYW5nZSBv ZiBjZXJ0aWZpY2F0ZXMpLA0KPiBkPiAgdGhlbiB0aGF0IGV4dGVuc2lvbiBzaGFsbCBiZSBpbmRp Y2F0ZWQgYXMgY3JpdGljYWwgaW4gdGhlIGNybEV4dGVuc2lvbnMNCj4gZD4gIGZpZWxkIHJlZ2Fy ZGxlc3Mgb2Ygd2hlcmUgdGhlIGV4dGVuc2lvbiBpcyBwbGFjZWQgaW4gdGhlIENSTC4NCj4NCj4g ZT4gIEFuIGV4dGVuc2lvbiBpbmRpY2F0ZWQgaW4gdGhlIGNybEVudHJ5RXh0ZW5zaW9ucyBmaWVs ZCBvZiBhbiBlbnRyeSBzaGFsbA0KPiBlPiAgYmUgcGxhY2VkIGluIHRoYXQgZW50cnkgYW5kIHNo YWxsIGFmZmVjdCBvbmx5IHRoZSBjZXJ0aWZpY2F0ZShzKQ0KPiBlPiAgc3BlY2lmaWVkIGluIHRo YXQgZW50cnkuDQo+DQo+DQo+IChJIGluc2VydGVkIGJsYW5rIGxpbmVzIGFib3ZlIGZvciB2aXN1 YWwgY2xhcml0eSBvZiB0aGUgWC41MDkgcmVxdWlyZW1lbnRzKS4NCj4NCj4gdHdvIG9wdGlvbnMs IGFsbCBjb21iaW5hdGlvbnM6DQo+DQo+ICAoMSkgY2VydCAgICAgb24gQ1JMLCBDUkwgd2l0aCBO TyB1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb25zDQo+ICAoMikgY2VydCBO T1Qgb24gQ1JMLCBDUkwgd2l0aCBOTyB1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRl bnNpb25zDQo+ICAoMykgY2VydCAgICAgb24gQ1JMLCBDUkwgd2l0aCAgICB1bnJlY29nbml6ZWQg Y3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb24NCj4gICg0KSBjZXJ0IE5PVCBvbiBDUkwsIENSTCB3 aXRoICAgIHVucmVjb2duaXplZCBjcml0aWNhbCBDUkxFbnRyeUV4dGVuc2lvbg0KPg0KPg0KPiBJ IGhvcGUgd2UgYWdyZWUgdGhhdCBYLjUwOSBhbmQgcmZjNTI4MCBhZ3JlZSBvbiAoMSkgYW5kICgy KSByZXN1bHRzDQo+IGZvciBDUkwgY2hlY2tpbmcuDQo+DQo+IHJmYzUyODAgY3VycmVudGx5IHNh eXMgdGhhdCBmb3IgKDMpKyg0KSB0aGUgZW50aXJlIENSTCBvdWdodCB0byBiZSBpZ25vcmVkDQo+ IGFuZCBvdGhlciBDUkxzIG5lZWQgdG8gYmUgZXZhbHVhdGVkICJVTkRFVEVSTUlORUQiDQo+DQo+ IFguNTA5IHNheXMgaW4gKGE+KSB0aGF0IGZvciAoMykgdGhlIHN0YXR1cyBvZiB0aGUgY2VydCBp cyBkZWZpbml0ZWx5IHJldm9rZWQNCj4gYW5kIHNheXMgaW4gKGM+KSBmb3IgKDQpIHRoYXQgdGhl IENSTCBvdWdodCB0byBiZSBpZ25vcmVkIGFuZCBvdGhlciBDUkxzIG5lZWQNCj4gdG8gYmUgZXZh bHVhdGVkICJVTkRFVEVSTUlORUQiDQo+DQo+IFdoaWxlIGJvdGggWC41MDkgYW5kIHJmYzUyODAg YWdyZWUgb24gdGhlIHJlc3VsdCBmb3IgKDQpICJVTkRFVEVSTUlORUQiLA0KPiB0aGVyZSBpcyB0 aGUgc3VwZXJmaWNpYWwgYXBwZWFyYW5jZSBvZiBhIGRpZmZlcmVuY2UgZm9yIGEgY2FzdWFsDQo+ IGltcGxlbWVudGVyIGZvciBjYXNlICgzKSBiZXR3ZWVuIFguNTA5ICJSRVZPS0VEIiBhbmQgcmZj NTI4MCAiVU5ERVRFUk1JTkVEIg0KPiB0aGF0IG1pZ2h0IGxlYWQgdG8gYSBzbGlnaHRseSBsZXNz IGVmZmljaWVudCBwcm9jZXNzaW5nIENSTHMuDQo+DQo+DQo+IFRoZSBuZXdseSBwcm9wb3NlZCB0 ZXh0IChpbiAtMDkpOg0KPg0KPiB8ICAgICBJZiBhIENSTCBjb250YWlucyBhIGNyaXRpY2FsIENS TCBlbnRyeSBleHRlbnNpb24NCj4gfCAgICAgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90IHBy b2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0aW9uIE1VU1QNCj4gfCAgICAgTk9UIHVzZSB0aGF0IENS TCB0byBkZXRlcm1pbmUgdGhlIHN0YXR1cyBvZiB0aGUgY2VydGlmaWNhdGUNCj4gfCAgICAgcmVw cmVzZW50ZWQgYnkgdGhlIENSTCBlbnRyeS4NCj4NCj4gY3JlYXRlcyBhIHNpZ25pZmljYW50bHkg ZGlzdGluY3QgYmVoYXZpb3VyIGZvciBjYXNlICg0KSB3aGVyZSBYLjUwOQ0KPiBhbmQgcmZjNTI4 MCBhZ3JlZWQgb24gIlVOREVURVJNSU5FRCIsIGJ5IHJlZGVmaW5pbmcgdGhlIHJlc3VsdCB0bw0K PiBiZSAiVU5SRVZPS0VEIiwgYW5kIHBvdGVudGlhbGx5IGNyZWF0ZXMgYSBzZWN1cml0eSBwcm9i bGVtLCBhbmQgYQ0KPiBuZXcsIGJhY2t3YXJkcy1pbmNvbXBhdGlibGUgYmVoYXZpb3VyIGZvciBh IHNpdHVhdGlvbiB3aGVyZQ0KPiBYLjUwOSBhbmQgcmZjNTI4MCB1c2VkIHRvIGFncmVlLiBTdGls bCwgdGhlIG5ldyB0ZXh0IGRvZXMgbm90IGRvDQo+IGFueXRoaW5nIGFib3V0IGNhc2UgKDMpLCB0 aGUgb25seSBjYXNlIHdoZXJlIFguNTA5IGFuZCByZmM1MjgwDQo+IGFwcGVhciB0byBkaWZmZXIg KGluIGEgbW9zdGx5IG1hcmdpbmFsIGZhc2hpb24pLg0KPg0KPg0KPiBBIGNhcmVmdWwgaW1wbGVt ZW50b3IsIHRoYXQgYW5hbHl6ZXMgTk9URSA0IGFuZCBOT1RFIDUgZnJvbSBYLjUwOQ0KPiBxdW90 ZWQgYWJvdmUgaW4gaXRzIGVudGlyZXR5LCBzaG91bGQgcmVhbGl6ZSB0aGF0IHRoZSBzaXR1YXRp b24NCj4gd2hlcmUgWC41MDkgYW5kIHJmYzUyODAgZGlmZmVyIGlzIG1hcmdpbmFsLg0KPg0KPiBU aGlzIGlzIGJlY2F1c2UgKGQ+KSBpbiBOT1RFIDUgYWJvdmUgcmVxdWlyZXMgKCJzaGFsbCIpIHRo YXQgYQ0KPiBjcml0aWNhbCBjcmxFbnRyeUV4dGVuc2lvbiB3aXRoIGEgc2VtYW50aWMgYmV5b25k ICJ0aGlzIGNlcnQgaXMNCj4gcmV2b2tlZCIpLCBNVVNUIGJlIGFkZGl0aW9uYWxseSBpbmNsdWRl ZCBhcyBhIGNyaXRpY2FsIGNybEV4dGVuc2lvbiwNCj4gd2l0aCB0aGUgZWZmZWN0IHRoYXQgdGhl IGVudGlyZSBDUkwgd2lsbCBoYXZlIHRvIGJlIGlnbm9yZWQgYnkNCj4gYm90aCBYLjUwOSBhbmQg cmZjNTI4MCBpbXBsZW1lbnRhdGlvbnMgdGhhdCBkbyBub3QgcmVjb2duaXplDQo+IHRoZSBjcmxF eHRlbnNpb24uICBTbyBhbGwgY29tcGxpYW50IENSTHMgd2l0aCBhICJmYW5jeSINCj4gdW5yZWNv Z25pemVkIGNyaXRpY2FsIGNybEVudHJ5RXh0ZW5zaW9uLCB0aGUgYWNjb21wYW55aW5nDQo+IHVu cmVjb2duaXplZCBjcml0aWNhbCBjcmxFeHRlbnNpb24gd2lsbCBjYXVzZSBYLjUwOSBhbmQgcmZj NTI4MA0KPiB0byBhZ3JlZSBvbiAoMykgdG8gcmV0dXJuICJVTkRFVEVSTUlORUQiIGFuZCByZXF1 aXJlIG90aGVyDQo+IENSTHMgdG8gYmUgY2hlY2tlZC4NCj4NCj4NCj4gLU1hcnRpbg0KPiBfX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXw0KPiBwa2l4IG1haWxp bmcgbGlzdA0KPiBwa2l4QGlldGYub3JnPG1haWx0bzpwa2l4QGlldGYub3JnPg0KPiBodHRwczov L3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL3BraXgNCg== --_000_B83745DA469B7847811819C5005244AF362EC9B1scygexch7cygnac_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+PGhlYWQ+PG1ldGEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVu dD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij48bWV0YSBuYW1lPUdlbmVyYXRvciBjb250ZW50 PSJNaWNyb3NvZnQgV29yZCAxNCAoZmlsdGVyZWQgbWVkaXVtKSI+PHN0eWxlPjwhLS0NCi8qIEZv bnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglw YW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5 OlRhaG9tYTsNCglwYW5vc2UtMToyIDExIDYgNCAzIDUgNCA0IDIgNDt9DQovKiBTdHlsZSBEZWZp bml0aW9ucyAqLw0KcC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1hbCwgZGl2Lk1zb05vcm1hbA0KCXtt YXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6MTIuMHB0Ow0K CWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4iLCJzZXJpZiI7fQ0KYTpsaW5rLCBzcGFuLk1z b0h5cGVybGluaw0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6Ymx1ZTsNCgl0ZXh0 LWRlY29yYXRpb246dW5kZXJsaW5lO30NCmE6dmlzaXRlZCwgc3Bhbi5Nc29IeXBlcmxpbmtGb2xs b3dlZA0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6cHVycGxlOw0KCXRleHQtZGVj b3JhdGlvbjp1bmRlcmxpbmU7fQ0KdHQNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWZvbnQt ZmFtaWx5OiJDb3VyaWVyIE5ldyI7fQ0Kc3Bhbi5FbWFpbFN0eWxlMTgNCgl7bXNvLXN0eWxlLXR5 cGU6cGVyc29uYWwtcmVwbHk7DQoJZm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiI7DQoJ Y29sb3I6IzFGNDk3RDsNCglmb250LXdlaWdodDpub3JtYWw7DQoJZm9udC1zdHlsZTpub3JtYWw7 DQoJdGV4dC1kZWNvcmF0aW9uOm5vbmUgbm9uZTt9DQouTXNvQ2hwRGVmYXVsdA0KCXttc28tc3R5 bGUtdHlwZTpleHBvcnQtb25seTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYi O30NCkBwYWdlIFdvcmRTZWN0aW9uMQ0KCXtzaXplOjguNWluIDExLjBpbjsNCgltYXJnaW46MS4w aW4gMS4waW4gMS4waW4gMS4waW47fQ0KZGl2LldvcmRTZWN0aW9uMQ0KCXtwYWdlOldvcmRTZWN0 aW9uMTt9DQotLT48L3N0eWxlPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVkZWZh dWx0cyB2OmV4dD0iZWRpdCIgc3BpZG1heD0iMTAyNiIgLz4NCjwveG1sPjwhW2VuZGlmXS0tPjwh LS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVsYXlvdXQgdjpleHQ9ImVkaXQiPg0KPG86 aWRtYXAgdjpleHQ9ImVkaXQiIGRhdGE9IjEiIC8+DQo8L286c2hhcGVsYXlvdXQ+PC94bWw+PCFb ZW5kaWZdLS0+PC9oZWFkPjxib2R5IGxhbmc9RU4tVVMgbGluaz1ibHVlIHZsaW5rPXB1cnBsZT48 ZGl2IGNsYXNzPVdvcmRTZWN0aW9uMT48cCBjbGFzcz1Nc29Ob3JtYWw+PHNwYW4gc3R5bGU9J2Zv bnQtc2l6ZTo5LjBwdDtmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0 OTdEJz5UaGlzIGFsc28gcmVsYXRlcyB0byBlYXJsaWVyIHBvc3QgSSBtYWRlIGluIHJlc3BvbnNl IHRvIFBpeXVzaC48bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxzcGFu IHN0eWxlPSdmb250LXNpemU6OS4wcHQ7Zm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiI7 Y29sb3I6IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05v cm1hbD48c3BhbiBzdHlsZT0nZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNh bnMtc2VyaWYiO2NvbG9yOiMxRjQ5N0QnPkkgYXNzdW1lIHdlIGFyZSBhZGRpbmcgdGhlIGZvbGxv d2luZyB0byB0aGUgUkZDIOKAnDwvc3Bhbj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjkuMHB0O2Zv bnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiO2NvbG9yOiMxMDQxNjAnPkEgY3JpdGljYWwg ZXh0ZW5zaW9uIGluIHRoZSA8Yj5jcmxFbnRyeUV4dGVuc2lvbnM8L2I+IGZpZWxkIG9mIGFuIGVu dHJ5IHNoYWxsIGFmZmVjdCBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBl bnRyeSwgdW5sZXNzIHRoZXJlIGlzIGEgcmVsYXRlZCBjcml0aWNhbCBleHRlbnNpb24gaW4gdGhl IDxiPmNybEV4dGVuc2lvbnM8L2I+IGZpZWxkIHRoYXQgYWR2ZXJ0aXNlcyBhIHNwZWNpYWwgdHJl YXRtZW50IGZvciBpdC7igJ0mbmJzcDsgSW4gb3JkZXIgdG8gdXNlIHN1Y2ggQ1JMLCB0aGUgcmVs eWluZyBwYXJ0eSBtdXN0IGJlIGFibGUgdG8gcHJvY2VzcyBib3RoIHRoZSA8Yj5jcmxFbnRyeUV4 dGVuc2lvbiA8L2I+YW5kIHRoZSByZWxhdGVkIDxiPmNybEV4dGVuc2lvbi7igJ08bzpwPjwvbzpw PjwvYj48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48Yj48c3BhbiBzdHlsZT0nZm9udC1z aXplOjkuMHB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiO2NvbG9yOiMxMDQxNjAn PjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvYj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxzcGFu IHN0eWxlPSdmb250LXNpemU6OS4wcHQ7Zm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiI7 Y29sb3I6IzEwNDE2MCc+SW4gdGhhdCBjYXNlLCBJIGRvIG5vdCBtaW5kIGFkZGluZyB0aGUgZm9s bG93aW5nIHRvIDUyODAgKGEgc2xpZ2h0IG1vZGlmaWNhdGlvbiB0byB3aGF0IERlbmlzIGhhczo8 bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxzcGFuIHN0eWxlPSdmb250 LXNpemU6OS4wcHQ7Zm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiI7Y29sb3I6IzEwNDE2 MCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48c3BhbiBz dHlsZT0nZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiO2Nv bG9yOiMxMDQxNjAnPklmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEgY3JpdGljYWwg ZXh0ZW5zaW9uIGluIHRoZSA8Yj5jcmxFbnRyeUV4dGVuc2lvbnM8L2I+IGZpZWxkIG9mIGFuIGVu dHJ5IHRoYXQgYWZmZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBl bnRyeSwgYXMgaW5kaWNhdGVkIGJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZCBjcml0aWNhbCBl eHRlbnNpb24gaW4gdGhlIDxiPmNybEV4dGVuc2lvbnM8L2I+IGZpZWxkLCB0aGVuIHRoZSBjZXJ0 aWZpY2F0ZSBpZGVudGlmaWVkIGJ5IHRoZSBDUkwgZW50cnkgc2hhbGwgYmUgY29uc2lkZXJlZCBy ZXZva2VkLjwvc3Bhbj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiJB cmlhbCIsInNhbnMtc2VyaWYiO2NvbG9yOiMxRjQ5N0QnPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD48 cCBjbGFzcz1Nc29Ob3JtYWw+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZTo5LjBwdDtmb250LWZhbWls eToiQXJpYWwiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz48bzpwPiZuYnNwOzwvbzpwPjwv c3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxiPjxzcGFuIHN0eWxlPSdmb250LXNpemU6MTAu MHB0O2ZvbnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIic+RnJvbTo8L3NwYW4+PC9iPjxz cGFuIHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNl cmlmIic+IHBraXgtYm91bmNlc0BpZXRmLm9yZyBbbWFpbHRvOnBraXgtYm91bmNlc0BpZXRmLm9y Z10gPGI+T24gQmVoYWxmIE9mIDwvYj5kZW5pcy5waW5rYXNAYnVsbC5uZXQ8YnI+PGI+U2VudDo8 L2I+IE1vbmRheSwgU2VwdGVtYmVyIDE3LCAyMDEyIDM6NDcgQU08YnI+PGI+VG86PC9iPiBtcmV4 QHNhcC5jb207IFBpeXVzaCBKYWluPGJyPjxiPkNjOjwvYj4gcGtpeDxicj48Yj5TdWJqZWN0Ojwv Yj4gUmU6IFtwa2l4XSA1MjgwYmlzLCB2LTA5PG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNz PU1zb05vcm1hbD48bzpwPiZuYnNwOzwvbzpwPjwvcD48cCBjbGFzcz1Nc29Ob3JtYWw+PHNwYW4g c3R5bGU9J2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiIn Pkdvb2QgY2F0Y2ggTWFydGluLDwvc3Bhbj4gPGJyPjxicj48c3BhbiBzdHlsZT0nZm9udC1zaXpl OjEwLjBwdDtmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIic+WW91IGNhbWUgYmFjayBm cm9tIHZhY2F0aW9uIGp1c3QgaW4gdGltZS4gOi0pPC9zcGFuPiA8YnI+PGJyPjxzcGFuIHN0eWxl PSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiJz5JIHBy b3Bvc2UgdGhlIGZvbGxvd2luZzo8L3NwYW4+IDxicj48YnI+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6 ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Iic+UmVwbGFjZTo8L3NwYW4+IDxicj48 YnI+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3 Iic+fCAmbmJzcDsgJm5ic3A7IElmIGEgQ1JMIGNvbnRhaW5zIGEgY3JpdGljYWwgQ1JMIGVudHJ5 IGV4dGVuc2lvbiA8L3NwYW4+PGJyPjxzcGFuIHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2ZvbnQt ZmFtaWx5OiJDb3VyaWVyIE5ldyInPnwgJm5ic3A7ICZuYnNwOyB0aGF0IHRoZSBhcHBsaWNhdGlv biBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVCA8L3NwYW4+PGJyPjxz cGFuIHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJDb3VyaWVyIE5ldyInPnwg Jm5ic3A7ICZuYnNwOyBOT1QgdXNlIHRoYXQgQ1JMIHRvIGRldGVybWluZSB0aGUgc3RhdHVzIG9m IGFueSBjZXJ0aWZpY2F0ZXMuPC9zcGFuPiA8YnI+PGJyPjxzcGFuIHN0eWxlPSdmb250LXNpemU6 MTAuMHB0O2ZvbnQtZmFtaWx5OiJDb3VyaWVyIE5ldyInPndpdGg8L3NwYW4+IDxicj48YnI+PHNw YW4gc3R5bGU9J2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Iic+fCAm bmJzcDsgJm5ic3A7IElmIGEgQ1JMIGNvbnRhaW5zIGluIGEgQ1JMIGVudHJ5IGEgY3JpdGljYWwg Q1JMIGVudHJ5IGV4dGVuc2lvbiA8L3NwYW4+PGJyPjxzcGFuIHN0eWxlPSdmb250LXNpemU6MTAu MHB0O2ZvbnQtZmFtaWx5OiJDb3VyaWVyIE5ldyInPnwgJm5ic3A7ICZuYnNwOyB0aGF0IHRoZSBh cHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVCA8L3Nw YW4+PGJyPjxzcGFuIHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJDb3VyaWVy IE5ldyInPnwgJm5ic3A7ICZuYnNwOyBjb25zaWRlciB0aGF0IHRoZSBjZXJ0aWZpY2F0ZSBpZGVu dGlmaWVkIGluIHRoYXQgQ1JMIGVudHJ5IGlzIDwvc3Bhbj48YnI+PHNwYW4gc3R5bGU9J2ZvbnQt c2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Iic+fCAmbmJzcDsgJm5ic3A7IHJl dm9rZWQuICZuYnNwOzwvc3Bhbj4gPGJyPjxicj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBw dDtmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIic+SW4gb3JkZXIgdG8gYW5zd2VyIHRv IFBpeXVzaCwgSSBiZWxpZXZlIHRoYXQg4oCcdW5rbm93buKAnSBzaG91bGQgYmUgdXNlZCByYXRo ZXIgdGhhbiDigJxyZXZva2Vk4oCdLjwvc3Bhbj4gPGJyPjxicj48c3BhbiBzdHlsZT0nZm9udC1z aXplOjEwLjBwdDtmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIic+VGhlIGZvbGxvd2lu ZyBleGFtcGxlIGlzIGFuIGlsbHVzdHJhdGlvbjo8L3NwYW4+IDxicj48YnI+PHNwYW4gc3R5bGU9 J2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiInPlRoZSBz dGF0dXMgb2YgYSBnaXZlbiBjZXJ0aWZpY2F0ZSBpcyBpbmRpY2F0ZWQgYXMg4oCcZ29vZOKAnSwg YnV0IHRoZXJlIGlzIGEgQ1JMIGVudHJ5IHdpdGggYSBjcml0aWNhbCA8YnI+Q1JMIGVudHJ5IGV4 dGVuc2lvbi4gVGhpcyBlbnRyeSBtZWFucyAoZm9yIHRoZSBhcHBsaWNhdGlvbnMgd2hpY2ggdW5k ZXJzdGFuZCBpdCkgOiA8L3NwYW4+PGJyPjxicj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBw dDtmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIic+JnF1b3Q7VGhlIHN0YXR1cyB3aGlj aCBpcyB1c3VhbGx5IG9idGFpbmVkIHVzaW5nIGEgZGF0YWJhc2Ugb2YgaXNzdWVkIGNlcnRpZmlj YXRlcyBoYXMgYmVlbiBvYnRhaW5lZCBmcm9tIENSTHMuIDxicj5JZiB5b3UgcmVhbGx5IG5lZWQg dG8gdGFrZSBhIGRlY2lzaW9uIG5vdywgaXQgaXMgYXQgeW91ciBvd24gcmlzay4gSWYgeW91IGNh biB3YWl0LCB5b3UgaGFkIGJldHRlciB0byB0cnkgYWdhaW4gbGF0ZXIgb24mcXVvdDsuPC9zcGFu PiA8YnI+PGJyPjxzcGFuIHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJBcmlh bCIsInNhbnMtc2VyaWYiJz5Zb3VyIG5leHQgcXVlc3Rpb24gd2lsbCBjZXJ0YWlubHkgYmU6IHNv IHdoeSBkb27igJl0IHlvdSB1c2UgdGhlIHByb3Bvc2VkIGNlcnRJbmZvIGV4dGVuc2lvbiA/PC9z cGFuPiA8YnI+PGJyPjxzcGFuIHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJB cmlhbCIsInNhbnMtc2VyaWYiJz5Gb3IgYXBwbGljYXRpb25zIHdoaWNoIGRvIG5vdCB1bmRlcnN0 YW5kIHRoaXMgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiwgdGhlcmUgaXMgbm8gZGlmZmVy ZW5jZS48L3NwYW4+IDxicj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWls eToiQXJpYWwiLCJzYW5zLXNlcmlmIic+VGhleSBnZXQgYW4gJnF1b3Q7dW5rbm93biZxdW90OyBz dGF0dXMgaW4gYm90aCBjYXNlcy48L3NwYW4+IDxicj48YnI+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6 ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiInPkZvciBhcHBsaWNhdGlv bnMgd2hpY2ggdW5kZXJzdGFuZCB0aGlzIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24gaXQg cHJvdmlkZXMgbGVzcyBiZW5lZml0cyA8YnI+dGhhbiB0aGUgcHJvcG9zZWQgY2VydEluZm8gZXh0 ZW5zaW9uLCBidXQgaXQgbWlnaHQgYmUgcXVpY2tlciB0byBpbXBsZW1lbnQgYW5kIGl0IGVuZm9y Y2VzIGEgcG9saWN5Ljwvc3Bhbj4gPGJyPjxicj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBw dDtmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIic+RGVuaXM8L3NwYW4+IDxicj48c3Bh biBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToiQ291cmllciBOZXciJz48YnI+ PGJyPjx0dD4mZ3Q7IEkgb2JqZWN0IHRvIHRoZSBwcm9wb3NlZCBuZXcgdGV4dCBhYm91dCBDUkxF bnRyeUV4dGVuc2lvbnM8L3R0Pjxicj48dHQ+Jmd0OyBpbiB0aGUgY2xhcmlmaWNhdGlvbiBkb2N1 bWVudCwgYmVjYXVzZSBhcyBpcywgd291bGQgc2lnbmlmaWNhbnRseTwvdHQ+PGJyPjx0dD4mZ3Q7 IHdvcnNlbiB0aGUgZGlmZmVyZW5jZSBiZXR3ZWVuIFBLSVggYW5kIFguNTA5IGFuZCBtYWtlIHRo aW5nczwvdHQ+PGJyPjx0dD4mZ3Q7IGNsZWFybHkgaW5jb21wYXRpYmxlIHJhdGhlciB0aGFuIHNs aWdodGx5IGxlc3MgZWZmaWNpZW50LjwvdHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJyPjx0dD4mZ3Q7 IElmIGFueXRoaW5nLCB0aGUgZ2FwIHNob3VsZCBiZSByZWR1Y2VkLCBjb21wYXRpYmlsaXR5IGJl dHdlZW48L3R0Pjxicj48dHQ+Jmd0OyBQS0lYIGFuZCBYLjUwOSBpbXByb3ZlZCBhbmQgdGhlIG9y aWdpbmFsIGFyY2hpdGVjdHVyZSBub3QgdmlvbGF0ZWQuPC90dD48YnI+PHR0PiZndDsgPC90dD48 YnI+PHR0PiZndDsgUGxlYXNlIHJlY2FsbCB0aGUgb3JpZ2luYWwgTk9URSA0ICZhbXA7IDUgdGhh dCBJIHF1b3RlZCBmcm9tPC90dD48YnI+PHR0PiZndDsgSVRVLVQgUmVjLiBYLjUwOSAoMDgvMjAw NSksIFNlY3Rpb24gNy4zLCB0b3Agb2YgcGFnZSAxODo8L3R0Pjxicj48dHQ+Jmd0OyAoZ2V0IHRo ZW0gaGVyZSA8L3R0Pjwvc3Bhbj48YSBocmVmPSJodHRwOi8vd3d3Lml0dS5pbnQvcmVjL1QtUkVD LVguNTA5Ij48dHQ+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMC4wcHQnPmh0dHA6Ly93d3cuaXR1 LmludC9yZWMvVC1SRUMtWC41MDk8L3NwYW4+PC90dD48L2E+PHR0PjxzcGFuIHN0eWxlPSdmb250 LXNpemU6MTAuMHB0Jz4pOjwvc3Bhbj48L3R0PjxzcGFuIHN0eWxlPSdmb250LXNpemU6MTAuMHB0 O2ZvbnQtZmFtaWx5OiJDb3VyaWVyIE5ldyInPjxicj48dHQ+Jmd0OyA8L3R0Pjxicj48dHQ+Jmd0 OyBhJmd0OyAmbmJzcDtOT1RFIDQgLS0gV2hlbiBhbiBpbXBsZW1lbnRhdGlvbiBwcm9jZXNzaW5n IGEgY2VydGlmaWNhdGUgcmV2b2NhdGlvbjwvdHQ+PGJyPjx0dD4mZ3Q7IGEmZ3Q7ICZuYnNwO2xp c3QgZG9lcyBub3QgcmVjb2duaXplIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxFbnRy eUV4dGVuc2lvbnM8L3R0Pjxicj48dHQ+Jmd0OyBhJmd0OyAmbmJzcDtmaWVsZCwgaXQgc2hhbGwg YXNzdW1lIHRoYXQsIGF0IGEgbWluaW11bSwgdGhlIGlkZW50aWZpZWQgY2VydGlmaWNhdGU8L3R0 Pjxicj48dHQ+Jmd0OyBhJmd0OyAmbmJzcDtoYXMgYmVlbiByZXZva2VkIGFuZCBpcyBubyBsb25n ZXIgdmFsaWQgYW5kIHBlcmZvcm0gYWRkaXRpb25hbCBhY3Rpb25zPC90dD48YnI+PHR0PiZndDsg YSZndDsgJm5ic3A7Y29uY2VybmluZyB0aGF0IHJldm9rZWQgY2VydGlmaWNhdGUgYXMgZGljdGF0 ZWQgYnkgbG9jYWwgcG9saWN5LjwvdHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJyPjx0dD4mZ3Q7IGIm Z3Q7ICZuYnNwO1doZW4gYW4gaW1wbGVtZW50YXRpb24gZG9lcyBub3QgcmVjb2duaXplIGEgY3Jp dGljYWwgZXh0ZW5zaW9uIGluIHRoZTwvdHQ+PGJyPjx0dD4mZ3Q7IGImZ3Q7ICZuYnNwO2NybEV4 dGVuc2lvbnMgZmllbGQsIGl0IHNoYWxsIGFzc3VtZSB0aGF0IGlkZW50aWZpZWQgY2VydGlmaWNh dGVzPC90dD48YnI+PHR0PiZndDsgYiZndDsgJm5ic3A7aGF2ZSBiZWVuIHJldm9rZWQgYW5kIGFy ZSBubyBsb25nZXIgdmFsaWQuPC90dD48YnI+PHR0PiZndDsgPC90dD48YnI+PHR0PiZndDsgYyZn dDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IEhvd2V2ZXIgaW4gdGhl IGxhdHRlciBjYXNlLDwvdHQ+PGJyPjx0dD4mZ3Q7IGMmZ3Q7ICZuYnNwO3NpbmNlIHRoZSBsaXN0 IG1heSBub3QgYmUgY29tcGxldGUsIGNlcnRpZmljYXRlcyB0aGF0IGhhdmUgbm90IGJlZW48L3R0 Pjxicj48dHQ+Jmd0OyBjJmd0OyAmbmJzcDtpZGVudGlmaWVkIGFzIGJlaW5nIHJldm9rZWQgY2Fu bm90IGJlIGFzc3VtZWQgdG8gYmUgdmFsaWQuIEluIHRoaXMgY2FzZTwvdHQ+PGJyPjx0dD4mZ3Q7 IGMmZ3Q7ICZuYnNwO2xvY2FsIHBvbGljeSBzaGFsbCBkaWN0YXRlIHRoZSBhY3Rpb24gdG8gYmUg dGFrZW4uIEluIGFueSBjYXNlIGxvY2FsPC90dD48YnI+PHR0PiZndDsgYyZndDsgJm5ic3A7cG9s aWN5IG1heSBkaWN0YXRlIGFjdGlvbnMgaW4gYWRkaXRpb24gdG8gYW5kL29yIHN0cm9uZ2VyIHRo YW4gdGhvc2U8L3R0Pjxicj48dHQ+Jmd0OyBjJmd0OyAmbmJzcDtzdGF0ZWQgaW4gdGhpcyBTcGVj aWZpY2F0aW9uLjwvdHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJyPjx0dD4mZ3Q7IGQmZ3Q7ICZuYnNw O05PVEUgNSAtLSBJZiBhbiBleHRlbnNpb24gYWZmZWN0cyB0aGUgdHJlYXRtZW50IG9mIHRoZSBs aXN0PC90dD48YnI+PHR0PiZndDsgZCZndDsgJm5ic3A7KGUuZy4sIG11bHRpcGxlIENSTHMgbmVl ZCB0byBiZSBzY2FubmVkIHRvIGV4YW1pbmUgdGhlIGVudGlyZSBsaXN0IG9mPC90dD48YnI+PHR0 PiZndDsgZCZndDsgJm5ic3A7cmV2b2tlZCBjZXJ0aWZpY2F0ZXMsIG9yIGFuIGVudHJ5IG1heSBy ZXByZXNlbnQgYSByYW5nZSBvZiBjZXJ0aWZpY2F0ZXMpLDwvdHQ+PGJyPjx0dD4mZ3Q7IGQmZ3Q7 ICZuYnNwO3RoZW4gdGhhdCBleHRlbnNpb24gc2hhbGwgYmUgaW5kaWNhdGVkIGFzIGNyaXRpY2Fs IGluIHRoZSBjcmxFeHRlbnNpb25zPC90dD48YnI+PHR0PiZndDsgZCZndDsgJm5ic3A7ZmllbGQg cmVnYXJkbGVzcyBvZiB3aGVyZSB0aGUgZXh0ZW5zaW9uIGlzIHBsYWNlZCBpbiB0aGUgQ1JMLjwv dHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJyPjx0dD4mZ3Q7IGUmZ3Q7ICZuYnNwO0FuIGV4dGVuc2lv biBpbmRpY2F0ZWQgaW4gdGhlIGNybEVudHJ5RXh0ZW5zaW9ucyBmaWVsZCBvZiBhbiBlbnRyeSBz aGFsbDwvdHQ+PGJyPjx0dD4mZ3Q7IGUmZ3Q7ICZuYnNwO2JlIHBsYWNlZCBpbiB0aGF0IGVudHJ5 IGFuZCBzaGFsbCBhZmZlY3Qgb25seSB0aGUgY2VydGlmaWNhdGUocyk8L3R0Pjxicj48dHQ+Jmd0 OyBlJmd0OyAmbmJzcDtzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeS48L3R0Pjxicj48dHQ+Jmd0OyA8 L3R0Pjxicj48dHQ+Jmd0OyA8L3R0Pjxicj48dHQ+Jmd0OyAoSSBpbnNlcnRlZCBibGFuayBsaW5l cyBhYm92ZSBmb3IgdmlzdWFsIGNsYXJpdHkgb2YgdGhlIFguNTA5IHJlcXVpcmVtZW50cykuPC90 dD48YnI+PHR0PiZndDsgPC90dD48YnI+PHR0PiZndDsgdHdvIG9wdGlvbnMsIGFsbCBjb21iaW5h dGlvbnM6PC90dD48YnI+PHR0PiZndDsgPC90dD48YnI+PHR0PiZndDsgJm5ic3A7KDEpIGNlcnQg Jm5ic3A7ICZuYnNwOyBvbiBDUkwsIENSTCB3aXRoIE5PIHVucmVjb2duaXplZCBjcml0aWNhbCBD UkxFbnRyeUV4dGVuc2lvbnMgPC90dD48YnI+PHR0PiZndDsgJm5ic3A7KDIpIGNlcnQgTk9UIG9u IENSTCwgQ1JMIHdpdGggTk8gdW5yZWNvZ25pemVkIGNyaXRpY2FsIENSTEVudHJ5RXh0ZW5zaW9u cyA8L3R0Pjxicj48dHQ+Jmd0OyAmbmJzcDsoMykgY2VydCAmbmJzcDsgJm5ic3A7IG9uIENSTCwg Q1JMIHdpdGggJm5ic3A7ICZuYnNwO3VucmVjb2duaXplZCBjcml0aWNhbCBDUkxFbnRyeUV4dGVu c2lvbjwvdHQ+PGJyPjx0dD4mZ3Q7ICZuYnNwOyg0KSBjZXJ0IE5PVCBvbiBDUkwsIENSTCB3aXRo ICZuYnNwOyAmbmJzcDt1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb248L3R0 Pjxicj48dHQ+Jmd0OyA8L3R0Pjxicj48dHQ+Jmd0OyA8L3R0Pjxicj48dHQ+Jmd0OyBJIGhvcGUg d2UgYWdyZWUgdGhhdCBYLjUwOSBhbmQgcmZjNTI4MCBhZ3JlZSBvbiAoMSkgYW5kICgyKSByZXN1 bHRzPC90dD48YnI+PHR0PiZndDsgZm9yIENSTCBjaGVja2luZy48L3R0Pjxicj48dHQ+Jmd0OyA8 L3R0Pjxicj48dHQ+Jmd0OyByZmM1MjgwIGN1cnJlbnRseSBzYXlzIHRoYXQgZm9yICgzKSsoNCkg dGhlIGVudGlyZSBDUkwgb3VnaHQgdG8gYmUgaWdub3JlZDwvdHQ+PGJyPjx0dD4mZ3Q7IGFuZCBv dGhlciBDUkxzIG5lZWQgdG8gYmUgZXZhbHVhdGVkICZxdW90O1VOREVURVJNSU5FRCZxdW90Ozwv dHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJyPjx0dD4mZ3Q7IFguNTA5IHNheXMgaW4gKGEmZ3Q7KSB0 aGF0IGZvciAoMykgdGhlIHN0YXR1cyBvZiB0aGUgY2VydCBpcyBkZWZpbml0ZWx5IHJldm9rZWQ8 L3R0Pjxicj48dHQ+Jmd0OyBhbmQgc2F5cyBpbiAoYyZndDspIGZvciAoNCkgdGhhdCB0aGUgQ1JM IG91Z2h0IHRvIGJlIGlnbm9yZWQgYW5kIG90aGVyIENSTHMgbmVlZDwvdHQ+PGJyPjx0dD4mZ3Q7 IHRvIGJlIGV2YWx1YXRlZCAmcXVvdDtVTkRFVEVSTUlORUQmcXVvdDs8L3R0Pjxicj48dHQ+Jmd0 OyA8L3R0Pjxicj48dHQ+Jmd0OyBXaGlsZSBib3RoIFguNTA5IGFuZCByZmM1MjgwIGFncmVlIG9u IHRoZSByZXN1bHQgZm9yICg0KSAmcXVvdDtVTkRFVEVSTUlORUQmcXVvdDssPC90dD48YnI+PHR0 PiZndDsgdGhlcmUgaXMgdGhlIHN1cGVyZmljaWFsIGFwcGVhcmFuY2Ugb2YgYSBkaWZmZXJlbmNl IGZvciBhIGNhc3VhbDwvdHQ+PGJyPjx0dD4mZ3Q7IGltcGxlbWVudGVyIGZvciBjYXNlICgzKSBi ZXR3ZWVuIFguNTA5ICZxdW90O1JFVk9LRUQmcXVvdDsgYW5kIHJmYzUyODAgJnF1b3Q7VU5ERVRF Uk1JTkVEJnF1b3Q7PC90dD48YnI+PHR0PiZndDsgdGhhdCBtaWdodCBsZWFkIHRvIGEgc2xpZ2h0 bHkgbGVzcyBlZmZpY2llbnQgcHJvY2Vzc2luZyBDUkxzLjwvdHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+ PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJyPjx0dD4mZ3Q7IFRoZSBuZXdseSBwcm9wb3NlZCB0ZXh0IChp biAtMDkpOjwvdHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJyPjx0dD4mZ3Q7IHwgJm5ic3A7ICZuYnNw OyBJZiBhIENSTCBjb250YWlucyBhIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb248L3R0Pjxi cj48dHQ+Jmd0OyB8ICZuYnNwOyAmbmJzcDsgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90IHBy b2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0aW9uIE1VU1Q8L3R0Pjxicj48dHQ+Jmd0OyB8ICZuYnNw OyAmbmJzcDsgTk9UIHVzZSB0aGF0IENSTCB0byBkZXRlcm1pbmUgdGhlIHN0YXR1cyBvZiB0aGUg Y2VydGlmaWNhdGU8L3R0Pjxicj48dHQ+Jmd0OyB8ICZuYnNwOyAmbmJzcDsgcmVwcmVzZW50ZWQg YnkgdGhlIENSTCBlbnRyeS4gJm5ic3A7PC90dD48YnI+PHR0PiZndDsgPC90dD48YnI+PHR0PiZn dDsgY3JlYXRlcyBhIHNpZ25pZmljYW50bHkgZGlzdGluY3QgYmVoYXZpb3VyIGZvciBjYXNlICg0 KSB3aGVyZSBYLjUwOTwvdHQ+PGJyPjx0dD4mZ3Q7IGFuZCByZmM1MjgwIGFncmVlZCBvbiAmcXVv dDtVTkRFVEVSTUlORUQmcXVvdDssIGJ5IHJlZGVmaW5pbmcgdGhlIHJlc3VsdCB0bzwvdHQ+PGJy Pjx0dD4mZ3Q7IGJlICZxdW90O1VOUkVWT0tFRCZxdW90OywgYW5kIHBvdGVudGlhbGx5IGNyZWF0 ZXMgYSBzZWN1cml0eSBwcm9ibGVtLCBhbmQgYTwvdHQ+PGJyPjx0dD4mZ3Q7IG5ldywgYmFja3dh cmRzLWluY29tcGF0aWJsZSBiZWhhdmlvdXIgZm9yIGEgc2l0dWF0aW9uIHdoZXJlPC90dD48YnI+ PHR0PiZndDsgWC41MDkgYW5kIHJmYzUyODAgdXNlZCB0byBhZ3JlZS4gU3RpbGwsIHRoZSBuZXcg dGV4dCBkb2VzIG5vdCBkbzwvdHQ+PGJyPjx0dD4mZ3Q7IGFueXRoaW5nIGFib3V0IGNhc2UgKDMp LCB0aGUgb25seSBjYXNlIHdoZXJlIFguNTA5IGFuZCByZmM1MjgwPC90dD48YnI+PHR0PiZndDsg YXBwZWFyIHRvIGRpZmZlciAoaW4gYSBtb3N0bHkgbWFyZ2luYWwgZmFzaGlvbikuPC90dD48YnI+ PHR0PiZndDsgPC90dD48YnI+PHR0PiZndDsgPC90dD48YnI+PHR0PiZndDsgQSBjYXJlZnVsIGlt cGxlbWVudG9yLCB0aGF0IGFuYWx5emVzIE5PVEUgNCBhbmQgTk9URSA1IGZyb20gWC41MDk8L3R0 Pjxicj48dHQ+Jmd0OyBxdW90ZWQgYWJvdmUgaW4gaXRzIGVudGlyZXR5LCBzaG91bGQgcmVhbGl6 ZSB0aGF0IHRoZSBzaXR1YXRpb248L3R0Pjxicj48dHQ+Jmd0OyB3aGVyZSBYLjUwOSBhbmQgcmZj NTI4MCBkaWZmZXIgaXMgbWFyZ2luYWwuPC90dD48YnI+PHR0PiZndDsgPC90dD48YnI+PHR0PiZn dDsgVGhpcyBpcyBiZWNhdXNlIChkJmd0OykgaW4gTk9URSA1IGFib3ZlIHJlcXVpcmVzICgmcXVv dDtzaGFsbCZxdW90OykgdGhhdCBhPC90dD48YnI+PHR0PiZndDsgY3JpdGljYWwgY3JsRW50cnlF eHRlbnNpb24gd2l0aCBhIHNlbWFudGljIGJleW9uZCAmcXVvdDt0aGlzIGNlcnQgaXM8L3R0Pjxi cj48dHQ+Jmd0OyByZXZva2VkJnF1b3Q7KSwgTVVTVCBiZSBhZGRpdGlvbmFsbHkgaW5jbHVkZWQg YXMgYSBjcml0aWNhbCBjcmxFeHRlbnNpb24sPC90dD48YnI+PHR0PiZndDsgd2l0aCB0aGUgZWZm ZWN0IHRoYXQgdGhlIGVudGlyZSBDUkwgd2lsbCBoYXZlIHRvIGJlIGlnbm9yZWQgYnk8L3R0Pjxi cj48dHQ+Jmd0OyBib3RoIFguNTA5IGFuZCByZmM1MjgwIGltcGxlbWVudGF0aW9ucyB0aGF0IGRv IG5vdCByZWNvZ25pemU8L3R0Pjxicj48dHQ+Jmd0OyB0aGUgY3JsRXh0ZW5zaW9uLiAmbmJzcDtT byBhbGwgY29tcGxpYW50IENSTHMgd2l0aCBhICZxdW90O2ZhbmN5JnF1b3Q7PC90dD48YnI+PHR0 PiZndDsgdW5yZWNvZ25pemVkIGNyaXRpY2FsIGNybEVudHJ5RXh0ZW5zaW9uLCB0aGUgYWNjb21w YW55aW5nPC90dD48YnI+PHR0PiZndDsgdW5yZWNvZ25pemVkIGNyaXRpY2FsIGNybEV4dGVuc2lv biB3aWxsIGNhdXNlIFguNTA5IGFuZCByZmM1MjgwPC90dD48YnI+PHR0PiZndDsgdG8gYWdyZWUg b24gKDMpIHRvIHJldHVybiAmcXVvdDtVTkRFVEVSTUlORUQmcXVvdDsgYW5kIHJlcXVpcmUgb3Ro ZXI8L3R0Pjxicj48dHQ+Jmd0OyBDUkxzIHRvIGJlIGNoZWNrZWQuIDwvdHQ+PGJyPjx0dD4mZ3Q7 IDwvdHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJyPjx0dD4mZ3Q7IC1NYXJ0aW48L3R0Pjxicj48dHQ+ Jmd0OyBfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXzwvdHQ+ PGJyPjx0dD4mZ3Q7IHBraXggbWFpbGluZyBsaXN0PC90dD48YnI+PHR0PiZndDsgPGEgaHJlZj0i bWFpbHRvOnBraXhAaWV0Zi5vcmciPnBraXhAaWV0Zi5vcmc8L2E+PC90dD48YnI+PHR0PiZndDsg PC90dD48L3NwYW4+PGEgaHJlZj0iaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5m by9wa2l4Ij48dHQ+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMC4wcHQnPmh0dHBzOi8vd3d3Lmll dGYub3JnL21haWxtYW4vbGlzdGluZm8vcGtpeDwvc3Bhbj48L3R0PjwvYT48bzpwPjwvbzpwPjwv cD48L2Rpdj48L2JvZHk+PC9odG1sPg== --_000_B83745DA469B7847811819C5005244AF362EC9B1scygexch7cygnac_-- From denis.pinkas@bull.net Mon Sep 17 07:42:17 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 763DB21F8686 for ; Mon, 17 Sep 2012 07:42:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.034 X-Spam-Level: X-Spam-Status: No, score=-2.034 tagged_above=-999 required=5 tests=[AWL=0.214, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BKP5Fv9sLNe8 for ; Mon, 17 Sep 2012 07:42:16 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 48B1521F8685 for ; Mon, 17 Sep 2012 07:42:15 -0700 (PDT) Received: from MSGC-003.bull.fr (MSGC-003.frcl.bull.fr [129.184.87.131]) by odin2.bull.net (Bull S.A.) with ESMTP id A580A41802F; Mon, 17 Sep 2012 16:42:14 +0200 (CEST) In-Reply-To: References: <504E13CB.8080001@bbn.com> <20120913002444.80A791A216@ld9781.wdf.sap.corp> To: Santosh Chokhani MIME-Version: 1.0 X-KeepSent: A116B356:8B30C690-C1257A7C:004F95C1; type=4; name=$KeepSent X-Mailer: Lotus Notes Release 8.5.2 August 10, 2010 From: denis.pinkas@bull.net Message-ID: Date: Mon, 17 Sep 2012 16:42:14 +0200 X-MIMETrack: Serialize by Router on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 17/09/2012 16:42:14, Serialize complete at 17/09/2012 16:42:14 Content-Type: multipart/alternative; boundary="=_alternative 0050B13FC1257A7C_=" Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 14:42:17 -0000 Message en plusieurs parties au format MIME --=_alternative 0050B13FC1257A7C_= Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: base64 U2FudG9zaCwgUGl5dXNoIGFuZCBNYXJ0aW4sDQoNClNvcnJ5LCBJIG1hZGUgYSBtaXN0YWtlIHdo ZW4gbWFraW5nIG15IHByb3Bvc2FsIHRoaXMgbW9ybmluZy4gDQpJIHdyb3RlICJyZXZva2VkIiwg YnV0IHdhcyBhZHZvY2F0aW5nICJ1bmtub3duIi4NCg0KQmFzZWQgb24gdGhlIGxhdGVzdCB0ZXh0 IHByb3Bvc2VkIGZyb20gU2FudG9zaCwgSSB3b3VsZCByYXRoZXIgcHJlZmVyOg0KDQpJZiBhbiBh cHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgDQpj cmxFbnRyeUV4dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkgDQp0aGF0IGFmZmVjdHMgb25seSB0 aGUgY2VydGlmaWNhdGUgc3BlY2lmaWVkIGluIHRoYXQgZW50cnksIGFzIGluZGljYXRlZCBieSAN CnRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZCANCmNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3Js RXh0ZW5zaW9ucyBmaWVsZCwgdGhlbiB0aGUgc3RhdHVzIG9mIA0KY2VydGlmaWNhdGUgaWRlbnRp ZmllZCBieSB0aGUgQ1JMIGVudHJ5IA0Kc2hhbGwgYmUgY29uc2lkZXJlZCB1bmtvd24uDQoNCmlu c3RlYWQgb2YgOg0KDQpJZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcyBhIGNyaXRpY2Fs IGV4dGVuc2lvbiBpbiB0aGUgDQpjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkg DQp0aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNhdGUgc3BlY2lmaWVkIGluIHRoYXQgZW50 cnksIGFzIGluZGljYXRlZCBieSANCnRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZCANCmNyaXRpY2Fs IGV4dGVuc2lvbiBpbiB0aGUgY3JsRXh0ZW5zaW9ucyBmaWVsZCwgdGhlbiB0aGUgY2VydGlmaWNh dGUgDQppZGVudGlmaWVkIGJ5IHRoZSBDUkwgZW50cnkgDQpzaGFsbCBiZSBjb25zaWRlcmVkIHJl dm9rZWQuDQoNCkRlbmlzDQoNCg0KDQoNCg0KDQoNCg0KDQpEZSA6ICAgIFNhbnRvc2ggQ2hva2hh bmkgPFNDaG9raGFuaUBjeWduYWNvbS5jb20+DQpBIDogICAgICJkZW5pcy5waW5rYXNAYnVsbC5u ZXQiIDxkZW5pcy5waW5rYXNAYnVsbC5uZXQ+LCAibXJleEBzYXAuY29tIiANCjxtcmV4QHNhcC5j b20+LCBQaXl1c2ggSmFpbiA8cGl5dXNoQGlkZW50aWNhdGUuY29tPg0KQ2MgOiAgICBwa2l4IDxw a2l4QGlldGYub3JnPg0KRGF0ZSA6ICAxNy8wOS8yMDEyIDE2OjIxDQpPYmpldCA6IFJFOiBbcGtp eF0gNTI4MGJpcywgdi0wOQ0KDQoNCg0KVGhpcyBhbHNvIHJlbGF0ZXMgdG8gZWFybGllciBwb3N0 IEkgbWFkZSBpbiByZXNwb25zZSB0byBQaXl1c2guDQogDQpJIGFzc3VtZSB3ZSBhcmUgYWRkaW5n IHRoZSBmb2xsb3dpbmcgdG8gdGhlIFJGQyDigJxBIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiANCnRo ZSBjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkgc2hhbGwgYWZmZWN0IG9ubHkg dGhlIGNlcnRpZmljYXRlIA0Kc3BlY2lmaWVkIGluIHRoYXQgZW50cnksIHVubGVzcyB0aGVyZSBp cyBhIHJlbGF0ZWQgY3JpdGljYWwgZXh0ZW5zaW9uIGluIA0KdGhlIGNybEV4dGVuc2lvbnMgZmll bGQgdGhhdCBhZHZlcnRpc2VzIGEgc3BlY2lhbCB0cmVhdG1lbnQgZm9yIGl0LuKAnSAgSW4gDQpv cmRlciB0byB1c2Ugc3VjaCBDUkwsIHRoZSByZWx5aW5nIHBhcnR5IG11c3QgYmUgYWJsZSB0byBw cm9jZXNzIGJvdGggdGhlIA0KY3JsRW50cnlFeHRlbnNpb24gYW5kIHRoZSByZWxhdGVkIGNybEV4 dGVuc2lvbi7igJ0NCiANCkluIHRoYXQgY2FzZSwgSSBkbyBub3QgbWluZCBhZGRpbmcgdGhlIGZv bGxvd2luZyB0byA1MjgwIChhIHNsaWdodCANCm1vZGlmaWNhdGlvbiB0byB3aGF0IERlbmlzIGhh czoNCiANCklmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEgY3JpdGljYWwgZXh0ZW5z aW9uIGluIHRoZSANCmNybEVudHJ5RXh0ZW5zaW9ucyBmaWVsZCBvZiBhbiBlbnRyeSB0aGF0IGFm ZmVjdHMgb25seSB0aGUgY2VydGlmaWNhdGUgDQpzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgYXMg aW5kaWNhdGVkIGJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZCBjcml0aWNhbCANCmV4dGVuc2lv biBpbiB0aGUgY3JsRXh0ZW5zaW9ucyBmaWVsZCwgdGhlbiB0aGUgY2VydGlmaWNhdGUgaWRlbnRp ZmllZCBieSANCnRoZSBDUkwgZW50cnkgc2hhbGwgYmUgY29uc2lkZXJlZCByZXZva2VkLg0KIA0K RnJvbTogcGtpeC1ib3VuY2VzQGlldGYub3JnIFttYWlsdG86cGtpeC1ib3VuY2VzQGlldGYub3Jn XSBPbiBCZWhhbGYgT2YgDQpkZW5pcy5waW5rYXNAYnVsbC5uZXQNClNlbnQ6IE1vbmRheSwgU2Vw dGVtYmVyIDE3LCAyMDEyIDM6NDcgQU0NClRvOiBtcmV4QHNhcC5jb207IFBpeXVzaCBKYWluDQpD YzogcGtpeA0KU3ViamVjdDogUmU6IFtwa2l4XSA1MjgwYmlzLCB2LTA5DQogDQpHb29kIGNhdGNo IE1hcnRpbiwgDQoNCllvdSBjYW1lIGJhY2sgZnJvbSB2YWNhdGlvbiBqdXN0IGluIHRpbWUuIDot KSANCg0KSSBwcm9wb3NlIHRoZSBmb2xsb3dpbmc6IA0KDQpSZXBsYWNlOiANCg0KfCAgICAgSWYg YSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uIA0KfCAgICAgdGhh dCB0aGUgYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0aW9uIE1V U1QgDQp8ICAgICBOT1QgdXNlIHRoYXQgQ1JMIHRvIGRldGVybWluZSB0aGUgc3RhdHVzIG9mIGFu eSBjZXJ0aWZpY2F0ZXMuIA0KDQp3aXRoIA0KDQp8ICAgICBJZiBhIENSTCBjb250YWlucyBpbiBh IENSTCBlbnRyeSBhIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24gDQp8ICAgICB0aGF0IHRo ZSBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVCAN CnwgICAgIGNvbnNpZGVyIHRoYXQgdGhlIGNlcnRpZmljYXRlIGlkZW50aWZpZWQgaW4gdGhhdCBD UkwgZW50cnkgaXMgDQp8ICAgICByZXZva2VkLiAgIA0KDQpJbiBvcmRlciB0byBhbnN3ZXIgdG8g UGl5dXNoLCBJIGJlbGlldmUgdGhhdCDigJx1bmtub3du4oCdIHNob3VsZCBiZSB1c2VkIA0KcmF0 aGVyIHRoYW4g4oCccmV2b2tlZOKAnS4gDQoNClRoZSBmb2xsb3dpbmcgZXhhbXBsZSBpcyBhbiBp bGx1c3RyYXRpb246IA0KDQpUaGUgc3RhdHVzIG9mIGEgZ2l2ZW4gY2VydGlmaWNhdGUgaXMgaW5k aWNhdGVkIGFzIOKAnGdvb2TigJ0sIGJ1dCB0aGVyZSBpcyBhIA0KQ1JMIGVudHJ5IHdpdGggYSBj cml0aWNhbCANCkNSTCBlbnRyeSBleHRlbnNpb24uIFRoaXMgZW50cnkgbWVhbnMgKGZvciB0aGUg YXBwbGljYXRpb25zIHdoaWNoIA0KdW5kZXJzdGFuZCBpdCkgOiANCg0KIlRoZSBzdGF0dXMgd2hp Y2ggaXMgdXN1YWxseSBvYnRhaW5lZCB1c2luZyBhIGRhdGFiYXNlIG9mIGlzc3VlZCANCmNlcnRp ZmljYXRlcyBoYXMgYmVlbiBvYnRhaW5lZCBmcm9tIENSTHMuIA0KSWYgeW91IHJlYWxseSBuZWVk IHRvIHRha2UgYSBkZWNpc2lvbiBub3csIGl0IGlzIGF0IHlvdXIgb3duIHJpc2suIElmIHlvdSAN CmNhbiB3YWl0LCB5b3UgaGFkIGJldHRlciB0byB0cnkgYWdhaW4gbGF0ZXIgb24iLiANCg0KWW91 ciBuZXh0IHF1ZXN0aW9uIHdpbGwgY2VydGFpbmx5IGJlOiBzbyB3aHkgZG9u4oCZdCB5b3UgdXNl IHRoZSBwcm9wb3NlZCANCmNlcnRJbmZvIGV4dGVuc2lvbiA/IA0KDQpGb3IgYXBwbGljYXRpb25z IHdoaWNoIGRvIG5vdCB1bmRlcnN0YW5kIHRoaXMgY3JpdGljYWwgQ1JMIGVudHJ5IA0KZXh0ZW5z aW9uLCB0aGVyZSBpcyBubyBkaWZmZXJlbmNlLiANClRoZXkgZ2V0IGFuICJ1bmtub3duIiBzdGF0 dXMgaW4gYm90aCBjYXNlcy4gDQoNCkZvciBhcHBsaWNhdGlvbnMgd2hpY2ggdW5kZXJzdGFuZCB0 aGlzIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24gaXQgDQpwcm92aWRlcyBsZXNzIGJlbmVm aXRzIA0KdGhhbiB0aGUgcHJvcG9zZWQgY2VydEluZm8gZXh0ZW5zaW9uLCBidXQgaXQgbWlnaHQg YmUgcXVpY2tlciB0byBpbXBsZW1lbnQgDQphbmQgaXQgZW5mb3JjZXMgYSBwb2xpY3kuIA0KDQpE ZW5pcyANCg0KDQo+IEkgb2JqZWN0IHRvIHRoZSBwcm9wb3NlZCBuZXcgdGV4dCBhYm91dCBDUkxF bnRyeUV4dGVuc2lvbnMNCj4gaW4gdGhlIGNsYXJpZmljYXRpb24gZG9jdW1lbnQsIGJlY2F1c2Ug YXMgaXMsIHdvdWxkIHNpZ25pZmljYW50bHkNCj4gd29yc2VuIHRoZSBkaWZmZXJlbmNlIGJldHdl ZW4gUEtJWCBhbmQgWC41MDkgYW5kIG1ha2UgdGhpbmdzDQo+IGNsZWFybHkgaW5jb21wYXRpYmxl IHJhdGhlciB0aGFuIHNsaWdodGx5IGxlc3MgZWZmaWNpZW50Lg0KPiANCj4gSWYgYW55dGhpbmcs IHRoZSBnYXAgc2hvdWxkIGJlIHJlZHVjZWQsIGNvbXBhdGliaWxpdHkgYmV0d2Vlbg0KPiBQS0lY IGFuZCBYLjUwOSBpbXByb3ZlZCBhbmQgdGhlIG9yaWdpbmFsIGFyY2hpdGVjdHVyZSBub3Qgdmlv bGF0ZWQuDQo+IA0KPiBQbGVhc2UgcmVjYWxsIHRoZSBvcmlnaW5hbCBOT1RFIDQgJiA1IHRoYXQg SSBxdW90ZWQgZnJvbQ0KPiBJVFUtVCBSZWMuIFguNTA5ICgwOC8yMDA1KSwgU2VjdGlvbiA3LjMs IHRvcCBvZiBwYWdlIDE4Og0KPiAoZ2V0IHRoZW0gaGVyZSBodHRwOi8vd3d3Lml0dS5pbnQvcmVj L1QtUkVDLVguNTA5KToNCj4gDQo+IGE+ICBOT1RFIDQgLS0gV2hlbiBhbiBpbXBsZW1lbnRhdGlv biBwcm9jZXNzaW5nIGEgY2VydGlmaWNhdGUgcmV2b2NhdGlvbg0KPiBhPiAgbGlzdCBkb2VzIG5v dCByZWNvZ25pemUgYSBjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlIA0KY3JsRW50cnlFeHRlbnNp b25zDQo+IGE+ICBmaWVsZCwgaXQgc2hhbGwgYXNzdW1lIHRoYXQsIGF0IGEgbWluaW11bSwgdGhl IGlkZW50aWZpZWQgDQpjZXJ0aWZpY2F0ZQ0KPiBhPiAgaGFzIGJlZW4gcmV2b2tlZCBhbmQgaXMg bm8gbG9uZ2VyIHZhbGlkIGFuZCBwZXJmb3JtIGFkZGl0aW9uYWwgDQphY3Rpb25zDQo+IGE+ICBj b25jZXJuaW5nIHRoYXQgcmV2b2tlZCBjZXJ0aWZpY2F0ZSBhcyBkaWN0YXRlZCBieSBsb2NhbCBw b2xpY3kuDQo+IA0KPiBiPiAgV2hlbiBhbiBpbXBsZW1lbnRhdGlvbiBkb2VzIG5vdCByZWNvZ25p emUgYSBjcml0aWNhbCBleHRlbnNpb24gaW4gDQp0aGUNCj4gYj4gIGNybEV4dGVuc2lvbnMgZmll bGQsIGl0IHNoYWxsIGFzc3VtZSB0aGF0IGlkZW50aWZpZWQgY2VydGlmaWNhdGVzDQo+IGI+ICBo YXZlIGJlZW4gcmV2b2tlZCBhbmQgYXJlIG5vIGxvbmdlciB2YWxpZC4NCj4gDQo+IGM+ICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG93ZXZlciBpbiB0aGUgbGF0 dGVyIA0KY2FzZSwNCj4gYz4gIHNpbmNlIHRoZSBsaXN0IG1heSBub3QgYmUgY29tcGxldGUsIGNl cnRpZmljYXRlcyB0aGF0IGhhdmUgbm90IGJlZW4NCj4gYz4gIGlkZW50aWZpZWQgYXMgYmVpbmcg cmV2b2tlZCBjYW5ub3QgYmUgYXNzdW1lZCB0byBiZSB2YWxpZC4gSW4gdGhpcyANCmNhc2UNCj4g Yz4gIGxvY2FsIHBvbGljeSBzaGFsbCBkaWN0YXRlIHRoZSBhY3Rpb24gdG8gYmUgdGFrZW4uIElu IGFueSBjYXNlIGxvY2FsDQo+IGM+ICBwb2xpY3kgbWF5IGRpY3RhdGUgYWN0aW9ucyBpbiBhZGRp dGlvbiB0byBhbmQvb3Igc3Ryb25nZXIgdGhhbiB0aG9zZQ0KPiBjPiAgc3RhdGVkIGluIHRoaXMg U3BlY2lmaWNhdGlvbi4NCj4gDQo+IGQ+ICBOT1RFIDUgLS0gSWYgYW4gZXh0ZW5zaW9uIGFmZmVj dHMgdGhlIHRyZWF0bWVudCBvZiB0aGUgbGlzdA0KPiBkPiAgKGUuZy4sIG11bHRpcGxlIENSTHMg bmVlZCB0byBiZSBzY2FubmVkIHRvIGV4YW1pbmUgdGhlIGVudGlyZSBsaXN0IA0Kb2YNCj4gZD4g IHJldm9rZWQgY2VydGlmaWNhdGVzLCBvciBhbiBlbnRyeSBtYXkgcmVwcmVzZW50IGEgcmFuZ2Ug b2YgDQpjZXJ0aWZpY2F0ZXMpLA0KPiBkPiAgdGhlbiB0aGF0IGV4dGVuc2lvbiBzaGFsbCBiZSBp bmRpY2F0ZWQgYXMgY3JpdGljYWwgaW4gdGhlIA0KY3JsRXh0ZW5zaW9ucw0KPiBkPiAgZmllbGQg cmVnYXJkbGVzcyBvZiB3aGVyZSB0aGUgZXh0ZW5zaW9uIGlzIHBsYWNlZCBpbiB0aGUgQ1JMLg0K PiANCj4gZT4gIEFuIGV4dGVuc2lvbiBpbmRpY2F0ZWQgaW4gdGhlIGNybEVudHJ5RXh0ZW5zaW9u cyBmaWVsZCBvZiBhbiBlbnRyeSANCnNoYWxsDQo+IGU+ICBiZSBwbGFjZWQgaW4gdGhhdCBlbnRy eSBhbmQgc2hhbGwgYWZmZWN0IG9ubHkgdGhlIGNlcnRpZmljYXRlKHMpDQo+IGU+ICBzcGVjaWZp ZWQgaW4gdGhhdCBlbnRyeS4NCj4gDQo+IA0KPiAoSSBpbnNlcnRlZCBibGFuayBsaW5lcyBhYm92 ZSBmb3IgdmlzdWFsIGNsYXJpdHkgb2YgdGhlIFguNTA5IA0KcmVxdWlyZW1lbnRzKS4NCj4gDQo+ IHR3byBvcHRpb25zLCBhbGwgY29tYmluYXRpb25zOg0KPiANCj4gICgxKSBjZXJ0ICAgICBvbiBD UkwsIENSTCB3aXRoIE5PIHVucmVjb2duaXplZCBjcml0aWNhbCANCkNSTEVudHJ5RXh0ZW5zaW9u cyANCj4gICgyKSBjZXJ0IE5PVCBvbiBDUkwsIENSTCB3aXRoIE5PIHVucmVjb2duaXplZCBjcml0 aWNhbCANCkNSTEVudHJ5RXh0ZW5zaW9ucyANCj4gICgzKSBjZXJ0ICAgICBvbiBDUkwsIENSTCB3 aXRoICAgIHVucmVjb2duaXplZCBjcml0aWNhbCANCkNSTEVudHJ5RXh0ZW5zaW9uDQo+ICAoNCkg Y2VydCBOT1Qgb24gQ1JMLCBDUkwgd2l0aCAgICB1bnJlY29nbml6ZWQgY3JpdGljYWwgDQpDUkxF bnRyeUV4dGVuc2lvbg0KPiANCj4gDQo+IEkgaG9wZSB3ZSBhZ3JlZSB0aGF0IFguNTA5IGFuZCBy ZmM1MjgwIGFncmVlIG9uICgxKSBhbmQgKDIpIHJlc3VsdHMNCj4gZm9yIENSTCBjaGVja2luZy4N Cj4gDQo+IHJmYzUyODAgY3VycmVudGx5IHNheXMgdGhhdCBmb3IgKDMpKyg0KSB0aGUgZW50aXJl IENSTCBvdWdodCB0byBiZSANCmlnbm9yZWQNCj4gYW5kIG90aGVyIENSTHMgbmVlZCB0byBiZSBl dmFsdWF0ZWQgIlVOREVURVJNSU5FRCINCj4gDQo+IFguNTA5IHNheXMgaW4gKGE+KSB0aGF0IGZv ciAoMykgdGhlIHN0YXR1cyBvZiB0aGUgY2VydCBpcyBkZWZpbml0ZWx5IA0KcmV2b2tlZA0KPiBh bmQgc2F5cyBpbiAoYz4pIGZvciAoNCkgdGhhdCB0aGUgQ1JMIG91Z2h0IHRvIGJlIGlnbm9yZWQg YW5kIG90aGVyIENSTHMgDQpuZWVkDQo+IHRvIGJlIGV2YWx1YXRlZCAiVU5ERVRFUk1JTkVEIg0K PiANCj4gV2hpbGUgYm90aCBYLjUwOSBhbmQgcmZjNTI4MCBhZ3JlZSBvbiB0aGUgcmVzdWx0IGZv ciAoNCkgIlVOREVURVJNSU5FRCIsDQo+IHRoZXJlIGlzIHRoZSBzdXBlcmZpY2lhbCBhcHBlYXJh bmNlIG9mIGEgZGlmZmVyZW5jZSBmb3IgYSBjYXN1YWwNCj4gaW1wbGVtZW50ZXIgZm9yIGNhc2Ug KDMpIGJldHdlZW4gWC41MDkgIlJFVk9LRUQiIGFuZCByZmM1MjgwIA0KIlVOREVURVJNSU5FRCIN Cj4gdGhhdCBtaWdodCBsZWFkIHRvIGEgc2xpZ2h0bHkgbGVzcyBlZmZpY2llbnQgcHJvY2Vzc2lu ZyBDUkxzLg0KPiANCj4gDQo+IFRoZSBuZXdseSBwcm9wb3NlZCB0ZXh0IChpbiAtMDkpOg0KPiAN Cj4gfCAgICAgSWYgYSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9u DQo+IHwgICAgIHRoYXQgdGhlIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzLCB0aGVuIHRoZSBh cHBsaWNhdGlvbiBNVVNUDQo+IHwgICAgIE5PVCB1c2UgdGhhdCBDUkwgdG8gZGV0ZXJtaW5lIHRo ZSBzdGF0dXMgb2YgdGhlIGNlcnRpZmljYXRlDQo+IHwgICAgIHJlcHJlc2VudGVkIGJ5IHRoZSBD UkwgZW50cnkuIA0KPiANCj4gY3JlYXRlcyBhIHNpZ25pZmljYW50bHkgZGlzdGluY3QgYmVoYXZp b3VyIGZvciBjYXNlICg0KSB3aGVyZSBYLjUwOQ0KPiBhbmQgcmZjNTI4MCBhZ3JlZWQgb24gIlVO REVURVJNSU5FRCIsIGJ5IHJlZGVmaW5pbmcgdGhlIHJlc3VsdCB0bw0KPiBiZSAiVU5SRVZPS0VE IiwgYW5kIHBvdGVudGlhbGx5IGNyZWF0ZXMgYSBzZWN1cml0eSBwcm9ibGVtLCBhbmQgYQ0KPiBu ZXcsIGJhY2t3YXJkcy1pbmNvbXBhdGlibGUgYmVoYXZpb3VyIGZvciBhIHNpdHVhdGlvbiB3aGVy ZQ0KPiBYLjUwOSBhbmQgcmZjNTI4MCB1c2VkIHRvIGFncmVlLiBTdGlsbCwgdGhlIG5ldyB0ZXh0 IGRvZXMgbm90IGRvDQo+IGFueXRoaW5nIGFib3V0IGNhc2UgKDMpLCB0aGUgb25seSBjYXNlIHdo ZXJlIFguNTA5IGFuZCByZmM1MjgwDQo+IGFwcGVhciB0byBkaWZmZXIgKGluIGEgbW9zdGx5IG1h cmdpbmFsIGZhc2hpb24pLg0KPiANCj4gDQo+IEEgY2FyZWZ1bCBpbXBsZW1lbnRvciwgdGhhdCBh bmFseXplcyBOT1RFIDQgYW5kIE5PVEUgNSBmcm9tIFguNTA5DQo+IHF1b3RlZCBhYm92ZSBpbiBp dHMgZW50aXJldHksIHNob3VsZCByZWFsaXplIHRoYXQgdGhlIHNpdHVhdGlvbg0KPiB3aGVyZSBY LjUwOSBhbmQgcmZjNTI4MCBkaWZmZXIgaXMgbWFyZ2luYWwuDQo+IA0KPiBUaGlzIGlzIGJlY2F1 c2UgKGQ+KSBpbiBOT1RFIDUgYWJvdmUgcmVxdWlyZXMgKCJzaGFsbCIpIHRoYXQgYQ0KPiBjcml0 aWNhbCBjcmxFbnRyeUV4dGVuc2lvbiB3aXRoIGEgc2VtYW50aWMgYmV5b25kICJ0aGlzIGNlcnQg aXMNCj4gcmV2b2tlZCIpLCBNVVNUIGJlIGFkZGl0aW9uYWxseSBpbmNsdWRlZCBhcyBhIGNyaXRp Y2FsIGNybEV4dGVuc2lvbiwNCj4gd2l0aCB0aGUgZWZmZWN0IHRoYXQgdGhlIGVudGlyZSBDUkwg d2lsbCBoYXZlIHRvIGJlIGlnbm9yZWQgYnkNCj4gYm90aCBYLjUwOSBhbmQgcmZjNTI4MCBpbXBs ZW1lbnRhdGlvbnMgdGhhdCBkbyBub3QgcmVjb2duaXplDQo+IHRoZSBjcmxFeHRlbnNpb24uICBT byBhbGwgY29tcGxpYW50IENSTHMgd2l0aCBhICJmYW5jeSINCj4gdW5yZWNvZ25pemVkIGNyaXRp Y2FsIGNybEVudHJ5RXh0ZW5zaW9uLCB0aGUgYWNjb21wYW55aW5nDQo+IHVucmVjb2duaXplZCBj cml0aWNhbCBjcmxFeHRlbnNpb24gd2lsbCBjYXVzZSBYLjUwOSBhbmQgcmZjNTI4MA0KPiB0byBh Z3JlZSBvbiAoMykgdG8gcmV0dXJuICJVTkRFVEVSTUlORUQiIGFuZCByZXF1aXJlIG90aGVyDQo+ IENSTHMgdG8gYmUgY2hlY2tlZC4gDQo+IA0KPiANCj4gLU1hcnRpbg0KPiBfX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXw0KPiBwa2l4IG1haWxpbmcgbGlzdA0K PiBwa2l4QGlldGYub3JnDQo+IGh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8v cGtpeA0KDQo= --=_alternative 0050B13FC1257A7C_= Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: base64 PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj5TYW50b3NoLCBQaXl1c2ggYW5kIE1hcnRpbiw8L2Zv bnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj5Tb3JyeSwgSSBtYWRlIGEg bWlzdGFrZSB3aGVuIG1ha2luZyBteSBwcm9wb3NhbA0KdGhpcyBtb3JuaW5nLiA8YnI+DQpJIHdy b3RlICZxdW90O3Jldm9rZWQmcXVvdDssIGJ1dCB3YXMgYWR2b2NhdGluZyAmcXVvdDt1bmtub3du JnF1b3Q7LjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTMgZmFjZT0ic2Fucy1zZXJpZiI+ QmFzZWQgb24gdGhlIGxhdGVzdCB0ZXh0IHByb3Bvc2VkIGZyb20NClNhbnRvc2gsIEkgd291bGQg cmF0aGVyIHByZWZlcjo8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0zIGNvbG9yPSMxMDQx NjAgZmFjZT0iQXJpYWwiPklmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzDQphIGNyaXRp Y2FsIGV4dGVuc2lvbiBpbiB0aGUgPGI+Y3JsRW50cnlFeHRlbnNpb25zPC9iPiBmaWVsZCBvZiBh biBlbnRyeQ0KPGJyPg0KdGhhdCBhZmZlY3RzIG9ubHkgdGhlIGNlcnRpZmljYXRlIHNwZWNpZmll ZCBpbiB0aGF0IGVudHJ5LCBhcyBpbmRpY2F0ZWQNCmJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRl ZCA8YnI+DQpjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlIDxiPmNybEV4dGVuc2lvbnM8L2I+IGZp ZWxkLCB0aGVuIHRoZSA8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGNvbG9yPSMwMDAwZTAgZmFjZT0iQXJp YWwiPjxiPnN0YXR1cw0Kb2Y8L2I+PC9mb250Pjxmb250IHNpemU9MyBjb2xvcj1ibHVlIGZhY2U9 IkFyaWFsIj48Yj4gPC9iPjwvZm9udD48Zm9udCBzaXplPTMgY29sb3I9IzEwNDE2MCBmYWNlPSJB cmlhbCI+Y2VydGlmaWNhdGUNCmlkZW50aWZpZWQgYnkgdGhlIENSTCBlbnRyeSA8YnI+DQpzaGFs bCBiZSBjb25zaWRlcmVkIDwvZm9udD48Zm9udCBzaXplPTMgY29sb3I9IzAwMjBjMiBmYWNlPSJB cmlhbCI+PGI+dW5rb3duPC9iPjwvZm9udD48Zm9udCBzaXplPTMgY29sb3I9IzEwNDE2MCBmYWNl PSJBcmlhbCI+LjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTMgZmFjZT0ic2Fucy1zZXJp ZiI+aW5zdGVhZCBvZiA6PC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MyBjb2xvcj0jMTA0 MTYwIGZhY2U9IkFyaWFsIj5JZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2Vzcw0KYSBjcml0 aWNhbCBleHRlbnNpb24gaW4gdGhlIDxiPmNybEVudHJ5RXh0ZW5zaW9uczwvYj4gZmllbGQgb2Yg YW4gZW50cnkNCjxicj4NCnRoYXQgYWZmZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZp ZWQgaW4gdGhhdCBlbnRyeSwgYXMgaW5kaWNhdGVkDQpieSB0aGUgYWJzZW5jZSBvZiBhIHJlbGF0 ZWQgPGJyPg0KY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSA8Yj5jcmxFeHRlbnNpb25zPC9iPiBm aWVsZCwgdGhlbiB0aGUgY2VydGlmaWNhdGUNCmlkZW50aWZpZWQgYnkgdGhlIENSTCBlbnRyeSA8 YnI+DQpzaGFsbCBiZSBjb25zaWRlcmVkIHJldm9rZWQuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250 IHNpemU9MyBmYWNlPSJzYW5zLXNlcmlmIj5EZW5pczwvZm9udD4NCjxicj4NCjxicj4NCjxicj4N Cjxicj4NCjxicj4NCjxicj4NCjxicj4NCjxicj4NCjxicj4NCjxicj48Zm9udCBzaXplPTEgY29s b3I9IzVmNWY1ZiBmYWNlPSJzYW5zLXNlcmlmIj5EZSA6ICZuYnNwOyAmbmJzcDsgJm5ic3A7DQom bmJzcDs8L2ZvbnQ+PGZvbnQgc2l6ZT0xIGZhY2U9InNhbnMtc2VyaWYiPlNhbnRvc2ggQ2hva2hh bmkgJmx0O1NDaG9raGFuaUBjeWduYWNvbS5jb20mZ3Q7PC9mb250Pg0KPGJyPjxmb250IHNpemU9 MSBjb2xvcj0jNWY1ZjVmIGZhY2U9InNhbnMtc2VyaWYiPkEgOiAmbmJzcDsgJm5ic3A7ICZuYnNw Ow0KJm5ic3A7PC9mb250Pjxmb250IHNpemU9MSBmYWNlPSJzYW5zLXNlcmlmIj4mcXVvdDtkZW5p cy5waW5rYXNAYnVsbC5uZXQmcXVvdDsNCiZsdDtkZW5pcy5waW5rYXNAYnVsbC5uZXQmZ3Q7LCAm cXVvdDttcmV4QHNhcC5jb20mcXVvdDsgJmx0O21yZXhAc2FwLmNvbSZndDssDQpQaXl1c2ggSmFp biAmbHQ7cGl5dXNoQGlkZW50aWNhdGUuY29tJmd0OzwvZm9udD4NCjxicj48Zm9udCBzaXplPTEg Y29sb3I9IzVmNWY1ZiBmYWNlPSJzYW5zLXNlcmlmIj5DYyZuYnNwOzogJm5ic3A7ICZuYnNwOw0K Jm5ic3A7ICZuYnNwOzwvZm9udD48Zm9udCBzaXplPTEgZmFjZT0ic2Fucy1zZXJpZiI+cGtpeCAm bHQ7cGtpeEBpZXRmLm9yZyZndDs8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0xIGNvbG9yPSM1ZjVm NWYgZmFjZT0ic2Fucy1zZXJpZiI+RGF0ZSA6ICZuYnNwOyAmbmJzcDsgJm5ic3A7DQombmJzcDs8 L2ZvbnQ+PGZvbnQgc2l6ZT0xIGZhY2U9InNhbnMtc2VyaWYiPjE3LzA5LzIwMTIgMTY6MjE8L2Zv bnQ+DQo8YnI+PGZvbnQgc2l6ZT0xIGNvbG9yPSM1ZjVmNWYgZmFjZT0ic2Fucy1zZXJpZiI+T2Jq ZXQgOiAmbmJzcDsgJm5ic3A7DQombmJzcDsgJm5ic3A7PC9mb250Pjxmb250IHNpemU9MSBmYWNl PSJzYW5zLXNlcmlmIj5SRTogW3BraXhdIDUyODBiaXMsDQp2LTA5PC9mb250Pg0KPGJyPg0KPGhy IG5vc2hhZGU+DQo8YnI+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0zIGNvbG9yPSMwMDQwODAgZmFj ZT0iQXJpYWwiPlRoaXMgYWxzbyByZWxhdGVzIHRvIGVhcmxpZXINCnBvc3QgSSBtYWRlIGluIHJl c3BvbnNlIHRvIFBpeXVzaC48L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGNvbG9yPSMwMDQwODAg ZmFjZT0iQXJpYWwiPiZuYnNwOzwvZm9udD4NCjxicj48Zm9udCBzaXplPTMgY29sb3I9IzAwNDA4 MCBmYWNlPSJBcmlhbCI+SSBhc3N1bWUgd2UgYXJlIGFkZGluZyB0aGUNCmZvbGxvd2luZyB0byB0 aGUgUkZDIOKAnDwvZm9udD48Zm9udCBzaXplPTMgY29sb3I9IzEwNDE2MCBmYWNlPSJBcmlhbCI+ QQ0KY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSA8Yj5jcmxFbnRyeUV4dGVuc2lvbnM8L2I+IGZp ZWxkIG9mIGFuIGVudHJ5IHNoYWxsDQphZmZlY3Qgb25seSB0aGUgY2VydGlmaWNhdGUgc3BlY2lm aWVkIGluIHRoYXQgZW50cnksIHVubGVzcyB0aGVyZSBpcyBhDQpyZWxhdGVkIGNyaXRpY2FsIGV4 dGVuc2lvbiBpbiB0aGUgPGI+Y3JsRXh0ZW5zaW9uczwvYj4gZmllbGQgdGhhdCBhZHZlcnRpc2Vz DQphIHNwZWNpYWwgdHJlYXRtZW50IGZvciBpdC7igJ0gJm5ic3A7SW4gb3JkZXIgdG8gdXNlIHN1 Y2ggQ1JMLCB0aGUgcmVseWluZw0KcGFydHkgbXVzdCBiZSBhYmxlIHRvIHByb2Nlc3MgYm90aCB0 aGUgPGI+Y3JsRW50cnlFeHRlbnNpb24gPC9iPmFuZCB0aGUNCnJlbGF0ZWQgPGI+Y3JsRXh0ZW5z aW9uLuKAnTwvYj48L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGNvbG9yPSMxMDQxNjAgZmFjZT0i QXJpYWwiPjxiPiZuYnNwOzwvYj48L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGNvbG9yPSMxMDQx NjAgZmFjZT0iQXJpYWwiPkluIHRoYXQgY2FzZSwgSSBkbyBub3QgbWluZA0KYWRkaW5nIHRoZSBm b2xsb3dpbmcgdG8gNTI4MCAoYSBzbGlnaHQgbW9kaWZpY2F0aW9uIHRvIHdoYXQgRGVuaXMgaGFz OjwvZm9udD4NCjxicj48Zm9udCBzaXplPTMgY29sb3I9IzEwNDE2MCBmYWNlPSJBcmlhbCI+Jm5i c3A7PC9mb250Pg0KPGJyPjxmb250IHNpemU9MyBjb2xvcj0jMTA0MTYwIGZhY2U9IkFyaWFsIj5J ZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2Vzcw0KYSBjcml0aWNhbCBleHRlbnNpb24gaW4g dGhlIDxiPmNybEVudHJ5RXh0ZW5zaW9uczwvYj4gZmllbGQgb2YgYW4gZW50cnkNCnRoYXQgYWZm ZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgYXMgaW5k aWNhdGVkDQpieSB0aGUgYWJzZW5jZSBvZiBhIHJlbGF0ZWQgY3JpdGljYWwgZXh0ZW5zaW9uIGlu IHRoZSA8Yj5jcmxFeHRlbnNpb25zPC9iPg0KZmllbGQsIHRoZW4gdGhlIGNlcnRpZmljYXRlIGlk ZW50aWZpZWQgYnkgdGhlIENSTCBlbnRyeSBzaGFsbCBiZSBjb25zaWRlcmVkDQpyZXZva2VkLjwv Zm9udD4NCjxicj48Zm9udCBzaXplPTMgY29sb3I9IzAwNDA4MCBmYWNlPSJBcmlhbCI+Jm5ic3A7 PC9mb250Pg0KPGJyPjxmb250IHNpemU9MyBmYWNlPSJUYWhvbWEiPjxiPkZyb206PC9iPiBwa2l4 LWJvdW5jZXNAaWV0Zi5vcmcgWzwvZm9udD48YSBocmVmPSJtYWlsdG86cGtpeC1ib3VuY2VzQGll dGYub3JnIj48Zm9udCBzaXplPTMgZmFjZT0iVGFob21hIj5tYWlsdG86cGtpeC1ib3VuY2VzQGll dGYub3JnPC9mb250PjwvYT48Zm9udCBzaXplPTMgZmFjZT0iVGFob21hIj5dDQo8Yj5PbiBCZWhh bGYgT2YgPC9iPmRlbmlzLnBpbmthc0BidWxsLm5ldDxiPjxicj4NClNlbnQ6PC9iPiBNb25kYXks IFNlcHRlbWJlciAxNywgMjAxMiAzOjQ3IEFNPGI+PGJyPg0KVG86PC9iPiBtcmV4QHNhcC5jb207 IFBpeXVzaCBKYWluPGI+PGJyPg0KQ2M6PC9iPiBwa2l4PGI+PGJyPg0KU3ViamVjdDo8L2I+IFJl OiBbcGtpeF0gNTI4MGJpcywgdi0wOTwvZm9udD4NCjxicj48Zm9udCBzaXplPTMgZmFjZT0iVGlt ZXMgTmV3IFJvbWFuIj4mbmJzcDs8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFs Ij5Hb29kIGNhdGNoIE1hcnRpbiw8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBS b21hbiI+DQo8YnI+DQo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj48YnI+DQpZb3Ug Y2FtZSBiYWNrIGZyb20gdmFjYXRpb24ganVzdCBpbiB0aW1lLiA6LSk8L2ZvbnQ+PGZvbnQgc2l6 ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+DQo8YnI+DQo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZh Y2U9IkFyaWFsIj48YnI+DQpJIHByb3Bvc2UgdGhlIGZvbGxvd2luZzo8L2ZvbnQ+PGZvbnQgc2l6 ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+IDxicj4NCjwvZm9udD48Zm9udCBzaXplPTMgZmFj ZT0iQ291cmllciBOZXciPjxicj4NClJlcGxhY2U6PC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJU aW1lcyBOZXcgUm9tYW4iPiA8YnI+DQo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IkNvdXJpZXIg TmV3Ij48YnI+DQp8ICZuYnNwOyAmbmJzcDsgSWYgYSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBD UkwgZW50cnkgZXh0ZW5zaW9uIDxicj4NCnwgJm5ic3A7ICZuYnNwOyB0aGF0IHRoZSBhcHBsaWNh dGlvbiBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24NCk1VU1QgPGJyPg0KfCAm bmJzcDsgJm5ic3A7IE5PVCB1c2UgdGhhdCBDUkwgdG8gZGV0ZXJtaW5lIHRoZSBzdGF0dXMgb2Yg YW55IGNlcnRpZmljYXRlcy48L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21h biI+DQo8YnI+DQo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IkNvdXJpZXIgTmV3Ij48YnI+DQp3 aXRoPC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcgUm9tYW4iPiA8YnI+DQo8L2Zv bnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IkNvdXJpZXIgTmV3Ij48YnI+DQp8ICZuYnNwOyAmbmJzcDsg SWYgYSBDUkwgY29udGFpbnMgaW4gYSBDUkwgZW50cnkgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0 ZW5zaW9uDQo8YnI+DQp8ICZuYnNwOyAmbmJzcDsgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90 IHByb2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0aW9uDQpNVVNUIDxicj4NCnwgJm5ic3A7ICZuYnNw OyBjb25zaWRlciB0aGF0IHRoZSBjZXJ0aWZpY2F0ZSBpZGVudGlmaWVkIGluIHRoYXQgQ1JMIGVu dHJ5DQppcyA8YnI+DQp8ICZuYnNwOyAmbmJzcDsgcmV2b2tlZC4gJm5ic3A7PC9mb250Pjxmb250 IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcgUm9tYW4iPg0KPGJyPg0KPC9mb250Pjxmb250IHNpemU9 MyBmYWNlPSJBcmlhbCI+PGJyPg0KSW4gb3JkZXIgdG8gYW5zd2VyIHRvIFBpeXVzaCwgSSBiZWxp ZXZlIHRoYXQg4oCcdW5rbm93buKAnSBzaG91bGQgYmUgdXNlZA0KcmF0aGVyIHRoYW4g4oCccmV2 b2tlZOKAnS48L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+IDxicj4N CjwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iQXJpYWwiPjxicj4NClRoZSBmb2xsb3dpbmcgZXhh bXBsZSBpcyBhbiBpbGx1c3RyYXRpb246PC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJUaW1lcyBO ZXcgUm9tYW4iPg0KPGJyPg0KPC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJBcmlhbCI+PGJyPg0K VGhlIHN0YXR1cyBvZiBhIGdpdmVuIGNlcnRpZmljYXRlIGlzIGluZGljYXRlZCBhcyDigJxnb29k 4oCdLCBidXQgdGhlcmUgaXMNCmEgQ1JMIGVudHJ5IHdpdGggYSBjcml0aWNhbCA8YnI+DQpDUkwg ZW50cnkgZXh0ZW5zaW9uLiBUaGlzIGVudHJ5IG1lYW5zIChmb3IgdGhlIGFwcGxpY2F0aW9ucyB3 aGljaCB1bmRlcnN0YW5kDQppdCkgOiA8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5l dyBSb21hbiI+PGJyPg0KPC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJBcmlhbCI+PGJyPg0KJnF1 b3Q7VGhlIHN0YXR1cyB3aGljaCBpcyB1c3VhbGx5IG9idGFpbmVkIHVzaW5nIGEgZGF0YWJhc2Ug b2YgaXNzdWVkIGNlcnRpZmljYXRlcw0KaGFzIGJlZW4gb2J0YWluZWQgZnJvbSBDUkxzLiA8YnI+ DQpJZiB5b3UgcmVhbGx5IG5lZWQgdG8gdGFrZSBhIGRlY2lzaW9uIG5vdywgaXQgaXMgYXQgeW91 ciBvd24gcmlzay4gSWYgeW91DQpjYW4gd2FpdCwgeW91IGhhZCBiZXR0ZXIgdG8gdHJ5IGFnYWlu IGxhdGVyIG9uJnF1b3Q7LjwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iVGltZXMgTmV3IFJvbWFu Ij4NCjxicj4NCjwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iQXJpYWwiPjxicj4NCllvdXIgbmV4 dCBxdWVzdGlvbiB3aWxsIGNlcnRhaW5seSBiZTogc28gd2h5IGRvbuKAmXQgeW91IHVzZSB0aGUg cHJvcG9zZWQNCmNlcnRJbmZvIGV4dGVuc2lvbiA/PC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJU aW1lcyBOZXcgUm9tYW4iPiA8YnI+DQo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj48 YnI+DQpGb3IgYXBwbGljYXRpb25zIHdoaWNoIGRvIG5vdCB1bmRlcnN0YW5kIHRoaXMgY3JpdGlj YWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiwNCnRoZXJlIGlzIG5vIGRpZmZlcmVuY2UuPC9mb250Pjxm b250IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcgUm9tYW4iPiA8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZh Y2U9IkFyaWFsIj48YnI+DQpUaGV5IGdldCBhbiAmcXVvdDt1bmtub3duJnF1b3Q7IHN0YXR1cyBp biBib3RoIGNhc2VzLjwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iVGltZXMgTmV3IFJvbWFuIj4N Cjxicj4NCjwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iQXJpYWwiPjxicj4NCkZvciBhcHBsaWNh dGlvbnMgd2hpY2ggdW5kZXJzdGFuZCB0aGlzIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24g aXQNCnByb3ZpZGVzIGxlc3MgYmVuZWZpdHMgPGJyPg0KdGhhbiB0aGUgcHJvcG9zZWQgY2VydElu Zm8gZXh0ZW5zaW9uLCBidXQgaXQgbWlnaHQgYmUgcXVpY2tlciB0byBpbXBsZW1lbnQNCmFuZCBp dCBlbmZvcmNlcyBhIHBvbGljeS48L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBS b21hbiI+IDxicj4NCjwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iQXJpYWwiPjxicj4NCkRlbmlz PC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcgUm9tYW4iPiA8L2ZvbnQ+PGZvbnQg c2l6ZT0zIGZhY2U9IkNvdXJpZXIgTmV3Ij48YnI+DQo8YnI+DQo8YnI+DQomZ3Q7IEkgb2JqZWN0 IHRvIHRoZSBwcm9wb3NlZCBuZXcgdGV4dCBhYm91dCBDUkxFbnRyeUV4dGVuc2lvbnM8YnI+DQom Z3Q7IGluIHRoZSBjbGFyaWZpY2F0aW9uIGRvY3VtZW50LCBiZWNhdXNlIGFzIGlzLCB3b3VsZCBz aWduaWZpY2FudGx5PGJyPg0KJmd0OyB3b3JzZW4gdGhlIGRpZmZlcmVuY2UgYmV0d2VlbiBQS0lY IGFuZCBYLjUwOSBhbmQgbWFrZSB0aGluZ3M8YnI+DQomZ3Q7IGNsZWFybHkgaW5jb21wYXRpYmxl IHJhdGhlciB0aGFuIHNsaWdodGx5IGxlc3MgZWZmaWNpZW50Ljxicj4NCiZndDsgPGJyPg0KJmd0 OyBJZiBhbnl0aGluZywgdGhlIGdhcCBzaG91bGQgYmUgcmVkdWNlZCwgY29tcGF0aWJpbGl0eSBi ZXR3ZWVuPGJyPg0KJmd0OyBQS0lYIGFuZCBYLjUwOSBpbXByb3ZlZCBhbmQgdGhlIG9yaWdpbmFs IGFyY2hpdGVjdHVyZSBub3QgdmlvbGF0ZWQuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFBsZWFzZSBy ZWNhbGwgdGhlIG9yaWdpbmFsIE5PVEUgNCAmYW1wOyA1IHRoYXQgSSBxdW90ZWQgZnJvbTxicj4N CiZndDsgSVRVLVQgUmVjLiBYLjUwOSAoMDgvMjAwNSksIFNlY3Rpb24gNy4zLCB0b3Agb2YgcGFn ZSAxODo8YnI+DQomZ3Q7IChnZXQgdGhlbSBoZXJlIDwvZm9udD48YSBocmVmPSJodHRwOi8vd3d3 Lml0dS5pbnQvcmVjL1QtUkVDLVguNTA5Ij48Zm9udCBzaXplPTMgY29sb3I9Ymx1ZSBmYWNlPSJD b3VyaWVyIE5ldyI+PHU+aHR0cDovL3d3dy5pdHUuaW50L3JlYy9ULVJFQy1YLjUwOTwvdT48L2Zv bnQ+PC9hPjxmb250IHNpemU9MyBmYWNlPSJDb3VyaWVyIE5ldyI+KTo8YnI+DQomZ3Q7IDxicj4N CiZndDsgYSZndDsgJm5ic3A7Tk9URSA0IC0tIFdoZW4gYW4gaW1wbGVtZW50YXRpb24gcHJvY2Vz c2luZyBhIGNlcnRpZmljYXRlDQpyZXZvY2F0aW9uPGJyPg0KJmd0OyBhJmd0OyAmbmJzcDtsaXN0 IGRvZXMgbm90IHJlY29nbml6ZSBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRW50cnlF eHRlbnNpb25zPGJyPg0KJmd0OyBhJmd0OyAmbmJzcDtmaWVsZCwgaXQgc2hhbGwgYXNzdW1lIHRo YXQsIGF0IGEgbWluaW11bSwgdGhlIGlkZW50aWZpZWQNCmNlcnRpZmljYXRlPGJyPg0KJmd0OyBh Jmd0OyAmbmJzcDtoYXMgYmVlbiByZXZva2VkIGFuZCBpcyBubyBsb25nZXIgdmFsaWQgYW5kIHBl cmZvcm0gYWRkaXRpb25hbA0KYWN0aW9uczxicj4NCiZndDsgYSZndDsgJm5ic3A7Y29uY2Vybmlu ZyB0aGF0IHJldm9rZWQgY2VydGlmaWNhdGUgYXMgZGljdGF0ZWQgYnkgbG9jYWwNCnBvbGljeS48 YnI+DQomZ3Q7IDxicj4NCiZndDsgYiZndDsgJm5ic3A7V2hlbiBhbiBpbXBsZW1lbnRhdGlvbiBk b2VzIG5vdCByZWNvZ25pemUgYSBjcml0aWNhbCBleHRlbnNpb24NCmluIHRoZTxicj4NCiZndDsg YiZndDsgJm5ic3A7Y3JsRXh0ZW5zaW9ucyBmaWVsZCwgaXQgc2hhbGwgYXNzdW1lIHRoYXQgaWRl bnRpZmllZCBjZXJ0aWZpY2F0ZXM8YnI+DQomZ3Q7IGImZ3Q7ICZuYnNwO2hhdmUgYmVlbiByZXZv a2VkIGFuZCBhcmUgbm8gbG9uZ2VyIHZhbGlkLjxicj4NCiZndDsgPGJyPg0KJmd0OyBjJmd0OyAm bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOw0KJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOw0KJm5ic3A7ICZuYnNwOyBIb3dldmVyIGluIHRoZSBs YXR0ZXIgY2FzZSw8YnI+DQomZ3Q7IGMmZ3Q7ICZuYnNwO3NpbmNlIHRoZSBsaXN0IG1heSBub3Qg YmUgY29tcGxldGUsIGNlcnRpZmljYXRlcyB0aGF0DQpoYXZlIG5vdCBiZWVuPGJyPg0KJmd0OyBj Jmd0OyAmbmJzcDtpZGVudGlmaWVkIGFzIGJlaW5nIHJldm9rZWQgY2Fubm90IGJlIGFzc3VtZWQg dG8gYmUgdmFsaWQuDQpJbiB0aGlzIGNhc2U8YnI+DQomZ3Q7IGMmZ3Q7ICZuYnNwO2xvY2FsIHBv bGljeSBzaGFsbCBkaWN0YXRlIHRoZSBhY3Rpb24gdG8gYmUgdGFrZW4uIEluDQphbnkgY2FzZSBs b2NhbDxicj4NCiZndDsgYyZndDsgJm5ic3A7cG9saWN5IG1heSBkaWN0YXRlIGFjdGlvbnMgaW4g YWRkaXRpb24gdG8gYW5kL29yIHN0cm9uZ2VyDQp0aGFuIHRob3NlPGJyPg0KJmd0OyBjJmd0OyAm bmJzcDtzdGF0ZWQgaW4gdGhpcyBTcGVjaWZpY2F0aW9uLjxicj4NCiZndDsgPGJyPg0KJmd0OyBk Jmd0OyAmbmJzcDtOT1RFIDUgLS0gSWYgYW4gZXh0ZW5zaW9uIGFmZmVjdHMgdGhlIHRyZWF0bWVu dCBvZiB0aGUNCmxpc3Q8YnI+DQomZ3Q7IGQmZ3Q7ICZuYnNwOyhlLmcuLCBtdWx0aXBsZSBDUkxz IG5lZWQgdG8gYmUgc2Nhbm5lZCB0byBleGFtaW5lIHRoZQ0KZW50aXJlIGxpc3Qgb2Y8YnI+DQom Z3Q7IGQmZ3Q7ICZuYnNwO3Jldm9rZWQgY2VydGlmaWNhdGVzLCBvciBhbiBlbnRyeSBtYXkgcmVw cmVzZW50IGEgcmFuZ2UNCm9mIGNlcnRpZmljYXRlcyksPGJyPg0KJmd0OyBkJmd0OyAmbmJzcDt0 aGVuIHRoYXQgZXh0ZW5zaW9uIHNoYWxsIGJlIGluZGljYXRlZCBhcyBjcml0aWNhbCBpbg0KdGhl IGNybEV4dGVuc2lvbnM8YnI+DQomZ3Q7IGQmZ3Q7ICZuYnNwO2ZpZWxkIHJlZ2FyZGxlc3Mgb2Yg d2hlcmUgdGhlIGV4dGVuc2lvbiBpcyBwbGFjZWQgaW4gdGhlDQpDUkwuPGJyPg0KJmd0OyA8YnI+ DQomZ3Q7IGUmZ3Q7ICZuYnNwO0FuIGV4dGVuc2lvbiBpbmRpY2F0ZWQgaW4gdGhlIGNybEVudHJ5 RXh0ZW5zaW9ucyBmaWVsZA0Kb2YgYW4gZW50cnkgc2hhbGw8YnI+DQomZ3Q7IGUmZ3Q7ICZuYnNw O2JlIHBsYWNlZCBpbiB0aGF0IGVudHJ5IGFuZCBzaGFsbCBhZmZlY3Qgb25seSB0aGUgY2VydGlm aWNhdGUocyk8YnI+DQomZ3Q7IGUmZ3Q7ICZuYnNwO3NwZWNpZmllZCBpbiB0aGF0IGVudHJ5Ljxi cj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IChJIGluc2VydGVkIGJsYW5rIGxpbmVzIGFi b3ZlIGZvciB2aXN1YWwgY2xhcml0eSBvZiB0aGUgWC41MDkgcmVxdWlyZW1lbnRzKS48YnI+DQom Z3Q7IDxicj4NCiZndDsgdHdvIG9wdGlvbnMsIGFsbCBjb21iaW5hdGlvbnM6PGJyPg0KJmd0OyA8 YnI+DQomZ3Q7ICZuYnNwOygxKSBjZXJ0ICZuYnNwOyAmbmJzcDsgb24gQ1JMLCBDUkwgd2l0aCBO TyB1bnJlY29nbml6ZWQgY3JpdGljYWwNCkNSTEVudHJ5RXh0ZW5zaW9ucyA8YnI+DQomZ3Q7ICZu YnNwOygyKSBjZXJ0IE5PVCBvbiBDUkwsIENSTCB3aXRoIE5PIHVucmVjb2duaXplZCBjcml0aWNh bCBDUkxFbnRyeUV4dGVuc2lvbnMNCjxicj4NCiZndDsgJm5ic3A7KDMpIGNlcnQgJm5ic3A7ICZu YnNwOyBvbiBDUkwsIENSTCB3aXRoICZuYnNwOyAmbmJzcDt1bnJlY29nbml6ZWQNCmNyaXRpY2Fs IENSTEVudHJ5RXh0ZW5zaW9uPGJyPg0KJmd0OyAmbmJzcDsoNCkgY2VydCBOT1Qgb24gQ1JMLCBD Ukwgd2l0aCAmbmJzcDsgJm5ic3A7dW5yZWNvZ25pemVkIGNyaXRpY2FsDQpDUkxFbnRyeUV4dGVu c2lvbjxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IEkgaG9wZSB3ZSBhZ3JlZSB0aGF0 IFguNTA5IGFuZCByZmM1MjgwIGFncmVlIG9uICgxKSBhbmQgKDIpIHJlc3VsdHM8YnI+DQomZ3Q7 IGZvciBDUkwgY2hlY2tpbmcuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IHJmYzUyODAgY3VycmVudGx5 IHNheXMgdGhhdCBmb3IgKDMpKyg0KSB0aGUgZW50aXJlIENSTCBvdWdodCB0byBiZQ0KaWdub3Jl ZDxicj4NCiZndDsgYW5kIG90aGVyIENSTHMgbmVlZCB0byBiZSBldmFsdWF0ZWQgJnF1b3Q7VU5E RVRFUk1JTkVEJnF1b3Q7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFguNTA5IHNheXMgaW4gKGEmZ3Q7 KSB0aGF0IGZvciAoMykgdGhlIHN0YXR1cyBvZiB0aGUgY2VydCBpcyBkZWZpbml0ZWx5DQpyZXZv a2VkPGJyPg0KJmd0OyBhbmQgc2F5cyBpbiAoYyZndDspIGZvciAoNCkgdGhhdCB0aGUgQ1JMIG91 Z2h0IHRvIGJlIGlnbm9yZWQgYW5kIG90aGVyDQpDUkxzIG5lZWQ8YnI+DQomZ3Q7IHRvIGJlIGV2 YWx1YXRlZCAmcXVvdDtVTkRFVEVSTUlORUQmcXVvdDs8YnI+DQomZ3Q7IDxicj4NCiZndDsgV2hp bGUgYm90aCBYLjUwOSBhbmQgcmZjNTI4MCBhZ3JlZSBvbiB0aGUgcmVzdWx0IGZvciAoNCkgJnF1 b3Q7VU5ERVRFUk1JTkVEJnF1b3Q7LDxicj4NCiZndDsgdGhlcmUgaXMgdGhlIHN1cGVyZmljaWFs IGFwcGVhcmFuY2Ugb2YgYSBkaWZmZXJlbmNlIGZvciBhIGNhc3VhbDxicj4NCiZndDsgaW1wbGVt ZW50ZXIgZm9yIGNhc2UgKDMpIGJldHdlZW4gWC41MDkgJnF1b3Q7UkVWT0tFRCZxdW90OyBhbmQg cmZjNTI4MA0KJnF1b3Q7VU5ERVRFUk1JTkVEJnF1b3Q7PGJyPg0KJmd0OyB0aGF0IG1pZ2h0IGxl YWQgdG8gYSBzbGlnaHRseSBsZXNzIGVmZmljaWVudCBwcm9jZXNzaW5nIENSTHMuPGJyPg0KJmd0 OyA8YnI+DQomZ3Q7IDxicj4NCiZndDsgVGhlIG5ld2x5IHByb3Bvc2VkIHRleHQgKGluIC0wOSk6 PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IHwgJm5ic3A7ICZuYnNwOyBJZiBhIENSTCBjb250YWlucyBh IGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb248YnI+DQomZ3Q7IHwgJm5ic3A7ICZuYnNwOyB0 aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24N Ck1VU1Q8YnI+DQomZ3Q7IHwgJm5ic3A7ICZuYnNwOyBOT1QgdXNlIHRoYXQgQ1JMIHRvIGRldGVy bWluZSB0aGUgc3RhdHVzIG9mIHRoZSBjZXJ0aWZpY2F0ZTxicj4NCiZndDsgfCAmbmJzcDsgJm5i c3A7IHJlcHJlc2VudGVkIGJ5IHRoZSBDUkwgZW50cnkuICZuYnNwOzxicj4NCiZndDsgPGJyPg0K Jmd0OyBjcmVhdGVzIGEgc2lnbmlmaWNhbnRseSBkaXN0aW5jdCBiZWhhdmlvdXIgZm9yIGNhc2Ug KDQpIHdoZXJlIFguNTA5PGJyPg0KJmd0OyBhbmQgcmZjNTI4MCBhZ3JlZWQgb24gJnF1b3Q7VU5E RVRFUk1JTkVEJnF1b3Q7LCBieSByZWRlZmluaW5nIHRoZQ0KcmVzdWx0IHRvPGJyPg0KJmd0OyBi ZSAmcXVvdDtVTlJFVk9LRUQmcXVvdDssIGFuZCBwb3RlbnRpYWxseSBjcmVhdGVzIGEgc2VjdXJp dHkgcHJvYmxlbSwNCmFuZCBhPGJyPg0KJmd0OyBuZXcsIGJhY2t3YXJkcy1pbmNvbXBhdGlibGUg YmVoYXZpb3VyIGZvciBhIHNpdHVhdGlvbiB3aGVyZTxicj4NCiZndDsgWC41MDkgYW5kIHJmYzUy ODAgdXNlZCB0byBhZ3JlZS4gU3RpbGwsIHRoZSBuZXcgdGV4dCBkb2VzIG5vdCBkbzxicj4NCiZn dDsgYW55dGhpbmcgYWJvdXQgY2FzZSAoMyksIHRoZSBvbmx5IGNhc2Ugd2hlcmUgWC41MDkgYW5k IHJmYzUyODA8YnI+DQomZ3Q7IGFwcGVhciB0byBkaWZmZXIgKGluIGEgbW9zdGx5IG1hcmdpbmFs IGZhc2hpb24pLjxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IEEgY2FyZWZ1bCBpbXBs ZW1lbnRvciwgdGhhdCBhbmFseXplcyBOT1RFIDQgYW5kIE5PVEUgNSBmcm9tIFguNTA5PGJyPg0K Jmd0OyBxdW90ZWQgYWJvdmUgaW4gaXRzIGVudGlyZXR5LCBzaG91bGQgcmVhbGl6ZSB0aGF0IHRo ZSBzaXR1YXRpb248YnI+DQomZ3Q7IHdoZXJlIFguNTA5IGFuZCByZmM1MjgwIGRpZmZlciBpcyBt YXJnaW5hbC48YnI+DQomZ3Q7IDxicj4NCiZndDsgVGhpcyBpcyBiZWNhdXNlIChkJmd0OykgaW4g Tk9URSA1IGFib3ZlIHJlcXVpcmVzICgmcXVvdDtzaGFsbCZxdW90OykNCnRoYXQgYTxicj4NCiZn dDsgY3JpdGljYWwgY3JsRW50cnlFeHRlbnNpb24gd2l0aCBhIHNlbWFudGljIGJleW9uZCAmcXVv dDt0aGlzIGNlcnQNCmlzPGJyPg0KJmd0OyByZXZva2VkJnF1b3Q7KSwgTVVTVCBiZSBhZGRpdGlv bmFsbHkgaW5jbHVkZWQgYXMgYSBjcml0aWNhbCBjcmxFeHRlbnNpb24sPGJyPg0KJmd0OyB3aXRo IHRoZSBlZmZlY3QgdGhhdCB0aGUgZW50aXJlIENSTCB3aWxsIGhhdmUgdG8gYmUgaWdub3JlZCBi eTxicj4NCiZndDsgYm90aCBYLjUwOSBhbmQgcmZjNTI4MCBpbXBsZW1lbnRhdGlvbnMgdGhhdCBk byBub3QgcmVjb2duaXplPGJyPg0KJmd0OyB0aGUgY3JsRXh0ZW5zaW9uLiAmbmJzcDtTbyBhbGwg Y29tcGxpYW50IENSTHMgd2l0aCBhICZxdW90O2ZhbmN5JnF1b3Q7PGJyPg0KJmd0OyB1bnJlY29n bml6ZWQgY3JpdGljYWwgY3JsRW50cnlFeHRlbnNpb24sIHRoZSBhY2NvbXBhbnlpbmc8YnI+DQom Z3Q7IHVucmVjb2duaXplZCBjcml0aWNhbCBjcmxFeHRlbnNpb24gd2lsbCBjYXVzZSBYLjUwOSBh bmQgcmZjNTI4MDxicj4NCiZndDsgdG8gYWdyZWUgb24gKDMpIHRvIHJldHVybiAmcXVvdDtVTkRF VEVSTUlORUQmcXVvdDsgYW5kIHJlcXVpcmUgb3RoZXI8YnI+DQomZ3Q7IENSTHMgdG8gYmUgY2hl Y2tlZC4gPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IDxicj4NCiZndDsgLU1hcnRpbjxicj4NCiZndDsg X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188YnI+DQomZ3Q7 IHBraXggbWFpbGluZyBsaXN0PGJyPg0KJmd0OyA8L2ZvbnQ+PGEgaHJlZj1tYWlsdG86cGtpeEBp ZXRmLm9yZz48Zm9udCBzaXplPTMgY29sb3I9Ymx1ZSBmYWNlPSJDb3VyaWVyIE5ldyI+PHU+cGtp eEBpZXRmLm9yZzwvdT48L2ZvbnQ+PC9hPjxmb250IHNpemU9MyBmYWNlPSJDb3VyaWVyIE5ldyI+ PGJyPg0KJmd0OyA8L2ZvbnQ+PGEgaHJlZj1odHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xp c3RpbmZvL3BraXg+PGZvbnQgc2l6ZT0zIGNvbG9yPWJsdWUgZmFjZT0iQ291cmllciBOZXciPjx1 Pmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vcGtpeDwvdT48L2ZvbnQ+PC9h Pg0KPGJyPg0K --=_alternative 0050B13FC1257A7C_=-- From SChokhani@cygnacom.com Mon Sep 17 07:48:26 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4FF621F8644 for ; Mon, 17 Sep 2012 07:48:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DUlBCG-1Zlsq for ; Mon, 17 Sep 2012 07:48:25 -0700 (PDT) Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id 8BD3321F869D for ; Mon, 17 Sep 2012 07:48:24 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.80,435,1344225600"; d="scan'208,217";a="6241900" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge1.cygnacom.com with ESMTP; 17 Sep 2012 10:48:21 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Mon, 17 Sep 2012 10:48:21 -0400 From: Santosh Chokhani To: "denis.pinkas@bull.net" Date: Mon, 17 Sep 2012 10:48:20 -0400 Thread-Topic: [pkix] 5280bis, v-09 Thread-Index: Ac2U4qKMucnACW79SDS5snubBBxasgAALMOg Message-ID: References: <504E13CB.8080001@bbn.com> <20120913002444.80A791A216@ld9781.wdf.sap.corp> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AF362EC9B3scygexch7cygnac_" MIME-Version: 1.0 Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 14:48:26 -0000 --_000_B83745DA469B7847811819C5005244AF362EC9B3scygexch7cygnac_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 RGVuaXMsDQoNCkkgYW0gb2sgZWl0aGVyIHdheSAodW5rbm93biBvciByZXZva2VkKS4gIFRoZSBn b29kIHRoaW5nIGlzIHRoYXQgdGhlIG5ldyB0ZXh0IHNwZWxscyB0aGluZ3Mgb3V0IG1vcmUgY2xl YXJseS4NCg0KRnJvbTogZGVuaXMucGlua2FzQGJ1bGwubmV0IFttYWlsdG86ZGVuaXMucGlua2Fz QGJ1bGwubmV0XQ0KU2VudDogTW9uZGF5LCBTZXB0ZW1iZXIgMTcsIDIwMTIgMTA6NDIgQU0NClRv OiBTYW50b3NoIENob2toYW5pDQpDYzogbXJleEBzYXAuY29tOyBQaXl1c2ggSmFpbjsgcGtpeA0K U3ViamVjdDogUkU6IFtwa2l4XSA1MjgwYmlzLCB2LTA5DQoNClNhbnRvc2gsIFBpeXVzaCBhbmQg TWFydGluLA0KDQpTb3JyeSwgSSBtYWRlIGEgbWlzdGFrZSB3aGVuIG1ha2luZyBteSBwcm9wb3Nh bCB0aGlzIG1vcm5pbmcuDQpJIHdyb3RlICJyZXZva2VkIiwgYnV0IHdhcyBhZHZvY2F0aW5nICJ1 bmtub3duIi4NCg0KQmFzZWQgb24gdGhlIGxhdGVzdCB0ZXh0IHByb3Bvc2VkIGZyb20gU2FudG9z aCwgSSB3b3VsZCByYXRoZXIgcHJlZmVyOg0KDQpJZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJv Y2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRW50cnlFeHRlbnNpb25zIGZpZWxk IG9mIGFuIGVudHJ5DQp0aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNhdGUgc3BlY2lmaWVk IGluIHRoYXQgZW50cnksIGFzIGluZGljYXRlZCBieSB0aGUgYWJzZW5jZSBvZiBhIHJlbGF0ZWQN CmNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRXh0ZW5zaW9ucyBmaWVsZCwgdGhlbiB0aGUg c3RhdHVzIG9mIGNlcnRpZmljYXRlIGlkZW50aWZpZWQgYnkgdGhlIENSTCBlbnRyeQ0Kc2hhbGwg YmUgY29uc2lkZXJlZCB1bmtvd24uDQoNCmluc3RlYWQgb2YgOg0KDQpJZiBhbiBhcHBsaWNhdGlv biBjYW5ub3QgcHJvY2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRW50cnlFeHRl bnNpb25zIGZpZWxkIG9mIGFuIGVudHJ5DQp0aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNh dGUgc3BlY2lmaWVkIGluIHRoYXQgZW50cnksIGFzIGluZGljYXRlZCBieSB0aGUgYWJzZW5jZSBv ZiBhIHJlbGF0ZWQNCmNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRXh0ZW5zaW9ucyBmaWVs ZCwgdGhlbiB0aGUgY2VydGlmaWNhdGUgaWRlbnRpZmllZCBieSB0aGUgQ1JMIGVudHJ5DQpzaGFs bCBiZSBjb25zaWRlcmVkIHJldm9rZWQuDQoNCkRlbmlzDQoNCg0KDQoNCg0KDQoNCg0KDQpEZSA6 ICAgICAgICBTYW50b3NoIENob2toYW5pIDxTQ2hva2hhbmlAY3lnbmFjb20uY29tPG1haWx0bzpT Q2hva2hhbmlAY3lnbmFjb20uY29tPj4NCkEgOiAgICAgICAgImRlbmlzLnBpbmthc0BidWxsLm5l dDxtYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0PiIgPGRlbmlzLnBpbmthc0BidWxsLm5ldDxt YWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0Pj4sICJtcmV4QHNhcC5jb208bWFpbHRvOm1yZXhA c2FwLmNvbT4iIDxtcmV4QHNhcC5jb208bWFpbHRvOm1yZXhAc2FwLmNvbT4+LCBQaXl1c2ggSmFp biA8cGl5dXNoQGlkZW50aWNhdGUuY29tPG1haWx0bzpwaXl1c2hAaWRlbnRpY2F0ZS5jb20+Pg0K Q2MgOiAgICAgICAgcGtpeCA8cGtpeEBpZXRmLm9yZzxtYWlsdG86cGtpeEBpZXRmLm9yZz4+DQpE YXRlIDogICAgICAgIDE3LzA5LzIwMTIgMTY6MjENCk9iamV0IDogICAgICAgIFJFOiBbcGtpeF0g NTI4MGJpcywgdi0wOQ0KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCg0KDQoNClRo aXMgYWxzbyByZWxhdGVzIHRvIGVhcmxpZXIgcG9zdCBJIG1hZGUgaW4gcmVzcG9uc2UgdG8gUGl5 dXNoLg0KDQpJIGFzc3VtZSB3ZSBhcmUgYWRkaW5nIHRoZSBmb2xsb3dpbmcgdG8gdGhlIFJGQyDi gJxBIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRW50cnlFeHRlbnNpb25zIGZpZWxkIG9m IGFuIGVudHJ5IHNoYWxsIGFmZmVjdCBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4g dGhhdCBlbnRyeSwgdW5sZXNzIHRoZXJlIGlzIGEgcmVsYXRlZCBjcml0aWNhbCBleHRlbnNpb24g aW4gdGhlIGNybEV4dGVuc2lvbnMgZmllbGQgdGhhdCBhZHZlcnRpc2VzIGEgc3BlY2lhbCB0cmVh dG1lbnQgZm9yIGl0LuKAnSAgSW4gb3JkZXIgdG8gdXNlIHN1Y2ggQ1JMLCB0aGUgcmVseWluZyBw YXJ0eSBtdXN0IGJlIGFibGUgdG8gcHJvY2VzcyBib3RoIHRoZSBjcmxFbnRyeUV4dGVuc2lvbiBh bmQgdGhlIHJlbGF0ZWQgY3JsRXh0ZW5zaW9uLuKAnQ0KDQpJbiB0aGF0IGNhc2UsIEkgZG8gbm90 IG1pbmQgYWRkaW5nIHRoZSBmb2xsb3dpbmcgdG8gNTI4MCAoYSBzbGlnaHQgbW9kaWZpY2F0aW9u IHRvIHdoYXQgRGVuaXMgaGFzOg0KDQpJZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcyBh IGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRW50cnlFeHRlbnNpb25zIGZpZWxkIG9mIGFu IGVudHJ5IHRoYXQgYWZmZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhh dCBlbnRyeSwgYXMgaW5kaWNhdGVkIGJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZCBjcml0aWNh bCBleHRlbnNpb24gaW4gdGhlIGNybEV4dGVuc2lvbnMgZmllbGQsIHRoZW4gdGhlIGNlcnRpZmlj YXRlIGlkZW50aWZpZWQgYnkgdGhlIENSTCBlbnRyeSBzaGFsbCBiZSBjb25zaWRlcmVkIHJldm9r ZWQuDQoNCkZyb206IHBraXgtYm91bmNlc0BpZXRmLm9yZzxtYWlsdG86cGtpeC1ib3VuY2VzQGll dGYub3JnPiBbbWFpbHRvOnBraXgtYm91bmNlc0BpZXRmLm9yZ10gT24gQmVoYWxmIE9mIGRlbmlz LnBpbmthc0BidWxsLm5ldDxtYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0Pg0KU2VudDogTW9u ZGF5LCBTZXB0ZW1iZXIgMTcsIDIwMTIgMzo0NyBBTQ0KVG86IG1yZXhAc2FwLmNvbTxtYWlsdG86 bXJleEBzYXAuY29tPjsgUGl5dXNoIEphaW4NCkNjOiBwa2l4DQpTdWJqZWN0OiBSZTogW3BraXhd IDUyODBiaXMsIHYtMDkNCg0KR29vZCBjYXRjaCBNYXJ0aW4sDQoNCllvdSBjYW1lIGJhY2sgZnJv bSB2YWNhdGlvbiBqdXN0IGluIHRpbWUuIDotKQ0KDQpJIHByb3Bvc2UgdGhlIGZvbGxvd2luZzoN Cg0KUmVwbGFjZToNCg0KfCAgICAgSWYgYSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBDUkwgZW50 cnkgZXh0ZW5zaW9uDQp8ICAgICB0aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2Vzcywg dGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVA0KfCAgICAgTk9UIHVzZSB0aGF0IENSTCB0byBkZXRl cm1pbmUgdGhlIHN0YXR1cyBvZiBhbnkgY2VydGlmaWNhdGVzLg0KDQp3aXRoDQoNCnwgICAgIElm IGEgQ1JMIGNvbnRhaW5zIGluIGEgQ1JMIGVudHJ5IGEgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVu c2lvbg0KfCAgICAgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MsIHRoZW4gdGhl IGFwcGxpY2F0aW9uIE1VU1QNCnwgICAgIGNvbnNpZGVyIHRoYXQgdGhlIGNlcnRpZmljYXRlIGlk ZW50aWZpZWQgaW4gdGhhdCBDUkwgZW50cnkgaXMNCnwgICAgIHJldm9rZWQuDQoNCkluIG9yZGVy IHRvIGFuc3dlciB0byBQaXl1c2gsIEkgYmVsaWV2ZSB0aGF0IOKAnHVua25vd27igJ0gc2hvdWxk IGJlIHVzZWQgcmF0aGVyIHRoYW4g4oCccmV2b2tlZOKAnS4NCg0KVGhlIGZvbGxvd2luZyBleGFt cGxlIGlzIGFuIGlsbHVzdHJhdGlvbjoNCg0KVGhlIHN0YXR1cyBvZiBhIGdpdmVuIGNlcnRpZmlj YXRlIGlzIGluZGljYXRlZCBhcyDigJxnb29k4oCdLCBidXQgdGhlcmUgaXMgYSBDUkwgZW50cnkg d2l0aCBhIGNyaXRpY2FsDQpDUkwgZW50cnkgZXh0ZW5zaW9uLiBUaGlzIGVudHJ5IG1lYW5zIChm b3IgdGhlIGFwcGxpY2F0aW9ucyB3aGljaCB1bmRlcnN0YW5kIGl0KSA6DQoNCiJUaGUgc3RhdHVz IHdoaWNoIGlzIHVzdWFsbHkgb2J0YWluZWQgdXNpbmcgYSBkYXRhYmFzZSBvZiBpc3N1ZWQgY2Vy dGlmaWNhdGVzIGhhcyBiZWVuIG9idGFpbmVkIGZyb20gQ1JMcy4NCklmIHlvdSByZWFsbHkgbmVl ZCB0byB0YWtlIGEgZGVjaXNpb24gbm93LCBpdCBpcyBhdCB5b3VyIG93biByaXNrLiBJZiB5b3Ug Y2FuIHdhaXQsIHlvdSBoYWQgYmV0dGVyIHRvIHRyeSBhZ2FpbiBsYXRlciBvbiIuDQoNCllvdXIg bmV4dCBxdWVzdGlvbiB3aWxsIGNlcnRhaW5seSBiZTogc28gd2h5IGRvbuKAmXQgeW91IHVzZSB0 aGUgcHJvcG9zZWQgY2VydEluZm8gZXh0ZW5zaW9uID8NCg0KRm9yIGFwcGxpY2F0aW9ucyB3aGlj aCBkbyBub3QgdW5kZXJzdGFuZCB0aGlzIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24sIHRo ZXJlIGlzIG5vIGRpZmZlcmVuY2UuDQpUaGV5IGdldCBhbiAidW5rbm93biIgc3RhdHVzIGluIGJv dGggY2FzZXMuDQoNCkZvciBhcHBsaWNhdGlvbnMgd2hpY2ggdW5kZXJzdGFuZCB0aGlzIGNyaXRp Y2FsIENSTCBlbnRyeSBleHRlbnNpb24gaXQgcHJvdmlkZXMgbGVzcyBiZW5lZml0cw0KdGhhbiB0 aGUgcHJvcG9zZWQgY2VydEluZm8gZXh0ZW5zaW9uLCBidXQgaXQgbWlnaHQgYmUgcXVpY2tlciB0 byBpbXBsZW1lbnQgYW5kIGl0IGVuZm9yY2VzIGEgcG9saWN5Lg0KDQpEZW5pcw0KDQoNCj4gSSBv YmplY3QgdG8gdGhlIHByb3Bvc2VkIG5ldyB0ZXh0IGFib3V0IENSTEVudHJ5RXh0ZW5zaW9ucw0K PiBpbiB0aGUgY2xhcmlmaWNhdGlvbiBkb2N1bWVudCwgYmVjYXVzZSBhcyBpcywgd291bGQgc2ln bmlmaWNhbnRseQ0KPiB3b3JzZW4gdGhlIGRpZmZlcmVuY2UgYmV0d2VlbiBQS0lYIGFuZCBYLjUw OSBhbmQgbWFrZSB0aGluZ3MNCj4gY2xlYXJseSBpbmNvbXBhdGlibGUgcmF0aGVyIHRoYW4gc2xp Z2h0bHkgbGVzcyBlZmZpY2llbnQuDQo+DQo+IElmIGFueXRoaW5nLCB0aGUgZ2FwIHNob3VsZCBi ZSByZWR1Y2VkLCBjb21wYXRpYmlsaXR5IGJldHdlZW4NCj4gUEtJWCBhbmQgWC41MDkgaW1wcm92 ZWQgYW5kIHRoZSBvcmlnaW5hbCBhcmNoaXRlY3R1cmUgbm90IHZpb2xhdGVkLg0KPg0KPiBQbGVh c2UgcmVjYWxsIHRoZSBvcmlnaW5hbCBOT1RFIDQgJiA1IHRoYXQgSSBxdW90ZWQgZnJvbQ0KPiBJ VFUtVCBSZWMuIFguNTA5ICgwOC8yMDA1KSwgU2VjdGlvbiA3LjMsIHRvcCBvZiBwYWdlIDE4Og0K PiAoZ2V0IHRoZW0gaGVyZSBodHRwOi8vd3d3Lml0dS5pbnQvcmVjL1QtUkVDLVguNTA5KToNCj4N Cj4gYT4gIE5PVEUgNCAtLSBXaGVuIGFuIGltcGxlbWVudGF0aW9uIHByb2Nlc3NpbmcgYSBjZXJ0 aWZpY2F0ZSByZXZvY2F0aW9uDQo+IGE+ICBsaXN0IGRvZXMgbm90IHJlY29nbml6ZSBhIGNyaXRp Y2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRW50cnlFeHRlbnNpb25zDQo+IGE+ICBmaWVsZCwgaXQg c2hhbGwgYXNzdW1lIHRoYXQsIGF0IGEgbWluaW11bSwgdGhlIGlkZW50aWZpZWQgY2VydGlmaWNh dGUNCj4gYT4gIGhhcyBiZWVuIHJldm9rZWQgYW5kIGlzIG5vIGxvbmdlciB2YWxpZCBhbmQgcGVy Zm9ybSBhZGRpdGlvbmFsIGFjdGlvbnMNCj4gYT4gIGNvbmNlcm5pbmcgdGhhdCByZXZva2VkIGNl cnRpZmljYXRlIGFzIGRpY3RhdGVkIGJ5IGxvY2FsIHBvbGljeS4NCj4NCj4gYj4gIFdoZW4gYW4g aW1wbGVtZW50YXRpb24gZG9lcyBub3QgcmVjb2duaXplIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGlu IHRoZQ0KPiBiPiAgY3JsRXh0ZW5zaW9ucyBmaWVsZCwgaXQgc2hhbGwgYXNzdW1lIHRoYXQgaWRl bnRpZmllZCBjZXJ0aWZpY2F0ZXMNCj4gYj4gIGhhdmUgYmVlbiByZXZva2VkIGFuZCBhcmUgbm8g bG9uZ2VyIHZhbGlkLg0KPg0KPiBjPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIEhvd2V2ZXIgaW4gdGhlIGxhdHRlciBjYXNlLA0KPiBjPiAgc2luY2UgdGhlIGxp c3QgbWF5IG5vdCBiZSBjb21wbGV0ZSwgY2VydGlmaWNhdGVzIHRoYXQgaGF2ZSBub3QgYmVlbg0K PiBjPiAgaWRlbnRpZmllZCBhcyBiZWluZyByZXZva2VkIGNhbm5vdCBiZSBhc3N1bWVkIHRvIGJl IHZhbGlkLiBJbiB0aGlzIGNhc2UNCj4gYz4gIGxvY2FsIHBvbGljeSBzaGFsbCBkaWN0YXRlIHRo ZSBhY3Rpb24gdG8gYmUgdGFrZW4uIEluIGFueSBjYXNlIGxvY2FsDQo+IGM+ICBwb2xpY3kgbWF5 IGRpY3RhdGUgYWN0aW9ucyBpbiBhZGRpdGlvbiB0byBhbmQvb3Igc3Ryb25nZXIgdGhhbiB0aG9z ZQ0KPiBjPiAgc3RhdGVkIGluIHRoaXMgU3BlY2lmaWNhdGlvbi4NCj4NCj4gZD4gIE5PVEUgNSAt LSBJZiBhbiBleHRlbnNpb24gYWZmZWN0cyB0aGUgdHJlYXRtZW50IG9mIHRoZSBsaXN0DQo+IGQ+ ICAoZS5nLiwgbXVsdGlwbGUgQ1JMcyBuZWVkIHRvIGJlIHNjYW5uZWQgdG8gZXhhbWluZSB0aGUg ZW50aXJlIGxpc3Qgb2YNCj4gZD4gIHJldm9rZWQgY2VydGlmaWNhdGVzLCBvciBhbiBlbnRyeSBt YXkgcmVwcmVzZW50IGEgcmFuZ2Ugb2YgY2VydGlmaWNhdGVzKSwNCj4gZD4gIHRoZW4gdGhhdCBl eHRlbnNpb24gc2hhbGwgYmUgaW5kaWNhdGVkIGFzIGNyaXRpY2FsIGluIHRoZSBjcmxFeHRlbnNp b25zDQo+IGQ+ICBmaWVsZCByZWdhcmRsZXNzIG9mIHdoZXJlIHRoZSBleHRlbnNpb24gaXMgcGxh Y2VkIGluIHRoZSBDUkwuDQo+DQo+IGU+ICBBbiBleHRlbnNpb24gaW5kaWNhdGVkIGluIHRoZSBj cmxFbnRyeUV4dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkgc2hhbGwNCj4gZT4gIGJlIHBsYWNl ZCBpbiB0aGF0IGVudHJ5IGFuZCBzaGFsbCBhZmZlY3Qgb25seSB0aGUgY2VydGlmaWNhdGUocykN Cj4gZT4gIHNwZWNpZmllZCBpbiB0aGF0IGVudHJ5Lg0KPg0KPg0KPiAoSSBpbnNlcnRlZCBibGFu ayBsaW5lcyBhYm92ZSBmb3IgdmlzdWFsIGNsYXJpdHkgb2YgdGhlIFguNTA5IHJlcXVpcmVtZW50 cykuDQo+DQo+IHR3byBvcHRpb25zLCBhbGwgY29tYmluYXRpb25zOg0KPg0KPiAgKDEpIGNlcnQg ICAgIG9uIENSTCwgQ1JMIHdpdGggTk8gdW5yZWNvZ25pemVkIGNyaXRpY2FsIENSTEVudHJ5RXh0 ZW5zaW9ucw0KPiAgKDIpIGNlcnQgTk9UIG9uIENSTCwgQ1JMIHdpdGggTk8gdW5yZWNvZ25pemVk IGNyaXRpY2FsIENSTEVudHJ5RXh0ZW5zaW9ucw0KPiAgKDMpIGNlcnQgICAgIG9uIENSTCwgQ1JM IHdpdGggICAgdW5yZWNvZ25pemVkIGNyaXRpY2FsIENSTEVudHJ5RXh0ZW5zaW9uDQo+ICAoNCkg Y2VydCBOT1Qgb24gQ1JMLCBDUkwgd2l0aCAgICB1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50 cnlFeHRlbnNpb24NCj4NCj4NCj4gSSBob3BlIHdlIGFncmVlIHRoYXQgWC41MDkgYW5kIHJmYzUy ODAgYWdyZWUgb24gKDEpIGFuZCAoMikgcmVzdWx0cw0KPiBmb3IgQ1JMIGNoZWNraW5nLg0KPg0K PiByZmM1MjgwIGN1cnJlbnRseSBzYXlzIHRoYXQgZm9yICgzKSsoNCkgdGhlIGVudGlyZSBDUkwg b3VnaHQgdG8gYmUgaWdub3JlZA0KPiBhbmQgb3RoZXIgQ1JMcyBuZWVkIHRvIGJlIGV2YWx1YXRl ZCAiVU5ERVRFUk1JTkVEIg0KPg0KPiBYLjUwOSBzYXlzIGluIChhPikgdGhhdCBmb3IgKDMpIHRo ZSBzdGF0dXMgb2YgdGhlIGNlcnQgaXMgZGVmaW5pdGVseSByZXZva2VkDQo+IGFuZCBzYXlzIGlu IChjPikgZm9yICg0KSB0aGF0IHRoZSBDUkwgb3VnaHQgdG8gYmUgaWdub3JlZCBhbmQgb3RoZXIg Q1JMcyBuZWVkDQo+IHRvIGJlIGV2YWx1YXRlZCAiVU5ERVRFUk1JTkVEIg0KPg0KPiBXaGlsZSBi b3RoIFguNTA5IGFuZCByZmM1MjgwIGFncmVlIG9uIHRoZSByZXN1bHQgZm9yICg0KSAiVU5ERVRF Uk1JTkVEIiwNCj4gdGhlcmUgaXMgdGhlIHN1cGVyZmljaWFsIGFwcGVhcmFuY2Ugb2YgYSBkaWZm ZXJlbmNlIGZvciBhIGNhc3VhbA0KPiBpbXBsZW1lbnRlciBmb3IgY2FzZSAoMykgYmV0d2VlbiBY LjUwOSAiUkVWT0tFRCIgYW5kIHJmYzUyODAgIlVOREVURVJNSU5FRCINCj4gdGhhdCBtaWdodCBs ZWFkIHRvIGEgc2xpZ2h0bHkgbGVzcyBlZmZpY2llbnQgcHJvY2Vzc2luZyBDUkxzLg0KPg0KPg0K PiBUaGUgbmV3bHkgcHJvcG9zZWQgdGV4dCAoaW4gLTA5KToNCj4NCj4gfCAgICAgSWYgYSBDUkwg Y29udGFpbnMgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uDQo+IHwgICAgIHRoYXQgdGhl IGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzLCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBNVVNUDQo+ IHwgICAgIE5PVCB1c2UgdGhhdCBDUkwgdG8gZGV0ZXJtaW5lIHRoZSBzdGF0dXMgb2YgdGhlIGNl cnRpZmljYXRlDQo+IHwgICAgIHJlcHJlc2VudGVkIGJ5IHRoZSBDUkwgZW50cnkuDQo+DQo+IGNy ZWF0ZXMgYSBzaWduaWZpY2FudGx5IGRpc3RpbmN0IGJlaGF2aW91ciBmb3IgY2FzZSAoNCkgd2hl cmUgWC41MDkNCj4gYW5kIHJmYzUyODAgYWdyZWVkIG9uICJVTkRFVEVSTUlORUQiLCBieSByZWRl ZmluaW5nIHRoZSByZXN1bHQgdG8NCj4gYmUgIlVOUkVWT0tFRCIsIGFuZCBwb3RlbnRpYWxseSBj cmVhdGVzIGEgc2VjdXJpdHkgcHJvYmxlbSwgYW5kIGENCj4gbmV3LCBiYWNrd2FyZHMtaW5jb21w YXRpYmxlIGJlaGF2aW91ciBmb3IgYSBzaXR1YXRpb24gd2hlcmUNCj4gWC41MDkgYW5kIHJmYzUy ODAgdXNlZCB0byBhZ3JlZS4gU3RpbGwsIHRoZSBuZXcgdGV4dCBkb2VzIG5vdCBkbw0KPiBhbnl0 aGluZyBhYm91dCBjYXNlICgzKSwgdGhlIG9ubHkgY2FzZSB3aGVyZSBYLjUwOSBhbmQgcmZjNTI4 MA0KPiBhcHBlYXIgdG8gZGlmZmVyIChpbiBhIG1vc3RseSBtYXJnaW5hbCBmYXNoaW9uKS4NCj4N Cj4NCj4gQSBjYXJlZnVsIGltcGxlbWVudG9yLCB0aGF0IGFuYWx5emVzIE5PVEUgNCBhbmQgTk9U RSA1IGZyb20gWC41MDkNCj4gcXVvdGVkIGFib3ZlIGluIGl0cyBlbnRpcmV0eSwgc2hvdWxkIHJl YWxpemUgdGhhdCB0aGUgc2l0dWF0aW9uDQo+IHdoZXJlIFguNTA5IGFuZCByZmM1MjgwIGRpZmZl ciBpcyBtYXJnaW5hbC4NCj4NCj4gVGhpcyBpcyBiZWNhdXNlIChkPikgaW4gTk9URSA1IGFib3Zl IHJlcXVpcmVzICgic2hhbGwiKSB0aGF0IGENCj4gY3JpdGljYWwgY3JsRW50cnlFeHRlbnNpb24g d2l0aCBhIHNlbWFudGljIGJleW9uZCAidGhpcyBjZXJ0IGlzDQo+IHJldm9rZWQiKSwgTVVTVCBi ZSBhZGRpdGlvbmFsbHkgaW5jbHVkZWQgYXMgYSBjcml0aWNhbCBjcmxFeHRlbnNpb24sDQo+IHdp dGggdGhlIGVmZmVjdCB0aGF0IHRoZSBlbnRpcmUgQ1JMIHdpbGwgaGF2ZSB0byBiZSBpZ25vcmVk IGJ5DQo+IGJvdGggWC41MDkgYW5kIHJmYzUyODAgaW1wbGVtZW50YXRpb25zIHRoYXQgZG8gbm90 IHJlY29nbml6ZQ0KPiB0aGUgY3JsRXh0ZW5zaW9uLiAgU28gYWxsIGNvbXBsaWFudCBDUkxzIHdp dGggYSAiZmFuY3kiDQo+IHVucmVjb2duaXplZCBjcml0aWNhbCBjcmxFbnRyeUV4dGVuc2lvbiwg dGhlIGFjY29tcGFueWluZw0KPiB1bnJlY29nbml6ZWQgY3JpdGljYWwgY3JsRXh0ZW5zaW9uIHdp bGwgY2F1c2UgWC41MDkgYW5kIHJmYzUyODANCj4gdG8gYWdyZWUgb24gKDMpIHRvIHJldHVybiAi VU5ERVRFUk1JTkVEIiBhbmQgcmVxdWlyZSBvdGhlcg0KPiBDUkxzIHRvIGJlIGNoZWNrZWQuDQo+ DQo+DQo+IC1NYXJ0aW4NCj4gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX18NCj4gcGtpeCBtYWlsaW5nIGxpc3QNCj4gcGtpeEBpZXRmLm9yZzxtYWlsdG86cGtp eEBpZXRmLm9yZz4NCj4gaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9wa2l4 DQo= --_000_B83745DA469B7847811819C5005244AF362EC9B3scygexch7cygnac_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+PGhlYWQ+PG1ldGEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVu dD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij48bWV0YSBuYW1lPUdlbmVyYXRvciBjb250ZW50 PSJNaWNyb3NvZnQgV29yZCAxNCAoZmlsdGVyZWQgbWVkaXVtKSI+PCEtLVtpZiAhbXNvXT48c3R5 bGU+dlw6KiB7YmVoYXZpb3I6dXJsKCNkZWZhdWx0I1ZNTCk7fQ0Kb1w6KiB7YmVoYXZpb3I6dXJs KCNkZWZhdWx0I1ZNTCk7fQ0Kd1w6KiB7YmVoYXZpb3I6dXJsKCNkZWZhdWx0I1ZNTCk7fQ0KLnNo YXBlIHtiZWhhdmlvcjp1cmwoI2RlZmF1bHQjVk1MKTt9DQo8L3N0eWxlPjwhW2VuZGlmXS0tPjxz dHlsZT48IS0tDQovKiBGb250IERlZmluaXRpb25zICovDQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFt aWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAxNSA1IDIgMiAyIDQgMyAyIDQ7fQ0KQGZvbnQtZmFj ZQ0KCXtmb250LWZhbWlseTpUYWhvbWE7DQoJcGFub3NlLTE6MiAxMSA2IDQgMyA1IDQgNCAyIDQ7 fQ0KLyogU3R5bGUgRGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBsaS5Nc29Ob3JtYWwsIGRp di5Nc29Ob3JtYWwNCgl7bWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9u dC1zaXplOjEyLjBwdDsNCglmb250LWZhbWlseToiVGltZXMgTmV3IFJvbWFuIiwic2VyaWYiO30N CmE6bGluaywgc3Bhbi5Nc29IeXBlcmxpbmsNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNv bG9yOmJsdWU7DQoJdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQphOnZpc2l0ZWQsIHNwYW4u TXNvSHlwZXJsaW5rRm9sbG93ZWQNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9yOnB1 cnBsZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCnNwYW4uRW1haWxTdHlsZTE3DQoJ e21zby1zdHlsZS10eXBlOnBlcnNvbmFsLXJlcGx5Ow0KCWZvbnQtZmFtaWx5OiJBcmlhbCIsInNh bnMtc2VyaWYiOw0KCWNvbG9yOiMxRjQ5N0Q7DQoJZm9udC13ZWlnaHQ6bm9ybWFsOw0KCWZvbnQt c3R5bGU6bm9ybWFsOw0KCXRleHQtZGVjb3JhdGlvbjpub25lIG5vbmU7fQ0KLk1zb0NocERlZmF1 bHQNCgl7bXNvLXN0eWxlLXR5cGU6ZXhwb3J0LW9ubHk7DQoJZm9udC1mYW1pbHk6IkNhbGlicmki LCJzYW5zLXNlcmlmIjt9DQpAcGFnZSBXb3JkU2VjdGlvbjENCgl7c2l6ZTo4LjVpbiAxMS4waW47 DQoJbWFyZ2luOjEuMGluIDEuMGluIDEuMGluIDEuMGluO30NCmRpdi5Xb3JkU2VjdGlvbjENCgl7 cGFnZTpXb3JkU2VjdGlvbjE7fQ0KLS0+PC9zdHlsZT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4N CjxvOnNoYXBlZGVmYXVsdHMgdjpleHQ9ImVkaXQiIHNwaWRtYXg9IjEwMjYiIC8+DQo8L3htbD48 IVtlbmRpZl0tLT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlbGF5b3V0IHY6ZXh0 PSJlZGl0Ij4NCjxvOmlkbWFwIHY6ZXh0PSJlZGl0IiBkYXRhPSIxIiAvPg0KPC9vOnNoYXBlbGF5 b3V0PjwveG1sPjwhW2VuZGlmXS0tPjwvaGVhZD48Ym9keSBsYW5nPUVOLVVTIGxpbms9Ymx1ZSB2 bGluaz1wdXJwbGU+PGRpdiBjbGFzcz1Xb3JkU2VjdGlvbjE+PHAgY2xhc3M9TXNvTm9ybWFsPjxz cGFuIHN0eWxlPSdmb250LXNpemU6OS4wcHQ7Zm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJp ZiI7Y29sb3I6IzFGNDk3RCc+RGVuaXMsPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1z b05vcm1hbD48c3BhbiBzdHlsZT0nZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIs InNhbnMtc2VyaWYiO2NvbG9yOiMxRjQ5N0QnPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48 cCBjbGFzcz1Nc29Ob3JtYWw+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZTo5LjBwdDtmb250LWZhbWls eToiQXJpYWwiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz5JIGFtIG9rIGVpdGhlciB3YXkg KHVua25vd24gb3IgcmV2b2tlZCkuwqAgVGhlIGdvb2QgdGhpbmcgaXMgdGhhdCB0aGUgbmV3IHRl eHQgc3BlbGxzIHRoaW5ncyBvdXQgbW9yZSBjbGVhcmx5LjxvOnA+PC9vOnA+PC9zcGFuPjwvcD48 cCBjbGFzcz1Nc29Ob3JtYWw+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZTo5LjBwdDtmb250LWZhbWls eToiQXJpYWwiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz48bzpwPiZuYnNwOzwvbzpwPjwv c3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxiPjxzcGFuIHN0eWxlPSdmb250LXNpemU6MTAu MHB0O2ZvbnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIic+RnJvbTo8L3NwYW4+PC9iPjxz cGFuIHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNl cmlmIic+IGRlbmlzLnBpbmthc0BidWxsLm5ldCBbbWFpbHRvOmRlbmlzLnBpbmthc0BidWxsLm5l dF0gPGJyPjxiPlNlbnQ6PC9iPiBNb25kYXksIFNlcHRlbWJlciAxNywgMjAxMiAxMDo0MiBBTTxi cj48Yj5Ubzo8L2I+IFNhbnRvc2ggQ2hva2hhbmk8YnI+PGI+Q2M6PC9iPiBtcmV4QHNhcC5jb207 IFBpeXVzaCBKYWluOyBwa2l4PGJyPjxiPlN1YmplY3Q6PC9iPiBSRTogW3BraXhdIDUyODBiaXMs IHYtMDk8bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxvOnA+Jm5ic3A7 PC9vOnA+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48c3BhbiBzdHlsZT0nZm9udC1mYW1pbHk6IkFy aWFsIiwic2Fucy1zZXJpZiInPlNhbnRvc2gsIFBpeXVzaCBhbmQgTWFydGluLDwvc3Bhbj4gPGJy Pjxicj48c3BhbiBzdHlsZT0nZm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiInPlNvcnJ5 LCBJIG1hZGUgYSBtaXN0YWtlIHdoZW4gbWFraW5nIG15IHByb3Bvc2FsIHRoaXMgbW9ybmluZy4g PGJyPkkgd3JvdGUgJnF1b3Q7cmV2b2tlZCZxdW90OywgYnV0IHdhcyBhZHZvY2F0aW5nICZxdW90 O3Vua25vd24mcXVvdDsuPC9zcGFuPiA8YnI+PGJyPjxzcGFuIHN0eWxlPSdmb250LWZhbWlseToi QXJpYWwiLCJzYW5zLXNlcmlmIic+QmFzZWQgb24gdGhlIGxhdGVzdCB0ZXh0IHByb3Bvc2VkIGZy b20gU2FudG9zaCwgSSB3b3VsZCByYXRoZXIgcHJlZmVyOjwvc3Bhbj4gPGJyPjxicj48c3BhbiBz dHlsZT0nZm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiI7Y29sb3I6IzEwNDE2MCc+SWYg YW4gYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MgYSBjcml0aWNhbCBleHRlbnNpb24gaW4gdGhl IDxiPmNybEVudHJ5RXh0ZW5zaW9uczwvYj4gZmllbGQgb2YgYW4gZW50cnkgPGJyPnRoYXQgYWZm ZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgYXMgaW5k aWNhdGVkIGJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZCA8YnI+Y3JpdGljYWwgZXh0ZW5zaW9u IGluIHRoZSA8Yj5jcmxFeHRlbnNpb25zPC9iPiBmaWVsZCwgdGhlbiB0aGUgPC9zcGFuPjxiPjxz cGFuIHN0eWxlPSdmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIjtjb2xvcjojMDAwMEUw Jz5zdGF0dXMgb2Y8L3NwYW4+PC9iPjxiPjxzcGFuIHN0eWxlPSdmb250LWZhbWlseToiQXJpYWwi LCJzYW5zLXNlcmlmIjtjb2xvcjpibHVlJz4gPC9zcGFuPjwvYj48c3BhbiBzdHlsZT0nZm9udC1m YW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiI7Y29sb3I6IzEwNDE2MCc+Y2VydGlmaWNhdGUgaWRl bnRpZmllZCBieSB0aGUgQ1JMIGVudHJ5IDxicj5zaGFsbCBiZSBjb25zaWRlcmVkIDwvc3Bhbj48 Yj48c3BhbiBzdHlsZT0nZm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiI7Y29sb3I6IzAw MjBDMic+dW5rb3duPC9zcGFuPjwvYj48c3BhbiBzdHlsZT0nZm9udC1mYW1pbHk6IkFyaWFsIiwi c2Fucy1zZXJpZiI7Y29sb3I6IzEwNDE2MCc+Ljwvc3Bhbj4gPGJyPjxicj48c3BhbiBzdHlsZT0n Zm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiInPmluc3RlYWQgb2YgOjwvc3Bhbj4gPGJy Pjxicj48c3BhbiBzdHlsZT0nZm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiI7Y29sb3I6 IzEwNDE2MCc+SWYgYW4gYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MgYSBjcml0aWNhbCBleHRl bnNpb24gaW4gdGhlIDxiPmNybEVudHJ5RXh0ZW5zaW9uczwvYj4gZmllbGQgb2YgYW4gZW50cnkg PGJyPnRoYXQgYWZmZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBl bnRyeSwgYXMgaW5kaWNhdGVkIGJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZCA8YnI+Y3JpdGlj YWwgZXh0ZW5zaW9uIGluIHRoZSA8Yj5jcmxFeHRlbnNpb25zPC9iPiBmaWVsZCwgdGhlbiB0aGUg Y2VydGlmaWNhdGUgaWRlbnRpZmllZCBieSB0aGUgQ1JMIGVudHJ5IDxicj5zaGFsbCBiZSBjb25z aWRlcmVkIHJldm9rZWQuPC9zcGFuPiA8YnI+PGJyPjxzcGFuIHN0eWxlPSdmb250LWZhbWlseToi QXJpYWwiLCJzYW5zLXNlcmlmIic+RGVuaXM8L3NwYW4+IDxicj48YnI+PGJyPjxicj48YnI+PGJy Pjxicj48YnI+PGJyPjxicj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjcuNXB0O2ZvbnQtZmFtaWx5 OiJBcmlhbCIsInNhbnMtc2VyaWYiO2NvbG9yOiM1RjVGNUYnPkRlIDogJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSdmb250LXNpemU6Ny41cHQ7Zm9udC1mYW1p bHk6IkFyaWFsIiwic2Fucy1zZXJpZiInPlNhbnRvc2ggQ2hva2hhbmkgJmx0OzxhIGhyZWY9Im1h aWx0bzpTQ2hva2hhbmlAY3lnbmFjb20uY29tIj5TQ2hva2hhbmlAY3lnbmFjb20uY29tPC9hPiZn dDs8L3NwYW4+IDxicj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjcuNXB0O2ZvbnQtZmFtaWx5OiJB cmlhbCIsInNhbnMtc2VyaWYiO2NvbG9yOiM1RjVGNUYnPkEgOiAmbmJzcDsgJm5ic3A7ICZuYnNw OyAmbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZTo3LjVwdDtmb250LWZhbWlseToi QXJpYWwiLCJzYW5zLXNlcmlmIic+JnF1b3Q7PGEgaHJlZj0ibWFpbHRvOmRlbmlzLnBpbmthc0Bi dWxsLm5ldCI+ZGVuaXMucGlua2FzQGJ1bGwubmV0PC9hPiZxdW90OyAmbHQ7PGEgaHJlZj0ibWFp bHRvOmRlbmlzLnBpbmthc0BidWxsLm5ldCI+ZGVuaXMucGlua2FzQGJ1bGwubmV0PC9hPiZndDss ICZxdW90OzxhIGhyZWY9Im1haWx0bzptcmV4QHNhcC5jb20iPm1yZXhAc2FwLmNvbTwvYT4mcXVv dDsgJmx0OzxhIGhyZWY9Im1haWx0bzptcmV4QHNhcC5jb20iPm1yZXhAc2FwLmNvbTwvYT4mZ3Q7 LCBQaXl1c2ggSmFpbiAmbHQ7PGEgaHJlZj0ibWFpbHRvOnBpeXVzaEBpZGVudGljYXRlLmNvbSI+ cGl5dXNoQGlkZW50aWNhdGUuY29tPC9hPiZndDs8L3NwYW4+IDxicj48c3BhbiBzdHlsZT0nZm9u dC1zaXplOjcuNXB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiO2NvbG9yOiM1RjVG NUYnPkNjJm5ic3A7OiAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8L3NwYW4+PHNwYW4gc3R5 bGU9J2ZvbnQtc2l6ZTo3LjVwdDtmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIic+cGtp eCAmbHQ7PGEgaHJlZj0ibWFpbHRvOnBraXhAaWV0Zi5vcmciPnBraXhAaWV0Zi5vcmc8L2E+Jmd0 Ozwvc3Bhbj4gPGJyPjxzcGFuIHN0eWxlPSdmb250LXNpemU6Ny41cHQ7Zm9udC1mYW1pbHk6IkFy aWFsIiwic2Fucy1zZXJpZiI7Y29sb3I6IzVGNUY1Ric+RGF0ZSA6ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjcuNXB0O2ZvbnQtZmFtaWx5 OiJBcmlhbCIsInNhbnMtc2VyaWYiJz4xNy8wOS8yMDEyIDE2OjIxPC9zcGFuPiA8YnI+PHNwYW4g c3R5bGU9J2ZvbnQtc2l6ZTo3LjVwdDtmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIjtj b2xvcjojNUY1RjVGJz5PYmpldCA6ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOzwvc3Bhbj48 c3BhbiBzdHlsZT0nZm9udC1zaXplOjcuNXB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2Vy aWYiJz5SRTogW3BraXhdIDUyODBiaXMsIHYtMDk8L3NwYW4+IDxvOnA+PC9vOnA+PC9wPjxkaXYg Y2xhc3M9TXNvTm9ybWFsIGFsaWduPWNlbnRlciBzdHlsZT0ndGV4dC1hbGlnbjpjZW50ZXInPjxo ciBzaXplPTIgd2lkdGg9IjEwMCUiIG5vc2hhZGUgc3R5bGU9J2NvbG9yOiNBQ0E4OTknIGFsaWdu PWNlbnRlcj48L2Rpdj48cCBjbGFzcz1Nc29Ob3JtYWw+PGJyPjxicj48YnI+PHNwYW4gc3R5bGU9 J2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiO2NvbG9yOiMwMDQwODAnPlRoaXMgYWxz byByZWxhdGVzIHRvIGVhcmxpZXIgcG9zdCBJIG1hZGUgaW4gcmVzcG9uc2UgdG8gUGl5dXNoLjwv c3Bhbj4gPGJyPjxzcGFuIHN0eWxlPSdmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIjtj b2xvcjojMDA0MDgwJz4mbmJzcDs8L3NwYW4+IDxicj48c3BhbiBzdHlsZT0nZm9udC1mYW1pbHk6 IkFyaWFsIiwic2Fucy1zZXJpZiI7Y29sb3I6IzAwNDA4MCc+SSBhc3N1bWUgd2UgYXJlIGFkZGlu ZyB0aGUgZm9sbG93aW5nIHRvIHRoZSBSRkMg4oCcPC9zcGFuPjxzcGFuIHN0eWxlPSdmb250LWZh bWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIjtjb2xvcjojMTA0MTYwJz5BIGNyaXRpY2FsIGV4dGVu c2lvbiBpbiB0aGUgPGI+Y3JsRW50cnlFeHRlbnNpb25zPC9iPiBmaWVsZCBvZiBhbiBlbnRyeSBz aGFsbCBhZmZlY3Qgb25seSB0aGUgY2VydGlmaWNhdGUgc3BlY2lmaWVkIGluIHRoYXQgZW50cnks IHVubGVzcyB0aGVyZSBpcyBhIHJlbGF0ZWQgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSA8Yj5j cmxFeHRlbnNpb25zPC9iPiBmaWVsZCB0aGF0IGFkdmVydGlzZXMgYSBzcGVjaWFsIHRyZWF0bWVu dCBmb3IgaXQu4oCdICZuYnNwO0luIG9yZGVyIHRvIHVzZSBzdWNoIENSTCwgdGhlIHJlbHlpbmcg cGFydHkgbXVzdCBiZSBhYmxlIHRvIHByb2Nlc3MgYm90aCB0aGUgPGI+Y3JsRW50cnlFeHRlbnNp b24gPC9iPmFuZCB0aGUgcmVsYXRlZCA8Yj5jcmxFeHRlbnNpb24u4oCdPC9iPjwvc3Bhbj4gPGJy PjxiPjxzcGFuIHN0eWxlPSdmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIjtjb2xvcjoj MTA0MTYwJz4mbmJzcDs8L3NwYW4+PC9iPiA8YnI+PHNwYW4gc3R5bGU9J2ZvbnQtZmFtaWx5OiJB cmlhbCIsInNhbnMtc2VyaWYiO2NvbG9yOiMxMDQxNjAnPkluIHRoYXQgY2FzZSwgSSBkbyBub3Qg bWluZCBhZGRpbmcgdGhlIGZvbGxvd2luZyB0byA1MjgwIChhIHNsaWdodCBtb2RpZmljYXRpb24g dG8gd2hhdCBEZW5pcyBoYXM6PC9zcGFuPiA8YnI+PHNwYW4gc3R5bGU9J2ZvbnQtZmFtaWx5OiJB cmlhbCIsInNhbnMtc2VyaWYiO2NvbG9yOiMxMDQxNjAnPiZuYnNwOzwvc3Bhbj4gPGJyPjxzcGFu IHN0eWxlPSdmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIjtjb2xvcjojMTA0MTYwJz5J ZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0 aGUgPGI+Y3JsRW50cnlFeHRlbnNpb25zPC9iPiBmaWVsZCBvZiBhbiBlbnRyeSB0aGF0IGFmZmVj dHMgb25seSB0aGUgY2VydGlmaWNhdGUgc3BlY2lmaWVkIGluIHRoYXQgZW50cnksIGFzIGluZGlj YXRlZCBieSB0aGUgYWJzZW5jZSBvZiBhIHJlbGF0ZWQgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRo ZSA8Yj5jcmxFeHRlbnNpb25zPC9iPiBmaWVsZCwgdGhlbiB0aGUgY2VydGlmaWNhdGUgaWRlbnRp ZmllZCBieSB0aGUgQ1JMIGVudHJ5IHNoYWxsIGJlIGNvbnNpZGVyZWQgcmV2b2tlZC48L3NwYW4+ IDxicj48c3BhbiBzdHlsZT0nZm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiI7Y29sb3I6 IzAwNDA4MCc+Jm5ic3A7PC9zcGFuPiA8YnI+PGI+PHNwYW4gc3R5bGU9J2ZvbnQtZmFtaWx5OiJU YWhvbWEiLCJzYW5zLXNlcmlmIic+RnJvbTo8L3NwYW4+PC9iPjxzcGFuIHN0eWxlPSdmb250LWZh bWlseToiVGFob21hIiwic2Fucy1zZXJpZiInPiA8YSBocmVmPSJtYWlsdG86cGtpeC1ib3VuY2Vz QGlldGYub3JnIj5wa2l4LWJvdW5jZXNAaWV0Zi5vcmc8L2E+IFs8L3NwYW4+PGEgaHJlZj0ibWFp bHRvOnBraXgtYm91bmNlc0BpZXRmLm9yZyI+PHNwYW4gc3R5bGU9J2ZvbnQtZmFtaWx5OiJUYWhv bWEiLCJzYW5zLXNlcmlmIic+bWFpbHRvOnBraXgtYm91bmNlc0BpZXRmLm9yZzwvc3Bhbj48L2E+ PHNwYW4gc3R5bGU9J2ZvbnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIic+XSA8Yj5PbiBC ZWhhbGYgT2YgPC9iPjxhIGhyZWY9Im1haWx0bzpkZW5pcy5waW5rYXNAYnVsbC5uZXQiPmRlbmlz LnBpbmthc0BidWxsLm5ldDwvYT48Yj48YnI+U2VudDo8L2I+IE1vbmRheSwgU2VwdGVtYmVyIDE3 LCAyMDEyIDM6NDcgQU08Yj48YnI+VG86PC9iPiA8YSBocmVmPSJtYWlsdG86bXJleEBzYXAuY29t Ij5tcmV4QHNhcC5jb208L2E+OyBQaXl1c2ggSmFpbjxiPjxicj5DYzo8L2I+IHBraXg8Yj48YnI+ U3ViamVjdDo8L2I+IFJlOiBbcGtpeF0gNTI4MGJpcywgdi0wOTwvc3Bhbj4gPGJyPiZuYnNwOyA8 YnI+PHNwYW4gc3R5bGU9J2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiJz5Hb29kIGNh dGNoIE1hcnRpbiw8L3NwYW4+IDxicj48c3BhbiBzdHlsZT0nZm9udC1mYW1pbHk6IkFyaWFsIiwi c2Fucy1zZXJpZiInPjxicj5Zb3UgY2FtZSBiYWNrIGZyb20gdmFjYXRpb24ganVzdCBpbiB0aW1l LiA6LSk8L3NwYW4+IDxicj48c3BhbiBzdHlsZT0nZm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1z ZXJpZiInPjxicj5JIHByb3Bvc2UgdGhlIGZvbGxvd2luZzo8L3NwYW4+IDxicj48c3BhbiBzdHls ZT0nZm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Iic+PGJyPlJlcGxhY2U6PC9zcGFuPiA8YnI+PHNw YW4gc3R5bGU9J2ZvbnQtZmFtaWx5OiJDb3VyaWVyIE5ldyInPjxicj58ICZuYnNwOyAmbmJzcDsg SWYgYSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uIDxicj58ICZu YnNwOyAmbmJzcDsgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MsIHRoZW4gdGhl IGFwcGxpY2F0aW9uIE1VU1QgPGJyPnwgJm5ic3A7ICZuYnNwOyBOT1QgdXNlIHRoYXQgQ1JMIHRv IGRldGVybWluZSB0aGUgc3RhdHVzIG9mIGFueSBjZXJ0aWZpY2F0ZXMuPC9zcGFuPiA8YnI+PHNw YW4gc3R5bGU9J2ZvbnQtZmFtaWx5OiJDb3VyaWVyIE5ldyInPjxicj53aXRoPC9zcGFuPiA8YnI+ PHNwYW4gc3R5bGU9J2ZvbnQtZmFtaWx5OiJDb3VyaWVyIE5ldyInPjxicj58ICZuYnNwOyAmbmJz cDsgSWYgYSBDUkwgY29udGFpbnMgaW4gYSBDUkwgZW50cnkgYSBjcml0aWNhbCBDUkwgZW50cnkg ZXh0ZW5zaW9uIDxicj58ICZuYnNwOyAmbmJzcDsgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90 IHByb2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0aW9uIE1VU1QgPGJyPnwgJm5ic3A7ICZuYnNwOyBj b25zaWRlciB0aGF0IHRoZSBjZXJ0aWZpY2F0ZSBpZGVudGlmaWVkIGluIHRoYXQgQ1JMIGVudHJ5 IGlzIDxicj58ICZuYnNwOyAmbmJzcDsgcmV2b2tlZC4gJm5ic3A7PC9zcGFuPiA8YnI+PHNwYW4g c3R5bGU9J2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiJz48YnI+SW4gb3JkZXIgdG8g YW5zd2VyIHRvIFBpeXVzaCwgSSBiZWxpZXZlIHRoYXQg4oCcdW5rbm93buKAnSBzaG91bGQgYmUg dXNlZCByYXRoZXIgdGhhbiDigJxyZXZva2Vk4oCdLjwvc3Bhbj4gPGJyPjxzcGFuIHN0eWxlPSdm b250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIic+PGJyPlRoZSBmb2xsb3dpbmcgZXhhbXBs ZSBpcyBhbiBpbGx1c3RyYXRpb246PC9zcGFuPiA8YnI+PHNwYW4gc3R5bGU9J2ZvbnQtZmFtaWx5 OiJBcmlhbCIsInNhbnMtc2VyaWYiJz48YnI+VGhlIHN0YXR1cyBvZiBhIGdpdmVuIGNlcnRpZmlj YXRlIGlzIGluZGljYXRlZCBhcyDigJxnb29k4oCdLCBidXQgdGhlcmUgaXMgYSBDUkwgZW50cnkg d2l0aCBhIGNyaXRpY2FsIDxicj5DUkwgZW50cnkgZXh0ZW5zaW9uLiBUaGlzIGVudHJ5IG1lYW5z IChmb3IgdGhlIGFwcGxpY2F0aW9ucyB3aGljaCB1bmRlcnN0YW5kIGl0KSA6IDwvc3Bhbj48YnI+ PHNwYW4gc3R5bGU9J2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiJz48YnI+JnF1b3Q7 VGhlIHN0YXR1cyB3aGljaCBpcyB1c3VhbGx5IG9idGFpbmVkIHVzaW5nIGEgZGF0YWJhc2Ugb2Yg aXNzdWVkIGNlcnRpZmljYXRlcyBoYXMgYmVlbiBvYnRhaW5lZCBmcm9tIENSTHMuIDxicj5JZiB5 b3UgcmVhbGx5IG5lZWQgdG8gdGFrZSBhIGRlY2lzaW9uIG5vdywgaXQgaXMgYXQgeW91ciBvd24g cmlzay4gSWYgeW91IGNhbiB3YWl0LCB5b3UgaGFkIGJldHRlciB0byB0cnkgYWdhaW4gbGF0ZXIg b24mcXVvdDsuPC9zcGFuPiA8YnI+PHNwYW4gc3R5bGU9J2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNh bnMtc2VyaWYiJz48YnI+WW91ciBuZXh0IHF1ZXN0aW9uIHdpbGwgY2VydGFpbmx5IGJlOiBzbyB3 aHkgZG9u4oCZdCB5b3UgdXNlIHRoZSBwcm9wb3NlZCBjZXJ0SW5mbyBleHRlbnNpb24gPzwvc3Bh bj4gPGJyPjxzcGFuIHN0eWxlPSdmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIic+PGJy PkZvciBhcHBsaWNhdGlvbnMgd2hpY2ggZG8gbm90IHVuZGVyc3RhbmQgdGhpcyBjcml0aWNhbCBD UkwgZW50cnkgZXh0ZW5zaW9uLCB0aGVyZSBpcyBubyBkaWZmZXJlbmNlLjwvc3Bhbj4gPHNwYW4g c3R5bGU9J2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiJz48YnI+VGhleSBnZXQgYW4g JnF1b3Q7dW5rbm93biZxdW90OyBzdGF0dXMgaW4gYm90aCBjYXNlcy48L3NwYW4+IDxicj48c3Bh biBzdHlsZT0nZm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiInPjxicj5Gb3IgYXBwbGlj YXRpb25zIHdoaWNoIHVuZGVyc3RhbmQgdGhpcyBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9u IGl0IHByb3ZpZGVzIGxlc3MgYmVuZWZpdHMgPGJyPnRoYW4gdGhlIHByb3Bvc2VkIGNlcnRJbmZv IGV4dGVuc2lvbiwgYnV0IGl0IG1pZ2h0IGJlIHF1aWNrZXIgdG8gaW1wbGVtZW50IGFuZCBpdCBl bmZvcmNlcyBhIHBvbGljeS48L3NwYW4+IDxicj48c3BhbiBzdHlsZT0nZm9udC1mYW1pbHk6IkFy aWFsIiwic2Fucy1zZXJpZiInPjxicj5EZW5pczwvc3Bhbj4gPHNwYW4gc3R5bGU9J2ZvbnQtZmFt aWx5OiJDb3VyaWVyIE5ldyInPjxicj48YnI+PGJyPiZndDsgSSBvYmplY3QgdG8gdGhlIHByb3Bv c2VkIG5ldyB0ZXh0IGFib3V0IENSTEVudHJ5RXh0ZW5zaW9uczxicj4mZ3Q7IGluIHRoZSBjbGFy aWZpY2F0aW9uIGRvY3VtZW50LCBiZWNhdXNlIGFzIGlzLCB3b3VsZCBzaWduaWZpY2FudGx5PGJy PiZndDsgd29yc2VuIHRoZSBkaWZmZXJlbmNlIGJldHdlZW4gUEtJWCBhbmQgWC41MDkgYW5kIG1h a2UgdGhpbmdzPGJyPiZndDsgY2xlYXJseSBpbmNvbXBhdGlibGUgcmF0aGVyIHRoYW4gc2xpZ2h0 bHkgbGVzcyBlZmZpY2llbnQuPGJyPiZndDsgPGJyPiZndDsgSWYgYW55dGhpbmcsIHRoZSBnYXAg c2hvdWxkIGJlIHJlZHVjZWQsIGNvbXBhdGliaWxpdHkgYmV0d2Vlbjxicj4mZ3Q7IFBLSVggYW5k IFguNTA5IGltcHJvdmVkIGFuZCB0aGUgb3JpZ2luYWwgYXJjaGl0ZWN0dXJlIG5vdCB2aW9sYXRl ZC48YnI+Jmd0OyA8YnI+Jmd0OyBQbGVhc2UgcmVjYWxsIHRoZSBvcmlnaW5hbCBOT1RFIDQgJmFt cDsgNSB0aGF0IEkgcXVvdGVkIGZyb208YnI+Jmd0OyBJVFUtVCBSZWMuIFguNTA5ICgwOC8yMDA1 KSwgU2VjdGlvbiA3LjMsIHRvcCBvZiBwYWdlIDE4Ojxicj4mZ3Q7IChnZXQgdGhlbSBoZXJlIDwv c3Bhbj48YSBocmVmPSJodHRwOi8vd3d3Lml0dS5pbnQvcmVjL1QtUkVDLVguNTA5Ij48c3BhbiBz dHlsZT0nZm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Iic+aHR0cDovL3d3dy5pdHUuaW50L3JlYy9U LVJFQy1YLjUwOTwvc3Bhbj48L2E+PHNwYW4gc3R5bGU9J2ZvbnQtZmFtaWx5OiJDb3VyaWVyIE5l dyInPik6PGJyPiZndDsgPGJyPiZndDsgYSZndDsgJm5ic3A7Tk9URSA0IC0tIFdoZW4gYW4gaW1w bGVtZW50YXRpb24gcHJvY2Vzc2luZyBhIGNlcnRpZmljYXRlIHJldm9jYXRpb248YnI+Jmd0OyBh Jmd0OyAmbmJzcDtsaXN0IGRvZXMgbm90IHJlY29nbml6ZSBhIGNyaXRpY2FsIGV4dGVuc2lvbiBp biB0aGUgY3JsRW50cnlFeHRlbnNpb25zPGJyPiZndDsgYSZndDsgJm5ic3A7ZmllbGQsIGl0IHNo YWxsIGFzc3VtZSB0aGF0LCBhdCBhIG1pbmltdW0sIHRoZSBpZGVudGlmaWVkIGNlcnRpZmljYXRl PGJyPiZndDsgYSZndDsgJm5ic3A7aGFzIGJlZW4gcmV2b2tlZCBhbmQgaXMgbm8gbG9uZ2VyIHZh bGlkIGFuZCBwZXJmb3JtIGFkZGl0aW9uYWwgYWN0aW9uczxicj4mZ3Q7IGEmZ3Q7ICZuYnNwO2Nv bmNlcm5pbmcgdGhhdCByZXZva2VkIGNlcnRpZmljYXRlIGFzIGRpY3RhdGVkIGJ5IGxvY2FsIHBv bGljeS48YnI+Jmd0OyA8YnI+Jmd0OyBiJmd0OyAmbmJzcDtXaGVuIGFuIGltcGxlbWVudGF0aW9u IGRvZXMgbm90IHJlY29nbml6ZSBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGU8YnI+Jmd0OyBi Jmd0OyAmbmJzcDtjcmxFeHRlbnNpb25zIGZpZWxkLCBpdCBzaGFsbCBhc3N1bWUgdGhhdCBpZGVu dGlmaWVkIGNlcnRpZmljYXRlczxicj4mZ3Q7IGImZ3Q7ICZuYnNwO2hhdmUgYmVlbiByZXZva2Vk IGFuZCBhcmUgbm8gbG9uZ2VyIHZhbGlkLjxicj4mZ3Q7IDxicj4mZ3Q7IGMmZ3Q7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBIb3dldmVyIGluIHRoZSBsYXR0ZXIgY2Fz ZSw8YnI+Jmd0OyBjJmd0OyAmbmJzcDtzaW5jZSB0aGUgbGlzdCBtYXkgbm90IGJlIGNvbXBsZXRl LCBjZXJ0aWZpY2F0ZXMgdGhhdCBoYXZlIG5vdCBiZWVuPGJyPiZndDsgYyZndDsgJm5ic3A7aWRl bnRpZmllZCBhcyBiZWluZyByZXZva2VkIGNhbm5vdCBiZSBhc3N1bWVkIHRvIGJlIHZhbGlkLiBJ biB0aGlzIGNhc2U8YnI+Jmd0OyBjJmd0OyAmbmJzcDtsb2NhbCBwb2xpY3kgc2hhbGwgZGljdGF0 ZSB0aGUgYWN0aW9uIHRvIGJlIHRha2VuLiBJbiBhbnkgY2FzZSBsb2NhbDxicj4mZ3Q7IGMmZ3Q7 ICZuYnNwO3BvbGljeSBtYXkgZGljdGF0ZSBhY3Rpb25zIGluIGFkZGl0aW9uIHRvIGFuZC9vciBz dHJvbmdlciB0aGFuIHRob3NlPGJyPiZndDsgYyZndDsgJm5ic3A7c3RhdGVkIGluIHRoaXMgU3Bl Y2lmaWNhdGlvbi48YnI+Jmd0OyA8YnI+Jmd0OyBkJmd0OyAmbmJzcDtOT1RFIDUgLS0gSWYgYW4g ZXh0ZW5zaW9uIGFmZmVjdHMgdGhlIHRyZWF0bWVudCBvZiB0aGUgbGlzdDxicj4mZ3Q7IGQmZ3Q7 ICZuYnNwOyhlLmcuLCBtdWx0aXBsZSBDUkxzIG5lZWQgdG8gYmUgc2Nhbm5lZCB0byBleGFtaW5l IHRoZSBlbnRpcmUgbGlzdCBvZjxicj4mZ3Q7IGQmZ3Q7ICZuYnNwO3Jldm9rZWQgY2VydGlmaWNh dGVzLCBvciBhbiBlbnRyeSBtYXkgcmVwcmVzZW50IGEgcmFuZ2Ugb2YgY2VydGlmaWNhdGVzKSw8 YnI+Jmd0OyBkJmd0OyAmbmJzcDt0aGVuIHRoYXQgZXh0ZW5zaW9uIHNoYWxsIGJlIGluZGljYXRl ZCBhcyBjcml0aWNhbCBpbiB0aGUgY3JsRXh0ZW5zaW9uczxicj4mZ3Q7IGQmZ3Q7ICZuYnNwO2Zp ZWxkIHJlZ2FyZGxlc3Mgb2Ygd2hlcmUgdGhlIGV4dGVuc2lvbiBpcyBwbGFjZWQgaW4gdGhlIENS TC48YnI+Jmd0OyA8YnI+Jmd0OyBlJmd0OyAmbmJzcDtBbiBleHRlbnNpb24gaW5kaWNhdGVkIGlu IHRoZSBjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkgc2hhbGw8YnI+Jmd0OyBl Jmd0OyAmbmJzcDtiZSBwbGFjZWQgaW4gdGhhdCBlbnRyeSBhbmQgc2hhbGwgYWZmZWN0IG9ubHkg dGhlIGNlcnRpZmljYXRlKHMpPGJyPiZndDsgZSZndDsgJm5ic3A7c3BlY2lmaWVkIGluIHRoYXQg ZW50cnkuPGJyPiZndDsgPGJyPiZndDsgPGJyPiZndDsgKEkgaW5zZXJ0ZWQgYmxhbmsgbGluZXMg YWJvdmUgZm9yIHZpc3VhbCBjbGFyaXR5IG9mIHRoZSBYLjUwOSByZXF1aXJlbWVudHMpLjxicj4m Z3Q7IDxicj4mZ3Q7IHR3byBvcHRpb25zLCBhbGwgY29tYmluYXRpb25zOjxicj4mZ3Q7IDxicj4m Z3Q7ICZuYnNwOygxKSBjZXJ0ICZuYnNwOyAmbmJzcDsgb24gQ1JMLCBDUkwgd2l0aCBOTyB1bnJl Y29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb25zIDxicj4mZ3Q7ICZuYnNwOygyKSBj ZXJ0IE5PVCBvbiBDUkwsIENSTCB3aXRoIE5PIHVucmVjb2duaXplZCBjcml0aWNhbCBDUkxFbnRy eUV4dGVuc2lvbnMgPGJyPiZndDsgJm5ic3A7KDMpIGNlcnQgJm5ic3A7ICZuYnNwOyBvbiBDUkws IENSTCB3aXRoICZuYnNwOyAmbmJzcDt1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRl bnNpb248YnI+Jmd0OyAmbmJzcDsoNCkgY2VydCBOT1Qgb24gQ1JMLCBDUkwgd2l0aCAmbmJzcDsg Jm5ic3A7dW5yZWNvZ25pemVkIGNyaXRpY2FsIENSTEVudHJ5RXh0ZW5zaW9uPGJyPiZndDsgPGJy PiZndDsgPGJyPiZndDsgSSBob3BlIHdlIGFncmVlIHRoYXQgWC41MDkgYW5kIHJmYzUyODAgYWdy ZWUgb24gKDEpIGFuZCAoMikgcmVzdWx0czxicj4mZ3Q7IGZvciBDUkwgY2hlY2tpbmcuPGJyPiZn dDsgPGJyPiZndDsgcmZjNTI4MCBjdXJyZW50bHkgc2F5cyB0aGF0IGZvciAoMykrKDQpIHRoZSBl bnRpcmUgQ1JMIG91Z2h0IHRvIGJlIGlnbm9yZWQ8YnI+Jmd0OyBhbmQgb3RoZXIgQ1JMcyBuZWVk IHRvIGJlIGV2YWx1YXRlZCAmcXVvdDtVTkRFVEVSTUlORUQmcXVvdDs8YnI+Jmd0OyA8YnI+Jmd0 OyBYLjUwOSBzYXlzIGluIChhJmd0OykgdGhhdCBmb3IgKDMpIHRoZSBzdGF0dXMgb2YgdGhlIGNl cnQgaXMgZGVmaW5pdGVseSByZXZva2VkPGJyPiZndDsgYW5kIHNheXMgaW4gKGMmZ3Q7KSBmb3Ig KDQpIHRoYXQgdGhlIENSTCBvdWdodCB0byBiZSBpZ25vcmVkIGFuZCBvdGhlciBDUkxzIG5lZWQ8 YnI+Jmd0OyB0byBiZSBldmFsdWF0ZWQgJnF1b3Q7VU5ERVRFUk1JTkVEJnF1b3Q7PGJyPiZndDsg PGJyPiZndDsgV2hpbGUgYm90aCBYLjUwOSBhbmQgcmZjNTI4MCBhZ3JlZSBvbiB0aGUgcmVzdWx0 IGZvciAoNCkgJnF1b3Q7VU5ERVRFUk1JTkVEJnF1b3Q7LDxicj4mZ3Q7IHRoZXJlIGlzIHRoZSBz dXBlcmZpY2lhbCBhcHBlYXJhbmNlIG9mIGEgZGlmZmVyZW5jZSBmb3IgYSBjYXN1YWw8YnI+Jmd0 OyBpbXBsZW1lbnRlciBmb3IgY2FzZSAoMykgYmV0d2VlbiBYLjUwOSAmcXVvdDtSRVZPS0VEJnF1 b3Q7IGFuZCByZmM1MjgwICZxdW90O1VOREVURVJNSU5FRCZxdW90Ozxicj4mZ3Q7IHRoYXQgbWln aHQgbGVhZCB0byBhIHNsaWdodGx5IGxlc3MgZWZmaWNpZW50IHByb2Nlc3NpbmcgQ1JMcy48YnI+ Jmd0OyA8YnI+Jmd0OyA8YnI+Jmd0OyBUaGUgbmV3bHkgcHJvcG9zZWQgdGV4dCAoaW4gLTA5KTo8 YnI+Jmd0OyA8YnI+Jmd0OyB8ICZuYnNwOyAmbmJzcDsgSWYgYSBDUkwgY29udGFpbnMgYSBjcml0 aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uPGJyPiZndDsgfCAmbmJzcDsgJm5ic3A7IHRoYXQgdGhl IGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzLCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBNVVNUPGJy PiZndDsgfCAmbmJzcDsgJm5ic3A7IE5PVCB1c2UgdGhhdCBDUkwgdG8gZGV0ZXJtaW5lIHRoZSBz dGF0dXMgb2YgdGhlIGNlcnRpZmljYXRlPGJyPiZndDsgfCAmbmJzcDsgJm5ic3A7IHJlcHJlc2Vu dGVkIGJ5IHRoZSBDUkwgZW50cnkuICZuYnNwOzxicj4mZ3Q7IDxicj4mZ3Q7IGNyZWF0ZXMgYSBz aWduaWZpY2FudGx5IGRpc3RpbmN0IGJlaGF2aW91ciBmb3IgY2FzZSAoNCkgd2hlcmUgWC41MDk8 YnI+Jmd0OyBhbmQgcmZjNTI4MCBhZ3JlZWQgb24gJnF1b3Q7VU5ERVRFUk1JTkVEJnF1b3Q7LCBi eSByZWRlZmluaW5nIHRoZSByZXN1bHQgdG88YnI+Jmd0OyBiZSAmcXVvdDtVTlJFVk9LRUQmcXVv dDssIGFuZCBwb3RlbnRpYWxseSBjcmVhdGVzIGEgc2VjdXJpdHkgcHJvYmxlbSwgYW5kIGE8YnI+ Jmd0OyBuZXcsIGJhY2t3YXJkcy1pbmNvbXBhdGlibGUgYmVoYXZpb3VyIGZvciBhIHNpdHVhdGlv biB3aGVyZTxicj4mZ3Q7IFguNTA5IGFuZCByZmM1MjgwIHVzZWQgdG8gYWdyZWUuIFN0aWxsLCB0 aGUgbmV3IHRleHQgZG9lcyBub3QgZG88YnI+Jmd0OyBhbnl0aGluZyBhYm91dCBjYXNlICgzKSwg dGhlIG9ubHkgY2FzZSB3aGVyZSBYLjUwOSBhbmQgcmZjNTI4MDxicj4mZ3Q7IGFwcGVhciB0byBk aWZmZXIgKGluIGEgbW9zdGx5IG1hcmdpbmFsIGZhc2hpb24pLjxicj4mZ3Q7IDxicj4mZ3Q7IDxi cj4mZ3Q7IEEgY2FyZWZ1bCBpbXBsZW1lbnRvciwgdGhhdCBhbmFseXplcyBOT1RFIDQgYW5kIE5P VEUgNSBmcm9tIFguNTA5PGJyPiZndDsgcXVvdGVkIGFib3ZlIGluIGl0cyBlbnRpcmV0eSwgc2hv dWxkIHJlYWxpemUgdGhhdCB0aGUgc2l0dWF0aW9uPGJyPiZndDsgd2hlcmUgWC41MDkgYW5kIHJm YzUyODAgZGlmZmVyIGlzIG1hcmdpbmFsLjxicj4mZ3Q7IDxicj4mZ3Q7IFRoaXMgaXMgYmVjYXVz ZSAoZCZndDspIGluIE5PVEUgNSBhYm92ZSByZXF1aXJlcyAoJnF1b3Q7c2hhbGwmcXVvdDspIHRo YXQgYTxicj4mZ3Q7IGNyaXRpY2FsIGNybEVudHJ5RXh0ZW5zaW9uIHdpdGggYSBzZW1hbnRpYyBi ZXlvbmQgJnF1b3Q7dGhpcyBjZXJ0IGlzPGJyPiZndDsgcmV2b2tlZCZxdW90OyksIE1VU1QgYmUg YWRkaXRpb25hbGx5IGluY2x1ZGVkIGFzIGEgY3JpdGljYWwgY3JsRXh0ZW5zaW9uLDxicj4mZ3Q7 IHdpdGggdGhlIGVmZmVjdCB0aGF0IHRoZSBlbnRpcmUgQ1JMIHdpbGwgaGF2ZSB0byBiZSBpZ25v cmVkIGJ5PGJyPiZndDsgYm90aCBYLjUwOSBhbmQgcmZjNTI4MCBpbXBsZW1lbnRhdGlvbnMgdGhh dCBkbyBub3QgcmVjb2duaXplPGJyPiZndDsgdGhlIGNybEV4dGVuc2lvbi4gJm5ic3A7U28gYWxs IGNvbXBsaWFudCBDUkxzIHdpdGggYSAmcXVvdDtmYW5jeSZxdW90Ozxicj4mZ3Q7IHVucmVjb2du aXplZCBjcml0aWNhbCBjcmxFbnRyeUV4dGVuc2lvbiwgdGhlIGFjY29tcGFueWluZzxicj4mZ3Q7 IHVucmVjb2duaXplZCBjcml0aWNhbCBjcmxFeHRlbnNpb24gd2lsbCBjYXVzZSBYLjUwOSBhbmQg cmZjNTI4MDxicj4mZ3Q7IHRvIGFncmVlIG9uICgzKSB0byByZXR1cm4gJnF1b3Q7VU5ERVRFUk1J TkVEJnF1b3Q7IGFuZCByZXF1aXJlIG90aGVyPGJyPiZndDsgQ1JMcyB0byBiZSBjaGVja2VkLiA8 YnI+Jmd0OyA8YnI+Jmd0OyA8YnI+Jmd0OyAtTWFydGluPGJyPiZndDsgX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188YnI+Jmd0OyBwa2l4IG1haWxpbmcgbGlz dDxicj4mZ3Q7IDwvc3Bhbj48YSBocmVmPSJtYWlsdG86cGtpeEBpZXRmLm9yZyI+PHNwYW4gc3R5 bGU9J2ZvbnQtZmFtaWx5OiJDb3VyaWVyIE5ldyInPnBraXhAaWV0Zi5vcmc8L3NwYW4+PC9hPjxz cGFuIHN0eWxlPSdmb250LWZhbWlseToiQ291cmllciBOZXciJz48YnI+Jmd0OyA8L3NwYW4+PGEg aHJlZj0iaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9wa2l4Ij48c3BhbiBz dHlsZT0nZm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Iic+aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFp bG1hbi9saXN0aW5mby9wa2l4PC9zcGFuPjwvYT4gPG86cD48L286cD48L3A+PC9kaXY+PC9ib2R5 PjwvaHRtbD4= --_000_B83745DA469B7847811819C5005244AF362EC9B3scygexch7cygnac_-- From piyush@identicate.com Mon Sep 17 07:55:52 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2F8721F8533 for ; Mon, 17 Sep 2012 07:55:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rkOpE8gK8H8q for ; Mon, 17 Sep 2012 07:55:51 -0700 (PDT) Received: from db3outboundpool.messaging.microsoft.com (db3ehsobe004.messaging.microsoft.com [213.199.154.142]) by ietfa.amsl.com (Postfix) with ESMTP id 28FDD21F8527 for ; Mon, 17 Sep 2012 07:55:49 -0700 (PDT) Received: from mail104-db3-R.bigfish.com (10.3.81.250) by DB3EHSOBE008.bigfish.com (10.3.84.28) with Microsoft SMTP Server id 14.1.225.23; Mon, 17 Sep 2012 14:55:48 +0000 Received: from mail104-db3 (localhost [127.0.0.1]) by mail104-db3-R.bigfish.com (Postfix) with ESMTP id AB2A1480166; Mon, 17 Sep 2012 14:55:48 +0000 (UTC) X-Forefront-Antispam-Report: CIP:157.56.244.229; KIP:(null); UIP:(null); IPV:NLI; H:CH1PRD0610HT002.namprd06.prod.outlook.com; RD:none; EFVD:NLI X-SpamScore: -22 X-BigFish: PS-22(zzbb2dI9371Ic89bh1432Ic857hd6eahd6f1izz1202h1d1ah1d2ahzz8275ch1033IL17326ah8275bh8275dhz2fh2a8h668h839hd25hf0ah107ah1288h12a5h12bdh1155h) Received-SPF: pass (mail104-db3: domain of identicate.com designates 157.56.244.229 as permitted sender) client-ip=157.56.244.229; envelope-from=piyush@identicate.com; helo=CH1PRD0610HT002.namprd06.prod.outlook.com ; .outlook.com ; Received: from mail104-db3 (localhost.localdomain [127.0.0.1]) by mail104-db3 (MessageSwitch) id 134789374635977_17029; Mon, 17 Sep 2012 14:55:46 +0000 (UTC) Received: from DB3EHSMHS009.bigfish.com (unknown [10.3.81.254]) by mail104-db3.bigfish.com (Postfix) with ESMTP id 05DCC1E0097; Mon, 17 Sep 2012 14:55:46 +0000 (UTC) Received: from CH1PRD0610HT002.namprd06.prod.outlook.com (157.56.244.229) by DB3EHSMHS009.bigfish.com (10.3.87.109) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 17 Sep 2012 14:55:43 +0000 Received: from CH1PRD0610MB393.namprd06.prod.outlook.com ([169.254.11.24]) by CH1PRD0610HT002.namprd06.prod.outlook.com ([10.255.151.37]) with mapi id 14.16.0175.005; Mon, 17 Sep 2012 14:55:41 +0000 From: Piyush Jain To: "denis.pinkas@bull.net" , Santosh Chokhani Thread-Topic: [pkix] 5280bis, v-09 Thread-Index: AQHNj4Or+HT2+Q6yxkWqbc8OyTbOnJeHbVEAgAbEwwCAAG5aAIAABcsAgAABQmA= Date: Mon, 17 Sep 2012 14:55:41 +0000 Message-ID: References: <504E13CB.8080001@bbn.com> <20120913002444.80A791A216@ld9781.wdf.sap.corp> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [75.25.128.241] Content-Type: multipart/alternative; boundary="_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC1E20CH1PRD0610MB393_" MIME-Version: 1.0 X-OriginatorOrg: identicate.com Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 14:55:52 -0000 --_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC1E20CH1PRD0610MB393_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 VGhhbmtzIERlbmlzLA0KDQpJIGd1ZXNzIHlvdXIgcmVjb21tZW5kYXRpb24gaXMgYWxyZWFkeSBj YXB0dXJlZCBpbiB0aGlzIHRleHQgZnJvbSBkcmFmdC0wOS4NCuKAnElmIGEgQ1JMIGNvbnRhaW5z IGEgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiB0aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5u b3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVCAgTk9UIHVzZSB0aGF0IENSTCB0 byBkZXRlcm1pbmUgdGhlIHN0YXR1cyBvZiB0aGUgY2VydGlmaWNhdGUgcmVwcmVzZW50ZWQgYnkg dGhlIENSTCBlbnRyeS7igJ0NCg0KSG93ZXZlciwgdGhpcyByZWNvbW1lbmRhdGlvbiBpcyBub3Qg YWxpZ25lZCB3aXRoIFguNTA5IHdoaWNoIHJlY29tbWVuZHMgdGhhdCB0aGUgY2VydGlmaWNhdGUg c2hvdWxkIGJlIGNvbnNpZGVyZWQgcmV2b2tlZC4NClNhbnRvc2jigJlzIHByb3Bvc2VkIGFkZGl0 aW9uIGFsaWducyA1MjgwIHdpdGggWC41MDkuDQoNCknigJlsbCBiZSBpbnRlcmVzdGVkIGluIHVu ZGVyc3RhbmRpbmcgaWYgdGhlcmUgYXJlIGFueSBzdHJvbmcgcmVhc29ucyBmb3IgeW91ciBwcm9w b3NhbCBmb3IgZGV2aWF0aW5nIGZyb20gWC41MDkgb24gdGhpcy4NCg0KLVBpeXVzaA0KDQoNCkZy b206IGRlbmlzLnBpbmthc0BidWxsLm5ldCBbbWFpbHRvOmRlbmlzLnBpbmthc0BidWxsLm5ldF0N ClNlbnQ6IE1vbmRheSwgU2VwdGVtYmVyIDE3LCAyMDEyIDc6NDIgQU0NClRvOiBTYW50b3NoIENo b2toYW5pDQpDYzogbXJleEBzYXAuY29tOyBQaXl1c2ggSmFpbjsgcGtpeA0KU3ViamVjdDogUkU6 IFtwa2l4XSA1MjgwYmlzLCB2LTA5DQoNClNhbnRvc2gsIFBpeXVzaCBhbmQgTWFydGluLA0KDQpT b3JyeSwgSSBtYWRlIGEgbWlzdGFrZSB3aGVuIG1ha2luZyBteSBwcm9wb3NhbCB0aGlzIG1vcm5p bmcuDQpJIHdyb3RlICJyZXZva2VkIiwgYnV0IHdhcyBhZHZvY2F0aW5nICJ1bmtub3duIi4NCg0K QmFzZWQgb24gdGhlIGxhdGVzdCB0ZXh0IHByb3Bvc2VkIGZyb20gU2FudG9zaCwgSSB3b3VsZCBy YXRoZXIgcHJlZmVyOg0KDQpJZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcyBhIGNyaXRp Y2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRW50cnlFeHRlbnNpb25zIGZpZWxkIG9mIGFuIGVudHJ5 DQp0aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNhdGUgc3BlY2lmaWVkIGluIHRoYXQgZW50 cnksIGFzIGluZGljYXRlZCBieSB0aGUgYWJzZW5jZSBvZiBhIHJlbGF0ZWQNCmNyaXRpY2FsIGV4 dGVuc2lvbiBpbiB0aGUgY3JsRXh0ZW5zaW9ucyBmaWVsZCwgdGhlbiB0aGUgc3RhdHVzIG9mIGNl cnRpZmljYXRlIGlkZW50aWZpZWQgYnkgdGhlIENSTCBlbnRyeQ0Kc2hhbGwgYmUgY29uc2lkZXJl ZCB1bmtvd24uDQoNCmluc3RlYWQgb2YgOg0KDQpJZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJv Y2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRW50cnlFeHRlbnNpb25zIGZpZWxk IG9mIGFuIGVudHJ5DQp0aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNhdGUgc3BlY2lmaWVk IGluIHRoYXQgZW50cnksIGFzIGluZGljYXRlZCBieSB0aGUgYWJzZW5jZSBvZiBhIHJlbGF0ZWQN CmNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRXh0ZW5zaW9ucyBmaWVsZCwgdGhlbiB0aGUg Y2VydGlmaWNhdGUgaWRlbnRpZmllZCBieSB0aGUgQ1JMIGVudHJ5DQpzaGFsbCBiZSBjb25zaWRl cmVkIHJldm9rZWQuDQoNCkRlbmlzDQoNCg0KDQoNCg0KDQoNCg0KDQpEZSA6ICAgICAgICBTYW50 b3NoIENob2toYW5pIDxTQ2hva2hhbmlAY3lnbmFjb20uY29tPG1haWx0bzpTQ2hva2hhbmlAY3ln bmFjb20uY29tPj4NCkEgOiAgICAgICAgImRlbmlzLnBpbmthc0BidWxsLm5ldDxtYWlsdG86ZGVu aXMucGlua2FzQGJ1bGwubmV0PiIgPGRlbmlzLnBpbmthc0BidWxsLm5ldDxtYWlsdG86ZGVuaXMu cGlua2FzQGJ1bGwubmV0Pj4sICJtcmV4QHNhcC5jb208bWFpbHRvOm1yZXhAc2FwLmNvbT4iIDxt cmV4QHNhcC5jb208bWFpbHRvOm1yZXhAc2FwLmNvbT4+LCBQaXl1c2ggSmFpbiA8cGl5dXNoQGlk ZW50aWNhdGUuY29tPG1haWx0bzpwaXl1c2hAaWRlbnRpY2F0ZS5jb20+Pg0KQ2MgOiAgICAgICAg cGtpeCA8cGtpeEBpZXRmLm9yZzxtYWlsdG86cGtpeEBpZXRmLm9yZz4+DQpEYXRlIDogICAgICAg IDE3LzA5LzIwMTIgMTY6MjENCk9iamV0IDogICAgICAgIFJFOiBbcGtpeF0gNTI4MGJpcywgdi0w OQ0KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCg0KDQoNClRoaXMgYWxzbyByZWxh dGVzIHRvIGVhcmxpZXIgcG9zdCBJIG1hZGUgaW4gcmVzcG9uc2UgdG8gUGl5dXNoLg0KDQpJIGFz c3VtZSB3ZSBhcmUgYWRkaW5nIHRoZSBmb2xsb3dpbmcgdG8gdGhlIFJGQyDigJxBIGNyaXRpY2Fs IGV4dGVuc2lvbiBpbiB0aGUgY3JsRW50cnlFeHRlbnNpb25zIGZpZWxkIG9mIGFuIGVudHJ5IHNo YWxsIGFmZmVjdCBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwg dW5sZXNzIHRoZXJlIGlzIGEgcmVsYXRlZCBjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlIGNybEV4 dGVuc2lvbnMgZmllbGQgdGhhdCBhZHZlcnRpc2VzIGEgc3BlY2lhbCB0cmVhdG1lbnQgZm9yIGl0 LuKAnSAgSW4gb3JkZXIgdG8gdXNlIHN1Y2ggQ1JMLCB0aGUgcmVseWluZyBwYXJ0eSBtdXN0IGJl IGFibGUgdG8gcHJvY2VzcyBib3RoIHRoZSBjcmxFbnRyeUV4dGVuc2lvbiBhbmQgdGhlIHJlbGF0 ZWQgY3JsRXh0ZW5zaW9uLuKAnQ0KDQpJbiB0aGF0IGNhc2UsIEkgZG8gbm90IG1pbmQgYWRkaW5n IHRoZSBmb2xsb3dpbmcgdG8gNTI4MCAoYSBzbGlnaHQgbW9kaWZpY2F0aW9uIHRvIHdoYXQgRGVu aXMgaGFzOg0KDQpJZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcyBhIGNyaXRpY2FsIGV4 dGVuc2lvbiBpbiB0aGUgY3JsRW50cnlFeHRlbnNpb25zIGZpZWxkIG9mIGFuIGVudHJ5IHRoYXQg YWZmZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgYXMg aW5kaWNhdGVkIGJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZCBjcml0aWNhbCBleHRlbnNpb24g aW4gdGhlIGNybEV4dGVuc2lvbnMgZmllbGQsIHRoZW4gdGhlIGNlcnRpZmljYXRlIGlkZW50aWZp ZWQgYnkgdGhlIENSTCBlbnRyeSBzaGFsbCBiZSBjb25zaWRlcmVkIHJldm9rZWQuDQoNCkZyb206 IHBraXgtYm91bmNlc0BpZXRmLm9yZzxtYWlsdG86cGtpeC1ib3VuY2VzQGlldGYub3JnPiBbbWFp bHRvOnBraXgtYm91bmNlc0BpZXRmLm9yZ10gT24gQmVoYWxmIE9mIGRlbmlzLnBpbmthc0BidWxs Lm5ldDxtYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0Pg0KU2VudDogTW9uZGF5LCBTZXB0ZW1i ZXIgMTcsIDIwMTIgMzo0NyBBTQ0KVG86IG1yZXhAc2FwLmNvbTxtYWlsdG86bXJleEBzYXAuY29t PjsgUGl5dXNoIEphaW4NCkNjOiBwa2l4DQpTdWJqZWN0OiBSZTogW3BraXhdIDUyODBiaXMsIHYt MDkNCg0KR29vZCBjYXRjaCBNYXJ0aW4sDQoNCllvdSBjYW1lIGJhY2sgZnJvbSB2YWNhdGlvbiBq dXN0IGluIHRpbWUuIDotKQ0KDQpJIHByb3Bvc2UgdGhlIGZvbGxvd2luZzoNCg0KUmVwbGFjZToN Cg0KfCAgICAgSWYgYSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9u DQp8ICAgICB0aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBw bGljYXRpb24gTVVTVA0KfCAgICAgTk9UIHVzZSB0aGF0IENSTCB0byBkZXRlcm1pbmUgdGhlIHN0 YXR1cyBvZiBhbnkgY2VydGlmaWNhdGVzLg0KDQp3aXRoDQoNCnwgICAgIElmIGEgQ1JMIGNvbnRh aW5zIGluIGEgQ1JMIGVudHJ5IGEgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbg0KfCAgICAg dGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0aW9u IE1VU1QNCnwgICAgIGNvbnNpZGVyIHRoYXQgdGhlIGNlcnRpZmljYXRlIGlkZW50aWZpZWQgaW4g dGhhdCBDUkwgZW50cnkgaXMNCnwgICAgIHJldm9rZWQuDQoNCkluIG9yZGVyIHRvIGFuc3dlciB0 byBQaXl1c2gsIEkgYmVsaWV2ZSB0aGF0IOKAnHVua25vd27igJ0gc2hvdWxkIGJlIHVzZWQgcmF0 aGVyIHRoYW4g4oCccmV2b2tlZOKAnS4NCg0KVGhlIGZvbGxvd2luZyBleGFtcGxlIGlzIGFuIGls bHVzdHJhdGlvbjoNCg0KVGhlIHN0YXR1cyBvZiBhIGdpdmVuIGNlcnRpZmljYXRlIGlzIGluZGlj YXRlZCBhcyDigJxnb29k4oCdLCBidXQgdGhlcmUgaXMgYSBDUkwgZW50cnkgd2l0aCBhIGNyaXRp Y2FsDQpDUkwgZW50cnkgZXh0ZW5zaW9uLiBUaGlzIGVudHJ5IG1lYW5zIChmb3IgdGhlIGFwcGxp Y2F0aW9ucyB3aGljaCB1bmRlcnN0YW5kIGl0KSA6DQoNCiJUaGUgc3RhdHVzIHdoaWNoIGlzIHVz dWFsbHkgb2J0YWluZWQgdXNpbmcgYSBkYXRhYmFzZSBvZiBpc3N1ZWQgY2VydGlmaWNhdGVzIGhh cyBiZWVuIG9idGFpbmVkIGZyb20gQ1JMcy4NCklmIHlvdSByZWFsbHkgbmVlZCB0byB0YWtlIGEg ZGVjaXNpb24gbm93LCBpdCBpcyBhdCB5b3VyIG93biByaXNrLiBJZiB5b3UgY2FuIHdhaXQsIHlv dSBoYWQgYmV0dGVyIHRvIHRyeSBhZ2FpbiBsYXRlciBvbiIuDQoNCllvdXIgbmV4dCBxdWVzdGlv biB3aWxsIGNlcnRhaW5seSBiZTogc28gd2h5IGRvbuKAmXQgeW91IHVzZSB0aGUgcHJvcG9zZWQg Y2VydEluZm8gZXh0ZW5zaW9uID8NCg0KRm9yIGFwcGxpY2F0aW9ucyB3aGljaCBkbyBub3QgdW5k ZXJzdGFuZCB0aGlzIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24sIHRoZXJlIGlzIG5vIGRp ZmZlcmVuY2UuDQpUaGV5IGdldCBhbiAidW5rbm93biIgc3RhdHVzIGluIGJvdGggY2FzZXMuDQoN CkZvciBhcHBsaWNhdGlvbnMgd2hpY2ggdW5kZXJzdGFuZCB0aGlzIGNyaXRpY2FsIENSTCBlbnRy eSBleHRlbnNpb24gaXQgcHJvdmlkZXMgbGVzcyBiZW5lZml0cw0KdGhhbiB0aGUgcHJvcG9zZWQg Y2VydEluZm8gZXh0ZW5zaW9uLCBidXQgaXQgbWlnaHQgYmUgcXVpY2tlciB0byBpbXBsZW1lbnQg YW5kIGl0IGVuZm9yY2VzIGEgcG9saWN5Lg0KDQpEZW5pcw0KDQoNCj4gSSBvYmplY3QgdG8gdGhl IHByb3Bvc2VkIG5ldyB0ZXh0IGFib3V0IENSTEVudHJ5RXh0ZW5zaW9ucw0KPiBpbiB0aGUgY2xh cmlmaWNhdGlvbiBkb2N1bWVudCwgYmVjYXVzZSBhcyBpcywgd291bGQgc2lnbmlmaWNhbnRseQ0K PiB3b3JzZW4gdGhlIGRpZmZlcmVuY2UgYmV0d2VlbiBQS0lYIGFuZCBYLjUwOSBhbmQgbWFrZSB0 aGluZ3MNCj4gY2xlYXJseSBpbmNvbXBhdGlibGUgcmF0aGVyIHRoYW4gc2xpZ2h0bHkgbGVzcyBl ZmZpY2llbnQuDQo+DQo+IElmIGFueXRoaW5nLCB0aGUgZ2FwIHNob3VsZCBiZSByZWR1Y2VkLCBj b21wYXRpYmlsaXR5IGJldHdlZW4NCj4gUEtJWCBhbmQgWC41MDkgaW1wcm92ZWQgYW5kIHRoZSBv cmlnaW5hbCBhcmNoaXRlY3R1cmUgbm90IHZpb2xhdGVkLg0KPg0KPiBQbGVhc2UgcmVjYWxsIHRo ZSBvcmlnaW5hbCBOT1RFIDQgJiA1IHRoYXQgSSBxdW90ZWQgZnJvbQ0KPiBJVFUtVCBSZWMuIFgu NTA5ICgwOC8yMDA1KSwgU2VjdGlvbiA3LjMsIHRvcCBvZiBwYWdlIDE4Og0KPiAoZ2V0IHRoZW0g aGVyZSBodHRwOi8vd3d3Lml0dS5pbnQvcmVjL1QtUkVDLVguNTA5KToNCj4NCj4gYT4gIE5PVEUg NCAtLSBXaGVuIGFuIGltcGxlbWVudGF0aW9uIHByb2Nlc3NpbmcgYSBjZXJ0aWZpY2F0ZSByZXZv Y2F0aW9uDQo+IGE+ICBsaXN0IGRvZXMgbm90IHJlY29nbml6ZSBhIGNyaXRpY2FsIGV4dGVuc2lv biBpbiB0aGUgY3JsRW50cnlFeHRlbnNpb25zDQo+IGE+ICBmaWVsZCwgaXQgc2hhbGwgYXNzdW1l IHRoYXQsIGF0IGEgbWluaW11bSwgdGhlIGlkZW50aWZpZWQgY2VydGlmaWNhdGUNCj4gYT4gIGhh cyBiZWVuIHJldm9rZWQgYW5kIGlzIG5vIGxvbmdlciB2YWxpZCBhbmQgcGVyZm9ybSBhZGRpdGlv bmFsIGFjdGlvbnMNCj4gYT4gIGNvbmNlcm5pbmcgdGhhdCByZXZva2VkIGNlcnRpZmljYXRlIGFz IGRpY3RhdGVkIGJ5IGxvY2FsIHBvbGljeS4NCj4NCj4gYj4gIFdoZW4gYW4gaW1wbGVtZW50YXRp b24gZG9lcyBub3QgcmVjb2duaXplIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZQ0KPiBiPiAg Y3JsRXh0ZW5zaW9ucyBmaWVsZCwgaXQgc2hhbGwgYXNzdW1lIHRoYXQgaWRlbnRpZmllZCBjZXJ0 aWZpY2F0ZXMNCj4gYj4gIGhhdmUgYmVlbiByZXZva2VkIGFuZCBhcmUgbm8gbG9uZ2VyIHZhbGlk Lg0KPg0KPiBjPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhv d2V2ZXIgaW4gdGhlIGxhdHRlciBjYXNlLA0KPiBjPiAgc2luY2UgdGhlIGxpc3QgbWF5IG5vdCBi ZSBjb21wbGV0ZSwgY2VydGlmaWNhdGVzIHRoYXQgaGF2ZSBub3QgYmVlbg0KPiBjPiAgaWRlbnRp ZmllZCBhcyBiZWluZyByZXZva2VkIGNhbm5vdCBiZSBhc3N1bWVkIHRvIGJlIHZhbGlkLiBJbiB0 aGlzIGNhc2UNCj4gYz4gIGxvY2FsIHBvbGljeSBzaGFsbCBkaWN0YXRlIHRoZSBhY3Rpb24gdG8g YmUgdGFrZW4uIEluIGFueSBjYXNlIGxvY2FsDQo+IGM+ICBwb2xpY3kgbWF5IGRpY3RhdGUgYWN0 aW9ucyBpbiBhZGRpdGlvbiB0byBhbmQvb3Igc3Ryb25nZXIgdGhhbiB0aG9zZQ0KPiBjPiAgc3Rh dGVkIGluIHRoaXMgU3BlY2lmaWNhdGlvbi4NCj4NCj4gZD4gIE5PVEUgNSAtLSBJZiBhbiBleHRl bnNpb24gYWZmZWN0cyB0aGUgdHJlYXRtZW50IG9mIHRoZSBsaXN0DQo+IGQ+ICAoZS5nLiwgbXVs dGlwbGUgQ1JMcyBuZWVkIHRvIGJlIHNjYW5uZWQgdG8gZXhhbWluZSB0aGUgZW50aXJlIGxpc3Qg b2YNCj4gZD4gIHJldm9rZWQgY2VydGlmaWNhdGVzLCBvciBhbiBlbnRyeSBtYXkgcmVwcmVzZW50 IGEgcmFuZ2Ugb2YgY2VydGlmaWNhdGVzKSwNCj4gZD4gIHRoZW4gdGhhdCBleHRlbnNpb24gc2hh bGwgYmUgaW5kaWNhdGVkIGFzIGNyaXRpY2FsIGluIHRoZSBjcmxFeHRlbnNpb25zDQo+IGQ+ICBm aWVsZCByZWdhcmRsZXNzIG9mIHdoZXJlIHRoZSBleHRlbnNpb24gaXMgcGxhY2VkIGluIHRoZSBD UkwuDQo+DQo+IGU+ICBBbiBleHRlbnNpb24gaW5kaWNhdGVkIGluIHRoZSBjcmxFbnRyeUV4dGVu c2lvbnMgZmllbGQgb2YgYW4gZW50cnkgc2hhbGwNCj4gZT4gIGJlIHBsYWNlZCBpbiB0aGF0IGVu dHJ5IGFuZCBzaGFsbCBhZmZlY3Qgb25seSB0aGUgY2VydGlmaWNhdGUocykNCj4gZT4gIHNwZWNp ZmllZCBpbiB0aGF0IGVudHJ5Lg0KPg0KPg0KPiAoSSBpbnNlcnRlZCBibGFuayBsaW5lcyBhYm92 ZSBmb3IgdmlzdWFsIGNsYXJpdHkgb2YgdGhlIFguNTA5IHJlcXVpcmVtZW50cykuDQo+DQo+IHR3 byBvcHRpb25zLCBhbGwgY29tYmluYXRpb25zOg0KPg0KPiAgKDEpIGNlcnQgICAgIG9uIENSTCwg Q1JMIHdpdGggTk8gdW5yZWNvZ25pemVkIGNyaXRpY2FsIENSTEVudHJ5RXh0ZW5zaW9ucw0KPiAg KDIpIGNlcnQgTk9UIG9uIENSTCwgQ1JMIHdpdGggTk8gdW5yZWNvZ25pemVkIGNyaXRpY2FsIENS TEVudHJ5RXh0ZW5zaW9ucw0KPiAgKDMpIGNlcnQgICAgIG9uIENSTCwgQ1JMIHdpdGggICAgdW5y ZWNvZ25pemVkIGNyaXRpY2FsIENSTEVudHJ5RXh0ZW5zaW9uDQo+ICAoNCkgY2VydCBOT1Qgb24g Q1JMLCBDUkwgd2l0aCAgICB1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb24N Cj4NCj4NCj4gSSBob3BlIHdlIGFncmVlIHRoYXQgWC41MDkgYW5kIHJmYzUyODAgYWdyZWUgb24g KDEpIGFuZCAoMikgcmVzdWx0cw0KPiBmb3IgQ1JMIGNoZWNraW5nLg0KPg0KPiByZmM1MjgwIGN1 cnJlbnRseSBzYXlzIHRoYXQgZm9yICgzKSsoNCkgdGhlIGVudGlyZSBDUkwgb3VnaHQgdG8gYmUg aWdub3JlZA0KPiBhbmQgb3RoZXIgQ1JMcyBuZWVkIHRvIGJlIGV2YWx1YXRlZCAiVU5ERVRFUk1J TkVEIg0KPg0KPiBYLjUwOSBzYXlzIGluIChhPikgdGhhdCBmb3IgKDMpIHRoZSBzdGF0dXMgb2Yg dGhlIGNlcnQgaXMgZGVmaW5pdGVseSByZXZva2VkDQo+IGFuZCBzYXlzIGluIChjPikgZm9yICg0 KSB0aGF0IHRoZSBDUkwgb3VnaHQgdG8gYmUgaWdub3JlZCBhbmQgb3RoZXIgQ1JMcyBuZWVkDQo+ IHRvIGJlIGV2YWx1YXRlZCAiVU5ERVRFUk1JTkVEIg0KPg0KPiBXaGlsZSBib3RoIFguNTA5IGFu ZCByZmM1MjgwIGFncmVlIG9uIHRoZSByZXN1bHQgZm9yICg0KSAiVU5ERVRFUk1JTkVEIiwNCj4g dGhlcmUgaXMgdGhlIHN1cGVyZmljaWFsIGFwcGVhcmFuY2Ugb2YgYSBkaWZmZXJlbmNlIGZvciBh IGNhc3VhbA0KPiBpbXBsZW1lbnRlciBmb3IgY2FzZSAoMykgYmV0d2VlbiBYLjUwOSAiUkVWT0tF RCIgYW5kIHJmYzUyODAgIlVOREVURVJNSU5FRCINCj4gdGhhdCBtaWdodCBsZWFkIHRvIGEgc2xp Z2h0bHkgbGVzcyBlZmZpY2llbnQgcHJvY2Vzc2luZyBDUkxzLg0KPg0KPg0KPiBUaGUgbmV3bHkg cHJvcG9zZWQgdGV4dCAoaW4gLTA5KToNCj4NCj4gfCAgICAgSWYgYSBDUkwgY29udGFpbnMgYSBj cml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uDQo+IHwgICAgIHRoYXQgdGhlIGFwcGxpY2F0aW9u IGNhbm5vdCBwcm9jZXNzLCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBNVVNUDQo+IHwgICAgIE5PVCB1 c2UgdGhhdCBDUkwgdG8gZGV0ZXJtaW5lIHRoZSBzdGF0dXMgb2YgdGhlIGNlcnRpZmljYXRlDQo+ IHwgICAgIHJlcHJlc2VudGVkIGJ5IHRoZSBDUkwgZW50cnkuDQo+DQo+IGNyZWF0ZXMgYSBzaWdu aWZpY2FudGx5IGRpc3RpbmN0IGJlaGF2aW91ciBmb3IgY2FzZSAoNCkgd2hlcmUgWC41MDkNCj4g YW5kIHJmYzUyODAgYWdyZWVkIG9uICJVTkRFVEVSTUlORUQiLCBieSByZWRlZmluaW5nIHRoZSBy ZXN1bHQgdG8NCj4gYmUgIlVOUkVWT0tFRCIsIGFuZCBwb3RlbnRpYWxseSBjcmVhdGVzIGEgc2Vj dXJpdHkgcHJvYmxlbSwgYW5kIGENCj4gbmV3LCBiYWNrd2FyZHMtaW5jb21wYXRpYmxlIGJlaGF2 aW91ciBmb3IgYSBzaXR1YXRpb24gd2hlcmUNCj4gWC41MDkgYW5kIHJmYzUyODAgdXNlZCB0byBh Z3JlZS4gU3RpbGwsIHRoZSBuZXcgdGV4dCBkb2VzIG5vdCBkbw0KPiBhbnl0aGluZyBhYm91dCBj YXNlICgzKSwgdGhlIG9ubHkgY2FzZSB3aGVyZSBYLjUwOSBhbmQgcmZjNTI4MA0KPiBhcHBlYXIg dG8gZGlmZmVyIChpbiBhIG1vc3RseSBtYXJnaW5hbCBmYXNoaW9uKS4NCj4NCj4NCj4gQSBjYXJl ZnVsIGltcGxlbWVudG9yLCB0aGF0IGFuYWx5emVzIE5PVEUgNCBhbmQgTk9URSA1IGZyb20gWC41 MDkNCj4gcXVvdGVkIGFib3ZlIGluIGl0cyBlbnRpcmV0eSwgc2hvdWxkIHJlYWxpemUgdGhhdCB0 aGUgc2l0dWF0aW9uDQo+IHdoZXJlIFguNTA5IGFuZCByZmM1MjgwIGRpZmZlciBpcyBtYXJnaW5h bC4NCj4NCj4gVGhpcyBpcyBiZWNhdXNlIChkPikgaW4gTk9URSA1IGFib3ZlIHJlcXVpcmVzICgi c2hhbGwiKSB0aGF0IGENCj4gY3JpdGljYWwgY3JsRW50cnlFeHRlbnNpb24gd2l0aCBhIHNlbWFu dGljIGJleW9uZCAidGhpcyBjZXJ0IGlzDQo+IHJldm9rZWQiKSwgTVVTVCBiZSBhZGRpdGlvbmFs bHkgaW5jbHVkZWQgYXMgYSBjcml0aWNhbCBjcmxFeHRlbnNpb24sDQo+IHdpdGggdGhlIGVmZmVj dCB0aGF0IHRoZSBlbnRpcmUgQ1JMIHdpbGwgaGF2ZSB0byBiZSBpZ25vcmVkIGJ5DQo+IGJvdGgg WC41MDkgYW5kIHJmYzUyODAgaW1wbGVtZW50YXRpb25zIHRoYXQgZG8gbm90IHJlY29nbml6ZQ0K PiB0aGUgY3JsRXh0ZW5zaW9uLiAgU28gYWxsIGNvbXBsaWFudCBDUkxzIHdpdGggYSAiZmFuY3ki DQo+IHVucmVjb2duaXplZCBjcml0aWNhbCBjcmxFbnRyeUV4dGVuc2lvbiwgdGhlIGFjY29tcGFu eWluZw0KPiB1bnJlY29nbml6ZWQgY3JpdGljYWwgY3JsRXh0ZW5zaW9uIHdpbGwgY2F1c2UgWC41 MDkgYW5kIHJmYzUyODANCj4gdG8gYWdyZWUgb24gKDMpIHRvIHJldHVybiAiVU5ERVRFUk1JTkVE IiBhbmQgcmVxdWlyZSBvdGhlcg0KPiBDUkxzIHRvIGJlIGNoZWNrZWQuDQo+DQo+DQo+IC1NYXJ0 aW4NCj4gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCj4g cGtpeCBtYWlsaW5nIGxpc3QNCj4gcGtpeEBpZXRmLm9yZzxtYWlsdG86cGtpeEBpZXRmLm9yZz4N Cj4gaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9wa2l4DQo= --_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC1E20CH1PRD0610MB393_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPCEtLVtp ZiAhbXNvXT48c3R5bGU+dlw6KiB7YmVoYXZpb3I6dXJsKCNkZWZhdWx0I1ZNTCk7fQ0Kb1w6KiB7 YmVoYXZpb3I6dXJsKCNkZWZhdWx0I1ZNTCk7fQ0Kd1w6KiB7YmVoYXZpb3I6dXJsKCNkZWZhdWx0 I1ZNTCk7fQ0KLnNoYXBlIHtiZWhhdmlvcjp1cmwoI2RlZmF1bHQjVk1MKTt9DQo8L3N0eWxlPjwh W2VuZGlmXS0tPjxzdHlsZT48IS0tDQovKiBGb250IERlZmluaXRpb25zICovDQpAZm9udC1mYWNl DQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAxNSA1IDIgMiAyIDQgMyAyIDQ7 fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWlseTpUYWhvbWE7DQoJcGFub3NlLTE6MiAxMSA2IDQg MyA1IDQgNCAyIDQ7fQ0KLyogU3R5bGUgRGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBsaS5N c29Ob3JtYWwsIGRpdi5Nc29Ob3JtYWwNCgl7bWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4w MDAxcHQ7DQoJZm9udC1zaXplOjEyLjBwdDsNCglmb250LWZhbWlseToiVGltZXMgTmV3IFJvbWFu Iiwic2VyaWYiO30NCmE6bGluaywgc3Bhbi5Nc29IeXBlcmxpbmsNCgl7bXNvLXN0eWxlLXByaW9y aXR5Ojk5Ow0KCWNvbG9yOmJsdWU7DQoJdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQphOnZp c2l0ZWQsIHNwYW4uTXNvSHlwZXJsaW5rRm9sbG93ZWQNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5 Ow0KCWNvbG9yOnB1cnBsZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCnNwYW4uRW1h aWxTdHlsZTE3DQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsLXJlcGx5Ow0KCWZvbnQtZmFtaWx5 OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7DQoJY29sb3I6IzFGNDk3RDt9DQouTXNvQ2hwRGVmYXVs dA0KCXttc28tc3R5bGUtdHlwZTpleHBvcnQtb25seTt9DQpAcGFnZSBXb3JkU2VjdGlvbjENCgl7 c2l6ZTo4LjVpbiAxMS4waW47DQoJbWFyZ2luOjEuMGluIDEuMGluIDEuMGluIDEuMGluO30NCmRp di5Xb3JkU2VjdGlvbjENCgl7cGFnZTpXb3JkU2VjdGlvbjE7fQ0KLS0+PC9zdHlsZT48IS0tW2lm IGd0ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlZGVmYXVsdHMgdjpleHQ9ImVkaXQiIHNwaWRtYXg9 IjEwMjYiIC8+DQo8L3htbD48IVtlbmRpZl0tLT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCjxv OnNoYXBlbGF5b3V0IHY6ZXh0PSJlZGl0Ij4NCjxvOmlkbWFwIHY6ZXh0PSJlZGl0IiBkYXRhPSIx IiAvPg0KPC9vOnNoYXBlbGF5b3V0PjwveG1sPjwhW2VuZGlmXS0tPg0KPC9oZWFkPg0KPGJvZHkg bGFuZz0iRU4tVVMiIGxpbms9ImJsdWUiIHZsaW5rPSJwdXJwbGUiPg0KPGRpdiBjbGFzcz0iV29y ZFNlY3Rpb24xIj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZx dW90Oztjb2xvcjojMUY0OTdEIj5UaGFua3MgRGVuaXMsPG86cD48L286cD48L3NwYW4+PC9wPg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMx RjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkm cXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj5JIGd1ZXNzIHlvdXIg cmVjb21tZW5kYXRpb24gaXMgYWxyZWFkeSBjYXB0dXJlZCBpbiB0aGlzIHRleHQgZnJvbSBkcmFm dC0wOS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZx dW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+4oCcSWYgYSBDUkwgY29udGFpbnMg YSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uIHRoYXQgdGhlIGFwcGxpY2F0aW9uIGNhbm5v dCBwcm9jZXNzLCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBNVVNUJm5ic3A7IE5PVCB1c2UgdGhhdCBD UkwgdG8gZGV0ZXJtaW5lIHRoZSBzdGF0dXMgb2YNCiB0aGUgY2VydGlmaWNhdGUgcmVwcmVzZW50 ZWQgYnkgdGhlIENSTCBlbnRyeS7igJ08bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVv dDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86 cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVv dDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPkhvd2V2ZXIsIHRoaXMgcmVjb21tZW5k YXRpb24gaXMgbm90IGFsaWduZWQgd2l0aCBYLjUwOSB3aGljaCByZWNvbW1lbmRzIHRoYXQgdGhl IGNlcnRpZmljYXRlIHNob3VsZCBiZSBjb25zaWRlcmVkIHJldm9rZWQuPG86cD48L286cD48L3Nw YW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7 O2NvbG9yOiMxRjQ5N0QiPlNhbnRvc2jigJlzIHByb3Bvc2VkIGFkZGl0aW9uIGFsaWducyA1Mjgw IHdpdGggWC41MDkuPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZx dW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9v OnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJp ZiZxdW90Oztjb2xvcjojMUY0OTdEIj5J4oCZbGwgYmUgaW50ZXJlc3RlZCBpbiB1bmRlcnN0YW5k aW5nIGlmIHRoZXJlIGFyZSBhbnkgc3Ryb25nIHJlYXNvbnMgZm9yIHlvdXIgcHJvcG9zYWwgZm9y IGRldmlhdGluZyBmcm9tIFguNTA5IG9uIHRoaXMuPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5 N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVv dDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj4tUGl5dXNoPG86cD48L286 cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlm JnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5 OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdE Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTti b3JkZXItbGVmdDpzb2xpZCBibHVlIDEuNXB0O3BhZGRpbmc6MGluIDBpbiAwaW4gNC4wcHQiPg0K PGRpdj4NCjxkaXYgc3R5bGU9ImJvcmRlcjpub25lO2JvcmRlci10b3A6c29saWQgI0I1QzRERiAx LjBwdDtwYWRkaW5nOjMuMHB0IDBpbiAwaW4gMGluIj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZx dW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5Gcm9tOjwvc3Bhbj48L2I+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3Nh bnMtc2VyaWYmcXVvdDsiPiBkZW5pcy5waW5rYXNAYnVsbC5uZXQgW21haWx0bzpkZW5pcy5waW5r YXNAYnVsbC5uZXRdDQo8YnI+DQo8Yj5TZW50OjwvYj4gTW9uZGF5LCBTZXB0ZW1iZXIgMTcsIDIw MTIgNzo0MiBBTTxicj4NCjxiPlRvOjwvYj4gU2FudG9zaCBDaG9raGFuaTxicj4NCjxiPkNjOjwv Yj4gbXJleEBzYXAuY29tOyBQaXl1c2ggSmFpbjsgcGtpeDxicj4NCjxiPlN1YmplY3Q6PC9iPiBS RTogW3BraXhdIDUyODBiaXMsIHYtMDk8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwv ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDss JnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+U2FudG9zaCwgUGl5dXNoIGFuZCBNYXJ0aW4sPC9zcGFu Pg0KPGJyPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7 LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPlNvcnJ5LCBJIG1hZGUgYSBtaXN0YWtlIHdoZW4gbWFr aW5nIG15IHByb3Bvc2FsIHRoaXMgbW9ybmluZy4NCjxicj4NCkkgd3JvdGUgJnF1b3Q7cmV2b2tl ZCZxdW90OywgYnV0IHdhcyBhZHZvY2F0aW5nICZxdW90O3Vua25vd24mcXVvdDsuPC9zcGFuPiA8 YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1 b3Q7c2Fucy1zZXJpZiZxdW90OyI+QmFzZWQgb24gdGhlIGxhdGVzdCB0ZXh0IHByb3Bvc2VkIGZy b20gU2FudG9zaCwgSSB3b3VsZCByYXRoZXIgcHJlZmVyOjwvc3Bhbj4NCjxicj4NCjxicj4NCjxz cGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlm JnF1b3Q7O2NvbG9yOiMxMDQxNjAiPklmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEg Y3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZQ0KPGI+Y3JsRW50cnlFeHRlbnNpb25zPC9iPiBmaWVs ZCBvZiBhbiBlbnRyeSA8YnI+DQp0aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNhdGUgc3Bl Y2lmaWVkIGluIHRoYXQgZW50cnksIGFzIGluZGljYXRlZCBieSB0aGUgYWJzZW5jZSBvZiBhIHJl bGF0ZWQNCjxicj4NCmNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgPGI+Y3JsRXh0ZW5zaW9uczwv Yj4gZmllbGQsIHRoZW4gdGhlIDwvc3Bhbj48Yj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1 b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMDAwMEUwIj5zdGF0 dXMgb2Y8L3NwYW4+PC9iPjxiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZx dW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOmJsdWUiPg0KPC9zcGFuPjwvYj48c3Bh biBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZx dW90Oztjb2xvcjojMTA0MTYwIj5jZXJ0aWZpY2F0ZSBpZGVudGlmaWVkIGJ5IHRoZSBDUkwgZW50 cnkNCjxicj4NCnNoYWxsIGJlIGNvbnNpZGVyZWQgPC9zcGFuPjxiPjxzcGFuIHN0eWxlPSJmb250 LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMw MDIwQzIiPnVua293bjwvc3Bhbj48L2I+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0Fy aWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzEwNDE2MCI+Ljwvc3Bhbj4N Cjxicj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90Oywm cXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5pbnN0ZWFkIG9mIDo8L3NwYW4+IDxicj4NCjxicj4NCjxz cGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlm JnF1b3Q7O2NvbG9yOiMxMDQxNjAiPklmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEg Y3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZQ0KPGI+Y3JsRW50cnlFeHRlbnNpb25zPC9iPiBmaWVs ZCBvZiBhbiBlbnRyeSA8YnI+DQp0aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNhdGUgc3Bl Y2lmaWVkIGluIHRoYXQgZW50cnksIGFzIGluZGljYXRlZCBieSB0aGUgYWJzZW5jZSBvZiBhIHJl bGF0ZWQNCjxicj4NCmNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgPGI+Y3JsRXh0ZW5zaW9uczwv Yj4gZmllbGQsIHRoZW4gdGhlIGNlcnRpZmljYXRlIGlkZW50aWZpZWQgYnkgdGhlIENSTCBlbnRy eQ0KPGJyPg0Kc2hhbGwgYmUgY29uc2lkZXJlZCByZXZva2VkLjwvc3Bhbj4gPGJyPg0KPGJyPg0K PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2Vy aWYmcXVvdDsiPkRlbmlzPC9zcGFuPiA8YnI+DQo8YnI+DQo8YnI+DQo8YnI+DQo8YnI+DQo8YnI+ DQo8YnI+DQo8YnI+DQo8YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjcuNXB0O2Zv bnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6 IzVGNUY1RiI+RGUgOiAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8L3NwYW4+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZTo3LjVwdDtmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtz YW5zLXNlcmlmJnF1b3Q7Ij5TYW50b3NoIENob2toYW5pICZsdDs8YSBocmVmPSJtYWlsdG86U0No b2toYW5pQGN5Z25hY29tLmNvbSI+U0Nob2toYW5pQGN5Z25hY29tLmNvbTwvYT4mZ3Q7PC9zcGFu Pg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo3LjVwdDtmb250LWZhbWlseTomcXVvdDtB cmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiM1RjVGNUYiPkEgOiAmbmJz cDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo3LjVw dDtmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij4m cXVvdDs8YSBocmVmPSJtYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0Ij5kZW5pcy5waW5rYXNA YnVsbC5uZXQ8L2E+JnF1b3Q7ICZsdDs8YSBocmVmPSJtYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwu bmV0Ij5kZW5pcy5waW5rYXNAYnVsbC5uZXQ8L2E+Jmd0OywNCiAmcXVvdDs8YSBocmVmPSJtYWls dG86bXJleEBzYXAuY29tIj5tcmV4QHNhcC5jb208L2E+JnF1b3Q7ICZsdDs8YSBocmVmPSJtYWls dG86bXJleEBzYXAuY29tIj5tcmV4QHNhcC5jb208L2E+Jmd0OywgUGl5dXNoIEphaW4gJmx0Ozxh IGhyZWY9Im1haWx0bzpwaXl1c2hAaWRlbnRpY2F0ZS5jb20iPnBpeXVzaEBpZGVudGljYXRlLmNv bTwvYT4mZ3Q7PC9zcGFuPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo3LjVwdDtmb250 LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiM1 RjVGNUYiPkNjJm5ic3A7OiAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8L3NwYW4+PHNwYW4g c3R5bGU9ImZvbnQtc2l6ZTo3LjVwdDtmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVv dDtzYW5zLXNlcmlmJnF1b3Q7Ij5wa2l4ICZsdDs8YSBocmVmPSJtYWlsdG86cGtpeEBpZXRmLm9y ZyI+cGtpeEBpZXRmLm9yZzwvYT4mZ3Q7PC9zcGFuPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQt c2l6ZTo3LjVwdDtmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlm JnF1b3Q7O2NvbG9yOiM1RjVGNUYiPkRhdGUgOiAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8 L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo3LjVwdDtmb250LWZhbWlseTomcXVvdDtBcmlh bCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij4xNy8wOS8yMDEyIDE2OjIxPC9zcGFuPg0K PGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo3LjVwdDtmb250LWZhbWlseTomcXVvdDtBcmlh bCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiM1RjVGNUYiPk9iamV0IDogJm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6Ny41 cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+ UkU6IFtwa2l4XSA1MjgwYmlzLCB2LTA5PC9zcGFuPg0KPG86cD48L286cD48L3A+DQo8ZGl2IGNs YXNzPSJNc29Ob3JtYWwiIGFsaWduPSJjZW50ZXIiIHN0eWxlPSJ0ZXh0LWFsaWduOmNlbnRlciI+ DQo8aHIgc2l6ZT0iMiIgd2lkdGg9IjEwMCUiIG5vc2hhZGU9IiIgc3R5bGU9ImNvbG9yOiNBMEEw QTAiIGFsaWduPSJjZW50ZXIiPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48YnI+DQo8 YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1 b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMDA0MDgwIj5UaGlzIGFsc28gcmVsYXRlcyB0byBl YXJsaWVyIHBvc3QgSSBtYWRlIGluIHJlc3BvbnNlIHRvIFBpeXVzaC48L3NwYW4+DQo8YnI+DQo8 c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJp ZiZxdW90Oztjb2xvcjojMDA0MDgwIj4mbmJzcDs8L3NwYW4+IDxicj4NCjxzcGFuIHN0eWxlPSJm b250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9y OiMwMDQwODAiPkkgYXNzdW1lIHdlIGFyZSBhZGRpbmcgdGhlIGZvbGxvd2luZyB0byB0aGUgUkZD IOKAnDwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1 b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMTA0MTYwIj5BIGNyaXRpY2FsIGV4dGVuc2lvbiBp biB0aGUNCjxiPmNybEVudHJ5RXh0ZW5zaW9uczwvYj4gZmllbGQgb2YgYW4gZW50cnkgc2hhbGwg YWZmZWN0IG9ubHkgdGhlIGNlcnRpZmljYXRlIHNwZWNpZmllZCBpbiB0aGF0IGVudHJ5LCB1bmxl c3MgdGhlcmUgaXMgYSByZWxhdGVkIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUNCjxiPmNybEV4 dGVuc2lvbnM8L2I+IGZpZWxkIHRoYXQgYWR2ZXJ0aXNlcyBhIHNwZWNpYWwgdHJlYXRtZW50IGZv ciBpdC7igJ0gJm5ic3A7SW4gb3JkZXIgdG8gdXNlIHN1Y2ggQ1JMLCB0aGUgcmVseWluZyBwYXJ0 eSBtdXN0IGJlIGFibGUgdG8gcHJvY2VzcyBib3RoIHRoZQ0KPGI+Y3JsRW50cnlFeHRlbnNpb24g PC9iPmFuZCB0aGUgcmVsYXRlZCA8Yj5jcmxFeHRlbnNpb24u4oCdPC9iPjwvc3Bhbj4gPGJyPg0K PGI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMt c2VyaWYmcXVvdDs7Y29sb3I6IzEwNDE2MCI+Jm5ic3A7PC9zcGFuPjwvYj4gPGJyPg0KPHNwYW4g c3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVv dDs7Y29sb3I6IzEwNDE2MCI+SW4gdGhhdCBjYXNlLCBJIGRvIG5vdCBtaW5kIGFkZGluZyB0aGUg Zm9sbG93aW5nIHRvIDUyODAgKGEgc2xpZ2h0IG1vZGlmaWNhdGlvbiB0byB3aGF0IERlbmlzIGhh czo8L3NwYW4+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVv dDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMTA0MTYwIj4mbmJzcDs8L3NwYW4+IDxi cj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5z LXNlcmlmJnF1b3Q7O2NvbG9yOiMxMDQxNjAiPklmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9j ZXNzIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZQ0KPGI+Y3JsRW50cnlFeHRlbnNpb25zPC9i PiBmaWVsZCBvZiBhbiBlbnRyeSB0aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNhdGUgc3Bl Y2lmaWVkIGluIHRoYXQgZW50cnksIGFzIGluZGljYXRlZCBieSB0aGUgYWJzZW5jZSBvZiBhIHJl bGF0ZWQgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZQ0KPGI+Y3JsRXh0ZW5zaW9uczwvYj4gZmll bGQsIHRoZW4gdGhlIGNlcnRpZmljYXRlIGlkZW50aWZpZWQgYnkgdGhlIENSTCBlbnRyeSBzaGFs bCBiZSBjb25zaWRlcmVkIHJldm9rZWQuPC9zcGFuPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQt ZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzAw NDA4MCI+Jm5ic3A7PC9zcGFuPiA8YnI+DQo8Yj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1 b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPkZyb206PC9zcGFuPjwvYj48 c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2Vy aWYmcXVvdDsiPg0KPGEgaHJlZj0ibWFpbHRvOnBraXgtYm91bmNlc0BpZXRmLm9yZyI+cGtpeC1i b3VuY2VzQGlldGYub3JnPC9hPiBbPC9zcGFuPjxhIGhyZWY9Im1haWx0bzpwa2l4LWJvdW5jZXNA aWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1 b3Q7c2Fucy1zZXJpZiZxdW90OyI+bWFpbHRvOnBraXgtYm91bmNlc0BpZXRmLm9yZzwvc3Bhbj48 L2E+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZxdW90OywmcXVvdDtzYW5z LXNlcmlmJnF1b3Q7Ij5dDQo8Yj5PbiBCZWhhbGYgT2YgPC9iPjxhIGhyZWY9Im1haWx0bzpkZW5p cy5waW5rYXNAYnVsbC5uZXQiPmRlbmlzLnBpbmthc0BidWxsLm5ldDwvYT48Yj48YnI+DQpTZW50 OjwvYj4gTW9uZGF5LCBTZXB0ZW1iZXIgMTcsIDIwMTIgMzo0NyBBTTxiPjxicj4NClRvOjwvYj4g PGEgaHJlZj0ibWFpbHRvOm1yZXhAc2FwLmNvbSI+bXJleEBzYXAuY29tPC9hPjsgUGl5dXNoIEph aW48Yj48YnI+DQpDYzo8L2I+IHBraXg8Yj48YnI+DQpTdWJqZWN0OjwvYj4gUmU6IFtwa2l4XSA1 MjgwYmlzLCB2LTA5PC9zcGFuPiA8YnI+DQombmJzcDsgPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQt ZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPkdvb2QgY2F0 Y2ggTWFydGluLDwvc3Bhbj4gPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0Fy aWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPjxicj4NCllvdSBjYW1lIGJhY2sgZnJv bSB2YWNhdGlvbiBqdXN0IGluIHRpbWUuIDotKTwvc3Bhbj4gPGJyPg0KPHNwYW4gc3R5bGU9ImZv bnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPjxicj4N CkkgcHJvcG9zZSB0aGUgZm9sbG93aW5nOjwvc3Bhbj4gPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQt ZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij48YnI+DQpSZXBsYWNlOjwvc3Bhbj4gPGJy Pg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij48YnI+ DQp8ICZuYnNwOyAmbmJzcDsgSWYgYSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBDUkwgZW50cnkg ZXh0ZW5zaW9uIDxicj4NCnwgJm5ic3A7ICZuYnNwOyB0aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5u b3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVCA8YnI+DQp8ICZuYnNwOyAmbmJz cDsgTk9UIHVzZSB0aGF0IENSTCB0byBkZXRlcm1pbmUgdGhlIHN0YXR1cyBvZiBhbnkgY2VydGlm aWNhdGVzLjwvc3Bhbj4gPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NvdXJp ZXIgTmV3JnF1b3Q7Ij48YnI+DQp3aXRoPC9zcGFuPiA8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1m YW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsiPjxicj4NCnwgJm5ic3A7ICZuYnNwOyBJZiBh IENSTCBjb250YWlucyBpbiBhIENSTCBlbnRyeSBhIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNp b24gPGJyPg0KfCAmbmJzcDsgJm5ic3A7IHRoYXQgdGhlIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9j ZXNzLCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBNVVNUIDxicj4NCnwgJm5ic3A7ICZuYnNwOyBjb25z aWRlciB0aGF0IHRoZSBjZXJ0aWZpY2F0ZSBpZGVudGlmaWVkIGluIHRoYXQgQ1JMIGVudHJ5IGlz IDxicj4NCnwgJm5ic3A7ICZuYnNwOyByZXZva2VkLiAmbmJzcDs8L3NwYW4+IDxicj4NCjxzcGFu IHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1 b3Q7Ij48YnI+DQpJbiBvcmRlciB0byBhbnN3ZXIgdG8gUGl5dXNoLCBJIGJlbGlldmUgdGhhdCDi gJx1bmtub3du4oCdIHNob3VsZCBiZSB1c2VkIHJhdGhlciB0aGFuIOKAnHJldm9rZWTigJ0uPC9z cGFuPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZx dW90O3NhbnMtc2VyaWYmcXVvdDsiPjxicj4NClRoZSBmb2xsb3dpbmcgZXhhbXBsZSBpcyBhbiBp bGx1c3RyYXRpb246PC9zcGFuPiA8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7 QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+PGJyPg0KVGhlIHN0YXR1cyBvZiBh IGdpdmVuIGNlcnRpZmljYXRlIGlzIGluZGljYXRlZCBhcyDigJxnb29k4oCdLCBidXQgdGhlcmUg aXMgYSBDUkwgZW50cnkgd2l0aCBhIGNyaXRpY2FsDQo8YnI+DQpDUkwgZW50cnkgZXh0ZW5zaW9u LiBUaGlzIGVudHJ5IG1lYW5zIChmb3IgdGhlIGFwcGxpY2F0aW9ucyB3aGljaCB1bmRlcnN0YW5k IGl0KSA6DQo8L3NwYW4+PGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFs JnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPjxicj4NCiZxdW90O1RoZSBzdGF0dXMgd2hp Y2ggaXMgdXN1YWxseSBvYnRhaW5lZCB1c2luZyBhIGRhdGFiYXNlIG9mIGlzc3VlZCBjZXJ0aWZp Y2F0ZXMgaGFzIGJlZW4gb2J0YWluZWQgZnJvbSBDUkxzLg0KPGJyPg0KSWYgeW91IHJlYWxseSBu ZWVkIHRvIHRha2UgYSBkZWNpc2lvbiBub3csIGl0IGlzIGF0IHlvdXIgb3duIHJpc2suIElmIHlv dSBjYW4gd2FpdCwgeW91IGhhZCBiZXR0ZXIgdG8gdHJ5IGFnYWluIGxhdGVyIG9uJnF1b3Q7Ljwv c3Bhbj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90Oywm cXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij48YnI+DQpZb3VyIG5leHQgcXVlc3Rpb24gd2lsbCBjZXJ0 YWlubHkgYmU6IHNvIHdoeSBkb27igJl0IHlvdSB1c2UgdGhlIHByb3Bvc2VkIGNlcnRJbmZvIGV4 dGVuc2lvbiA/PC9zcGFuPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0Fy aWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPjxicj4NCkZvciBhcHBsaWNhdGlvbnMg d2hpY2ggZG8gbm90IHVuZGVyc3RhbmQgdGhpcyBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9u LCB0aGVyZSBpcyBubyBkaWZmZXJlbmNlLjwvc3Bhbj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWls eTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij48YnI+DQpUaGV5IGdl dCBhbiAmcXVvdDt1bmtub3duJnF1b3Q7IHN0YXR1cyBpbiBib3RoIGNhc2VzLjwvc3Bhbj4gPGJy Pg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMt c2VyaWYmcXVvdDsiPjxicj4NCkZvciBhcHBsaWNhdGlvbnMgd2hpY2ggdW5kZXJzdGFuZCB0aGlz IGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24gaXQgcHJvdmlkZXMgbGVzcyBiZW5lZml0cw0K PGJyPg0KdGhhbiB0aGUgcHJvcG9zZWQgY2VydEluZm8gZXh0ZW5zaW9uLCBidXQgaXQgbWlnaHQg YmUgcXVpY2tlciB0byBpbXBsZW1lbnQgYW5kIGl0IGVuZm9yY2VzIGEgcG9saWN5Ljwvc3Bhbj4N Cjxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtz YW5zLXNlcmlmJnF1b3Q7Ij48YnI+DQpEZW5pczwvc3Bhbj4gPHNwYW4gc3R5bGU9ImZvbnQtZmFt aWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij48YnI+DQo8YnI+DQo8YnI+DQomZ3Q7IEkgb2Jq ZWN0IHRvIHRoZSBwcm9wb3NlZCBuZXcgdGV4dCBhYm91dCBDUkxFbnRyeUV4dGVuc2lvbnM8YnI+ DQomZ3Q7IGluIHRoZSBjbGFyaWZpY2F0aW9uIGRvY3VtZW50LCBiZWNhdXNlIGFzIGlzLCB3b3Vs ZCBzaWduaWZpY2FudGx5PGJyPg0KJmd0OyB3b3JzZW4gdGhlIGRpZmZlcmVuY2UgYmV0d2VlbiBQ S0lYIGFuZCBYLjUwOSBhbmQgbWFrZSB0aGluZ3M8YnI+DQomZ3Q7IGNsZWFybHkgaW5jb21wYXRp YmxlIHJhdGhlciB0aGFuIHNsaWdodGx5IGxlc3MgZWZmaWNpZW50Ljxicj4NCiZndDsgPGJyPg0K Jmd0OyBJZiBhbnl0aGluZywgdGhlIGdhcCBzaG91bGQgYmUgcmVkdWNlZCwgY29tcGF0aWJpbGl0 eSBiZXR3ZWVuPGJyPg0KJmd0OyBQS0lYIGFuZCBYLjUwOSBpbXByb3ZlZCBhbmQgdGhlIG9yaWdp bmFsIGFyY2hpdGVjdHVyZSBub3QgdmlvbGF0ZWQuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFBsZWFz ZSByZWNhbGwgdGhlIG9yaWdpbmFsIE5PVEUgNCAmYW1wOyA1IHRoYXQgSSBxdW90ZWQgZnJvbTxi cj4NCiZndDsgSVRVLVQgUmVjLiBYLjUwOSAoMDgvMjAwNSksIFNlY3Rpb24gNy4zLCB0b3Agb2Yg cGFnZSAxODo8YnI+DQomZ3Q7IChnZXQgdGhlbSBoZXJlIDwvc3Bhbj48YSBocmVmPSJodHRwOi8v d3d3Lml0dS5pbnQvcmVjL1QtUkVDLVguNTA5Ij48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1 b3Q7Q291cmllciBOZXcmcXVvdDsiPmh0dHA6Ly93d3cuaXR1LmludC9yZWMvVC1SRUMtWC41MDk8 L3NwYW4+PC9hPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90 OyI+KTo8YnI+DQomZ3Q7IDxicj4NCiZndDsgYSZndDsgJm5ic3A7Tk9URSA0IC0tIFdoZW4gYW4g aW1wbGVtZW50YXRpb24gcHJvY2Vzc2luZyBhIGNlcnRpZmljYXRlIHJldm9jYXRpb248YnI+DQom Z3Q7IGEmZ3Q7ICZuYnNwO2xpc3QgZG9lcyBub3QgcmVjb2duaXplIGEgY3JpdGljYWwgZXh0ZW5z aW9uIGluIHRoZSBjcmxFbnRyeUV4dGVuc2lvbnM8YnI+DQomZ3Q7IGEmZ3Q7ICZuYnNwO2ZpZWxk LCBpdCBzaGFsbCBhc3N1bWUgdGhhdCwgYXQgYSBtaW5pbXVtLCB0aGUgaWRlbnRpZmllZCBjZXJ0 aWZpY2F0ZTxicj4NCiZndDsgYSZndDsgJm5ic3A7aGFzIGJlZW4gcmV2b2tlZCBhbmQgaXMgbm8g bG9uZ2VyIHZhbGlkIGFuZCBwZXJmb3JtIGFkZGl0aW9uYWwgYWN0aW9uczxicj4NCiZndDsgYSZn dDsgJm5ic3A7Y29uY2VybmluZyB0aGF0IHJldm9rZWQgY2VydGlmaWNhdGUgYXMgZGljdGF0ZWQg YnkgbG9jYWwgcG9saWN5Ljxicj4NCiZndDsgPGJyPg0KJmd0OyBiJmd0OyAmbmJzcDtXaGVuIGFu IGltcGxlbWVudGF0aW9uIGRvZXMgbm90IHJlY29nbml6ZSBhIGNyaXRpY2FsIGV4dGVuc2lvbiBp biB0aGU8YnI+DQomZ3Q7IGImZ3Q7ICZuYnNwO2NybEV4dGVuc2lvbnMgZmllbGQsIGl0IHNoYWxs IGFzc3VtZSB0aGF0IGlkZW50aWZpZWQgY2VydGlmaWNhdGVzPGJyPg0KJmd0OyBiJmd0OyAmbmJz cDtoYXZlIGJlZW4gcmV2b2tlZCBhbmQgYXJlIG5vIGxvbmdlciB2YWxpZC48YnI+DQomZ3Q7IDxi cj4NCiZndDsgYyZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsg Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IEhv d2V2ZXIgaW4gdGhlIGxhdHRlciBjYXNlLDxicj4NCiZndDsgYyZndDsgJm5ic3A7c2luY2UgdGhl IGxpc3QgbWF5IG5vdCBiZSBjb21wbGV0ZSwgY2VydGlmaWNhdGVzIHRoYXQgaGF2ZSBub3QgYmVl bjxicj4NCiZndDsgYyZndDsgJm5ic3A7aWRlbnRpZmllZCBhcyBiZWluZyByZXZva2VkIGNhbm5v dCBiZSBhc3N1bWVkIHRvIGJlIHZhbGlkLiBJbiB0aGlzIGNhc2U8YnI+DQomZ3Q7IGMmZ3Q7ICZu YnNwO2xvY2FsIHBvbGljeSBzaGFsbCBkaWN0YXRlIHRoZSBhY3Rpb24gdG8gYmUgdGFrZW4uIElu IGFueSBjYXNlIGxvY2FsPGJyPg0KJmd0OyBjJmd0OyAmbmJzcDtwb2xpY3kgbWF5IGRpY3RhdGUg YWN0aW9ucyBpbiBhZGRpdGlvbiB0byBhbmQvb3Igc3Ryb25nZXIgdGhhbiB0aG9zZTxicj4NCiZn dDsgYyZndDsgJm5ic3A7c3RhdGVkIGluIHRoaXMgU3BlY2lmaWNhdGlvbi48YnI+DQomZ3Q7IDxi cj4NCiZndDsgZCZndDsgJm5ic3A7Tk9URSA1IC0tIElmIGFuIGV4dGVuc2lvbiBhZmZlY3RzIHRo ZSB0cmVhdG1lbnQgb2YgdGhlIGxpc3Q8YnI+DQomZ3Q7IGQmZ3Q7ICZuYnNwOyhlLmcuLCBtdWx0 aXBsZSBDUkxzIG5lZWQgdG8gYmUgc2Nhbm5lZCB0byBleGFtaW5lIHRoZSBlbnRpcmUgbGlzdCBv Zjxicj4NCiZndDsgZCZndDsgJm5ic3A7cmV2b2tlZCBjZXJ0aWZpY2F0ZXMsIG9yIGFuIGVudHJ5 IG1heSByZXByZXNlbnQgYSByYW5nZSBvZiBjZXJ0aWZpY2F0ZXMpLDxicj4NCiZndDsgZCZndDsg Jm5ic3A7dGhlbiB0aGF0IGV4dGVuc2lvbiBzaGFsbCBiZSBpbmRpY2F0ZWQgYXMgY3JpdGljYWwg aW4gdGhlIGNybEV4dGVuc2lvbnM8YnI+DQomZ3Q7IGQmZ3Q7ICZuYnNwO2ZpZWxkIHJlZ2FyZGxl c3Mgb2Ygd2hlcmUgdGhlIGV4dGVuc2lvbiBpcyBwbGFjZWQgaW4gdGhlIENSTC48YnI+DQomZ3Q7 IDxicj4NCiZndDsgZSZndDsgJm5ic3A7QW4gZXh0ZW5zaW9uIGluZGljYXRlZCBpbiB0aGUgY3Js RW50cnlFeHRlbnNpb25zIGZpZWxkIG9mIGFuIGVudHJ5IHNoYWxsPGJyPg0KJmd0OyBlJmd0OyAm bmJzcDtiZSBwbGFjZWQgaW4gdGhhdCBlbnRyeSBhbmQgc2hhbGwgYWZmZWN0IG9ubHkgdGhlIGNl cnRpZmljYXRlKHMpPGJyPg0KJmd0OyBlJmd0OyAmbmJzcDtzcGVjaWZpZWQgaW4gdGhhdCBlbnRy eS48YnI+DQomZ3Q7IDxicj4NCiZndDsgPGJyPg0KJmd0OyAoSSBpbnNlcnRlZCBibGFuayBsaW5l cyBhYm92ZSBmb3IgdmlzdWFsIGNsYXJpdHkgb2YgdGhlIFguNTA5IHJlcXVpcmVtZW50cykuPGJy Pg0KJmd0OyA8YnI+DQomZ3Q7IHR3byBvcHRpb25zLCBhbGwgY29tYmluYXRpb25zOjxicj4NCiZn dDsgPGJyPg0KJmd0OyAmbmJzcDsoMSkgY2VydCAmbmJzcDsgJm5ic3A7IG9uIENSTCwgQ1JMIHdp dGggTk8gdW5yZWNvZ25pemVkIGNyaXRpY2FsIENSTEVudHJ5RXh0ZW5zaW9ucyA8YnI+DQomZ3Q7 ICZuYnNwOygyKSBjZXJ0IE5PVCBvbiBDUkwsIENSTCB3aXRoIE5PIHVucmVjb2duaXplZCBjcml0 aWNhbCBDUkxFbnRyeUV4dGVuc2lvbnMgPGJyPg0KJmd0OyAmbmJzcDsoMykgY2VydCAmbmJzcDsg Jm5ic3A7IG9uIENSTCwgQ1JMIHdpdGggJm5ic3A7ICZuYnNwO3VucmVjb2duaXplZCBjcml0aWNh bCBDUkxFbnRyeUV4dGVuc2lvbjxicj4NCiZndDsgJm5ic3A7KDQpIGNlcnQgTk9UIG9uIENSTCwg Q1JMIHdpdGggJm5ic3A7ICZuYnNwO3VucmVjb2duaXplZCBjcml0aWNhbCBDUkxFbnRyeUV4dGVu c2lvbjxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IEkgaG9wZSB3ZSBhZ3JlZSB0aGF0 IFguNTA5IGFuZCByZmM1MjgwIGFncmVlIG9uICgxKSBhbmQgKDIpIHJlc3VsdHM8YnI+DQomZ3Q7 IGZvciBDUkwgY2hlY2tpbmcuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IHJmYzUyODAgY3VycmVudGx5 IHNheXMgdGhhdCBmb3IgKDMpJiM0MzsoNCkgdGhlIGVudGlyZSBDUkwgb3VnaHQgdG8gYmUgaWdu b3JlZDxicj4NCiZndDsgYW5kIG90aGVyIENSTHMgbmVlZCB0byBiZSBldmFsdWF0ZWQgJnF1b3Q7 VU5ERVRFUk1JTkVEJnF1b3Q7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFguNTA5IHNheXMgaW4gKGEm Z3Q7KSB0aGF0IGZvciAoMykgdGhlIHN0YXR1cyBvZiB0aGUgY2VydCBpcyBkZWZpbml0ZWx5IHJl dm9rZWQ8YnI+DQomZ3Q7IGFuZCBzYXlzIGluIChjJmd0OykgZm9yICg0KSB0aGF0IHRoZSBDUkwg b3VnaHQgdG8gYmUgaWdub3JlZCBhbmQgb3RoZXIgQ1JMcyBuZWVkPGJyPg0KJmd0OyB0byBiZSBl dmFsdWF0ZWQgJnF1b3Q7VU5ERVRFUk1JTkVEJnF1b3Q7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFdo aWxlIGJvdGggWC41MDkgYW5kIHJmYzUyODAgYWdyZWUgb24gdGhlIHJlc3VsdCBmb3IgKDQpICZx dW90O1VOREVURVJNSU5FRCZxdW90Oyw8YnI+DQomZ3Q7IHRoZXJlIGlzIHRoZSBzdXBlcmZpY2lh bCBhcHBlYXJhbmNlIG9mIGEgZGlmZmVyZW5jZSBmb3IgYSBjYXN1YWw8YnI+DQomZ3Q7IGltcGxl bWVudGVyIGZvciBjYXNlICgzKSBiZXR3ZWVuIFguNTA5ICZxdW90O1JFVk9LRUQmcXVvdDsgYW5k IHJmYzUyODAgJnF1b3Q7VU5ERVRFUk1JTkVEJnF1b3Q7PGJyPg0KJmd0OyB0aGF0IG1pZ2h0IGxl YWQgdG8gYSBzbGlnaHRseSBsZXNzIGVmZmljaWVudCBwcm9jZXNzaW5nIENSTHMuPGJyPg0KJmd0 OyA8YnI+DQomZ3Q7IDxicj4NCiZndDsgVGhlIG5ld2x5IHByb3Bvc2VkIHRleHQgKGluIC0wOSk6 PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IHwgJm5ic3A7ICZuYnNwOyBJZiBhIENSTCBjb250YWlucyBh IGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb248YnI+DQomZ3Q7IHwgJm5ic3A7ICZuYnNwOyB0 aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24g TVVTVDxicj4NCiZndDsgfCAmbmJzcDsgJm5ic3A7IE5PVCB1c2UgdGhhdCBDUkwgdG8gZGV0ZXJt aW5lIHRoZSBzdGF0dXMgb2YgdGhlIGNlcnRpZmljYXRlPGJyPg0KJmd0OyB8ICZuYnNwOyAmbmJz cDsgcmVwcmVzZW50ZWQgYnkgdGhlIENSTCBlbnRyeS4gJm5ic3A7PGJyPg0KJmd0OyA8YnI+DQom Z3Q7IGNyZWF0ZXMgYSBzaWduaWZpY2FudGx5IGRpc3RpbmN0IGJlaGF2aW91ciBmb3IgY2FzZSAo NCkgd2hlcmUgWC41MDk8YnI+DQomZ3Q7IGFuZCByZmM1MjgwIGFncmVlZCBvbiAmcXVvdDtVTkRF VEVSTUlORUQmcXVvdDssIGJ5IHJlZGVmaW5pbmcgdGhlIHJlc3VsdCB0bzxicj4NCiZndDsgYmUg JnF1b3Q7VU5SRVZPS0VEJnF1b3Q7LCBhbmQgcG90ZW50aWFsbHkgY3JlYXRlcyBhIHNlY3VyaXR5 IHByb2JsZW0sIGFuZCBhPGJyPg0KJmd0OyBuZXcsIGJhY2t3YXJkcy1pbmNvbXBhdGlibGUgYmVo YXZpb3VyIGZvciBhIHNpdHVhdGlvbiB3aGVyZTxicj4NCiZndDsgWC41MDkgYW5kIHJmYzUyODAg dXNlZCB0byBhZ3JlZS4gU3RpbGwsIHRoZSBuZXcgdGV4dCBkb2VzIG5vdCBkbzxicj4NCiZndDsg YW55dGhpbmcgYWJvdXQgY2FzZSAoMyksIHRoZSBvbmx5IGNhc2Ugd2hlcmUgWC41MDkgYW5kIHJm YzUyODA8YnI+DQomZ3Q7IGFwcGVhciB0byBkaWZmZXIgKGluIGEgbW9zdGx5IG1hcmdpbmFsIGZh c2hpb24pLjxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IEEgY2FyZWZ1bCBpbXBsZW1l bnRvciwgdGhhdCBhbmFseXplcyBOT1RFIDQgYW5kIE5PVEUgNSBmcm9tIFguNTA5PGJyPg0KJmd0 OyBxdW90ZWQgYWJvdmUgaW4gaXRzIGVudGlyZXR5LCBzaG91bGQgcmVhbGl6ZSB0aGF0IHRoZSBz aXR1YXRpb248YnI+DQomZ3Q7IHdoZXJlIFguNTA5IGFuZCByZmM1MjgwIGRpZmZlciBpcyBtYXJn aW5hbC48YnI+DQomZ3Q7IDxicj4NCiZndDsgVGhpcyBpcyBiZWNhdXNlIChkJmd0OykgaW4gTk9U RSA1IGFib3ZlIHJlcXVpcmVzICgmcXVvdDtzaGFsbCZxdW90OykgdGhhdCBhPGJyPg0KJmd0OyBj cml0aWNhbCBjcmxFbnRyeUV4dGVuc2lvbiB3aXRoIGEgc2VtYW50aWMgYmV5b25kICZxdW90O3Ro aXMgY2VydCBpczxicj4NCiZndDsgcmV2b2tlZCZxdW90OyksIE1VU1QgYmUgYWRkaXRpb25hbGx5 IGluY2x1ZGVkIGFzIGEgY3JpdGljYWwgY3JsRXh0ZW5zaW9uLDxicj4NCiZndDsgd2l0aCB0aGUg ZWZmZWN0IHRoYXQgdGhlIGVudGlyZSBDUkwgd2lsbCBoYXZlIHRvIGJlIGlnbm9yZWQgYnk8YnI+ DQomZ3Q7IGJvdGggWC41MDkgYW5kIHJmYzUyODAgaW1wbGVtZW50YXRpb25zIHRoYXQgZG8gbm90 IHJlY29nbml6ZTxicj4NCiZndDsgdGhlIGNybEV4dGVuc2lvbi4gJm5ic3A7U28gYWxsIGNvbXBs aWFudCBDUkxzIHdpdGggYSAmcXVvdDtmYW5jeSZxdW90Ozxicj4NCiZndDsgdW5yZWNvZ25pemVk IGNyaXRpY2FsIGNybEVudHJ5RXh0ZW5zaW9uLCB0aGUgYWNjb21wYW55aW5nPGJyPg0KJmd0OyB1 bnJlY29nbml6ZWQgY3JpdGljYWwgY3JsRXh0ZW5zaW9uIHdpbGwgY2F1c2UgWC41MDkgYW5kIHJm YzUyODA8YnI+DQomZ3Q7IHRvIGFncmVlIG9uICgzKSB0byByZXR1cm4gJnF1b3Q7VU5ERVRFUk1J TkVEJnF1b3Q7IGFuZCByZXF1aXJlIG90aGVyPGJyPg0KJmd0OyBDUkxzIHRvIGJlIGNoZWNrZWQu IDxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IC1NYXJ0aW48YnI+DQomZ3Q7IF9fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fPGJyPg0KJmd0OyBwa2l4 IG1haWxpbmcgbGlzdDxicj4NCiZndDsgPC9zcGFuPjxhIGhyZWY9Im1haWx0bzpwa2l4QGlldGYu b3JnIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsiPnBr aXhAaWV0Zi5vcmc8L3NwYW4+PC9hPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDb3Vy aWVyIE5ldyZxdW90OyI+PGJyPg0KJmd0OyA8L3NwYW4+PGEgaHJlZj0iaHR0cHM6Ly93d3cuaWV0 Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9wa2l4Ij48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1 b3Q7Q291cmllciBOZXcmcXVvdDsiPmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGlu Zm8vcGtpeDwvc3Bhbj48L2E+DQo8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Jv ZHk+DQo8L2h0bWw+DQo= --_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC1E20CH1PRD0610MB393_-- From piyush@identicate.com Mon Sep 17 07:58:14 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34A5321F853A for ; Mon, 17 Sep 2012 07:58:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N1Aa6q4joBHJ for ; Mon, 17 Sep 2012 07:58:12 -0700 (PDT) Received: from db3outboundpool.messaging.microsoft.com (db3ehsobe005.messaging.microsoft.com [213.199.154.143]) by ietfa.amsl.com (Postfix) with ESMTP id 9988921F8533 for ; Mon, 17 Sep 2012 07:58:11 -0700 (PDT) Received: from mail80-db3-R.bigfish.com (10.3.81.227) by DB3EHSOBE006.bigfish.com (10.3.84.26) with Microsoft SMTP Server id 14.1.225.23; Mon, 17 Sep 2012 14:58:09 +0000 Received: from mail80-db3 (localhost [127.0.0.1]) by mail80-db3-R.bigfish.com (Postfix) with ESMTP id 04589C0224; Mon, 17 Sep 2012 14:58:09 +0000 (UTC) X-Forefront-Antispam-Report: CIP:157.56.244.229; KIP:(null); UIP:(null); IPV:NLI; H:CH1PRD0610HT001.namprd06.prod.outlook.com; RD:none; EFVD:NLI X-SpamScore: -21 X-BigFish: PS-21(zz9371Ic89bh1432Ic857hd6f1izz1202h1d1ah1d2ahzz8275ch1033IL17326ah8275bh8275dhz2fh2a8h668h839hd25hf0ah107ah1288h12a5h12bdh1155h) Received-SPF: pass (mail80-db3: domain of identicate.com designates 157.56.244.229 as permitted sender) client-ip=157.56.244.229; envelope-from=piyush@identicate.com; helo=CH1PRD0610HT001.namprd06.prod.outlook.com ; .outlook.com ; Received: from mail80-db3 (localhost.localdomain [127.0.0.1]) by mail80-db3 (MessageSwitch) id 1347893885131245_31351; Mon, 17 Sep 2012 14:58:05 +0000 (UTC) Received: from DB3EHSMHS019.bigfish.com (unknown [10.3.81.234]) by mail80-db3.bigfish.com (Postfix) with ESMTP id 112A380068; Mon, 17 Sep 2012 14:58:05 +0000 (UTC) Received: from CH1PRD0610HT001.namprd06.prod.outlook.com (157.56.244.229) by DB3EHSMHS019.bigfish.com (10.3.87.119) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 17 Sep 2012 14:58:03 +0000 Received: from CH1PRD0610MB393.namprd06.prod.outlook.com ([169.254.11.24]) by CH1PRD0610HT001.namprd06.prod.outlook.com ([10.255.151.36]) with mapi id 14.16.0190.008; Mon, 17 Sep 2012 14:58:02 +0000 From: Piyush Jain To: Santosh Chokhani , "denis.pinkas@bull.net" , "mrex@sap.com" Thread-Topic: [pkix] 5280bis, v-09 Thread-Index: AQHNj4Or+HT2+Q6yxkWqbc8OyTbOnJeHbVEAgAbEwwCAAG5aAIAACaaA Date: Mon, 17 Sep 2012 14:58:01 +0000 Message-ID: References: <504E13CB.8080001@bbn.com> <20120913002444.80A791A216@ld9781.wdf.sap.corp> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [75.25.128.241] Content-Type: multipart/alternative; boundary="_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC1E34CH1PRD0610MB393_" MIME-Version: 1.0 X-OriginatorOrg: identicate.com Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 14:58:14 -0000 --_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC1E34CH1PRD0610MB393_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 VGhhbmtzIFNhbnRvc2gsIHlvdXIgcHJvcG9zZWQgYWRkaXRpb24gd2lsbCBhbGlnbiA1MjgwIHdp dGggWC41MDkuDQpXZSBzaG91bGQgYWxzbyByZW1vdmUgdGhpcyB0ZXh0IGZyb20gZHJhZnQtMDku DQoNCuKAnElmIGEgQ1JMIGNvbnRhaW5zIGEgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiB0 aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24g TVVTVCAgTk9UIHVzZSB0aGF0IENSTCB0byBkZXRlcm1pbmUgdGhlIHN0YXR1cyBvZiB0aGUgY2Vy dGlmaWNhdGUgcmVwcmVzZW50ZWQgYnkgdGhlIENSTCBlbnRyeS7igJ0NCg0KQXMgdGhpcyBvYnZp b3VzbHkgY29udHJhZGljdHMgd2l0aCB5b3VyIHByb3Bvc2VkIHRleHQuDQoNCkZyb206IFNhbnRv c2ggQ2hva2hhbmkgW21haWx0bzpTQ2hva2hhbmlAY3lnbmFjb20uY29tXQ0KU2VudDogTW9uZGF5 LCBTZXB0ZW1iZXIgMTcsIDIwMTIgNzoyMiBBTQ0KVG86IGRlbmlzLnBpbmthc0BidWxsLm5ldDsg bXJleEBzYXAuY29tOyBQaXl1c2ggSmFpbg0KQ2M6IHBraXgNClN1YmplY3Q6IFJFOiBbcGtpeF0g NTI4MGJpcywgdi0wOQ0KDQpUaGlzIGFsc28gcmVsYXRlcyB0byBlYXJsaWVyIHBvc3QgSSBtYWRl IGluIHJlc3BvbnNlIHRvIFBpeXVzaC4NCg0KSSBhc3N1bWUgd2UgYXJlIGFkZGluZyB0aGUgZm9s bG93aW5nIHRvIHRoZSBSRkMg4oCcQSBjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlIGNybEVudHJ5 RXh0ZW5zaW9ucyBmaWVsZCBvZiBhbiBlbnRyeSBzaGFsbCBhZmZlY3Qgb25seSB0aGUgY2VydGlm aWNhdGUgc3BlY2lmaWVkIGluIHRoYXQgZW50cnksIHVubGVzcyB0aGVyZSBpcyBhIHJlbGF0ZWQg Y3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxFeHRlbnNpb25zIGZpZWxkIHRoYXQgYWR2ZXJ0 aXNlcyBhIHNwZWNpYWwgdHJlYXRtZW50IGZvciBpdC7igJ0gIEluIG9yZGVyIHRvIHVzZSBzdWNo IENSTCwgdGhlIHJlbHlpbmcgcGFydHkgbXVzdCBiZSBhYmxlIHRvIHByb2Nlc3MgYm90aCB0aGUg Y3JsRW50cnlFeHRlbnNpb24gYW5kIHRoZSByZWxhdGVkIGNybEV4dGVuc2lvbi7igJ0NCg0KSW4g dGhhdCBjYXNlLCBJIGRvIG5vdCBtaW5kIGFkZGluZyB0aGUgZm9sbG93aW5nIHRvIDUyODAgKGEg c2xpZ2h0IG1vZGlmaWNhdGlvbiB0byB3aGF0IERlbmlzIGhhczoNCg0KSWYgYW4gYXBwbGljYXRp b24gY2Fubm90IHByb2Nlc3MgYSBjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlIGNybEVudHJ5RXh0 ZW5zaW9ucyBmaWVsZCBvZiBhbiBlbnRyeSB0aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNh dGUgc3BlY2lmaWVkIGluIHRoYXQgZW50cnksIGFzIGluZGljYXRlZCBieSB0aGUgYWJzZW5jZSBv ZiBhIHJlbGF0ZWQgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxFeHRlbnNpb25zIGZpZWxk LCB0aGVuIHRoZSBjZXJ0aWZpY2F0ZSBpZGVudGlmaWVkIGJ5IHRoZSBDUkwgZW50cnkgc2hhbGwg YmUgY29uc2lkZXJlZCByZXZva2VkLg0KDQpGcm9tOiBwa2l4LWJvdW5jZXNAaWV0Zi5vcmc8bWFp bHRvOnBraXgtYm91bmNlc0BpZXRmLm9yZz4gW21haWx0bzpwa2l4LWJvdW5jZXNAaWV0Zi5vcmdd PG1haWx0bzpbbWFpbHRvOnBraXgtYm91bmNlc0BpZXRmLm9yZ10+IE9uIEJlaGFsZiBPZiBkZW5p cy5waW5rYXNAYnVsbC5uZXQ8bWFpbHRvOmRlbmlzLnBpbmthc0BidWxsLm5ldD4NClNlbnQ6IE1v bmRheSwgU2VwdGVtYmVyIDE3LCAyMDEyIDM6NDcgQU0NClRvOiBtcmV4QHNhcC5jb208bWFpbHRv Om1yZXhAc2FwLmNvbT47IFBpeXVzaCBKYWluDQpDYzogcGtpeA0KU3ViamVjdDogUmU6IFtwa2l4 XSA1MjgwYmlzLCB2LTA5DQoNCkdvb2QgY2F0Y2ggTWFydGluLA0KDQpZb3UgY2FtZSBiYWNrIGZy b20gdmFjYXRpb24ganVzdCBpbiB0aW1lLiA6LSkNCg0KSSBwcm9wb3NlIHRoZSBmb2xsb3dpbmc6 DQoNClJlcGxhY2U6DQoNCnwgICAgIElmIGEgQ1JMIGNvbnRhaW5zIGEgY3JpdGljYWwgQ1JMIGVu dHJ5IGV4dGVuc2lvbg0KfCAgICAgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3Ms IHRoZW4gdGhlIGFwcGxpY2F0aW9uIE1VU1QNCnwgICAgIE5PVCB1c2UgdGhhdCBDUkwgdG8gZGV0 ZXJtaW5lIHRoZSBzdGF0dXMgb2YgYW55IGNlcnRpZmljYXRlcy4NCg0Kd2l0aA0KDQp8ICAgICBJ ZiBhIENSTCBjb250YWlucyBpbiBhIENSTCBlbnRyeSBhIGNyaXRpY2FsIENSTCBlbnRyeSBleHRl bnNpb24NCnwgICAgIHRoYXQgdGhlIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzLCB0aGVuIHRo ZSBhcHBsaWNhdGlvbiBNVVNUDQp8ICAgICBjb25zaWRlciB0aGF0IHRoZSBjZXJ0aWZpY2F0ZSBp ZGVudGlmaWVkIGluIHRoYXQgQ1JMIGVudHJ5IGlzDQp8ICAgICByZXZva2VkLg0KDQpJbiBvcmRl ciB0byBhbnN3ZXIgdG8gUGl5dXNoLCBJIGJlbGlldmUgdGhhdCDigJx1bmtub3du4oCdIHNob3Vs ZCBiZSB1c2VkIHJhdGhlciB0aGFuIOKAnHJldm9rZWTigJ0uDQoNClRoZSBmb2xsb3dpbmcgZXhh bXBsZSBpcyBhbiBpbGx1c3RyYXRpb246DQoNClRoZSBzdGF0dXMgb2YgYSBnaXZlbiBjZXJ0aWZp Y2F0ZSBpcyBpbmRpY2F0ZWQgYXMg4oCcZ29vZOKAnSwgYnV0IHRoZXJlIGlzIGEgQ1JMIGVudHJ5 IHdpdGggYSBjcml0aWNhbA0KQ1JMIGVudHJ5IGV4dGVuc2lvbi4gVGhpcyBlbnRyeSBtZWFucyAo Zm9yIHRoZSBhcHBsaWNhdGlvbnMgd2hpY2ggdW5kZXJzdGFuZCBpdCkgOg0KDQoiVGhlIHN0YXR1 cyB3aGljaCBpcyB1c3VhbGx5IG9idGFpbmVkIHVzaW5nIGEgZGF0YWJhc2Ugb2YgaXNzdWVkIGNl cnRpZmljYXRlcyBoYXMgYmVlbiBvYnRhaW5lZCBmcm9tIENSTHMuDQpJZiB5b3UgcmVhbGx5IG5l ZWQgdG8gdGFrZSBhIGRlY2lzaW9uIG5vdywgaXQgaXMgYXQgeW91ciBvd24gcmlzay4gSWYgeW91 IGNhbiB3YWl0LCB5b3UgaGFkIGJldHRlciB0byB0cnkgYWdhaW4gbGF0ZXIgb24iLg0KDQpZb3Vy IG5leHQgcXVlc3Rpb24gd2lsbCBjZXJ0YWlubHkgYmU6IHNvIHdoeSBkb27igJl0IHlvdSB1c2Ug dGhlIHByb3Bvc2VkIGNlcnRJbmZvIGV4dGVuc2lvbiA/DQoNCkZvciBhcHBsaWNhdGlvbnMgd2hp Y2ggZG8gbm90IHVuZGVyc3RhbmQgdGhpcyBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uLCB0 aGVyZSBpcyBubyBkaWZmZXJlbmNlLg0KVGhleSBnZXQgYW4gInVua25vd24iIHN0YXR1cyBpbiBi b3RoIGNhc2VzLg0KDQpGb3IgYXBwbGljYXRpb25zIHdoaWNoIHVuZGVyc3RhbmQgdGhpcyBjcml0 aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uIGl0IHByb3ZpZGVzIGxlc3MgYmVuZWZpdHMNCnRoYW4g dGhlIHByb3Bvc2VkIGNlcnRJbmZvIGV4dGVuc2lvbiwgYnV0IGl0IG1pZ2h0IGJlIHF1aWNrZXIg dG8gaW1wbGVtZW50IGFuZCBpdCBlbmZvcmNlcyBhIHBvbGljeS4NCg0KRGVuaXMNCg0KDQo+IEkg b2JqZWN0IHRvIHRoZSBwcm9wb3NlZCBuZXcgdGV4dCBhYm91dCBDUkxFbnRyeUV4dGVuc2lvbnMN Cj4gaW4gdGhlIGNsYXJpZmljYXRpb24gZG9jdW1lbnQsIGJlY2F1c2UgYXMgaXMsIHdvdWxkIHNp Z25pZmljYW50bHkNCj4gd29yc2VuIHRoZSBkaWZmZXJlbmNlIGJldHdlZW4gUEtJWCBhbmQgWC41 MDkgYW5kIG1ha2UgdGhpbmdzDQo+IGNsZWFybHkgaW5jb21wYXRpYmxlIHJhdGhlciB0aGFuIHNs aWdodGx5IGxlc3MgZWZmaWNpZW50Lg0KPg0KPiBJZiBhbnl0aGluZywgdGhlIGdhcCBzaG91bGQg YmUgcmVkdWNlZCwgY29tcGF0aWJpbGl0eSBiZXR3ZWVuDQo+IFBLSVggYW5kIFguNTA5IGltcHJv dmVkIGFuZCB0aGUgb3JpZ2luYWwgYXJjaGl0ZWN0dXJlIG5vdCB2aW9sYXRlZC4NCj4NCj4gUGxl YXNlIHJlY2FsbCB0aGUgb3JpZ2luYWwgTk9URSA0ICYgNSB0aGF0IEkgcXVvdGVkIGZyb20NCj4g SVRVLVQgUmVjLiBYLjUwOSAoMDgvMjAwNSksIFNlY3Rpb24gNy4zLCB0b3Agb2YgcGFnZSAxODoN Cj4gKGdldCB0aGVtIGhlcmUgaHR0cDovL3d3dy5pdHUuaW50L3JlYy9ULVJFQy1YLjUwOSk6DQo+ DQo+IGE+ICBOT1RFIDQgLS0gV2hlbiBhbiBpbXBsZW1lbnRhdGlvbiBwcm9jZXNzaW5nIGEgY2Vy dGlmaWNhdGUgcmV2b2NhdGlvbg0KPiBhPiAgbGlzdCBkb2VzIG5vdCByZWNvZ25pemUgYSBjcml0 aWNhbCBleHRlbnNpb24gaW4gdGhlIGNybEVudHJ5RXh0ZW5zaW9ucw0KPiBhPiAgZmllbGQsIGl0 IHNoYWxsIGFzc3VtZSB0aGF0LCBhdCBhIG1pbmltdW0sIHRoZSBpZGVudGlmaWVkIGNlcnRpZmlj YXRlDQo+IGE+ICBoYXMgYmVlbiByZXZva2VkIGFuZCBpcyBubyBsb25nZXIgdmFsaWQgYW5kIHBl cmZvcm0gYWRkaXRpb25hbCBhY3Rpb25zDQo+IGE+ICBjb25jZXJuaW5nIHRoYXQgcmV2b2tlZCBj ZXJ0aWZpY2F0ZSBhcyBkaWN0YXRlZCBieSBsb2NhbCBwb2xpY3kuDQo+DQo+IGI+ICBXaGVuIGFu IGltcGxlbWVudGF0aW9uIGRvZXMgbm90IHJlY29nbml6ZSBhIGNyaXRpY2FsIGV4dGVuc2lvbiBp biB0aGUNCj4gYj4gIGNybEV4dGVuc2lvbnMgZmllbGQsIGl0IHNoYWxsIGFzc3VtZSB0aGF0IGlk ZW50aWZpZWQgY2VydGlmaWNhdGVzDQo+IGI+ICBoYXZlIGJlZW4gcmV2b2tlZCBhbmQgYXJlIG5v IGxvbmdlciB2YWxpZC4NCj4NCj4gYz4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICBIb3dldmVyIGluIHRoZSBsYXR0ZXIgY2FzZSwNCj4gYz4gIHNpbmNlIHRoZSBs aXN0IG1heSBub3QgYmUgY29tcGxldGUsIGNlcnRpZmljYXRlcyB0aGF0IGhhdmUgbm90IGJlZW4N Cj4gYz4gIGlkZW50aWZpZWQgYXMgYmVpbmcgcmV2b2tlZCBjYW5ub3QgYmUgYXNzdW1lZCB0byBi ZSB2YWxpZC4gSW4gdGhpcyBjYXNlDQo+IGM+ICBsb2NhbCBwb2xpY3kgc2hhbGwgZGljdGF0ZSB0 aGUgYWN0aW9uIHRvIGJlIHRha2VuLiBJbiBhbnkgY2FzZSBsb2NhbA0KPiBjPiAgcG9saWN5IG1h eSBkaWN0YXRlIGFjdGlvbnMgaW4gYWRkaXRpb24gdG8gYW5kL29yIHN0cm9uZ2VyIHRoYW4gdGhv c2UNCj4gYz4gIHN0YXRlZCBpbiB0aGlzIFNwZWNpZmljYXRpb24uDQo+DQo+IGQ+ICBOT1RFIDUg LS0gSWYgYW4gZXh0ZW5zaW9uIGFmZmVjdHMgdGhlIHRyZWF0bWVudCBvZiB0aGUgbGlzdA0KPiBk PiAgKGUuZy4sIG11bHRpcGxlIENSTHMgbmVlZCB0byBiZSBzY2FubmVkIHRvIGV4YW1pbmUgdGhl IGVudGlyZSBsaXN0IG9mDQo+IGQ+ICByZXZva2VkIGNlcnRpZmljYXRlcywgb3IgYW4gZW50cnkg bWF5IHJlcHJlc2VudCBhIHJhbmdlIG9mIGNlcnRpZmljYXRlcyksDQo+IGQ+ICB0aGVuIHRoYXQg ZXh0ZW5zaW9uIHNoYWxsIGJlIGluZGljYXRlZCBhcyBjcml0aWNhbCBpbiB0aGUgY3JsRXh0ZW5z aW9ucw0KPiBkPiAgZmllbGQgcmVnYXJkbGVzcyBvZiB3aGVyZSB0aGUgZXh0ZW5zaW9uIGlzIHBs YWNlZCBpbiB0aGUgQ1JMLg0KPg0KPiBlPiAgQW4gZXh0ZW5zaW9uIGluZGljYXRlZCBpbiB0aGUg Y3JsRW50cnlFeHRlbnNpb25zIGZpZWxkIG9mIGFuIGVudHJ5IHNoYWxsDQo+IGU+ICBiZSBwbGFj ZWQgaW4gdGhhdCBlbnRyeSBhbmQgc2hhbGwgYWZmZWN0IG9ubHkgdGhlIGNlcnRpZmljYXRlKHMp DQo+IGU+ICBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeS4NCj4NCj4NCj4gKEkgaW5zZXJ0ZWQgYmxh bmsgbGluZXMgYWJvdmUgZm9yIHZpc3VhbCBjbGFyaXR5IG9mIHRoZSBYLjUwOSByZXF1aXJlbWVu dHMpLg0KPg0KPiB0d28gb3B0aW9ucywgYWxsIGNvbWJpbmF0aW9uczoNCj4NCj4gICgxKSBjZXJ0 ICAgICBvbiBDUkwsIENSTCB3aXRoIE5PIHVucmVjb2duaXplZCBjcml0aWNhbCBDUkxFbnRyeUV4 dGVuc2lvbnMNCj4gICgyKSBjZXJ0IE5PVCBvbiBDUkwsIENSTCB3aXRoIE5PIHVucmVjb2duaXpl ZCBjcml0aWNhbCBDUkxFbnRyeUV4dGVuc2lvbnMNCj4gICgzKSBjZXJ0ICAgICBvbiBDUkwsIENS TCB3aXRoICAgIHVucmVjb2duaXplZCBjcml0aWNhbCBDUkxFbnRyeUV4dGVuc2lvbg0KPiAgKDQp IGNlcnQgTk9UIG9uIENSTCwgQ1JMIHdpdGggICAgdW5yZWNvZ25pemVkIGNyaXRpY2FsIENSTEVu dHJ5RXh0ZW5zaW9uDQo+DQo+DQo+IEkgaG9wZSB3ZSBhZ3JlZSB0aGF0IFguNTA5IGFuZCByZmM1 MjgwIGFncmVlIG9uICgxKSBhbmQgKDIpIHJlc3VsdHMNCj4gZm9yIENSTCBjaGVja2luZy4NCj4N Cj4gcmZjNTI4MCBjdXJyZW50bHkgc2F5cyB0aGF0IGZvciAoMykrKDQpIHRoZSBlbnRpcmUgQ1JM IG91Z2h0IHRvIGJlIGlnbm9yZWQNCj4gYW5kIG90aGVyIENSTHMgbmVlZCB0byBiZSBldmFsdWF0 ZWQgIlVOREVURVJNSU5FRCINCj4NCj4gWC41MDkgc2F5cyBpbiAoYT4pIHRoYXQgZm9yICgzKSB0 aGUgc3RhdHVzIG9mIHRoZSBjZXJ0IGlzIGRlZmluaXRlbHkgcmV2b2tlZA0KPiBhbmQgc2F5cyBp biAoYz4pIGZvciAoNCkgdGhhdCB0aGUgQ1JMIG91Z2h0IHRvIGJlIGlnbm9yZWQgYW5kIG90aGVy IENSTHMgbmVlZA0KPiB0byBiZSBldmFsdWF0ZWQgIlVOREVURVJNSU5FRCINCj4NCj4gV2hpbGUg Ym90aCBYLjUwOSBhbmQgcmZjNTI4MCBhZ3JlZSBvbiB0aGUgcmVzdWx0IGZvciAoNCkgIlVOREVU RVJNSU5FRCIsDQo+IHRoZXJlIGlzIHRoZSBzdXBlcmZpY2lhbCBhcHBlYXJhbmNlIG9mIGEgZGlm ZmVyZW5jZSBmb3IgYSBjYXN1YWwNCj4gaW1wbGVtZW50ZXIgZm9yIGNhc2UgKDMpIGJldHdlZW4g WC41MDkgIlJFVk9LRUQiIGFuZCByZmM1MjgwICJVTkRFVEVSTUlORUQiDQo+IHRoYXQgbWlnaHQg bGVhZCB0byBhIHNsaWdodGx5IGxlc3MgZWZmaWNpZW50IHByb2Nlc3NpbmcgQ1JMcy4NCj4NCj4N Cj4gVGhlIG5ld2x5IHByb3Bvc2VkIHRleHQgKGluIC0wOSk6DQo+DQo+IHwgICAgIElmIGEgQ1JM IGNvbnRhaW5zIGEgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbg0KPiB8ICAgICB0aGF0IHRo ZSBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVA0K PiB8ICAgICBOT1QgdXNlIHRoYXQgQ1JMIHRvIGRldGVybWluZSB0aGUgc3RhdHVzIG9mIHRoZSBj ZXJ0aWZpY2F0ZQ0KPiB8ICAgICByZXByZXNlbnRlZCBieSB0aGUgQ1JMIGVudHJ5Lg0KPg0KPiBj cmVhdGVzIGEgc2lnbmlmaWNhbnRseSBkaXN0aW5jdCBiZWhhdmlvdXIgZm9yIGNhc2UgKDQpIHdo ZXJlIFguNTA5DQo+IGFuZCByZmM1MjgwIGFncmVlZCBvbiAiVU5ERVRFUk1JTkVEIiwgYnkgcmVk ZWZpbmluZyB0aGUgcmVzdWx0IHRvDQo+IGJlICJVTlJFVk9LRUQiLCBhbmQgcG90ZW50aWFsbHkg Y3JlYXRlcyBhIHNlY3VyaXR5IHByb2JsZW0sIGFuZCBhDQo+IG5ldywgYmFja3dhcmRzLWluY29t cGF0aWJsZSBiZWhhdmlvdXIgZm9yIGEgc2l0dWF0aW9uIHdoZXJlDQo+IFguNTA5IGFuZCByZmM1 MjgwIHVzZWQgdG8gYWdyZWUuIFN0aWxsLCB0aGUgbmV3IHRleHQgZG9lcyBub3QgZG8NCj4gYW55 dGhpbmcgYWJvdXQgY2FzZSAoMyksIHRoZSBvbmx5IGNhc2Ugd2hlcmUgWC41MDkgYW5kIHJmYzUy ODANCj4gYXBwZWFyIHRvIGRpZmZlciAoaW4gYSBtb3N0bHkgbWFyZ2luYWwgZmFzaGlvbikuDQo+ DQo+DQo+IEEgY2FyZWZ1bCBpbXBsZW1lbnRvciwgdGhhdCBhbmFseXplcyBOT1RFIDQgYW5kIE5P VEUgNSBmcm9tIFguNTA5DQo+IHF1b3RlZCBhYm92ZSBpbiBpdHMgZW50aXJldHksIHNob3VsZCBy ZWFsaXplIHRoYXQgdGhlIHNpdHVhdGlvbg0KPiB3aGVyZSBYLjUwOSBhbmQgcmZjNTI4MCBkaWZm ZXIgaXMgbWFyZ2luYWwuDQo+DQo+IFRoaXMgaXMgYmVjYXVzZSAoZD4pIGluIE5PVEUgNSBhYm92 ZSByZXF1aXJlcyAoInNoYWxsIikgdGhhdCBhDQo+IGNyaXRpY2FsIGNybEVudHJ5RXh0ZW5zaW9u IHdpdGggYSBzZW1hbnRpYyBiZXlvbmQgInRoaXMgY2VydCBpcw0KPiByZXZva2VkIiksIE1VU1Qg YmUgYWRkaXRpb25hbGx5IGluY2x1ZGVkIGFzIGEgY3JpdGljYWwgY3JsRXh0ZW5zaW9uLA0KPiB3 aXRoIHRoZSBlZmZlY3QgdGhhdCB0aGUgZW50aXJlIENSTCB3aWxsIGhhdmUgdG8gYmUgaWdub3Jl ZCBieQ0KPiBib3RoIFguNTA5IGFuZCByZmM1MjgwIGltcGxlbWVudGF0aW9ucyB0aGF0IGRvIG5v dCByZWNvZ25pemUNCj4gdGhlIGNybEV4dGVuc2lvbi4gIFNvIGFsbCBjb21wbGlhbnQgQ1JMcyB3 aXRoIGEgImZhbmN5Ig0KPiB1bnJlY29nbml6ZWQgY3JpdGljYWwgY3JsRW50cnlFeHRlbnNpb24s IHRoZSBhY2NvbXBhbnlpbmcNCj4gdW5yZWNvZ25pemVkIGNyaXRpY2FsIGNybEV4dGVuc2lvbiB3 aWxsIGNhdXNlIFguNTA5IGFuZCByZmM1MjgwDQo+IHRvIGFncmVlIG9uICgzKSB0byByZXR1cm4g IlVOREVURVJNSU5FRCIgYW5kIHJlcXVpcmUgb3RoZXINCj4gQ1JMcyB0byBiZSBjaGVja2VkLg0K Pg0KPg0KPiAtTWFydGluDQo+IF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fDQo+IHBraXggbWFpbGluZyBsaXN0DQo+IHBraXhAaWV0Zi5vcmc8bWFpbHRvOnBr aXhAaWV0Zi5vcmc+DQo+IGh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vcGtp eA0K --_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC1E34CH1PRD0610MB393_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJ e2ZvbnQtZmFtaWx5OlRhaG9tYTsNCglwYW5vc2UtMToyIDExIDYgNCAzIDUgNCA0IDIgNDt9DQov KiBTdHlsZSBEZWZpbml0aW9ucyAqLw0KcC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1hbCwgZGl2Lk1z b05vcm1hbA0KCXttYXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNp emU6MTIuMHB0Ow0KCWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4iLCJzZXJpZiI7fQ0KYTps aW5rLCBzcGFuLk1zb0h5cGVybGluaw0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6 Ymx1ZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCmE6dmlzaXRlZCwgc3Bhbi5Nc29I eXBlcmxpbmtGb2xsb3dlZA0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6cHVycGxl Ow0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KdHQNCgl7bXNvLXN0eWxlLXByaW9yaXR5 Ojk5Ow0KCWZvbnQtZmFtaWx5OiJDb3VyaWVyIE5ldyI7fQ0KcC5Nc29BY2V0YXRlLCBsaS5Nc29B Y2V0YXRlLCBkaXYuTXNvQWNldGF0ZQ0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0 eWxlLWxpbms6IkJhbGxvb24gVGV4dCBDaGFyIjsNCgltYXJnaW46MGluOw0KCW1hcmdpbi1ib3R0 b206LjAwMDFwdDsNCglmb250LXNpemU6OC4wcHQ7DQoJZm9udC1mYW1pbHk6IlRhaG9tYSIsInNh bnMtc2VyaWYiO30NCnNwYW4uRW1haWxTdHlsZTE4DQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFs Ow0KCWZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiOw0KCWNvbG9yOiMxRjQ5N0Q7DQoJ Zm9udC13ZWlnaHQ6bm9ybWFsOw0KCWZvbnQtc3R5bGU6bm9ybWFsOw0KCXRleHQtZGVjb3JhdGlv bjpub25lIG5vbmU7fQ0Kc3Bhbi5FbWFpbFN0eWxlMTkNCgl7bXNvLXN0eWxlLXR5cGU6cGVyc29u YWwtcmVwbHk7DQoJZm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjsNCgljb2xvcjoj MUY0OTdEO30NCnNwYW4uQmFsbG9vblRleHRDaGFyDQoJe21zby1zdHlsZS1uYW1lOiJCYWxsb29u IFRleHQgQ2hhciI7DQoJbXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiJC YWxsb29uIFRleHQiOw0KCWZvbnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIjt9DQouTXNv Q2hwRGVmYXVsdA0KCXttc28tc3R5bGUtdHlwZTpleHBvcnQtb25seTsNCglmb250LXNpemU6MTAu MHB0O30NCkBwYWdlIFdvcmRTZWN0aW9uMQ0KCXtzaXplOjguNWluIDExLjBpbjsNCgltYXJnaW46 MS4waW4gMS4waW4gMS4waW4gMS4waW47fQ0KZGl2LldvcmRTZWN0aW9uMQ0KCXtwYWdlOldvcmRT ZWN0aW9uMTt9DQotLT48L3N0eWxlPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVk ZWZhdWx0cyB2OmV4dD0iZWRpdCIgc3BpZG1heD0iMTAyNiIgLz4NCjwveG1sPjwhW2VuZGlmXS0t PjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVsYXlvdXQgdjpleHQ9ImVkaXQiPg0K PG86aWRtYXAgdjpleHQ9ImVkaXQiIGRhdGE9IjEiIC8+DQo8L286c2hhcGVsYXlvdXQ+PC94bWw+ PCFbZW5kaWZdLS0+DQo8L2hlYWQ+DQo8Ym9keSBsYW5nPSJFTi1VUyIgbGluaz0iYmx1ZSIgdmxp bms9InB1cnBsZSI+DQo8ZGl2IGNsYXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2Fs aWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPlRoYW5rcyBT YW50b3NoLCB5b3VyIHByb3Bvc2VkIGFkZGl0aW9uIHdpbGwgYWxpZ24gNTI4MCB3aXRoIFguNTA5 Lg0KPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVv dDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPldlIHNob3VsZCBhbHNvIHJlbW92ZSB0 aGlzIHRleHQgZnJvbSBkcmFmdC0wOS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVv dDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86 cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVv dDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPuKAnElmIGEgQ1JMIGNvbnRhaW5zIGEg Y3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiB0aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3Qg cHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVCZuYnNwOyBOT1QgdXNlIHRoYXQgQ1JM IHRvIGRldGVybWluZSB0aGUgc3RhdHVzIG9mDQogdGhlIGNlcnRpZmljYXRlIHJlcHJlc2VudGVk IGJ5IHRoZSBDUkwgZW50cnku4oCdPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+ Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7 c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj5BcyB0aGlzIG9idmlvdXNseSBjb250cmFk aWN0cyB3aXRoIHlvdXIgcHJvcG9zZWQgdGV4dC48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWls eTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3 RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPGRpdiBzdHlsZT0iYm9yZGVyOm5vbmU7 Ym9yZGVyLWxlZnQ6c29saWQgYmx1ZSAxLjVwdDtwYWRkaW5nOjBpbiAwaW4gMGluIDQuMHB0Ij4N CjxkaXY+DQo8ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItdG9wOnNvbGlkICNCNUM0REYg MS4wcHQ7cGFkZGluZzozLjBwdCAwaW4gMGluIDBpbiI+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 Yj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtUYWhvbWEm cXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+RnJvbTo8L3NwYW4+PC9iPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZxdW90OywmcXVvdDtz YW5zLXNlcmlmJnF1b3Q7Ij4gU2FudG9zaCBDaG9raGFuaSBbbWFpbHRvOlNDaG9raGFuaUBjeWdu YWNvbS5jb21dDQo8YnI+DQo8Yj5TZW50OjwvYj4gTW9uZGF5LCBTZXB0ZW1iZXIgMTcsIDIwMTIg NzoyMiBBTTxicj4NCjxiPlRvOjwvYj4gZGVuaXMucGlua2FzQGJ1bGwubmV0OyBtcmV4QHNhcC5j b207IFBpeXVzaCBKYWluPGJyPg0KPGI+Q2M6PC9iPiBwa2l4PGJyPg0KPGI+U3ViamVjdDo8L2I+ IFJFOiBbcGtpeF0gNTI4MGJpcywgdi0wOTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0K PC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6OS4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj5U aGlzIGFsc28gcmVsYXRlcyB0byBlYXJsaWVyIHBvc3QgSSBtYWRlIGluIHJlc3BvbnNlIHRvIFBp eXVzaC48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90 O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+ PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo5LjBwdDtm b250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9y OiMxRjQ5N0QiPkkgYXNzdW1lIHdlIGFyZSBhZGRpbmcgdGhlIGZvbGxvd2luZyB0byB0aGUgUkZD IOKAnDwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzEwNDE2MCI+QSBjcml0 aWNhbCBleHRlbnNpb24gaW4gdGhlDQo8Yj5jcmxFbnRyeUV4dGVuc2lvbnM8L2I+IGZpZWxkIG9m IGFuIGVudHJ5IHNoYWxsIGFmZmVjdCBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4g dGhhdCBlbnRyeSwgdW5sZXNzIHRoZXJlIGlzIGEgcmVsYXRlZCBjcml0aWNhbCBleHRlbnNpb24g aW4gdGhlDQo8Yj5jcmxFeHRlbnNpb25zPC9iPiBmaWVsZCB0aGF0IGFkdmVydGlzZXMgYSBzcGVj aWFsIHRyZWF0bWVudCBmb3IgaXQu4oCdJm5ic3A7IEluIG9yZGVyIHRvIHVzZSBzdWNoIENSTCwg dGhlIHJlbHlpbmcgcGFydHkgbXVzdCBiZSBhYmxlIHRvIHByb2Nlc3MgYm90aCB0aGUNCjxiPmNy bEVudHJ5RXh0ZW5zaW9uIDwvYj5hbmQgdGhlIHJlbGF0ZWQgPGI+Y3JsRXh0ZW5zaW9uLuKAnTxv OnA+PC9vOnA+PC9iPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48Yj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90 O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzEwNDE2MCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+ PC9iPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6OS4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztj b2xvcjojMTA0MTYwIj5JbiB0aGF0IGNhc2UsIEkgZG8gbm90IG1pbmQgYWRkaW5nIHRoZSBmb2xs b3dpbmcgdG8gNTI4MCAoYSBzbGlnaHQgbW9kaWZpY2F0aW9uIHRvIHdoYXQgRGVuaXMgaGFzOjxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJm b250LXNpemU6OS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1z ZXJpZiZxdW90Oztjb2xvcjojMTA0MTYwIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzEwNDE2 MCI+SWYgYW4gYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MgYSBjcml0aWNhbCBleHRlbnNpb24g aW4gdGhlDQo8Yj5jcmxFbnRyeUV4dGVuc2lvbnM8L2I+IGZpZWxkIG9mIGFuIGVudHJ5IHRoYXQg YWZmZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgYXMg aW5kaWNhdGVkIGJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZCBjcml0aWNhbCBleHRlbnNpb24g aW4gdGhlDQo8Yj5jcmxFeHRlbnNpb25zPC9iPiBmaWVsZCwgdGhlbiB0aGUgY2VydGlmaWNhdGUg aWRlbnRpZmllZCBieSB0aGUgQ1JMIGVudHJ5IHNoYWxsIGJlIGNvbnNpZGVyZWQgcmV2b2tlZC48 L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo5LjBwdDtmb250LWZhbWlseTomcXVvdDtBcmlh bCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 OS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90 Oztjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48Yj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTom cXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+RnJvbTo8L3NwYW4+PC9i PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZx dW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij4NCjxhIGhyZWY9Im1haWx0bzpwa2l4LWJvdW5j ZXNAaWV0Zi5vcmciPnBraXgtYm91bmNlc0BpZXRmLm9yZzwvYT4gPGEgaHJlZj0ibWFpbHRvOltt YWlsdG86cGtpeC1ib3VuY2VzQGlldGYub3JnXSI+DQpbbWFpbHRvOnBraXgtYm91bmNlc0BpZXRm Lm9yZ108L2E+IDxiPk9uIEJlaGFsZiBPZiA8L2I+PGEgaHJlZj0ibWFpbHRvOmRlbmlzLnBpbmth c0BidWxsLm5ldCI+ZGVuaXMucGlua2FzQGJ1bGwubmV0PC9hPjxicj4NCjxiPlNlbnQ6PC9iPiBN b25kYXksIFNlcHRlbWJlciAxNywgMjAxMiAzOjQ3IEFNPGJyPg0KPGI+VG86PC9iPiA8YSBocmVm PSJtYWlsdG86bXJleEBzYXAuY29tIj5tcmV4QHNhcC5jb208L2E+OyBQaXl1c2ggSmFpbjxicj4N CjxiPkNjOjwvYj4gcGtpeDxicj4NCjxiPlN1YmplY3Q6PC9iPiBSZTogW3BraXhdIDUyODBiaXMs IHYtMDk8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZu YnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYm cXVvdDsiPkdvb2QgY2F0Y2ggTWFydGluLDwvc3Bhbj4NCjxicj4NCjxicj4NCjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3Nh bnMtc2VyaWYmcXVvdDsiPllvdSBjYW1lIGJhY2sgZnJvbSB2YWNhdGlvbiBqdXN0IGluIHRpbWUu IDotKTwvc3Bhbj4NCjxicj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPkkgcHJv cG9zZSB0aGUgZm9sbG93aW5nOjwvc3Bhbj4NCjxicj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij5SZXBsYWNl Ojwvc3Bhbj4gPGJyPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsiPnwgJm5ic3A7ICZuYnNwOyBJZiBhIENSTCBj b250YWlucyBhIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24NCjwvc3Bhbj48YnI+DQo8c3Bh biBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZx dW90OyI+fCAmbmJzcDsgJm5ic3A7IHRoYXQgdGhlIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNz LCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBNVVNUDQo8L3NwYW4+PGJyPg0KPHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsiPnwgJm5i c3A7ICZuYnNwOyBOT1QgdXNlIHRoYXQgQ1JMIHRvIGRldGVybWluZSB0aGUgc3RhdHVzIG9mIGFu eSBjZXJ0aWZpY2F0ZXMuPC9zcGFuPg0KPGJyPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsiPndpdGg8L3NwYW4+ IDxicj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij58ICZuYnNwOyAmbmJzcDsgSWYgYSBDUkwgY29udGFpbnMg aW4gYSBDUkwgZW50cnkgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uDQo8L3NwYW4+PGJy Pg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291cmll ciBOZXcmcXVvdDsiPnwgJm5ic3A7ICZuYnNwOyB0aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3Qg cHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVA0KPC9zcGFuPjxicj4NCjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7 Ij58ICZuYnNwOyAmbmJzcDsgY29uc2lkZXIgdGhhdCB0aGUgY2VydGlmaWNhdGUgaWRlbnRpZmll ZCBpbiB0aGF0IENSTCBlbnRyeSBpcw0KPC9zcGFuPjxicj4NCjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij58ICZuYnNwOyAm bmJzcDsgcmV2b2tlZC4gJm5ic3A7PC9zcGFuPiA8YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9u dC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNl cmlmJnF1b3Q7Ij5JbiBvcmRlciB0byBhbnN3ZXIgdG8gUGl5dXNoLCBJIGJlbGlldmUgdGhhdCDi gJx1bmtub3du4oCdIHNob3VsZCBiZSB1c2VkIHJhdGhlciB0aGFuIOKAnHJldm9rZWTigJ0uPC9z cGFuPg0KPGJyPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+VGhlIGZvbGxvd2lu ZyBleGFtcGxlIGlzIGFuIGlsbHVzdHJhdGlvbjo8L3NwYW4+DQo8YnI+DQo8YnI+DQo8c3BhbiBz dHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVv dDtzYW5zLXNlcmlmJnF1b3Q7Ij5UaGUgc3RhdHVzIG9mIGEgZ2l2ZW4gY2VydGlmaWNhdGUgaXMg aW5kaWNhdGVkIGFzIOKAnGdvb2TigJ0sIGJ1dCB0aGVyZSBpcyBhIENSTCBlbnRyeSB3aXRoIGEg Y3JpdGljYWwNCjxicj4NCkNSTCBlbnRyeSBleHRlbnNpb24uIFRoaXMgZW50cnkgbWVhbnMgKGZv ciB0aGUgYXBwbGljYXRpb25zIHdoaWNoIHVuZGVyc3RhbmQgaXQpIDoNCjwvc3Bhbj48YnI+DQo8 YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtBcmlh bCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij4mcXVvdDtUaGUgc3RhdHVzIHdoaWNoIGlz IHVzdWFsbHkgb2J0YWluZWQgdXNpbmcgYSBkYXRhYmFzZSBvZiBpc3N1ZWQgY2VydGlmaWNhdGVz IGhhcyBiZWVuIG9idGFpbmVkIGZyb20gQ1JMcy4NCjxicj4NCklmIHlvdSByZWFsbHkgbmVlZCB0 byB0YWtlIGEgZGVjaXNpb24gbm93LCBpdCBpcyBhdCB5b3VyIG93biByaXNrLiBJZiB5b3UgY2Fu IHdhaXQsIHlvdSBoYWQgYmV0dGVyIHRvIHRyeSBhZ2FpbiBsYXRlciBvbiZxdW90Oy48L3NwYW4+ DQo8YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTom cXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5Zb3VyIG5leHQgcXVlc3Rp b24gd2lsbCBjZXJ0YWlubHkgYmU6IHNvIHdoeSBkb27igJl0IHlvdSB1c2UgdGhlIHByb3Bvc2Vk IGNlcnRJbmZvIGV4dGVuc2lvbiA/PC9zcGFuPg0KPGJyPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1z ZXJpZiZxdW90OyI+Rm9yIGFwcGxpY2F0aW9ucyB3aGljaCBkbyBub3QgdW5kZXJzdGFuZCB0aGlz IGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24sIHRoZXJlIGlzIG5vIGRpZmZlcmVuY2UuPC9z cGFuPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+VGhleSBnZXQgYW4gJnF1b3Q7 dW5rbm93biZxdW90OyBzdGF0dXMgaW4gYm90aCBjYXNlcy48L3NwYW4+DQo8YnI+DQo8YnI+DQo8 c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90 OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5Gb3IgYXBwbGljYXRpb25zIHdoaWNoIHVuZGVyc3Rh bmQgdGhpcyBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uIGl0IHByb3ZpZGVzIGxlc3MgYmVu ZWZpdHMNCjxicj4NCnRoYW4gdGhlIHByb3Bvc2VkIGNlcnRJbmZvIGV4dGVuc2lvbiwgYnV0IGl0 IG1pZ2h0IGJlIHF1aWNrZXIgdG8gaW1wbGVtZW50IGFuZCBpdCBlbmZvcmNlcyBhIHBvbGljeS48 L3NwYW4+DQo8YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZh bWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5EZW5pczwvc3Bh bj4gPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 Q291cmllciBOZXcmcXVvdDsiPjxicj4NCjxicj4NCjx0dD4mZ3Q7IEkgb2JqZWN0IHRvIHRoZSBw cm9wb3NlZCBuZXcgdGV4dCBhYm91dCBDUkxFbnRyeUV4dGVuc2lvbnM8L3R0Pjxicj4NCjx0dD4m Z3Q7IGluIHRoZSBjbGFyaWZpY2F0aW9uIGRvY3VtZW50LCBiZWNhdXNlIGFzIGlzLCB3b3VsZCBz aWduaWZpY2FudGx5PC90dD48YnI+DQo8dHQ+Jmd0OyB3b3JzZW4gdGhlIGRpZmZlcmVuY2UgYmV0 d2VlbiBQS0lYIGFuZCBYLjUwOSBhbmQgbWFrZSB0aGluZ3M8L3R0Pjxicj4NCjx0dD4mZ3Q7IGNs ZWFybHkgaW5jb21wYXRpYmxlIHJhdGhlciB0aGFuIHNsaWdodGx5IGxlc3MgZWZmaWNpZW50Ljwv dHQ+PGJyPg0KPHR0PiZndDsgPC90dD48YnI+DQo8dHQ+Jmd0OyBJZiBhbnl0aGluZywgdGhlIGdh cCBzaG91bGQgYmUgcmVkdWNlZCwgY29tcGF0aWJpbGl0eSBiZXR3ZWVuPC90dD48YnI+DQo8dHQ+ Jmd0OyBQS0lYIGFuZCBYLjUwOSBpbXByb3ZlZCBhbmQgdGhlIG9yaWdpbmFsIGFyY2hpdGVjdHVy ZSBub3QgdmlvbGF0ZWQuPC90dD48YnI+DQo8dHQ+Jmd0OyA8L3R0Pjxicj4NCjx0dD4mZ3Q7IFBs ZWFzZSByZWNhbGwgdGhlIG9yaWdpbmFsIE5PVEUgNCAmYW1wOyA1IHRoYXQgSSBxdW90ZWQgZnJv bTwvdHQ+PGJyPg0KPHR0PiZndDsgSVRVLVQgUmVjLiBYLjUwOSAoMDgvMjAwNSksIFNlY3Rpb24g Ny4zLCB0b3Agb2YgcGFnZSAxODo8L3R0Pjxicj4NCjx0dD4mZ3Q7IChnZXQgdGhlbSBoZXJlIDwv dHQ+PC9zcGFuPjxhIGhyZWY9Imh0dHA6Ly93d3cuaXR1LmludC9yZWMvVC1SRUMtWC41MDkiPjx0 dD48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdCI+aHR0cDovL3d3dy5pdHUuaW50L3JlYy9U LVJFQy1YLjUwOTwvc3Bhbj48L3R0PjwvYT48dHQ+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4w cHQiPik6PC9zcGFuPjwvdHQ+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsiPjxicj4NCjx0dD4mZ3Q7IDwvdHQ+PGJyPg0KPHR0 PiZndDsgYSZndDsgJm5ic3A7Tk9URSA0IC0tIFdoZW4gYW4gaW1wbGVtZW50YXRpb24gcHJvY2Vz c2luZyBhIGNlcnRpZmljYXRlIHJldm9jYXRpb248L3R0Pjxicj4NCjx0dD4mZ3Q7IGEmZ3Q7ICZu YnNwO2xpc3QgZG9lcyBub3QgcmVjb2duaXplIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBj cmxFbnRyeUV4dGVuc2lvbnM8L3R0Pjxicj4NCjx0dD4mZ3Q7IGEmZ3Q7ICZuYnNwO2ZpZWxkLCBp dCBzaGFsbCBhc3N1bWUgdGhhdCwgYXQgYSBtaW5pbXVtLCB0aGUgaWRlbnRpZmllZCBjZXJ0aWZp Y2F0ZTwvdHQ+PGJyPg0KPHR0PiZndDsgYSZndDsgJm5ic3A7aGFzIGJlZW4gcmV2b2tlZCBhbmQg aXMgbm8gbG9uZ2VyIHZhbGlkIGFuZCBwZXJmb3JtIGFkZGl0aW9uYWwgYWN0aW9uczwvdHQ+PGJy Pg0KPHR0PiZndDsgYSZndDsgJm5ic3A7Y29uY2VybmluZyB0aGF0IHJldm9rZWQgY2VydGlmaWNh dGUgYXMgZGljdGF0ZWQgYnkgbG9jYWwgcG9saWN5LjwvdHQ+PGJyPg0KPHR0PiZndDsgPC90dD48 YnI+DQo8dHQ+Jmd0OyBiJmd0OyAmbmJzcDtXaGVuIGFuIGltcGxlbWVudGF0aW9uIGRvZXMgbm90 IHJlY29nbml6ZSBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGU8L3R0Pjxicj4NCjx0dD4mZ3Q7 IGImZ3Q7ICZuYnNwO2NybEV4dGVuc2lvbnMgZmllbGQsIGl0IHNoYWxsIGFzc3VtZSB0aGF0IGlk ZW50aWZpZWQgY2VydGlmaWNhdGVzPC90dD48YnI+DQo8dHQ+Jmd0OyBiJmd0OyAmbmJzcDtoYXZl IGJlZW4gcmV2b2tlZCBhbmQgYXJlIG5vIGxvbmdlciB2YWxpZC48L3R0Pjxicj4NCjx0dD4mZ3Q7 IDwvdHQ+PGJyPg0KPHR0PiZndDsgYyZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJz cDsgJm5ic3A7IEhvd2V2ZXIgaW4gdGhlIGxhdHRlciBjYXNlLDwvdHQ+PGJyPg0KPHR0PiZndDsg YyZndDsgJm5ic3A7c2luY2UgdGhlIGxpc3QgbWF5IG5vdCBiZSBjb21wbGV0ZSwgY2VydGlmaWNh dGVzIHRoYXQgaGF2ZSBub3QgYmVlbjwvdHQ+PGJyPg0KPHR0PiZndDsgYyZndDsgJm5ic3A7aWRl bnRpZmllZCBhcyBiZWluZyByZXZva2VkIGNhbm5vdCBiZSBhc3N1bWVkIHRvIGJlIHZhbGlkLiBJ biB0aGlzIGNhc2U8L3R0Pjxicj4NCjx0dD4mZ3Q7IGMmZ3Q7ICZuYnNwO2xvY2FsIHBvbGljeSBz aGFsbCBkaWN0YXRlIHRoZSBhY3Rpb24gdG8gYmUgdGFrZW4uIEluIGFueSBjYXNlIGxvY2FsPC90 dD48YnI+DQo8dHQ+Jmd0OyBjJmd0OyAmbmJzcDtwb2xpY3kgbWF5IGRpY3RhdGUgYWN0aW9ucyBp biBhZGRpdGlvbiB0byBhbmQvb3Igc3Ryb25nZXIgdGhhbiB0aG9zZTwvdHQ+PGJyPg0KPHR0PiZn dDsgYyZndDsgJm5ic3A7c3RhdGVkIGluIHRoaXMgU3BlY2lmaWNhdGlvbi48L3R0Pjxicj4NCjx0 dD4mZ3Q7IDwvdHQ+PGJyPg0KPHR0PiZndDsgZCZndDsgJm5ic3A7Tk9URSA1IC0tIElmIGFuIGV4 dGVuc2lvbiBhZmZlY3RzIHRoZSB0cmVhdG1lbnQgb2YgdGhlIGxpc3Q8L3R0Pjxicj4NCjx0dD4m Z3Q7IGQmZ3Q7ICZuYnNwOyhlLmcuLCBtdWx0aXBsZSBDUkxzIG5lZWQgdG8gYmUgc2Nhbm5lZCB0 byBleGFtaW5lIHRoZSBlbnRpcmUgbGlzdCBvZjwvdHQ+PGJyPg0KPHR0PiZndDsgZCZndDsgJm5i c3A7cmV2b2tlZCBjZXJ0aWZpY2F0ZXMsIG9yIGFuIGVudHJ5IG1heSByZXByZXNlbnQgYSByYW5n ZSBvZiBjZXJ0aWZpY2F0ZXMpLDwvdHQ+PGJyPg0KPHR0PiZndDsgZCZndDsgJm5ic3A7dGhlbiB0 aGF0IGV4dGVuc2lvbiBzaGFsbCBiZSBpbmRpY2F0ZWQgYXMgY3JpdGljYWwgaW4gdGhlIGNybEV4 dGVuc2lvbnM8L3R0Pjxicj4NCjx0dD4mZ3Q7IGQmZ3Q7ICZuYnNwO2ZpZWxkIHJlZ2FyZGxlc3Mg b2Ygd2hlcmUgdGhlIGV4dGVuc2lvbiBpcyBwbGFjZWQgaW4gdGhlIENSTC48L3R0Pjxicj4NCjx0 dD4mZ3Q7IDwvdHQ+PGJyPg0KPHR0PiZndDsgZSZndDsgJm5ic3A7QW4gZXh0ZW5zaW9uIGluZGlj YXRlZCBpbiB0aGUgY3JsRW50cnlFeHRlbnNpb25zIGZpZWxkIG9mIGFuIGVudHJ5IHNoYWxsPC90 dD48YnI+DQo8dHQ+Jmd0OyBlJmd0OyAmbmJzcDtiZSBwbGFjZWQgaW4gdGhhdCBlbnRyeSBhbmQg c2hhbGwgYWZmZWN0IG9ubHkgdGhlIGNlcnRpZmljYXRlKHMpPC90dD48YnI+DQo8dHQ+Jmd0OyBl Jmd0OyAmbmJzcDtzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeS48L3R0Pjxicj4NCjx0dD4mZ3Q7IDwv dHQ+PGJyPg0KPHR0PiZndDsgPC90dD48YnI+DQo8dHQ+Jmd0OyAoSSBpbnNlcnRlZCBibGFuayBs aW5lcyBhYm92ZSBmb3IgdmlzdWFsIGNsYXJpdHkgb2YgdGhlIFguNTA5IHJlcXVpcmVtZW50cyku PC90dD48YnI+DQo8dHQ+Jmd0OyA8L3R0Pjxicj4NCjx0dD4mZ3Q7IHR3byBvcHRpb25zLCBhbGwg Y29tYmluYXRpb25zOjwvdHQ+PGJyPg0KPHR0PiZndDsgPC90dD48YnI+DQo8dHQ+Jmd0OyAmbmJz cDsoMSkgY2VydCAmbmJzcDsgJm5ic3A7IG9uIENSTCwgQ1JMIHdpdGggTk8gdW5yZWNvZ25pemVk IGNyaXRpY2FsIENSTEVudHJ5RXh0ZW5zaW9ucyA8L3R0Pg0KPGJyPg0KPHR0PiZndDsgJm5ic3A7 KDIpIGNlcnQgTk9UIG9uIENSTCwgQ1JMIHdpdGggTk8gdW5yZWNvZ25pemVkIGNyaXRpY2FsIENS TEVudHJ5RXh0ZW5zaW9ucyA8L3R0Pg0KPGJyPg0KPHR0PiZndDsgJm5ic3A7KDMpIGNlcnQgJm5i c3A7ICZuYnNwOyBvbiBDUkwsIENSTCB3aXRoICZuYnNwOyAmbmJzcDt1bnJlY29nbml6ZWQgY3Jp dGljYWwgQ1JMRW50cnlFeHRlbnNpb248L3R0Pjxicj4NCjx0dD4mZ3Q7ICZuYnNwOyg0KSBjZXJ0 IE5PVCBvbiBDUkwsIENSTCB3aXRoICZuYnNwOyAmbmJzcDt1bnJlY29nbml6ZWQgY3JpdGljYWwg Q1JMRW50cnlFeHRlbnNpb248L3R0Pjxicj4NCjx0dD4mZ3Q7IDwvdHQ+PGJyPg0KPHR0PiZndDsg PC90dD48YnI+DQo8dHQ+Jmd0OyBJIGhvcGUgd2UgYWdyZWUgdGhhdCBYLjUwOSBhbmQgcmZjNTI4 MCBhZ3JlZSBvbiAoMSkgYW5kICgyKSByZXN1bHRzPC90dD48YnI+DQo8dHQ+Jmd0OyBmb3IgQ1JM IGNoZWNraW5nLjwvdHQ+PGJyPg0KPHR0PiZndDsgPC90dD48YnI+DQo8dHQ+Jmd0OyByZmM1Mjgw IGN1cnJlbnRseSBzYXlzIHRoYXQgZm9yICgzKSYjNDM7KDQpIHRoZSBlbnRpcmUgQ1JMIG91Z2h0 IHRvIGJlIGlnbm9yZWQ8L3R0Pjxicj4NCjx0dD4mZ3Q7IGFuZCBvdGhlciBDUkxzIG5lZWQgdG8g YmUgZXZhbHVhdGVkICZxdW90O1VOREVURVJNSU5FRCZxdW90OzwvdHQ+PGJyPg0KPHR0PiZndDsg PC90dD48YnI+DQo8dHQ+Jmd0OyBYLjUwOSBzYXlzIGluIChhJmd0OykgdGhhdCBmb3IgKDMpIHRo ZSBzdGF0dXMgb2YgdGhlIGNlcnQgaXMgZGVmaW5pdGVseSByZXZva2VkPC90dD48YnI+DQo8dHQ+ Jmd0OyBhbmQgc2F5cyBpbiAoYyZndDspIGZvciAoNCkgdGhhdCB0aGUgQ1JMIG91Z2h0IHRvIGJl IGlnbm9yZWQgYW5kIG90aGVyIENSTHMgbmVlZDwvdHQ+PGJyPg0KPHR0PiZndDsgdG8gYmUgZXZh bHVhdGVkICZxdW90O1VOREVURVJNSU5FRCZxdW90OzwvdHQ+PGJyPg0KPHR0PiZndDsgPC90dD48 YnI+DQo8dHQ+Jmd0OyBXaGlsZSBib3RoIFguNTA5IGFuZCByZmM1MjgwIGFncmVlIG9uIHRoZSBy ZXN1bHQgZm9yICg0KSAmcXVvdDtVTkRFVEVSTUlORUQmcXVvdDssPC90dD48YnI+DQo8dHQ+Jmd0 OyB0aGVyZSBpcyB0aGUgc3VwZXJmaWNpYWwgYXBwZWFyYW5jZSBvZiBhIGRpZmZlcmVuY2UgZm9y IGEgY2FzdWFsPC90dD48YnI+DQo8dHQ+Jmd0OyBpbXBsZW1lbnRlciBmb3IgY2FzZSAoMykgYmV0 d2VlbiBYLjUwOSAmcXVvdDtSRVZPS0VEJnF1b3Q7IGFuZCByZmM1MjgwICZxdW90O1VOREVURVJN SU5FRCZxdW90OzwvdHQ+PGJyPg0KPHR0PiZndDsgdGhhdCBtaWdodCBsZWFkIHRvIGEgc2xpZ2h0 bHkgbGVzcyBlZmZpY2llbnQgcHJvY2Vzc2luZyBDUkxzLjwvdHQ+PGJyPg0KPHR0PiZndDsgPC90 dD48YnI+DQo8dHQ+Jmd0OyA8L3R0Pjxicj4NCjx0dD4mZ3Q7IFRoZSBuZXdseSBwcm9wb3NlZCB0 ZXh0IChpbiAtMDkpOjwvdHQ+PGJyPg0KPHR0PiZndDsgPC90dD48YnI+DQo8dHQ+Jmd0OyB8ICZu YnNwOyAmbmJzcDsgSWYgYSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5z aW9uPC90dD48YnI+DQo8dHQ+Jmd0OyB8ICZuYnNwOyAmbmJzcDsgdGhhdCB0aGUgYXBwbGljYXRp b24gY2Fubm90IHByb2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0aW9uIE1VU1Q8L3R0Pjxicj4NCjx0 dD4mZ3Q7IHwgJm5ic3A7ICZuYnNwOyBOT1QgdXNlIHRoYXQgQ1JMIHRvIGRldGVybWluZSB0aGUg c3RhdHVzIG9mIHRoZSBjZXJ0aWZpY2F0ZTwvdHQ+PGJyPg0KPHR0PiZndDsgfCAmbmJzcDsgJm5i c3A7IHJlcHJlc2VudGVkIGJ5IHRoZSBDUkwgZW50cnkuICZuYnNwOzwvdHQ+PGJyPg0KPHR0PiZn dDsgPC90dD48YnI+DQo8dHQ+Jmd0OyBjcmVhdGVzIGEgc2lnbmlmaWNhbnRseSBkaXN0aW5jdCBi ZWhhdmlvdXIgZm9yIGNhc2UgKDQpIHdoZXJlIFguNTA5PC90dD48YnI+DQo8dHQ+Jmd0OyBhbmQg cmZjNTI4MCBhZ3JlZWQgb24gJnF1b3Q7VU5ERVRFUk1JTkVEJnF1b3Q7LCBieSByZWRlZmluaW5n IHRoZSByZXN1bHQgdG88L3R0Pjxicj4NCjx0dD4mZ3Q7IGJlICZxdW90O1VOUkVWT0tFRCZxdW90 OywgYW5kIHBvdGVudGlhbGx5IGNyZWF0ZXMgYSBzZWN1cml0eSBwcm9ibGVtLCBhbmQgYTwvdHQ+ PGJyPg0KPHR0PiZndDsgbmV3LCBiYWNrd2FyZHMtaW5jb21wYXRpYmxlIGJlaGF2aW91ciBmb3Ig YSBzaXR1YXRpb24gd2hlcmU8L3R0Pjxicj4NCjx0dD4mZ3Q7IFguNTA5IGFuZCByZmM1MjgwIHVz ZWQgdG8gYWdyZWUuIFN0aWxsLCB0aGUgbmV3IHRleHQgZG9lcyBub3QgZG88L3R0Pjxicj4NCjx0 dD4mZ3Q7IGFueXRoaW5nIGFib3V0IGNhc2UgKDMpLCB0aGUgb25seSBjYXNlIHdoZXJlIFguNTA5 IGFuZCByZmM1MjgwPC90dD48YnI+DQo8dHQ+Jmd0OyBhcHBlYXIgdG8gZGlmZmVyIChpbiBhIG1v c3RseSBtYXJnaW5hbCBmYXNoaW9uKS48L3R0Pjxicj4NCjx0dD4mZ3Q7IDwvdHQ+PGJyPg0KPHR0 PiZndDsgPC90dD48YnI+DQo8dHQ+Jmd0OyBBIGNhcmVmdWwgaW1wbGVtZW50b3IsIHRoYXQgYW5h bHl6ZXMgTk9URSA0IGFuZCBOT1RFIDUgZnJvbSBYLjUwOTwvdHQ+PGJyPg0KPHR0PiZndDsgcXVv dGVkIGFib3ZlIGluIGl0cyBlbnRpcmV0eSwgc2hvdWxkIHJlYWxpemUgdGhhdCB0aGUgc2l0dWF0 aW9uPC90dD48YnI+DQo8dHQ+Jmd0OyB3aGVyZSBYLjUwOSBhbmQgcmZjNTI4MCBkaWZmZXIgaXMg bWFyZ2luYWwuPC90dD48YnI+DQo8dHQ+Jmd0OyA8L3R0Pjxicj4NCjx0dD4mZ3Q7IFRoaXMgaXMg YmVjYXVzZSAoZCZndDspIGluIE5PVEUgNSBhYm92ZSByZXF1aXJlcyAoJnF1b3Q7c2hhbGwmcXVv dDspIHRoYXQgYTwvdHQ+PGJyPg0KPHR0PiZndDsgY3JpdGljYWwgY3JsRW50cnlFeHRlbnNpb24g d2l0aCBhIHNlbWFudGljIGJleW9uZCAmcXVvdDt0aGlzIGNlcnQgaXM8L3R0Pjxicj4NCjx0dD4m Z3Q7IHJldm9rZWQmcXVvdDspLCBNVVNUIGJlIGFkZGl0aW9uYWxseSBpbmNsdWRlZCBhcyBhIGNy aXRpY2FsIGNybEV4dGVuc2lvbiw8L3R0Pjxicj4NCjx0dD4mZ3Q7IHdpdGggdGhlIGVmZmVjdCB0 aGF0IHRoZSBlbnRpcmUgQ1JMIHdpbGwgaGF2ZSB0byBiZSBpZ25vcmVkIGJ5PC90dD48YnI+DQo8 dHQ+Jmd0OyBib3RoIFguNTA5IGFuZCByZmM1MjgwIGltcGxlbWVudGF0aW9ucyB0aGF0IGRvIG5v dCByZWNvZ25pemU8L3R0Pjxicj4NCjx0dD4mZ3Q7IHRoZSBjcmxFeHRlbnNpb24uICZuYnNwO1Nv IGFsbCBjb21wbGlhbnQgQ1JMcyB3aXRoIGEgJnF1b3Q7ZmFuY3kmcXVvdDs8L3R0Pjxicj4NCjx0 dD4mZ3Q7IHVucmVjb2duaXplZCBjcml0aWNhbCBjcmxFbnRyeUV4dGVuc2lvbiwgdGhlIGFjY29t cGFueWluZzwvdHQ+PGJyPg0KPHR0PiZndDsgdW5yZWNvZ25pemVkIGNyaXRpY2FsIGNybEV4dGVu c2lvbiB3aWxsIGNhdXNlIFguNTA5IGFuZCByZmM1MjgwPC90dD48YnI+DQo8dHQ+Jmd0OyB0byBh Z3JlZSBvbiAoMykgdG8gcmV0dXJuICZxdW90O1VOREVURVJNSU5FRCZxdW90OyBhbmQgcmVxdWly ZSBvdGhlcjwvdHQ+PGJyPg0KPHR0PiZndDsgQ1JMcyB0byBiZSBjaGVja2VkLiA8L3R0Pjxicj4N Cjx0dD4mZ3Q7IDwvdHQ+PGJyPg0KPHR0PiZndDsgPC90dD48YnI+DQo8dHQ+Jmd0OyAtTWFydGlu PC90dD48YnI+DQo8dHQ+Jmd0OyBfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fXzwvdHQ+PGJyPg0KPHR0PiZndDsgcGtpeCBtYWlsaW5nIGxpc3Q8L3R0Pjxicj4N Cjx0dD4mZ3Q7IDxhIGhyZWY9Im1haWx0bzpwa2l4QGlldGYub3JnIj5wa2l4QGlldGYub3JnPC9h PjwvdHQ+PGJyPg0KPHR0PiZndDsgPC90dD48L3NwYW4+PGEgaHJlZj0iaHR0cHM6Ly93d3cuaWV0 Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9wa2l4Ij48dHQ+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox MC4wcHQiPmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vcGtpeDwvc3Bhbj48 L3R0PjwvYT48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2JvZHk+DQo8L2h0bWw+ DQo= --_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC1E34CH1PRD0610MB393_-- From SChokhani@cygnacom.com Mon Sep 17 07:59:16 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 536C521F853A for ; Mon, 17 Sep 2012 07:59:16 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hNcjGGOZNMGG for ; Mon, 17 Sep 2012 07:59:14 -0700 (PDT) Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) by ietfa.amsl.com (Postfix) with ESMTP id 3E5B321F8533 for ; Mon, 17 Sep 2012 07:59:14 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.80,435,1344225600"; d="scan'208,217";a="1961578" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge2.cygnacom.com with ESMTP; 17 Sep 2012 10:59:11 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Mon, 17 Sep 2012 10:59:11 -0400 From: Santosh Chokhani To: Piyush Jain , "denis.pinkas@bull.net" , "mrex@sap.com" Date: Mon, 17 Sep 2012 10:59:10 -0400 Thread-Topic: [pkix] 5280bis, v-09 Thread-Index: AQHNj4Or+HT2+Q6yxkWqbc8OyTbOnJeHbVEAgAbEwwCAAG5aAIAACaaAgAAA1XA= Message-ID: References: <504E13CB.8080001@bbn.com> <20120913002444.80A791A216@ld9781.wdf.sap.corp> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AF362EC9B6scygexch7cygnac_" MIME-Version: 1.0 Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 14:59:16 -0000 --_000_B83745DA469B7847811819C5005244AF362EC9B6scygexch7cygnac_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 SSBhZ3JlZQ0KDQpGcm9tOiBQaXl1c2ggSmFpbiBbbWFpbHRvOnBpeXVzaEBpZGVudGljYXRlLmNv bV0NClNlbnQ6IE1vbmRheSwgU2VwdGVtYmVyIDE3LCAyMDEyIDEwOjU4IEFNDQpUbzogU2FudG9z aCBDaG9raGFuaTsgZGVuaXMucGlua2FzQGJ1bGwubmV0OyBtcmV4QHNhcC5jb20NCkNjOiBwa2l4 DQpTdWJqZWN0OiBSRTogW3BraXhdIDUyODBiaXMsIHYtMDkNCg0KVGhhbmtzIFNhbnRvc2gsIHlv dXIgcHJvcG9zZWQgYWRkaXRpb24gd2lsbCBhbGlnbiA1MjgwIHdpdGggWC41MDkuDQpXZSBzaG91 bGQgYWxzbyByZW1vdmUgdGhpcyB0ZXh0IGZyb20gZHJhZnQtMDkuDQoNCuKAnElmIGEgQ1JMIGNv bnRhaW5zIGEgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiB0aGF0IHRoZSBhcHBsaWNhdGlv biBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVCAgTk9UIHVzZSB0aGF0 IENSTCB0byBkZXRlcm1pbmUgdGhlIHN0YXR1cyBvZiB0aGUgY2VydGlmaWNhdGUgcmVwcmVzZW50 ZWQgYnkgdGhlIENSTCBlbnRyeS7igJ0NCg0KQXMgdGhpcyBvYnZpb3VzbHkgY29udHJhZGljdHMg d2l0aCB5b3VyIHByb3Bvc2VkIHRleHQuDQoNCkZyb206IFNhbnRvc2ggQ2hva2hhbmkgW21haWx0 bzpTQ2hva2hhbmlAY3lnbmFjb20uY29tXTxtYWlsdG86W21haWx0bzpTQ2hva2hhbmlAY3lnbmFj b20uY29tXT4NClNlbnQ6IE1vbmRheSwgU2VwdGVtYmVyIDE3LCAyMDEyIDc6MjIgQU0NClRvOiBk ZW5pcy5waW5rYXNAYnVsbC5uZXQ8bWFpbHRvOmRlbmlzLnBpbmthc0BidWxsLm5ldD47IG1yZXhA c2FwLmNvbTxtYWlsdG86bXJleEBzYXAuY29tPjsgUGl5dXNoIEphaW4NCkNjOiBwa2l4DQpTdWJq ZWN0OiBSRTogW3BraXhdIDUyODBiaXMsIHYtMDkNCg0KVGhpcyBhbHNvIHJlbGF0ZXMgdG8gZWFy bGllciBwb3N0IEkgbWFkZSBpbiByZXNwb25zZSB0byBQaXl1c2guDQoNCkkgYXNzdW1lIHdlIGFy ZSBhZGRpbmcgdGhlIGZvbGxvd2luZyB0byB0aGUgUkZDIOKAnEEgY3JpdGljYWwgZXh0ZW5zaW9u IGluIHRoZSBjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkgc2hhbGwgYWZmZWN0 IG9ubHkgdGhlIGNlcnRpZmljYXRlIHNwZWNpZmllZCBpbiB0aGF0IGVudHJ5LCB1bmxlc3MgdGhl cmUgaXMgYSByZWxhdGVkIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRXh0ZW5zaW9ucyBm aWVsZCB0aGF0IGFkdmVydGlzZXMgYSBzcGVjaWFsIHRyZWF0bWVudCBmb3IgaXQu4oCdICBJbiBv cmRlciB0byB1c2Ugc3VjaCBDUkwsIHRoZSByZWx5aW5nIHBhcnR5IG11c3QgYmUgYWJsZSB0byBw cm9jZXNzIGJvdGggdGhlIGNybEVudHJ5RXh0ZW5zaW9uIGFuZCB0aGUgcmVsYXRlZCBjcmxFeHRl bnNpb24u4oCdDQoNCkluIHRoYXQgY2FzZSwgSSBkbyBub3QgbWluZCBhZGRpbmcgdGhlIGZvbGxv d2luZyB0byA1MjgwIChhIHNsaWdodCBtb2RpZmljYXRpb24gdG8gd2hhdCBEZW5pcyBoYXM6DQoN CklmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGlu IHRoZSBjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkgdGhhdCBhZmZlY3RzIG9u bHkgdGhlIGNlcnRpZmljYXRlIHNwZWNpZmllZCBpbiB0aGF0IGVudHJ5LCBhcyBpbmRpY2F0ZWQg YnkgdGhlIGFic2VuY2Ugb2YgYSByZWxhdGVkIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3Js RXh0ZW5zaW9ucyBmaWVsZCwgdGhlbiB0aGUgY2VydGlmaWNhdGUgaWRlbnRpZmllZCBieSB0aGUg Q1JMIGVudHJ5IHNoYWxsIGJlIGNvbnNpZGVyZWQgcmV2b2tlZC4NCg0KRnJvbTogcGtpeC1ib3Vu Y2VzQGlldGYub3JnPG1haWx0bzpwa2l4LWJvdW5jZXNAaWV0Zi5vcmc+IFttYWlsdG86cGtpeC1i b3VuY2VzQGlldGYub3JnXTxtYWlsdG86W21haWx0bzpwa2l4LWJvdW5jZXNAaWV0Zi5vcmddPiBP biBCZWhhbGYgT2YgZGVuaXMucGlua2FzQGJ1bGwubmV0PG1haWx0bzpkZW5pcy5waW5rYXNAYnVs bC5uZXQ+DQpTZW50OiBNb25kYXksIFNlcHRlbWJlciAxNywgMjAxMiAzOjQ3IEFNDQpUbzogbXJl eEBzYXAuY29tPG1haWx0bzptcmV4QHNhcC5jb20+OyBQaXl1c2ggSmFpbg0KQ2M6IHBraXgNClN1 YmplY3Q6IFJlOiBbcGtpeF0gNTI4MGJpcywgdi0wOQ0KDQpHb29kIGNhdGNoIE1hcnRpbiwNCg0K WW91IGNhbWUgYmFjayBmcm9tIHZhY2F0aW9uIGp1c3QgaW4gdGltZS4gOi0pDQoNCkkgcHJvcG9z ZSB0aGUgZm9sbG93aW5nOg0KDQpSZXBsYWNlOg0KDQp8ICAgICBJZiBhIENSTCBjb250YWlucyBh IGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24NCnwgICAgIHRoYXQgdGhlIGFwcGxpY2F0aW9u IGNhbm5vdCBwcm9jZXNzLCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBNVVNUDQp8ICAgICBOT1QgdXNl IHRoYXQgQ1JMIHRvIGRldGVybWluZSB0aGUgc3RhdHVzIG9mIGFueSBjZXJ0aWZpY2F0ZXMuDQoN CndpdGgNCg0KfCAgICAgSWYgYSBDUkwgY29udGFpbnMgaW4gYSBDUkwgZW50cnkgYSBjcml0aWNh bCBDUkwgZW50cnkgZXh0ZW5zaW9uDQp8ICAgICB0aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3Qg cHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVA0KfCAgICAgY29uc2lkZXIgdGhhdCB0 aGUgY2VydGlmaWNhdGUgaWRlbnRpZmllZCBpbiB0aGF0IENSTCBlbnRyeSBpcw0KfCAgICAgcmV2 b2tlZC4NCg0KSW4gb3JkZXIgdG8gYW5zd2VyIHRvIFBpeXVzaCwgSSBiZWxpZXZlIHRoYXQg4oCc dW5rbm93buKAnSBzaG91bGQgYmUgdXNlZCByYXRoZXIgdGhhbiDigJxyZXZva2Vk4oCdLg0KDQpU aGUgZm9sbG93aW5nIGV4YW1wbGUgaXMgYW4gaWxsdXN0cmF0aW9uOg0KDQpUaGUgc3RhdHVzIG9m IGEgZ2l2ZW4gY2VydGlmaWNhdGUgaXMgaW5kaWNhdGVkIGFzIOKAnGdvb2TigJ0sIGJ1dCB0aGVy ZSBpcyBhIENSTCBlbnRyeSB3aXRoIGEgY3JpdGljYWwNCkNSTCBlbnRyeSBleHRlbnNpb24uIFRo aXMgZW50cnkgbWVhbnMgKGZvciB0aGUgYXBwbGljYXRpb25zIHdoaWNoIHVuZGVyc3RhbmQgaXQp IDoNCg0KIlRoZSBzdGF0dXMgd2hpY2ggaXMgdXN1YWxseSBvYnRhaW5lZCB1c2luZyBhIGRhdGFi YXNlIG9mIGlzc3VlZCBjZXJ0aWZpY2F0ZXMgaGFzIGJlZW4gb2J0YWluZWQgZnJvbSBDUkxzLg0K SWYgeW91IHJlYWxseSBuZWVkIHRvIHRha2UgYSBkZWNpc2lvbiBub3csIGl0IGlzIGF0IHlvdXIg b3duIHJpc2suIElmIHlvdSBjYW4gd2FpdCwgeW91IGhhZCBiZXR0ZXIgdG8gdHJ5IGFnYWluIGxh dGVyIG9uIi4NCg0KWW91ciBuZXh0IHF1ZXN0aW9uIHdpbGwgY2VydGFpbmx5IGJlOiBzbyB3aHkg ZG9u4oCZdCB5b3UgdXNlIHRoZSBwcm9wb3NlZCBjZXJ0SW5mbyBleHRlbnNpb24gPw0KDQpGb3Ig YXBwbGljYXRpb25zIHdoaWNoIGRvIG5vdCB1bmRlcnN0YW5kIHRoaXMgY3JpdGljYWwgQ1JMIGVu dHJ5IGV4dGVuc2lvbiwgdGhlcmUgaXMgbm8gZGlmZmVyZW5jZS4NClRoZXkgZ2V0IGFuICJ1bmtu b3duIiBzdGF0dXMgaW4gYm90aCBjYXNlcy4NCg0KRm9yIGFwcGxpY2F0aW9ucyB3aGljaCB1bmRl cnN0YW5kIHRoaXMgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiBpdCBwcm92aWRlcyBsZXNz IGJlbmVmaXRzDQp0aGFuIHRoZSBwcm9wb3NlZCBjZXJ0SW5mbyBleHRlbnNpb24sIGJ1dCBpdCBt aWdodCBiZSBxdWlja2VyIHRvIGltcGxlbWVudCBhbmQgaXQgZW5mb3JjZXMgYSBwb2xpY3kuDQoN CkRlbmlzDQoNCg0KPiBJIG9iamVjdCB0byB0aGUgcHJvcG9zZWQgbmV3IHRleHQgYWJvdXQgQ1JM RW50cnlFeHRlbnNpb25zDQo+IGluIHRoZSBjbGFyaWZpY2F0aW9uIGRvY3VtZW50LCBiZWNhdXNl IGFzIGlzLCB3b3VsZCBzaWduaWZpY2FudGx5DQo+IHdvcnNlbiB0aGUgZGlmZmVyZW5jZSBiZXR3 ZWVuIFBLSVggYW5kIFguNTA5IGFuZCBtYWtlIHRoaW5ncw0KPiBjbGVhcmx5IGluY29tcGF0aWJs ZSByYXRoZXIgdGhhbiBzbGlnaHRseSBsZXNzIGVmZmljaWVudC4NCj4NCj4gSWYgYW55dGhpbmcs IHRoZSBnYXAgc2hvdWxkIGJlIHJlZHVjZWQsIGNvbXBhdGliaWxpdHkgYmV0d2Vlbg0KPiBQS0lY IGFuZCBYLjUwOSBpbXByb3ZlZCBhbmQgdGhlIG9yaWdpbmFsIGFyY2hpdGVjdHVyZSBub3Qgdmlv bGF0ZWQuDQo+DQo+IFBsZWFzZSByZWNhbGwgdGhlIG9yaWdpbmFsIE5PVEUgNCAmIDUgdGhhdCBJ IHF1b3RlZCBmcm9tDQo+IElUVS1UIFJlYy4gWC41MDkgKDA4LzIwMDUpLCBTZWN0aW9uIDcuMywg dG9wIG9mIHBhZ2UgMTg6DQo+IChnZXQgdGhlbSBoZXJlIGh0dHA6Ly93d3cuaXR1LmludC9yZWMv VC1SRUMtWC41MDkpOg0KPg0KPiBhPiAgTk9URSA0IC0tIFdoZW4gYW4gaW1wbGVtZW50YXRpb24g cHJvY2Vzc2luZyBhIGNlcnRpZmljYXRlIHJldm9jYXRpb24NCj4gYT4gIGxpc3QgZG9lcyBub3Qg cmVjb2duaXplIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxFbnRyeUV4dGVuc2lvbnMN Cj4gYT4gIGZpZWxkLCBpdCBzaGFsbCBhc3N1bWUgdGhhdCwgYXQgYSBtaW5pbXVtLCB0aGUgaWRl bnRpZmllZCBjZXJ0aWZpY2F0ZQ0KPiBhPiAgaGFzIGJlZW4gcmV2b2tlZCBhbmQgaXMgbm8gbG9u Z2VyIHZhbGlkIGFuZCBwZXJmb3JtIGFkZGl0aW9uYWwgYWN0aW9ucw0KPiBhPiAgY29uY2Vybmlu ZyB0aGF0IHJldm9rZWQgY2VydGlmaWNhdGUgYXMgZGljdGF0ZWQgYnkgbG9jYWwgcG9saWN5Lg0K Pg0KPiBiPiAgV2hlbiBhbiBpbXBsZW1lbnRhdGlvbiBkb2VzIG5vdCByZWNvZ25pemUgYSBjcml0 aWNhbCBleHRlbnNpb24gaW4gdGhlDQo+IGI+ICBjcmxFeHRlbnNpb25zIGZpZWxkLCBpdCBzaGFs bCBhc3N1bWUgdGhhdCBpZGVudGlmaWVkIGNlcnRpZmljYXRlcw0KPiBiPiAgaGF2ZSBiZWVuIHJl dm9rZWQgYW5kIGFyZSBubyBsb25nZXIgdmFsaWQuDQo+DQo+IGM+ICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgSG93ZXZlciBpbiB0aGUgbGF0dGVyIGNhc2UsDQo+ IGM+ICBzaW5jZSB0aGUgbGlzdCBtYXkgbm90IGJlIGNvbXBsZXRlLCBjZXJ0aWZpY2F0ZXMgdGhh dCBoYXZlIG5vdCBiZWVuDQo+IGM+ICBpZGVudGlmaWVkIGFzIGJlaW5nIHJldm9rZWQgY2Fubm90 IGJlIGFzc3VtZWQgdG8gYmUgdmFsaWQuIEluIHRoaXMgY2FzZQ0KPiBjPiAgbG9jYWwgcG9saWN5 IHNoYWxsIGRpY3RhdGUgdGhlIGFjdGlvbiB0byBiZSB0YWtlbi4gSW4gYW55IGNhc2UgbG9jYWwN Cj4gYz4gIHBvbGljeSBtYXkgZGljdGF0ZSBhY3Rpb25zIGluIGFkZGl0aW9uIHRvIGFuZC9vciBz dHJvbmdlciB0aGFuIHRob3NlDQo+IGM+ICBzdGF0ZWQgaW4gdGhpcyBTcGVjaWZpY2F0aW9uLg0K Pg0KPiBkPiAgTk9URSA1IC0tIElmIGFuIGV4dGVuc2lvbiBhZmZlY3RzIHRoZSB0cmVhdG1lbnQg b2YgdGhlIGxpc3QNCj4gZD4gIChlLmcuLCBtdWx0aXBsZSBDUkxzIG5lZWQgdG8gYmUgc2Nhbm5l ZCB0byBleGFtaW5lIHRoZSBlbnRpcmUgbGlzdCBvZg0KPiBkPiAgcmV2b2tlZCBjZXJ0aWZpY2F0 ZXMsIG9yIGFuIGVudHJ5IG1heSByZXByZXNlbnQgYSByYW5nZSBvZiBjZXJ0aWZpY2F0ZXMpLA0K PiBkPiAgdGhlbiB0aGF0IGV4dGVuc2lvbiBzaGFsbCBiZSBpbmRpY2F0ZWQgYXMgY3JpdGljYWwg aW4gdGhlIGNybEV4dGVuc2lvbnMNCj4gZD4gIGZpZWxkIHJlZ2FyZGxlc3Mgb2Ygd2hlcmUgdGhl IGV4dGVuc2lvbiBpcyBwbGFjZWQgaW4gdGhlIENSTC4NCj4NCj4gZT4gIEFuIGV4dGVuc2lvbiBp bmRpY2F0ZWQgaW4gdGhlIGNybEVudHJ5RXh0ZW5zaW9ucyBmaWVsZCBvZiBhbiBlbnRyeSBzaGFs bA0KPiBlPiAgYmUgcGxhY2VkIGluIHRoYXQgZW50cnkgYW5kIHNoYWxsIGFmZmVjdCBvbmx5IHRo ZSBjZXJ0aWZpY2F0ZShzKQ0KPiBlPiAgc3BlY2lmaWVkIGluIHRoYXQgZW50cnkuDQo+DQo+DQo+ IChJIGluc2VydGVkIGJsYW5rIGxpbmVzIGFib3ZlIGZvciB2aXN1YWwgY2xhcml0eSBvZiB0aGUg WC41MDkgcmVxdWlyZW1lbnRzKS4NCj4NCj4gdHdvIG9wdGlvbnMsIGFsbCBjb21iaW5hdGlvbnM6 DQo+DQo+ICAoMSkgY2VydCAgICAgb24gQ1JMLCBDUkwgd2l0aCBOTyB1bnJlY29nbml6ZWQgY3Jp dGljYWwgQ1JMRW50cnlFeHRlbnNpb25zDQo+ICAoMikgY2VydCBOT1Qgb24gQ1JMLCBDUkwgd2l0 aCBOTyB1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb25zDQo+ICAoMykgY2Vy dCAgICAgb24gQ1JMLCBDUkwgd2l0aCAgICB1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlF eHRlbnNpb24NCj4gICg0KSBjZXJ0IE5PVCBvbiBDUkwsIENSTCB3aXRoICAgIHVucmVjb2duaXpl ZCBjcml0aWNhbCBDUkxFbnRyeUV4dGVuc2lvbg0KPg0KPg0KPiBJIGhvcGUgd2UgYWdyZWUgdGhh dCBYLjUwOSBhbmQgcmZjNTI4MCBhZ3JlZSBvbiAoMSkgYW5kICgyKSByZXN1bHRzDQo+IGZvciBD UkwgY2hlY2tpbmcuDQo+DQo+IHJmYzUyODAgY3VycmVudGx5IHNheXMgdGhhdCBmb3IgKDMpKyg0 KSB0aGUgZW50aXJlIENSTCBvdWdodCB0byBiZSBpZ25vcmVkDQo+IGFuZCBvdGhlciBDUkxzIG5l ZWQgdG8gYmUgZXZhbHVhdGVkICJVTkRFVEVSTUlORUQiDQo+DQo+IFguNTA5IHNheXMgaW4gKGE+ KSB0aGF0IGZvciAoMykgdGhlIHN0YXR1cyBvZiB0aGUgY2VydCBpcyBkZWZpbml0ZWx5IHJldm9r ZWQNCj4gYW5kIHNheXMgaW4gKGM+KSBmb3IgKDQpIHRoYXQgdGhlIENSTCBvdWdodCB0byBiZSBp Z25vcmVkIGFuZCBvdGhlciBDUkxzIG5lZWQNCj4gdG8gYmUgZXZhbHVhdGVkICJVTkRFVEVSTUlO RUQiDQo+DQo+IFdoaWxlIGJvdGggWC41MDkgYW5kIHJmYzUyODAgYWdyZWUgb24gdGhlIHJlc3Vs dCBmb3IgKDQpICJVTkRFVEVSTUlORUQiLA0KPiB0aGVyZSBpcyB0aGUgc3VwZXJmaWNpYWwgYXBw ZWFyYW5jZSBvZiBhIGRpZmZlcmVuY2UgZm9yIGEgY2FzdWFsDQo+IGltcGxlbWVudGVyIGZvciBj YXNlICgzKSBiZXR3ZWVuIFguNTA5ICJSRVZPS0VEIiBhbmQgcmZjNTI4MCAiVU5ERVRFUk1JTkVE Ig0KPiB0aGF0IG1pZ2h0IGxlYWQgdG8gYSBzbGlnaHRseSBsZXNzIGVmZmljaWVudCBwcm9jZXNz aW5nIENSTHMuDQo+DQo+DQo+IFRoZSBuZXdseSBwcm9wb3NlZCB0ZXh0IChpbiAtMDkpOg0KPg0K PiB8ICAgICBJZiBhIENSTCBjb250YWlucyBhIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24N Cj4gfCAgICAgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MsIHRoZW4gdGhlIGFw cGxpY2F0aW9uIE1VU1QNCj4gfCAgICAgTk9UIHVzZSB0aGF0IENSTCB0byBkZXRlcm1pbmUgdGhl IHN0YXR1cyBvZiB0aGUgY2VydGlmaWNhdGUNCj4gfCAgICAgcmVwcmVzZW50ZWQgYnkgdGhlIENS TCBlbnRyeS4NCj4NCj4gY3JlYXRlcyBhIHNpZ25pZmljYW50bHkgZGlzdGluY3QgYmVoYXZpb3Vy IGZvciBjYXNlICg0KSB3aGVyZSBYLjUwOQ0KPiBhbmQgcmZjNTI4MCBhZ3JlZWQgb24gIlVOREVU RVJNSU5FRCIsIGJ5IHJlZGVmaW5pbmcgdGhlIHJlc3VsdCB0bw0KPiBiZSAiVU5SRVZPS0VEIiwg YW5kIHBvdGVudGlhbGx5IGNyZWF0ZXMgYSBzZWN1cml0eSBwcm9ibGVtLCBhbmQgYQ0KPiBuZXcs IGJhY2t3YXJkcy1pbmNvbXBhdGlibGUgYmVoYXZpb3VyIGZvciBhIHNpdHVhdGlvbiB3aGVyZQ0K PiBYLjUwOSBhbmQgcmZjNTI4MCB1c2VkIHRvIGFncmVlLiBTdGlsbCwgdGhlIG5ldyB0ZXh0IGRv ZXMgbm90IGRvDQo+IGFueXRoaW5nIGFib3V0IGNhc2UgKDMpLCB0aGUgb25seSBjYXNlIHdoZXJl IFguNTA5IGFuZCByZmM1MjgwDQo+IGFwcGVhciB0byBkaWZmZXIgKGluIGEgbW9zdGx5IG1hcmdp bmFsIGZhc2hpb24pLg0KPg0KPg0KPiBBIGNhcmVmdWwgaW1wbGVtZW50b3IsIHRoYXQgYW5hbHl6 ZXMgTk9URSA0IGFuZCBOT1RFIDUgZnJvbSBYLjUwOQ0KPiBxdW90ZWQgYWJvdmUgaW4gaXRzIGVu dGlyZXR5LCBzaG91bGQgcmVhbGl6ZSB0aGF0IHRoZSBzaXR1YXRpb24NCj4gd2hlcmUgWC41MDkg YW5kIHJmYzUyODAgZGlmZmVyIGlzIG1hcmdpbmFsLg0KPg0KPiBUaGlzIGlzIGJlY2F1c2UgKGQ+ KSBpbiBOT1RFIDUgYWJvdmUgcmVxdWlyZXMgKCJzaGFsbCIpIHRoYXQgYQ0KPiBjcml0aWNhbCBj cmxFbnRyeUV4dGVuc2lvbiB3aXRoIGEgc2VtYW50aWMgYmV5b25kICJ0aGlzIGNlcnQgaXMNCj4g cmV2b2tlZCIpLCBNVVNUIGJlIGFkZGl0aW9uYWxseSBpbmNsdWRlZCBhcyBhIGNyaXRpY2FsIGNy bEV4dGVuc2lvbiwNCj4gd2l0aCB0aGUgZWZmZWN0IHRoYXQgdGhlIGVudGlyZSBDUkwgd2lsbCBo YXZlIHRvIGJlIGlnbm9yZWQgYnkNCj4gYm90aCBYLjUwOSBhbmQgcmZjNTI4MCBpbXBsZW1lbnRh dGlvbnMgdGhhdCBkbyBub3QgcmVjb2duaXplDQo+IHRoZSBjcmxFeHRlbnNpb24uICBTbyBhbGwg Y29tcGxpYW50IENSTHMgd2l0aCBhICJmYW5jeSINCj4gdW5yZWNvZ25pemVkIGNyaXRpY2FsIGNy bEVudHJ5RXh0ZW5zaW9uLCB0aGUgYWNjb21wYW55aW5nDQo+IHVucmVjb2duaXplZCBjcml0aWNh bCBjcmxFeHRlbnNpb24gd2lsbCBjYXVzZSBYLjUwOSBhbmQgcmZjNTI4MA0KPiB0byBhZ3JlZSBv biAoMykgdG8gcmV0dXJuICJVTkRFVEVSTUlORUQiIGFuZCByZXF1aXJlIG90aGVyDQo+IENSTHMg dG8gYmUgY2hlY2tlZC4NCj4NCj4NCj4gLU1hcnRpbg0KPiBfX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fXw0KPiBwa2l4IG1haWxpbmcgbGlzdA0KPiBwa2l4QGll dGYub3JnPG1haWx0bzpwa2l4QGlldGYub3JnPg0KPiBodHRwczovL3d3dy5pZXRmLm9yZy9tYWls bWFuL2xpc3RpbmZvL3BraXgNCg== --_000_B83745DA469B7847811819C5005244AF362EC9B6scygexch7cygnac_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+PGhlYWQ+PG1ldGEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVu dD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij48bWV0YSBuYW1lPUdlbmVyYXRvciBjb250ZW50 PSJNaWNyb3NvZnQgV29yZCAxNCAoZmlsdGVyZWQgbWVkaXVtKSI+PHN0eWxlPjwhLS0NCi8qIEZv bnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglw YW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5 OlRhaG9tYTsNCglwYW5vc2UtMToyIDExIDYgNCAzIDUgNCA0IDIgNDt9DQovKiBTdHlsZSBEZWZp bml0aW9ucyAqLw0KcC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1hbCwgZGl2Lk1zb05vcm1hbA0KCXtt YXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6MTIuMHB0Ow0K CWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4iLCJzZXJpZiI7fQ0KYTpsaW5rLCBzcGFuLk1z b0h5cGVybGluaw0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6Ymx1ZTsNCgl0ZXh0 LWRlY29yYXRpb246dW5kZXJsaW5lO30NCmE6dmlzaXRlZCwgc3Bhbi5Nc29IeXBlcmxpbmtGb2xs b3dlZA0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6cHVycGxlOw0KCXRleHQtZGVj b3JhdGlvbjp1bmRlcmxpbmU7fQ0KdHQNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWZvbnQt ZmFtaWx5OiJDb3VyaWVyIE5ldyI7fQ0KcC5Nc29BY2V0YXRlLCBsaS5Nc29BY2V0YXRlLCBkaXYu TXNvQWNldGF0ZQ0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxlLWxpbms6IkJh bGxvb24gVGV4dCBDaGFyIjsNCgltYXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsN Cglmb250LXNpemU6OC4wcHQ7DQoJZm9udC1mYW1pbHk6IlRhaG9tYSIsInNhbnMtc2VyaWYiO30N CnNwYW4uQmFsbG9vblRleHRDaGFyDQoJe21zby1zdHlsZS1uYW1lOiJCYWxsb29uIFRleHQgQ2hh ciI7DQoJbXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiJCYWxsb29uIFRl eHQiOw0KCWZvbnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIjt9DQpzcGFuLkVtYWlsU3R5 bGUyMA0KCXttc28tc3R5bGUtdHlwZTpwZXJzb25hbDsNCglmb250LWZhbWlseToiQXJpYWwiLCJz YW5zLXNlcmlmIjsNCgljb2xvcjojMUY0OTdEOw0KCWZvbnQtd2VpZ2h0Om5vcm1hbDsNCglmb250 LXN0eWxlOm5vcm1hbDsNCgl0ZXh0LWRlY29yYXRpb246bm9uZSBub25lO30NCnNwYW4uRW1haWxT dHlsZTIxDQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsOw0KCWZvbnQtZmFtaWx5OiJDYWxpYnJp Iiwic2Fucy1zZXJpZiI7DQoJY29sb3I6IzFGNDk3RDt9DQpzcGFuLkVtYWlsU3R5bGUyMg0KCXtt c28tc3R5bGUtdHlwZTpwZXJzb25hbC1yZXBseTsNCglmb250LWZhbWlseToiQXJpYWwiLCJzYW5z LXNlcmlmIjsNCgljb2xvcjojMUY0OTdEOw0KCWZvbnQtd2VpZ2h0Om5vcm1hbDsNCglmb250LXN0 eWxlOm5vcm1hbDsNCgl0ZXh0LWRlY29yYXRpb246bm9uZSBub25lO30NCi5Nc29DaHBEZWZhdWx0 DQoJe21zby1zdHlsZS10eXBlOmV4cG9ydC1vbmx5Ow0KCWZvbnQtc2l6ZToxMC4wcHQ7fQ0KQHBh Z2UgV29yZFNlY3Rpb24xDQoJe3NpemU6OC41aW4gMTEuMGluOw0KCW1hcmdpbjoxLjBpbiAxLjBp biAxLjBpbiAxLjBpbjt9DQpkaXYuV29yZFNlY3Rpb24xDQoJe3BhZ2U6V29yZFNlY3Rpb24xO30N Ci0tPjwvc3R5bGU+PCEtLVtpZiBndGUgbXNvIDldPjx4bWw+DQo8bzpzaGFwZWRlZmF1bHRzIHY6 ZXh0PSJlZGl0IiBzcGlkbWF4PSIxMDI2IiAvPg0KPC94bWw+PCFbZW5kaWZdLS0+PCEtLVtpZiBn dGUgbXNvIDldPjx4bWw+DQo8bzpzaGFwZWxheW91dCB2OmV4dD0iZWRpdCI+DQo8bzppZG1hcCB2 OmV4dD0iZWRpdCIgZGF0YT0iMSIgLz4NCjwvbzpzaGFwZWxheW91dD48L3htbD48IVtlbmRpZl0t LT48L2hlYWQ+PGJvZHkgbGFuZz1FTi1VUyBsaW5rPWJsdWUgdmxpbms9cHVycGxlPjxkaXYgY2xh c3M9V29yZFNlY3Rpb24xPjxwIGNsYXNzPU1zb05vcm1hbD48c3BhbiBzdHlsZT0nZm9udC1zaXpl OjkuMHB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiO2NvbG9yOiMxRjQ5N0QnPkkg YWdyZWU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxzcGFuIHN0eWxl PSdmb250LXNpemU6OS4wcHQ7Zm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiI7Y29sb3I6 IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxkaXY+PGRpdiBzdHlsZT0nYm9y ZGVyOm5vbmU7Ym9yZGVyLXRvcDpzb2xpZCAjQjVDNERGIDEuMHB0O3BhZGRpbmc6My4wcHQgMGlu IDBpbiAwaW4nPjxwIGNsYXNzPU1zb05vcm1hbD48Yj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjEw LjBwdDtmb250LWZhbWlseToiVGFob21hIiwic2Fucy1zZXJpZiInPkZyb206PC9zcGFuPjwvYj48 c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToiVGFob21hIiwic2Fucy1z ZXJpZiInPiBQaXl1c2ggSmFpbiBbbWFpbHRvOnBpeXVzaEBpZGVudGljYXRlLmNvbV0gPGJyPjxi PlNlbnQ6PC9iPiBNb25kYXksIFNlcHRlbWJlciAxNywgMjAxMiAxMDo1OCBBTTxicj48Yj5Ubzo8 L2I+IFNhbnRvc2ggQ2hva2hhbmk7IGRlbmlzLnBpbmthc0BidWxsLm5ldDsgbXJleEBzYXAuY29t PGJyPjxiPkNjOjwvYj4gcGtpeDxicj48Yj5TdWJqZWN0OjwvYj4gUkU6IFtwa2l4XSA1MjgwYmlz LCB2LTA5PG86cD48L286cD48L3NwYW4+PC9wPjwvZGl2PjwvZGl2PjxwIGNsYXNzPU1zb05vcm1h bD48bzpwPiZuYnNwOzwvbzpwPjwvcD48cCBjbGFzcz1Nc29Ob3JtYWw+PHNwYW4gc3R5bGU9J2Zv bnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjtjb2xvcjoj MUY0OTdEJz5UaGFua3MgU2FudG9zaCwgeW91ciBwcm9wb3NlZCBhZGRpdGlvbiB3aWxsIGFsaWdu IDUyODAgd2l0aCBYLjUwOS4gPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1h bD48c3BhbiBzdHlsZT0nZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseToiQ2FsaWJyaSIsInNh bnMtc2VyaWYiO2NvbG9yOiMxRjQ5N0QnPldlIHNob3VsZCBhbHNvIHJlbW92ZSB0aGlzIHRleHQg ZnJvbSBkcmFmdC0wOS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxz cGFuIHN0eWxlPSdmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1z ZXJpZiI7Y29sb3I6IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNz PU1zb05vcm1hbD48c3BhbiBzdHlsZT0nZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseToiQ2Fs aWJyaSIsInNhbnMtc2VyaWYiO2NvbG9yOiMxRjQ5N0QnPuKAnElmIGEgQ1JMIGNvbnRhaW5zIGEg Y3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiB0aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3Qg cHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVCZuYnNwOyBOT1QgdXNlIHRoYXQgQ1JM IHRvIGRldGVybWluZSB0aGUgc3RhdHVzIG9mIHRoZSBjZXJ0aWZpY2F0ZSByZXByZXNlbnRlZCBi eSB0aGUgQ1JMIGVudHJ5LuKAnTxvOnA+PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29Ob3Jt YWw+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6IkNhbGlicmkiLCJz YW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+PHAg Y2xhc3M9TXNvTm9ybWFsPjxzcGFuIHN0eWxlPSdmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5 OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7Y29sb3I6IzFGNDk3RCc+QXMgdGhpcyBvYnZpb3VzbHkg Y29udHJhZGljdHMgd2l0aCB5b3VyIHByb3Bvc2VkIHRleHQuPG86cD48L286cD48L3NwYW4+PC9w PjxwIGNsYXNzPU1zb05vcm1hbD48c3BhbiBzdHlsZT0nZm9udC1zaXplOjExLjBwdDtmb250LWZh bWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiO2NvbG9yOiMxRjQ5N0QnPjxvOnA+Jm5ic3A7PC9v OnA+PC9zcGFuPjwvcD48ZGl2IHN0eWxlPSdib3JkZXI6bm9uZTtib3JkZXItbGVmdDpzb2xpZCBi bHVlIDEuNXB0O3BhZGRpbmc6MGluIDBpbiAwaW4gNC4wcHQnPjxkaXY+PGRpdiBzdHlsZT0nYm9y ZGVyOm5vbmU7Ym9yZGVyLXRvcDpzb2xpZCAjQjVDNERGIDEuMHB0O3BhZGRpbmc6My4wcHQgMGlu IDBpbiAwaW4nPjxwIGNsYXNzPU1zb05vcm1hbD48Yj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjEw LjBwdDtmb250LWZhbWlseToiVGFob21hIiwic2Fucy1zZXJpZiInPkZyb206PC9zcGFuPjwvYj48 c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToiVGFob21hIiwic2Fucy1z ZXJpZiInPiBTYW50b3NoIENob2toYW5pIDxhIGhyZWY9Im1haWx0bzpbbWFpbHRvOlNDaG9raGFu aUBjeWduYWNvbS5jb21dIj5bbWFpbHRvOlNDaG9raGFuaUBjeWduYWNvbS5jb21dPC9hPiA8YnI+ PGI+U2VudDo8L2I+IE1vbmRheSwgU2VwdGVtYmVyIDE3LCAyMDEyIDc6MjIgQU08YnI+PGI+VG86 PC9iPiA8YSBocmVmPSJtYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0Ij5kZW5pcy5waW5rYXNA YnVsbC5uZXQ8L2E+OyA8YSBocmVmPSJtYWlsdG86bXJleEBzYXAuY29tIj5tcmV4QHNhcC5jb208 L2E+OyBQaXl1c2ggSmFpbjxicj48Yj5DYzo8L2I+IHBraXg8YnI+PGI+U3ViamVjdDo8L2I+IFJF OiBbcGtpeF0gNTI4MGJpcywgdi0wOTxvOnA+PC9vOnA+PC9zcGFuPjwvcD48L2Rpdj48L2Rpdj48 cCBjbGFzcz1Nc29Ob3JtYWw+PG86cD4mbmJzcDs8L286cD48L3A+PHAgY2xhc3M9TXNvTm9ybWFs PjxzcGFuIHN0eWxlPSdmb250LXNpemU6OS4wcHQ7Zm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1z ZXJpZiI7Y29sb3I6IzFGNDk3RCc+VGhpcyBhbHNvIHJlbGF0ZXMgdG8gZWFybGllciBwb3N0IEkg bWFkZSBpbiByZXNwb25zZSB0byBQaXl1c2guPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNz PU1zb05vcm1hbD48c3BhbiBzdHlsZT0nZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiJBcmlh bCIsInNhbnMtc2VyaWYiO2NvbG9yOiMxRjQ5N0QnPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwv cD48cCBjbGFzcz1Nc29Ob3JtYWw+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZTo5LjBwdDtmb250LWZh bWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz5JIGFzc3VtZSB3ZSBhcmUg YWRkaW5nIHRoZSBmb2xsb3dpbmcgdG8gdGhlIFJGQyDigJw8L3NwYW4+PHNwYW4gc3R5bGU9J2Zv bnQtc2l6ZTo5LjBwdDtmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIjtjb2xvcjojMTA0 MTYwJz5BIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgPGI+Y3JsRW50cnlFeHRlbnNpb25zPC9i PiBmaWVsZCBvZiBhbiBlbnRyeSBzaGFsbCBhZmZlY3Qgb25seSB0aGUgY2VydGlmaWNhdGUgc3Bl Y2lmaWVkIGluIHRoYXQgZW50cnksIHVubGVzcyB0aGVyZSBpcyBhIHJlbGF0ZWQgY3JpdGljYWwg ZXh0ZW5zaW9uIGluIHRoZSA8Yj5jcmxFeHRlbnNpb25zPC9iPiBmaWVsZCB0aGF0IGFkdmVydGlz ZXMgYSBzcGVjaWFsIHRyZWF0bWVudCBmb3IgaXQu4oCdJm5ic3A7IEluIG9yZGVyIHRvIHVzZSBz dWNoIENSTCwgdGhlIHJlbHlpbmcgcGFydHkgbXVzdCBiZSBhYmxlIHRvIHByb2Nlc3MgYm90aCB0 aGUgPGI+Y3JsRW50cnlFeHRlbnNpb24gPC9iPmFuZCB0aGUgcmVsYXRlZCA8Yj5jcmxFeHRlbnNp b24u4oCdPG86cD48L286cD48L2I+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29Ob3JtYWw+PGI+PHNw YW4gc3R5bGU9J2ZvbnQtc2l6ZTo5LjBwdDtmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlm Ijtjb2xvcjojMTA0MTYwJz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L2I+PC9wPjxwIGNsYXNz PU1zb05vcm1hbD48c3BhbiBzdHlsZT0nZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiJBcmlh bCIsInNhbnMtc2VyaWYiO2NvbG9yOiMxMDQxNjAnPkluIHRoYXQgY2FzZSwgSSBkbyBub3QgbWlu ZCBhZGRpbmcgdGhlIGZvbGxvd2luZyB0byA1MjgwIChhIHNsaWdodCBtb2RpZmljYXRpb24gdG8g d2hhdCBEZW5pcyBoYXM6PG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48 c3BhbiBzdHlsZT0nZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2Vy aWYiO2NvbG9yOiMxMDQxNjAnPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1N c29Ob3JtYWw+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZTo5LjBwdDtmb250LWZhbWlseToiQXJpYWwi LCJzYW5zLXNlcmlmIjtjb2xvcjojMTA0MTYwJz5JZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJv Y2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgPGI+Y3JsRW50cnlFeHRlbnNpb25zPC9i PiBmaWVsZCBvZiBhbiBlbnRyeSB0aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNhdGUgc3Bl Y2lmaWVkIGluIHRoYXQgZW50cnksIGFzIGluZGljYXRlZCBieSB0aGUgYWJzZW5jZSBvZiBhIHJl bGF0ZWQgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSA8Yj5jcmxFeHRlbnNpb25zPC9iPiBmaWVs ZCwgdGhlbiB0aGUgY2VydGlmaWNhdGUgaWRlbnRpZmllZCBieSB0aGUgQ1JMIGVudHJ5IHNoYWxs IGJlIGNvbnNpZGVyZWQgcmV2b2tlZC48L3NwYW4+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZTo5LjBw dDtmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz48bzpwPjwv bzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxzcGFuIHN0eWxlPSdmb250LXNpemU6 OS4wcHQ7Zm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiI7Y29sb3I6IzFGNDk3RCc+PG86 cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48Yj48c3BhbiBzdHls ZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToiVGFob21hIiwic2Fucy1zZXJpZiInPkZy b206PC9zcGFuPjwvYj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToi VGFob21hIiwic2Fucy1zZXJpZiInPiA8YSBocmVmPSJtYWlsdG86cGtpeC1ib3VuY2VzQGlldGYu b3JnIj5wa2l4LWJvdW5jZXNAaWV0Zi5vcmc8L2E+IDxhIGhyZWY9Im1haWx0bzpbbWFpbHRvOnBr aXgtYm91bmNlc0BpZXRmLm9yZ10iPlttYWlsdG86cGtpeC1ib3VuY2VzQGlldGYub3JnXTwvYT4g PGI+T24gQmVoYWxmIE9mIDwvYj48YSBocmVmPSJtYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0 Ij5kZW5pcy5waW5rYXNAYnVsbC5uZXQ8L2E+PGJyPjxiPlNlbnQ6PC9iPiBNb25kYXksIFNlcHRl bWJlciAxNywgMjAxMiAzOjQ3IEFNPGJyPjxiPlRvOjwvYj4gPGEgaHJlZj0ibWFpbHRvOm1yZXhA c2FwLmNvbSI+bXJleEBzYXAuY29tPC9hPjsgUGl5dXNoIEphaW48YnI+PGI+Q2M6PC9iPiBwa2l4 PGJyPjxiPlN1YmplY3Q6PC9iPiBSZTogW3BraXhdIDUyODBiaXMsIHYtMDk8bzpwPjwvbzpwPjwv c3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPjxwIGNsYXNz PU1zb05vcm1hbD48c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToiQXJp YWwiLCJzYW5zLXNlcmlmIic+R29vZCBjYXRjaCBNYXJ0aW4sPC9zcGFuPiA8YnI+PGJyPjxzcGFu IHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYi Jz5Zb3UgY2FtZSBiYWNrIGZyb20gdmFjYXRpb24ganVzdCBpbiB0aW1lLiA6LSk8L3NwYW4+IDxi cj48YnI+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IkFyaWFsIiwi c2Fucy1zZXJpZiInPkkgcHJvcG9zZSB0aGUgZm9sbG93aW5nOjwvc3Bhbj4gPGJyPjxicj48c3Bh biBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToiQ291cmllciBOZXciJz5SZXBs YWNlOjwvc3Bhbj4gPGJyPjxicj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZh bWlseToiQ291cmllciBOZXciJz58ICZuYnNwOyAmbmJzcDsgSWYgYSBDUkwgY29udGFpbnMgYSBj cml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uIDwvc3Bhbj48YnI+PHNwYW4gc3R5bGU9J2ZvbnQt c2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Iic+fCAmbmJzcDsgJm5ic3A7IHRo YXQgdGhlIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzLCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBN VVNUIDwvc3Bhbj48YnI+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6 IkNvdXJpZXIgTmV3Iic+fCAmbmJzcDsgJm5ic3A7IE5PVCB1c2UgdGhhdCBDUkwgdG8gZGV0ZXJt aW5lIHRoZSBzdGF0dXMgb2YgYW55IGNlcnRpZmljYXRlcy48L3NwYW4+IDxicj48YnI+PHNwYW4g c3R5bGU9J2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Iic+d2l0aDwv c3Bhbj4gPGJyPjxicj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToi Q291cmllciBOZXciJz58ICZuYnNwOyAmbmJzcDsgSWYgYSBDUkwgY29udGFpbnMgaW4gYSBDUkwg ZW50cnkgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uIDwvc3Bhbj48YnI+PHNwYW4gc3R5 bGU9J2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Iic+fCAmbmJzcDsg Jm5ic3A7IHRoYXQgdGhlIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzLCB0aGVuIHRoZSBhcHBs aWNhdGlvbiBNVVNUIDwvc3Bhbj48YnI+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMC4wcHQ7Zm9u dC1mYW1pbHk6IkNvdXJpZXIgTmV3Iic+fCAmbmJzcDsgJm5ic3A7IGNvbnNpZGVyIHRoYXQgdGhl IGNlcnRpZmljYXRlIGlkZW50aWZpZWQgaW4gdGhhdCBDUkwgZW50cnkgaXMgPC9zcGFuPjxicj48 c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToiQ291cmllciBOZXciJz58 ICZuYnNwOyAmbmJzcDsgcmV2b2tlZC4gJm5ic3A7PC9zcGFuPiA8YnI+PGJyPjxzcGFuIHN0eWxl PSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiJz5JbiBv cmRlciB0byBhbnN3ZXIgdG8gUGl5dXNoLCBJIGJlbGlldmUgdGhhdCDigJx1bmtub3du4oCdIHNo b3VsZCBiZSB1c2VkIHJhdGhlciB0aGFuIOKAnHJldm9rZWTigJ0uPC9zcGFuPiA8YnI+PGJyPjxz cGFuIHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2Vy aWYiJz5UaGUgZm9sbG93aW5nIGV4YW1wbGUgaXMgYW4gaWxsdXN0cmF0aW9uOjwvc3Bhbj4gPGJy Pjxicj48c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToiQXJpYWwiLCJz YW5zLXNlcmlmIic+VGhlIHN0YXR1cyBvZiBhIGdpdmVuIGNlcnRpZmljYXRlIGlzIGluZGljYXRl ZCBhcyDigJxnb29k4oCdLCBidXQgdGhlcmUgaXMgYSBDUkwgZW50cnkgd2l0aCBhIGNyaXRpY2Fs IDxicj5DUkwgZW50cnkgZXh0ZW5zaW9uLiBUaGlzIGVudHJ5IG1lYW5zIChmb3IgdGhlIGFwcGxp Y2F0aW9ucyB3aGljaCB1bmRlcnN0YW5kIGl0KSA6IDwvc3Bhbj48YnI+PGJyPjxzcGFuIHN0eWxl PSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiJz4mcXVv dDtUaGUgc3RhdHVzIHdoaWNoIGlzIHVzdWFsbHkgb2J0YWluZWQgdXNpbmcgYSBkYXRhYmFzZSBv ZiBpc3N1ZWQgY2VydGlmaWNhdGVzIGhhcyBiZWVuIG9idGFpbmVkIGZyb20gQ1JMcy4gPGJyPklm IHlvdSByZWFsbHkgbmVlZCB0byB0YWtlIGEgZGVjaXNpb24gbm93LCBpdCBpcyBhdCB5b3VyIG93 biByaXNrLiBJZiB5b3UgY2FuIHdhaXQsIHlvdSBoYWQgYmV0dGVyIHRvIHRyeSBhZ2FpbiBsYXRl ciBvbiZxdW90Oy48L3NwYW4+IDxicj48YnI+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMC4wcHQ7 Zm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiInPllvdXIgbmV4dCBxdWVzdGlvbiB3aWxs IGNlcnRhaW5seSBiZTogc28gd2h5IGRvbuKAmXQgeW91IHVzZSB0aGUgcHJvcG9zZWQgY2VydElu Zm8gZXh0ZW5zaW9uID88L3NwYW4+IDxicj48YnI+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMC4w cHQ7Zm9udC1mYW1pbHk6IkFyaWFsIiwic2Fucy1zZXJpZiInPkZvciBhcHBsaWNhdGlvbnMgd2hp Y2ggZG8gbm90IHVuZGVyc3RhbmQgdGhpcyBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uLCB0 aGVyZSBpcyBubyBkaWZmZXJlbmNlLjwvc3Bhbj4gPGJyPjxzcGFuIHN0eWxlPSdmb250LXNpemU6 MTAuMHB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiJz5UaGV5IGdldCBhbiAmcXVv dDt1bmtub3duJnF1b3Q7IHN0YXR1cyBpbiBib3RoIGNhc2VzLjwvc3Bhbj4gPGJyPjxicj48c3Bh biBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlm Iic+Rm9yIGFwcGxpY2F0aW9ucyB3aGljaCB1bmRlcnN0YW5kIHRoaXMgY3JpdGljYWwgQ1JMIGVu dHJ5IGV4dGVuc2lvbiBpdCBwcm92aWRlcyBsZXNzIGJlbmVmaXRzIDxicj50aGFuIHRoZSBwcm9w b3NlZCBjZXJ0SW5mbyBleHRlbnNpb24sIGJ1dCBpdCBtaWdodCBiZSBxdWlja2VyIHRvIGltcGxl bWVudCBhbmQgaXQgZW5mb3JjZXMgYSBwb2xpY3kuPC9zcGFuPiA8YnI+PGJyPjxzcGFuIHN0eWxl PSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJBcmlhbCIsInNhbnMtc2VyaWYiJz5EZW5p czwvc3Bhbj4gPGJyPjxzcGFuIHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJD b3VyaWVyIE5ldyInPjxicj48YnI+PHR0PiZndDsgSSBvYmplY3QgdG8gdGhlIHByb3Bvc2VkIG5l dyB0ZXh0IGFib3V0IENSTEVudHJ5RXh0ZW5zaW9uczwvdHQ+PGJyPjx0dD4mZ3Q7IGluIHRoZSBj bGFyaWZpY2F0aW9uIGRvY3VtZW50LCBiZWNhdXNlIGFzIGlzLCB3b3VsZCBzaWduaWZpY2FudGx5 PC90dD48YnI+PHR0PiZndDsgd29yc2VuIHRoZSBkaWZmZXJlbmNlIGJldHdlZW4gUEtJWCBhbmQg WC41MDkgYW5kIG1ha2UgdGhpbmdzPC90dD48YnI+PHR0PiZndDsgY2xlYXJseSBpbmNvbXBhdGli bGUgcmF0aGVyIHRoYW4gc2xpZ2h0bHkgbGVzcyBlZmZpY2llbnQuPC90dD48YnI+PHR0PiZndDsg PC90dD48YnI+PHR0PiZndDsgSWYgYW55dGhpbmcsIHRoZSBnYXAgc2hvdWxkIGJlIHJlZHVjZWQs IGNvbXBhdGliaWxpdHkgYmV0d2VlbjwvdHQ+PGJyPjx0dD4mZ3Q7IFBLSVggYW5kIFguNTA5IGlt cHJvdmVkIGFuZCB0aGUgb3JpZ2luYWwgYXJjaGl0ZWN0dXJlIG5vdCB2aW9sYXRlZC48L3R0Pjxi cj48dHQ+Jmd0OyA8L3R0Pjxicj48dHQ+Jmd0OyBQbGVhc2UgcmVjYWxsIHRoZSBvcmlnaW5hbCBO T1RFIDQgJmFtcDsgNSB0aGF0IEkgcXVvdGVkIGZyb208L3R0Pjxicj48dHQ+Jmd0OyBJVFUtVCBS ZWMuIFguNTA5ICgwOC8yMDA1KSwgU2VjdGlvbiA3LjMsIHRvcCBvZiBwYWdlIDE4OjwvdHQ+PGJy Pjx0dD4mZ3Q7IChnZXQgdGhlbSBoZXJlIDwvdHQ+PC9zcGFuPjxhIGhyZWY9Imh0dHA6Ly93d3cu aXR1LmludC9yZWMvVC1SRUMtWC41MDkiPjx0dD48c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBw dCc+aHR0cDovL3d3dy5pdHUuaW50L3JlYy9ULVJFQy1YLjUwOTwvc3Bhbj48L3R0PjwvYT48dHQ+ PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMC4wcHQnPik6PC9zcGFuPjwvdHQ+PHNwYW4gc3R5bGU9 J2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Iic+PGJyPjx0dD4mZ3Q7 IDwvdHQ+PGJyPjx0dD4mZ3Q7IGEmZ3Q7ICZuYnNwO05PVEUgNCAtLSBXaGVuIGFuIGltcGxlbWVu dGF0aW9uIHByb2Nlc3NpbmcgYSBjZXJ0aWZpY2F0ZSByZXZvY2F0aW9uPC90dD48YnI+PHR0PiZn dDsgYSZndDsgJm5ic3A7bGlzdCBkb2VzIG5vdCByZWNvZ25pemUgYSBjcml0aWNhbCBleHRlbnNp b24gaW4gdGhlIGNybEVudHJ5RXh0ZW5zaW9uczwvdHQ+PGJyPjx0dD4mZ3Q7IGEmZ3Q7ICZuYnNw O2ZpZWxkLCBpdCBzaGFsbCBhc3N1bWUgdGhhdCwgYXQgYSBtaW5pbXVtLCB0aGUgaWRlbnRpZmll ZCBjZXJ0aWZpY2F0ZTwvdHQ+PGJyPjx0dD4mZ3Q7IGEmZ3Q7ICZuYnNwO2hhcyBiZWVuIHJldm9r ZWQgYW5kIGlzIG5vIGxvbmdlciB2YWxpZCBhbmQgcGVyZm9ybSBhZGRpdGlvbmFsIGFjdGlvbnM8 L3R0Pjxicj48dHQ+Jmd0OyBhJmd0OyAmbmJzcDtjb25jZXJuaW5nIHRoYXQgcmV2b2tlZCBjZXJ0 aWZpY2F0ZSBhcyBkaWN0YXRlZCBieSBsb2NhbCBwb2xpY3kuPC90dD48YnI+PHR0PiZndDsgPC90 dD48YnI+PHR0PiZndDsgYiZndDsgJm5ic3A7V2hlbiBhbiBpbXBsZW1lbnRhdGlvbiBkb2VzIG5v dCByZWNvZ25pemUgYSBjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlPC90dD48YnI+PHR0PiZndDsg YiZndDsgJm5ic3A7Y3JsRXh0ZW5zaW9ucyBmaWVsZCwgaXQgc2hhbGwgYXNzdW1lIHRoYXQgaWRl bnRpZmllZCBjZXJ0aWZpY2F0ZXM8L3R0Pjxicj48dHQ+Jmd0OyBiJmd0OyAmbmJzcDtoYXZlIGJl ZW4gcmV2b2tlZCBhbmQgYXJlIG5vIGxvbmdlciB2YWxpZC48L3R0Pjxicj48dHQ+Jmd0OyA8L3R0 Pjxicj48dHQ+Jmd0OyBjJmd0OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJz cDsgSG93ZXZlciBpbiB0aGUgbGF0dGVyIGNhc2UsPC90dD48YnI+PHR0PiZndDsgYyZndDsgJm5i c3A7c2luY2UgdGhlIGxpc3QgbWF5IG5vdCBiZSBjb21wbGV0ZSwgY2VydGlmaWNhdGVzIHRoYXQg aGF2ZSBub3QgYmVlbjwvdHQ+PGJyPjx0dD4mZ3Q7IGMmZ3Q7ICZuYnNwO2lkZW50aWZpZWQgYXMg YmVpbmcgcmV2b2tlZCBjYW5ub3QgYmUgYXNzdW1lZCB0byBiZSB2YWxpZC4gSW4gdGhpcyBjYXNl PC90dD48YnI+PHR0PiZndDsgYyZndDsgJm5ic3A7bG9jYWwgcG9saWN5IHNoYWxsIGRpY3RhdGUg dGhlIGFjdGlvbiB0byBiZSB0YWtlbi4gSW4gYW55IGNhc2UgbG9jYWw8L3R0Pjxicj48dHQ+Jmd0 OyBjJmd0OyAmbmJzcDtwb2xpY3kgbWF5IGRpY3RhdGUgYWN0aW9ucyBpbiBhZGRpdGlvbiB0byBh bmQvb3Igc3Ryb25nZXIgdGhhbiB0aG9zZTwvdHQ+PGJyPjx0dD4mZ3Q7IGMmZ3Q7ICZuYnNwO3N0 YXRlZCBpbiB0aGlzIFNwZWNpZmljYXRpb24uPC90dD48YnI+PHR0PiZndDsgPC90dD48YnI+PHR0 PiZndDsgZCZndDsgJm5ic3A7Tk9URSA1IC0tIElmIGFuIGV4dGVuc2lvbiBhZmZlY3RzIHRoZSB0 cmVhdG1lbnQgb2YgdGhlIGxpc3Q8L3R0Pjxicj48dHQ+Jmd0OyBkJmd0OyAmbmJzcDsoZS5nLiwg bXVsdGlwbGUgQ1JMcyBuZWVkIHRvIGJlIHNjYW5uZWQgdG8gZXhhbWluZSB0aGUgZW50aXJlIGxp c3Qgb2Y8L3R0Pjxicj48dHQ+Jmd0OyBkJmd0OyAmbmJzcDtyZXZva2VkIGNlcnRpZmljYXRlcywg b3IgYW4gZW50cnkgbWF5IHJlcHJlc2VudCBhIHJhbmdlIG9mIGNlcnRpZmljYXRlcyksPC90dD48 YnI+PHR0PiZndDsgZCZndDsgJm5ic3A7dGhlbiB0aGF0IGV4dGVuc2lvbiBzaGFsbCBiZSBpbmRp Y2F0ZWQgYXMgY3JpdGljYWwgaW4gdGhlIGNybEV4dGVuc2lvbnM8L3R0Pjxicj48dHQ+Jmd0OyBk Jmd0OyAmbmJzcDtmaWVsZCByZWdhcmRsZXNzIG9mIHdoZXJlIHRoZSBleHRlbnNpb24gaXMgcGxh Y2VkIGluIHRoZSBDUkwuPC90dD48YnI+PHR0PiZndDsgPC90dD48YnI+PHR0PiZndDsgZSZndDsg Jm5ic3A7QW4gZXh0ZW5zaW9uIGluZGljYXRlZCBpbiB0aGUgY3JsRW50cnlFeHRlbnNpb25zIGZp ZWxkIG9mIGFuIGVudHJ5IHNoYWxsPC90dD48YnI+PHR0PiZndDsgZSZndDsgJm5ic3A7YmUgcGxh Y2VkIGluIHRoYXQgZW50cnkgYW5kIHNoYWxsIGFmZmVjdCBvbmx5IHRoZSBjZXJ0aWZpY2F0ZShz KTwvdHQ+PGJyPjx0dD4mZ3Q7IGUmZ3Q7ICZuYnNwO3NwZWNpZmllZCBpbiB0aGF0IGVudHJ5Ljwv dHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJyPjx0dD4mZ3Q7IChJIGlu c2VydGVkIGJsYW5rIGxpbmVzIGFib3ZlIGZvciB2aXN1YWwgY2xhcml0eSBvZiB0aGUgWC41MDkg cmVxdWlyZW1lbnRzKS48L3R0Pjxicj48dHQ+Jmd0OyA8L3R0Pjxicj48dHQ+Jmd0OyB0d28gb3B0 aW9ucywgYWxsIGNvbWJpbmF0aW9uczo8L3R0Pjxicj48dHQ+Jmd0OyA8L3R0Pjxicj48dHQ+Jmd0 OyAmbmJzcDsoMSkgY2VydCAmbmJzcDsgJm5ic3A7IG9uIENSTCwgQ1JMIHdpdGggTk8gdW5yZWNv Z25pemVkIGNyaXRpY2FsIENSTEVudHJ5RXh0ZW5zaW9ucyA8L3R0Pjxicj48dHQ+Jmd0OyAmbmJz cDsoMikgY2VydCBOT1Qgb24gQ1JMLCBDUkwgd2l0aCBOTyB1bnJlY29nbml6ZWQgY3JpdGljYWwg Q1JMRW50cnlFeHRlbnNpb25zIDwvdHQ+PGJyPjx0dD4mZ3Q7ICZuYnNwOygzKSBjZXJ0ICZuYnNw OyAmbmJzcDsgb24gQ1JMLCBDUkwgd2l0aCAmbmJzcDsgJm5ic3A7dW5yZWNvZ25pemVkIGNyaXRp Y2FsIENSTEVudHJ5RXh0ZW5zaW9uPC90dD48YnI+PHR0PiZndDsgJm5ic3A7KDQpIGNlcnQgTk9U IG9uIENSTCwgQ1JMIHdpdGggJm5ic3A7ICZuYnNwO3VucmVjb2duaXplZCBjcml0aWNhbCBDUkxF bnRyeUV4dGVuc2lvbjwvdHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJy Pjx0dD4mZ3Q7IEkgaG9wZSB3ZSBhZ3JlZSB0aGF0IFguNTA5IGFuZCByZmM1MjgwIGFncmVlIG9u ICgxKSBhbmQgKDIpIHJlc3VsdHM8L3R0Pjxicj48dHQ+Jmd0OyBmb3IgQ1JMIGNoZWNraW5nLjwv dHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJyPjx0dD4mZ3Q7IHJmYzUyODAgY3VycmVudGx5IHNheXMg dGhhdCBmb3IgKDMpKyg0KSB0aGUgZW50aXJlIENSTCBvdWdodCB0byBiZSBpZ25vcmVkPC90dD48 YnI+PHR0PiZndDsgYW5kIG90aGVyIENSTHMgbmVlZCB0byBiZSBldmFsdWF0ZWQgJnF1b3Q7VU5E RVRFUk1JTkVEJnF1b3Q7PC90dD48YnI+PHR0PiZndDsgPC90dD48YnI+PHR0PiZndDsgWC41MDkg c2F5cyBpbiAoYSZndDspIHRoYXQgZm9yICgzKSB0aGUgc3RhdHVzIG9mIHRoZSBjZXJ0IGlzIGRl ZmluaXRlbHkgcmV2b2tlZDwvdHQ+PGJyPjx0dD4mZ3Q7IGFuZCBzYXlzIGluIChjJmd0OykgZm9y ICg0KSB0aGF0IHRoZSBDUkwgb3VnaHQgdG8gYmUgaWdub3JlZCBhbmQgb3RoZXIgQ1JMcyBuZWVk PC90dD48YnI+PHR0PiZndDsgdG8gYmUgZXZhbHVhdGVkICZxdW90O1VOREVURVJNSU5FRCZxdW90 OzwvdHQ+PGJyPjx0dD4mZ3Q7IDwvdHQ+PGJyPjx0dD4mZ3Q7IFdoaWxlIGJvdGggWC41MDkgYW5k IHJmYzUyODAgYWdyZWUgb24gdGhlIHJlc3VsdCBmb3IgKDQpICZxdW90O1VOREVURVJNSU5FRCZx dW90Oyw8L3R0Pjxicj48dHQ+Jmd0OyB0aGVyZSBpcyB0aGUgc3VwZXJmaWNpYWwgYXBwZWFyYW5j ZSBvZiBhIGRpZmZlcmVuY2UgZm9yIGEgY2FzdWFsPC90dD48YnI+PHR0PiZndDsgaW1wbGVtZW50 ZXIgZm9yIGNhc2UgKDMpIGJldHdlZW4gWC41MDkgJnF1b3Q7UkVWT0tFRCZxdW90OyBhbmQgcmZj NTI4MCAmcXVvdDtVTkRFVEVSTUlORUQmcXVvdDs8L3R0Pjxicj48dHQ+Jmd0OyB0aGF0IG1pZ2h0 IGxlYWQgdG8gYSBzbGlnaHRseSBsZXNzIGVmZmljaWVudCBwcm9jZXNzaW5nIENSTHMuPC90dD48 YnI+PHR0PiZndDsgPC90dD48YnI+PHR0PiZndDsgPC90dD48YnI+PHR0PiZndDsgVGhlIG5ld2x5 IHByb3Bvc2VkIHRleHQgKGluIC0wOSk6PC90dD48YnI+PHR0PiZndDsgPC90dD48YnI+PHR0PiZn dDsgfCAmbmJzcDsgJm5ic3A7IElmIGEgQ1JMIGNvbnRhaW5zIGEgY3JpdGljYWwgQ1JMIGVudHJ5 IGV4dGVuc2lvbjwvdHQ+PGJyPjx0dD4mZ3Q7IHwgJm5ic3A7ICZuYnNwOyB0aGF0IHRoZSBhcHBs aWNhdGlvbiBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVDwvdHQ+PGJy Pjx0dD4mZ3Q7IHwgJm5ic3A7ICZuYnNwOyBOT1QgdXNlIHRoYXQgQ1JMIHRvIGRldGVybWluZSB0 aGUgc3RhdHVzIG9mIHRoZSBjZXJ0aWZpY2F0ZTwvdHQ+PGJyPjx0dD4mZ3Q7IHwgJm5ic3A7ICZu YnNwOyByZXByZXNlbnRlZCBieSB0aGUgQ1JMIGVudHJ5LiAmbmJzcDs8L3R0Pjxicj48dHQ+Jmd0 OyA8L3R0Pjxicj48dHQ+Jmd0OyBjcmVhdGVzIGEgc2lnbmlmaWNhbnRseSBkaXN0aW5jdCBiZWhh dmlvdXIgZm9yIGNhc2UgKDQpIHdoZXJlIFguNTA5PC90dD48YnI+PHR0PiZndDsgYW5kIHJmYzUy ODAgYWdyZWVkIG9uICZxdW90O1VOREVURVJNSU5FRCZxdW90OywgYnkgcmVkZWZpbmluZyB0aGUg cmVzdWx0IHRvPC90dD48YnI+PHR0PiZndDsgYmUgJnF1b3Q7VU5SRVZPS0VEJnF1b3Q7LCBhbmQg cG90ZW50aWFsbHkgY3JlYXRlcyBhIHNlY3VyaXR5IHByb2JsZW0sIGFuZCBhPC90dD48YnI+PHR0 PiZndDsgbmV3LCBiYWNrd2FyZHMtaW5jb21wYXRpYmxlIGJlaGF2aW91ciBmb3IgYSBzaXR1YXRp b24gd2hlcmU8L3R0Pjxicj48dHQ+Jmd0OyBYLjUwOSBhbmQgcmZjNTI4MCB1c2VkIHRvIGFncmVl LiBTdGlsbCwgdGhlIG5ldyB0ZXh0IGRvZXMgbm90IGRvPC90dD48YnI+PHR0PiZndDsgYW55dGhp bmcgYWJvdXQgY2FzZSAoMyksIHRoZSBvbmx5IGNhc2Ugd2hlcmUgWC41MDkgYW5kIHJmYzUyODA8 L3R0Pjxicj48dHQ+Jmd0OyBhcHBlYXIgdG8gZGlmZmVyIChpbiBhIG1vc3RseSBtYXJnaW5hbCBm YXNoaW9uKS48L3R0Pjxicj48dHQ+Jmd0OyA8L3R0Pjxicj48dHQ+Jmd0OyA8L3R0Pjxicj48dHQ+ Jmd0OyBBIGNhcmVmdWwgaW1wbGVtZW50b3IsIHRoYXQgYW5hbHl6ZXMgTk9URSA0IGFuZCBOT1RF IDUgZnJvbSBYLjUwOTwvdHQ+PGJyPjx0dD4mZ3Q7IHF1b3RlZCBhYm92ZSBpbiBpdHMgZW50aXJl dHksIHNob3VsZCByZWFsaXplIHRoYXQgdGhlIHNpdHVhdGlvbjwvdHQ+PGJyPjx0dD4mZ3Q7IHdo ZXJlIFguNTA5IGFuZCByZmM1MjgwIGRpZmZlciBpcyBtYXJnaW5hbC48L3R0Pjxicj48dHQ+Jmd0 OyA8L3R0Pjxicj48dHQ+Jmd0OyBUaGlzIGlzIGJlY2F1c2UgKGQmZ3Q7KSBpbiBOT1RFIDUgYWJv dmUgcmVxdWlyZXMgKCZxdW90O3NoYWxsJnF1b3Q7KSB0aGF0IGE8L3R0Pjxicj48dHQ+Jmd0OyBj cml0aWNhbCBjcmxFbnRyeUV4dGVuc2lvbiB3aXRoIGEgc2VtYW50aWMgYmV5b25kICZxdW90O3Ro aXMgY2VydCBpczwvdHQ+PGJyPjx0dD4mZ3Q7IHJldm9rZWQmcXVvdDspLCBNVVNUIGJlIGFkZGl0 aW9uYWxseSBpbmNsdWRlZCBhcyBhIGNyaXRpY2FsIGNybEV4dGVuc2lvbiw8L3R0Pjxicj48dHQ+ Jmd0OyB3aXRoIHRoZSBlZmZlY3QgdGhhdCB0aGUgZW50aXJlIENSTCB3aWxsIGhhdmUgdG8gYmUg aWdub3JlZCBieTwvdHQ+PGJyPjx0dD4mZ3Q7IGJvdGggWC41MDkgYW5kIHJmYzUyODAgaW1wbGVt ZW50YXRpb25zIHRoYXQgZG8gbm90IHJlY29nbml6ZTwvdHQ+PGJyPjx0dD4mZ3Q7IHRoZSBjcmxF eHRlbnNpb24uICZuYnNwO1NvIGFsbCBjb21wbGlhbnQgQ1JMcyB3aXRoIGEgJnF1b3Q7ZmFuY3km cXVvdDs8L3R0Pjxicj48dHQ+Jmd0OyB1bnJlY29nbml6ZWQgY3JpdGljYWwgY3JsRW50cnlFeHRl bnNpb24sIHRoZSBhY2NvbXBhbnlpbmc8L3R0Pjxicj48dHQ+Jmd0OyB1bnJlY29nbml6ZWQgY3Jp dGljYWwgY3JsRXh0ZW5zaW9uIHdpbGwgY2F1c2UgWC41MDkgYW5kIHJmYzUyODA8L3R0Pjxicj48 dHQ+Jmd0OyB0byBhZ3JlZSBvbiAoMykgdG8gcmV0dXJuICZxdW90O1VOREVURVJNSU5FRCZxdW90 OyBhbmQgcmVxdWlyZSBvdGhlcjwvdHQ+PGJyPjx0dD4mZ3Q7IENSTHMgdG8gYmUgY2hlY2tlZC4g PC90dD48YnI+PHR0PiZndDsgPC90dD48YnI+PHR0PiZndDsgPC90dD48YnI+PHR0PiZndDsgLU1h cnRpbjwvdHQ+PGJyPjx0dD4mZ3Q7IF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fPC90dD48YnI+PHR0PiZndDsgcGtpeCBtYWlsaW5nIGxpc3Q8L3R0Pjxicj48 dHQ+Jmd0OyA8YSBocmVmPSJtYWlsdG86cGtpeEBpZXRmLm9yZyI+cGtpeEBpZXRmLm9yZzwvYT48 L3R0Pjxicj48dHQ+Jmd0OyA8L3R0Pjwvc3Bhbj48YSBocmVmPSJodHRwczovL3d3dy5pZXRmLm9y Zy9tYWlsbWFuL2xpc3RpbmZvL3BraXgiPjx0dD48c3BhbiBzdHlsZT0nZm9udC1zaXplOjEwLjBw dCc+aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9wa2l4PC9zcGFuPjwvdHQ+ PC9hPjxvOnA+PC9vOnA+PC9wPjwvZGl2PjwvZGl2PjwvYm9keT48L2h0bWw+ --_000_B83745DA469B7847811819C5005244AF362EC9B6scygexch7cygnac_-- From piyush@identicate.com Mon Sep 17 08:06:20 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8339121F86DF for ; Mon, 17 Sep 2012 08:06:09 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.098 X-Spam-Level: X-Spam-Status: No, score=-5.098 tagged_above=-999 required=5 tests=[AWL=1.500, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fmz4xfAnLTUD for ; Mon, 17 Sep 2012 08:06:07 -0700 (PDT) Received: from tx2outboundpool.messaging.microsoft.com (tx2ehsobe005.messaging.microsoft.com [65.55.88.15]) by ietfa.amsl.com (Postfix) with ESMTP id A512721F8669 for ; Mon, 17 Sep 2012 08:06:07 -0700 (PDT) Received: from mail14-tx2-R.bigfish.com (10.9.14.246) by TX2EHSOBE014.bigfish.com (10.9.40.34) with Microsoft SMTP Server id 14.1.225.23; Mon, 17 Sep 2012 15:06:07 +0000 Received: from mail14-tx2 (localhost [127.0.0.1]) by mail14-tx2-R.bigfish.com (Postfix) with ESMTP id 112F516008A; Mon, 17 Sep 2012 15:06:07 +0000 (UTC) X-Forefront-Antispam-Report: CIP:157.56.244.229; KIP:(null); UIP:(null); IPV:NLI; H:CH1PRD0610HT001.namprd06.prod.outlook.com; RD:none; EFVD:NLI X-SpamScore: -22 X-BigFish: PS-22(zzbb2dI9371Ic89bh1432Ic857hd6eahd6f1izz1202h1d1ah1d2ahzz8275ch1033IL17326ah8275bh8275dhz2fh2a8h668h839hd25hf0ah107ah1288h12a5h12bdh1155h) Received-SPF: pass (mail14-tx2: domain of identicate.com designates 157.56.244.229 as permitted sender) client-ip=157.56.244.229; envelope-from=piyush@identicate.com; helo=CH1PRD0610HT001.namprd06.prod.outlook.com ; .outlook.com ; Received: from mail14-tx2 (localhost.localdomain [127.0.0.1]) by mail14-tx2 (MessageSwitch) id 1347894363343790_29801; Mon, 17 Sep 2012 15:06:03 +0000 (UTC) Received: from TX2EHSMHS040.bigfish.com (unknown [10.9.14.237]) by mail14-tx2.bigfish.com (Postfix) with ESMTP id 4FD7618006D; Mon, 17 Sep 2012 15:06:03 +0000 (UTC) Received: from CH1PRD0610HT001.namprd06.prod.outlook.com (157.56.244.229) by TX2EHSMHS040.bigfish.com (10.9.99.140) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 17 Sep 2012 15:06:01 +0000 Received: from CH1PRD0610MB393.namprd06.prod.outlook.com ([169.254.11.24]) by CH1PRD0610HT001.namprd06.prod.outlook.com ([10.255.151.36]) with mapi id 14.16.0190.008; Mon, 17 Sep 2012 15:06:01 +0000 From: Piyush Jain To: Santosh Chokhani , "denis.pinkas@bull.net" Thread-Topic: [pkix] 5280bis, v-09 Thread-Index: AQHNj4Or+HT2+Q6yxkWqbc8OyTbOnJeHbVEAgAbEwwCAAG5aAIAABcsAgAABtACAAAK74A== Date: Mon, 17 Sep 2012 15:06:00 +0000 Message-ID: References: <504E13CB.8080001@bbn.com> <20120913002444.80A791A216@ld9781.wdf.sap.corp> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [75.25.128.241] Content-Type: multipart/alternative; boundary="_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC1E56CH1PRD0610MB393_" MIME-Version: 1.0 X-OriginatorOrg: identicate.com Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 15:06:20 -0000 --_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC1E56CH1PRD0610MB393_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 TXkgcmVjb21tZW5kYXRpb24gd291bGQgYmUgdG8gZ28gd2l0aCDigJhyZXZva2Vk4oCZIG9uIHRo aXMgdW5sZXNzIHdlIGNhbiBleHBsaWNpdGx5IHNwZWxsIG91dCB3aHkgd2UgY2hvc2Ug4oCYdW5r bm93buKAmSB0byBvdmVycmlkZSBYLjUwOS4NCg0KSSBqdXN0IHdhbnQgdG8gYXZvaWQgdGhlIHNp dHVhdGlvbiB3aGVyZSBzb21lb25lIHJhaXNlcyB0aGlzIGlzc3VlIGFnYWluIGluIGEgZmV3IHll YXJzIHRoYXQgNTI4MCBpcyBpbmNvbnNpc3RlbnQgd2l0aCBYLjUwOSB3aXRob3V0IGFueSBhcHBh cmVudCByZWFzb24uDQoNCkZyb206IFNhbnRvc2ggQ2hva2hhbmkgW21haWx0bzpTQ2hva2hhbmlA Y3lnbmFjb20uY29tXQ0KU2VudDogTW9uZGF5LCBTZXB0ZW1iZXIgMTcsIDIwMTIgNzo0OCBBTQ0K VG86IGRlbmlzLnBpbmthc0BidWxsLm5ldA0KQ2M6IG1yZXhAc2FwLmNvbTsgUGl5dXNoIEphaW47 IHBraXgNClN1YmplY3Q6IFJFOiBbcGtpeF0gNTI4MGJpcywgdi0wOQ0KDQpEZW5pcywNCg0KSSBh bSBvayBlaXRoZXIgd2F5ICh1bmtub3duIG9yIHJldm9rZWQpLiAgVGhlIGdvb2QgdGhpbmcgaXMg dGhhdCB0aGUgbmV3IHRleHQgc3BlbGxzIHRoaW5ncyBvdXQgbW9yZSBjbGVhcmx5Lg0KDQpGcm9t OiBkZW5pcy5waW5rYXNAYnVsbC5uZXQ8bWFpbHRvOmRlbmlzLnBpbmthc0BidWxsLm5ldD4gW21h aWx0bzpkZW5pcy5waW5rYXNAYnVsbC5uZXRdPG1haWx0bzpbbWFpbHRvOmRlbmlzLnBpbmthc0Bi dWxsLm5ldF0+DQpTZW50OiBNb25kYXksIFNlcHRlbWJlciAxNywgMjAxMiAxMDo0MiBBTQ0KVG86 IFNhbnRvc2ggQ2hva2hhbmkNCkNjOiBtcmV4QHNhcC5jb208bWFpbHRvOm1yZXhAc2FwLmNvbT47 IFBpeXVzaCBKYWluOyBwa2l4DQpTdWJqZWN0OiBSRTogW3BraXhdIDUyODBiaXMsIHYtMDkNCg0K U2FudG9zaCwgUGl5dXNoIGFuZCBNYXJ0aW4sDQoNClNvcnJ5LCBJIG1hZGUgYSBtaXN0YWtlIHdo ZW4gbWFraW5nIG15IHByb3Bvc2FsIHRoaXMgbW9ybmluZy4NCkkgd3JvdGUgInJldm9rZWQiLCBi dXQgd2FzIGFkdm9jYXRpbmcgInVua25vd24iLg0KDQpCYXNlZCBvbiB0aGUgbGF0ZXN0IHRleHQg cHJvcG9zZWQgZnJvbSBTYW50b3NoLCBJIHdvdWxkIHJhdGhlciBwcmVmZXI6DQoNCklmIGFuIGFw cGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxF bnRyeUV4dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkNCnRoYXQgYWZmZWN0cyBvbmx5IHRoZSBj ZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgYXMgaW5kaWNhdGVkIGJ5IHRoZSBh YnNlbmNlIG9mIGEgcmVsYXRlZA0KY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxFeHRlbnNp b25zIGZpZWxkLCB0aGVuIHRoZSBzdGF0dXMgb2YgY2VydGlmaWNhdGUgaWRlbnRpZmllZCBieSB0 aGUgQ1JMIGVudHJ5DQpzaGFsbCBiZSBjb25zaWRlcmVkIHVua293bi4NCg0KaW5zdGVhZCBvZiA6 DQoNCklmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEgY3JpdGljYWwgZXh0ZW5zaW9u IGluIHRoZSBjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkNCnRoYXQgYWZmZWN0 cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgYXMgaW5kaWNh dGVkIGJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZA0KY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRo ZSBjcmxFeHRlbnNpb25zIGZpZWxkLCB0aGVuIHRoZSBjZXJ0aWZpY2F0ZSBpZGVudGlmaWVkIGJ5 IHRoZSBDUkwgZW50cnkNCnNoYWxsIGJlIGNvbnNpZGVyZWQgcmV2b2tlZC4NCg0KRGVuaXMNCg0K DQoNCg0KDQoNCg0KDQoNCkRlIDogICAgICAgIFNhbnRvc2ggQ2hva2hhbmkgPFNDaG9raGFuaUBj eWduYWNvbS5jb208bWFpbHRvOlNDaG9raGFuaUBjeWduYWNvbS5jb20+Pg0KQSA6ICAgICAgICAi ZGVuaXMucGlua2FzQGJ1bGwubmV0PG1haWx0bzpkZW5pcy5waW5rYXNAYnVsbC5uZXQ+IiA8ZGVu aXMucGlua2FzQGJ1bGwubmV0PG1haWx0bzpkZW5pcy5waW5rYXNAYnVsbC5uZXQ+PiwgIm1yZXhA c2FwLmNvbTxtYWlsdG86bXJleEBzYXAuY29tPiIgPG1yZXhAc2FwLmNvbTxtYWlsdG86bXJleEBz YXAuY29tPj4sIFBpeXVzaCBKYWluIDxwaXl1c2hAaWRlbnRpY2F0ZS5jb208bWFpbHRvOnBpeXVz aEBpZGVudGljYXRlLmNvbT4+DQpDYyA6ICAgICAgICBwa2l4IDxwa2l4QGlldGYub3JnPG1haWx0 bzpwa2l4QGlldGYub3JnPj4NCkRhdGUgOiAgICAgICAgMTcvMDkvMjAxMiAxNjoyMQ0KT2JqZXQg OiAgICAgICAgUkU6IFtwa2l4XSA1MjgwYmlzLCB2LTA5DQpfX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fXw0KDQoNCg0KVGhpcyBhbHNvIHJlbGF0ZXMgdG8gZWFybGllciBwb3N0IEkgbWFk ZSBpbiByZXNwb25zZSB0byBQaXl1c2guDQoNCkkgYXNzdW1lIHdlIGFyZSBhZGRpbmcgdGhlIGZv bGxvd2luZyB0byB0aGUgUkZDIOKAnEEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxFbnRy eUV4dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkgc2hhbGwgYWZmZWN0IG9ubHkgdGhlIGNlcnRp ZmljYXRlIHNwZWNpZmllZCBpbiB0aGF0IGVudHJ5LCB1bmxlc3MgdGhlcmUgaXMgYSByZWxhdGVk IGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRXh0ZW5zaW9ucyBmaWVsZCB0aGF0IGFkdmVy dGlzZXMgYSBzcGVjaWFsIHRyZWF0bWVudCBmb3IgaXQu4oCdICBJbiBvcmRlciB0byB1c2Ugc3Vj aCBDUkwsIHRoZSByZWx5aW5nIHBhcnR5IG11c3QgYmUgYWJsZSB0byBwcm9jZXNzIGJvdGggdGhl IGNybEVudHJ5RXh0ZW5zaW9uIGFuZCB0aGUgcmVsYXRlZCBjcmxFeHRlbnNpb24u4oCdDQoNCklu IHRoYXQgY2FzZSwgSSBkbyBub3QgbWluZCBhZGRpbmcgdGhlIGZvbGxvd2luZyB0byA1MjgwIChh IHNsaWdodCBtb2RpZmljYXRpb24gdG8gd2hhdCBEZW5pcyBoYXM6DQoNCklmIGFuIGFwcGxpY2F0 aW9uIGNhbm5vdCBwcm9jZXNzIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxFbnRyeUV4 dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkgdGhhdCBhZmZlY3RzIG9ubHkgdGhlIGNlcnRpZmlj YXRlIHNwZWNpZmllZCBpbiB0aGF0IGVudHJ5LCBhcyBpbmRpY2F0ZWQgYnkgdGhlIGFic2VuY2Ug b2YgYSByZWxhdGVkIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRXh0ZW5zaW9ucyBmaWVs ZCwgdGhlbiB0aGUgY2VydGlmaWNhdGUgaWRlbnRpZmllZCBieSB0aGUgQ1JMIGVudHJ5IHNoYWxs IGJlIGNvbnNpZGVyZWQgcmV2b2tlZC4NCg0KRnJvbTogcGtpeC1ib3VuY2VzQGlldGYub3JnPG1h aWx0bzpwa2l4LWJvdW5jZXNAaWV0Zi5vcmc+IFttYWlsdG86cGtpeC1ib3VuY2VzQGlldGYub3Jn XSBPbiBCZWhhbGYgT2YgZGVuaXMucGlua2FzQGJ1bGwubmV0PG1haWx0bzpkZW5pcy5waW5rYXNA YnVsbC5uZXQ+DQpTZW50OiBNb25kYXksIFNlcHRlbWJlciAxNywgMjAxMiAzOjQ3IEFNDQpUbzog bXJleEBzYXAuY29tPG1haWx0bzptcmV4QHNhcC5jb20+OyBQaXl1c2ggSmFpbg0KQ2M6IHBraXgN ClN1YmplY3Q6IFJlOiBbcGtpeF0gNTI4MGJpcywgdi0wOQ0KDQpHb29kIGNhdGNoIE1hcnRpbiwN Cg0KWW91IGNhbWUgYmFjayBmcm9tIHZhY2F0aW9uIGp1c3QgaW4gdGltZS4gOi0pDQoNCkkgcHJv cG9zZSB0aGUgZm9sbG93aW5nOg0KDQpSZXBsYWNlOg0KDQp8ICAgICBJZiBhIENSTCBjb250YWlu cyBhIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24NCnwgICAgIHRoYXQgdGhlIGFwcGxpY2F0 aW9uIGNhbm5vdCBwcm9jZXNzLCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBNVVNUDQp8ICAgICBOT1Qg dXNlIHRoYXQgQ1JMIHRvIGRldGVybWluZSB0aGUgc3RhdHVzIG9mIGFueSBjZXJ0aWZpY2F0ZXMu DQoNCndpdGgNCg0KfCAgICAgSWYgYSBDUkwgY29udGFpbnMgaW4gYSBDUkwgZW50cnkgYSBjcml0 aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uDQp8ICAgICB0aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5u b3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVA0KfCAgICAgY29uc2lkZXIgdGhh dCB0aGUgY2VydGlmaWNhdGUgaWRlbnRpZmllZCBpbiB0aGF0IENSTCBlbnRyeSBpcw0KfCAgICAg cmV2b2tlZC4NCg0KSW4gb3JkZXIgdG8gYW5zd2VyIHRvIFBpeXVzaCwgSSBiZWxpZXZlIHRoYXQg 4oCcdW5rbm93buKAnSBzaG91bGQgYmUgdXNlZCByYXRoZXIgdGhhbiDigJxyZXZva2Vk4oCdLg0K DQpUaGUgZm9sbG93aW5nIGV4YW1wbGUgaXMgYW4gaWxsdXN0cmF0aW9uOg0KDQpUaGUgc3RhdHVz IG9mIGEgZ2l2ZW4gY2VydGlmaWNhdGUgaXMgaW5kaWNhdGVkIGFzIOKAnGdvb2TigJ0sIGJ1dCB0 aGVyZSBpcyBhIENSTCBlbnRyeSB3aXRoIGEgY3JpdGljYWwNCkNSTCBlbnRyeSBleHRlbnNpb24u IFRoaXMgZW50cnkgbWVhbnMgKGZvciB0aGUgYXBwbGljYXRpb25zIHdoaWNoIHVuZGVyc3RhbmQg aXQpIDoNCg0KIlRoZSBzdGF0dXMgd2hpY2ggaXMgdXN1YWxseSBvYnRhaW5lZCB1c2luZyBhIGRh dGFiYXNlIG9mIGlzc3VlZCBjZXJ0aWZpY2F0ZXMgaGFzIGJlZW4gb2J0YWluZWQgZnJvbSBDUkxz Lg0KSWYgeW91IHJlYWxseSBuZWVkIHRvIHRha2UgYSBkZWNpc2lvbiBub3csIGl0IGlzIGF0IHlv dXIgb3duIHJpc2suIElmIHlvdSBjYW4gd2FpdCwgeW91IGhhZCBiZXR0ZXIgdG8gdHJ5IGFnYWlu IGxhdGVyIG9uIi4NCg0KWW91ciBuZXh0IHF1ZXN0aW9uIHdpbGwgY2VydGFpbmx5IGJlOiBzbyB3 aHkgZG9u4oCZdCB5b3UgdXNlIHRoZSBwcm9wb3NlZCBjZXJ0SW5mbyBleHRlbnNpb24gPw0KDQpG b3IgYXBwbGljYXRpb25zIHdoaWNoIGRvIG5vdCB1bmRlcnN0YW5kIHRoaXMgY3JpdGljYWwgQ1JM IGVudHJ5IGV4dGVuc2lvbiwgdGhlcmUgaXMgbm8gZGlmZmVyZW5jZS4NClRoZXkgZ2V0IGFuICJ1 bmtub3duIiBzdGF0dXMgaW4gYm90aCBjYXNlcy4NCg0KRm9yIGFwcGxpY2F0aW9ucyB3aGljaCB1 bmRlcnN0YW5kIHRoaXMgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiBpdCBwcm92aWRlcyBs ZXNzIGJlbmVmaXRzDQp0aGFuIHRoZSBwcm9wb3NlZCBjZXJ0SW5mbyBleHRlbnNpb24sIGJ1dCBp dCBtaWdodCBiZSBxdWlja2VyIHRvIGltcGxlbWVudCBhbmQgaXQgZW5mb3JjZXMgYSBwb2xpY3ku DQoNCkRlbmlzDQoNCg0KPiBJIG9iamVjdCB0byB0aGUgcHJvcG9zZWQgbmV3IHRleHQgYWJvdXQg Q1JMRW50cnlFeHRlbnNpb25zDQo+IGluIHRoZSBjbGFyaWZpY2F0aW9uIGRvY3VtZW50LCBiZWNh dXNlIGFzIGlzLCB3b3VsZCBzaWduaWZpY2FudGx5DQo+IHdvcnNlbiB0aGUgZGlmZmVyZW5jZSBi ZXR3ZWVuIFBLSVggYW5kIFguNTA5IGFuZCBtYWtlIHRoaW5ncw0KPiBjbGVhcmx5IGluY29tcGF0 aWJsZSByYXRoZXIgdGhhbiBzbGlnaHRseSBsZXNzIGVmZmljaWVudC4NCj4NCj4gSWYgYW55dGhp bmcsIHRoZSBnYXAgc2hvdWxkIGJlIHJlZHVjZWQsIGNvbXBhdGliaWxpdHkgYmV0d2Vlbg0KPiBQ S0lYIGFuZCBYLjUwOSBpbXByb3ZlZCBhbmQgdGhlIG9yaWdpbmFsIGFyY2hpdGVjdHVyZSBub3Qg dmlvbGF0ZWQuDQo+DQo+IFBsZWFzZSByZWNhbGwgdGhlIG9yaWdpbmFsIE5PVEUgNCAmIDUgdGhh dCBJIHF1b3RlZCBmcm9tDQo+IElUVS1UIFJlYy4gWC41MDkgKDA4LzIwMDUpLCBTZWN0aW9uIDcu MywgdG9wIG9mIHBhZ2UgMTg6DQo+IChnZXQgdGhlbSBoZXJlIGh0dHA6Ly93d3cuaXR1LmludC9y ZWMvVC1SRUMtWC41MDkpOg0KPg0KPiBhPiAgTk9URSA0IC0tIFdoZW4gYW4gaW1wbGVtZW50YXRp b24gcHJvY2Vzc2luZyBhIGNlcnRpZmljYXRlIHJldm9jYXRpb24NCj4gYT4gIGxpc3QgZG9lcyBu b3QgcmVjb2duaXplIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxFbnRyeUV4dGVuc2lv bnMNCj4gYT4gIGZpZWxkLCBpdCBzaGFsbCBhc3N1bWUgdGhhdCwgYXQgYSBtaW5pbXVtLCB0aGUg aWRlbnRpZmllZCBjZXJ0aWZpY2F0ZQ0KPiBhPiAgaGFzIGJlZW4gcmV2b2tlZCBhbmQgaXMgbm8g bG9uZ2VyIHZhbGlkIGFuZCBwZXJmb3JtIGFkZGl0aW9uYWwgYWN0aW9ucw0KPiBhPiAgY29uY2Vy bmluZyB0aGF0IHJldm9rZWQgY2VydGlmaWNhdGUgYXMgZGljdGF0ZWQgYnkgbG9jYWwgcG9saWN5 Lg0KPg0KPiBiPiAgV2hlbiBhbiBpbXBsZW1lbnRhdGlvbiBkb2VzIG5vdCByZWNvZ25pemUgYSBj cml0aWNhbCBleHRlbnNpb24gaW4gdGhlDQo+IGI+ICBjcmxFeHRlbnNpb25zIGZpZWxkLCBpdCBz aGFsbCBhc3N1bWUgdGhhdCBpZGVudGlmaWVkIGNlcnRpZmljYXRlcw0KPiBiPiAgaGF2ZSBiZWVu IHJldm9rZWQgYW5kIGFyZSBubyBsb25nZXIgdmFsaWQuDQo+DQo+IGM+ICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG93ZXZlciBpbiB0aGUgbGF0dGVyIGNhc2Us DQo+IGM+ICBzaW5jZSB0aGUgbGlzdCBtYXkgbm90IGJlIGNvbXBsZXRlLCBjZXJ0aWZpY2F0ZXMg dGhhdCBoYXZlIG5vdCBiZWVuDQo+IGM+ICBpZGVudGlmaWVkIGFzIGJlaW5nIHJldm9rZWQgY2Fu bm90IGJlIGFzc3VtZWQgdG8gYmUgdmFsaWQuIEluIHRoaXMgY2FzZQ0KPiBjPiAgbG9jYWwgcG9s aWN5IHNoYWxsIGRpY3RhdGUgdGhlIGFjdGlvbiB0byBiZSB0YWtlbi4gSW4gYW55IGNhc2UgbG9j YWwNCj4gYz4gIHBvbGljeSBtYXkgZGljdGF0ZSBhY3Rpb25zIGluIGFkZGl0aW9uIHRvIGFuZC9v ciBzdHJvbmdlciB0aGFuIHRob3NlDQo+IGM+ICBzdGF0ZWQgaW4gdGhpcyBTcGVjaWZpY2F0aW9u Lg0KPg0KPiBkPiAgTk9URSA1IC0tIElmIGFuIGV4dGVuc2lvbiBhZmZlY3RzIHRoZSB0cmVhdG1l bnQgb2YgdGhlIGxpc3QNCj4gZD4gIChlLmcuLCBtdWx0aXBsZSBDUkxzIG5lZWQgdG8gYmUgc2Nh bm5lZCB0byBleGFtaW5lIHRoZSBlbnRpcmUgbGlzdCBvZg0KPiBkPiAgcmV2b2tlZCBjZXJ0aWZp Y2F0ZXMsIG9yIGFuIGVudHJ5IG1heSByZXByZXNlbnQgYSByYW5nZSBvZiBjZXJ0aWZpY2F0ZXMp LA0KPiBkPiAgdGhlbiB0aGF0IGV4dGVuc2lvbiBzaGFsbCBiZSBpbmRpY2F0ZWQgYXMgY3JpdGlj YWwgaW4gdGhlIGNybEV4dGVuc2lvbnMNCj4gZD4gIGZpZWxkIHJlZ2FyZGxlc3Mgb2Ygd2hlcmUg dGhlIGV4dGVuc2lvbiBpcyBwbGFjZWQgaW4gdGhlIENSTC4NCj4NCj4gZT4gIEFuIGV4dGVuc2lv biBpbmRpY2F0ZWQgaW4gdGhlIGNybEVudHJ5RXh0ZW5zaW9ucyBmaWVsZCBvZiBhbiBlbnRyeSBz aGFsbA0KPiBlPiAgYmUgcGxhY2VkIGluIHRoYXQgZW50cnkgYW5kIHNoYWxsIGFmZmVjdCBvbmx5 IHRoZSBjZXJ0aWZpY2F0ZShzKQ0KPiBlPiAgc3BlY2lmaWVkIGluIHRoYXQgZW50cnkuDQo+DQo+ DQo+IChJIGluc2VydGVkIGJsYW5rIGxpbmVzIGFib3ZlIGZvciB2aXN1YWwgY2xhcml0eSBvZiB0 aGUgWC41MDkgcmVxdWlyZW1lbnRzKS4NCj4NCj4gdHdvIG9wdGlvbnMsIGFsbCBjb21iaW5hdGlv bnM6DQo+DQo+ICAoMSkgY2VydCAgICAgb24gQ1JMLCBDUkwgd2l0aCBOTyB1bnJlY29nbml6ZWQg Y3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb25zDQo+ICAoMikgY2VydCBOT1Qgb24gQ1JMLCBDUkwg d2l0aCBOTyB1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb25zDQo+ICAoMykg Y2VydCAgICAgb24gQ1JMLCBDUkwgd2l0aCAgICB1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50 cnlFeHRlbnNpb24NCj4gICg0KSBjZXJ0IE5PVCBvbiBDUkwsIENSTCB3aXRoICAgIHVucmVjb2du aXplZCBjcml0aWNhbCBDUkxFbnRyeUV4dGVuc2lvbg0KPg0KPg0KPiBJIGhvcGUgd2UgYWdyZWUg dGhhdCBYLjUwOSBhbmQgcmZjNTI4MCBhZ3JlZSBvbiAoMSkgYW5kICgyKSByZXN1bHRzDQo+IGZv ciBDUkwgY2hlY2tpbmcuDQo+DQo+IHJmYzUyODAgY3VycmVudGx5IHNheXMgdGhhdCBmb3IgKDMp Kyg0KSB0aGUgZW50aXJlIENSTCBvdWdodCB0byBiZSBpZ25vcmVkDQo+IGFuZCBvdGhlciBDUkxz IG5lZWQgdG8gYmUgZXZhbHVhdGVkICJVTkRFVEVSTUlORUQiDQo+DQo+IFguNTA5IHNheXMgaW4g KGE+KSB0aGF0IGZvciAoMykgdGhlIHN0YXR1cyBvZiB0aGUgY2VydCBpcyBkZWZpbml0ZWx5IHJl dm9rZWQNCj4gYW5kIHNheXMgaW4gKGM+KSBmb3IgKDQpIHRoYXQgdGhlIENSTCBvdWdodCB0byBi ZSBpZ25vcmVkIGFuZCBvdGhlciBDUkxzIG5lZWQNCj4gdG8gYmUgZXZhbHVhdGVkICJVTkRFVEVS TUlORUQiDQo+DQo+IFdoaWxlIGJvdGggWC41MDkgYW5kIHJmYzUyODAgYWdyZWUgb24gdGhlIHJl c3VsdCBmb3IgKDQpICJVTkRFVEVSTUlORUQiLA0KPiB0aGVyZSBpcyB0aGUgc3VwZXJmaWNpYWwg YXBwZWFyYW5jZSBvZiBhIGRpZmZlcmVuY2UgZm9yIGEgY2FzdWFsDQo+IGltcGxlbWVudGVyIGZv ciBjYXNlICgzKSBiZXR3ZWVuIFguNTA5ICJSRVZPS0VEIiBhbmQgcmZjNTI4MCAiVU5ERVRFUk1J TkVEIg0KPiB0aGF0IG1pZ2h0IGxlYWQgdG8gYSBzbGlnaHRseSBsZXNzIGVmZmljaWVudCBwcm9j ZXNzaW5nIENSTHMuDQo+DQo+DQo+IFRoZSBuZXdseSBwcm9wb3NlZCB0ZXh0IChpbiAtMDkpOg0K Pg0KPiB8ICAgICBJZiBhIENSTCBjb250YWlucyBhIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNp b24NCj4gfCAgICAgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MsIHRoZW4gdGhl IGFwcGxpY2F0aW9uIE1VU1QNCj4gfCAgICAgTk9UIHVzZSB0aGF0IENSTCB0byBkZXRlcm1pbmUg dGhlIHN0YXR1cyBvZiB0aGUgY2VydGlmaWNhdGUNCj4gfCAgICAgcmVwcmVzZW50ZWQgYnkgdGhl IENSTCBlbnRyeS4NCj4NCj4gY3JlYXRlcyBhIHNpZ25pZmljYW50bHkgZGlzdGluY3QgYmVoYXZp b3VyIGZvciBjYXNlICg0KSB3aGVyZSBYLjUwOQ0KPiBhbmQgcmZjNTI4MCBhZ3JlZWQgb24gIlVO REVURVJNSU5FRCIsIGJ5IHJlZGVmaW5pbmcgdGhlIHJlc3VsdCB0bw0KPiBiZSAiVU5SRVZPS0VE IiwgYW5kIHBvdGVudGlhbGx5IGNyZWF0ZXMgYSBzZWN1cml0eSBwcm9ibGVtLCBhbmQgYQ0KPiBu ZXcsIGJhY2t3YXJkcy1pbmNvbXBhdGlibGUgYmVoYXZpb3VyIGZvciBhIHNpdHVhdGlvbiB3aGVy ZQ0KPiBYLjUwOSBhbmQgcmZjNTI4MCB1c2VkIHRvIGFncmVlLiBTdGlsbCwgdGhlIG5ldyB0ZXh0 IGRvZXMgbm90IGRvDQo+IGFueXRoaW5nIGFib3V0IGNhc2UgKDMpLCB0aGUgb25seSBjYXNlIHdo ZXJlIFguNTA5IGFuZCByZmM1MjgwDQo+IGFwcGVhciB0byBkaWZmZXIgKGluIGEgbW9zdGx5IG1h cmdpbmFsIGZhc2hpb24pLg0KPg0KPg0KPiBBIGNhcmVmdWwgaW1wbGVtZW50b3IsIHRoYXQgYW5h bHl6ZXMgTk9URSA0IGFuZCBOT1RFIDUgZnJvbSBYLjUwOQ0KPiBxdW90ZWQgYWJvdmUgaW4gaXRz IGVudGlyZXR5LCBzaG91bGQgcmVhbGl6ZSB0aGF0IHRoZSBzaXR1YXRpb24NCj4gd2hlcmUgWC41 MDkgYW5kIHJmYzUyODAgZGlmZmVyIGlzIG1hcmdpbmFsLg0KPg0KPiBUaGlzIGlzIGJlY2F1c2Ug KGQ+KSBpbiBOT1RFIDUgYWJvdmUgcmVxdWlyZXMgKCJzaGFsbCIpIHRoYXQgYQ0KPiBjcml0aWNh bCBjcmxFbnRyeUV4dGVuc2lvbiB3aXRoIGEgc2VtYW50aWMgYmV5b25kICJ0aGlzIGNlcnQgaXMN Cj4gcmV2b2tlZCIpLCBNVVNUIGJlIGFkZGl0aW9uYWxseSBpbmNsdWRlZCBhcyBhIGNyaXRpY2Fs IGNybEV4dGVuc2lvbiwNCj4gd2l0aCB0aGUgZWZmZWN0IHRoYXQgdGhlIGVudGlyZSBDUkwgd2ls bCBoYXZlIHRvIGJlIGlnbm9yZWQgYnkNCj4gYm90aCBYLjUwOSBhbmQgcmZjNTI4MCBpbXBsZW1l bnRhdGlvbnMgdGhhdCBkbyBub3QgcmVjb2duaXplDQo+IHRoZSBjcmxFeHRlbnNpb24uICBTbyBh bGwgY29tcGxpYW50IENSTHMgd2l0aCBhICJmYW5jeSINCj4gdW5yZWNvZ25pemVkIGNyaXRpY2Fs IGNybEVudHJ5RXh0ZW5zaW9uLCB0aGUgYWNjb21wYW55aW5nDQo+IHVucmVjb2duaXplZCBjcml0 aWNhbCBjcmxFeHRlbnNpb24gd2lsbCBjYXVzZSBYLjUwOSBhbmQgcmZjNTI4MA0KPiB0byBhZ3Jl ZSBvbiAoMykgdG8gcmV0dXJuICJVTkRFVEVSTUlORUQiIGFuZCByZXF1aXJlIG90aGVyDQo+IENS THMgdG8gYmUgY2hlY2tlZC4NCj4NCj4NCj4gLU1hcnRpbg0KPiBfX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fXw0KPiBwa2l4IG1haWxpbmcgbGlzdA0KPiBwa2l4 QGlldGYub3JnPG1haWx0bzpwa2l4QGlldGYub3JnPg0KPiBodHRwczovL3d3dy5pZXRmLm9yZy9t YWlsbWFuL2xpc3RpbmZvL3BraXgNCg== --_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC1E56CH1PRD0610MB393_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPCEtLVtp ZiAhbXNvXT48c3R5bGU+dlw6KiB7YmVoYXZpb3I6dXJsKCNkZWZhdWx0I1ZNTCk7fQ0Kb1w6KiB7 YmVoYXZpb3I6dXJsKCNkZWZhdWx0I1ZNTCk7fQ0Kd1w6KiB7YmVoYXZpb3I6dXJsKCNkZWZhdWx0 I1ZNTCk7fQ0KLnNoYXBlIHtiZWhhdmlvcjp1cmwoI2RlZmF1bHQjVk1MKTt9DQo8L3N0eWxlPjwh W2VuZGlmXS0tPjxzdHlsZT48IS0tDQovKiBGb250IERlZmluaXRpb25zICovDQpAZm9udC1mYWNl DQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAxNSA1IDIgMiAyIDQgMyAyIDQ7 fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWlseTpUYWhvbWE7DQoJcGFub3NlLTE6MiAxMSA2IDQg MyA1IDQgNCAyIDQ7fQ0KLyogU3R5bGUgRGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBsaS5N c29Ob3JtYWwsIGRpdi5Nc29Ob3JtYWwNCgl7bWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4w MDAxcHQ7DQoJZm9udC1zaXplOjEyLjBwdDsNCglmb250LWZhbWlseToiVGltZXMgTmV3IFJvbWFu Iiwic2VyaWYiO30NCmE6bGluaywgc3Bhbi5Nc29IeXBlcmxpbmsNCgl7bXNvLXN0eWxlLXByaW9y aXR5Ojk5Ow0KCWNvbG9yOmJsdWU7DQoJdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQphOnZp c2l0ZWQsIHNwYW4uTXNvSHlwZXJsaW5rRm9sbG93ZWQNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5 Ow0KCWNvbG9yOnB1cnBsZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCnAuTXNvQWNl dGF0ZSwgbGkuTXNvQWNldGF0ZSwgZGl2Lk1zb0FjZXRhdGUNCgl7bXNvLXN0eWxlLXByaW9yaXR5 Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiJCYWxsb29uIFRleHQgQ2hhciI7DQoJbWFyZ2luOjBpbjsN CgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9udC1zaXplOjguMHB0Ow0KCWZvbnQtZmFtaWx5 OiJUYWhvbWEiLCJzYW5zLXNlcmlmIjt9DQpzcGFuLkVtYWlsU3R5bGUxNw0KCXttc28tc3R5bGUt dHlwZTpwZXJzb25hbDsNCglmb250LWZhbWlseToiQXJpYWwiLCJzYW5zLXNlcmlmIjsNCgljb2xv cjojMUY0OTdEOw0KCWZvbnQtd2VpZ2h0Om5vcm1hbDsNCglmb250LXN0eWxlOm5vcm1hbDsNCgl0 ZXh0LWRlY29yYXRpb246bm9uZSBub25lO30NCnNwYW4uRW1haWxTdHlsZTE4DQoJe21zby1zdHls ZS10eXBlOnBlcnNvbmFsLXJlcGx5Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1zZXJp ZiI7DQoJY29sb3I6IzFGNDk3RDt9DQpzcGFuLkJhbGxvb25UZXh0Q2hhcg0KCXttc28tc3R5bGUt bmFtZToiQmFsbG9vbiBUZXh0IENoYXIiOw0KCW1zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28t c3R5bGUtbGluazoiQmFsbG9vbiBUZXh0IjsNCglmb250LWZhbWlseToiVGFob21hIiwic2Fucy1z ZXJpZiI7fQ0KLk1zb0NocERlZmF1bHQNCgl7bXNvLXN0eWxlLXR5cGU6ZXhwb3J0LW9ubHk7DQoJ Zm9udC1zaXplOjEwLjBwdDt9DQpAcGFnZSBXb3JkU2VjdGlvbjENCgl7c2l6ZTo4LjVpbiAxMS4w aW47DQoJbWFyZ2luOjEuMGluIDEuMGluIDEuMGluIDEuMGluO30NCmRpdi5Xb3JkU2VjdGlvbjEN Cgl7cGFnZTpXb3JkU2VjdGlvbjE7fQ0KLS0+PC9zdHlsZT48IS0tW2lmIGd0ZSBtc28gOV0+PHht bD4NCjxvOnNoYXBlZGVmYXVsdHMgdjpleHQ9ImVkaXQiIHNwaWRtYXg9IjEwMjYiIC8+DQo8L3ht bD48IVtlbmRpZl0tLT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlbGF5b3V0IHY6 ZXh0PSJlZGl0Ij4NCjxvOmlkbWFwIHY6ZXh0PSJlZGl0IiBkYXRhPSIxIiAvPg0KPC9vOnNoYXBl bGF5b3V0PjwveG1sPjwhW2VuZGlmXS0tPg0KPC9oZWFkPg0KPGJvZHkgbGFuZz0iRU4tVVMiIGxp bms9ImJsdWUiIHZsaW5rPSJwdXJwbGUiPg0KPGRpdiBjbGFzcz0iV29yZFNlY3Rpb24xIj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0 OTdEIj5NeSByZWNvbW1lbmRhdGlvbiB3b3VsZCBiZSB0byBnbyB3aXRoIOKAmHJldm9rZWTigJkg b24gdGhpcyB1bmxlc3Mgd2UgY2FuIGV4cGxpY2l0bHkgc3BlbGwgb3V0IHdoeSB3ZSBjaG9zZSDi gJh1bmtub3du4oCZIHRvIG92ZXJyaWRlIFguNTA5LjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0 OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1 b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+SSBqdXN0IHdhbnQgdG8g YXZvaWQgdGhlIHNpdHVhdGlvbiB3aGVyZSBzb21lb25lIHJhaXNlcyB0aGlzIGlzc3VlIGFnYWlu IGluIGEgZmV3IHllYXJzIHRoYXQgNTI4MCBpcyBpbmNvbnNpc3RlbnQgd2l0aCBYLjUwOSB3aXRo b3V0IGFueSBhcHBhcmVudCByZWFzb24uPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxv OnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxkaXYgc3R5bGU9ImJvcmRlcjpub25lO2JvcmRl ci1sZWZ0OnNvbGlkIGJsdWUgMS41cHQ7cGFkZGluZzowaW4gMGluIDBpbiA0LjBwdCI+DQo8ZGl2 Pg0KPGRpdiBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLXRvcDpzb2xpZCAjQjVDNERGIDEuMHB0 O3BhZGRpbmc6My4wcHQgMGluIDBpbiAwaW4iPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7 LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPkZyb206PC9zcGFuPjwvYj48c3BhbiBzdHlsZT0iZm9u dC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1z ZXJpZiZxdW90OyI+IFNhbnRvc2ggQ2hva2hhbmkgW21haWx0bzpTQ2hva2hhbmlAY3lnbmFjb20u Y29tXQ0KPGJyPg0KPGI+U2VudDo8L2I+IE1vbmRheSwgU2VwdGVtYmVyIDE3LCAyMDEyIDc6NDgg QU08YnI+DQo8Yj5Ubzo8L2I+IGRlbmlzLnBpbmthc0BidWxsLm5ldDxicj4NCjxiPkNjOjwvYj4g bXJleEBzYXAuY29tOyBQaXl1c2ggSmFpbjsgcGtpeDxicj4NCjxiPlN1YmplY3Q6PC9iPiBSRTog W3BraXhdIDUyODBiaXMsIHYtMDk8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+RGVuaXMs PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZTo5LjBwdDtmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5z LXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6OS4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0 OTdEIj5JIGFtIG9rIGVpdGhlciB3YXkgKHVua25vd24gb3IgcmV2b2tlZCkuJm5ic3A7IFRoZSBn b29kIHRoaW5nIGlzIHRoYXQgdGhlIG5ldyB0ZXh0IHNwZWxscyB0aGluZ3Mgb3V0IG1vcmUgY2xl YXJseS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90 O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+ PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsi PkZyb206PC9zcGFuPjwvYj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWls eTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+DQo8YSBocmVmPSJt YWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0Ij5kZW5pcy5waW5rYXNAYnVsbC5uZXQ8L2E+IDxh IGhyZWY9Im1haWx0bzpbbWFpbHRvOmRlbmlzLnBpbmthc0BidWxsLm5ldF0iPg0KW21haWx0bzpk ZW5pcy5waW5rYXNAYnVsbC5uZXRdPC9hPiA8YnI+DQo8Yj5TZW50OjwvYj4gTW9uZGF5LCBTZXB0 ZW1iZXIgMTcsIDIwMTIgMTA6NDIgQU08YnI+DQo8Yj5Ubzo8L2I+IFNhbnRvc2ggQ2hva2hhbmk8 YnI+DQo8Yj5DYzo8L2I+IDxhIGhyZWY9Im1haWx0bzptcmV4QHNhcC5jb20iPm1yZXhAc2FwLmNv bTwvYT47IFBpeXVzaCBKYWluOyBwa2l4PGJyPg0KPGI+U3ViamVjdDo8L2I+IFJFOiBbcGtpeF0g NTI4MGJpcywgdi0wOTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPlNh bnRvc2gsIFBpeXVzaCBhbmQgTWFydGluLDwvc3Bhbj4NCjxicj4NCjxicj4NCjxzcGFuIHN0eWxl PSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5T b3JyeSwgSSBtYWRlIGEgbWlzdGFrZSB3aGVuIG1ha2luZyBteSBwcm9wb3NhbCB0aGlzIG1vcm5p bmcuDQo8YnI+DQpJIHdyb3RlICZxdW90O3Jldm9rZWQmcXVvdDssIGJ1dCB3YXMgYWR2b2NhdGlu ZyAmcXVvdDt1bmtub3duJnF1b3Q7Ljwvc3Bhbj4gPGJyPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZv bnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPkJhc2Vk IG9uIHRoZSBsYXRlc3QgdGV4dCBwcm9wb3NlZCBmcm9tIFNhbnRvc2gsIEkgd291bGQgcmF0aGVy IHByZWZlcjo8L3NwYW4+DQo8YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1 b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMTA0MTYwIj5JZiBh biBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUN CjxiPmNybEVudHJ5RXh0ZW5zaW9uczwvYj4gZmllbGQgb2YgYW4gZW50cnkgPGJyPg0KdGhhdCBh ZmZlY3RzIG9ubHkgdGhlIGNlcnRpZmljYXRlIHNwZWNpZmllZCBpbiB0aGF0IGVudHJ5LCBhcyBp bmRpY2F0ZWQgYnkgdGhlIGFic2VuY2Ugb2YgYSByZWxhdGVkDQo8YnI+DQpjcml0aWNhbCBleHRl bnNpb24gaW4gdGhlIDxiPmNybEV4dGVuc2lvbnM8L2I+IGZpZWxkLCB0aGVuIHRoZSA8L3NwYW4+ PGI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMt c2VyaWYmcXVvdDs7Y29sb3I6IzAwMDBFMCI+c3RhdHVzIG9mPC9zcGFuPjwvYj48Yj48c3BhbiBz dHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90 Oztjb2xvcjpibHVlIj4NCjwvc3Bhbj48L2I+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90 O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzEwNDE2MCI+Y2VydGlm aWNhdGUgaWRlbnRpZmllZCBieSB0aGUgQ1JMIGVudHJ5DQo8YnI+DQpzaGFsbCBiZSBjb25zaWRl cmVkIDwvc3Bhbj48Yj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDss JnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMDAyMEMyIj51bmtvd248L3NwYW4+PC9iPjxz cGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlm JnF1b3Q7O2NvbG9yOiMxMDQxNjAiPi48L3NwYW4+DQo8YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0i Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+aW5z dGVhZCBvZiA6PC9zcGFuPiA8YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1 b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMTA0MTYwIj5JZiBh biBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUN CjxiPmNybEVudHJ5RXh0ZW5zaW9uczwvYj4gZmllbGQgb2YgYW4gZW50cnkgPGJyPg0KdGhhdCBh ZmZlY3RzIG9ubHkgdGhlIGNlcnRpZmljYXRlIHNwZWNpZmllZCBpbiB0aGF0IGVudHJ5LCBhcyBp bmRpY2F0ZWQgYnkgdGhlIGFic2VuY2Ugb2YgYSByZWxhdGVkDQo8YnI+DQpjcml0aWNhbCBleHRl bnNpb24gaW4gdGhlIDxiPmNybEV4dGVuc2lvbnM8L2I+IGZpZWxkLCB0aGVuIHRoZSBjZXJ0aWZp Y2F0ZSBpZGVudGlmaWVkIGJ5IHRoZSBDUkwgZW50cnkNCjxicj4NCnNoYWxsIGJlIGNvbnNpZGVy ZWQgcmV2b2tlZC48L3NwYW4+IDxicj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTom cXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5EZW5pczwvc3Bhbj4gPGJy Pg0KPGJyPg0KPGJyPg0KPGJyPg0KPGJyPg0KPGJyPg0KPGJyPg0KPGJyPg0KPGJyPg0KPGJyPg0K PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo3LjVwdDtmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90 OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiM1RjVGNUYiPkRlIDogJm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6Ny41cHQ7Zm9udC1m YW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+U2FudG9zaCBD aG9raGFuaSAmbHQ7PGEgaHJlZj0ibWFpbHRvOlNDaG9raGFuaUBjeWduYWNvbS5jb20iPlNDaG9r aGFuaUBjeWduYWNvbS5jb208L2E+Jmd0Ozwvc3Bhbj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250 LXNpemU6Ny41cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJp ZiZxdW90Oztjb2xvcjojNUY1RjVGIj5BIDogJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7PC9z cGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6Ny41cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwm cXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+JnF1b3Q7PGEgaHJlZj0ibWFpbHRvOmRlbmlz LnBpbmthc0BidWxsLm5ldCI+ZGVuaXMucGlua2FzQGJ1bGwubmV0PC9hPiZxdW90OyAmbHQ7PGEg aHJlZj0ibWFpbHRvOmRlbmlzLnBpbmthc0BidWxsLm5ldCI+ZGVuaXMucGlua2FzQGJ1bGwubmV0 PC9hPiZndDssDQogJnF1b3Q7PGEgaHJlZj0ibWFpbHRvOm1yZXhAc2FwLmNvbSI+bXJleEBzYXAu Y29tPC9hPiZxdW90OyAmbHQ7PGEgaHJlZj0ibWFpbHRvOm1yZXhAc2FwLmNvbSI+bXJleEBzYXAu Y29tPC9hPiZndDssIFBpeXVzaCBKYWluICZsdDs8YSBocmVmPSJtYWlsdG86cGl5dXNoQGlkZW50 aWNhdGUuY29tIj5waXl1c2hAaWRlbnRpY2F0ZS5jb208L2E+Jmd0Ozwvc3Bhbj4NCjxicj4NCjxz cGFuIHN0eWxlPSJmb250LXNpemU6Ny41cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDss JnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojNUY1RjVGIj5DYyZuYnNwOzogJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6Ny41cHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+cGtpeCAm bHQ7PGEgaHJlZj0ibWFpbHRvOnBraXhAaWV0Zi5vcmciPnBraXhAaWV0Zi5vcmc8L2E+Jmd0Ozwv c3Bhbj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6Ny41cHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojNUY1RjVGIj5EYXRl IDogJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNp emU6Ny41cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZx dW90OyI+MTcvMDkvMjAxMiAxNjoyMTwvc3Bhbj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LXNp emU6Ny41cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZx dW90Oztjb2xvcjojNUY1RjVGIj5PYmpldCA6ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOzwv c3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjcuNXB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFs JnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPlJFOiBbcGtpeF0gNTI4MGJpcywgdi0wOTwv c3Bhbj4NCjxvOnA+PC9vOnA+PC9wPg0KPGRpdiBjbGFzcz0iTXNvTm9ybWFsIiBhbGlnbj0iY2Vu dGVyIiBzdHlsZT0idGV4dC1hbGlnbjpjZW50ZXIiPg0KPGhyIHNpemU9IjIiIHdpZHRoPSIxMDAl IiBub3NoYWRlPSIiIHN0eWxlPSJjb2xvcjojQUNBODk5IiBhbGlnbj0iY2VudGVyIj4NCjwvZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGJyPg0KPGJyPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZv bnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6 IzAwNDA4MCI+VGhpcyBhbHNvIHJlbGF0ZXMgdG8gZWFybGllciBwb3N0IEkgbWFkZSBpbiByZXNw b25zZSB0byBQaXl1c2guPC9zcGFuPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZx dW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzAwNDA4MCI+Jm5i c3A7PC9zcGFuPiA8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVv dDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMDA0MDgwIj5JIGFzc3VtZSB3ZSBhcmUg YWRkaW5nIHRoZSBmb2xsb3dpbmcgdG8gdGhlIFJGQyDigJw8L3NwYW4+PHNwYW4gc3R5bGU9ImZv bnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6 IzEwNDE2MCI+QSBjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlDQo8Yj5jcmxFbnRyeUV4dGVuc2lv bnM8L2I+IGZpZWxkIG9mIGFuIGVudHJ5IHNoYWxsIGFmZmVjdCBvbmx5IHRoZSBjZXJ0aWZpY2F0 ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgdW5sZXNzIHRoZXJlIGlzIGEgcmVsYXRlZCBjcml0 aWNhbCBleHRlbnNpb24gaW4gdGhlDQo8Yj5jcmxFeHRlbnNpb25zPC9iPiBmaWVsZCB0aGF0IGFk dmVydGlzZXMgYSBzcGVjaWFsIHRyZWF0bWVudCBmb3IgaXQu4oCdICZuYnNwO0luIG9yZGVyIHRv IHVzZSBzdWNoIENSTCwgdGhlIHJlbHlpbmcgcGFydHkgbXVzdCBiZSBhYmxlIHRvIHByb2Nlc3Mg Ym90aCB0aGUNCjxiPmNybEVudHJ5RXh0ZW5zaW9uIDwvYj5hbmQgdGhlIHJlbGF0ZWQgPGI+Y3Js RXh0ZW5zaW9uLuKAnTwvYj48L3NwYW4+IDxicj4NCjxiPjxzcGFuIHN0eWxlPSJmb250LWZhbWls eTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxMDQxNjAi PiZuYnNwOzwvc3Bhbj48L2I+IDxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtB cmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxMDQxNjAiPkluIHRoYXQg Y2FzZSwgSSBkbyBub3QgbWluZCBhZGRpbmcgdGhlIGZvbGxvd2luZyB0byA1MjgwIChhIHNsaWdo dCBtb2RpZmljYXRpb24gdG8gd2hhdCBEZW5pcyBoYXM6PC9zcGFuPg0KPGJyPg0KPHNwYW4gc3R5 bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7 Y29sb3I6IzEwNDE2MCI+Jm5ic3A7PC9zcGFuPiA8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1p bHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMTA0MTYw Ij5JZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBp biB0aGUNCjxiPmNybEVudHJ5RXh0ZW5zaW9uczwvYj4gZmllbGQgb2YgYW4gZW50cnkgdGhhdCBh ZmZlY3RzIG9ubHkgdGhlIGNlcnRpZmljYXRlIHNwZWNpZmllZCBpbiB0aGF0IGVudHJ5LCBhcyBp bmRpY2F0ZWQgYnkgdGhlIGFic2VuY2Ugb2YgYSByZWxhdGVkIGNyaXRpY2FsIGV4dGVuc2lvbiBp biB0aGUNCjxiPmNybEV4dGVuc2lvbnM8L2I+IGZpZWxkLCB0aGVuIHRoZSBjZXJ0aWZpY2F0ZSBp ZGVudGlmaWVkIGJ5IHRoZSBDUkwgZW50cnkgc2hhbGwgYmUgY29uc2lkZXJlZCByZXZva2VkLjwv c3Bhbj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90Oywm cXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMwMDQwODAiPiZuYnNwOzwvc3Bhbj4gPGJyPg0K PGI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZxdW90OywmcXVvdDtzYW5z LXNlcmlmJnF1b3Q7Ij5Gcm9tOjwvc3Bhbj48L2I+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZx dW90O1RhaG9tYSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij4NCjxhIGhyZWY9Im1haWx0 bzpwa2l4LWJvdW5jZXNAaWV0Zi5vcmciPnBraXgtYm91bmNlc0BpZXRmLm9yZzwvYT4gWzwvc3Bh bj48YSBocmVmPSJtYWlsdG86cGtpeC1ib3VuY2VzQGlldGYub3JnIj48c3BhbiBzdHlsZT0iZm9u dC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPm1haWx0 bzpwa2l4LWJvdW5jZXNAaWV0Zi5vcmc8L3NwYW4+PC9hPjxzcGFuIHN0eWxlPSJmb250LWZhbWls eTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+XQ0KPGI+T24gQmVo YWxmIE9mIDwvYj48YSBocmVmPSJtYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0Ij5kZW5pcy5w aW5rYXNAYnVsbC5uZXQ8L2E+PGI+PGJyPg0KU2VudDo8L2I+IE1vbmRheSwgU2VwdGVtYmVyIDE3 LCAyMDEyIDM6NDcgQU08Yj48YnI+DQpUbzo8L2I+IDxhIGhyZWY9Im1haWx0bzptcmV4QHNhcC5j b20iPm1yZXhAc2FwLmNvbTwvYT47IFBpeXVzaCBKYWluPGI+PGJyPg0KQ2M6PC9iPiBwa2l4PGI+ PGJyPg0KU3ViamVjdDo8L2I+IFJlOiBbcGtpeF0gNTI4MGJpcywgdi0wOTwvc3Bhbj4gPGJyPg0K Jm5ic3A7IDxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90Oywm cXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5Hb29kIGNhdGNoIE1hcnRpbiw8L3NwYW4+IDxicj4NCjxz cGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlm JnF1b3Q7Ij48YnI+DQpZb3UgY2FtZSBiYWNrIGZyb20gdmFjYXRpb24ganVzdCBpbiB0aW1lLiA6 LSk8L3NwYW4+IDxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90 OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij48YnI+DQpJIHByb3Bvc2UgdGhlIGZvbGxvd2luZzo8 L3NwYW4+IDxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZx dW90OyI+PGJyPg0KUmVwbGFjZTo8L3NwYW4+IDxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWls eTomcXVvdDtDb3VyaWVyIE5ldyZxdW90OyI+PGJyPg0KfCAmbmJzcDsgJm5ic3A7IElmIGEgQ1JM IGNvbnRhaW5zIGEgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiA8YnI+DQp8ICZuYnNwOyAm bmJzcDsgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MsIHRoZW4gdGhlIGFwcGxp Y2F0aW9uIE1VU1QgPGJyPg0KfCAmbmJzcDsgJm5ic3A7IE5PVCB1c2UgdGhhdCBDUkwgdG8gZGV0 ZXJtaW5lIHRoZSBzdGF0dXMgb2YgYW55IGNlcnRpZmljYXRlcy48L3NwYW4+IDxicj4NCjxzcGFu IHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90OyI+PGJyPg0Kd2l0aDwv c3Bhbj4gPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1 b3Q7Ij48YnI+DQp8ICZuYnNwOyAmbmJzcDsgSWYgYSBDUkwgY29udGFpbnMgaW4gYSBDUkwgZW50 cnkgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uIDxicj4NCnwgJm5ic3A7ICZuYnNwOyB0 aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24g TVVTVCA8YnI+DQp8ICZuYnNwOyAmbmJzcDsgY29uc2lkZXIgdGhhdCB0aGUgY2VydGlmaWNhdGUg aWRlbnRpZmllZCBpbiB0aGF0IENSTCBlbnRyeSBpcyA8YnI+DQp8ICZuYnNwOyAmbmJzcDsgcmV2 b2tlZC4gJm5ic3A7PC9zcGFuPiA8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7 QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+PGJyPg0KSW4gb3JkZXIgdG8gYW5z d2VyIHRvIFBpeXVzaCwgSSBiZWxpZXZlIHRoYXQg4oCcdW5rbm93buKAnSBzaG91bGQgYmUgdXNl ZCByYXRoZXIgdGhhbiDigJxyZXZva2Vk4oCdLjwvc3Bhbj4NCjxicj4NCjxzcGFuIHN0eWxlPSJm b250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij48YnI+ DQpUaGUgZm9sbG93aW5nIGV4YW1wbGUgaXMgYW4gaWxsdXN0cmF0aW9uOjwvc3Bhbj4gPGJyPg0K PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2Vy aWYmcXVvdDsiPjxicj4NClRoZSBzdGF0dXMgb2YgYSBnaXZlbiBjZXJ0aWZpY2F0ZSBpcyBpbmRp Y2F0ZWQgYXMg4oCcZ29vZOKAnSwgYnV0IHRoZXJlIGlzIGEgQ1JMIGVudHJ5IHdpdGggYSBjcml0 aWNhbA0KPGJyPg0KQ1JMIGVudHJ5IGV4dGVuc2lvbi4gVGhpcyBlbnRyeSBtZWFucyAoZm9yIHRo ZSBhcHBsaWNhdGlvbnMgd2hpY2ggdW5kZXJzdGFuZCBpdCkgOg0KPC9zcGFuPjxicj4NCjxzcGFu IHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1 b3Q7Ij48YnI+DQomcXVvdDtUaGUgc3RhdHVzIHdoaWNoIGlzIHVzdWFsbHkgb2J0YWluZWQgdXNp bmcgYSBkYXRhYmFzZSBvZiBpc3N1ZWQgY2VydGlmaWNhdGVzIGhhcyBiZWVuIG9idGFpbmVkIGZy b20gQ1JMcy4NCjxicj4NCklmIHlvdSByZWFsbHkgbmVlZCB0byB0YWtlIGEgZGVjaXNpb24gbm93 LCBpdCBpcyBhdCB5b3VyIG93biByaXNrLiBJZiB5b3UgY2FuIHdhaXQsIHlvdSBoYWQgYmV0dGVy IHRvIHRyeSBhZ2FpbiBsYXRlciBvbiZxdW90Oy48L3NwYW4+DQo8YnI+DQo8c3BhbiBzdHlsZT0i Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+PGJy Pg0KWW91ciBuZXh0IHF1ZXN0aW9uIHdpbGwgY2VydGFpbmx5IGJlOiBzbyB3aHkgZG9u4oCZdCB5 b3UgdXNlIHRoZSBwcm9wb3NlZCBjZXJ0SW5mbyBleHRlbnNpb24gPzwvc3Bhbj4NCjxicj4NCjxz cGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlm JnF1b3Q7Ij48YnI+DQpGb3IgYXBwbGljYXRpb25zIHdoaWNoIGRvIG5vdCB1bmRlcnN0YW5kIHRo aXMgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiwgdGhlcmUgaXMgbm8gZGlmZmVyZW5jZS48 L3NwYW4+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7 c2Fucy1zZXJpZiZxdW90OyI+PGJyPg0KVGhleSBnZXQgYW4gJnF1b3Q7dW5rbm93biZxdW90OyBz dGF0dXMgaW4gYm90aCBjYXNlcy48L3NwYW4+IDxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWls eTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij48YnI+DQpGb3IgYXBw bGljYXRpb25zIHdoaWNoIHVuZGVyc3RhbmQgdGhpcyBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5z aW9uIGl0IHByb3ZpZGVzIGxlc3MgYmVuZWZpdHMNCjxicj4NCnRoYW4gdGhlIHByb3Bvc2VkIGNl cnRJbmZvIGV4dGVuc2lvbiwgYnV0IGl0IG1pZ2h0IGJlIHF1aWNrZXIgdG8gaW1wbGVtZW50IGFu ZCBpdCBlbmZvcmNlcyBhIHBvbGljeS48L3NwYW4+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1m YW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+PGJyPg0KRGVu aXM8L3NwYW4+IDxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90 OyI+PGJyPg0KPGJyPg0KPGJyPg0KJmd0OyBJIG9iamVjdCB0byB0aGUgcHJvcG9zZWQgbmV3IHRl eHQgYWJvdXQgQ1JMRW50cnlFeHRlbnNpb25zPGJyPg0KJmd0OyBpbiB0aGUgY2xhcmlmaWNhdGlv biBkb2N1bWVudCwgYmVjYXVzZSBhcyBpcywgd291bGQgc2lnbmlmaWNhbnRseTxicj4NCiZndDsg d29yc2VuIHRoZSBkaWZmZXJlbmNlIGJldHdlZW4gUEtJWCBhbmQgWC41MDkgYW5kIG1ha2UgdGhp bmdzPGJyPg0KJmd0OyBjbGVhcmx5IGluY29tcGF0aWJsZSByYXRoZXIgdGhhbiBzbGlnaHRseSBs ZXNzIGVmZmljaWVudC48YnI+DQomZ3Q7IDxicj4NCiZndDsgSWYgYW55dGhpbmcsIHRoZSBnYXAg c2hvdWxkIGJlIHJlZHVjZWQsIGNvbXBhdGliaWxpdHkgYmV0d2Vlbjxicj4NCiZndDsgUEtJWCBh bmQgWC41MDkgaW1wcm92ZWQgYW5kIHRoZSBvcmlnaW5hbCBhcmNoaXRlY3R1cmUgbm90IHZpb2xh dGVkLjxicj4NCiZndDsgPGJyPg0KJmd0OyBQbGVhc2UgcmVjYWxsIHRoZSBvcmlnaW5hbCBOT1RF IDQgJmFtcDsgNSB0aGF0IEkgcXVvdGVkIGZyb208YnI+DQomZ3Q7IElUVS1UIFJlYy4gWC41MDkg KDA4LzIwMDUpLCBTZWN0aW9uIDcuMywgdG9wIG9mIHBhZ2UgMTg6PGJyPg0KJmd0OyAoZ2V0IHRo ZW0gaGVyZSA8L3NwYW4+PGEgaHJlZj0iaHR0cDovL3d3dy5pdHUuaW50L3JlYy9ULVJFQy1YLjUw OSI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij5odHRw Oi8vd3d3Lml0dS5pbnQvcmVjL1QtUkVDLVguNTA5PC9zcGFuPjwvYT48c3BhbiBzdHlsZT0iZm9u dC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsiPik6PGJyPg0KJmd0OyA8YnI+DQomZ3Q7 IGEmZ3Q7ICZuYnNwO05PVEUgNCAtLSBXaGVuIGFuIGltcGxlbWVudGF0aW9uIHByb2Nlc3Npbmcg YSBjZXJ0aWZpY2F0ZSByZXZvY2F0aW9uPGJyPg0KJmd0OyBhJmd0OyAmbmJzcDtsaXN0IGRvZXMg bm90IHJlY29nbml6ZSBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRW50cnlFeHRlbnNp b25zPGJyPg0KJmd0OyBhJmd0OyAmbmJzcDtmaWVsZCwgaXQgc2hhbGwgYXNzdW1lIHRoYXQsIGF0 IGEgbWluaW11bSwgdGhlIGlkZW50aWZpZWQgY2VydGlmaWNhdGU8YnI+DQomZ3Q7IGEmZ3Q7ICZu YnNwO2hhcyBiZWVuIHJldm9rZWQgYW5kIGlzIG5vIGxvbmdlciB2YWxpZCBhbmQgcGVyZm9ybSBh ZGRpdGlvbmFsIGFjdGlvbnM8YnI+DQomZ3Q7IGEmZ3Q7ICZuYnNwO2NvbmNlcm5pbmcgdGhhdCBy ZXZva2VkIGNlcnRpZmljYXRlIGFzIGRpY3RhdGVkIGJ5IGxvY2FsIHBvbGljeS48YnI+DQomZ3Q7 IDxicj4NCiZndDsgYiZndDsgJm5ic3A7V2hlbiBhbiBpbXBsZW1lbnRhdGlvbiBkb2VzIG5vdCBy ZWNvZ25pemUgYSBjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlPGJyPg0KJmd0OyBiJmd0OyAmbmJz cDtjcmxFeHRlbnNpb25zIGZpZWxkLCBpdCBzaGFsbCBhc3N1bWUgdGhhdCBpZGVudGlmaWVkIGNl cnRpZmljYXRlczxicj4NCiZndDsgYiZndDsgJm5ic3A7aGF2ZSBiZWVuIHJldm9rZWQgYW5kIGFy ZSBubyBsb25nZXIgdmFsaWQuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IGMmZ3Q7ICZuYnNwOyAmbmJz cDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBIb3dldmVyIGluIHRoZSBsYXR0ZXIgY2FzZSw8 YnI+DQomZ3Q7IGMmZ3Q7ICZuYnNwO3NpbmNlIHRoZSBsaXN0IG1heSBub3QgYmUgY29tcGxldGUs IGNlcnRpZmljYXRlcyB0aGF0IGhhdmUgbm90IGJlZW48YnI+DQomZ3Q7IGMmZ3Q7ICZuYnNwO2lk ZW50aWZpZWQgYXMgYmVpbmcgcmV2b2tlZCBjYW5ub3QgYmUgYXNzdW1lZCB0byBiZSB2YWxpZC4g SW4gdGhpcyBjYXNlPGJyPg0KJmd0OyBjJmd0OyAmbmJzcDtsb2NhbCBwb2xpY3kgc2hhbGwgZGlj dGF0ZSB0aGUgYWN0aW9uIHRvIGJlIHRha2VuLiBJbiBhbnkgY2FzZSBsb2NhbDxicj4NCiZndDsg YyZndDsgJm5ic3A7cG9saWN5IG1heSBkaWN0YXRlIGFjdGlvbnMgaW4gYWRkaXRpb24gdG8gYW5k L29yIHN0cm9uZ2VyIHRoYW4gdGhvc2U8YnI+DQomZ3Q7IGMmZ3Q7ICZuYnNwO3N0YXRlZCBpbiB0 aGlzIFNwZWNpZmljYXRpb24uPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IGQmZ3Q7ICZuYnNwO05PVEUg NSAtLSBJZiBhbiBleHRlbnNpb24gYWZmZWN0cyB0aGUgdHJlYXRtZW50IG9mIHRoZSBsaXN0PGJy Pg0KJmd0OyBkJmd0OyAmbmJzcDsoZS5nLiwgbXVsdGlwbGUgQ1JMcyBuZWVkIHRvIGJlIHNjYW5u ZWQgdG8gZXhhbWluZSB0aGUgZW50aXJlIGxpc3Qgb2Y8YnI+DQomZ3Q7IGQmZ3Q7ICZuYnNwO3Jl dm9rZWQgY2VydGlmaWNhdGVzLCBvciBhbiBlbnRyeSBtYXkgcmVwcmVzZW50IGEgcmFuZ2Ugb2Yg Y2VydGlmaWNhdGVzKSw8YnI+DQomZ3Q7IGQmZ3Q7ICZuYnNwO3RoZW4gdGhhdCBleHRlbnNpb24g c2hhbGwgYmUgaW5kaWNhdGVkIGFzIGNyaXRpY2FsIGluIHRoZSBjcmxFeHRlbnNpb25zPGJyPg0K Jmd0OyBkJmd0OyAmbmJzcDtmaWVsZCByZWdhcmRsZXNzIG9mIHdoZXJlIHRoZSBleHRlbnNpb24g aXMgcGxhY2VkIGluIHRoZSBDUkwuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IGUmZ3Q7ICZuYnNwO0Fu IGV4dGVuc2lvbiBpbmRpY2F0ZWQgaW4gdGhlIGNybEVudHJ5RXh0ZW5zaW9ucyBmaWVsZCBvZiBh biBlbnRyeSBzaGFsbDxicj4NCiZndDsgZSZndDsgJm5ic3A7YmUgcGxhY2VkIGluIHRoYXQgZW50 cnkgYW5kIHNoYWxsIGFmZmVjdCBvbmx5IHRoZSBjZXJ0aWZpY2F0ZShzKTxicj4NCiZndDsgZSZn dDsgJm5ic3A7c3BlY2lmaWVkIGluIHRoYXQgZW50cnkuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IDxi cj4NCiZndDsgKEkgaW5zZXJ0ZWQgYmxhbmsgbGluZXMgYWJvdmUgZm9yIHZpc3VhbCBjbGFyaXR5 IG9mIHRoZSBYLjUwOSByZXF1aXJlbWVudHMpLjxicj4NCiZndDsgPGJyPg0KJmd0OyB0d28gb3B0 aW9ucywgYWxsIGNvbWJpbmF0aW9uczo8YnI+DQomZ3Q7IDxicj4NCiZndDsgJm5ic3A7KDEpIGNl cnQgJm5ic3A7ICZuYnNwOyBvbiBDUkwsIENSTCB3aXRoIE5PIHVucmVjb2duaXplZCBjcml0aWNh bCBDUkxFbnRyeUV4dGVuc2lvbnMgPGJyPg0KJmd0OyAmbmJzcDsoMikgY2VydCBOT1Qgb24gQ1JM LCBDUkwgd2l0aCBOTyB1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb25zIDxi cj4NCiZndDsgJm5ic3A7KDMpIGNlcnQgJm5ic3A7ICZuYnNwOyBvbiBDUkwsIENSTCB3aXRoICZu YnNwOyAmbmJzcDt1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb248YnI+DQom Z3Q7ICZuYnNwOyg0KSBjZXJ0IE5PVCBvbiBDUkwsIENSTCB3aXRoICZuYnNwOyAmbmJzcDt1bnJl Y29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb248YnI+DQomZ3Q7IDxicj4NCiZndDsg PGJyPg0KJmd0OyBJIGhvcGUgd2UgYWdyZWUgdGhhdCBYLjUwOSBhbmQgcmZjNTI4MCBhZ3JlZSBv biAoMSkgYW5kICgyKSByZXN1bHRzPGJyPg0KJmd0OyBmb3IgQ1JMIGNoZWNraW5nLjxicj4NCiZn dDsgPGJyPg0KJmd0OyByZmM1MjgwIGN1cnJlbnRseSBzYXlzIHRoYXQgZm9yICgzKSYjNDM7KDQp IHRoZSBlbnRpcmUgQ1JMIG91Z2h0IHRvIGJlIGlnbm9yZWQ8YnI+DQomZ3Q7IGFuZCBvdGhlciBD UkxzIG5lZWQgdG8gYmUgZXZhbHVhdGVkICZxdW90O1VOREVURVJNSU5FRCZxdW90Ozxicj4NCiZn dDsgPGJyPg0KJmd0OyBYLjUwOSBzYXlzIGluIChhJmd0OykgdGhhdCBmb3IgKDMpIHRoZSBzdGF0 dXMgb2YgdGhlIGNlcnQgaXMgZGVmaW5pdGVseSByZXZva2VkPGJyPg0KJmd0OyBhbmQgc2F5cyBp biAoYyZndDspIGZvciAoNCkgdGhhdCB0aGUgQ1JMIG91Z2h0IHRvIGJlIGlnbm9yZWQgYW5kIG90 aGVyIENSTHMgbmVlZDxicj4NCiZndDsgdG8gYmUgZXZhbHVhdGVkICZxdW90O1VOREVURVJNSU5F RCZxdW90Ozxicj4NCiZndDsgPGJyPg0KJmd0OyBXaGlsZSBib3RoIFguNTA5IGFuZCByZmM1Mjgw IGFncmVlIG9uIHRoZSByZXN1bHQgZm9yICg0KSAmcXVvdDtVTkRFVEVSTUlORUQmcXVvdDssPGJy Pg0KJmd0OyB0aGVyZSBpcyB0aGUgc3VwZXJmaWNpYWwgYXBwZWFyYW5jZSBvZiBhIGRpZmZlcmVu Y2UgZm9yIGEgY2FzdWFsPGJyPg0KJmd0OyBpbXBsZW1lbnRlciBmb3IgY2FzZSAoMykgYmV0d2Vl biBYLjUwOSAmcXVvdDtSRVZPS0VEJnF1b3Q7IGFuZCByZmM1MjgwICZxdW90O1VOREVURVJNSU5F RCZxdW90Ozxicj4NCiZndDsgdGhhdCBtaWdodCBsZWFkIHRvIGEgc2xpZ2h0bHkgbGVzcyBlZmZp Y2llbnQgcHJvY2Vzc2luZyBDUkxzLjxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFRo ZSBuZXdseSBwcm9wb3NlZCB0ZXh0IChpbiAtMDkpOjxicj4NCiZndDsgPGJyPg0KJmd0OyB8ICZu YnNwOyAmbmJzcDsgSWYgYSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5z aW9uPGJyPg0KJmd0OyB8ICZuYnNwOyAmbmJzcDsgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90 IHByb2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0aW9uIE1VU1Q8YnI+DQomZ3Q7IHwgJm5ic3A7ICZu YnNwOyBOT1QgdXNlIHRoYXQgQ1JMIHRvIGRldGVybWluZSB0aGUgc3RhdHVzIG9mIHRoZSBjZXJ0 aWZpY2F0ZTxicj4NCiZndDsgfCAmbmJzcDsgJm5ic3A7IHJlcHJlc2VudGVkIGJ5IHRoZSBDUkwg ZW50cnkuICZuYnNwOzxicj4NCiZndDsgPGJyPg0KJmd0OyBjcmVhdGVzIGEgc2lnbmlmaWNhbnRs eSBkaXN0aW5jdCBiZWhhdmlvdXIgZm9yIGNhc2UgKDQpIHdoZXJlIFguNTA5PGJyPg0KJmd0OyBh bmQgcmZjNTI4MCBhZ3JlZWQgb24gJnF1b3Q7VU5ERVRFUk1JTkVEJnF1b3Q7LCBieSByZWRlZmlu aW5nIHRoZSByZXN1bHQgdG88YnI+DQomZ3Q7IGJlICZxdW90O1VOUkVWT0tFRCZxdW90OywgYW5k IHBvdGVudGlhbGx5IGNyZWF0ZXMgYSBzZWN1cml0eSBwcm9ibGVtLCBhbmQgYTxicj4NCiZndDsg bmV3LCBiYWNrd2FyZHMtaW5jb21wYXRpYmxlIGJlaGF2aW91ciBmb3IgYSBzaXR1YXRpb24gd2hl cmU8YnI+DQomZ3Q7IFguNTA5IGFuZCByZmM1MjgwIHVzZWQgdG8gYWdyZWUuIFN0aWxsLCB0aGUg bmV3IHRleHQgZG9lcyBub3QgZG88YnI+DQomZ3Q7IGFueXRoaW5nIGFib3V0IGNhc2UgKDMpLCB0 aGUgb25seSBjYXNlIHdoZXJlIFguNTA5IGFuZCByZmM1MjgwPGJyPg0KJmd0OyBhcHBlYXIgdG8g ZGlmZmVyIChpbiBhIG1vc3RseSBtYXJnaW5hbCBmYXNoaW9uKS48YnI+DQomZ3Q7IDxicj4NCiZn dDsgPGJyPg0KJmd0OyBBIGNhcmVmdWwgaW1wbGVtZW50b3IsIHRoYXQgYW5hbHl6ZXMgTk9URSA0 IGFuZCBOT1RFIDUgZnJvbSBYLjUwOTxicj4NCiZndDsgcXVvdGVkIGFib3ZlIGluIGl0cyBlbnRp cmV0eSwgc2hvdWxkIHJlYWxpemUgdGhhdCB0aGUgc2l0dWF0aW9uPGJyPg0KJmd0OyB3aGVyZSBY LjUwOSBhbmQgcmZjNTI4MCBkaWZmZXIgaXMgbWFyZ2luYWwuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7 IFRoaXMgaXMgYmVjYXVzZSAoZCZndDspIGluIE5PVEUgNSBhYm92ZSByZXF1aXJlcyAoJnF1b3Q7 c2hhbGwmcXVvdDspIHRoYXQgYTxicj4NCiZndDsgY3JpdGljYWwgY3JsRW50cnlFeHRlbnNpb24g d2l0aCBhIHNlbWFudGljIGJleW9uZCAmcXVvdDt0aGlzIGNlcnQgaXM8YnI+DQomZ3Q7IHJldm9r ZWQmcXVvdDspLCBNVVNUIGJlIGFkZGl0aW9uYWxseSBpbmNsdWRlZCBhcyBhIGNyaXRpY2FsIGNy bEV4dGVuc2lvbiw8YnI+DQomZ3Q7IHdpdGggdGhlIGVmZmVjdCB0aGF0IHRoZSBlbnRpcmUgQ1JM IHdpbGwgaGF2ZSB0byBiZSBpZ25vcmVkIGJ5PGJyPg0KJmd0OyBib3RoIFguNTA5IGFuZCByZmM1 MjgwIGltcGxlbWVudGF0aW9ucyB0aGF0IGRvIG5vdCByZWNvZ25pemU8YnI+DQomZ3Q7IHRoZSBj cmxFeHRlbnNpb24uICZuYnNwO1NvIGFsbCBjb21wbGlhbnQgQ1JMcyB3aXRoIGEgJnF1b3Q7ZmFu Y3kmcXVvdDs8YnI+DQomZ3Q7IHVucmVjb2duaXplZCBjcml0aWNhbCBjcmxFbnRyeUV4dGVuc2lv biwgdGhlIGFjY29tcGFueWluZzxicj4NCiZndDsgdW5yZWNvZ25pemVkIGNyaXRpY2FsIGNybEV4 dGVuc2lvbiB3aWxsIGNhdXNlIFguNTA5IGFuZCByZmM1MjgwPGJyPg0KJmd0OyB0byBhZ3JlZSBv biAoMykgdG8gcmV0dXJuICZxdW90O1VOREVURVJNSU5FRCZxdW90OyBhbmQgcmVxdWlyZSBvdGhl cjxicj4NCiZndDsgQ1JMcyB0byBiZSBjaGVja2VkLiA8YnI+DQomZ3Q7IDxicj4NCiZndDsgPGJy Pg0KJmd0OyAtTWFydGluPGJyPg0KJmd0OyBfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fXzxicj4NCiZndDsgcGtpeCBtYWlsaW5nIGxpc3Q8YnI+DQomZ3Q7IDwv c3Bhbj48YSBocmVmPSJtYWlsdG86cGtpeEBpZXRmLm9yZyI+PHNwYW4gc3R5bGU9ImZvbnQtZmFt aWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij5wa2l4QGlldGYub3JnPC9zcGFuPjwvYT48c3Bh biBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsiPjxicj4NCiZndDsg PC9zcGFuPjxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vcGtp eCI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij5odHRw czovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL3BraXg8L3NwYW4+PC9hPg0KPG86cD48 L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9ib2R5Pg0KPC9odG1sPg0K --_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC1E56CH1PRD0610MB393_-- From mrex@sap.com Mon Sep 17 08:16:52 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8123721F8716 for ; Mon, 17 Sep 2012 08:16:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.199 X-Spam-Level: X-Spam-Status: No, score=-10.199 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wLzLTT31jhjF for ; Mon, 17 Sep 2012 08:16:51 -0700 (PDT) Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 5EC0821F8714 for ; Mon, 17 Sep 2012 08:16:51 -0700 (PDT) Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id q8HFGknK022877 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 17 Sep 2012 17:16:47 +0200 (MEST) In-Reply-To: To: Piyush Jain Date: Mon, 17 Sep 2012 17:16:45 +0200 (CEST) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20120917151645.D0DF01A22C@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 15:16:52 -0000 Piyush Jain wrote: > > Is there a difference between "UNREVOKED" and "UNDETERMINED"? > I could not find a definition for these terms either in RFC 5280 > or in correction draft 09. The meaning of these are described in rfc5280, section 6.3.2 (b) http://tools.ietf.org/html/rfc5280#section-6.3.2 (b) cert_status: This variable contains the status of the certificate. This variable may be assigned one of the following values: unspecified, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, removeFromCRL, privilegeWithdrawn, aACompromise, the special value UNREVOKED, or the special value UNDETERMINED. This variable is initialized to the special value UNREVOKED. UNDETERMINED means that the status of a certificate could not yet be determined because no CRL that has been confirmed to be authoritative and which the implementation could successfully process has been processed yet. UNREVOKED means that an authoritative CRL for the cert has been successfully processed, and the cert was not listed on this CRL (successfully processed included that no unknown critical crlExtensions and crlEntryExtensions were encountered). Side note, I'm wondering what ReasonCode "removeFromCRL" is supposed to mean with respect to X.509's "it shall assume that, at a minimum, the identified certificate has been revoked and is no longer valid". I assumed that "removedFromCRL" is an explicit UNREVOKED status. -Martin From mrex@sap.com Mon Sep 17 08:31:27 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DF1F21F867C for ; Mon, 17 Sep 2012 08:31:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.206 X-Spam-Level: X-Spam-Status: No, score=-10.206 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c4mm45oHdO9m for ; Mon, 17 Sep 2012 08:31:26 -0700 (PDT) Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 1886921F8610 for ; Mon, 17 Sep 2012 08:31:25 -0700 (PDT) Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id q8HFVIeT027005 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 17 Sep 2012 17:31:18 +0200 (MEST) In-Reply-To: <20120913002444.80A791A216@ld9781.wdf.sap.corp> To: mrex@sap.com Date: Mon, 17 Sep 2012 17:31:18 +0200 (CEST) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20120917153118.085CF1A22C@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 15:31:27 -0000 Evidently, I am not a (carful) implementor myself. With my mind focused on the crlEntryExtension requirements, I missed the NOTE 4 (b>) requirement that applies to the processing of unrecognized critical crlExtensions: Martin Rex wrote: > > Please recall the original NOTE 4 & 5 that I quoted from > ITU-T Rec. X.509 (08/2005), Section 7.3, top of page 18: > (get them here http://www.itu.int/rec/T-REC-X.509): > > b> When an implementation does not recognize a critical extension in the > b> crlExtensions field, it shall assume that identified certificates > b> have been revoked and are no longer valid. > > d> NOTE 5 -- If an extension affects the treatment of the list > d> (e.g., multiple CRLs need to be scanned to examine the entire list of > d> revoked certificates, or an entry may represent a range of certificates), > d> then that extension shall be indicated as critical in the crlExtensions > d> field regardless of where the extension is placed in the CRL. which means that there is another difference between X.509 and rfc5280 with respect to processing of CRLs that contain an unrecognized critical crlExtension. > > A careful implementor, that analyzes NOTE 4 and NOTE 5 from X.509 > quoted above in its entirety, should realize that the situation > where X.509 and rfc5280 differ is marginal. > > This is because (d>) in NOTE 5 above requires ("shall") that a > critical crlEntryExtension with a semantic beyond "this cert is > revoked"), MUST be additionally included as a critical crlExtension, > with the effect that the entire CRL will have to be ignored by > both X.509 and rfc5280 implementations that do not recognize > the crlExtension. So all compliant CRLs with a "fancy" > unrecognized critical crlEntryExtension, the accompanying > unrecognized critical crlExtension will cause X.509 and rfc5280 > to agree on (3) to return "UNDETERMINED" and require other > CRLs to be checked. I agree with Santosh that these X.509 requirements interfere quite badly with the "compression scheme" for the issuer name of indirect CRLs. So the X.509 semantics are somewhat from the problem space rather than the solution space, and the rfc5280 semantics (unconditionally ignore CRL) are _theoretically_ safer. In practice, however, X.509 factors in common "local policies", one of which is "best effort, soft fail revocation check", and rfc5280 is ignorant of / defying that fairly common "local policy" (which sometimes is an implementation characteristic rather than something the consumer of the technology consciously asks for). -Martin From denis.pinkas@bull.net Mon Sep 17 12:57:15 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46B0C21E803C for ; Mon, 17 Sep 2012 12:57:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.055 X-Spam-Level: X-Spam-Status: No, score=-2.055 tagged_above=-999 required=5 tests=[AWL=0.193, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J64BVsZxJaTJ for ; Mon, 17 Sep 2012 12:57:12 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 07CB521F8496 for ; Mon, 17 Sep 2012 12:57:07 -0700 (PDT) Received: from MSGC-003.bull.fr (MSGC-003.frcl.bull.fr [129.184.87.131]) by odin2.bull.net (Bull S.A.) with ESMTP id 181D9120259; Mon, 17 Sep 2012 21:57:07 +0200 (CEST) In-Reply-To: References: <504E13CB.8080001@bbn.com> <20120913002444.80A791A216@ld9781.wdf.sap.corp> To: Piyush Jain MIME-Version: 1.0 X-KeepSent: EF93074E:2992958A-C1257A7C:0069C349; type=4; name=$KeepSent X-Mailer: Lotus Notes Release 8.5.2 August 10, 2010 From: denis.pinkas@bull.net Message-ID: Date: Mon, 17 Sep 2012 21:57:06 +0200 X-MIMETrack: Serialize by Router on MSGC-003/SRV/BULL(Release 8.5.2FP1|November 29, 2010) at 17/09/2012 21:57:07, Serialize complete at 17/09/2012 21:57:07 Content-Type: multipart/alternative; boundary="=_alternative 006D8CC8C1257A7C_=" Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 19:57:15 -0000 Message en plusieurs parties au format MIME --=_alternative 006D8CC8C1257A7C_= Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: base64 UGl5dXNoLA0KDQpJIGhhdmUgYmVlbiBpbnZvbHZlZCBpbiB0aGUgd3JpdGluZyBvZiBJU08gc3Rh bmRhcmRzLCBpbmNsdWRpbmcgWC41MDkuIA0KDQpTaGFyb24gaGFzIGJlZW4gZXZlbiBtb3JlIGlu dm9sdmVkIHRoYW4gbXlzZWxmLCBzaW5jZSBzaGUgaGFzIGJlZW4gDQp0aGUgZWRpdG9yIGR1cmlu ZyBzb21lIHBlcmlvZCBvZiB0aW1lIC4NCg0KVGhlcmUgaXMgc29tZXRoaW5nIGltcG9ydGFudCB0 byBrbm93IGFib3V0IElTTyBzdGFuZGFyZHM6DQogDQpUaGUgdGV4dCBwbGFjZWQgdW5kZXIgYSBO T1RFIGlzICpub3QqIG5vcm1hdGl2ZS4NCg0KSSBjb3BpZWQgYW5kIHBhc3RlZCB0aGUgdGV4dCBm cm9tIFguNTA5IGFuZCB3ZSBoYXZlIHRoZSBmb2xsb3dpbmc6DQoNCk5PVEUgNCDigJMgV2hlbiBh biBpbXBsZW1lbnRhdGlvbiBwcm9jZXNzaW5nIGEgY2VydGlmaWNhdGUgcmV2b2NhdGlvbiBsaXN0 IA0KZG9lcyBub3QgcmVjb2duaXplIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZQ0KY3JsRW50 cnlFeHRlbnNpb25zIGZpZWxkLCBpdCBzaGFsbCBhc3N1bWUgdGhhdCwgYXQgYSBtaW5pbXVtLCB0 aGUgDQppZGVudGlmaWVkIGNlcnRpZmljYXRlIGhhcyBiZWVuIHJldm9rZWQgYW5kIGlzIG5vIGxv bmdlciB2YWxpZA0KYW5kIHBlcmZvcm0gYWRkaXRpb25hbCBhY3Rpb25zIGNvbmNlcm5pbmcgdGhh dCByZXZva2VkIGNlcnRpZmljYXRlIGFzIA0KZGljdGF0ZWQgYnkgbG9jYWwgcG9saWN5LiBXaGVu IGFuIGltcGxlbWVudGF0aW9uIGRvZXMgbm90DQpyZWNvZ25pemUgYSBjcml0aWNhbCBleHRlbnNp b24gaW4gdGhlIGNybEV4dGVuc2lvbnMgZmllbGQsIGl0IHNoYWxsIGFzc3VtZSANCnRoYXQgaWRl bnRpZmllZCBjZXJ0aWZpY2F0ZXMgaGF2ZSBiZWVuIHJldm9rZWQgYW5kIGFyZQ0Kbm8gbG9uZ2Vy IHZhbGlkLiBIb3dldmVyIGluIHRoZSBsYXR0ZXIgY2FzZSwgc2luY2UgdGhlIGxpc3QgbWF5IG5v dCBiZSANCmNvbXBsZXRlLCBjZXJ0aWZpY2F0ZXMgdGhhdCBoYXZlIG5vdCBiZWVuIGlkZW50aWZp ZWQgYXMgYmVpbmcNCnJldm9rZWQgY2Fubm90IGJlIGFzc3VtZWQgdG8gYmUgdmFsaWQuIEluIHRo aXMgY2FzZSBsb2NhbCBwb2xpY3kgc2hhbGwgDQpkaWN0YXRlIHRoZSBhY3Rpb24gdG8gYmUgdGFr ZW4uIEluIGFueSBjYXNlIGxvY2FsIHBvbGljeSBtYXkNCmRpY3RhdGUgYWN0aW9ucyBpbiBhZGRp dGlvbiB0byBhbmQvb3Igc3Ryb25nZXIgdGhhbiB0aG9zZSBzdGF0ZWQgaW4gdGhpcyANClNwZWNp ZmljYXRpb24uDQoNClNvIHRoaXMgdGV4dCBpcyBub3Qgbm9ybWF0aXZlLiAgV2UgY2FuIHNheSBz b21ldGhpbmcgZGlmZmVyZW50IGluIFJGQyA1MjgwIA0KYW5kIHRoaXMgd2lsbCAqbm90KiBiZSBh IGNvbnRyYWRpY3Rpb24uDQoNClNvIHRoZSByZWFsIHF1ZXN0aW9uIGlzIHNpbXBseSA6IHdoYXQg bWFrZXMgc2Vuc2UgdG8gc2F5IGFib3V0IHRoZSANCnRyZWF0bWVudCBvZiB0aGUgY3JsRW50cnlF eHRlbnNpb25zIGZpZWxkID8NCg0KSSBiZWxpZXZlIChvciBJIGhvcGUpIHdlIGFyZSBjbG9zZSB0 byBhIGFncmVlbWVudCwgZXhjZXB0IHdoZXRoZXIgd2UgDQpzaG91bGQgdXNlIHRoZSB3b3JkICJy ZXZva2VkIiBvciAidW5rbm93biIgDQppbiB0aGUgbGFzdCB3b3JkIG9uIHRoZSBzZW50ZW5jZSBw cm9wb3NlZCB0b2RheS4NCg0KU28gdGhlIHR3byBvcHRpb25zIGFyZToNCg0KQSkgIElmIGFuIGFw cGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSANCmNy bEVudHJ5RXh0ZW5zaW9ucyBmaWVsZCBvZiBhbiBlbnRyeSANCnRoYXQgYWZmZWN0cyBvbmx5IHRo ZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgYXMgaW5kaWNhdGVkIGJ5IA0K dGhlIGFic2VuY2Ugb2YgYSByZWxhdGVkIA0KY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxF eHRlbnNpb25zIGZpZWxkLCB0aGVuIHRoZSBzdGF0dXMgb2YgDQpjZXJ0aWZpY2F0ZSBpZGVudGlm aWVkIGJ5IHRoZSBDUkwgZW50cnkgDQpzaGFsbCBiZSBjb25zaWRlcmVkIGFzIHVua293bi4gDQoN CkIpIElmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEgY3JpdGljYWwgZXh0ZW5zaW9u IGluIHRoZSANCmNybEVudHJ5RXh0ZW5zaW9ucyBmaWVsZCBvZiBhbiBlbnRyeSANCnRoYXQgYWZm ZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgYXMgaW5k aWNhdGVkIGJ5IA0KdGhlIGFic2VuY2Ugb2YgYSByZWxhdGVkIA0KY3JpdGljYWwgZXh0ZW5zaW9u IGluIHRoZSBjcmxFeHRlbnNpb25zIGZpZWxkLCB0aGVuIHRoZSBzdGF0dXMgb2YgDQpjZXJ0aWZp Y2F0ZSBpZGVudGlmaWVkIGJ5IHRoZSBDUkwgZW50cnkgDQpzaGFsbCBiZSBjb25zaWRlcmVkIGFz IHJldm9rZWQuIA0KDQpJIGJlbGlldmUgdGhhdCBBKSBpcyBiZXR0ZXIsIGJ1dCB0aGUgZGlmZmVy ZW5jZSBpcyB0ZW51b3VzLiBTZWUgYSBuZXcgDQpleGFtcGxlIGJlbG93LiANCg0KV2hhdCBkbyB5 b3UgKGFuZCBvdGhlcnMpIHRoaW5rID8NCg0KRGVuaXMNCg0KPT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT0NCg0KVGhlIHN0YXR1cyBvZiBhIGdpdmVuIGNlcnRpZmljYXRlIGlzIGluZGljYXRlZCBh cyDigJxnb29k4oCdLCBidXQgdGhlcmUgaXMgYSANCkNSTCBlbnRyeSB3aXRoIGEgY3JpdGljYWwg DQpDUkwgZW50cnkgZXh0ZW5zaW9uLiANCg0KV2hhdGV2ZXIsIHRoaXMgY3JsRW50cnlFeHRlbnNp b24gbWVhbnMsIGlmIGFuIGFwcGxpY2F0aW9uIGNvbnNpZGVycyB0aGF0IA0KdGhlIHN0YXR1cyBv ZiB0aGUgY2VydGlmaWNhdGUgZm9yIHRoZSBlbnRyeSANCmlzICAidW5rbm93biIsIGl0IGNhbiBh dHRlbXB0IHRvIHVzZSBhbiBPQ1NQIHNlcnZpY2UsIGlmIGF2YWlsYWJsZTsgYnV0IGlmIA0KYW4g YXBwbGljYXRpb24gY29uc2lkZXJzIHRoYXQgdGhlIHN0YXR1cyBvZiANCnRoZSBjZXJ0aWZpY2F0 ZSBmb3IgdGhlIGVudHJ5IGlzICJyZXZva2VkICIsIGl0IHdpbGwgbm90IGF0dGVtcHQgdG8gY2Fs bCANCml0Lg0KDQpBcyBhbiBleGFtcGxlLCB0aGlzIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNp b24gbWVhbnMgKG9ubHkgZm9yIA0KYXBwbGljYXRpb25zIHdoaWNoIHVuZGVyc3RhbmQgaXQpIDog DQoNCiJUaGUgQ1JMIGlzc3VlciBvZiB0aGlzIENSTCBoYXMgbm90IGJlZW4gYWJsZSB0byBvYnRh aW4gaW4gcmVhbCB0aW1lIHRoZSANCnN0YXR1cyBvZiB0aGUgY2VydGlmaWNhdGVzIHVzaW5nIGEg ZGF0YWJhc2UgDQpvZiBpc3N1ZWQgY2VydGlmaWNhdGVzLiBSYXRoZXIgdGhhbiBub3QgaXNzdWlu ZyB0aGUgQ1JMIGFuZCBjcmVhdGluZyBhIA0KZGVuaWFsIG9mIHNlcnZpY2UgZm9yIGFsbCB2ZXJp ZmllcnMsIHRoaXMgQ1JMIGhhcyANCmJlZW4gaXNzdWVkLCAgYnV0IGlzIG5vdCAiZnJlc2giLiBJ ZiB5b3UgcmVhbGx5IG5lZWQgdG8gdGFrZSBhIGRlY2lzaW9uIA0Kbm93LCB5b3UgY2FuIHVzZSB0 aGlzIENSTCBidXQgYXQgeW91ciBvd24gcmlzay4gDQpJZiB5b3UgY2FuIGFjY2VzcyBhbiBPQ1NQ IHNlcnZlciwgeW91IG1pZ2h0IGJlIGFibGUgdG8gZ2V0IGEgZnJlc2hlciANCnN0YXR1cy4gT3Ro ZXJ3aXNlLCBpZiB5b3UgY2FuIHdhaXQsIHlvdSBjYW4gDQp0cnkgYWdhaW4gbGF0ZXIgb24iLiAN CiANCg0KDQoNCkRlIDogICAgUGl5dXNoIEphaW4gPHBpeXVzaEBpZGVudGljYXRlLmNvbT4NCkEg OiAgICAgU2FudG9zaCBDaG9raGFuaSA8U0Nob2toYW5pQGN5Z25hY29tLmNvbT4sICJkZW5pcy5w aW5rYXNAYnVsbC5uZXQiIA0KPGRlbmlzLnBpbmthc0BidWxsLm5ldD4NCkNjIDogICAgIm1yZXhA c2FwLmNvbSIgPG1yZXhAc2FwLmNvbT4sIHBraXggPHBraXhAaWV0Zi5vcmc+DQpEYXRlIDogIDE3 LzA5LzIwMTIgMTc6MDYNCk9iamV0IDogUkU6IFtwa2l4XSA1MjgwYmlzLCB2LTA5DQoNCg0KDQpN eSByZWNvbW1lbmRhdGlvbiB3b3VsZCBiZSB0byBnbyB3aXRoIOKAmHJldm9rZWTigJkgb24gdGhp cyB1bmxlc3Mgd2UgY2FuIA0KZXhwbGljaXRseSBzcGVsbCBvdXQgd2h5IHdlIGNob3NlIOKAmHVu a25vd27igJkgdG8gb3ZlcnJpZGUgWC41MDkuDQogDQpJIGp1c3Qgd2FudCB0byBhdm9pZCB0aGUg c2l0dWF0aW9uIHdoZXJlIHNvbWVvbmUgcmFpc2VzIHRoaXMgaXNzdWUgYWdhaW4gDQppbiBhIGZl dyB5ZWFycyB0aGF0IDUyODAgaXMgaW5jb25zaXN0ZW50IHdpdGggWC41MDkgd2l0aG91dCBhbnkg YXBwYXJlbnQgDQpyZWFzb24uDQogDQpGcm9tOiBTYW50b3NoIENob2toYW5pIFttYWlsdG86U0No b2toYW5pQGN5Z25hY29tLmNvbV0gDQpTZW50OiBNb25kYXksIFNlcHRlbWJlciAxNywgMjAxMiA3 OjQ4IEFNDQpUbzogZGVuaXMucGlua2FzQGJ1bGwubmV0DQpDYzogbXJleEBzYXAuY29tOyBQaXl1 c2ggSmFpbjsgcGtpeA0KU3ViamVjdDogUkU6IFtwa2l4XSA1MjgwYmlzLCB2LTA5DQogDQpEZW5p cywNCiANCkkgYW0gb2sgZWl0aGVyIHdheSAodW5rbm93biBvciByZXZva2VkKS4gIFRoZSBnb29k IHRoaW5nIGlzIHRoYXQgdGhlIG5ldyANCnRleHQgc3BlbGxzIHRoaW5ncyBvdXQgbW9yZSBjbGVh cmx5Lg0KIA0KRnJvbTogZGVuaXMucGlua2FzQGJ1bGwubmV0IFttYWlsdG86ZGVuaXMucGlua2Fz QGJ1bGwubmV0XSANClNlbnQ6IE1vbmRheSwgU2VwdGVtYmVyIDE3LCAyMDEyIDEwOjQyIEFNDQpU bzogU2FudG9zaCBDaG9raGFuaQ0KQ2M6IG1yZXhAc2FwLmNvbTsgUGl5dXNoIEphaW47IHBraXgN ClN1YmplY3Q6IFJFOiBbcGtpeF0gNTI4MGJpcywgdi0wOQ0KIA0KU2FudG9zaCwgUGl5dXNoIGFu ZCBNYXJ0aW4sIA0KDQpTb3JyeSwgSSBtYWRlIGEgbWlzdGFrZSB3aGVuIG1ha2luZyBteSBwcm9w b3NhbCB0aGlzIG1vcm5pbmcuIA0KSSB3cm90ZSAicmV2b2tlZCIsIGJ1dCB3YXMgYWR2b2NhdGlu ZyAidW5rbm93biIuIA0KDQpCYXNlZCBvbiB0aGUgbGF0ZXN0IHRleHQgcHJvcG9zZWQgZnJvbSBT YW50b3NoLCBJIHdvdWxkIHJhdGhlciBwcmVmZXI6IA0KDQpJZiBhbiBhcHBsaWNhdGlvbiBjYW5u b3QgcHJvY2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgDQpjcmxFbnRyeUV4dGVuc2lv bnMgZmllbGQgb2YgYW4gZW50cnkgDQp0aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNhdGUg c3BlY2lmaWVkIGluIHRoYXQgZW50cnksIGFzIGluZGljYXRlZCBieSANCnRoZSBhYnNlbmNlIG9m IGEgcmVsYXRlZCANCmNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRXh0ZW5zaW9ucyBmaWVs ZCwgdGhlbiB0aGUgc3RhdHVzIG9mIA0KY2VydGlmaWNhdGUgaWRlbnRpZmllZCBieSB0aGUgQ1JM IGVudHJ5IA0Kc2hhbGwgYmUgY29uc2lkZXJlZCB1bmtvd24uIA0KDQppbnN0ZWFkIG9mIDogDQoN CklmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGlu IHRoZSANCmNybEVudHJ5RXh0ZW5zaW9ucyBmaWVsZCBvZiBhbiBlbnRyeSANCnRoYXQgYWZmZWN0 cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgYXMgaW5kaWNh dGVkIGJ5IA0KdGhlIGFic2VuY2Ugb2YgYSByZWxhdGVkIA0KY3JpdGljYWwgZXh0ZW5zaW9uIGlu IHRoZSBjcmxFeHRlbnNpb25zIGZpZWxkLCB0aGVuIHRoZSBjZXJ0aWZpY2F0ZSANCmlkZW50aWZp ZWQgYnkgdGhlIENSTCBlbnRyeSANCnNoYWxsIGJlIGNvbnNpZGVyZWQgcmV2b2tlZC4gDQoNCkRl bmlzIA0KDQoNCg0KDQoNCg0KDQoNCg0KRGUgOiAgICAgICAgU2FudG9zaCBDaG9raGFuaSA8U0No b2toYW5pQGN5Z25hY29tLmNvbT4gDQpBIDogICAgICAgICJkZW5pcy5waW5rYXNAYnVsbC5uZXQi IDxkZW5pcy5waW5rYXNAYnVsbC5uZXQ+LCAibXJleEBzYXAuY29tIiANCjxtcmV4QHNhcC5jb20+ LCBQaXl1c2ggSmFpbiA8cGl5dXNoQGlkZW50aWNhdGUuY29tPiANCkNjIDogICAgICAgIHBraXgg PHBraXhAaWV0Zi5vcmc+IA0KRGF0ZSA6ICAgICAgICAxNy8wOS8yMDEyIDE2OjIxIA0KT2JqZXQg OiAgICAgICAgUkU6IFtwa2l4XSA1MjgwYmlzLCB2LTA5IA0KDQoNCg0KDQpUaGlzIGFsc28gcmVs YXRlcyB0byBlYXJsaWVyIHBvc3QgSSBtYWRlIGluIHJlc3BvbnNlIHRvIFBpeXVzaC4gDQogIA0K SSBhc3N1bWUgd2UgYXJlIGFkZGluZyB0aGUgZm9sbG93aW5nIHRvIHRoZSBSRkMg4oCcQSBjcml0 aWNhbCBleHRlbnNpb24gaW4gDQp0aGUgY3JsRW50cnlFeHRlbnNpb25zIGZpZWxkIG9mIGFuIGVu dHJ5IHNoYWxsIGFmZmVjdCBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSANCnNwZWNpZmllZCBpbiB0aGF0 IGVudHJ5LCB1bmxlc3MgdGhlcmUgaXMgYSByZWxhdGVkIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiAN CnRoZSBjcmxFeHRlbnNpb25zIGZpZWxkIHRoYXQgYWR2ZXJ0aXNlcyBhIHNwZWNpYWwgdHJlYXRt ZW50IGZvciBpdC7igJ0gIEluIA0Kb3JkZXIgdG8gdXNlIHN1Y2ggQ1JMLCB0aGUgcmVseWluZyBw YXJ0eSBtdXN0IGJlIGFibGUgdG8gcHJvY2VzcyBib3RoIHRoZSANCmNybEVudHJ5RXh0ZW5zaW9u IGFuZCB0aGUgcmVsYXRlZCBjcmxFeHRlbnNpb24u4oCdIA0KICANCkluIHRoYXQgY2FzZSwgSSBk byBub3QgbWluZCBhZGRpbmcgdGhlIGZvbGxvd2luZyB0byA1MjgwIChhIHNsaWdodCANCm1vZGlm aWNhdGlvbiB0byB3aGF0IERlbmlzIGhhczogDQogIA0KSWYgYW4gYXBwbGljYXRpb24gY2Fubm90 IHByb2Nlc3MgYSBjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlIA0KY3JsRW50cnlFeHRlbnNpb25z IGZpZWxkIG9mIGFuIGVudHJ5IHRoYXQgYWZmZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSANCnNw ZWNpZmllZCBpbiB0aGF0IGVudHJ5LCBhcyBpbmRpY2F0ZWQgYnkgdGhlIGFic2VuY2Ugb2YgYSBy ZWxhdGVkIGNyaXRpY2FsIA0KZXh0ZW5zaW9uIGluIHRoZSBjcmxFeHRlbnNpb25zIGZpZWxkLCB0 aGVuIHRoZSBjZXJ0aWZpY2F0ZSBpZGVudGlmaWVkIGJ5IA0KdGhlIENSTCBlbnRyeSBzaGFsbCBi ZSBjb25zaWRlcmVkIHJldm9rZWQuIA0KICANCkZyb206IHBraXgtYm91bmNlc0BpZXRmLm9yZyBb bWFpbHRvOnBraXgtYm91bmNlc0BpZXRmLm9yZ10gT24gQmVoYWxmIE9mIA0KZGVuaXMucGlua2Fz QGJ1bGwubmV0DQpTZW50OiBNb25kYXksIFNlcHRlbWJlciAxNywgMjAxMiAzOjQ3IEFNDQpUbzog bXJleEBzYXAuY29tOyBQaXl1c2ggSmFpbg0KQ2M6IHBraXgNClN1YmplY3Q6IFJlOiBbcGtpeF0g NTI4MGJpcywgdi0wOSANCiAgDQpHb29kIGNhdGNoIE1hcnRpbiwgDQoNCllvdSBjYW1lIGJhY2sg ZnJvbSB2YWNhdGlvbiBqdXN0IGluIHRpbWUuIDotKSANCg0KSSBwcm9wb3NlIHRoZSBmb2xsb3dp bmc6IA0KDQpSZXBsYWNlOiANCg0KfCAgICAgSWYgYSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBD UkwgZW50cnkgZXh0ZW5zaW9uIA0KfCAgICAgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90IHBy b2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0aW9uIE1VU1QgDQp8ICAgICBOT1QgdXNlIHRoYXQgQ1JM IHRvIGRldGVybWluZSB0aGUgc3RhdHVzIG9mIGFueSBjZXJ0aWZpY2F0ZXMuIA0KDQp3aXRoIA0K DQp8ICAgICBJZiBhIENSTCBjb250YWlucyBpbiBhIENSTCBlbnRyeSBhIGNyaXRpY2FsIENSTCBl bnRyeSBleHRlbnNpb24gDQp8ICAgICB0aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2Vz cywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVTVCANCnwgICAgIGNvbnNpZGVyIHRoYXQgdGhlIGNl cnRpZmljYXRlIGlkZW50aWZpZWQgaW4gdGhhdCBDUkwgZW50cnkgaXMgDQp8ICAgICByZXZva2Vk LiAgIA0KDQpJbiBvcmRlciB0byBhbnN3ZXIgdG8gUGl5dXNoLCBJIGJlbGlldmUgdGhhdCDigJx1 bmtub3du4oCdIHNob3VsZCBiZSB1c2VkIA0KcmF0aGVyIHRoYW4g4oCccmV2b2tlZOKAnS4gDQoN ClRoZSBmb2xsb3dpbmcgZXhhbXBsZSBpcyBhbiBpbGx1c3RyYXRpb246IA0KDQpUaGUgc3RhdHVz IG9mIGEgZ2l2ZW4gY2VydGlmaWNhdGUgaXMgaW5kaWNhdGVkIGFzIOKAnGdvb2TigJ0sIGJ1dCB0 aGVyZSBpcyBhIA0KQ1JMIGVudHJ5IHdpdGggYSBjcml0aWNhbCANCkNSTCBlbnRyeSBleHRlbnNp b24uIFRoaXMgZW50cnkgbWVhbnMgKGZvciB0aGUgYXBwbGljYXRpb25zIHdoaWNoIA0KdW5kZXJz dGFuZCBpdCkgOiANCg0KIlRoZSBzdGF0dXMgd2hpY2ggaXMgdXN1YWxseSBvYnRhaW5lZCB1c2lu ZyBhIGRhdGFiYXNlIG9mIGlzc3VlZCANCmNlcnRpZmljYXRlcyBoYXMgYmVlbiBvYnRhaW5lZCBm cm9tIENSTHMuIA0KSWYgeW91IHJlYWxseSBuZWVkIHRvIHRha2UgYSBkZWNpc2lvbiBub3csIGl0 IGlzIGF0IHlvdXIgb3duIHJpc2suIElmIHlvdSANCmNhbiB3YWl0LCB5b3UgaGFkIGJldHRlciB0 byB0cnkgYWdhaW4gbGF0ZXIgb24iLiANCg0KWW91ciBuZXh0IHF1ZXN0aW9uIHdpbGwgY2VydGFp bmx5IGJlOiBzbyB3aHkgZG9u4oCZdCB5b3UgdXNlIHRoZSBwcm9wb3NlZCANCmNlcnRJbmZvIGV4 dGVuc2lvbiA/IA0KDQpGb3IgYXBwbGljYXRpb25zIHdoaWNoIGRvIG5vdCB1bmRlcnN0YW5kIHRo aXMgY3JpdGljYWwgQ1JMIGVudHJ5IA0KZXh0ZW5zaW9uLCB0aGVyZSBpcyBubyBkaWZmZXJlbmNl LiANClRoZXkgZ2V0IGFuICJ1bmtub3duIiBzdGF0dXMgaW4gYm90aCBjYXNlcy4gDQoNCkZvciBh cHBsaWNhdGlvbnMgd2hpY2ggdW5kZXJzdGFuZCB0aGlzIGNyaXRpY2FsIENSTCBlbnRyeSBleHRl bnNpb24gaXQgDQpwcm92aWRlcyBsZXNzIGJlbmVmaXRzIA0KdGhhbiB0aGUgcHJvcG9zZWQgY2Vy dEluZm8gZXh0ZW5zaW9uLCBidXQgaXQgbWlnaHQgYmUgcXVpY2tlciB0byBpbXBsZW1lbnQgDQph bmQgaXQgZW5mb3JjZXMgYSBwb2xpY3kuIA0KDQpEZW5pcyANCg0KDQo+IEkgb2JqZWN0IHRvIHRo ZSBwcm9wb3NlZCBuZXcgdGV4dCBhYm91dCBDUkxFbnRyeUV4dGVuc2lvbnMNCj4gaW4gdGhlIGNs YXJpZmljYXRpb24gZG9jdW1lbnQsIGJlY2F1c2UgYXMgaXMsIHdvdWxkIHNpZ25pZmljYW50bHkN Cj4gd29yc2VuIHRoZSBkaWZmZXJlbmNlIGJldHdlZW4gUEtJWCBhbmQgWC41MDkgYW5kIG1ha2Ug dGhpbmdzDQo+IGNsZWFybHkgaW5jb21wYXRpYmxlIHJhdGhlciB0aGFuIHNsaWdodGx5IGxlc3Mg ZWZmaWNpZW50Lg0KPiANCj4gSWYgYW55dGhpbmcsIHRoZSBnYXAgc2hvdWxkIGJlIHJlZHVjZWQs IGNvbXBhdGliaWxpdHkgYmV0d2Vlbg0KPiBQS0lYIGFuZCBYLjUwOSBpbXByb3ZlZCBhbmQgdGhl IG9yaWdpbmFsIGFyY2hpdGVjdHVyZSBub3QgdmlvbGF0ZWQuDQo+IA0KPiBQbGVhc2UgcmVjYWxs IHRoZSBvcmlnaW5hbCBOT1RFIDQgJiA1IHRoYXQgSSBxdW90ZWQgZnJvbQ0KPiBJVFUtVCBSZWMu IFguNTA5ICgwOC8yMDA1KSwgU2VjdGlvbiA3LjMsIHRvcCBvZiBwYWdlIDE4Og0KPiAoZ2V0IHRo ZW0gaGVyZSBodHRwOi8vd3d3Lml0dS5pbnQvcmVjL1QtUkVDLVguNTA5KToNCj4gDQo+IGE+ICBO T1RFIDQgLS0gV2hlbiBhbiBpbXBsZW1lbnRhdGlvbiBwcm9jZXNzaW5nIGEgY2VydGlmaWNhdGUg cmV2b2NhdGlvbg0KPiBhPiAgbGlzdCBkb2VzIG5vdCByZWNvZ25pemUgYSBjcml0aWNhbCBleHRl bnNpb24gaW4gdGhlIA0KY3JsRW50cnlFeHRlbnNpb25zDQo+IGE+ICBmaWVsZCwgaXQgc2hhbGwg YXNzdW1lIHRoYXQsIGF0IGEgbWluaW11bSwgdGhlIGlkZW50aWZpZWQgDQpjZXJ0aWZpY2F0ZQ0K PiBhPiAgaGFzIGJlZW4gcmV2b2tlZCBhbmQgaXMgbm8gbG9uZ2VyIHZhbGlkIGFuZCBwZXJmb3Jt IGFkZGl0aW9uYWwgDQphY3Rpb25zDQo+IGE+ICBjb25jZXJuaW5nIHRoYXQgcmV2b2tlZCBjZXJ0 aWZpY2F0ZSBhcyBkaWN0YXRlZCBieSBsb2NhbCBwb2xpY3kuDQo+IA0KPiBiPiAgV2hlbiBhbiBp bXBsZW1lbnRhdGlvbiBkb2VzIG5vdCByZWNvZ25pemUgYSBjcml0aWNhbCBleHRlbnNpb24gaW4g DQp0aGUNCj4gYj4gIGNybEV4dGVuc2lvbnMgZmllbGQsIGl0IHNoYWxsIGFzc3VtZSB0aGF0IGlk ZW50aWZpZWQgY2VydGlmaWNhdGVzDQo+IGI+ICBoYXZlIGJlZW4gcmV2b2tlZCBhbmQgYXJlIG5v IGxvbmdlciB2YWxpZC4NCj4gDQo+IGM+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgSG93ZXZlciBpbiB0aGUgbGF0dGVyIA0KY2FzZSwNCj4gYz4gIHNpbmNlIHRo ZSBsaXN0IG1heSBub3QgYmUgY29tcGxldGUsIGNlcnRpZmljYXRlcyB0aGF0IGhhdmUgbm90IGJl ZW4NCj4gYz4gIGlkZW50aWZpZWQgYXMgYmVpbmcgcmV2b2tlZCBjYW5ub3QgYmUgYXNzdW1lZCB0 byBiZSB2YWxpZC4gSW4gdGhpcyANCmNhc2UNCj4gYz4gIGxvY2FsIHBvbGljeSBzaGFsbCBkaWN0 YXRlIHRoZSBhY3Rpb24gdG8gYmUgdGFrZW4uIEluIGFueSBjYXNlIGxvY2FsDQo+IGM+ICBwb2xp Y3kgbWF5IGRpY3RhdGUgYWN0aW9ucyBpbiBhZGRpdGlvbiB0byBhbmQvb3Igc3Ryb25nZXIgdGhh biB0aG9zZQ0KPiBjPiAgc3RhdGVkIGluIHRoaXMgU3BlY2lmaWNhdGlvbi4NCj4gDQo+IGQ+ICBO T1RFIDUgLS0gSWYgYW4gZXh0ZW5zaW9uIGFmZmVjdHMgdGhlIHRyZWF0bWVudCBvZiB0aGUgbGlz dA0KPiBkPiAgKGUuZy4sIG11bHRpcGxlIENSTHMgbmVlZCB0byBiZSBzY2FubmVkIHRvIGV4YW1p bmUgdGhlIGVudGlyZSBsaXN0IA0Kb2YNCj4gZD4gIHJldm9rZWQgY2VydGlmaWNhdGVzLCBvciBh biBlbnRyeSBtYXkgcmVwcmVzZW50IGEgcmFuZ2Ugb2YgDQpjZXJ0aWZpY2F0ZXMpLA0KPiBkPiAg dGhlbiB0aGF0IGV4dGVuc2lvbiBzaGFsbCBiZSBpbmRpY2F0ZWQgYXMgY3JpdGljYWwgaW4gdGhl IA0KY3JsRXh0ZW5zaW9ucw0KPiBkPiAgZmllbGQgcmVnYXJkbGVzcyBvZiB3aGVyZSB0aGUgZXh0 ZW5zaW9uIGlzIHBsYWNlZCBpbiB0aGUgQ1JMLg0KPiANCj4gZT4gIEFuIGV4dGVuc2lvbiBpbmRp Y2F0ZWQgaW4gdGhlIGNybEVudHJ5RXh0ZW5zaW9ucyBmaWVsZCBvZiBhbiBlbnRyeSANCnNoYWxs DQo+IGU+ICBiZSBwbGFjZWQgaW4gdGhhdCBlbnRyeSBhbmQgc2hhbGwgYWZmZWN0IG9ubHkgdGhl IGNlcnRpZmljYXRlKHMpDQo+IGU+ICBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeS4NCj4gDQo+IA0K PiAoSSBpbnNlcnRlZCBibGFuayBsaW5lcyBhYm92ZSBmb3IgdmlzdWFsIGNsYXJpdHkgb2YgdGhl IFguNTA5IA0KcmVxdWlyZW1lbnRzKS4NCj4gDQo+IHR3byBvcHRpb25zLCBhbGwgY29tYmluYXRp b25zOg0KPiANCj4gICgxKSBjZXJ0ICAgICBvbiBDUkwsIENSTCB3aXRoIE5PIHVucmVjb2duaXpl ZCBjcml0aWNhbCANCkNSTEVudHJ5RXh0ZW5zaW9ucyANCj4gICgyKSBjZXJ0IE5PVCBvbiBDUkws IENSTCB3aXRoIE5PIHVucmVjb2duaXplZCBjcml0aWNhbCANCkNSTEVudHJ5RXh0ZW5zaW9ucyAN Cj4gICgzKSBjZXJ0ICAgICBvbiBDUkwsIENSTCB3aXRoICAgIHVucmVjb2duaXplZCBjcml0aWNh bCANCkNSTEVudHJ5RXh0ZW5zaW9uDQo+ICAoNCkgY2VydCBOT1Qgb24gQ1JMLCBDUkwgd2l0aCAg ICB1bnJlY29nbml6ZWQgY3JpdGljYWwgDQpDUkxFbnRyeUV4dGVuc2lvbg0KPiANCj4gDQo+IEkg aG9wZSB3ZSBhZ3JlZSB0aGF0IFguNTA5IGFuZCByZmM1MjgwIGFncmVlIG9uICgxKSBhbmQgKDIp IHJlc3VsdHMNCj4gZm9yIENSTCBjaGVja2luZy4NCj4gDQo+IHJmYzUyODAgY3VycmVudGx5IHNh eXMgdGhhdCBmb3IgKDMpKyg0KSB0aGUgZW50aXJlIENSTCBvdWdodCB0byBiZSANCmlnbm9yZWQN Cj4gYW5kIG90aGVyIENSTHMgbmVlZCB0byBiZSBldmFsdWF0ZWQgIlVOREVURVJNSU5FRCINCj4g DQo+IFguNTA5IHNheXMgaW4gKGE+KSB0aGF0IGZvciAoMykgdGhlIHN0YXR1cyBvZiB0aGUgY2Vy dCBpcyBkZWZpbml0ZWx5IA0KcmV2b2tlZA0KPiBhbmQgc2F5cyBpbiAoYz4pIGZvciAoNCkgdGhh dCB0aGUgQ1JMIG91Z2h0IHRvIGJlIGlnbm9yZWQgYW5kIG90aGVyIENSTHMgDQpuZWVkDQo+IHRv IGJlIGV2YWx1YXRlZCAiVU5ERVRFUk1JTkVEIg0KPiANCj4gV2hpbGUgYm90aCBYLjUwOSBhbmQg cmZjNTI4MCBhZ3JlZSBvbiB0aGUgcmVzdWx0IGZvciAoNCkgIlVOREVURVJNSU5FRCIsDQo+IHRo ZXJlIGlzIHRoZSBzdXBlcmZpY2lhbCBhcHBlYXJhbmNlIG9mIGEgZGlmZmVyZW5jZSBmb3IgYSBj YXN1YWwNCj4gaW1wbGVtZW50ZXIgZm9yIGNhc2UgKDMpIGJldHdlZW4gWC41MDkgIlJFVk9LRUQi IGFuZCByZmM1MjgwIA0KIlVOREVURVJNSU5FRCINCj4gdGhhdCBtaWdodCBsZWFkIHRvIGEgc2xp Z2h0bHkgbGVzcyBlZmZpY2llbnQgcHJvY2Vzc2luZyBDUkxzLg0KPiANCj4gDQo+IFRoZSBuZXds eSBwcm9wb3NlZCB0ZXh0IChpbiAtMDkpOg0KPiANCj4gfCAgICAgSWYgYSBDUkwgY29udGFpbnMg YSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uDQo+IHwgICAgIHRoYXQgdGhlIGFwcGxpY2F0 aW9uIGNhbm5vdCBwcm9jZXNzLCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBNVVNUDQo+IHwgICAgIE5P VCB1c2UgdGhhdCBDUkwgdG8gZGV0ZXJtaW5lIHRoZSBzdGF0dXMgb2YgdGhlIGNlcnRpZmljYXRl DQo+IHwgICAgIHJlcHJlc2VudGVkIGJ5IHRoZSBDUkwgZW50cnkuIA0KPiANCj4gY3JlYXRlcyBh IHNpZ25pZmljYW50bHkgZGlzdGluY3QgYmVoYXZpb3VyIGZvciBjYXNlICg0KSB3aGVyZSBYLjUw OQ0KPiBhbmQgcmZjNTI4MCBhZ3JlZWQgb24gIlVOREVURVJNSU5FRCIsIGJ5IHJlZGVmaW5pbmcg dGhlIHJlc3VsdCB0bw0KPiBiZSAiVU5SRVZPS0VEIiwgYW5kIHBvdGVudGlhbGx5IGNyZWF0ZXMg YSBzZWN1cml0eSBwcm9ibGVtLCBhbmQgYQ0KPiBuZXcsIGJhY2t3YXJkcy1pbmNvbXBhdGlibGUg YmVoYXZpb3VyIGZvciBhIHNpdHVhdGlvbiB3aGVyZQ0KPiBYLjUwOSBhbmQgcmZjNTI4MCB1c2Vk IHRvIGFncmVlLiBTdGlsbCwgdGhlIG5ldyB0ZXh0IGRvZXMgbm90IGRvDQo+IGFueXRoaW5nIGFi b3V0IGNhc2UgKDMpLCB0aGUgb25seSBjYXNlIHdoZXJlIFguNTA5IGFuZCByZmM1MjgwDQo+IGFw cGVhciB0byBkaWZmZXIgKGluIGEgbW9zdGx5IG1hcmdpbmFsIGZhc2hpb24pLg0KPiANCj4gDQo+ IEEgY2FyZWZ1bCBpbXBsZW1lbnRvciwgdGhhdCBhbmFseXplcyBOT1RFIDQgYW5kIE5PVEUgNSBm cm9tIFguNTA5DQo+IHF1b3RlZCBhYm92ZSBpbiBpdHMgZW50aXJldHksIHNob3VsZCByZWFsaXpl IHRoYXQgdGhlIHNpdHVhdGlvbg0KPiB3aGVyZSBYLjUwOSBhbmQgcmZjNTI4MCBkaWZmZXIgaXMg bWFyZ2luYWwuDQo+IA0KPiBUaGlzIGlzIGJlY2F1c2UgKGQ+KSBpbiBOT1RFIDUgYWJvdmUgcmVx dWlyZXMgKCJzaGFsbCIpIHRoYXQgYQ0KPiBjcml0aWNhbCBjcmxFbnRyeUV4dGVuc2lvbiB3aXRo IGEgc2VtYW50aWMgYmV5b25kICJ0aGlzIGNlcnQgaXMNCj4gcmV2b2tlZCIpLCBNVVNUIGJlIGFk ZGl0aW9uYWxseSBpbmNsdWRlZCBhcyBhIGNyaXRpY2FsIGNybEV4dGVuc2lvbiwNCj4gd2l0aCB0 aGUgZWZmZWN0IHRoYXQgdGhlIGVudGlyZSBDUkwgd2lsbCBoYXZlIHRvIGJlIGlnbm9yZWQgYnkN Cj4gYm90aCBYLjUwOSBhbmQgcmZjNTI4MCBpbXBsZW1lbnRhdGlvbnMgdGhhdCBkbyBub3QgcmVj b2duaXplDQo+IHRoZSBjcmxFeHRlbnNpb24uICBTbyBhbGwgY29tcGxpYW50IENSTHMgd2l0aCBh ICJmYW5jeSINCj4gdW5yZWNvZ25pemVkIGNyaXRpY2FsIGNybEVudHJ5RXh0ZW5zaW9uLCB0aGUg YWNjb21wYW55aW5nDQo+IHVucmVjb2duaXplZCBjcml0aWNhbCBjcmxFeHRlbnNpb24gd2lsbCBj YXVzZSBYLjUwOSBhbmQgcmZjNTI4MA0KPiB0byBhZ3JlZSBvbiAoMykgdG8gcmV0dXJuICJVTkRF VEVSTUlORUQiIGFuZCByZXF1aXJlIG90aGVyDQo+IENSTHMgdG8gYmUgY2hlY2tlZC4gDQo+IA0K PiANCj4gLU1hcnRpbg0KPiBfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fXw0KPiBwa2l4IG1haWxpbmcgbGlzdA0KPiBwa2l4QGlldGYub3JnDQo+IGh0dHBzOi8v d3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vcGtpeCANCg0K --=_alternative 006D8CC8C1257A7C_= Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: base64 PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5QaXl1c2gsPC9mb250Pg0KPGJyPg0KPGJyPjxmb250 IHNpemU9MiBmYWNlPSJBcmlhbCI+SSBoYXZlIGJlZW4gaW52b2x2ZWQgaW4gdGhlIHdyaXRpbmcg b2YgSVNPDQpzdGFuZGFyZHMsIGluY2x1ZGluZyBYLjUwOS4gPGJyPg0KPC9mb250Pg0KPGJyPjxm b250IHNpemU9MiBmYWNlPSJBcmlhbCI+U2hhcm9uIGhhcyBiZWVuIGV2ZW4gbW9yZSBpbnZvbHZl ZCB0aGFuIG15c2VsZiwNCnNpbmNlIHNoZSBoYXMgYmVlbiA8YnI+DQp0aGUgZWRpdG9yIGR1cmlu ZyBzb21lIHBlcmlvZCBvZiB0aW1lIC48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZh Y2U9IkFyaWFsIj5UaGVyZSBpcyBzb21ldGhpbmcgaW1wb3J0YW50IHRvIGtub3cgYWJvdXQNCklT TyBzdGFuZGFyZHM6PC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+Jm5ic3A7 PGJyPg0KPC9mb250Pjxmb250IHNpemU9MiBjb2xvcj0jMDAwMGUwIGZhY2U9IkFyaWFsIj48Yj5U aGUgdGV4dCBwbGFjZWQgdW5kZXINCmEgTk9URSBpcyAqbm90KiBub3JtYXRpdmUuPC9iPjwvZm9u dD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPkkgY29waWVkIGFuZCBwYXN0 ZWQgdGhlIHRleHQgZnJvbSBYLjUwOSBhbmQNCndlIGhhdmUgdGhlIGZvbGxvd2luZzo8L2ZvbnQ+ DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5OT1RFIDQg4oCTIFdoZW4gYW4g aW1wbGVtZW50YXRpb24gcHJvY2Vzc2luZw0KYSBjZXJ0aWZpY2F0ZSByZXZvY2F0aW9uIGxpc3Qg ZG9lcyBub3QgcmVjb2duaXplIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluDQp0aGU8L2ZvbnQ+DQo8 YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj48Yj5jcmxFbnRyeUV4dGVuc2lvbnMgPC9iPmZp ZWxkLCBpdCBzaGFsbA0KYXNzdW1lIHRoYXQsIGF0IGEgbWluaW11bSwgdGhlIGlkZW50aWZpZWQg Y2VydGlmaWNhdGUgaGFzIGJlZW4gcmV2b2tlZA0KYW5kIGlzIG5vIGxvbmdlciB2YWxpZDwvZm9u dD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPmFuZCBwZXJmb3JtIGFkZGl0aW9uYWwg YWN0aW9ucyBjb25jZXJuaW5nDQp0aGF0IHJldm9rZWQgY2VydGlmaWNhdGUgYXMgZGljdGF0ZWQg YnkgbG9jYWwgcG9saWN5LiBXaGVuIGFuIGltcGxlbWVudGF0aW9uDQpkb2VzIG5vdDwvZm9udD4N Cjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPnJlY29nbml6ZSBhIGNyaXRpY2FsIGV4dGVu c2lvbiBpbiB0aGUgPGI+Y3JsRXh0ZW5zaW9ucw0KPC9iPmZpZWxkLCBpdCBzaGFsbCBhc3N1bWUg dGhhdCBpZGVudGlmaWVkIGNlcnRpZmljYXRlcyBoYXZlIGJlZW4gcmV2b2tlZA0KYW5kIGFyZTwv Zm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPm5vIGxvbmdlciB2YWxpZC4gSG93 ZXZlciBpbiB0aGUgbGF0dGVyIGNhc2UsDQpzaW5jZSB0aGUgbGlzdCBtYXkgbm90IGJlIGNvbXBs ZXRlLCBjZXJ0aWZpY2F0ZXMgdGhhdCBoYXZlIG5vdCBiZWVuIGlkZW50aWZpZWQNCmFzIGJlaW5n PC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+cmV2b2tlZCBjYW5ub3QgYmUg YXNzdW1lZCB0byBiZSB2YWxpZC4gSW4NCnRoaXMgY2FzZSBsb2NhbCBwb2xpY3kgc2hhbGwgZGlj dGF0ZSB0aGUgYWN0aW9uIHRvIGJlIHRha2VuLiBJbiBhbnkgY2FzZQ0KbG9jYWwgcG9saWN5IG1h eTwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPmRpY3RhdGUgYWN0aW9ucyBp biBhZGRpdGlvbiB0byBhbmQvb3Igc3Ryb25nZXINCnRoYW4gdGhvc2Ugc3RhdGVkIGluIHRoaXMg U3BlY2lmaWNhdGlvbi48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFs Ij5TbyB0aGlzIHRleHQgaXMgbm90IG5vcm1hdGl2ZS4gJm5ic3A7V2UgY2FuDQpzYXkgc29tZXRo aW5nIGRpZmZlcmVudCBpbiBSRkMgNTI4MCBhbmQgdGhpcyB3aWxsICpub3QqIGJlIGEgY29udHJh ZGljdGlvbi48L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5TbyB0 aGUgcmVhbCBxdWVzdGlvbiBpcyBzaW1wbHkgOiB3aGF0IG1ha2VzDQpzZW5zZSB0byBzYXkgYWJv dXQgdGhlIHRyZWF0bWVudCBvZiB0aGUgPGI+Y3JsRW50cnlFeHRlbnNpb25zIDwvYj5maWVsZA0K PzwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPkkgYmVsaWV2ZSAo b3IgSSBob3BlKSB3ZSBhcmUgY2xvc2UgdG8gYSBhZ3JlZW1lbnQsDQpleGNlcHQgd2hldGhlciB3 ZSBzaG91bGQgdXNlIHRoZSB3b3JkICZxdW90O3Jldm9rZWQmcXVvdDsgb3IgJnF1b3Q7dW5rbm93 biZxdW90Ow0KPGJyPg0KaW4gdGhlIGxhc3Qgd29yZCBvbiB0aGUgc2VudGVuY2UgcHJvcG9zZWQg dG9kYXkuPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+U28gdGhl IHR3byBvcHRpb25zIGFyZTo8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFy aWFsIj5BKSAmbmJzcDtJZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2Vzcw0KYSBjcml0aWNh bCBleHRlbnNpb24gaW4gdGhlIDxiPmNybEVudHJ5RXh0ZW5zaW9uczwvYj4gZmllbGQgb2YgYW4g ZW50cnkNCjxicj4NCnRoYXQgYWZmZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQg aW4gdGhhdCBlbnRyeSwgYXMgaW5kaWNhdGVkDQpieSB0aGUgYWJzZW5jZSBvZiBhIHJlbGF0ZWQg PGJyPg0KY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSA8Yj5jcmxFeHRlbnNpb25zPC9iPiBmaWVs ZCwgdGhlbiB0aGUgPGI+c3RhdHVzDQpvZiA8L2I+Y2VydGlmaWNhdGUgaWRlbnRpZmllZCBieSB0 aGUgQ1JMIGVudHJ5IDxicj4NCnNoYWxsIGJlIGNvbnNpZGVyZWQgPC9mb250Pjxmb250IHNpemU9 MiBjb2xvcj0jMDAyMGMyIGZhY2U9IkFyaWFsIj48Yj5hcw0KdW5rb3duPC9iPjwvZm9udD48Zm9u dCBzaXplPTIgY29sb3I9IzEwNDE2MCBmYWNlPSJBcmlhbCI+LjwvZm9udD48Zm9udCBzaXplPTIg ZmFjZT0iVGltZXMgTmV3IFJvbWFuIj4NCjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIg ZmFjZT0iQXJpYWwiPkIpIElmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEgY3JpdGlj YWwNCmV4dGVuc2lvbiBpbiB0aGUgPGI+Y3JsRW50cnlFeHRlbnNpb25zPC9iPiBmaWVsZCBvZiBh biBlbnRyeSA8YnI+DQp0aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNhdGUgc3BlY2lmaWVk IGluIHRoYXQgZW50cnksIGFzIGluZGljYXRlZA0KYnkgdGhlIGFic2VuY2Ugb2YgYSByZWxhdGVk IDxicj4NCmNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgPGI+Y3JsRXh0ZW5zaW9uczwvYj4gZmll bGQsIHRoZW4gdGhlIDxiPnN0YXR1cw0Kb2YgPC9iPmNlcnRpZmljYXRlIGlkZW50aWZpZWQgYnkg dGhlIENSTCBlbnRyeSA8YnI+DQpzaGFsbCBiZSBjb25zaWRlcmVkIDwvZm9udD48Zm9udCBzaXpl PTIgY29sb3I9IzAwMjBjMiBmYWNlPSJBcmlhbCI+PGI+YXMNCnJldm9rZWQ8L2I+PC9mb250Pjxm b250IHNpemU9MiBjb2xvcj0jMTA0MTYwIGZhY2U9IkFyaWFsIj4uPC9mb250Pjxmb250IHNpemU9 MiBmYWNlPSJUaW1lcyBOZXcgUm9tYW4iPg0KPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9 MiBmYWNlPSJBcmlhbCI+SSBiZWxpZXZlIHRoYXQgQSkgaXMgYmV0dGVyLCBidXQgdGhlIGRpZmZl cmVuY2UNCmlzIHRlbnVvdXMuIFNlZSBhIG5ldyBleGFtcGxlIGJlbG93LiA8L2ZvbnQ+DQo8YnI+ DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFsIj5XaGF0IGRvIHlvdSAoYW5kIG90aGVycykg dGhpbmsgPzwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iQXJpYWwiPkRlbmlz PC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MiBmYWNlPSJBcmlhbCI+PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT08L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9IkFyaWFs Ij5UaGUgc3RhdHVzIG9mIGEgZ2l2ZW4gY2VydGlmaWNhdGUgaXMgaW5kaWNhdGVkDQphcyDigJxn b29k4oCdLCBidXQgdGhlcmUgaXMgYSBDUkwgZW50cnkgd2l0aCBhIGNyaXRpY2FsIDxicj4NCkNS TCBlbnRyeSBleHRlbnNpb24uIDwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0i QXJpYWwiPldoYXRldmVyLCB0aGlzIDxiPmNybEVudHJ5RXh0ZW5zaW9uPC9iPiBtZWFucywNCmlm IGFuIGFwcGxpY2F0aW9uIGNvbnNpZGVycyB0aGF0IHRoZSBzdGF0dXMgb2YgdGhlIGNlcnRpZmlj YXRlIGZvciB0aGUNCmVudHJ5IDxicj4NCmlzICZuYnNwOyZxdW90O3Vua25vd24mcXVvdDssIGl0 IGNhbiBhdHRlbXB0IHRvIHVzZSBhbiBPQ1NQIHNlcnZpY2UsIGlmDQphdmFpbGFibGU7IGJ1dCBp ZiBhbiBhcHBsaWNhdGlvbiBjb25zaWRlcnMgdGhhdCB0aGUgc3RhdHVzIG9mIDxicj4NCnRoZSBj ZXJ0aWZpY2F0ZSBmb3IgdGhlIGVudHJ5IGlzICZxdW90O3Jldm9rZWQgJnF1b3Q7LCBpdCB3aWxs IG5vdCBhdHRlbXB0DQp0byBjYWxsIGl0LjwvZm9udD4NCjxicj4NCjxicj48Zm9udCBzaXplPTIg ZmFjZT0iQXJpYWwiPkFzIGFuIGV4YW1wbGUsIHRoaXMgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVu c2lvbg0KbWVhbnMgKG9ubHkgZm9yIGFwcGxpY2F0aW9ucyB3aGljaCB1bmRlcnN0YW5kIGl0KSA6 IDxicj4NCjxicj4NCiZxdW90O1RoZSBDUkwgaXNzdWVyIG9mIHRoaXMgQ1JMIGhhcyBub3QgYmVl biBhYmxlIHRvIG9idGFpbiBpbiByZWFsIHRpbWUNCnRoZSBzdGF0dXMgb2YgdGhlIGNlcnRpZmlj YXRlcyB1c2luZyBhIGRhdGFiYXNlIDxicj4NCm9mIGlzc3VlZCBjZXJ0aWZpY2F0ZXMuIFJhdGhl ciB0aGFuIG5vdCBpc3N1aW5nIHRoZSBDUkwgYW5kIGNyZWF0aW5nIGENCmRlbmlhbCBvZiBzZXJ2 aWNlIGZvciBhbGwgdmVyaWZpZXJzLCB0aGlzIENSTCBoYXMgPGJyPg0KYmVlbiBpc3N1ZWQsICZu YnNwO2J1dCBpcyBub3QgJnF1b3Q7ZnJlc2gmcXVvdDsuIElmIHlvdSByZWFsbHkgbmVlZCB0bw0K dGFrZSBhIGRlY2lzaW9uIG5vdywgeW91IGNhbiB1c2UgdGhpcyBDUkwgYnV0IGF0IHlvdXIgb3du IHJpc2suIDxicj4NCklmIHlvdSBjYW4gYWNjZXNzIGFuIE9DU1Agc2VydmVyLCB5b3UgbWlnaHQg YmUgYWJsZSB0byBnZXQgYSBmcmVzaGVyIHN0YXR1cy4NCk90aGVyd2lzZSwgaWYgeW91IGNhbiB3 YWl0LCB5b3UgY2FuIDxicj4NCnRyeSBhZ2FpbiBsYXRlciBvbiZxdW90Oy4gPGJyPg0KIDwvZm9u dD4NCjxicj4NCjxicj4NCjxicj4NCjxicj48Zm9udCBzaXplPTEgY29sb3I9IzVmNWY1ZiBmYWNl PSJzYW5zLXNlcmlmIj5EZSA6ICZuYnNwOyAmbmJzcDsgJm5ic3A7DQombmJzcDs8L2ZvbnQ+PGZv bnQgc2l6ZT0xIGZhY2U9InNhbnMtc2VyaWYiPlBpeXVzaCBKYWluICZsdDtwaXl1c2hAaWRlbnRp Y2F0ZS5jb20mZ3Q7PC9mb250Pg0KPGJyPjxmb250IHNpemU9MSBjb2xvcj0jNWY1ZjVmIGZhY2U9 InNhbnMtc2VyaWYiPkEgOiAmbmJzcDsgJm5ic3A7ICZuYnNwOw0KJm5ic3A7PC9mb250Pjxmb250 IHNpemU9MSBmYWNlPSJzYW5zLXNlcmlmIj5TYW50b3NoIENob2toYW5pICZsdDtTQ2hva2hhbmlA Y3lnbmFjb20uY29tJmd0OywNCiZxdW90O2RlbmlzLnBpbmthc0BidWxsLm5ldCZxdW90OyAmbHQ7 ZGVuaXMucGlua2FzQGJ1bGwubmV0Jmd0OzwvZm9udD4NCjxicj48Zm9udCBzaXplPTEgY29sb3I9 IzVmNWY1ZiBmYWNlPSJzYW5zLXNlcmlmIj5DYyZuYnNwOzogJm5ic3A7ICZuYnNwOw0KJm5ic3A7 ICZuYnNwOzwvZm9udD48Zm9udCBzaXplPTEgZmFjZT0ic2Fucy1zZXJpZiI+JnF1b3Q7bXJleEBz YXAuY29tJnF1b3Q7DQombHQ7bXJleEBzYXAuY29tJmd0OywgcGtpeCAmbHQ7cGtpeEBpZXRmLm9y ZyZndDs8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0xIGNvbG9yPSM1ZjVmNWYgZmFjZT0ic2Fucy1z ZXJpZiI+RGF0ZSA6ICZuYnNwOyAmbmJzcDsgJm5ic3A7DQombmJzcDs8L2ZvbnQ+PGZvbnQgc2l6 ZT0xIGZhY2U9InNhbnMtc2VyaWYiPjE3LzA5LzIwMTIgMTc6MDY8L2ZvbnQ+DQo8YnI+PGZvbnQg c2l6ZT0xIGNvbG9yPSM1ZjVmNWYgZmFjZT0ic2Fucy1zZXJpZiI+T2JqZXQgOiAmbmJzcDsgJm5i c3A7DQombmJzcDsgJm5ic3A7PC9mb250Pjxmb250IHNpemU9MSBmYWNlPSJzYW5zLXNlcmlmIj5S RTogW3BraXhdIDUyODBiaXMsDQp2LTA5PC9mb250Pg0KPGJyPg0KPGhyIG5vc2hhZGU+DQo8YnI+ DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0zIGNvbG9yPSMwMDQwODAgZmFjZT0ic2Fucy1zZXJpZiI+ TXkgcmVjb21tZW5kYXRpb24gd291bGQNCmJlIHRvIGdvIHdpdGgg4oCYcmV2b2tlZOKAmSBvbiB0 aGlzIHVubGVzcyB3ZSBjYW4gZXhwbGljaXRseSBzcGVsbCBvdXQgd2h5DQp3ZSBjaG9zZSDigJh1 bmtub3du4oCZIHRvIG92ZXJyaWRlIFguNTA5LjwvZm9udD4NCjxicj48Zm9udCBzaXplPTMgY29s b3I9IzAwNDA4MCBmYWNlPSJzYW5zLXNlcmlmIj4mbmJzcDs8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6 ZT0zIGNvbG9yPSMwMDQwODAgZmFjZT0ic2Fucy1zZXJpZiI+SSBqdXN0IHdhbnQgdG8gYXZvaWQg dGhlDQpzaXR1YXRpb24gd2hlcmUgc29tZW9uZSByYWlzZXMgdGhpcyBpc3N1ZSBhZ2FpbiBpbiBh IGZldyB5ZWFycyB0aGF0IDUyODANCmlzIGluY29uc2lzdGVudCB3aXRoIFguNTA5IHdpdGhvdXQg YW55IGFwcGFyZW50IHJlYXNvbi48L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGNvbG9yPSMwMDQw ODAgZmFjZT0ic2Fucy1zZXJpZiI+Jm5ic3A7PC9mb250Pg0KPGJyPjxmb250IHNpemU9MyBmYWNl PSJUYWhvbWEiPjxiPkZyb206PC9iPiBTYW50b3NoIENob2toYW5pIFs8L2ZvbnQ+PGEgaHJlZj1t YWlsdG86U0Nob2toYW5pQGN5Z25hY29tLmNvbT48Zm9udCBzaXplPTMgZmFjZT0iVGFob21hIj5t YWlsdG86U0Nob2toYW5pQGN5Z25hY29tLmNvbTwvZm9udD48L2E+PGZvbnQgc2l6ZT0zIGZhY2U9 IlRhaG9tYSI+XQ0KPGI+PGJyPg0KU2VudDo8L2I+IE1vbmRheSwgU2VwdGVtYmVyIDE3LCAyMDEy IDc6NDggQU08Yj48YnI+DQpUbzo8L2I+IGRlbmlzLnBpbmthc0BidWxsLm5ldDxiPjxicj4NCkNj OjwvYj4gbXJleEBzYXAuY29tOyBQaXl1c2ggSmFpbjsgcGtpeDxiPjxicj4NClN1YmplY3Q6PC9i PiBSRTogW3BraXhdIDUyODBiaXMsIHYtMDk8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGZhY2U9 IlRpbWVzIE5ldyBSb21hbiI+Jm5ic3A7PC9mb250Pg0KPGJyPjxmb250IHNpemU9MyBjb2xvcj0j MDA0MDgwIGZhY2U9IkFyaWFsIj5EZW5pcyw8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGNvbG9y PSMwMDQwODAgZmFjZT0iQXJpYWwiPiZuYnNwOzwvZm9udD4NCjxicj48Zm9udCBzaXplPTMgY29s b3I9IzAwNDA4MCBmYWNlPSJBcmlhbCI+SSBhbSBvayBlaXRoZXIgd2F5ICh1bmtub3duDQpvciBy ZXZva2VkKS4gJm5ic3A7VGhlIGdvb2QgdGhpbmcgaXMgdGhhdCB0aGUgbmV3IHRleHQgc3BlbGxz IHRoaW5ncyBvdXQNCm1vcmUgY2xlYXJseS48L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGNvbG9y PSMwMDQwODAgZmFjZT0iQXJpYWwiPiZuYnNwOzwvZm9udD4NCjxicj48Zm9udCBzaXplPTMgZmFj ZT0iVGFob21hIj48Yj5Gcm9tOjwvYj4gPC9mb250PjxhIGhyZWY9bWFpbHRvOmRlbmlzLnBpbmth c0BidWxsLm5ldD48Zm9udCBzaXplPTMgY29sb3I9Ymx1ZSBmYWNlPSJUYWhvbWEiPjx1PmRlbmlz LnBpbmthc0BidWxsLm5ldDwvdT48L2ZvbnQ+PC9hPjxmb250IHNpemU9MyBmYWNlPSJUYWhvbWEi Pg0KPC9mb250PjxhIGhyZWY9bWFpbHRvOlttYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0XT48 Zm9udCBzaXplPTMgY29sb3I9Ymx1ZSBmYWNlPSJUYWhvbWEiPjx1PlttYWlsdG86ZGVuaXMucGlu a2FzQGJ1bGwubmV0XTwvdT48L2ZvbnQ+PC9hPjxmb250IHNpemU9MyBmYWNlPSJUYWhvbWEiPg0K PGI+PGJyPg0KU2VudDo8L2I+IE1vbmRheSwgU2VwdGVtYmVyIDE3LCAyMDEyIDEwOjQyIEFNPGI+ PGJyPg0KVG86PC9iPiBTYW50b3NoIENob2toYW5pPGI+PGJyPg0KQ2M6PC9iPiA8L2ZvbnQ+PGEg aHJlZj1tYWlsdG86bXJleEBzYXAuY29tPjxmb250IHNpemU9MyBjb2xvcj1ibHVlIGZhY2U9IlRh aG9tYSI+PHU+bXJleEBzYXAuY29tPC91PjwvZm9udD48L2E+PGZvbnQgc2l6ZT0zIGZhY2U9IlRh aG9tYSI+Ow0KUGl5dXNoIEphaW47IHBraXg8Yj48YnI+DQpTdWJqZWN0OjwvYj4gUkU6IFtwa2l4 XSA1MjgwYmlzLCB2LTA5PC9mb250Pg0KPGJyPjxmb250IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcg Um9tYW4iPiZuYnNwOzwvZm9udD4NCjxicj48Zm9udCBzaXplPTMgZmFjZT0iQXJpYWwiPlNhbnRv c2gsIFBpeXVzaCBhbmQgTWFydGluLDwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iVGltZXMgTmV3 IFJvbWFuIj4NCjxicj4NCjwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iQXJpYWwiPjxicj4NClNv cnJ5LCBJIG1hZGUgYSBtaXN0YWtlIHdoZW4gbWFraW5nIG15IHByb3Bvc2FsIHRoaXMgbW9ybmlu Zy4gPGJyPg0KSSB3cm90ZSAmcXVvdDtyZXZva2VkJnF1b3Q7LCBidXQgd2FzIGFkdm9jYXRpbmcg JnF1b3Q7dW5rbm93biZxdW90Oy48L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBS b21hbiI+DQo8YnI+DQo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj48YnI+DQpCYXNl ZCBvbiB0aGUgbGF0ZXN0IHRleHQgcHJvcG9zZWQgZnJvbSBTYW50b3NoLCBJIHdvdWxkIHJhdGhl ciBwcmVmZXI6PC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcgUm9tYW4iPg0KPGJy Pg0KPC9mb250Pjxmb250IHNpemU9MyBjb2xvcj0jMTA0MTYwIGZhY2U9IkFyaWFsIj48YnI+DQpJ ZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0 aGUgPGI+Y3JsRW50cnlFeHRlbnNpb25zPC9iPg0KZmllbGQgb2YgYW4gZW50cnkgPGJyPg0KdGhh dCBhZmZlY3RzIG9ubHkgdGhlIGNlcnRpZmljYXRlIHNwZWNpZmllZCBpbiB0aGF0IGVudHJ5LCBh cyBpbmRpY2F0ZWQNCmJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZCA8YnI+DQpjcml0aWNhbCBl eHRlbnNpb24gaW4gdGhlIDxiPmNybEV4dGVuc2lvbnM8L2I+IGZpZWxkLCB0aGVuIHRoZSA8L2Zv bnQ+PGZvbnQgc2l6ZT0zIGNvbG9yPSMwMDAwZTAgZmFjZT0iQXJpYWwiPjxiPnN0YXR1cw0Kb2Y8 L2I+PC9mb250Pjxmb250IHNpemU9MyBjb2xvcj1ibHVlIGZhY2U9IkFyaWFsIj48Yj4gPC9iPjwv Zm9udD48Zm9udCBzaXplPTMgY29sb3I9IzEwNDE2MCBmYWNlPSJBcmlhbCI+Y2VydGlmaWNhdGUN CmlkZW50aWZpZWQgYnkgdGhlIENSTCBlbnRyeSA8YnI+DQpzaGFsbCBiZSBjb25zaWRlcmVkIDwv Zm9udD48Zm9udCBzaXplPTMgY29sb3I9IzAwMjBjMiBmYWNlPSJBcmlhbCI+PGI+dW5rb3duPC9i PjwvZm9udD48Zm9udCBzaXplPTMgY29sb3I9IzEwNDE2MCBmYWNlPSJBcmlhbCI+LjwvZm9udD48 Zm9udCBzaXplPTMgZmFjZT0iVGltZXMgTmV3IFJvbWFuIj4NCjxicj4NCjwvZm9udD48Zm9udCBz aXplPTMgZmFjZT0iQXJpYWwiPjxicj4NCmluc3RlYWQgb2YgOjwvZm9udD48Zm9udCBzaXplPTMg ZmFjZT0iVGltZXMgTmV3IFJvbWFuIj4gPGJyPg0KPC9mb250Pjxmb250IHNpemU9MyBjb2xvcj0j MTA0MTYwIGZhY2U9IkFyaWFsIj48YnI+DQpJZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2Vz cyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgPGI+Y3JsRW50cnlFeHRlbnNpb25zPC9iPg0K ZmllbGQgb2YgYW4gZW50cnkgPGJyPg0KdGhhdCBhZmZlY3RzIG9ubHkgdGhlIGNlcnRpZmljYXRl IHNwZWNpZmllZCBpbiB0aGF0IGVudHJ5LCBhcyBpbmRpY2F0ZWQNCmJ5IHRoZSBhYnNlbmNlIG9m IGEgcmVsYXRlZCA8YnI+DQpjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlIDxiPmNybEV4dGVuc2lv bnM8L2I+IGZpZWxkLCB0aGVuIHRoZSBjZXJ0aWZpY2F0ZQ0KaWRlbnRpZmllZCBieSB0aGUgQ1JM IGVudHJ5IDxicj4NCnNoYWxsIGJlIGNvbnNpZGVyZWQgcmV2b2tlZC48L2ZvbnQ+PGZvbnQgc2l6 ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+DQo8YnI+DQo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZh Y2U9IkFyaWFsIj48YnI+DQpEZW5pczwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iVGltZXMgTmV3 IFJvbWFuIj4gPGJyPg0KPGJyPg0KPGJyPg0KPGJyPg0KPGJyPg0KPGJyPg0KPGJyPg0KPGJyPg0K PGJyPg0KPC9mb250Pjxmb250IHNpemU9MyBjb2xvcj0jNWY1ZjVmIGZhY2U9IkFyaWFsIj48YnI+ DQpEZSA6ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOzwvZm9udD48Zm9udCBzaXplPTMgZmFj ZT0iQXJpYWwiPlNhbnRvc2gNCkNob2toYW5pICZsdDs8L2ZvbnQ+PGEgaHJlZj1tYWlsdG86U0No b2toYW5pQGN5Z25hY29tLmNvbT48Zm9udCBzaXplPTMgY29sb3I9Ymx1ZSBmYWNlPSJBcmlhbCI+ PHU+U0Nob2toYW5pQGN5Z25hY29tLmNvbTwvdT48L2ZvbnQ+PC9hPjxmb250IHNpemU9MyBmYWNl PSJBcmlhbCI+Jmd0OzwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iVGltZXMgTmV3IFJvbWFuIj4N CjwvZm9udD48Zm9udCBzaXplPTMgY29sb3I9IzVmNWY1ZiBmYWNlPSJBcmlhbCI+PGJyPg0KQSA6 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOzwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iQXJp YWwiPiZxdW90OzwvZm9udD48YSBocmVmPW1haWx0bzpkZW5pcy5waW5rYXNAYnVsbC5uZXQ+PGZv bnQgc2l6ZT0zIGNvbG9yPWJsdWUgZmFjZT0iQXJpYWwiPjx1PmRlbmlzLnBpbmthc0BidWxsLm5l dDwvdT48L2ZvbnQ+PC9hPjxmb250IHNpemU9MyBmYWNlPSJBcmlhbCI+JnF1b3Q7DQombHQ7PC9m b250PjxhIGhyZWY9bWFpbHRvOmRlbmlzLnBpbmthc0BidWxsLm5ldD48Zm9udCBzaXplPTMgY29s b3I9Ymx1ZSBmYWNlPSJBcmlhbCI+PHU+ZGVuaXMucGlua2FzQGJ1bGwubmV0PC91PjwvZm9udD48 L2E+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj4mZ3Q7LA0KJnF1b3Q7PC9mb250PjxhIGhyZWY9 bWFpbHRvOm1yZXhAc2FwLmNvbT48Zm9udCBzaXplPTMgY29sb3I9Ymx1ZSBmYWNlPSJBcmlhbCI+ PHU+bXJleEBzYXAuY29tPC91PjwvZm9udD48L2E+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj4m cXVvdDsNCiZsdDs8L2ZvbnQ+PGEgaHJlZj1tYWlsdG86bXJleEBzYXAuY29tPjxmb250IHNpemU9 MyBjb2xvcj1ibHVlIGZhY2U9IkFyaWFsIj48dT5tcmV4QHNhcC5jb208L3U+PC9mb250PjwvYT48 Zm9udCBzaXplPTMgZmFjZT0iQXJpYWwiPiZndDssDQpQaXl1c2ggSmFpbiAmbHQ7PC9mb250Pjxh IGhyZWY9bWFpbHRvOnBpeXVzaEBpZGVudGljYXRlLmNvbT48Zm9udCBzaXplPTMgY29sb3I9Ymx1 ZSBmYWNlPSJBcmlhbCI+PHU+cGl5dXNoQGlkZW50aWNhdGUuY29tPC91PjwvZm9udD48L2E+PGZv bnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj4mZ3Q7PC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJUaW1l cyBOZXcgUm9tYW4iPg0KPC9mb250Pjxmb250IHNpemU9MyBjb2xvcj0jNWY1ZjVmIGZhY2U9IkFy aWFsIj48YnI+DQpDYyA6ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOzwvZm9udD48Zm9udCBz aXplPTMgZmFjZT0iQXJpYWwiPnBraXggJmx0OzwvZm9udD48YSBocmVmPW1haWx0bzpwa2l4QGll dGYub3JnPjxmb250IHNpemU9MyBjb2xvcj1ibHVlIGZhY2U9IkFyaWFsIj48dT5wa2l4QGlldGYu b3JnPC91PjwvZm9udD48L2E+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj4mZ3Q7PC9mb250Pjxm b250IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcgUm9tYW4iPg0KPC9mb250Pjxmb250IHNpemU9MyBj b2xvcj0jNWY1ZjVmIGZhY2U9IkFyaWFsIj48YnI+DQpEYXRlIDogJm5ic3A7ICZuYnNwOyAmbmJz cDsgJm5ic3A7PC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJBcmlhbCI+MTcvMDkvMjAxMg0KMTY6 MjE8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+IDwvZm9udD48Zm9u dCBzaXplPTMgY29sb3I9IzVmNWY1ZiBmYWNlPSJBcmlhbCI+PGJyPg0KT2JqZXQgOiAmbmJzcDsg Jm5ic3A7ICZuYnNwOyAmbmJzcDs8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj5SRToN Cltwa2l4XSA1MjgwYmlzLCB2LTA5PC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcg Um9tYW4iPiA8L2ZvbnQ+DQo8ZGl2IGFsaWduPWNlbnRlcj4NCjxicj4NCjxociBub3NoYWRlPjwv ZGl2Pg0KPGJyPjxmb250IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcgUm9tYW4iPjxicj4NCjxicj4N CjwvZm9udD48Zm9udCBzaXplPTMgY29sb3I9IzAwNDA4MCBmYWNlPSJBcmlhbCI+PGJyPg0KVGhp cyBhbHNvIHJlbGF0ZXMgdG8gZWFybGllciBwb3N0IEkgbWFkZSBpbiByZXNwb25zZSB0byBQaXl1 c2guPC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcgUm9tYW4iPg0KPC9mb250Pjxm b250IHNpemU9MyBjb2xvcj0jMDA0MDgwIGZhY2U9IkFyaWFsIj48YnI+DQogPC9mb250Pjxmb250 IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcgUm9tYW4iPiZuYnNwOzwvZm9udD48Zm9udCBzaXplPTMg Y29sb3I9IzAwNDA4MCBmYWNlPSJBcmlhbCI+PGJyPg0KSSBhc3N1bWUgd2UgYXJlIGFkZGluZyB0 aGUgZm9sbG93aW5nIHRvIHRoZSBSRkMg4oCcPC9mb250Pjxmb250IHNpemU9MyBjb2xvcj0jMTA0 MTYwIGZhY2U9IkFyaWFsIj5BDQpjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlIDxiPmNybEVudHJ5 RXh0ZW5zaW9uczwvYj4gZmllbGQgb2YgYW4gZW50cnkgc2hhbGwNCmFmZmVjdCBvbmx5IHRoZSBj ZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgdW5sZXNzIHRoZXJlIGlzIGENCnJl bGF0ZWQgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSA8Yj5jcmxFeHRlbnNpb25zPC9iPiBmaWVs ZCB0aGF0IGFkdmVydGlzZXMNCmEgc3BlY2lhbCB0cmVhdG1lbnQgZm9yIGl0LuKAnSAmbmJzcDtJ biBvcmRlciB0byB1c2Ugc3VjaCBDUkwsIHRoZSByZWx5aW5nDQpwYXJ0eSBtdXN0IGJlIGFibGUg dG8gcHJvY2VzcyBib3RoIHRoZSA8Yj5jcmxFbnRyeUV4dGVuc2lvbiA8L2I+YW5kIHRoZQ0KcmVs YXRlZCA8Yj5jcmxFeHRlbnNpb24u4oCdPC9iPjwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iVGlt ZXMgTmV3IFJvbWFuIj4NCjwvZm9udD48Zm9udCBzaXplPTMgY29sb3I9IzEwNDE2MCBmYWNlPSJB cmlhbCI+PGI+PGJyPg0KIDwvYj48L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBS b21hbiI+Jm5ic3A7PC9mb250Pjxmb250IHNpemU9MyBjb2xvcj0jMTA0MTYwIGZhY2U9IkFyaWFs Ij48YnI+DQpJbiB0aGF0IGNhc2UsIEkgZG8gbm90IG1pbmQgYWRkaW5nIHRoZSBmb2xsb3dpbmcg dG8gNTI4MCAoYSBzbGlnaHQgbW9kaWZpY2F0aW9uDQp0byB3aGF0IERlbmlzIGhhczo8L2ZvbnQ+ PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+IDwvZm9udD48Zm9udCBzaXplPTMg Y29sb3I9IzEwNDE2MCBmYWNlPSJBcmlhbCI+PGJyPg0KIDwvZm9udD48Zm9udCBzaXplPTMgZmFj ZT0iVGltZXMgTmV3IFJvbWFuIj4mbmJzcDs8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGNvbG9yPSMxMDQx NjAgZmFjZT0iQXJpYWwiPjxicj4NCklmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEg Y3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSA8Yj5jcmxFbnRyeUV4dGVuc2lvbnM8L2I+DQpmaWVs ZCBvZiBhbiBlbnRyeSB0aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNhdGUgc3BlY2lmaWVk IGluIHRoYXQgZW50cnksDQphcyBpbmRpY2F0ZWQgYnkgdGhlIGFic2VuY2Ugb2YgYSByZWxhdGVk IGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgPGI+Y3JsRXh0ZW5zaW9uczwvYj4NCmZpZWxkLCB0 aGVuIHRoZSBjZXJ0aWZpY2F0ZSBpZGVudGlmaWVkIGJ5IHRoZSBDUkwgZW50cnkgc2hhbGwgYmUg Y29uc2lkZXJlZA0KcmV2b2tlZC48L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBS b21hbiI+IDwvZm9udD48Zm9udCBzaXplPTMgY29sb3I9IzAwNDA4MCBmYWNlPSJBcmlhbCI+PGJy Pg0KIDwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iVGltZXMgTmV3IFJvbWFuIj4mbmJzcDs8L2Zv bnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRhaG9tYSI+PGI+PGJyPg0KRnJvbTo8L2I+IDwvZm9udD48 YSBocmVmPSJtYWlsdG86cGtpeC1ib3VuY2VzQGlldGYub3JnIj48Zm9udCBzaXplPTMgY29sb3I9 Ymx1ZSBmYWNlPSJUYWhvbWEiPjx1PnBraXgtYm91bmNlc0BpZXRmLm9yZzwvdT48L2ZvbnQ+PC9h Pjxmb250IHNpemU9MyBmYWNlPSJUYWhvbWEiPg0KWzwvZm9udD48YSBocmVmPSJtYWlsdG86cGtp eC1ib3VuY2VzQGlldGYub3JnIj48Zm9udCBzaXplPTMgY29sb3I9Ymx1ZSBmYWNlPSJUYWhvbWEi Pjx1Pm1haWx0bzpwa2l4LWJvdW5jZXNAaWV0Zi5vcmc8L3U+PC9mb250PjwvYT48Zm9udCBzaXpl PTMgZmFjZT0iVGFob21hIj5dDQo8Yj5PbiBCZWhhbGYgT2YgPC9iPjwvZm9udD48YSBocmVmPW1h aWx0bzpkZW5pcy5waW5rYXNAYnVsbC5uZXQ+PGZvbnQgc2l6ZT0zIGNvbG9yPWJsdWUgZmFjZT0i VGFob21hIj48dT5kZW5pcy5waW5rYXNAYnVsbC5uZXQ8L3U+PC9mb250PjwvYT48Zm9udCBzaXpl PTMgZmFjZT0iVGFob21hIj48Yj48YnI+DQpTZW50OjwvYj4gTW9uZGF5LCBTZXB0ZW1iZXIgMTcs IDIwMTIgMzo0NyBBTTxiPjxicj4NClRvOjwvYj4gPC9mb250PjxhIGhyZWY9bWFpbHRvOm1yZXhA c2FwLmNvbT48Zm9udCBzaXplPTMgY29sb3I9Ymx1ZSBmYWNlPSJUYWhvbWEiPjx1Pm1yZXhAc2Fw LmNvbTwvdT48L2ZvbnQ+PC9hPjxmb250IHNpemU9MyBmYWNlPSJUYWhvbWEiPjsNClBpeXVzaCBK YWluPGI+PGJyPg0KQ2M6PC9iPiBwa2l4PGI+PGJyPg0KU3ViamVjdDo8L2I+IFJlOiBbcGtpeF0g NTI4MGJpcywgdi0wOTwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iVGltZXMgTmV3IFJvbWFuIj4N Cjxicj4NCiAmbmJzcDs8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj48YnI+DQpHb29k IGNhdGNoIE1hcnRpbiw8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+ IDwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iQXJpYWwiPjxicj4NCjxicj4NCllvdSBjYW1lIGJh Y2sgZnJvbSB2YWNhdGlvbiBqdXN0IGluIHRpbWUuIDotKTwvZm9udD48Zm9udCBzaXplPTMgZmFj ZT0iVGltZXMgTmV3IFJvbWFuIj4NCjwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iQXJpYWwiPjxi cj4NCjxicj4NCkkgcHJvcG9zZSB0aGUgZm9sbG93aW5nOjwvZm9udD48Zm9udCBzaXplPTMgZmFj ZT0iVGltZXMgTmV3IFJvbWFuIj4gPC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJDb3VyaWVyIE5l dyI+PGJyPg0KPGJyPg0KUmVwbGFjZTo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5l dyBSb21hbiI+IDwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iQ291cmllciBOZXciPjxicj4NCjxi cj4NCnwgJm5ic3A7ICZuYnNwOyBJZiBhIENSTCBjb250YWlucyBhIGNyaXRpY2FsIENSTCBlbnRy eSBleHRlbnNpb24gPGJyPg0KfCAmbmJzcDsgJm5ic3A7IHRoYXQgdGhlIGFwcGxpY2F0aW9uIGNh bm5vdCBwcm9jZXNzLCB0aGVuIHRoZSBhcHBsaWNhdGlvbg0KTVVTVCA8YnI+DQp8ICZuYnNwOyAm bmJzcDsgTk9UIHVzZSB0aGF0IENSTCB0byBkZXRlcm1pbmUgdGhlIHN0YXR1cyBvZiBhbnkgY2Vy dGlmaWNhdGVzLjwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iVGltZXMgTmV3IFJvbWFuIj4NCjwv Zm9udD48Zm9udCBzaXplPTMgZmFjZT0iQ291cmllciBOZXciPjxicj4NCjxicj4NCndpdGg8L2Zv bnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+IDwvZm9udD48Zm9udCBzaXpl PTMgZmFjZT0iQ291cmllciBOZXciPjxicj4NCjxicj4NCnwgJm5ic3A7ICZuYnNwOyBJZiBhIENS TCBjb250YWlucyBpbiBhIENSTCBlbnRyeSBhIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24N Cjxicj4NCnwgJm5ic3A7ICZuYnNwOyB0aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2Vz cywgdGhlbiB0aGUgYXBwbGljYXRpb24NCk1VU1QgPGJyPg0KfCAmbmJzcDsgJm5ic3A7IGNvbnNp ZGVyIHRoYXQgdGhlIGNlcnRpZmljYXRlIGlkZW50aWZpZWQgaW4gdGhhdCBDUkwgZW50cnkNCmlz IDxicj4NCnwgJm5ic3A7ICZuYnNwOyByZXZva2VkLiAmbmJzcDs8L2ZvbnQ+PGZvbnQgc2l6ZT0z IGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+DQo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFs Ij48YnI+DQo8YnI+DQpJbiBvcmRlciB0byBhbnN3ZXIgdG8gUGl5dXNoLCBJIGJlbGlldmUgdGhh dCDigJx1bmtub3du4oCdIHNob3VsZCBiZSB1c2VkDQpyYXRoZXIgdGhhbiDigJxyZXZva2Vk4oCd LjwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iVGltZXMgTmV3IFJvbWFuIj4gPC9mb250Pjxmb250 IHNpemU9MyBmYWNlPSJBcmlhbCI+PGJyPg0KPGJyPg0KVGhlIGZvbGxvd2luZyBleGFtcGxlIGlz IGFuIGlsbHVzdHJhdGlvbjo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21h biI+DQo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj48YnI+DQo8YnI+DQpUaGUgc3Rh dHVzIG9mIGEgZ2l2ZW4gY2VydGlmaWNhdGUgaXMgaW5kaWNhdGVkIGFzIOKAnGdvb2TigJ0sIGJ1 dCB0aGVyZSBpcw0KYSBDUkwgZW50cnkgd2l0aCBhIGNyaXRpY2FsIDxicj4NCkNSTCBlbnRyeSBl eHRlbnNpb24uIFRoaXMgZW50cnkgbWVhbnMgKGZvciB0aGUgYXBwbGljYXRpb25zIHdoaWNoIHVu ZGVyc3RhbmQNCml0KSA6IDxicj4NCjxicj4NCiZxdW90O1RoZSBzdGF0dXMgd2hpY2ggaXMgdXN1 YWxseSBvYnRhaW5lZCB1c2luZyBhIGRhdGFiYXNlIG9mIGlzc3VlZCBjZXJ0aWZpY2F0ZXMNCmhh cyBiZWVuIG9idGFpbmVkIGZyb20gQ1JMcy4gPGJyPg0KSWYgeW91IHJlYWxseSBuZWVkIHRvIHRh a2UgYSBkZWNpc2lvbiBub3csIGl0IGlzIGF0IHlvdXIgb3duIHJpc2suIElmIHlvdQ0KY2FuIHdh aXQsIHlvdSBoYWQgYmV0dGVyIHRvIHRyeSBhZ2FpbiBsYXRlciBvbiZxdW90Oy48L2ZvbnQ+PGZv bnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+DQo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZh Y2U9IkFyaWFsIj48YnI+DQo8YnI+DQpZb3VyIG5leHQgcXVlc3Rpb24gd2lsbCBjZXJ0YWlubHkg YmU6IHNvIHdoeSBkb27igJl0IHlvdSB1c2UgdGhlIHByb3Bvc2VkDQpjZXJ0SW5mbyBleHRlbnNp b24gPzwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iVGltZXMgTmV3IFJvbWFuIj4gPC9mb250Pjxm b250IHNpemU9MyBmYWNlPSJBcmlhbCI+PGJyPg0KPGJyPg0KRm9yIGFwcGxpY2F0aW9ucyB3aGlj aCBkbyBub3QgdW5kZXJzdGFuZCB0aGlzIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24sDQp0 aGVyZSBpcyBubyBkaWZmZXJlbmNlLjwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iVGltZXMgTmV3 IFJvbWFuIj4gPC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJBcmlhbCI+PGJyPg0KVGhleSBnZXQg YW4gJnF1b3Q7dW5rbm93biZxdW90OyBzdGF0dXMgaW4gYm90aCBjYXNlcy48L2ZvbnQ+PGZvbnQg c2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+DQo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9 IkFyaWFsIj48YnI+DQo8YnI+DQpGb3IgYXBwbGljYXRpb25zIHdoaWNoIHVuZGVyc3RhbmQgdGhp cyBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uIGl0DQpwcm92aWRlcyBsZXNzIGJlbmVmaXRz IDxicj4NCnRoYW4gdGhlIHByb3Bvc2VkIGNlcnRJbmZvIGV4dGVuc2lvbiwgYnV0IGl0IG1pZ2h0 IGJlIHF1aWNrZXIgdG8gaW1wbGVtZW50DQphbmQgaXQgZW5mb3JjZXMgYSBwb2xpY3kuPC9mb250 Pjxmb250IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcgUm9tYW4iPiA8L2ZvbnQ+PGZvbnQgc2l6ZT0z IGZhY2U9IkFyaWFsIj48YnI+DQo8YnI+DQpEZW5pczwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0i VGltZXMgTmV3IFJvbWFuIj4gPC9mb250Pjxmb250IHNpemU9MyBmYWNlPSJDb3VyaWVyIE5ldyI+ PGJyPg0KPGJyPg0KPGJyPg0KJmd0OyBJIG9iamVjdCB0byB0aGUgcHJvcG9zZWQgbmV3IHRleHQg YWJvdXQgQ1JMRW50cnlFeHRlbnNpb25zPGJyPg0KJmd0OyBpbiB0aGUgY2xhcmlmaWNhdGlvbiBk b2N1bWVudCwgYmVjYXVzZSBhcyBpcywgd291bGQgc2lnbmlmaWNhbnRseTxicj4NCiZndDsgd29y c2VuIHRoZSBkaWZmZXJlbmNlIGJldHdlZW4gUEtJWCBhbmQgWC41MDkgYW5kIG1ha2UgdGhpbmdz PGJyPg0KJmd0OyBjbGVhcmx5IGluY29tcGF0aWJsZSByYXRoZXIgdGhhbiBzbGlnaHRseSBsZXNz IGVmZmljaWVudC48YnI+DQomZ3Q7IDxicj4NCiZndDsgSWYgYW55dGhpbmcsIHRoZSBnYXAgc2hv dWxkIGJlIHJlZHVjZWQsIGNvbXBhdGliaWxpdHkgYmV0d2Vlbjxicj4NCiZndDsgUEtJWCBhbmQg WC41MDkgaW1wcm92ZWQgYW5kIHRoZSBvcmlnaW5hbCBhcmNoaXRlY3R1cmUgbm90IHZpb2xhdGVk Ljxicj4NCiZndDsgPGJyPg0KJmd0OyBQbGVhc2UgcmVjYWxsIHRoZSBvcmlnaW5hbCBOT1RFIDQg JmFtcDsgNSB0aGF0IEkgcXVvdGVkIGZyb208YnI+DQomZ3Q7IElUVS1UIFJlYy4gWC41MDkgKDA4 LzIwMDUpLCBTZWN0aW9uIDcuMywgdG9wIG9mIHBhZ2UgMTg6PGJyPg0KJmd0OyAoZ2V0IHRoZW0g aGVyZSA8L2ZvbnQ+PGEgaHJlZj0iaHR0cDovL3d3dy5pdHUuaW50L3JlYy9ULVJFQy1YLjUwOSI+ PGZvbnQgc2l6ZT0zIGNvbG9yPWJsdWUgZmFjZT0iQ291cmllciBOZXciPjx1Pmh0dHA6Ly93d3cu aXR1LmludC9yZWMvVC1SRUMtWC41MDk8L3U+PC9mb250PjwvYT48Zm9udCBzaXplPTMgZmFjZT0i Q291cmllciBOZXciPik6PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IGEmZ3Q7ICZuYnNwO05PVEUgNCAt LSBXaGVuIGFuIGltcGxlbWVudGF0aW9uIHByb2Nlc3NpbmcgYSBjZXJ0aWZpY2F0ZQ0KcmV2b2Nh dGlvbjxicj4NCiZndDsgYSZndDsgJm5ic3A7bGlzdCBkb2VzIG5vdCByZWNvZ25pemUgYSBjcml0 aWNhbCBleHRlbnNpb24gaW4gdGhlIGNybEVudHJ5RXh0ZW5zaW9uczxicj4NCiZndDsgYSZndDsg Jm5ic3A7ZmllbGQsIGl0IHNoYWxsIGFzc3VtZSB0aGF0LCBhdCBhIG1pbmltdW0sIHRoZSBpZGVu dGlmaWVkDQpjZXJ0aWZpY2F0ZTxicj4NCiZndDsgYSZndDsgJm5ic3A7aGFzIGJlZW4gcmV2b2tl ZCBhbmQgaXMgbm8gbG9uZ2VyIHZhbGlkIGFuZCBwZXJmb3JtIGFkZGl0aW9uYWwNCmFjdGlvbnM8 YnI+DQomZ3Q7IGEmZ3Q7ICZuYnNwO2NvbmNlcm5pbmcgdGhhdCByZXZva2VkIGNlcnRpZmljYXRl IGFzIGRpY3RhdGVkIGJ5IGxvY2FsDQpwb2xpY3kuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IGImZ3Q7 ICZuYnNwO1doZW4gYW4gaW1wbGVtZW50YXRpb24gZG9lcyBub3QgcmVjb2duaXplIGEgY3JpdGlj YWwgZXh0ZW5zaW9uDQppbiB0aGU8YnI+DQomZ3Q7IGImZ3Q7ICZuYnNwO2NybEV4dGVuc2lvbnMg ZmllbGQsIGl0IHNoYWxsIGFzc3VtZSB0aGF0IGlkZW50aWZpZWQgY2VydGlmaWNhdGVzPGJyPg0K Jmd0OyBiJmd0OyAmbmJzcDtoYXZlIGJlZW4gcmV2b2tlZCBhbmQgYXJlIG5vIGxvbmdlciB2YWxp ZC48YnI+DQomZ3Q7IDxicj4NCiZndDsgYyZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsNCiZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsN CiZuYnNwOyAmbmJzcDsgSG93ZXZlciBpbiB0aGUgbGF0dGVyIGNhc2UsPGJyPg0KJmd0OyBjJmd0 OyAmbmJzcDtzaW5jZSB0aGUgbGlzdCBtYXkgbm90IGJlIGNvbXBsZXRlLCBjZXJ0aWZpY2F0ZXMg dGhhdA0KaGF2ZSBub3QgYmVlbjxicj4NCiZndDsgYyZndDsgJm5ic3A7aWRlbnRpZmllZCBhcyBi ZWluZyByZXZva2VkIGNhbm5vdCBiZSBhc3N1bWVkIHRvIGJlIHZhbGlkLg0KSW4gdGhpcyBjYXNl PGJyPg0KJmd0OyBjJmd0OyAmbmJzcDtsb2NhbCBwb2xpY3kgc2hhbGwgZGljdGF0ZSB0aGUgYWN0 aW9uIHRvIGJlIHRha2VuLiBJbg0KYW55IGNhc2UgbG9jYWw8YnI+DQomZ3Q7IGMmZ3Q7ICZuYnNw O3BvbGljeSBtYXkgZGljdGF0ZSBhY3Rpb25zIGluIGFkZGl0aW9uIHRvIGFuZC9vciBzdHJvbmdl cg0KdGhhbiB0aG9zZTxicj4NCiZndDsgYyZndDsgJm5ic3A7c3RhdGVkIGluIHRoaXMgU3BlY2lm aWNhdGlvbi48YnI+DQomZ3Q7IDxicj4NCiZndDsgZCZndDsgJm5ic3A7Tk9URSA1IC0tIElmIGFu IGV4dGVuc2lvbiBhZmZlY3RzIHRoZSB0cmVhdG1lbnQgb2YgdGhlDQpsaXN0PGJyPg0KJmd0OyBk Jmd0OyAmbmJzcDsoZS5nLiwgbXVsdGlwbGUgQ1JMcyBuZWVkIHRvIGJlIHNjYW5uZWQgdG8gZXhh bWluZSB0aGUNCmVudGlyZSBsaXN0IG9mPGJyPg0KJmd0OyBkJmd0OyAmbmJzcDtyZXZva2VkIGNl cnRpZmljYXRlcywgb3IgYW4gZW50cnkgbWF5IHJlcHJlc2VudCBhIHJhbmdlDQpvZiBjZXJ0aWZp Y2F0ZXMpLDxicj4NCiZndDsgZCZndDsgJm5ic3A7dGhlbiB0aGF0IGV4dGVuc2lvbiBzaGFsbCBi ZSBpbmRpY2F0ZWQgYXMgY3JpdGljYWwgaW4NCnRoZSBjcmxFeHRlbnNpb25zPGJyPg0KJmd0OyBk Jmd0OyAmbmJzcDtmaWVsZCByZWdhcmRsZXNzIG9mIHdoZXJlIHRoZSBleHRlbnNpb24gaXMgcGxh Y2VkIGluIHRoZQ0KQ1JMLjxicj4NCiZndDsgPGJyPg0KJmd0OyBlJmd0OyAmbmJzcDtBbiBleHRl bnNpb24gaW5kaWNhdGVkIGluIHRoZSBjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQNCm9mIGFuIGVu dHJ5IHNoYWxsPGJyPg0KJmd0OyBlJmd0OyAmbmJzcDtiZSBwbGFjZWQgaW4gdGhhdCBlbnRyeSBh bmQgc2hhbGwgYWZmZWN0IG9ubHkgdGhlIGNlcnRpZmljYXRlKHMpPGJyPg0KJmd0OyBlJmd0OyAm bmJzcDtzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeS48YnI+DQomZ3Q7IDxicj4NCiZndDsgPGJyPg0K Jmd0OyAoSSBpbnNlcnRlZCBibGFuayBsaW5lcyBhYm92ZSBmb3IgdmlzdWFsIGNsYXJpdHkgb2Yg dGhlIFguNTA5IHJlcXVpcmVtZW50cykuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IHR3byBvcHRpb25z LCBhbGwgY29tYmluYXRpb25zOjxicj4NCiZndDsgPGJyPg0KJmd0OyAmbmJzcDsoMSkgY2VydCAm bmJzcDsgJm5ic3A7IG9uIENSTCwgQ1JMIHdpdGggTk8gdW5yZWNvZ25pemVkIGNyaXRpY2FsDQpD UkxFbnRyeUV4dGVuc2lvbnMgPGJyPg0KJmd0OyAmbmJzcDsoMikgY2VydCBOT1Qgb24gQ1JMLCBD Ukwgd2l0aCBOTyB1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb25zDQo8YnI+ DQomZ3Q7ICZuYnNwOygzKSBjZXJ0ICZuYnNwOyAmbmJzcDsgb24gQ1JMLCBDUkwgd2l0aCAmbmJz cDsgJm5ic3A7dW5yZWNvZ25pemVkDQpjcml0aWNhbCBDUkxFbnRyeUV4dGVuc2lvbjxicj4NCiZn dDsgJm5ic3A7KDQpIGNlcnQgTk9UIG9uIENSTCwgQ1JMIHdpdGggJm5ic3A7ICZuYnNwO3VucmVj b2duaXplZCBjcml0aWNhbA0KQ1JMRW50cnlFeHRlbnNpb248YnI+DQomZ3Q7IDxicj4NCiZndDsg PGJyPg0KJmd0OyBJIGhvcGUgd2UgYWdyZWUgdGhhdCBYLjUwOSBhbmQgcmZjNTI4MCBhZ3JlZSBv biAoMSkgYW5kICgyKSByZXN1bHRzPGJyPg0KJmd0OyBmb3IgQ1JMIGNoZWNraW5nLjxicj4NCiZn dDsgPGJyPg0KJmd0OyByZmM1MjgwIGN1cnJlbnRseSBzYXlzIHRoYXQgZm9yICgzKSsoNCkgdGhl IGVudGlyZSBDUkwgb3VnaHQgdG8gYmUNCmlnbm9yZWQ8YnI+DQomZ3Q7IGFuZCBvdGhlciBDUkxz IG5lZWQgdG8gYmUgZXZhbHVhdGVkICZxdW90O1VOREVURVJNSU5FRCZxdW90Ozxicj4NCiZndDsg PGJyPg0KJmd0OyBYLjUwOSBzYXlzIGluIChhJmd0OykgdGhhdCBmb3IgKDMpIHRoZSBzdGF0dXMg b2YgdGhlIGNlcnQgaXMgZGVmaW5pdGVseQ0KcmV2b2tlZDxicj4NCiZndDsgYW5kIHNheXMgaW4g KGMmZ3Q7KSBmb3IgKDQpIHRoYXQgdGhlIENSTCBvdWdodCB0byBiZSBpZ25vcmVkIGFuZCBvdGhl cg0KQ1JMcyBuZWVkPGJyPg0KJmd0OyB0byBiZSBldmFsdWF0ZWQgJnF1b3Q7VU5ERVRFUk1JTkVE JnF1b3Q7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFdoaWxlIGJvdGggWC41MDkgYW5kIHJmYzUyODAg YWdyZWUgb24gdGhlIHJlc3VsdCBmb3IgKDQpICZxdW90O1VOREVURVJNSU5FRCZxdW90Oyw8YnI+ DQomZ3Q7IHRoZXJlIGlzIHRoZSBzdXBlcmZpY2lhbCBhcHBlYXJhbmNlIG9mIGEgZGlmZmVyZW5j ZSBmb3IgYSBjYXN1YWw8YnI+DQomZ3Q7IGltcGxlbWVudGVyIGZvciBjYXNlICgzKSBiZXR3ZWVu IFguNTA5ICZxdW90O1JFVk9LRUQmcXVvdDsgYW5kIHJmYzUyODANCiZxdW90O1VOREVURVJNSU5F RCZxdW90Ozxicj4NCiZndDsgdGhhdCBtaWdodCBsZWFkIHRvIGEgc2xpZ2h0bHkgbGVzcyBlZmZp Y2llbnQgcHJvY2Vzc2luZyBDUkxzLjxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFRo ZSBuZXdseSBwcm9wb3NlZCB0ZXh0IChpbiAtMDkpOjxicj4NCiZndDsgPGJyPg0KJmd0OyB8ICZu YnNwOyAmbmJzcDsgSWYgYSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5z aW9uPGJyPg0KJmd0OyB8ICZuYnNwOyAmbmJzcDsgdGhhdCB0aGUgYXBwbGljYXRpb24gY2Fubm90 IHByb2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0aW9uDQpNVVNUPGJyPg0KJmd0OyB8ICZuYnNwOyAm bmJzcDsgTk9UIHVzZSB0aGF0IENSTCB0byBkZXRlcm1pbmUgdGhlIHN0YXR1cyBvZiB0aGUgY2Vy dGlmaWNhdGU8YnI+DQomZ3Q7IHwgJm5ic3A7ICZuYnNwOyByZXByZXNlbnRlZCBieSB0aGUgQ1JM IGVudHJ5LiAmbmJzcDs8YnI+DQomZ3Q7IDxicj4NCiZndDsgY3JlYXRlcyBhIHNpZ25pZmljYW50 bHkgZGlzdGluY3QgYmVoYXZpb3VyIGZvciBjYXNlICg0KSB3aGVyZSBYLjUwOTxicj4NCiZndDsg YW5kIHJmYzUyODAgYWdyZWVkIG9uICZxdW90O1VOREVURVJNSU5FRCZxdW90OywgYnkgcmVkZWZp bmluZyB0aGUNCnJlc3VsdCB0bzxicj4NCiZndDsgYmUgJnF1b3Q7VU5SRVZPS0VEJnF1b3Q7LCBh bmQgcG90ZW50aWFsbHkgY3JlYXRlcyBhIHNlY3VyaXR5IHByb2JsZW0sDQphbmQgYTxicj4NCiZn dDsgbmV3LCBiYWNrd2FyZHMtaW5jb21wYXRpYmxlIGJlaGF2aW91ciBmb3IgYSBzaXR1YXRpb24g d2hlcmU8YnI+DQomZ3Q7IFguNTA5IGFuZCByZmM1MjgwIHVzZWQgdG8gYWdyZWUuIFN0aWxsLCB0 aGUgbmV3IHRleHQgZG9lcyBub3QgZG88YnI+DQomZ3Q7IGFueXRoaW5nIGFib3V0IGNhc2UgKDMp LCB0aGUgb25seSBjYXNlIHdoZXJlIFguNTA5IGFuZCByZmM1MjgwPGJyPg0KJmd0OyBhcHBlYXIg dG8gZGlmZmVyIChpbiBhIG1vc3RseSBtYXJnaW5hbCBmYXNoaW9uKS48YnI+DQomZ3Q7IDxicj4N CiZndDsgPGJyPg0KJmd0OyBBIGNhcmVmdWwgaW1wbGVtZW50b3IsIHRoYXQgYW5hbHl6ZXMgTk9U RSA0IGFuZCBOT1RFIDUgZnJvbSBYLjUwOTxicj4NCiZndDsgcXVvdGVkIGFib3ZlIGluIGl0cyBl bnRpcmV0eSwgc2hvdWxkIHJlYWxpemUgdGhhdCB0aGUgc2l0dWF0aW9uPGJyPg0KJmd0OyB3aGVy ZSBYLjUwOSBhbmQgcmZjNTI4MCBkaWZmZXIgaXMgbWFyZ2luYWwuPGJyPg0KJmd0OyA8YnI+DQom Z3Q7IFRoaXMgaXMgYmVjYXVzZSAoZCZndDspIGluIE5PVEUgNSBhYm92ZSByZXF1aXJlcyAoJnF1 b3Q7c2hhbGwmcXVvdDspDQp0aGF0IGE8YnI+DQomZ3Q7IGNyaXRpY2FsIGNybEVudHJ5RXh0ZW5z aW9uIHdpdGggYSBzZW1hbnRpYyBiZXlvbmQgJnF1b3Q7dGhpcyBjZXJ0DQppczxicj4NCiZndDsg cmV2b2tlZCZxdW90OyksIE1VU1QgYmUgYWRkaXRpb25hbGx5IGluY2x1ZGVkIGFzIGEgY3JpdGlj YWwgY3JsRXh0ZW5zaW9uLDxicj4NCiZndDsgd2l0aCB0aGUgZWZmZWN0IHRoYXQgdGhlIGVudGly ZSBDUkwgd2lsbCBoYXZlIHRvIGJlIGlnbm9yZWQgYnk8YnI+DQomZ3Q7IGJvdGggWC41MDkgYW5k IHJmYzUyODAgaW1wbGVtZW50YXRpb25zIHRoYXQgZG8gbm90IHJlY29nbml6ZTxicj4NCiZndDsg dGhlIGNybEV4dGVuc2lvbi4gJm5ic3A7U28gYWxsIGNvbXBsaWFudCBDUkxzIHdpdGggYSAmcXVv dDtmYW5jeSZxdW90Ozxicj4NCiZndDsgdW5yZWNvZ25pemVkIGNyaXRpY2FsIGNybEVudHJ5RXh0 ZW5zaW9uLCB0aGUgYWNjb21wYW55aW5nPGJyPg0KJmd0OyB1bnJlY29nbml6ZWQgY3JpdGljYWwg Y3JsRXh0ZW5zaW9uIHdpbGwgY2F1c2UgWC41MDkgYW5kIHJmYzUyODA8YnI+DQomZ3Q7IHRvIGFn cmVlIG9uICgzKSB0byByZXR1cm4gJnF1b3Q7VU5ERVRFUk1JTkVEJnF1b3Q7IGFuZCByZXF1aXJl IG90aGVyPGJyPg0KJmd0OyBDUkxzIHRvIGJlIGNoZWNrZWQuIDxicj4NCiZndDsgPGJyPg0KJmd0 OyA8YnI+DQomZ3Q7IC1NYXJ0aW48YnI+DQomZ3Q7IF9fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fPGJyPg0KJmd0OyBwa2l4IG1haWxpbmcgbGlzdDxicj4NCiZn dDsgPC9mb250PjxhIGhyZWY9bWFpbHRvOnBraXhAaWV0Zi5vcmc+PGZvbnQgc2l6ZT0zIGNvbG9y PWJsdWUgZmFjZT0iQ291cmllciBOZXciPjx1PnBraXhAaWV0Zi5vcmc8L3U+PC9mb250PjwvYT48 Zm9udCBzaXplPTMgZmFjZT0iQ291cmllciBOZXciPjxicj4NCiZndDsgPC9mb250PjxhIGhyZWY9 aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9wa2l4Pjxmb250IHNpemU9MyBj b2xvcj1ibHVlIGZhY2U9IkNvdXJpZXIgTmV3Ij48dT5odHRwczovL3d3dy5pZXRmLm9yZy9tYWls bWFuL2xpc3RpbmZvL3BraXg8L3U+PC9mb250PjwvYT48Zm9udCBzaXplPTMgZmFjZT0iVGltZXMg TmV3IFJvbWFuIj4NCjwvZm9udD4NCjxicj4NCg== --=_alternative 006D8CC8C1257A7C_=-- From peter@akayla.com Mon Sep 17 13:06:39 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFF2F21E803C for ; Mon, 17 Sep 2012 13:06:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.202 X-Spam-Level: X-Spam-Status: No, score=-1.202 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ef5dPuUCNuVv for ; Mon, 17 Sep 2012 13:06:31 -0700 (PDT) Received: from p3plsmtpa08-03.prod.phx3.secureserver.net (p3plsmtpa08-03.prod.phx3.secureserver.net [173.201.193.104]) by ietfa.amsl.com (Postfix) with SMTP id BAE5F21F84FD for ; Mon, 17 Sep 2012 13:06:30 -0700 (PDT) Received: (qmail 1501 invoked from network); 17 Sep 2012 20:06:29 -0000 Received: from unknown (12.31.178.2) by p3plsmtpa08-03.prod.phx3.secureserver.net (173.201.193.104) with ESMTP; 17 Sep 2012 20:06:27 -0000 User-Agent: Microsoft-MacOutlook/14.2.3.120616 Date: Mon, 17 Sep 2012 13:06:32 -0700 From: Peter Yee To: , Piyush Jain Message-ID: Thread-Topic: [pkix] 5280bis, v-09 In-Reply-To: Mime-version: 1.0 Content-type: multipart/alternative; boundary="B_3430731996_965168" Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 20:06:39 -0000 > This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --B_3430731996_965168 Content-type: text/plain; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable Denis, I much prefer to return a status of "unknown" which is, as you point out in your example below, more accurate. Returning a status of "revoked" while certainly preventing the relying party from mistakenly trusting the certificate, might have unintended consequences as well. An unknown status should suffice to prevent using the certificate without having immediate implications beyond that. -Peter On 9/17/12 12:57 PM, "denis.pinkas@bull.net" wrote: Piyush, I have been involved in the writing of ISO standards, including X.509. Sharon has been even more involved than myself, since she has been the editor during some period of time . There is something important to know about ISO standards: =20 The text placed under a NOTE is *not* normative. I copied and pasted the text from X.509 and we have the following: NOTE 4 =AD When an implementation processing a certificate revocation list does not recognize a critical extension in the crlEntryExtensions field, it shall assume that, at a minimum, the identifie= d certificate has been revoked and is no longer valid and perform additional actions concerning that revoked certificate as dictated by local policy. When an implementation does not recognize a critical extension in the crlExtensions field, it shall assume that identified certificates have been revoked and are no longer valid. However in the latter case, since the list may not be complete, certificates that have not been identified as being revoked cannot be assumed to be valid. In this case local policy shall dictate the action to be taken. In any case local policy may dictate actions in addition to and/or stronger than those stated in this Specification. So this text is not normative. We can say something different in RFC 5280 and this will *not* be a contradiction. So the real question is simply : what makes sense to say about the treatmen= t of the crlEntryExtensions field ? I believe (or I hope) we are close to a agreement, except whether we should use the word "revoked" or "unknown" in the last word on the sentence proposed today. So the two options are: A) If an application cannot process a critical extension in the crlEntryExtensions field of an entry that affects only the certificate specified in that entry, as indicated by the absence of a related critical extension in the crlExtensions field, then the status of certificate identified by the CRL entry shall be considered as unkown. B) If an application cannot process a critical extension in the crlEntryExtensions field of an entry that affects only the certificate specified in that entry, as indicated by the absence of a related critical extension in the crlExtensions field, then the status of certificate identified by the CRL entry shall be considered as revoked. I believe that A) is better, but the difference is tenuous. See a new example below.=20 What do you (and others) think ? Denis =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D =3D=3D=3D=3D=3D=3D=3D The status of a given certificate is indicated as =B3good=B2, but there is a CR= L entry with a critical CRL entry extension. Whatever, this crlEntryExtension means, if an application considers that th= e status of the certificate for the entry is "unknown", it can attempt to use an OCSP service, if available; but if an application considers that the status of the certificate for the entry is "revoked ", it will not attempt to call it= . As an example, this critical CRL entry extension means (only for applications which understand it) : "The CRL issuer of this CRL has not been able to obtain in real time the status of the certificates using a database of issued certificates. Rather than not issuing the CRL and creating a denial of service for all verifiers, this CRL has been issued, but is not "fresh". If you really need to take a decision now= , you can use this CRL but at your own risk. If you can access an OCSP server, you might be able to get a fresher status= . Otherwise, if you can wait, you can try again later on". =20 De : Piyush Jain A : Santosh Chokhani , "denis.pinkas@bull.net= " Cc : "mrex@sap.com" , pkix Date : 17/09/2012 17:06 Objet : RE: [pkix] 5280bis, v-09 My recommendation would be to go with =8Crevoked=B9 on this unless we can explicitly spell out why we chose =8Cunknown=B9 to override X.509. =20 I just want to avoid the situation where someone raises this issue again in a few years that 5280 is inconsistent with X.509 without any apparent reason. =20 From: Santosh Chokhani [mailto:SChokhani@cygnacom.com ] Sent: Monday, September 17, 2012 7:48 AM To: denis.pinkas@bull.net Cc: mrex@sap.com; Piyush Jain; pkix Subject: RE: [pkix] 5280bis, v-09 =20 Denis, =20 I am ok either way (unknown or revoked). The good thing is that the new text spells things out more clearly. =20 From: denis.pinkas@bull.net [mailto:denis.pinkas@bull.net] Sent: Monday, September 17, 2012 10:42 AM To: Santosh Chokhani Cc: mrex@sap.com ; Piyush Jain; pkix Subject: RE: [pkix] 5280bis, v-09 =20 Santosh, Piyush and Martin, Sorry, I made a mistake when making my proposal this morning. I wrote "revoked", but was advocating "unknown". Based on the latest text proposed from Santosh, I would rather prefer: If an application cannot process a critical extension in the crlEntryExtensions field of an entry that affects only the certificate specified in that entry, as indicated by the absence of a related critical extension in the crlExtensions field, then the status of certificate identified by the CRL entry shall be considered unkown. instead of :=20 If an application cannot process a critical extension in the crlEntryExtensions field of an entry that affects only the certificate specified in that entry, as indicated by the absence of a related critical extension in the crlExtensions field, then the certificate identified by the CRL entry shall be considered revoked. Denis=20 De : Santosh Chokhani > A : "denis.pinkas@bull.net " >, "mrex@sap.com " >, Piyush Jain > Cc : pkix > Date : 17/09/2012 16:21 Objet : RE: [pkix] 5280bis, v-09 This also relates to earlier post I made in response to Piyush. =20 I assume we are adding the following to the RFC =B3A critical extension in th= e crlEntryExtensions field of an entry shall affect only the certificate specified in that entry, unless there is a related critical extension in th= e crlExtensions field that advertises a special treatment for it.=B2 In order to use such CRL, the relying party must be able to process both the crlEntryExtension and the related crlExtension.=B2 =20 In that case, I do not mind adding the following to 5280 (a slight modification to what Denis has: =20 If an application cannot process a critical extension in the crlEntryExtensions field of an entry that affects only the certificate specified in that entry, as indicated by the absence of a related critical extension in the crlExtensions field, then the certificate identified by th= e CRL entry shall be considered revoked. =20 From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org ] On Behalf Of denis.pinkas@bull.net Sent: Monday, September 17, 2012 3:47 AM To: mrex@sap.com ; Piyush Jain Cc: pkix Subject: Re: [pkix] 5280bis, v-09 =20 Good catch Martin,=20 You came back from vacation just in time. :-) I propose the following: Replace:=20 | If a CRL contains a critical CRL entry extension | that the application cannot process, then the application MUST | NOT use that CRL to determine the status of any certificates. with=20 | If a CRL contains in a CRL entry a critical CRL entry extension | that the application cannot process, then the application MUST | consider that the certificate identified in that CRL entry is | revoked. =20 In order to answer to Piyush, I believe that =B3unknown=B2 should be used rathe= r than =B3revoked=B2.=20 The following example is an illustration: The status of a given certificate is indicated as =B3good=B2, but there is a CR= L entry with a critical CRL entry extension. This entry means (for the applications which understan= d it) :=20 "The status which is usually obtained using a database of issued certificates has been obtained from CRLs. If you really need to take a decision now, it is at your own risk. If you can wait, you had better to try again later on". Your next question will certainly be: so why don=B9t you use the proposed certInfo extension ? For applications which do not understand this critical CRL entry extension, there is no difference. They get an "unknown" status in both cases. For applications which understand this critical CRL entry extension it provides less benefits than the proposed certInfo extension, but it might be quicker to implement and it enforces a policy. Denis=20 > I object to the proposed new text about CRLEntryExtensions > in the clarification document, because as is, would significantly > worsen the difference between PKIX and X.509 and make things > clearly incompatible rather than slightly less efficient. >=20 > If anything, the gap should be reduced, compatibility between > PKIX and X.509 improved and the original architecture not violated. >=20 > Please recall the original NOTE 4 & 5 that I quoted from > ITU-T Rec. X.509 (08/2005), Section 7.3, top of page 18: > (get them here http://www.itu.int/rec/T-REC-X.509 ): >=20 > a> NOTE 4 -- When an implementation processing a certificate revocation > a> list does not recognize a critical extension in the crlEntryExtension= s > a> field, it shall assume that, at a minimum, the identified certificate > a> has been revoked and is no longer valid and perform additional action= s > a> concerning that revoked certificate as dictated by local policy. >=20 > b> When an implementation does not recognize a critical extension in the > b> crlExtensions field, it shall assume that identified certificates > b> have been revoked and are no longer valid. >=20 > c> However in the latter case, > c> since the list may not be complete, certificates that have not been > c> identified as being revoked cannot be assumed to be valid. In this ca= se > c> local policy shall dictate the action to be taken. In any case local > c> policy may dictate actions in addition to and/or stronger than those > c> stated in this Specification. >=20 > d> NOTE 5 -- If an extension affects the treatment of the list > d> (e.g., multiple CRLs need to be scanned to examine the entire list of > d> revoked certificates, or an entry may represent a range of certificat= es), > d> then that extension shall be indicated as critical in the crlExtensio= ns > d> field regardless of where the extension is placed in the CRL. >=20 > e> An extension indicated in the crlEntryExtensions field of an entry sh= all > e> be placed in that entry and shall affect only the certificate(s) > e> specified in that entry. >=20 >=20 > (I inserted blank lines above for visual clarity of the X.509 requirement= s). >=20 > two options, all combinations: >=20 > (1) cert on CRL, CRL with NO unrecognized critical CRLEntryExtension= s > (2) cert NOT on CRL, CRL with NO unrecognized critical CRLEntryExtension= s > (3) cert on CRL, CRL with unrecognized critical CRLEntryExtension > (4) cert NOT on CRL, CRL with unrecognized critical CRLEntryExtension >=20 >=20 > I hope we agree that X.509 and rfc5280 agree on (1) and (2) results > for CRL checking. >=20 > rfc5280 currently says that for (3)+(4) the entire CRL ought to be ignore= d > and other CRLs need to be evaluated "UNDETERMINED" >=20 > X.509 says in (a>) that for (3) the status of the cert is definitely revo= ked > and says in (c>) for (4) that the CRL ought to be ignored and other CRLs = need > to be evaluated "UNDETERMINED" >=20 > While both X.509 and rfc5280 agree on the result for (4) "UNDETERMINED", > there is the superficial appearance of a difference for a casual > implementer for case (3) between X.509 "REVOKED" and rfc5280 "UNDETERMINE= D" > that might lead to a slightly less efficient processing CRLs. >=20 >=20 > The newly proposed text (in -09): >=20 > | If a CRL contains a critical CRL entry extension > | that the application cannot process, then the application MUST > | NOT use that CRL to determine the status of the certificate > | represented by the CRL entry. >=20 > creates a significantly distinct behaviour for case (4) where X.509 > and rfc5280 agreed on "UNDETERMINED", by redefining the result to > be "UNREVOKED", and potentially creates a security problem, and a > new, backwards-incompatible behaviour for a situation where > X.509 and rfc5280 used to agree. Still, the new text does not do > anything about case (3), the only case where X.509 and rfc5280 > appear to differ (in a mostly marginal fashion). >=20 >=20 > A careful implementor, that analyzes NOTE 4 and NOTE 5 from X.509 > quoted above in its entirety, should realize that the situation > where X.509 and rfc5280 differ is marginal. >=20 > This is because (d>) in NOTE 5 above requires ("shall") that a > critical crlEntryExtension with a semantic beyond "this cert is > revoked"), MUST be additionally included as a critical crlExtension, > with the effect that the entire CRL will have to be ignored by > both X.509 and rfc5280 implementations that do not recognize > the crlExtension. So all compliant CRLs with a "fancy" > unrecognized critical crlEntryExtension, the accompanying > unrecognized critical crlExtension will cause X.509 and rfc5280 > to agree on (3) to return "UNDETERMINED" and require other > CRLs to be checked. >=20 >=20 > -Martin > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix _______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix --B_3430731996_965168 Content-type: text/html; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable
Denis,
I much prefer to return a = status of "unknown" which is, as you point out in your example below, m= ore accurate.  Returning a status of "revoked" while certainly preventi= ng the relying party from mistakenly trusting the certificate, might have un= intended consequences as well.  An unknown status should suffice to pre= vent using the certificate without having immediate implications beyond that= .

-Peter

On 9/17/12 12:57 PM, "denis.pin= kas@bull.net" <denis.pinkas@bu= ll.net> wrote:

= Piyush,

I have been involved in th= e writing of ISO standards, including X.509.

Shar= on has been even more involved than myself, since she has been
the editor during some period of time .


There is something important to know about ISO standards:
 
The text placed under a NOTE is *not* normative.


I = copied and pasted the text from X.509 and we have the following:

NOTE 4 = 211; When an implementation processing a certificate revocation list does not recognize a critical extension in the
crlEntryExtensions field, = it shall assume that, at a minimum, the identified certificate has been revoked and is no longer valid
and perform ad= ditional actions concerning that revoked certificate as dictated by local policy. When an implementatio= n does not
recognize a critical extensi= on in the crlExtensions field, it shall assume that identified certificates have been revoked and are
no longer valid. However in t= he latter case, since the list may not be complete, certificates that have not been identif= ied as being
revoked cannot be assumed to= be valid. In this case local policy shall dictate the action to be taken. In any case local policy may
dictate actions in a= ddition to and/or stronger than those stated in this Specification.

So this text is not normative.  We can say something different in RFC 5280 and this will *not* be a contradiction.=

So the real question is simply : = what makes sense to say about the treatment of the crlEntryExtensions field ?

I believe (or I hope) we are cl= ose to a agreement, except whether we should use the word "revoked" or "unknown"
in the last word on the sentence proposed today.


So the two options are:

A)  If an application cannot process a critical extension in the crlEntryExtensions field of an entry
that affects only the certificate specified in that entry, as indicated by the absence of a related
critical extension in the crlExtensions field, then the status of certificate identified by the CRL entry
shall be considered
a= s unkown.

B= ) If an application cannot process a critical extension in the crlEntryExtensions field of an entry
that affects only the certificate specified in that entry, as indicated by the absence of a related
critical extension in the crlExtensions field, then the status of certificate identified by the CRL entry
shall be considered
a= s revoked.


= I believe that A) is better, but the difference is tenuous. See a new example below.

What do you (and others) think ?

Denis

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

The status of a given certificate is indicated as “good”, but there is a CRL entry with a critical
CRL entry extension.


Whatever, t= his crlEntryExtension means, if an application considers that the status of the certificate for the entry
is  "unknown", it can attempt to use an OCSP service, if available; but if an application considers that the status of
the certificate for the entry is "revoked ", it will not attempt to call it.


As an example, this c= ritical CRL entry extension means (only for applications which understand it) :

"The CRL issuer of this CRL has not been able to obtain in real time the status of the certificates using a database
of issued certificates. Rather than not issuing the CRL and creating a denial of service for all verifiers, this CRL has
been issued,  but is not "fresh". If you really need to take a decision now, you can use this CRL but at your own risk.
If you can access an OCSP server, you might be able to get a fresher status= . Otherwise, if you can wait, you can
try again later on".




De= :        Piyush Jain <piyush@identicate.com>
A :        Santosh Chokhani <SChokhani@cygnacom.com>, "denis.pinkas@bull.net" <denis.pinkas@bull.net>
<= font size=3D"1" color=3D"#5f5f5f" face=3D"sans-serif">Cc :        "mrex@sap.com" <mrex@sap.com>, pkix <pkix@ietf.org>
Date :        17/09/2012 17:06
Objet :        RE: [pkix] 5280bis, v-09




My recommendation would be to go with ‘revoked’ on this unless we can explicitly spell = out why we chose ‘unknown’ to override X.509.
 
I just want to avoid the situation where someone raises this issue again in a few years that 5280 is inconsistent with X.509 without any apparent reason.
 
From: Santosh Chokhani [mailto:SChokhani@cygnacom.com]
Sent:
Monday, September 17, 2012 7:48 AM
To:
denis.pinkas@bull.net=
Cc:
mrex@sap.com; Piyush Jain; pkix
Subject:
RE: [pkix] 5280bis, v-09
 
Deni= s,
 
I am ok either way (unknown or revoked).  The good thing is that the new text spells things out more clearly.

 <= /font>
From: denis.pin= kas@bull.net[mailto:denis.pinkas@bull.net]
Sent:
Monday, September 17, 2012 10:42 AM
To:
Santosh Chokhani
Cc:
mrex@sap.com; Piyush Jain; pkix
Subject:
RE: [pkix] 5280bis, v-09

 
Santosh, Piyush and = Martin,

Sorry, I made a mistake when making my proposal this morning.
I wrote "revoked", but was advocating "unknown".


Based on the latest text proposed from Santosh, I would rather prefer:

If an application cannot process a critical extension in the crlEntryExt= ensions field of an entry
that affects only the certificate specified in that entry, as indicated by the absence of a related
critical extension in the crlExtensions field, then the
status of
certificate identified by the CRL entry
shall be considered
u= nkown.

instead of :


If an application cannot process a critical extension in the crlEntryExt= ensions field of an entry
that affects only the certificate specified in that entry, as indicated by the absence of a related
critical extension in the crlExtensions field, then the certificate identified by the CRL entry
shall be considered revoked.

Denis






=



De :        
Santosh Chokhani <SChokhani@cygnacom.com>
A :        
"<= a href=3D"mailto:denis.pinkas@bull.net">denis.pinkas@bull.net" <denis.pinkas@bull.net>, "mrex@sap.com" <mrex@sap.com>, Piyush Jain <piyush@identicate.com><= font size=3D"3" color=3D"#5f5f5f" face=3D"Arial">
Cc :        pkix <= ;pkix@ietf.org>
Date :        
17/09/= 2012 16:21
Objet :        
RE: [pkix] 5280bis, v-09





This also relates to earlier post I made in response to Piyush.

 
I assume we are adding the following to the RFC “
A critical extension in the crlEntryExtensions field of an entry shall= affect only the certificate specified in that entry, unless there is a related critical extension in the crlExtensions field that advertise= s a special treatment for it.”  In order to use such CRL, the rely= ing party must be able to process both the crlEntryExtension and the related crlExtension.”
 
In that case, I do not mind adding the following to 5280 (a slight modifica= tion to what Denis has:

 
If an application cannot process a critical extension in the crlEntryExt= ensions field of an entry that affects only the certificate specified in that entry= , as indicated by the absence of a related critical extension in the crlEx= tensions field, then the certificate identified by the CRL entry shall be considered= revoked.

 
From:
pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of denis.pinkas@bull.net
Sent:
Monday, September 17, 2012 3:47 AM
To:
mrex@sap.com; Piyush Jain
Cc:
pkix
Subject:
Re: [pkix] 5280bis, v-09

 

Good catch Martin,


You came back from vacation just in time. :-)

I propose the following:


Replace:


|     If a CRL contains a critical CRL entry extension
|     that the application cannot process, then the application MUST
|     NOT use that CRL to determine the status of any certificate= s.


with


|     If a CRL contains in a CRL entry a critical CRL entry exten= sion
|     that the application cannot process, then the application MUST
|     consider that the certificate identified in that CRL entry is
|     revoked.  


In order to answer to Piyush, I believe that “unknown” should b= e used rather than “revoked”.


The following example is an illustration:


The status of a given certificate is indicated as “good”, but t= here is a CRL entry with a critical
CRL entry extension. This entry means (for the applications which understan= d it) :

"The status which is usually obtained using a database of issued certificat= es has been obtained from CRLs.
If you really need to take a decision now, it is at your own risk. If you can wait, you had better to try again later on".


Your next question will certainly be: so why don’t you use the propos= ed certInfo extension ?


For applications which do not understand this critical CRL entry extension,= there is no difference.

They get an "unknown" status in both cases.


For applications which understand this critical CRL entry extension it provides less benefits
than the proposed certInfo extension, but it might be quicker to implement and it enforces a policy.


Denis



> I object to the proposed new text about CRLEntryExtensions
> in the clarification document, because as is, would significantly
> worsen the difference between PKIX and X.509 and make things
> clearly incompatible rather than slightly less efficient.
>
> If anything, the gap should be reduced, compatibility between
> PKIX and X.509 improved and the original architecture not violated. >
> Please recall the original NOTE 4 & 5 that I quoted from
> ITU-T Rec. X.509 (08/2005), Section 7.3, top of page 18:
> (get them here
http://www.itu.int/rec/T-REC-= X.509
):
>
> a>  NOTE 4 -- When an implementation processing a certificate revocation
> a>  list does not recognize a critical extension in the crlEnt= ryExtensions
> a>  field, it shall assume that, at a minimum, the identified certificate
> a>  has been revoked and is no longer valid and perform additi= onal actions
> a>  concerning that revoked certificate as dictated by local policy.
>
> b>  When an implementation does not recognize a critical exten= sion in the
> b>  crlExtensions field, it shall assume that identified certi= ficates
> b>  have been revoked and are no longer valid.
>
> c>                                        = ;     However in the latter case,
> c>  since the list may not be complete, certificates that have not been
> c>  identified as being revoked cannot be assumed to be valid.= In this case
> c>  local policy shall dictate the action to be taken. In any case local
> c>  policy may dictate actions in addition to and/or stronger than those
> c>  stated in this Specification.
>
> d>  NOTE 5 -- If an extension affects the treatment of the list
> d>  (e.g., multiple CRLs need to be scanned to examine the entire list of
> d>  revoked certificates, or an entry may represent a range of certificates),
> d>  then that extension shall be indicated as critical in the crlExtensions
> d>  field regardless of where the extension is placed in the CRL.
>
> e>  An extension indicated in the crlEntryExtensions field of an entry shall
> e>  be placed in that entry and shall affect only the certific= ate(s)
> e>  specified in that entry.
>
>
> (I inserted blank lines above for visual clarity of the X.509 requirem= ents).
>
> two options, all combinations:
>
>  (1) cert     on CRL, CRL with NO unrecognized critical= CRLEntryExtensions
>  (2) cert NOT on CRL, CRL with NO unrecognized critical CRLEntryE= xtensions
>  (3) cert     on CRL, CRL with    unrecognize= d critical CRLEntryExtension
>  (4) cert NOT on CRL, CRL with    unrecognized critical= CRLEntryExtension
>
>
> I hope we agree that X.509 and rfc5280 agree on (1) and (2) results > for CRL checking.
>
> rfc5280 currently says that for (3)+(4) the entire CRL ought to be ignored
> and other CRLs need to be evaluated "UNDETERMINED"
>
> X.509 says in (a>) that for (3) the status of the cert is definitel= y revoked
> and says in (c>) for (4) that the CRL ought to be ignored and other= CRLs need
> to be evaluated "UNDETERMINED"
>
> While both X.509 and rfc5280 agree on the result for (4) "UNDETERMINED= ",
> there is the superficial appearance of a difference for a casual
> implementer for case (3) between X.509 "REVOKED" and rfc5280 "UNDETERMINED"
> that might lead to a slightly less efficient processing CRLs.
>
>
> The newly proposed text (in -09):
>
> |     If a CRL contains a critical CRL entry extension
> |     that the application cannot process, then the applicat= ion MUST
> |     NOT use that CRL to determine the status of the certif= icate
> |     represented by the CRL entry.  
>
> creates a significantly distinct behaviour for case (4) where X.509 > and rfc5280 agreed on "UNDETERMINED", by redefining the result to
> be "UNREVOKED", and potentially creates a security problem, and a
> new, backwards-incompatible behaviour for a situation where
> X.509 and rfc5280 used to agree. Still, the new text does not do
> anything about case (3), the only case where X.509 and rfc5280
> appear to differ (in a mostly marginal fashion).
>
>
> A careful implementor, that analyzes NOTE 4 and NOTE 5 from X.509
> quoted above in its entirety, should realize that the situation
> where X.509 and rfc5280 differ is marginal.
>
> This is because (d>) in NOTE 5 above requires ("shall") that a
> critical crlEntryExtension with a semantic beyond "this cert is
> revoked"), MUST be additionally included as a critical crlExtension, > with the effect that the entire CRL will have to be ignored by
> both X.509 and rfc5280 implementations that do not recognize
> the crlExtension.  So all compliant CRLs with a "fancy"
> unrecognized critical crlEntryExtension, the accompanying
> unrecognized critical crlExtension will cause X.509 and rfc5280
> to agree on (3) to return "UNDETERMINED" and require other
> CRLs to be checked.
>
>
> -Martin
> _______________________________________________
> pkix mailing list
>
pkix@ietf.org
>
https://www.ietf.org/mailman/listinf= o/pkix
_______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/m= ailman/listinfo/pkix --B_3430731996_965168-- From mrex@sap.com Mon Sep 17 13:58:38 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 150E121E8047 for ; Mon, 17 Sep 2012 13:58:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.212 X-Spam-Level: X-Spam-Status: No, score=-10.212 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0YcnK7PlPS+9 for ; Mon, 17 Sep 2012 13:58:37 -0700 (PDT) Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 254D521F871A for ; Mon, 17 Sep 2012 13:58:36 -0700 (PDT) Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id q8HKwVq4012826 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 17 Sep 2012 22:58:31 +0200 (MEST) In-Reply-To: To: denis.pinkas@bull.net Date: Mon, 17 Sep 2012 22:58:30 +0200 (CEST) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20120917205830.C12731A22F@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 20:58:38 -0000 denis.pinkas@bull.net wrote: > > So the two options are: > > A) If an application cannot process ... critical crlEntryExtension > ... then the status of certificate identified by the CRL entry > shall be considered as unkown. > > B) If an application cannot process ... critical crlEntryExtension > then the status of certificate identified by the CRL entry > shall be considered as revoked. > > I believe that A) is better, but the difference is tenuous. See a new > example below. rfc5280 currently specifies (A), X.509 explicitly assumes (B). Personally, I'm OK with (A), I agree with Santosh that the issuer name compression scheme for crlEntryExtensions interferes with (B). But what REALLY concerns me is, what about the status of certs that are *NOT* listed on the CRL. It is for this situation where the guidance in NOTE 4 and NOTE 5 in X.509 creates a problem, in where the proposed addition in -09 (ignore only that crlEntry with the unrecognized critical crlEntryExtension) would create a problem. rfc5280 says (and agrees with X.509) that CRL with an unrecognized critical crlExtension *or* unrecognized critical crlEntryExtension shall not be used to determine the status of a certificate that is *NOT* listed on the CRL. > > I have been involved in the writing of ISO standards, including X.509. > > Sharon has been even more involved than myself, since she has been > the editor during some period of time . > > There is something important to know about ISO standards: > > The text placed under a NOTE is *not* normative. Now that you mentioned this, what is stated in the beginning of the document (page ii) is this: NOTE [...] Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g., interoperability or applicability) and *> compliance with the Recommendation is achieved when all of *> these mandatory provisions are met. The words "shall" or some *> other obligatory language such as "must" and the negative *> equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. I don't see where this document says that explicit requirements ("shall") placed under a NOTE would not be normative. If it was meant non-normative, then "should" rather than "shall" would have to be used. You seem to say that a NOTE within normative sections of an ISO spec always is non-normative, even when it uses normative language (= absolute requirements "shall" and "must not")? To me, such an interpretation appears neither intuitive nor reasonable, and actually amounts to logical nonsense. The semantics of the criticality flag for a (certificate) extension seems to be first defined in Section 7 of ITU-T T-REC X.509 08/2005, bottom of page 12: When an implementation processing a certificate does not recognize an extension, if the criticality flag is FALSE, it may ignore that extension. If the criticality flag is TRUE, unrecognized extensions shall cause the structure to be considered invalid, i.e., in a certificate, an unrecognized critical extension would cause validation of a signature using that certificate to fail. if NOTE 4 was really non-normative, then it could not possibly change the semantics of an unrecognized critical crlEntryExtension to be treated differently ("shall assume the identified certificate to be ignored") -- in which case a non-normative statement to that effect would be a clear logical contradiction. The processing of unrecognized critical crlEntryExtensions and unrecognized critical crlExtensions is mis-specified, and any presumption "Text under NOTE in an ISO-Standard are not meant to be normative" is *NOT* going to help in this situation in determining what should be the correct behaviour. -Martin From mrex@sap.com Mon Sep 17 14:04:40 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36E2E21F871E for ; Mon, 17 Sep 2012 14:04:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.216 X-Spam-Level: X-Spam-Status: No, score=-10.216 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B1+z0xEmGV-D for ; Mon, 17 Sep 2012 14:04:39 -0700 (PDT) Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 54AA921F844C for ; Mon, 17 Sep 2012 14:04:39 -0700 (PDT) Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id q8HL4X6W024317 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 17 Sep 2012 23:04:33 +0200 (MEST) In-Reply-To: <20120917205830.C12731A22F@ld9781.wdf.sap.corp> To: mrex@sap.com Date: Mon, 17 Sep 2012 23:04:33 +0200 (CEST) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20120917210433.4FBCB1A22F@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 21:04:40 -0000 Ooops, corrected paragraph (from my previous posting) below: Martin Rex wrote: > > denis.pinkas@bull.net wrote: > > > > So the two options are: > > > > A) If an application cannot process ... critical crlEntryExtension > > ... then the status of certificate identified by the CRL entry > > shall be considered as unkown. > > > > B) If an application cannot process ... critical crlEntryExtension > > then the status of certificate identified by the CRL entry > > shall be considered as revoked. > > > > I believe that A) is better, but the difference is tenuous. See a new > > example below. > > rfc5280 currently specifies (A), X.509 explicitly assumes (B). > Personally, I'm OK with (A), I agree with Santosh that the issuer name > compression scheme for crlEntryExtensions interferes with (B). > But what REALLY concerns me is, what about the status of certs that are *NOT* listed on the CRL. It is for this situation where the guidance in NOTE 4 and NOTE 5 in X.509 creates _no_ problem, whereas the proposed addition in -09 (ignore only that crlEntry with the unrecognized critical crlEntryExtension) will create a problem. > rfc5280 says (and agrees with X.509) that CRL with an unrecognized > critical crlExtension *or* unrecognized critical crlEntryExtension > shall not be used to determine the status of a certificate that > is *NOT* listed on the CRL. -Martin From kent@bbn.com Mon Sep 17 14:30:21 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CB1121F865E for ; Mon, 17 Sep 2012 14:30:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -106.524 X-Spam-Level: X-Spam-Status: No, score=-106.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zo9ht3fTW5Gc for ; Mon, 17 Sep 2012 14:30:20 -0700 (PDT) Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 8BA8821F8616 for ; Mon, 17 Sep 2012 14:30:20 -0700 (PDT) Received: from dhcp89-089-176.bbn.com ([128.89.89.176]:51098) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1TDitT-0005RB-2I for pkix@ietf.org; Mon, 17 Sep 2012 17:30:15 -0400 Message-ID: <50579666.3040705@bbn.com> Date: Mon, 17 Sep 2012 17:30:14 -0400 From: Stephen Kent User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20120907 Thunderbird/15.0.1 MIME-Version: 1.0 To: pkix Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: [pkix] 5280bis X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 21:30:21 -0000 I am in favor of discussing how to improve the CRL extension text that we just added. I am not as concerned about whether we are in perfect alignment with X.509. In general it is preferable to not introduce differences between the IETF and ITU-T standards. But we have had such differences in the past, when there were good reasons. For example, PKIX has always required the next update field to be present, since it's omission was a serious error in the X.509 standard. I believe that the example provided by indirect CRL entries is the principle motivation to clarify the wording in 5280. The "safe" interpretation is to treat the serial number of the cert in a CRL as being from the set of certs issued by the CA that issued the CRL. Unfortunately, this is also a bad interpretation when the cert serial number is supposed to be associated with a different CA, as indicated by this CRL entry extension. Perhaps this should be viewed as a good reason to NOT use this "feature" unless the CA knows that all RPs can interpret the critical CRL entry extension in question. Anyway, I'd like to see this discussion focus on what appears to be the principle issue, i.e., the merits of playing it safe vs. shooting ones self in the foot, rather than a discussion of whether a rewording will cause 5280 to deviate from the current version of X.509. Steve From piyush@identicate.com Mon Sep 17 14:39:35 2012 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D79421E8086 for ; Mon, 17 Sep 2012 14:39:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.348 X-Spam-Level: X-Spam-Status: No, score=-5.348 tagged_above=-999 required=5 tests=[AWL=1.250, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qLcS8wgd+kQE for ; Mon, 17 Sep 2012 14:39:33 -0700 (PDT) Received: from tx2outboundpool.messaging.microsoft.com (tx2ehsobe002.messaging.microsoft.com [65.55.88.12]) by ietfa.amsl.com (Postfix) with ESMTP id 06B4A21E8087 for ; Mon, 17 Sep 2012 14:39:32 -0700 (PDT) Received: from mail17-tx2-R.bigfish.com (10.9.14.254) by TX2EHSOBE008.bigfish.com (10.9.40.28) with Microsoft SMTP Server id 14.1.225.23; Mon, 17 Sep 2012 21:39:32 +0000 Received: from mail17-tx2 (localhost [127.0.0.1]) by mail17-tx2-R.bigfish.com (Postfix) with ESMTP id D6227460298; Mon, 17 Sep 2012 21:39:31 +0000 (UTC) X-Forefront-Antispam-Report: CIP:157.56.244.229; KIP:(null); UIP:(null); IPV:NLI; H:CH1PRD0610HT002.namprd06.prod.outlook.com; RD:none; EFVD:NLI X-SpamScore: -23 X-BigFish: PS-23(zzbb2dI9371Ic89bh1432Ic857hd6eah1447Id6f1izz1202h1d1ah1d2ahzz8275ch1033IL17326ah8275bh8275dhz2fh2a8h668h839hd25hf0ah107ah1288h12a5h12bdh1155h) Received-SPF: pass (mail17-tx2: domain of identicate.com designates 157.56.244.229 as permitted sender) client-ip=157.56.244.229; envelope-from=piyush@identicate.com; helo=CH1PRD0610HT002.namprd06.prod.outlook.com ; .outlook.com ; Received: from mail17-tx2 (localhost.localdomain [127.0.0.1]) by mail17-tx2 (MessageSwitch) id 1347917656429183_23968; Mon, 17 Sep 2012 21:34:16 +0000 (UTC) Received: from TX2EHSMHS028.bigfish.com (unknown [10.9.14.235]) by mail17-tx2.bigfish.com (Postfix) with ESMTP id 805B640051; Mon, 17 Sep 2012 21:34:15 +0000 (UTC) Received: from CH1PRD0610HT002.namprd06.prod.outlook.com (157.56.244.229) by TX2EHSMHS028.bigfish.com (10.9.99.128) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 17 Sep 2012 21:34:14 +0000 Received: from CH1PRD0610MB393.namprd06.prod.outlook.com ([169.254.11.24]) by CH1PRD0610HT002.namprd06.prod.outlook.com ([10.255.151.37]) with mapi id 14.16.0175.005; Mon, 17 Sep 2012 21:34:11 +0000 From: Piyush Jain To: "denis.pinkas@bull.net" Thread-Topic: [pkix] 5280bis, v-09 Thread-Index: AQHNj4Or+HT2+Q6yxkWqbc8OyTbOnJeHbVEAgAbEwwCAAG5aAIAABcsAgAABtACAAAK74IAAU4oAgAAXXJA= Date: Mon, 17 Sep 2012 21:34:11 +0000 Message-ID: References: <504E13CB.8080001@bbn.com> <20120913002444.80A791A216@ld9781.wdf.sap.corp> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [75.25.128.241] Content-Type: multipart/alternative; boundary="_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC217FCH1PRD0610MB393_" MIME-Version: 1.0 X-OriginatorOrg: identicate.com Cc: pkix Subject: Re: [pkix] 5280bis, v-09 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Sep 2012 21:39:35 -0000 --_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC217FCH1PRD0610MB393_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 RGVuaXMsDQoNClRoYW5rcyBmb3IgdGhlIGxpdHRsZSBwcmltZXIgb24gSVNPIHN0YW5kYXJkcy4N CkkganVzdCBhc3N1bWVkIHRoYXQgU0hBTEwgaW4gdGhlIG5vdGUgaW1wbGllcyB0aGF0IHRoZSB0 ZXh0IGluIG5vcm1hdGl2ZS4NCg0KQ29tcGxldGVseSBhZ3JlZSB0aGF0IHRoZSBkaWZmZXJlbmNl IGlzIHRlbnVvdXMuIEFzIEkgc2FpZCwgbXkgb25seSByZWFzb24gZm9yIHByb3Bvc2luZyDigJhy ZXZva2Vk4oCZIHdhcyB0byBzdGF5IGFsaWduZWQgd2l0aCBYLjUwOSBiZWNhdXNlIGEgZGV2aWF0 aW9uIG1pZ2h0IGNhdXNlIGltcGxlbWVudGVycyB0byB3b25kZXIgYWJvdXQgdGhlIHJlYXNvbnMg d2h5IDUyODAgY2hvc2UgdG8gZGV2aWF0ZSBmcm9tIFguNTA5Lg0KSSBkbyBub3QgdGhpbmsgdGhh dCB0aGlzIGlzIGEgc3Ryb25nIHJlYXNvbiBzbyBJIGRvIG5vdCBoYXZlIGFueSBvYmplY3Rpb24g dG8gb3B0aW9uIEIgdGhhdCB5b3UgcHJvcG9zZWQgYmVsb3cuDQoNCi1QaXl1c2gNCg0KRnJvbTog ZGVuaXMucGlua2FzQGJ1bGwubmV0IFttYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0XQ0KU2Vu dDogTW9uZGF5LCBTZXB0ZW1iZXIgMTcsIDIwMTIgMTI6NTcgUE0NClRvOiBQaXl1c2ggSmFpbg0K Q2M6IG1yZXhAc2FwLmNvbTsgcGtpeDsgU2FudG9zaCBDaG9raGFuaQ0KU3ViamVjdDogUkU6IFtw a2l4XSA1MjgwYmlzLCB2LTA5DQoNClBpeXVzaCwNCg0KSSBoYXZlIGJlZW4gaW52b2x2ZWQgaW4g dGhlIHdyaXRpbmcgb2YgSVNPIHN0YW5kYXJkcywgaW5jbHVkaW5nIFguNTA5Lg0KDQpTaGFyb24g aGFzIGJlZW4gZXZlbiBtb3JlIGludm9sdmVkIHRoYW4gbXlzZWxmLCBzaW5jZSBzaGUgaGFzIGJl ZW4NCnRoZSBlZGl0b3IgZHVyaW5nIHNvbWUgcGVyaW9kIG9mIHRpbWUgLg0KDQpUaGVyZSBpcyBz b21ldGhpbmcgaW1wb3J0YW50IHRvIGtub3cgYWJvdXQgSVNPIHN0YW5kYXJkczoNCg0KVGhlIHRl eHQgcGxhY2VkIHVuZGVyIGEgTk9URSBpcyAqbm90KiBub3JtYXRpdmUuDQoNCkkgY29waWVkIGFu ZCBwYXN0ZWQgdGhlIHRleHQgZnJvbSBYLjUwOSBhbmQgd2UgaGF2ZSB0aGUgZm9sbG93aW5nOg0K DQpOT1RFIDQg4oCTIFdoZW4gYW4gaW1wbGVtZW50YXRpb24gcHJvY2Vzc2luZyBhIGNlcnRpZmlj YXRlIHJldm9jYXRpb24gbGlzdCBkb2VzIG5vdCByZWNvZ25pemUgYSBjcml0aWNhbCBleHRlbnNp b24gaW4gdGhlDQpjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQsIGl0IHNoYWxsIGFzc3VtZSB0aGF0 LCBhdCBhIG1pbmltdW0sIHRoZSBpZGVudGlmaWVkIGNlcnRpZmljYXRlIGhhcyBiZWVuIHJldm9r ZWQgYW5kIGlzIG5vIGxvbmdlciB2YWxpZA0KYW5kIHBlcmZvcm0gYWRkaXRpb25hbCBhY3Rpb25z IGNvbmNlcm5pbmcgdGhhdCByZXZva2VkIGNlcnRpZmljYXRlIGFzIGRpY3RhdGVkIGJ5IGxvY2Fs IHBvbGljeS4gV2hlbiBhbiBpbXBsZW1lbnRhdGlvbiBkb2VzIG5vdA0KcmVjb2duaXplIGEgY3Jp dGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxFeHRlbnNpb25zIGZpZWxkLCBpdCBzaGFsbCBhc3N1 bWUgdGhhdCBpZGVudGlmaWVkIGNlcnRpZmljYXRlcyBoYXZlIGJlZW4gcmV2b2tlZCBhbmQgYXJl DQpubyBsb25nZXIgdmFsaWQuIEhvd2V2ZXIgaW4gdGhlIGxhdHRlciBjYXNlLCBzaW5jZSB0aGUg bGlzdCBtYXkgbm90IGJlIGNvbXBsZXRlLCBjZXJ0aWZpY2F0ZXMgdGhhdCBoYXZlIG5vdCBiZWVu IGlkZW50aWZpZWQgYXMgYmVpbmcNCnJldm9rZWQgY2Fubm90IGJlIGFzc3VtZWQgdG8gYmUgdmFs aWQuIEluIHRoaXMgY2FzZSBsb2NhbCBwb2xpY3kgc2hhbGwgZGljdGF0ZSB0aGUgYWN0aW9uIHRv IGJlIHRha2VuLiBJbiBhbnkgY2FzZSBsb2NhbCBwb2xpY3kgbWF5DQpkaWN0YXRlIGFjdGlvbnMg aW4gYWRkaXRpb24gdG8gYW5kL29yIHN0cm9uZ2VyIHRoYW4gdGhvc2Ugc3RhdGVkIGluIHRoaXMg U3BlY2lmaWNhdGlvbi4NCg0KU28gdGhpcyB0ZXh0IGlzIG5vdCBub3JtYXRpdmUuICBXZSBjYW4g c2F5IHNvbWV0aGluZyBkaWZmZXJlbnQgaW4gUkZDIDUyODAgYW5kIHRoaXMgd2lsbCAqbm90KiBi ZSBhIGNvbnRyYWRpY3Rpb24uDQoNClNvIHRoZSByZWFsIHF1ZXN0aW9uIGlzIHNpbXBseSA6IHdo YXQgbWFrZXMgc2Vuc2UgdG8gc2F5IGFib3V0IHRoZSB0cmVhdG1lbnQgb2YgdGhlIGNybEVudHJ5 RXh0ZW5zaW9ucyBmaWVsZCA/DQoNCkkgYmVsaWV2ZSAob3IgSSBob3BlKSB3ZSBhcmUgY2xvc2Ug dG8gYSBhZ3JlZW1lbnQsIGV4Y2VwdCB3aGV0aGVyIHdlIHNob3VsZCB1c2UgdGhlIHdvcmQgInJl dm9rZWQiIG9yICJ1bmtub3duIg0KaW4gdGhlIGxhc3Qgd29yZCBvbiB0aGUgc2VudGVuY2UgcHJv cG9zZWQgdG9kYXkuDQoNClNvIHRoZSB0d28gb3B0aW9ucyBhcmU6DQoNCkEpICBJZiBhbiBhcHBs aWNhdGlvbiBjYW5ub3QgcHJvY2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRW50 cnlFeHRlbnNpb25zIGZpZWxkIG9mIGFuIGVudHJ5DQp0aGF0IGFmZmVjdHMgb25seSB0aGUgY2Vy dGlmaWNhdGUgc3BlY2lmaWVkIGluIHRoYXQgZW50cnksIGFzIGluZGljYXRlZCBieSB0aGUgYWJz ZW5jZSBvZiBhIHJlbGF0ZWQNCmNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3JsRXh0ZW5zaW9u cyBmaWVsZCwgdGhlbiB0aGUgc3RhdHVzIG9mIGNlcnRpZmljYXRlIGlkZW50aWZpZWQgYnkgdGhl IENSTCBlbnRyeQ0Kc2hhbGwgYmUgY29uc2lkZXJlZCBhcyB1bmtvd24uDQoNCkIpIElmIGFuIGFw cGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxF bnRyeUV4dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkNCnRoYXQgYWZmZWN0cyBvbmx5IHRoZSBj ZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgYXMgaW5kaWNhdGVkIGJ5IHRoZSBh YnNlbmNlIG9mIGEgcmVsYXRlZA0KY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxFeHRlbnNp b25zIGZpZWxkLCB0aGVuIHRoZSBzdGF0dXMgb2YgY2VydGlmaWNhdGUgaWRlbnRpZmllZCBieSB0 aGUgQ1JMIGVudHJ5DQpzaGFsbCBiZSBjb25zaWRlcmVkIGFzIHJldm9rZWQuDQoNCkkgYmVsaWV2 ZSB0aGF0IEEpIGlzIGJldHRlciwgYnV0IHRoZSBkaWZmZXJlbmNlIGlzIHRlbnVvdXMuIFNlZSBh IG5ldyBleGFtcGxlIGJlbG93Lg0KDQpXaGF0IGRvIHlvdSAoYW5kIG90aGVycykgdGhpbmsgPw0K DQpEZW5pcw0KDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KDQpUaGUgc3RhdHVzIG9mIGEg Z2l2ZW4gY2VydGlmaWNhdGUgaXMgaW5kaWNhdGVkIGFzIOKAnGdvb2TigJ0sIGJ1dCB0aGVyZSBp cyBhIENSTCBlbnRyeSB3aXRoIGEgY3JpdGljYWwNCkNSTCBlbnRyeSBleHRlbnNpb24uDQoNCldo YXRldmVyLCB0aGlzIGNybEVudHJ5RXh0ZW5zaW9uIG1lYW5zLCBpZiBhbiBhcHBsaWNhdGlvbiBj b25zaWRlcnMgdGhhdCB0aGUgc3RhdHVzIG9mIHRoZSBjZXJ0aWZpY2F0ZSBmb3IgdGhlIGVudHJ5 DQppcyAgInVua25vd24iLCBpdCBjYW4gYXR0ZW1wdCB0byB1c2UgYW4gT0NTUCBzZXJ2aWNlLCBp ZiBhdmFpbGFibGU7IGJ1dCBpZiBhbiBhcHBsaWNhdGlvbiBjb25zaWRlcnMgdGhhdCB0aGUgc3Rh dHVzIG9mDQp0aGUgY2VydGlmaWNhdGUgZm9yIHRoZSBlbnRyeSBpcyAicmV2b2tlZCAiLCBpdCB3 aWxsIG5vdCBhdHRlbXB0IHRvIGNhbGwgaXQuDQoNCkFzIGFuIGV4YW1wbGUsIHRoaXMgY3JpdGlj YWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiBtZWFucyAob25seSBmb3IgYXBwbGljYXRpb25zIHdoaWNo IHVuZGVyc3RhbmQgaXQpIDoNCg0KIlRoZSBDUkwgaXNzdWVyIG9mIHRoaXMgQ1JMIGhhcyBub3Qg YmVlbiBhYmxlIHRvIG9idGFpbiBpbiByZWFsIHRpbWUgdGhlIHN0YXR1cyBvZiB0aGUgY2VydGlm aWNhdGVzIHVzaW5nIGEgZGF0YWJhc2UNCm9mIGlzc3VlZCBjZXJ0aWZpY2F0ZXMuIFJhdGhlciB0 aGFuIG5vdCBpc3N1aW5nIHRoZSBDUkwgYW5kIGNyZWF0aW5nIGEgZGVuaWFsIG9mIHNlcnZpY2Ug Zm9yIGFsbCB2ZXJpZmllcnMsIHRoaXMgQ1JMIGhhcw0KYmVlbiBpc3N1ZWQsICBidXQgaXMgbm90 ICJmcmVzaCIuIElmIHlvdSByZWFsbHkgbmVlZCB0byB0YWtlIGEgZGVjaXNpb24gbm93LCB5b3Ug Y2FuIHVzZSB0aGlzIENSTCBidXQgYXQgeW91ciBvd24gcmlzay4NCklmIHlvdSBjYW4gYWNjZXNz IGFuIE9DU1Agc2VydmVyLCB5b3UgbWlnaHQgYmUgYWJsZSB0byBnZXQgYSBmcmVzaGVyIHN0YXR1 cy4gT3RoZXJ3aXNlLCBpZiB5b3UgY2FuIHdhaXQsIHlvdSBjYW4NCnRyeSBhZ2FpbiBsYXRlciBv biIuDQoNCg0KDQoNCkRlIDogICAgICAgIFBpeXVzaCBKYWluIDxwaXl1c2hAaWRlbnRpY2F0ZS5j b208bWFpbHRvOnBpeXVzaEBpZGVudGljYXRlLmNvbT4+DQpBIDogICAgICAgIFNhbnRvc2ggQ2hv a2hhbmkgPFNDaG9raGFuaUBjeWduYWNvbS5jb208bWFpbHRvOlNDaG9raGFuaUBjeWduYWNvbS5j b20+PiwgImRlbmlzLnBpbmthc0BidWxsLm5ldDxtYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0 PiIgPGRlbmlzLnBpbmthc0BidWxsLm5ldDxtYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0Pj4N CkNjIDogICAgICAgICJtcmV4QHNhcC5jb208bWFpbHRvOm1yZXhAc2FwLmNvbT4iIDxtcmV4QHNh cC5jb208bWFpbHRvOm1yZXhAc2FwLmNvbT4+LCBwa2l4IDxwa2l4QGlldGYub3JnPG1haWx0bzpw a2l4QGlldGYub3JnPj4NCkRhdGUgOiAgICAgICAgMTcvMDkvMjAxMiAxNzowNg0KT2JqZXQgOiAg ICAgICAgUkU6IFtwa2l4XSA1MjgwYmlzLCB2LTA5DQpfX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fXw0KDQoNCg0KTXkgcmVjb21tZW5kYXRpb24gd291bGQgYmUgdG8gZ28gd2l0aCDigJhy ZXZva2Vk4oCZIG9uIHRoaXMgdW5sZXNzIHdlIGNhbiBleHBsaWNpdGx5IHNwZWxsIG91dCB3aHkg d2UgY2hvc2Ug4oCYdW5rbm93buKAmSB0byBvdmVycmlkZSBYLjUwOS4NCg0KSSBqdXN0IHdhbnQg dG8gYXZvaWQgdGhlIHNpdHVhdGlvbiB3aGVyZSBzb21lb25lIHJhaXNlcyB0aGlzIGlzc3VlIGFn YWluIGluIGEgZmV3IHllYXJzIHRoYXQgNTI4MCBpcyBpbmNvbnNpc3RlbnQgd2l0aCBYLjUwOSB3 aXRob3V0IGFueSBhcHBhcmVudCByZWFzb24uDQoNCkZyb206IFNhbnRvc2ggQ2hva2hhbmkgW21h aWx0bzpTQ2hva2hhbmlAY3lnbmFjb20uY29tXQ0KU2VudDogTW9uZGF5LCBTZXB0ZW1iZXIgMTcs IDIwMTIgNzo0OCBBTQ0KVG86IGRlbmlzLnBpbmthc0BidWxsLm5ldDxtYWlsdG86ZGVuaXMucGlu a2FzQGJ1bGwubmV0Pg0KQ2M6IG1yZXhAc2FwLmNvbTxtYWlsdG86bXJleEBzYXAuY29tPjsgUGl5 dXNoIEphaW47IHBraXgNClN1YmplY3Q6IFJFOiBbcGtpeF0gNTI4MGJpcywgdi0wOQ0KDQpEZW5p cywNCg0KSSBhbSBvayBlaXRoZXIgd2F5ICh1bmtub3duIG9yIHJldm9rZWQpLiAgVGhlIGdvb2Qg dGhpbmcgaXMgdGhhdCB0aGUgbmV3IHRleHQgc3BlbGxzIHRoaW5ncyBvdXQgbW9yZSBjbGVhcmx5 Lg0KDQpGcm9tOiBkZW5pcy5waW5rYXNAYnVsbC5uZXQ8bWFpbHRvOmRlbmlzLnBpbmthc0BidWxs Lm5ldD4gW21haWx0bzpkZW5pcy5waW5rYXNAYnVsbC5uZXRdPG1haWx0bzpbbWFpbHRvOmRlbmlz LnBpbmthc0BidWxsLm5ldF0+DQpTZW50OiBNb25kYXksIFNlcHRlbWJlciAxNywgMjAxMiAxMDo0 MiBBTQ0KVG86IFNhbnRvc2ggQ2hva2hhbmkNCkNjOiBtcmV4QHNhcC5jb208bWFpbHRvOm1yZXhA c2FwLmNvbT47IFBpeXVzaCBKYWluOyBwa2l4DQpTdWJqZWN0OiBSRTogW3BraXhdIDUyODBiaXMs IHYtMDkNCg0KU2FudG9zaCwgUGl5dXNoIGFuZCBNYXJ0aW4sDQoNClNvcnJ5LCBJIG1hZGUgYSBt aXN0YWtlIHdoZW4gbWFraW5nIG15IHByb3Bvc2FsIHRoaXMgbW9ybmluZy4NCkkgd3JvdGUgInJl dm9rZWQiLCBidXQgd2FzIGFkdm9jYXRpbmcgInVua25vd24iLg0KDQpCYXNlZCBvbiB0aGUgbGF0 ZXN0IHRleHQgcHJvcG9zZWQgZnJvbSBTYW50b3NoLCBJIHdvdWxkIHJhdGhlciBwcmVmZXI6DQoN CklmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGlu IHRoZSBjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkNCnRoYXQgYWZmZWN0cyBv bmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgYXMgaW5kaWNhdGVk IGJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZA0KY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBj cmxFeHRlbnNpb25zIGZpZWxkLCB0aGVuIHRoZSBzdGF0dXMgb2YgY2VydGlmaWNhdGUgaWRlbnRp ZmllZCBieSB0aGUgQ1JMIGVudHJ5DQpzaGFsbCBiZSBjb25zaWRlcmVkIHVua293bi4NCg0KaW5z dGVhZCBvZiA6DQoNCklmIGFuIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNzIGEgY3JpdGljYWwg ZXh0ZW5zaW9uIGluIHRoZSBjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQgb2YgYW4gZW50cnkNCnRo YXQgYWZmZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwg YXMgaW5kaWNhdGVkIGJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZA0KY3JpdGljYWwgZXh0ZW5z aW9uIGluIHRoZSBjcmxFeHRlbnNpb25zIGZpZWxkLCB0aGVuIHRoZSBjZXJ0aWZpY2F0ZSBpZGVu dGlmaWVkIGJ5IHRoZSBDUkwgZW50cnkNCnNoYWxsIGJlIGNvbnNpZGVyZWQgcmV2b2tlZC4NCg0K RGVuaXMNCg0KDQoNCg0KDQoNCg0KDQoNCkRlIDogICAgICAgIFNhbnRvc2ggQ2hva2hhbmkgPFND aG9raGFuaUBjeWduYWNvbS5jb208bWFpbHRvOlNDaG9raGFuaUBjeWduYWNvbS5jb20+Pg0KQSA6 ICAgICAgICAiZGVuaXMucGlua2FzQGJ1bGwubmV0PG1haWx0bzpkZW5pcy5waW5rYXNAYnVsbC5u ZXQ+IiA8ZGVuaXMucGlua2FzQGJ1bGwubmV0PG1haWx0bzpkZW5pcy5waW5rYXNAYnVsbC5uZXQ+ PiwgIm1yZXhAc2FwLmNvbTxtYWlsdG86bXJleEBzYXAuY29tPiIgPG1yZXhAc2FwLmNvbTxtYWls dG86bXJleEBzYXAuY29tPj4sIFBpeXVzaCBKYWluIDxwaXl1c2hAaWRlbnRpY2F0ZS5jb208bWFp bHRvOnBpeXVzaEBpZGVudGljYXRlLmNvbT4+DQpDYyA6ICAgICAgICBwa2l4IDxwa2l4QGlldGYu b3JnPG1haWx0bzpwa2l4QGlldGYub3JnPj4NCkRhdGUgOiAgICAgICAgMTcvMDkvMjAxMiAxNjoy MQ0KT2JqZXQgOiAgICAgICAgUkU6IFtwa2l4XSA1MjgwYmlzLCB2LTA5DQoNCl9fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fDQoNCg0KDQoNClRoaXMgYWxzbyByZWxhdGVzIHRvIGVhcmxp ZXIgcG9zdCBJIG1hZGUgaW4gcmVzcG9uc2UgdG8gUGl5dXNoLg0KDQpJIGFzc3VtZSB3ZSBhcmUg YWRkaW5nIHRoZSBmb2xsb3dpbmcgdG8gdGhlIFJGQyDigJxBIGNyaXRpY2FsIGV4dGVuc2lvbiBp biB0aGUgY3JsRW50cnlFeHRlbnNpb25zIGZpZWxkIG9mIGFuIGVudHJ5IHNoYWxsIGFmZmVjdCBv bmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgdW5sZXNzIHRoZXJl IGlzIGEgcmVsYXRlZCBjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlIGNybEV4dGVuc2lvbnMgZmll bGQgdGhhdCBhZHZlcnRpc2VzIGEgc3BlY2lhbCB0cmVhdG1lbnQgZm9yIGl0LuKAnSAgSW4gb3Jk ZXIgdG8gdXNlIHN1Y2ggQ1JMLCB0aGUgcmVseWluZyBwYXJ0eSBtdXN0IGJlIGFibGUgdG8gcHJv Y2VzcyBib3RoIHRoZSBjcmxFbnRyeUV4dGVuc2lvbiBhbmQgdGhlIHJlbGF0ZWQgY3JsRXh0ZW5z aW9uLuKAnQ0KDQpJbiB0aGF0IGNhc2UsIEkgZG8gbm90IG1pbmQgYWRkaW5nIHRoZSBmb2xsb3dp bmcgdG8gNTI4MCAoYSBzbGlnaHQgbW9kaWZpY2F0aW9uIHRvIHdoYXQgRGVuaXMgaGFzOg0KDQpJ ZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0 aGUgY3JsRW50cnlFeHRlbnNpb25zIGZpZWxkIG9mIGFuIGVudHJ5IHRoYXQgYWZmZWN0cyBvbmx5 IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhhdCBlbnRyeSwgYXMgaW5kaWNhdGVkIGJ5 IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZCBjcml0aWNhbCBleHRlbnNpb24gaW4gdGhlIGNybEV4 dGVuc2lvbnMgZmllbGQsIHRoZW4gdGhlIGNlcnRpZmljYXRlIGlkZW50aWZpZWQgYnkgdGhlIENS TCBlbnRyeSBzaGFsbCBiZSBjb25zaWRlcmVkIHJldm9rZWQuDQoNCkZyb206IHBraXgtYm91bmNl c0BpZXRmLm9yZzxtYWlsdG86cGtpeC1ib3VuY2VzQGlldGYub3JnPiBbbWFpbHRvOnBraXgtYm91 bmNlc0BpZXRmLm9yZ10gT24gQmVoYWxmIE9mIGRlbmlzLnBpbmthc0BidWxsLm5ldDxtYWlsdG86 ZGVuaXMucGlua2FzQGJ1bGwubmV0Pg0KU2VudDogTW9uZGF5LCBTZXB0ZW1iZXIgMTcsIDIwMTIg Mzo0NyBBTQ0KVG86IG1yZXhAc2FwLmNvbTxtYWlsdG86bXJleEBzYXAuY29tPjsgUGl5dXNoIEph aW4NCkNjOiBwa2l4DQpTdWJqZWN0OiBSZTogW3BraXhdIDUyODBiaXMsIHYtMDkNCg0KR29vZCBj YXRjaCBNYXJ0aW4sDQoNCllvdSBjYW1lIGJhY2sgZnJvbSB2YWNhdGlvbiBqdXN0IGluIHRpbWUu IDotKQ0KDQpJIHByb3Bvc2UgdGhlIGZvbGxvd2luZzoNCg0KUmVwbGFjZToNCg0KfCAgICAgSWYg YSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uDQp8ICAgICB0aGF0 IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcywgdGhlbiB0aGUgYXBwbGljYXRpb24gTVVT VA0KfCAgICAgTk9UIHVzZSB0aGF0IENSTCB0byBkZXRlcm1pbmUgdGhlIHN0YXR1cyBvZiBhbnkg Y2VydGlmaWNhdGVzLg0KDQp3aXRoDQoNCnwgICAgIElmIGEgQ1JMIGNvbnRhaW5zIGluIGEgQ1JM IGVudHJ5IGEgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbg0KfCAgICAgdGhhdCB0aGUgYXBw bGljYXRpb24gY2Fubm90IHByb2Nlc3MsIHRoZW4gdGhlIGFwcGxpY2F0aW9uIE1VU1QNCnwgICAg IGNvbnNpZGVyIHRoYXQgdGhlIGNlcnRpZmljYXRlIGlkZW50aWZpZWQgaW4gdGhhdCBDUkwgZW50 cnkgaXMNCnwgICAgIHJldm9rZWQuDQoNCkluIG9yZGVyIHRvIGFuc3dlciB0byBQaXl1c2gsIEkg YmVsaWV2ZSB0aGF0IOKAnHVua25vd27igJ0gc2hvdWxkIGJlIHVzZWQgcmF0aGVyIHRoYW4g4oCc cmV2b2tlZOKAnS4NCg0KVGhlIGZvbGxvd2luZyBleGFtcGxlIGlzIGFuIGlsbHVzdHJhdGlvbjoN Cg0KVGhlIHN0YXR1cyBvZiBhIGdpdmVuIGNlcnRpZmljYXRlIGlzIGluZGljYXRlZCBhcyDigJxn b29k4oCdLCBidXQgdGhlcmUgaXMgYSBDUkwgZW50cnkgd2l0aCBhIGNyaXRpY2FsDQpDUkwgZW50 cnkgZXh0ZW5zaW9uLiBUaGlzIGVudHJ5IG1lYW5zIChmb3IgdGhlIGFwcGxpY2F0aW9ucyB3aGlj aCB1bmRlcnN0YW5kIGl0KSA6DQoNCiJUaGUgc3RhdHVzIHdoaWNoIGlzIHVzdWFsbHkgb2J0YWlu ZWQgdXNpbmcgYSBkYXRhYmFzZSBvZiBpc3N1ZWQgY2VydGlmaWNhdGVzIGhhcyBiZWVuIG9idGFp bmVkIGZyb20gQ1JMcy4NCklmIHlvdSByZWFsbHkgbmVlZCB0byB0YWtlIGEgZGVjaXNpb24gbm93 LCBpdCBpcyBhdCB5b3VyIG93biByaXNrLiBJZiB5b3UgY2FuIHdhaXQsIHlvdSBoYWQgYmV0dGVy IHRvIHRyeSBhZ2FpbiBsYXRlciBvbiIuDQoNCllvdXIgbmV4dCBxdWVzdGlvbiB3aWxsIGNlcnRh aW5seSBiZTogc28gd2h5IGRvbuKAmXQgeW91IHVzZSB0aGUgcHJvcG9zZWQgY2VydEluZm8gZXh0 ZW5zaW9uID8NCg0KRm9yIGFwcGxpY2F0aW9ucyB3aGljaCBkbyBub3QgdW5kZXJzdGFuZCB0aGlz IGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24sIHRoZXJlIGlzIG5vIGRpZmZlcmVuY2UuDQpU aGV5IGdldCBhbiAidW5rbm93biIgc3RhdHVzIGluIGJvdGggY2FzZXMuDQoNCkZvciBhcHBsaWNh dGlvbnMgd2hpY2ggdW5kZXJzdGFuZCB0aGlzIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24g aXQgcHJvdmlkZXMgbGVzcyBiZW5lZml0cw0KdGhhbiB0aGUgcHJvcG9zZWQgY2VydEluZm8gZXh0 ZW5zaW9uLCBidXQgaXQgbWlnaHQgYmUgcXVpY2tlciB0byBpbXBsZW1lbnQgYW5kIGl0IGVuZm9y Y2VzIGEgcG9saWN5Lg0KDQpEZW5pcw0KDQoNCj4gSSBvYmplY3QgdG8gdGhlIHByb3Bvc2VkIG5l dyB0ZXh0IGFib3V0IENSTEVudHJ5RXh0ZW5zaW9ucw0KPiBpbiB0aGUgY2xhcmlmaWNhdGlvbiBk b2N1bWVudCwgYmVjYXVzZSBhcyBpcywgd291bGQgc2lnbmlmaWNhbnRseQ0KPiB3b3JzZW4gdGhl IGRpZmZlcmVuY2UgYmV0d2VlbiBQS0lYIGFuZCBYLjUwOSBhbmQgbWFrZSB0aGluZ3MNCj4gY2xl YXJseSBpbmNvbXBhdGlibGUgcmF0aGVyIHRoYW4gc2xpZ2h0bHkgbGVzcyBlZmZpY2llbnQuDQo+ DQo+IElmIGFueXRoaW5nLCB0aGUgZ2FwIHNob3VsZCBiZSByZWR1Y2VkLCBjb21wYXRpYmlsaXR5 IGJldHdlZW4NCj4gUEtJWCBhbmQgWC41MDkgaW1wcm92ZWQgYW5kIHRoZSBvcmlnaW5hbCBhcmNo aXRlY3R1cmUgbm90IHZpb2xhdGVkLg0KPg0KPiBQbGVhc2UgcmVjYWxsIHRoZSBvcmlnaW5hbCBO T1RFIDQgJiA1IHRoYXQgSSBxdW90ZWQgZnJvbQ0KPiBJVFUtVCBSZWMuIFguNTA5ICgwOC8yMDA1 KSwgU2VjdGlvbiA3LjMsIHRvcCBvZiBwYWdlIDE4Og0KPiAoZ2V0IHRoZW0gaGVyZSBodHRwOi8v d3d3Lml0dS5pbnQvcmVjL1QtUkVDLVguNTA5KToNCj4NCj4gYT4gIE5PVEUgNCAtLSBXaGVuIGFu IGltcGxlbWVudGF0aW9uIHByb2Nlc3NpbmcgYSBjZXJ0aWZpY2F0ZSByZXZvY2F0aW9uDQo+IGE+ ICBsaXN0IGRvZXMgbm90IHJlY29nbml6ZSBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUgY3Js RW50cnlFeHRlbnNpb25zDQo+IGE+ICBmaWVsZCwgaXQgc2hhbGwgYXNzdW1lIHRoYXQsIGF0IGEg bWluaW11bSwgdGhlIGlkZW50aWZpZWQgY2VydGlmaWNhdGUNCj4gYT4gIGhhcyBiZWVuIHJldm9r ZWQgYW5kIGlzIG5vIGxvbmdlciB2YWxpZCBhbmQgcGVyZm9ybSBhZGRpdGlvbmFsIGFjdGlvbnMN Cj4gYT4gIGNvbmNlcm5pbmcgdGhhdCByZXZva2VkIGNlcnRpZmljYXRlIGFzIGRpY3RhdGVkIGJ5 IGxvY2FsIHBvbGljeS4NCj4NCj4gYj4gIFdoZW4gYW4gaW1wbGVtZW50YXRpb24gZG9lcyBub3Qg cmVjb2duaXplIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZQ0KPiBiPiAgY3JsRXh0ZW5zaW9u cyBmaWVsZCwgaXQgc2hhbGwgYXNzdW1lIHRoYXQgaWRlbnRpZmllZCBjZXJ0aWZpY2F0ZXMNCj4g Yj4gIGhhdmUgYmVlbiByZXZva2VkIGFuZCBhcmUgbm8gbG9uZ2VyIHZhbGlkLg0KPg0KPiBjPiAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhvd2V2ZXIgaW4gdGhl IGxhdHRlciBjYXNlLA0KPiBjPiAgc2luY2UgdGhlIGxpc3QgbWF5IG5vdCBiZSBjb21wbGV0ZSwg Y2VydGlmaWNhdGVzIHRoYXQgaGF2ZSBub3QgYmVlbg0KPiBjPiAgaWRlbnRpZmllZCBhcyBiZWlu ZyByZXZva2VkIGNhbm5vdCBiZSBhc3N1bWVkIHRvIGJlIHZhbGlkLiBJbiB0aGlzIGNhc2UNCj4g Yz4gIGxvY2FsIHBvbGljeSBzaGFsbCBkaWN0YXRlIHRoZSBhY3Rpb24gdG8gYmUgdGFrZW4uIElu IGFueSBjYXNlIGxvY2FsDQo+IGM+ICBwb2xpY3kgbWF5IGRpY3RhdGUgYWN0aW9ucyBpbiBhZGRp dGlvbiB0byBhbmQvb3Igc3Ryb25nZXIgdGhhbiB0aG9zZQ0KPiBjPiAgc3RhdGVkIGluIHRoaXMg U3BlY2lmaWNhdGlvbi4NCj4NCj4gZD4gIE5PVEUgNSAtLSBJZiBhbiBleHRlbnNpb24gYWZmZWN0 cyB0aGUgdHJlYXRtZW50IG9mIHRoZSBsaXN0DQo+IGQ+ICAoZS5nLiwgbXVsdGlwbGUgQ1JMcyBu ZWVkIHRvIGJlIHNjYW5uZWQgdG8gZXhhbWluZSB0aGUgZW50aXJlIGxpc3Qgb2YNCj4gZD4gIHJl dm9rZWQgY2VydGlmaWNhdGVzLCBvciBhbiBlbnRyeSBtYXkgcmVwcmVzZW50IGEgcmFuZ2Ugb2Yg Y2VydGlmaWNhdGVzKSwNCj4gZD4gIHRoZW4gdGhhdCBleHRlbnNpb24gc2hhbGwgYmUgaW5kaWNh dGVkIGFzIGNyaXRpY2FsIGluIHRoZSBjcmxFeHRlbnNpb25zDQo+IGQ+ICBmaWVsZCByZWdhcmRs ZXNzIG9mIHdoZXJlIHRoZSBleHRlbnNpb24gaXMgcGxhY2VkIGluIHRoZSBDUkwuDQo+DQo+IGU+ ICBBbiBleHRlbnNpb24gaW5kaWNhdGVkIGluIHRoZSBjcmxFbnRyeUV4dGVuc2lvbnMgZmllbGQg b2YgYW4gZW50cnkgc2hhbGwNCj4gZT4gIGJlIHBsYWNlZCBpbiB0aGF0IGVudHJ5IGFuZCBzaGFs bCBhZmZlY3Qgb25seSB0aGUgY2VydGlmaWNhdGUocykNCj4gZT4gIHNwZWNpZmllZCBpbiB0aGF0 IGVudHJ5Lg0KPg0KPg0KPiAoSSBpbnNlcnRlZCBibGFuayBsaW5lcyBhYm92ZSBmb3IgdmlzdWFs IGNsYXJpdHkgb2YgdGhlIFguNTA5IHJlcXVpcmVtZW50cykuDQo+DQo+IHR3byBvcHRpb25zLCBh bGwgY29tYmluYXRpb25zOg0KPg0KPiAgKDEpIGNlcnQgICAgIG9uIENSTCwgQ1JMIHdpdGggTk8g dW5yZWNvZ25pemVkIGNyaXRpY2FsIENSTEVudHJ5RXh0ZW5zaW9ucw0KPiAgKDIpIGNlcnQgTk9U IG9uIENSTCwgQ1JMIHdpdGggTk8gdW5yZWNvZ25pemVkIGNyaXRpY2FsIENSTEVudHJ5RXh0ZW5z aW9ucw0KPiAgKDMpIGNlcnQgICAgIG9uIENSTCwgQ1JMIHdpdGggICAgdW5yZWNvZ25pemVkIGNy aXRpY2FsIENSTEVudHJ5RXh0ZW5zaW9uDQo+ICAoNCkgY2VydCBOT1Qgb24gQ1JMLCBDUkwgd2l0 aCAgICB1bnJlY29nbml6ZWQgY3JpdGljYWwgQ1JMRW50cnlFeHRlbnNpb24NCj4NCj4NCj4gSSBo b3BlIHdlIGFncmVlIHRoYXQgWC41MDkgYW5kIHJmYzUyODAgYWdyZWUgb24gKDEpIGFuZCAoMikg cmVzdWx0cw0KPiBmb3IgQ1JMIGNoZWNraW5nLg0KPg0KPiByZmM1MjgwIGN1cnJlbnRseSBzYXlz IHRoYXQgZm9yICgzKSsoNCkgdGhlIGVudGlyZSBDUkwgb3VnaHQgdG8gYmUgaWdub3JlZA0KPiBh bmQgb3RoZXIgQ1JMcyBuZWVkIHRvIGJlIGV2YWx1YXRlZCAiVU5ERVRFUk1JTkVEIg0KPg0KPiBY LjUwOSBzYXlzIGluIChhPikgdGhhdCBmb3IgKDMpIHRoZSBzdGF0dXMgb2YgdGhlIGNlcnQgaXMg ZGVmaW5pdGVseSByZXZva2VkDQo+IGFuZCBzYXlzIGluIChjPikgZm9yICg0KSB0aGF0IHRoZSBD Ukwgb3VnaHQgdG8gYmUgaWdub3JlZCBhbmQgb3RoZXIgQ1JMcyBuZWVkDQo+IHRvIGJlIGV2YWx1 YXRlZCAiVU5ERVRFUk1JTkVEIg0KPg0KPiBXaGlsZSBib3RoIFguNTA5IGFuZCByZmM1MjgwIGFn cmVlIG9uIHRoZSByZXN1bHQgZm9yICg0KSAiVU5ERVRFUk1JTkVEIiwNCj4gdGhlcmUgaXMgdGhl IHN1cGVyZmljaWFsIGFwcGVhcmFuY2Ugb2YgYSBkaWZmZXJlbmNlIGZvciBhIGNhc3VhbA0KPiBp bXBsZW1lbnRlciBmb3IgY2FzZSAoMykgYmV0d2VlbiBYLjUwOSAiUkVWT0tFRCIgYW5kIHJmYzUy ODAgIlVOREVURVJNSU5FRCINCj4gdGhhdCBtaWdodCBsZWFkIHRvIGEgc2xpZ2h0bHkgbGVzcyBl ZmZpY2llbnQgcHJvY2Vzc2luZyBDUkxzLg0KPg0KPg0KPiBUaGUgbmV3bHkgcHJvcG9zZWQgdGV4 dCAoaW4gLTA5KToNCj4NCj4gfCAgICAgSWYgYSBDUkwgY29udGFpbnMgYSBjcml0aWNhbCBDUkwg ZW50cnkgZXh0ZW5zaW9uDQo+IHwgICAgIHRoYXQgdGhlIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9j ZXNzLCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBNVVNUDQo+IHwgICAgIE5PVCB1c2UgdGhhdCBDUkwg dG8gZGV0ZXJtaW5lIHRoZSBzdGF0dXMgb2YgdGhlIGNlcnRpZmljYXRlDQo+IHwgICAgIHJlcHJl c2VudGVkIGJ5IHRoZSBDUkwgZW50cnkuDQo+DQo+IGNyZWF0ZXMgYSBzaWduaWZpY2FudGx5IGRp c3RpbmN0IGJlaGF2aW91ciBmb3IgY2FzZSAoNCkgd2hlcmUgWC41MDkNCj4gYW5kIHJmYzUyODAg YWdyZWVkIG9uICJVTkRFVEVSTUlORUQiLCBieSByZWRlZmluaW5nIHRoZSByZXN1bHQgdG8NCj4g YmUgIlVOUkVWT0tFRCIsIGFuZCBwb3RlbnRpYWxseSBjcmVhdGVzIGEgc2VjdXJpdHkgcHJvYmxl bSwgYW5kIGENCj4gbmV3LCBiYWNrd2FyZHMtaW5jb21wYXRpYmxlIGJlaGF2aW91ciBmb3IgYSBz aXR1YXRpb24gd2hlcmUNCj4gWC41MDkgYW5kIHJmYzUyODAgdXNlZCB0byBhZ3JlZS4gU3RpbGws IHRoZSBuZXcgdGV4dCBkb2VzIG5vdCBkbw0KPiBhbnl0aGluZyBhYm91dCBjYXNlICgzKSwgdGhl IG9ubHkgY2FzZSB3aGVyZSBYLjUwOSBhbmQgcmZjNTI4MA0KPiBhcHBlYXIgdG8gZGlmZmVyIChp biBhIG1vc3RseSBtYXJnaW5hbCBmYXNoaW9uKS4NCj4NCj4NCj4gQSBjYXJlZnVsIGltcGxlbWVu dG9yLCB0aGF0IGFuYWx5emVzIE5PVEUgNCBhbmQgTk9URSA1IGZyb20gWC41MDkNCj4gcXVvdGVk IGFib3ZlIGluIGl0cyBlbnRpcmV0eSwgc2hvdWxkIHJlYWxpemUgdGhhdCB0aGUgc2l0dWF0aW9u DQo+IHdoZXJlIFguNTA5IGFuZCByZmM1MjgwIGRpZmZlciBpcyBtYXJnaW5hbC4NCj4NCj4gVGhp cyBpcyBiZWNhdXNlIChkPikgaW4gTk9URSA1IGFib3ZlIHJlcXVpcmVzICgic2hhbGwiKSB0aGF0 IGENCj4gY3JpdGljYWwgY3JsRW50cnlFeHRlbnNpb24gd2l0aCBhIHNlbWFudGljIGJleW9uZCAi dGhpcyBjZXJ0IGlzDQo+IHJldm9rZWQiKSwgTVVTVCBiZSBhZGRpdGlvbmFsbHkgaW5jbHVkZWQg YXMgYSBjcml0aWNhbCBjcmxFeHRlbnNpb24sDQo+IHdpdGggdGhlIGVmZmVjdCB0aGF0IHRoZSBl bnRpcmUgQ1JMIHdpbGwgaGF2ZSB0byBiZSBpZ25vcmVkIGJ5DQo+IGJvdGggWC41MDkgYW5kIHJm YzUyODAgaW1wbGVtZW50YXRpb25zIHRoYXQgZG8gbm90IHJlY29nbml6ZQ0KPiB0aGUgY3JsRXh0 ZW5zaW9uLiAgU28gYWxsIGNvbXBsaWFudCBDUkxzIHdpdGggYSAiZmFuY3kiDQo+IHVucmVjb2du aXplZCBjcml0aWNhbCBjcmxFbnRyeUV4dGVuc2lvbiwgdGhlIGFjY29tcGFueWluZw0KPiB1bnJl Y29nbml6ZWQgY3JpdGljYWwgY3JsRXh0ZW5zaW9uIHdpbGwgY2F1c2UgWC41MDkgYW5kIHJmYzUy ODANCj4gdG8gYWdyZWUgb24gKDMpIHRvIHJldHVybiAiVU5ERVRFUk1JTkVEIiBhbmQgcmVxdWly ZSBvdGhlcg0KPiBDUkxzIHRvIGJlIGNoZWNrZWQuDQo+DQo+DQo+IC1NYXJ0aW4NCj4gX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCj4gcGtpeCBtYWlsaW5n IGxpc3QNCj4gcGtpeEBpZXRmLm9yZzxtYWlsdG86cGtpeEBpZXRmLm9yZz4NCj4gaHR0cHM6Ly93 d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9wa2l4DQo= --_000_AA6BA445CBFDB84785CC1C45DAAE4C792CEC217FCH1PRD0610MB393_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPCEtLVtp ZiAhbXNvXT48c3R5bGU+dlw6KiB7YmVoYXZpb3I6dXJsKCNkZWZhdWx0I1ZNTCk7fQ0Kb1w6KiB7 YmVoYXZpb3I6dXJsKCNkZWZhdWx0I1ZNTCk7fQ0Kd1w6KiB7YmVoYXZpb3I6dXJsKCNkZWZhdWx0 I1ZNTCk7fQ0KLnNoYXBlIHtiZWhhdmlvcjp1cmwoI2RlZmF1bHQjVk1MKTt9DQo8L3N0eWxlPjwh W2VuZGlmXS0tPjxzdHlsZT48IS0tDQovKiBGb250IERlZmluaXRpb25zICovDQpAZm9udC1mYWNl DQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAxNSA1IDIgMiAyIDQgMyAyIDQ7 fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWlseTpUYWhvbWE7DQoJcGFub3NlLTE6MiAxMSA2IDQg MyA1IDQgNCAyIDQ7fQ0KLyogU3R5bGUgRGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBsaS5N c29Ob3JtYWwsIGRpdi5Nc29Ob3JtYWwNCgl7bWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4w MDAxcHQ7DQoJZm9udC1zaXplOjEyLjBwdDsNCglmb250LWZhbWlseToiVGltZXMgTmV3IFJvbWFu Iiwic2VyaWYiO30NCmE6bGluaywgc3Bhbi5Nc29IeXBlcmxpbmsNCgl7bXNvLXN0eWxlLXByaW9y aXR5Ojk5Ow0KCWNvbG9yOmJsdWU7DQoJdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQphOnZp c2l0ZWQsIHNwYW4uTXNvSHlwZXJsaW5rRm9sbG93ZWQNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5 Ow0KCWNvbG9yOnB1cnBsZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCnNwYW4uRW1h aWxTdHlsZTE3DQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsLXJlcGx5Ow0KCWZvbnQtZmFtaWx5 OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7DQoJY29sb3I6IzFGNDk3RDt9DQouTXNvQ2hwRGVmYXVs dA0KCXttc28tc3R5bGUtdHlwZTpleHBvcnQtb25seTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIs InNhbnMtc2VyaWYiO30NCkBwYWdlIFdvcmRTZWN0aW9uMQ0KCXtzaXplOjguNWluIDExLjBpbjsN CgltYXJnaW46MS4waW4gMS4waW4gMS4waW4gMS4waW47fQ0KZGl2LldvcmRTZWN0aW9uMQ0KCXtw YWdlOldvcmRTZWN0aW9uMTt9DQotLT48L3N0eWxlPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0K PG86c2hhcGVkZWZhdWx0cyB2OmV4dD0iZWRpdCIgc3BpZG1heD0iMTAyNiIgLz4NCjwveG1sPjwh W2VuZGlmXS0tPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVsYXlvdXQgdjpleHQ9 ImVkaXQiPg0KPG86aWRtYXAgdjpleHQ9ImVkaXQiIGRhdGE9IjEiIC8+DQo8L286c2hhcGVsYXlv dXQ+PC94bWw+PCFbZW5kaWZdLS0+DQo8L2hlYWQ+DQo8Ym9keSBsYW5nPSJFTi1VUyIgbGluaz0i Ymx1ZSIgdmxpbms9InB1cnBsZSI+DQo8ZGl2IGNsYXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0Qi PkRlbmlzLDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDss JnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwv c3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEx LjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVv dDs7Y29sb3I6IzFGNDk3RCI+VGhhbmtzIGZvciB0aGUgbGl0dGxlIHByaW1lciBvbiBJU08gc3Rh bmRhcmRzLg0KPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90 OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPkkganVzdCBhc3N1bWVkIHRo YXQgU0hBTEwgaW4gdGhlIG5vdGUgaW1wbGllcyB0aGF0IHRoZSB0ZXh0IGluIG5vcm1hdGl2ZS48 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0i Zm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3Nh bnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9w Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9y OiMxRjQ5N0QiPkNvbXBsZXRlbHkgYWdyZWUgdGhhdCB0aGUgZGlmZmVyZW5jZSBpcyB0ZW51b3Vz LiBBcyBJIHNhaWQsIG15IG9ubHkgcmVhc29uIGZvciBwcm9wb3Npbmcg4oCYcmV2b2tlZOKAmSB3 YXMgdG8gc3RheSBhbGlnbmVkIHdpdGggWC41MDkgYmVjYXVzZSBhIGRldmlhdGlvbiBtaWdodA0K IGNhdXNlIGltcGxlbWVudGVycyB0byB3b25kZXIgYWJvdXQgdGhlIHJlYXNvbnMgd2h5IDUyODAg Y2hvc2UgdG8gZGV2aWF0ZSBmcm9tIFguNTA5Lg0KPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5 N0QiPkkgZG8gbm90IHRoaW5rIHRoYXQgdGhpcyBpcyBhIHN0cm9uZyByZWFzb24gc28gSSBkbyBu b3QgaGF2ZSBhbnkgb2JqZWN0aW9uIHRvIG9wdGlvbiBCIHRoYXQgeW91IHByb3Bvc2VkIGJlbG93 LjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7 c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48 L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtm b250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29s b3I6IzFGNDk3RCI+LVBpeXVzaDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0Nh bGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj48bzpwPiZu YnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItbGVm dDpzb2xpZCBibHVlIDEuNXB0O3BhZGRpbmc6MGluIDBpbiAwaW4gNC4wcHQiPg0KPGRpdj4NCjxk aXYgc3R5bGU9ImJvcmRlcjpub25lO2JvcmRlci10b3A6c29saWQgI0I1QzRERiAxLjBwdDtwYWRk aW5nOjMuMHB0IDBpbiAwaW4gMGluIj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZxdW90OywmcXVv dDtzYW5zLXNlcmlmJnF1b3Q7Ij5Gcm9tOjwvc3Bhbj48L2I+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYm cXVvdDsiPiBkZW5pcy5waW5rYXNAYnVsbC5uZXQgW21haWx0bzpkZW5pcy5waW5rYXNAYnVsbC5u ZXRdDQo8YnI+DQo8Yj5TZW50OjwvYj4gTW9uZGF5LCBTZXB0ZW1iZXIgMTcsIDIwMTIgMTI6NTcg UE08YnI+DQo8Yj5Ubzo8L2I+IFBpeXVzaCBKYWluPGJyPg0KPGI+Q2M6PC9iPiBtcmV4QHNhcC5j b207IHBraXg7IFNhbnRvc2ggQ2hva2hhbmk8YnI+DQo8Yj5TdWJqZWN0OjwvYj4gUkU6IFtwa2l4 XSA1MjgwYmlzLCB2LTA5PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJp YWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+UGl5dXNoLDwvc3Bhbj4NCjxicj4NCjxi cj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFs JnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPkkgaGF2ZSBiZWVuIGludm9sdmVkIGluIHRo ZSB3cml0aW5nIG9mIElTTyBzdGFuZGFyZHMsIGluY2x1ZGluZyBYLjUwOS4NCjxicj4NCjwvc3Bh bj48YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtB cmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5TaGFyb24gaGFzIGJlZW4gZXZlbiBt b3JlIGludm9sdmVkIHRoYW4gbXlzZWxmLCBzaW5jZSBzaGUgaGFzIGJlZW4NCjxicj4NCnRoZSBl ZGl0b3IgZHVyaW5nIHNvbWUgcGVyaW9kIG9mIHRpbWUgLjwvc3Bhbj4gPGJyPg0KPGJyPg0KPHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDss JnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+VGhlcmUgaXMgc29tZXRoaW5nIGltcG9ydGFudCB0byBr bm93IGFib3V0IElTTyBzdGFuZGFyZHM6PC9zcGFuPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJp ZiZxdW90OyI+Jm5ic3A7PGJyPg0KPGI+PHNwYW4gc3R5bGU9ImNvbG9yOiMwMDAwRTAiPlRoZSB0 ZXh0IHBsYWNlZCB1bmRlciBhIE5PVEUgaXMgKm5vdCogbm9ybWF0aXZlLjwvc3Bhbj48L2I+PC9z cGFuPg0KPGJyPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+SSBjb3BpZWQgYW5k IHBhc3RlZCB0aGUgdGV4dCBmcm9tIFguNTA5IGFuZCB3ZSBoYXZlIHRoZSBmb2xsb3dpbmc6PC9z cGFuPg0KPGJyPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+Tk9URSA0IOKAkyBX aGVuIGFuIGltcGxlbWVudGF0aW9uIHByb2Nlc3NpbmcgYSBjZXJ0aWZpY2F0ZSByZXZvY2F0aW9u IGxpc3QgZG9lcyBub3QgcmVjb2duaXplIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZTwvc3Bh bj4NCjxicj4NCjxiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPmNybEVudHJ5RXh0ZW5zaW9u cw0KPC9zcGFuPjwvYj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTom cXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5maWVsZCwgaXQgc2hhbGwg YXNzdW1lIHRoYXQsIGF0IGEgbWluaW11bSwgdGhlIGlkZW50aWZpZWQgY2VydGlmaWNhdGUgaGFz IGJlZW4gcmV2b2tlZCBhbmQgaXMgbm8gbG9uZ2VyIHZhbGlkPC9zcGFuPg0KPGJyPg0KPHNwYW4g c3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1 b3Q7c2Fucy1zZXJpZiZxdW90OyI+YW5kIHBlcmZvcm0gYWRkaXRpb25hbCBhY3Rpb25zIGNvbmNl cm5pbmcgdGhhdCByZXZva2VkIGNlcnRpZmljYXRlIGFzIGRpY3RhdGVkIGJ5IGxvY2FsIHBvbGlj eS4gV2hlbiBhbiBpbXBsZW1lbnRhdGlvbiBkb2VzIG5vdDwvc3Bhbj4NCjxicj4NCjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90 O3NhbnMtc2VyaWYmcXVvdDsiPnJlY29nbml6ZSBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUN CjxiPmNybEV4dGVuc2lvbnMgPC9iPmZpZWxkLCBpdCBzaGFsbCBhc3N1bWUgdGhhdCBpZGVudGlm aWVkIGNlcnRpZmljYXRlcyBoYXZlIGJlZW4gcmV2b2tlZCBhbmQgYXJlPC9zcGFuPg0KPGJyPg0K PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVv dDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+bm8gbG9uZ2VyIHZhbGlkLiBIb3dldmVyIGluIHRo ZSBsYXR0ZXIgY2FzZSwgc2luY2UgdGhlIGxpc3QgbWF5IG5vdCBiZSBjb21wbGV0ZSwgY2VydGlm aWNhdGVzIHRoYXQgaGF2ZSBub3QgYmVlbiBpZGVudGlmaWVkIGFzIGJlaW5nPC9zcGFuPg0KPGJy Pg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwm cXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+cmV2b2tlZCBjYW5ub3QgYmUgYXNzdW1lZCB0 byBiZSB2YWxpZC4gSW4gdGhpcyBjYXNlIGxvY2FsIHBvbGljeSBzaGFsbCBkaWN0YXRlIHRoZSBh Y3Rpb24gdG8gYmUgdGFrZW4uIEluIGFueSBjYXNlIGxvY2FsIHBvbGljeSBtYXk8L3NwYW4+DQo8 YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtBcmlh bCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5kaWN0YXRlIGFjdGlvbnMgaW4gYWRkaXRp b24gdG8gYW5kL29yIHN0cm9uZ2VyIHRoYW4gdGhvc2Ugc3RhdGVkIGluIHRoaXMgU3BlY2lmaWNh dGlvbi48L3NwYW4+DQo8YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtm b250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5TbyB0 aGlzIHRleHQgaXMgbm90IG5vcm1hdGl2ZS4gJm5ic3A7V2UgY2FuIHNheSBzb21ldGhpbmcgZGlm ZmVyZW50IGluIFJGQyA1MjgwIGFuZCB0aGlzIHdpbGwgKm5vdCogYmUgYSBjb250cmFkaWN0aW9u Ljwvc3Bhbj4NCjxicj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPlNvIHRoZSBy ZWFsIHF1ZXN0aW9uIGlzIHNpbXBseSA6IHdoYXQgbWFrZXMgc2Vuc2UgdG8gc2F5IGFib3V0IHRo ZSB0cmVhdG1lbnQgb2YgdGhlDQo8Yj5jcmxFbnRyeUV4dGVuc2lvbnMgPC9iPmZpZWxkID88L3Nw YW4+IDxicj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5 OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPkkgYmVsaWV2ZSAob3Ig SSBob3BlKSB3ZSBhcmUgY2xvc2UgdG8gYSBhZ3JlZW1lbnQsIGV4Y2VwdCB3aGV0aGVyIHdlIHNo b3VsZCB1c2UgdGhlIHdvcmQgJnF1b3Q7cmV2b2tlZCZxdW90OyBvciAmcXVvdDt1bmtub3duJnF1 b3Q7DQo8YnI+DQppbiB0aGUgbGFzdCB3b3JkIG9uIHRoZSBzZW50ZW5jZSBwcm9wb3NlZCB0b2Rh eS48L3NwYW4+IDxicj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPlNvIHRoZSB0 d28gb3B0aW9ucyBhcmU6PC9zcGFuPg0KPGJyPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZx dW90OyI+QSkgJm5ic3A7SWYgYW4gYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MgYSBjcml0aWNh bCBleHRlbnNpb24gaW4gdGhlDQo8Yj5jcmxFbnRyeUV4dGVuc2lvbnM8L2I+IGZpZWxkIG9mIGFu IGVudHJ5IDxicj4NCnRoYXQgYWZmZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQg aW4gdGhhdCBlbnRyeSwgYXMgaW5kaWNhdGVkIGJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZA0K PGJyPg0KY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSA8Yj5jcmxFeHRlbnNpb25zPC9iPiBmaWVs ZCwgdGhlbiB0aGUgPGI+c3RhdHVzIG9mIDwvYj5jZXJ0aWZpY2F0ZSBpZGVudGlmaWVkIGJ5IHRo ZSBDUkwgZW50cnkNCjxicj4NCnNoYWxsIGJlIGNvbnNpZGVyZWQgPGI+PHNwYW4gc3R5bGU9ImNv bG9yOiMwMDIwQzIiPmFzIHVua293bjwvc3Bhbj48L2I+PHNwYW4gc3R5bGU9ImNvbG9yOiMxMDQx NjAiPi48L3NwYW4+PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0Ij4NCjwvc3Bh bj48YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTom cXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5CKSBJZiBhbiBhcHBsaWNh dGlvbiBjYW5ub3QgcHJvY2VzcyBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUNCjxiPmNybEVu dHJ5RXh0ZW5zaW9uczwvYj4gZmllbGQgb2YgYW4gZW50cnkgPGJyPg0KdGhhdCBhZmZlY3RzIG9u bHkgdGhlIGNlcnRpZmljYXRlIHNwZWNpZmllZCBpbiB0aGF0IGVudHJ5LCBhcyBpbmRpY2F0ZWQg YnkgdGhlIGFic2VuY2Ugb2YgYSByZWxhdGVkDQo8YnI+DQpjcml0aWNhbCBleHRlbnNpb24gaW4g dGhlIDxiPmNybEV4dGVuc2lvbnM8L2I+IGZpZWxkLCB0aGVuIHRoZSA8Yj5zdGF0dXMgb2YgPC9i PmNlcnRpZmljYXRlIGlkZW50aWZpZWQgYnkgdGhlIENSTCBlbnRyeQ0KPGJyPg0Kc2hhbGwgYmUg Y29uc2lkZXJlZCA8Yj48c3BhbiBzdHlsZT0iY29sb3I6IzAwMjBDMiI+YXMgcmV2b2tlZDwvc3Bh bj48L2I+PHNwYW4gc3R5bGU9ImNvbG9yOiMxMDQxNjAiPi48L3NwYW4+PC9zcGFuPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTAuMHB0Ij4NCjwvc3Bhbj48YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0i Zm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5z LXNlcmlmJnF1b3Q7Ij5JIGJlbGlldmUgdGhhdCBBKSBpcyBiZXR0ZXIsIGJ1dCB0aGUgZGlmZmVy ZW5jZSBpcyB0ZW51b3VzLiBTZWUgYSBuZXcgZXhhbXBsZSBiZWxvdy4NCjwvc3Bhbj48YnI+DQo8 YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtBcmlh bCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5XaGF0IGRvIHlvdSAoYW5kIG90aGVycykg dGhpbmsgPzwvc3Bhbj4NCjxicj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPkRl bmlzPC9zcGFuPiA8YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250 LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij49PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PTwvc3Bhbj4NCjxicj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2Vy aWYmcXVvdDsiPlRoZSBzdGF0dXMgb2YgYSBnaXZlbiBjZXJ0aWZpY2F0ZSBpcyBpbmRpY2F0ZWQg YXMg4oCcZ29vZOKAnSwgYnV0IHRoZXJlIGlzIGEgQ1JMIGVudHJ5IHdpdGggYSBjcml0aWNhbA0K PGJyPg0KQ1JMIGVudHJ5IGV4dGVuc2lvbi4gPC9zcGFuPjxicj4NCjxicj4NCjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3Nh bnMtc2VyaWYmcXVvdDsiPldoYXRldmVyLCB0aGlzIDxiPg0KY3JsRW50cnlFeHRlbnNpb248L2I+ IG1lYW5zLCBpZiBhbiBhcHBsaWNhdGlvbiBjb25zaWRlcnMgdGhhdCB0aGUgc3RhdHVzIG9mIHRo ZSBjZXJ0aWZpY2F0ZSBmb3IgdGhlIGVudHJ5DQo8YnI+DQppcyAmbmJzcDsmcXVvdDt1bmtub3du JnF1b3Q7LCBpdCBjYW4gYXR0ZW1wdCB0byB1c2UgYW4gT0NTUCBzZXJ2aWNlLCBpZiBhdmFpbGFi bGU7IGJ1dCBpZiBhbiBhcHBsaWNhdGlvbiBjb25zaWRlcnMgdGhhdCB0aGUgc3RhdHVzIG9mDQo8 YnI+DQp0aGUgY2VydGlmaWNhdGUgZm9yIHRoZSBlbnRyeSBpcyAmcXVvdDtyZXZva2VkICZxdW90 OywgaXQgd2lsbCBub3QgYXR0ZW1wdCB0byBjYWxsIGl0Ljwvc3Bhbj4NCjxicj4NCjxicj4NCjxz cGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7 LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPkFzIGFuIGV4YW1wbGUsIHRoaXMgY3JpdGljYWwgQ1JM IGVudHJ5IGV4dGVuc2lvbiBtZWFucyAob25seSBmb3IgYXBwbGljYXRpb25zIHdoaWNoIHVuZGVy c3RhbmQgaXQpIDoNCjxicj4NCjxicj4NCiZxdW90O1RoZSBDUkwgaXNzdWVyIG9mIHRoaXMgQ1JM IGhhcyBub3QgYmVlbiBhYmxlIHRvIG9idGFpbiBpbiByZWFsIHRpbWUgdGhlIHN0YXR1cyBvZiB0 aGUgY2VydGlmaWNhdGVzIHVzaW5nIGEgZGF0YWJhc2UNCjxicj4NCm9mIGlzc3VlZCBjZXJ0aWZp Y2F0ZXMuIFJhdGhlciB0aGFuIG5vdCBpc3N1aW5nIHRoZSBDUkwgYW5kIGNyZWF0aW5nIGEgZGVu aWFsIG9mIHNlcnZpY2UgZm9yIGFsbCB2ZXJpZmllcnMsIHRoaXMgQ1JMIGhhcw0KPGJyPg0KYmVl biBpc3N1ZWQsICZuYnNwO2J1dCBpcyBub3QgJnF1b3Q7ZnJlc2gmcXVvdDsuIElmIHlvdSByZWFs bHkgbmVlZCB0byB0YWtlIGEgZGVjaXNpb24gbm93LCB5b3UgY2FuIHVzZSB0aGlzIENSTCBidXQg YXQgeW91ciBvd24gcmlzay4NCjxicj4NCklmIHlvdSBjYW4gYWNjZXNzIGFuIE9DU1Agc2VydmVy LCB5b3UgbWlnaHQgYmUgYWJsZSB0byBnZXQgYSBmcmVzaGVyIHN0YXR1cy4gT3RoZXJ3aXNlLCBp ZiB5b3UgY2FuIHdhaXQsIHlvdSBjYW4NCjxicj4NCnRyeSBhZ2FpbiBsYXRlciBvbiZxdW90Oy4g PGJyPg0KPC9zcGFuPjxicj4NCjxicj4NCjxicj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LXNp emU6Ny41cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZx dW90Oztjb2xvcjojNUY1RjVGIj5EZSA6ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOzwvc3Bh bj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjcuNXB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1 b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPlBpeXVzaCBKYWluICZsdDs8YSBocmVmPSJtYWls dG86cGl5dXNoQGlkZW50aWNhdGUuY29tIj5waXl1c2hAaWRlbnRpY2F0ZS5jb208L2E+Jmd0Ozwv c3Bhbj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LXNpemU6Ny41cHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojNUY1RjVGIj5BIDog Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 Ny41cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90 OyI+U2FudG9zaCBDaG9raGFuaSAmbHQ7PGEgaHJlZj0ibWFpbHRvOlNDaG9raGFuaUBjeWduYWNv bS5jb20iPlNDaG9raGFuaUBjeWduYWNvbS5jb208L2E+Jmd0OywgJnF1b3Q7PGEgaHJlZj0ibWFp bHRvOmRlbmlzLnBpbmthc0BidWxsLm5ldCI+ZGVuaXMucGlua2FzQGJ1bGwubmV0PC9hPiZxdW90 Ow0KICZsdDs8YSBocmVmPSJtYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0Ij5kZW5pcy5waW5r YXNAYnVsbC5uZXQ8L2E+Jmd0Ozwvc3Bhbj4gPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo3 LjVwdDtmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7 O2NvbG9yOiM1RjVGNUYiPkNjJm5ic3A7OiAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8L3Nw YW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo3LjVwdDtmb250LWZhbWlseTomcXVvdDtBcmlhbCZx dW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij4mcXVvdDs8YSBocmVmPSJtYWlsdG86bXJleEBz YXAuY29tIj5tcmV4QHNhcC5jb208L2E+JnF1b3Q7ICZsdDs8YSBocmVmPSJtYWlsdG86bXJleEBz YXAuY29tIj5tcmV4QHNhcC5jb208L2E+Jmd0OywNCiBwa2l4ICZsdDs8YSBocmVmPSJtYWlsdG86 cGtpeEBpZXRmLm9yZyI+cGtpeEBpZXRmLm9yZzwvYT4mZ3Q7PC9zcGFuPiA8YnI+DQo8c3BhbiBz dHlsZT0iZm9udC1zaXplOjcuNXB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90 O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzVGNUY1RiI+RGF0ZSA6ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOzwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjcuNXB0O2ZvbnQtZmFtaWx5 OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPjE3LzA5LzIwMTIgMTc6 MDY8L3NwYW4+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjcuNXB0O2ZvbnQtZmFtaWx5 OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzVGNUY1RiI+ T2JqZXQgOiAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZTo3LjVwdDtmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNl cmlmJnF1b3Q7Ij5SRTogW3BraXhdIDUyODBiaXMsIHYtMDk8L3NwYW4+DQo8bzpwPjwvbzpwPjwv cD4NCjxkaXYgY2xhc3M9Ik1zb05vcm1hbCIgYWxpZ249ImNlbnRlciIgc3R5bGU9InRleHQtYWxp Z246Y2VudGVyIj4NCjxociBzaXplPSIyIiB3aWR0aD0iMTAwJSIgbm9zaGFkZT0iIiBzdHlsZT0i Y29sb3I6I0EwQTBBMCIgYWxpZ249ImNlbnRlciI+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxicj4NCjxicj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlh bCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMwMDQwODAiPk15IHJlY29tbWVu ZGF0aW9uIHdvdWxkIGJlIHRvIGdvIHdpdGgg4oCYcmV2b2tlZOKAmSBvbiB0aGlzIHVubGVzcyB3 ZSBjYW4gZXhwbGljaXRseSBzcGVsbCBvdXQgd2h5IHdlIGNob3NlIOKAmHVua25vd27igJkgdG8g b3ZlcnJpZGUgWC41MDkuPC9zcGFuPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZx dW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzAwNDA4MCI+Jm5i c3A7PC9zcGFuPiA8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVv dDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMDA0MDgwIj5JIGp1c3Qgd2FudCB0byBh dm9pZCB0aGUgc2l0dWF0aW9uIHdoZXJlIHNvbWVvbmUgcmFpc2VzIHRoaXMgaXNzdWUgYWdhaW4g aW4gYSBmZXcgeWVhcnMgdGhhdCA1MjgwIGlzIGluY29uc2lzdGVudCB3aXRoIFguNTA5IHdpdGhv dXQgYW55IGFwcGFyZW50IHJlYXNvbi48L3NwYW4+DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1m YW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMDA0 MDgwIj4mbmJzcDs8L3NwYW4+IDxicj4NCjxiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVv dDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+RnJvbTo8L3NwYW4+PC9iPjxz cGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJp ZiZxdW90OyI+IFNhbnRvc2ggQ2hva2hhbmkgWzwvc3Bhbj48YSBocmVmPSJtYWlsdG86U0Nob2to YW5pQGN5Z25hY29tLmNvbSI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZx dW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5tYWlsdG86U0Nob2toYW5pQGN5Z25hY29tLmNv bTwvc3Bhbj48L2E+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZxdW90Oywm cXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5dDQo8Yj48YnI+DQpTZW50OjwvYj4gTW9uZGF5LCBTZXB0 ZW1iZXIgMTcsIDIwMTIgNzo0OCBBTTxiPjxicj4NClRvOjwvYj4gPGEgaHJlZj0ibWFpbHRvOmRl bmlzLnBpbmthc0BidWxsLm5ldCI+ZGVuaXMucGlua2FzQGJ1bGwubmV0PC9hPjxiPjxicj4NCkNj OjwvYj4gPGEgaHJlZj0ibWFpbHRvOm1yZXhAc2FwLmNvbSI+bXJleEBzYXAuY29tPC9hPjsgUGl5 dXNoIEphaW47IHBraXg8Yj48YnI+DQpTdWJqZWN0OjwvYj4gUkU6IFtwa2l4XSA1MjgwYmlzLCB2 LTA5PC9zcGFuPiA8YnI+DQombmJzcDsgPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZx dW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzAwNDA4MCI+RGVu aXMsPC9zcGFuPiA8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVv dDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMDA0MDgwIj4mbmJzcDs8L3NwYW4+IDxi cj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5z LXNlcmlmJnF1b3Q7O2NvbG9yOiMwMDQwODAiPkkgYW0gb2sgZWl0aGVyIHdheSAodW5rbm93biBv ciByZXZva2VkKS4gJm5ic3A7VGhlIGdvb2QgdGhpbmcgaXMgdGhhdCB0aGUgbmV3IHRleHQgc3Bl bGxzIHRoaW5ncyBvdXQgbW9yZSBjbGVhcmx5Ljwvc3Bhbj4NCjxicj4NCjxzcGFuIHN0eWxlPSJm b250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9y OiMwMDQwODAiPiZuYnNwOzwvc3Bhbj4gPGJyPg0KPGI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5 OiZxdW90O1RhaG9tYSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5Gcm9tOjwvc3Bhbj48 L2I+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZxdW90OywmcXVvdDtzYW5z LXNlcmlmJnF1b3Q7Ij4NCjwvc3Bhbj48YSBocmVmPSJtYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwu bmV0Ij48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3Nh bnMtc2VyaWYmcXVvdDsiPmRlbmlzLnBpbmthc0BidWxsLm5ldDwvc3Bhbj48L2E+PHNwYW4gc3R5 bGU9ImZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7 Ij4NCjwvc3Bhbj48YSBocmVmPSJtYWlsdG86W21haWx0bzpkZW5pcy5waW5rYXNAYnVsbC5uZXRd Ij48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMt c2VyaWYmcXVvdDsiPlttYWlsdG86ZGVuaXMucGlua2FzQGJ1bGwubmV0XTwvc3Bhbj48L2E+PHNw YW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZxdW90OywmcXVvdDtzYW5zLXNlcmlm JnF1b3Q7Ij4NCjxiPjxicj4NClNlbnQ6PC9iPiBNb25kYXksIFNlcHRlbWJlciAxNywgMjAxMiAx MDo0MiBBTTxiPjxicj4NClRvOjwvYj4gU2FudG9zaCBDaG9raGFuaTxiPjxicj4NCkNjOjwvYj4g PC9zcGFuPjxhIGhyZWY9Im1haWx0bzptcmV4QHNhcC5jb20iPjxzcGFuIHN0eWxlPSJmb250LWZh bWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+bXJleEBzYXAu Y29tPC9zcGFuPjwvYT48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7 LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPjsgUGl5dXNoIEphaW47IHBraXg8Yj48YnI+DQpTdWJq ZWN0OjwvYj4gUkU6IFtwa2l4XSA1MjgwYmlzLCB2LTA5PC9zcGFuPiA8YnI+DQombmJzcDsgPGJy Pg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMt c2VyaWYmcXVvdDsiPlNhbnRvc2gsIFBpeXVzaCBhbmQgTWFydGluLDwvc3Bhbj4NCjxicj4NCjxz cGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlm JnF1b3Q7Ij48YnI+DQpTb3JyeSwgSSBtYWRlIGEgbWlzdGFrZSB3aGVuIG1ha2luZyBteSBwcm9w b3NhbCB0aGlzIG1vcm5pbmcuIDxicj4NCkkgd3JvdGUgJnF1b3Q7cmV2b2tlZCZxdW90OywgYnV0 IHdhcyBhZHZvY2F0aW5nICZxdW90O3Vua25vd24mcXVvdDsuPC9zcGFuPiA8YnI+DQo8c3BhbiBz dHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90 OyI+PGJyPg0KQmFzZWQgb24gdGhlIGxhdGVzdCB0ZXh0IHByb3Bvc2VkIGZyb20gU2FudG9zaCwg SSB3b3VsZCByYXRoZXIgcHJlZmVyOjwvc3Bhbj4gPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFt aWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzEwNDE2 MCI+PGJyPg0KSWYgYW4gYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MgYSBjcml0aWNhbCBleHRl bnNpb24gaW4gdGhlIDxiPmNybEVudHJ5RXh0ZW5zaW9uczwvYj4gZmllbGQgb2YgYW4gZW50cnkN Cjxicj4NCnRoYXQgYWZmZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhh dCBlbnRyeSwgYXMgaW5kaWNhdGVkIGJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZA0KPGJyPg0K Y3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSA8Yj5jcmxFeHRlbnNpb25zPC9iPiBmaWVsZCwgdGhl biB0aGUgPC9zcGFuPjxiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90 OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMwMDAwRTAiPnN0YXR1cyBvZjwvc3Bhbj48 L2I+PGI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3Nh bnMtc2VyaWYmcXVvdDs7Y29sb3I6Ymx1ZSI+DQo8L3NwYW4+PC9iPjxzcGFuIHN0eWxlPSJmb250 LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMx MDQxNjAiPmNlcnRpZmljYXRlIGlkZW50aWZpZWQgYnkgdGhlIENSTCBlbnRyeQ0KPGJyPg0Kc2hh bGwgYmUgY29uc2lkZXJlZCA8L3NwYW4+PGI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90 O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzAwMjBDMiI+dW5rb3du PC9zcGFuPjwvYj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1 b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMTA0MTYwIj4uPC9zcGFuPg0KPGJyPg0KPHNwYW4g c3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVv dDsiPjxicj4NCmluc3RlYWQgb2YgOjwvc3Bhbj4gPGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFt aWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzEwNDE2 MCI+PGJyPg0KSWYgYW4gYXBwbGljYXRpb24gY2Fubm90IHByb2Nlc3MgYSBjcml0aWNhbCBleHRl bnNpb24gaW4gdGhlIDxiPmNybEVudHJ5RXh0ZW5zaW9uczwvYj4gZmllbGQgb2YgYW4gZW50cnkN Cjxicj4NCnRoYXQgYWZmZWN0cyBvbmx5IHRoZSBjZXJ0aWZpY2F0ZSBzcGVjaWZpZWQgaW4gdGhh dCBlbnRyeSwgYXMgaW5kaWNhdGVkIGJ5IHRoZSBhYnNlbmNlIG9mIGEgcmVsYXRlZA0KPGJyPg0K Y3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSA8Yj5jcmxFeHRlbnNpb25zPC9iPiBmaWVsZCwgdGhl biB0aGUgY2VydGlmaWNhdGUgaWRlbnRpZmllZCBieSB0aGUgQ1JMIGVudHJ5DQo8YnI+DQpzaGFs bCBiZSBjb25zaWRlcmVkIHJldm9rZWQuPC9zcGFuPiA8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1m YW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+PGJyPg0KRGVu aXM8L3NwYW4+IDxicj4NCjxicj4NCjxicj4NCjxicj4NCjxicj4NCjxicj4NCjxicj4NCjxicj4N Cjxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtz YW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiM1RjVGNUYiPjxicj4NCkRlIDogJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZx dW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5TYW50b3NoIENob2toYW5pICZsdDs8L3NwYW4+ PGEgaHJlZj0ibWFpbHRvOlNDaG9raGFuaUBjeWduYWNvbS5jb20iPjxzcGFuIHN0eWxlPSJmb250 LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5TQ2hva2hh bmlAY3lnbmFjb20uY29tPC9zcGFuPjwvYT48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7 QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+Jmd0Ozwvc3Bhbj4NCjxzcGFuIHN0 eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7 O2NvbG9yOiM1RjVGNUYiPjxicj4NCkEgOiAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8L3Nw YW4+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMt c2VyaWYmcXVvdDsiPiZxdW90Ozwvc3Bhbj48YSBocmVmPSJtYWlsdG86ZGVuaXMucGlua2FzQGJ1 bGwubmV0Ij48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7 c2Fucy1zZXJpZiZxdW90OyI+ZGVuaXMucGlua2FzQGJ1bGwubmV0PC9zcGFuPjwvYT48c3BhbiBz dHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90 OyI+JnF1b3Q7ICZsdDs8L3NwYW4+PGEgaHJlZj0ibWFpbHRvOmRlbmlzLnBpbmthc0BidWxsLm5l dCI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMt c2VyaWYmcXVvdDsiPmRlbmlzLnBpbmthc0BidWxsLm5ldDwvc3Bhbj48L2E+PHNwYW4gc3R5bGU9 ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPiZn dDssDQogJnF1b3Q7PC9zcGFuPjxhIGhyZWY9Im1haWx0bzptcmV4QHNhcC5jb20iPjxzcGFuIHN0 eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7 Ij5tcmV4QHNhcC5jb208L3NwYW4+PC9hPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtB cmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij4mcXVvdDsgJmx0Ozwvc3Bhbj48YSBo cmVmPSJtYWlsdG86bXJleEBzYXAuY29tIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7 QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+bXJleEBzYXAuY29tPC9zcGFuPjwv YT48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1z ZXJpZiZxdW90OyI+Jmd0OywNCiBQaXl1c2ggSmFpbiAmbHQ7PC9zcGFuPjxhIGhyZWY9Im1haWx0 bzpwaXl1c2hAaWRlbnRpY2F0ZS5jb20iPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtB cmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5waXl1c2hAaWRlbnRpY2F0ZS5jb208 L3NwYW4+PC9hPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVv dDtzYW5zLXNlcmlmJnF1b3Q7Ij4mZ3Q7PC9zcGFuPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5 OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzVGNUY1RiI+ PGJyPg0KQ2MgOiAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9 ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPnBr aXggJmx0Ozwvc3Bhbj48YSBocmVmPSJtYWlsdG86cGtpeEBpZXRmLm9yZyI+PHNwYW4gc3R5bGU9 ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPnBr aXhAaWV0Zi5vcmc8L3NwYW4+PC9hPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlh bCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij4mZ3Q7PC9zcGFuPg0KPHNwYW4gc3R5bGU9 ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29s b3I6IzVGNUY1RiI+PGJyPg0KRGF0ZSA6ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOzwvc3Bh bj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1z ZXJpZiZxdW90OyI+MTcvMDkvMjAxMiAxNjoyMTwvc3Bhbj4NCjxzcGFuIHN0eWxlPSJmb250LWZh bWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiM1RjVG NUYiPjxicj4NCk9iamV0IDogJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7PC9zcGFuPjxzcGFu IHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1 b3Q7Ij5SRTogW3BraXhdIDUyODBiaXMsIHYtMDk8L3NwYW4+DQo8bzpwPjwvbzpwPjwvcD4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiIGFsaWduPSJjZW50ZXIiIHN0eWxlPSJ0ZXh0LWFsaWduOmNlbnRl ciI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8ZGl2IGNsYXNzPSJNc29Ob3JtYWwiIGFsaWduPSJj ZW50ZXIiIHN0eWxlPSJ0ZXh0LWFsaWduOmNlbnRlciI+DQo8aHIgc2l6ZT0iMiIgd2lkdGg9IjEw MCUiIG5vc2hhZGU9IiIgc3R5bGU9ImNvbG9yOiNBMEEwQTAiIGFsaWduPSJjZW50ZXIiPg0KPC9k aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48YnI+DQo8YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0i Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xv cjojMDA0MDgwIj48YnI+DQpUaGlzIGFsc28gcmVsYXRlcyB0byBlYXJsaWVyIHBvc3QgSSBtYWRl IGluIHJlc3BvbnNlIHRvIFBpeXVzaC48L3NwYW4+IDxzcGFuIHN0eWxlPSJmb250LWZhbWlseTom cXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMwMDQwODAiPg0K PGJyPg0KPC9zcGFuPiZuYnNwOzxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZx dW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMwMDQwODAiPjxicj4NCkkgYXNzdW1l IHdlIGFyZSBhZGRpbmcgdGhlIGZvbGxvd2luZyB0byB0aGUgUkZDIOKAnDwvc3Bhbj48c3BhbiBz dHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90 Oztjb2xvcjojMTA0MTYwIj5BIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUNCjxiPmNybEVudHJ5 RXh0ZW5zaW9uczwvYj4gZmllbGQgb2YgYW4gZW50cnkgc2hhbGwgYWZmZWN0IG9ubHkgdGhlIGNl cnRpZmljYXRlIHNwZWNpZmllZCBpbiB0aGF0IGVudHJ5LCB1bmxlc3MgdGhlcmUgaXMgYSByZWxh dGVkIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGUNCjxiPmNybEV4dGVuc2lvbnM8L2I+IGZpZWxk IHRoYXQgYWR2ZXJ0aXNlcyBhIHNwZWNpYWwgdHJlYXRtZW50IGZvciBpdC7igJ0gJm5ic3A7SW4g b3JkZXIgdG8gdXNlIHN1Y2ggQ1JMLCB0aGUgcmVseWluZyBwYXJ0eSBtdXN0IGJlIGFibGUgdG8g cHJvY2VzcyBib3RoIHRoZQ0KPGI+Y3JsRW50cnlFeHRlbnNpb24gPC9iPmFuZCB0aGUgcmVsYXRl ZCA8Yj5jcmxFeHRlbnNpb24u4oCdPC9iPjwvc3Bhbj4gPGI+PHNwYW4gc3R5bGU9ImZvbnQtZmFt aWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzEwNDE2 MCI+PGJyPg0KPC9zcGFuPjwvYj4mbmJzcDs8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7 QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMTA0MTYwIj48YnI+DQpJ biB0aGF0IGNhc2UsIEkgZG8gbm90IG1pbmQgYWRkaW5nIHRoZSBmb2xsb3dpbmcgdG8gNTI4MCAo YSBzbGlnaHQgbW9kaWZpY2F0aW9uIHRvIHdoYXQgRGVuaXMgaGFzOjwvc3Bhbj4NCjxzcGFuIHN0 eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7 O2NvbG9yOiMxMDQxNjAiPjxicj4NCjwvc3Bhbj4mbmJzcDs8c3BhbiBzdHlsZT0iZm9udC1mYW1p bHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMTA0MTYw Ij48YnI+DQpJZiBhbiBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcyBhIGNyaXRpY2FsIGV4dGVu c2lvbiBpbiB0aGUgPGI+Y3JsRW50cnlFeHRlbnNpb25zPC9iPiBmaWVsZCBvZiBhbiBlbnRyeSB0 aGF0IGFmZmVjdHMgb25seSB0aGUgY2VydGlmaWNhdGUgc3BlY2lmaWVkIGluIHRoYXQgZW50cnks IGFzIGluZGljYXRlZCBieSB0aGUgYWJzZW5jZSBvZiBhIHJlbGF0ZWQgY3JpdGljYWwgZXh0ZW5z aW9uIGluIHRoZQ0KPGI+Y3JsRXh0ZW5zaW9uczwvYj4gZmllbGQsIHRoZW4gdGhlIGNlcnRpZmlj YXRlIGlkZW50aWZpZWQgYnkgdGhlIENSTCBlbnRyeSBzaGFsbCBiZSBjb25zaWRlcmVkIHJldm9r ZWQuPC9zcGFuPg0KPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZx dW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzAwNDA4MCI+PGJyPg0KPC9zcGFuPiZuYnNwOzxi PjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1z ZXJpZiZxdW90OyI+PGJyPg0KRnJvbTo8L3NwYW4+PC9iPjxzcGFuIHN0eWxlPSJmb250LWZhbWls eTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+IDwvc3Bhbj48YSBo cmVmPSJtYWlsdG86cGtpeC1ib3VuY2VzQGlldGYub3JnIj48c3BhbiBzdHlsZT0iZm9udC1mYW1p bHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPnBraXgtYm91bmNl c0BpZXRmLm9yZzwvc3Bhbj48L2E+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O1RhaG9t YSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij4gWzwvc3Bhbj48YSBocmVmPSJtYWlsdG86 cGtpeC1ib3VuY2VzQGlldGYub3JnIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7VGFo b21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPm1haWx0bzpwa2l4LWJvdW5jZXNAaWV0 Zi5vcmc8L3NwYW4+PC9hPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtUYWhvbWEmcXVv dDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+XQ0KPGI+T24gQmVoYWxmIE9mIDwvYj48L3NwYW4+ PGEgaHJlZj0ibWFpbHRvOmRlbmlzLnBpbmthc0BidWxsLm5ldCI+PHNwYW4gc3R5bGU9ImZvbnQt ZmFtaWx5OiZxdW90O1RhaG9tYSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5kZW5pcy5w aW5rYXNAYnVsbC5uZXQ8L3NwYW4+PC9hPjxiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVv dDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+PGJyPg0KU2VudDo8L3NwYW4+ PC9iPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fu cy1zZXJpZiZxdW90OyI+IE1vbmRheSwgU2VwdGVtYmVyIDE3LCAyMDEyIDM6NDcgQU08Yj48YnI+ DQpUbzo8L2I+IDwvc3Bhbj48YSBocmVmPSJtYWlsdG86bXJleEBzYXAuY29tIj48c3BhbiBzdHls ZT0iZm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsi Pm1yZXhAc2FwLmNvbTwvc3Bhbj48L2E+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O1Rh aG9tYSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij47IFBpeXVzaCBKYWluPGI+PGJyPg0K Q2M6PC9iPiBwa2l4PGI+PGJyPg0KU3ViamVjdDo8L2I+IFJlOiBbcGtpeF0gNTI4MGJpcywgdi0w OTwvc3Bhbj4gPGJyPg0KJm5ic3A7PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFs JnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPjxicj4NCkdvb2QgY2F0Y2ggTWFydGluLDwv c3Bhbj4gPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3Nh bnMtc2VyaWYmcXVvdDsiPjxicj4NCjxicj4NCllvdSBjYW1lIGJhY2sgZnJvbSB2YWNhdGlvbiBq dXN0IGluIHRpbWUuIDotKTwvc3Bhbj4gPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0Fy aWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPg0KPGJyPg0KPGJyPg0KSSBwcm9wb3Nl IHRoZSBmb2xsb3dpbmc6PC9zcGFuPiA8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q291 cmllciBOZXcmcXVvdDsiPjxicj4NCjxicj4NClJlcGxhY2U6PC9zcGFuPiA8c3BhbiBzdHlsZT0i Zm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsiPjxicj4NCjxicj4NCnwgJm5ic3A7 ICZuYnNwOyBJZiBhIENSTCBjb250YWlucyBhIGNyaXRpY2FsIENSTCBlbnRyeSBleHRlbnNpb24g PGJyPg0KfCAmbmJzcDsgJm5ic3A7IHRoYXQgdGhlIGFwcGxpY2F0aW9uIGNhbm5vdCBwcm9jZXNz LCB0aGVuIHRoZSBhcHBsaWNhdGlvbiBNVVNUIDxicj4NCnwgJm5ic3A7ICZuYnNwOyBOT1QgdXNl IHRoYXQgQ1JMIHRvIGRldGVybWluZSB0aGUgc3RhdHVzIG9mIGFueSBjZXJ0aWZpY2F0ZXMuPC9z cGFuPiA8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsiPg0K PGJyPg0KPGJyPg0Kd2l0aDwvc3Bhbj4gPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0Nv dXJpZXIgTmV3JnF1b3Q7Ij48YnI+DQo8YnI+DQp8ICZuYnNwOyAmbmJzcDsgSWYgYSBDUkwgY29u dGFpbnMgaW4gYSBDUkwgZW50cnkgYSBjcml0aWNhbCBDUkwgZW50cnkgZXh0ZW5zaW9uIDxicj4N CnwgJm5ic3A7ICZuYnNwOyB0aGF0IHRoZSBhcHBsaWNhdGlvbiBjYW5ub3QgcHJvY2VzcywgdGhl biB0aGUgYXBwbGljYXRpb24gTVVTVCA8YnI+DQp8ICZuYnNwOyAmbmJzcDsgY29uc2lkZXIgdGhh dCB0aGUgY2VydGlmaWNhdGUgaWRlbnRpZmllZCBpbiB0aGF0IENSTCBlbnRyeSBpcyA8YnI+DQp8 ICZuYnNwOyAmbmJzcDsgcmV2b2tlZC4gJm5ic3A7PC9zcGFuPiA8c3BhbiBzdHlsZT0iZm9udC1m YW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+PGJyPg0KPGJy Pg0KSW4gb3JkZXIgdG8gYW5zd2VyIHRvIFBpeXVzaCwgSSBiZWxpZXZlIHRoYXQg4oCcdW5rbm93 buKAnSBzaG91bGQgYmUgdXNlZCByYXRoZXIgdGhhbiDigJxyZXZva2Vk4oCdLjwvc3Bhbj4NCjxz cGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlm JnF1b3Q7Ij48YnI+DQo8YnI+DQpUaGUgZm9sbG93aW5nIGV4YW1wbGUgaXMgYW4gaWxsdXN0cmF0 aW9uOjwvc3Bhbj4gPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZx dW90O3NhbnMtc2VyaWYmcXVvdDsiPg0KPGJyPg0KPGJyPg0KVGhlIHN0YXR1cyBvZiBhIGdpdmVu IGNlcnRpZmljYXRlIGlzIGluZGljYXRlZCBhcyDigJxnb29k4oCdLCBidXQgdGhlcmUgaXMgYSBD UkwgZW50cnkgd2l0aCBhIGNyaXRpY2FsDQo8YnI+DQpDUkwgZW50cnkgZXh0ZW5zaW9uLiBUaGlz IGVudHJ5IG1lYW5zIChmb3IgdGhlIGFwcGxpY2F0aW9ucyB3aGljaCB1bmRlcnN0YW5kIGl0KSA6 DQo8YnI+DQo8YnI+DQomcXVvdDtUaGUgc3RhdHVzIHdoaWNoIGlzIHVzdWFsbHkgb2J0YWluZWQg dXNpbmcgYSBkYXRhYmFzZSBvZiBpc3N1ZWQgY2VydGlmaWNhdGVzIGhhcyBiZWVuIG9idGFpbmVk IGZyb20gQ1JMcy4NCjxicj4NCklmIHlvdSByZWFsbHkgbmVlZCB0byB0YWtlIGEgZGVjaXNpb24g bm93LCBpdCBpcyBhdCB5b3VyIG93biByaXNrLiBJZiB5b3UgY2FuIHdhaXQsIHlvdSBoYWQgYmV0 dGVyIHRvIHRyeSBhZ2FpbiBsYXRlciBvbiZxdW90Oy48L3NwYW4+DQo8c3BhbiBzdHlsZT0iZm9u dC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+PGJyPg0K PGJyPg0KWW91ciBuZXh0IHF1ZXN0aW9uIHdpbGwgY2VydGFpbmx5IGJlOiBzbyB3aHkgZG9u4oCZ dCB5b3UgdXNlIHRoZSBwcm9wb3NlZCBjZXJ0SW5mbyBleHRlbnNpb24gPzwvc3Bhbj4NCjxzcGFu IHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1 b3Q7Ij48YnI+DQo8YnI+DQpGb3IgYXBwbGljYXRpb25zIHdoaWNoIGRvIG5vdCB1bmRlcnN0YW5k IHRoaXMgY3JpdGljYWwgQ1JMIGVudHJ5IGV4dGVuc2lvbiwgdGhlcmUgaXMgbm8gZGlmZmVyZW5j ZS48L3NwYW4+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssJnF1 b3Q7c2Fucy1zZXJpZiZxdW90OyI+PGJyPg0KVGhleSBnZXQgYW4gJnF1b3Q7dW5rbm93biZxdW90 OyBzdGF0dXMgaW4gYm90aCBjYXNlcy48L3NwYW4+IDxzcGFuIHN0eWxlPSJmb250LWZhbWlseTom cXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij4NCjxicj4NCjxicj4NCkZv ciBhcHBsaWNhdGlvbnMgd2hpY2ggdW5kZXJzdGFuZCB0aGlzIGNyaXRpY2FsIENSTCBlbnRyeSBl eHRlbnNpb24gaXQgcHJvdmlkZXMgbGVzcyBiZW5lZml0cw0KPGJyPg0KdGhhbiB0aGUgcHJvcG9z ZWQgY2VydEluZm8gZXh0ZW5zaW9uLCBidXQgaXQgbWlnaHQgYmUgcXVpY2tlciB0byBpbXBsZW1l bnQgYW5kIGl0IGVuZm9yY2VzIGEgcG9saWN5Ljwvc3Bhbj4NCjxzcGFuIHN0eWxlPSJmb250LWZh bWlseTomcXVvdDtBcmlhbCZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij48YnI+DQo8YnI+ DQpEZW5pczwvc3Bhbj4gPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3 JnF1b3Q7Ij48YnI+DQo8YnI+DQo8YnI+DQomZ3Q7IEkgb2JqZWN0IHRvIHRoZSBwcm9wb3NlZCBu ZXcgdGV4dCBhYm91dCBDUkxFbnRyeUV4dGVuc2lvbnM8YnI+DQomZ3Q7IGluIHRoZSBjbGFyaWZp Y2F0aW9uIGRvY3VtZW50LCBiZWNhdXNlIGFzIGlzLCB3b3VsZCBzaWduaWZpY2FudGx5PGJyPg0K Jmd0OyB3b3JzZW4gdGhlIGRpZmZlcmVuY2UgYmV0d2VlbiBQS0lYIGFuZCBYLjUwOSBhbmQgbWFr ZSB0aGluZ3M8YnI+DQomZ3Q7IGNsZWFybHkgaW5jb21wYXRpYmxlIHJhdGhlciB0aGFuIHNsaWdo dGx5IGxlc3MgZWZmaWNpZW50Ljxicj4NCiZndDsgPGJyPg0KJmd0OyBJZiBhbnl0aGluZywgdGhl IGdhcCBzaG91bGQgYmUgcmVkdWNlZCwgY29tcGF0aWJpbGl0eSBiZXR3ZWVuPGJyPg0KJmd0OyBQ S0lYIGFuZCBYLjUwOSBpbXByb3ZlZCBhbmQgdGhlIG9yaWdpbmFsIGFyY2hpdGVjdHVyZSBub3Qg dmlvbGF0ZWQuPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFBsZWFzZSByZWNhbGwgdGhlIG9yaWdpbmFs IE5PVEUgNCAmYW1wOyA1IHRoYXQgSSBxdW90ZWQgZnJvbTxicj4NCiZndDsgSVRVLVQgUmVjLiBY LjUwOSAoMDgvMjAwNSksIFNlY3Rpb24gNy4zLCB0b3Agb2YgcGFnZSAxODo8YnI+DQomZ3Q7IChn ZXQgdGhlbSBoZXJlIDwvc3Bhbj48YSBocmVmPSJodHRwOi8vd3d3Lml0dS5pbnQvcmVjL1QtUkVD LVguNTA5Ij48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsi Pmh0dHA6Ly93d3cuaXR1LmludC9yZWMvVC1SRUMtWC41MDk8L3NwYW4+PC9hPjxzcGFuIHN0eWxl PSJmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90OyI+KTo8YnI+DQomZ3Q7IDxicj4N CiZndDsgYSZndDsgJm5ic3A7Tk9URSA0IC0tIFdoZW4gYW4gaW1wbGVtZW50YXRpb24gcHJvY2Vz c2luZyBhIGNlcnRpZmljYXRlIHJldm9jYXRpb248YnI+DQomZ3Q7IGEmZ3Q7ICZuYnNwO2xpc3Qg ZG9lcyBub3QgcmVjb2duaXplIGEgY3JpdGljYWwgZXh0ZW5zaW9uIGluIHRoZSBjcmxFbnRyeUV4 dGVuc2lvbnM8YnI+DQomZ3Q7IGEmZ3Q7ICZuYnNwO2ZpZWxkLCBpdCBzaGFsbCBhc3N1bWUgdGhh dCwgYXQgYSBtaW5pbXVtLCB0aGUgaWRlbnRpZmllZCBjZXJ0aWZpY2F0ZTxicj4NCiZndDsgYSZn dDsgJm5ic3A7aGFzIGJlZW4gcmV2b2tlZCBhbmQgaXMgbm8gbG9uZ2VyIHZhbGlkIGFuZCBwZXJm b3JtIGFkZGl0aW9uYWwgYWN0aW9uczxicj4NCiZndDsgYSZndDsgJm5ic3A7Y29uY2VybmluZyB0 aGF0IHJldm9rZWQgY2VydGlmaWNhdGUgYXMgZGljdGF0ZWQgYnkgbG9jYWwgcG9saWN5Ljxicj4N CiZndDsgPGJyPg0KJmd0OyBiJmd0OyAmbmJzcDtXaGVuIGFuIGltcGxlbWVudGF0aW9uIGRvZXMg bm90IHJlY29nbml6ZSBhIGNyaXRpY2FsIGV4dGVuc2lvbiBpbiB0aGU8YnI+DQomZ3Q7IGImZ3Q7 ICZuYnNwO2NybEV4dGVuc2lvbnMgZmllbGQsIGl0IHNoYWxsIGFzc3VtZSB0aGF0