From: Chris
Date: Sun, 8 May 2016 22:24:27 +1000
To: vot@ietf.org
Subject: [VoT] Security Problem with Primary Credential Usage

Hi All,

I think there is a critical flaw in section 3.2 of https://tools.ietf.org/html/draft-richer-vectors-of-trust-02 (Primary Credential Usage).

Mutual authentication is missing. When no provision is made to prevent man-in-the-middle, credential harvesting, spoofing, phishing, malware, or other common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce, Cf, and others equally untrustworthy.

We should consider inclusion either for the overall strength of the authentication process, or some breakdown of either all the techniques used or the strength of protection employed to thwart at least common attack scenarios.

This problem gets tricky quite fast:

Do we identify the authentication technology vendor? (If yes - who works out their resistance strength to common attacks? What about different modes?)
Do we broadly identify the techniques? (Whose opinions count as to whether or not the technique is effective, and against what threats?)
Do we identify or classify the threats and indicate which ones were mitigated? (Who should be trusted to decide if these really were mitigated?)

For example - tamper-proof hardware digital certificate devices with biometric unlocks are totally useless if the user paid no attention to a broken SSL warning, or has malware. They're also equally useless in most corporate environments that use deep-packet inspection firewalls - and "unexpected certificates" (e.g. from DPI or malicious) carry their own privacy problems (e.g. passwords are not as "protected" as you think). Much more common authentication "protection", of course, is two-step or SMS one-time codes - which are equally useless when an end user can be tricked into revealing them to spoof sites.

91% of successful break-ins start from phishing. Right now, every vector is pointing one way - we need at least one "Vector of Trust" to point back the other way!

How about a 5th vector - "S" for "Security" - which somehow allows an RP a level of confidence in the protection afforded to the user's actual authentication process, in terms of (or at least considering) a wide range of (and all common) modern threats.

Chris.
From: Julian White
Date: Thu, 12 May 2016 17:11:50 +0100
To: Chris
Cc: vot@ietf.org
Subject: Re: [VoT] Security Problem with Primary Credential Usage

Hi,

I have a number of comments and questions (see attached), many of which are related to the issues raised by Chris, some maybe my misunderstanding coming in half way through the drafting though.

I, like Chris, also think there needs to be something more explicit around the "security" of the IdP authentication which includes the measures to try and detect 'odd' things (like MITM). I would also go one step further in that I also want to know about the maturity of the IdP's "security"; it's of no use to me if they have really good credentials but store all the data in the clear on their website or have a load of administrative back-doors that could let anyone generate a valid authentication response.

It feels like we need to do more work in this area.

Regards,

Julian.
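An added example, not code from the VoT draft or from either poster, showing the RP-side consequence of the two messages above: a parser for draft-02-style vector strings ("P1.Cb.Ab") and a relying-party policy in which every C value ranks the same against an active attacker until a hypothetical "S" component carries that information. The "S" category, its values and the category letters P/C/M/A as used here are assumptions for the illustration; the draft defines no S component.

```python
"""Minimal RP-side evaluator for Vectors of Trust strings (added example).

Assumptions (not taken from the draft or the thread):
- vector syntax: period-separated components, each a category letter
  followed by one value character, e.g. "P1.Cb.Ab"; a category may repeat;
- the "S" category and its values are hypothetical placeholders for the
  fifth vector proposed in the thread.
"""

# P, C, M, A are the draft-02 categories; S is the hypothetical fifth one.
KNOWN_CATEGORIES = frozenset("PCMAS")

# Hypothetical S values, constructed for this example only.
S_PHISHING_RESISTANT = frozenset("bc")  # e.g. mutual auth / origin-bound credential
S_DETECTION_ONLY = frozenset("a")       # anomaly detection only, no prevention


def parse_vector(vtr: str) -> dict:
    """Parse "P1.Cb.Cd.Ab" into {"P": {"1"}, "C": {"b", "d"}, "A": {"b"}}.

    Anything that is not a known category letter plus one alphanumeric
    value character is rejected rather than guessed at.
    """
    components: dict = {}
    for comp in vtr.split("."):
        if len(comp) != 2 or comp[0] not in KNOWN_CATEGORIES or not comp[1].isalnum():
            raise ValueError(f"malformed VoT component: {comp!r}")
        components.setdefault(comp[0], set()).add(comp[1])
    return components


def is_well_formed(vtr: str) -> bool:
    """Syntax check an RP would run before trusting any component."""
    try:
        parse_vector(vtr)
        return True
    except ValueError:
        return False


def rp_decision(vtr: str, require_phishing_resistance: bool) -> str:
    """Return "accept", "step-up" or "reject" for an incoming vector.

    C values say which kind of credential was used, not whether the login
    could have been relayed or phished, so an RP that needs that assurance
    cannot rank Ca..Cf against each other; only the hypothetical S
    component carries it.
    """
    vec = parse_vector(vtr)
    c_values = vec.get("C", set())
    s_values = vec.get("S", set())
    if not c_values or c_values == {"0"}:
        return "reject"          # no primary credential was used at all
    if not require_phishing_resistance:
        return "accept"          # C alone suffices when the RP only needs *a* credential
    if s_values & S_PHISHING_RESISTANT:
        return "accept"
    # S is absent (no information about exposure to MITM/phishing) or it
    # only reports detection (S_DETECTION_ONLY): ask for a stronger session.
    return "step-up"


def ranks_equally(vtr_a: str, vtr_b: str) -> bool:
    """True when an RP that needs phishing resistance must treat both
    vectors the same: the "equally untrustworthy" observation above."""
    return rp_decision(vtr_a, True) == rp_decision(vtr_b, True)


if __name__ == "__main__":
    for sample in ("P1.Ca.Ab", "P1.Cf.Ab", "P1.Cf.Ab.Sb", "P1.Ca.Ab.Sa", "P1.C0.Ab"):
        print(sample, "->", rp_decision(sample, require_phishing_resistance=True))
```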
[Attachment: draft-richer-vectors-of-trust-02.docx (binary content omitted)]
/k1ExMS2rQVqVZl8iuPxq+1waBFpYbhGYF7kYO/jF+KC/LQMT+3A2QSyUj20jYtMSpxgGccMwiBW e7S2aVs9jQMdP5K6EH4h4ErHtqUoZMMyQRKlvq0KBuVaCGqP1q8dfgR7tByRPVqmZjimc5ELaqRg 8//Z+9rmtpEkzb+C0IcZO0KmUSgUXjwx2sDrjufGtkK2e3ajw3EBgiUJaxDgAKBk3cX996ssgCAJ kVLJ7VGBYvWHnbUtdycq3zOfzHziHS2T6I7rOioHfyb2jOSOlk1iG6NAgS/7yoCNI8tTu8bWD6Lb AYpihfCSGw4YE2NyL5pJy/mcFs0FwOt5EMP+5RkYc5kRQZXNk+ruAUpZxLKHTqAydLERbFO5JQJB 92+ifDYk5Y5t+CVfrumcvd48K8rqb/AR/dfc/5Mt8ldkrv7lm3SuPmU8MqEFzHkMhiMkcb2BCfev NXNkAk6HmH5oBeEx9m13P4hu6EQnroKqSNanFjS9aC2YlnLt4pK9BMm+j53+GcQ0Ij42fUeBFqTz egefu4amoJsl8tzs7o/q4d1C3ndIPhDveEbgxFvES/e+nM7xed8OGDZ46nGCwt7PzoXoHCEaTDzq tWQ+8GCEOSlE1k4gzzJD21EnRKX7AnDkNKkz7saTZssnlMt8Bl6hXjCVYcYVJtebMr8XeO+2skOp hG/1sW16ZFxWltMp08qeTQQ0xnC9wDTtY2zL7H4Qogc+ctExFvDkiOnTUO57wOQDyzGe7wgUyv25 JEYY5e45MfFCVYCVruGCKPeAL+Q7CDUKpuNXn7MnTws4bkhCtfZWvsIMpgXuFdT4sMB6zXWxWkWw mhwQsY6O4epGqJC80pm9OeUBUU5FtXlyxxMnuM7FmE7/tczYO8EIQZonNSC81ych24M0Ahy3HRIh glWxXDrHk+GZtnaXxKEMEbSLlwUkzgxIHOu6sjHyI7DdEx/DKQIWKrAHzhbsZ4c+R8Sl2I5tB56q ykln92XCwU787gFjN1SulgWs+2Vsr7M5e9WkoOWyzu/W4TdfHsrZ/ybmf11EwXFAdEfd05PPcW/J Ige465vw7SZMq0HHJ0JhQeT6hqGQbD3g1rEI8e1jnJOSI9RnxgQz19MBoDpwDvc8H5KCuR6ougsI soFt5CMHOKQEmZe4fd8krn+MDyJHkB9Dx2wJsSRdGyI35r2KbdTg07K4oXewIvwSTmJwl5JMy6WI GmI9MtzjnJkbmdRBx4T+WNAUwr48u6TpXZrzExDwJztQPFkBUcMp+980X84EF7nqJDB8fIy475Gx G87YTmGJBJSSqrLhassRFVpFb8o2MhRHhdjdG8owUrwluL5ksYEaFJBIy4uxE0XqRqh0idxEeD6A GuTFsHYNyhg85BRo3W48C0gdCvzINmLVPJEudYwjzd0u9MCG5E0TqICxqOZ7Ud7mdHa1cosCnCbI jFAQqjq6dE5vxK5dULNmca0ljcKZ/loq2zbFFl4TCsgCOoMD3zRDVSiUrzPiK69Bears6rrRFrSC 5QFCnLYChP1Q3Q8agR9s/R/smxt4v+4yWDbbdneSrEq/CPGGEVRNBiTtBgcPkxOgFq7F45GNYHA6 H1IXMyCYGI7C5faeArsosLGyH9Ltx1NwuR8U/PW5GCMKf7U9F8eRp8AX0hVJEP76gcNfP8BB6ifB NpHnBr6uCu4jiK33wjY3MtVfgN3UHewZlq58pHSOr7GbzXW5vLru8JtdYXMx9DIyaD/rQ1LwHO11 4AzSuSltbqnYiVA3RNizVUVdurxxnwF9Wa0u50zOsipdzusmYeytN0CkDwM4BThueH7IWKMwMNI5 3oJtRQGcIsoMO499X2Wc6/gptlzbVR3sZ/NIxsRkxsqra7hbzzzReZtP8ga1SPiDDIx9cowrF/eo 
dOw5vhHDJykJllwzoXvkes8SpFvKIn8ooYieazdJZOmeo3gtnddbzJJD21l3jhRK+W0Zvcs8thD/ SVqVNR8t0woW85fVdz40JgbnM4gRmUhXnbuxyds+3JbTvY0McdzEi+Y0+c57T6XGJLFoYGfvrL2y SrcbifuaPMMv4TKGUYDdre+Q3uThdEo1Ay3Kr1Pqdt8Oe3qeEAqouO05CLtYVYqlq/g9aMXTL1SL hBCeHRDHVAmPdH7fc9+3Sc3cdbNMcsZcmPSuui4bcHcMAQfcQN88Xsh79gIyh2JiOjFSoDnpMgdV o9U1+42D6MxZ/PM6Y2/Ezc6mI2e/zJPqCsxNklc0mW3vqN7Nb93TEcYBcFbxWyq/AeFarBr1F+fQ akw0RhzV6OUlTTl0kilySmvoU2pwiHKl360BgikCAY5bvhEYuqUSBekcHwQOGZwghabjDa3uoHJ8 uczbae9OIir6ryWtG5CLvLwS2iWCrAiHiKjdWtKZ/eoz5fZbI681ngQMMOxjIrcPYntMYrJIplme QUoIdogZnwHxLwKuvVuHcBBhC0fKRY5Hh+zXI9AdoX2uNsvhbMc9xl0rezySaXiWi1X4IV2bnoIb 9RRu9LkYw3GjLfRQwL5gDxlREKtdTtLVaQgT9ThM1NuGiQ6hh33mJsBqHSMnjMNj7CjufhArMGPL UTd918YgtJCDnWMsGO+REKTrvq8g15Kt4x86cjxw5OP5qh3EqevLv5T09vqyLXJ92TaxiV2i+hbP xJsnXl9GhmOHnqVamc/EnpFcX9b1EFu2cYyIhd0PYrqGY4aOox6kH2DA2AgdZbelhwNd0aftJT82 /NYPVK2HWUTMgWMR5gY8xWzZzOaDR6ePrY5/cJpFgN/YcQ3PtoAvit9y+f2UySMrhBup4TGq6Z4H Qa7tWLFyUs8lx2ewZ/o3iEW3xFUSMRUv1X7h8fB7KN4y/xf0Sy9/49YxXNd1RRxhaOiBe5SwjD2e IgxdR1cnreR7Ct4VrBc0zS5XRwpWc1DQCbws87y8BVzIFS0gJHyzWFaLsuajLK1GCMg/CQBzGB1j GjQydm/0o0612+ssvV4dI+HBHoefJdq8rOA8cCsUWk0hbBRgs+k6TmxHqjkpnc3LIrlJsjyZ5nTC px83FXa1rSCpoPnfzczMYHlBchhdf16qmifVdyFqHwR7GZbrWYatUpYRWKYBN6WI1so6dk6QI2J+ /72D7pbpkq8K+nrxD+3bt4mARdR9P46Jpzq0fSQQmbrvGgoOJl3f3vNaUAK3qbIFn0dut8tuX0CE n5itQ4Fksci7MBGSJAENsBm/Q+KrmEA6w7kN2470edm3tXQQ7WeVBjMpw0ChrfnyCrCIySPI0G0T WKsYLpfhJRwVZAp7yUcCV5NEzKNdnO8vBvcGYAzuuDVCAlKHYi8MPTXXNoY4bo14TFmKcbmEmdnO yNzLQTh8crXW/A5SEgFmW74XBbF3jIuGRsbs+bKbiaY/0nxZZzeU+YnDSCLr5bRezhcNo1mI3jFi x7POLYOpT27KbAZgfsqDuRbZIaBMRmChwInVyKB0ZeqNYw11uIpqi5J5bCjhCLARR5aDPV+Bo/sH iT3D8fl3Krl+FouKJwhShdWU+jmYUbFjhcT1fcswjrHhuvtBdNNnpB+lNssR3gc3B24uVuEivRHH 8gNXLI9q/S2PcwfhhBRd7KqY/WyfUJda1x2Cj1ILRyZ0WZFWNOHZep1WyyYrWAa1BPwdb8r2Ythl 9czq/i27gpELPkbIOzsiVtezXBb5KX5L5/dqj8/AcqjE6d/15Mxq5+VtrzDdGCevQ5ycGwcy/Hy5 zC+zPB8ubfyZLqhtRp7KAUdgCWDnT1bxiyQ1h96enKNuoljEg8c+cSKkdsj3iBSMHE8PVaVQumAP 
jNS+Lbnu2FzFua59LNcRF4v0HzO3I5gBPZux5GR7OdweQsfonGdJk8BDwzzK1ZJpctHQ9gw53O6h jMq6EcMdGkYYh56r/Jp09R/zWHe3h72G/qggnlsPDRLbamKiVzTkEYcE8ElK0aQq2jnSvKapsumy 6SCeNc0v36x3Fi8bLWVS3tpQPuenNdmcnmqLEn4ng3aegApYlu7aYaCKB/JNq6YtarpkLv9uXi7F VvgPwyzOJkOPYrz1FVuPLGOFP6fzITFExPCwZ6l9e/2DMDJt8yh3Ao1ML88N0aQH6RJThb5fd53U LMCmRZvsMFdBM372ICt40F0C1kCr6Jy5iRz2FYu19hBxPZj4V/I4Aj/BsX2Ms3OaXidFVs9r7dVq gV1dpjDouMp0tzeu7uYtsd2QhX3ARWV8ebnJI0aMj3L768iE/RxD55ZFv4Bx16ZZMYPqzcAeS7G3 Fc1b/Px1tljd+uVdvXvnO7SkmAlooeUTWw9sFYmPwsL2jLzMurNadxs2Nrsq6OxtUTLnn/0f9uer kaJa5JKDzmwtNg0V2o2B0QNTsje0QxJDOzpf5OUdH1mraArXqx6gep0c3gtHgeIY64ExsgNvLaFS rflwMf2eFx1KAdfREZ7Mawl90NsYRmxbWEH1+iAYhbAvRpU+n03n8MSYsAivyuZJdacFFeX+luUu X+vkSgT4hELXt2xyjNDgPUodhjZyjvJB5Mjwg3DTRSfZ6VqylyDZD6NOW8SngPRbcRD4JgkVs2Uz e43O1WZZvd3QlkPqWVakjQbnqa/Kqjv+tEMcOVBuY2+MiM31sW4SXWWp0qWuKa/oqrALFweLK/Yw mxcnBbhpkBDHgaOAZn0UqDu+FZpKvKWL98CK7k3MjUFK9pxWNuCgsg2Dylw52FHtrZYUXR9XWyyn Od++Vd1k6RBqvSfPHH4UfFIcmHZMtj5Jfp7JCX3Iwuhx5JvOUe4S22dhiO27Hny6sjBSLUyQaJ9h rwZAazhkjAXm5XeIll7dZs014BavodtA85oKtdF020OmumvUP4htWW4Ux8co6nskxDXswPdV0W2N PvMjjGN1V6EPyN0QFgyrpF6ud/j5y1eD+G48n7SbPnX56peS3l6+ckQuX+mR5btqNcCz8eaJl6/M OMB67KmRk2diz1guX7k4RPZRsn3Pg9gBihA5xrbo7gfBOArj0Fd9YunhwGPRwCiG+4OpEJljnN/8 XwVskZ3Re2XLPR4zMDw3jo9xRnv3gyDPdEwSqlxubJZiby8ByzQUqfb5OmHRj1bTtKJNf5E+gZZC VSRzOOgHUNS6vi2rGaAIplnBMcgC2mkhL4iJpbSzN1fYjKPjrNaOTDuDmRZUd4umZOn74jpL29kV gCx8p3d8eWZXnuezSlrdagn7MxGx92LLOc7x1t0PwnJaV8cRfLoSe7liT1diP3BPMqg8E1K9pL5j nrOp2A8Kqp+h20SdpNwsK8VE95FaZDS2mHCk2eP2aZZ9ZI4xe/xMk5y5aeasZ7ewvqIpv9NCeysc i5tj+6LV0O00Kzsb+MCnbGB5hh/CdXuMMyOcUKlO6K325fzDm2mSfm8DPME5p2HaBgTHvu0jfWQv zAl9yF/qlm9HoQdmXPlL+HTiGqZtqbt+z6eDeAJHnHdM5XxIiuSKb7Tc0srdfLOsCJmm2mC5mYiG sW+ofqL0wG/PaM68F+9fNJ9jBK7rO46Ckkvn+GA+ZzUbMwgupFjbjfmcDQHcnMvhS954W1xE5nTT jmzHVTInW+ZqCjzhK5ZKuOv0x2d1dOR4RhRGR8jbPcIeYtNDPnzn8Qn73ryZjC1vZsrwIdE+b22v vO9/a+0VtLm09Losa2YQ+zOmAppBbMP3HLW1VD6j2T+bLIV+5XxZN1pVNswWtovnbsrv/ErtHDwe 
vzr4WnurFaUAo009tkyiZmdGwehkNuOhMIudb2i1PkY8LFnKoPuMSdqOGD+r62UC9Rihi4qmEXph oFbjjkLauAURhToQ7Ia+Girp/WMcWq6BVdNJfiA01S745tW1KQIfuRJu5gdZEATJINTAlwu+7gs2 e284VRHDRXzT92KVBY7BcPVLA+k8ybZdJcQ9M5pTznreZKcQIP1rSe8tEdnT+RgG+/DFRqRjZG99 sfzOByf0QZlFNvEjV2W3vdEOUeSGpup8yDfaD3Z6t5Jva2zJd7zMc8E+9ZB2oBzpBIfRyGwJJ3T1 MTKe+qw/I9WdeZvxE280YYZ+n1+HvLe1+gIO3PYck2ADtFzpvmwHztgnqv62PPU/q5f1Iksz2DgD NeWbrNkG6O3V+yHRQHIcmsHYboi0hD4SQ1hxTNQCjr5lEBqxj0ys7MhzaSGemBNN83idGwz/edt4 FDb8rq8jRBT+p38QwyWhR9TZEemeEGATbf8G5LprqLfRza/BS9huZBHTUayWzuo9eIkNrMJaEG6v MyhvVFS7iIJPHz5EH8Mo1BqRbg4yTRL6KsOVz/Bu/WuLThhEjep4/b/r3edJUbCfh0uOGzt4O6zI 4KukPDKtJgJqTKzY9Yl5jN333Q9imp4f+ET1DaXbNS/pjn43lMOsoL9StMd7mLoxp1Vp/ZGfal2p T1YLIQWkXw89HBBHjRFLZzZgT/j+ztaN3dKpNq3KW/YDQss7ozDyI6IA6z26zsBOyMzYUQr23gqf M7ooglm5qfa5tWlQc24bjMk030jXTvnWCIgtrqtyeXXNz5vxbmNyJTbPYXu2HRlI+bQxmLlXT7Rt lmk4Xqy2rK6dth1j17GU05Zvu9In266Eg2NGcQMUru8WNBdQQcM2fDeMjhGSs/tBzJiQwD7Km8Nj U8HZRr+CFinsJOFlCB4lVDS/g04341sDxT/YCwKqmixnGTTnRGTfCULDI6oLNYbYoUuGB9Nk2xHv RnN4GO9yJlk61oOtb5DfHOaEPhgEoTB0TKwOkfRBkGcQK7JUxtuXAFzdiR21+3ftox3shIatgpb+ QawoNoOjnDjcY1QJCSN13WmzjOgHOo6VDeklJIxR4ONQPciqksbIDMyjPLx9O6Jo+OcvvHT/DOJn dUjll5LeHlJxhQ6pIMe1jrNzI4U3TzykgnTiOfZRHpCQwp6RHFKxA90y3fAYiz579MAxfcNUU8nr ByFBALu5lWF4Lp8K0PSgnA+cvxRS5suCD8EWV9pvLVb4tyRfwt6XUrs4FxlyJmEY26Ya9lhnWrqj m7qupvyfS4j3d1RW+HeAw3NfmtXajHbAMybhG3hb6LGkjDT2VBxYXQiIPsYGCS3nGLeqj4zTLXqw WbXEGDPZL7s9OBvr3U6h7XKTzcDcZcVlWc3bH0mm5VIEfWOGnoljrBguneFDddUuKYu0E2iYrnd0 TNppmc4IwN4/ynhOtYLSGXg4ERVHyLOjQM1GSOc4s9UckDJg26io5GtC511MtdOvwC93iaqAKFq6 HSEHg9ApUZTrbTiuOblr98OymKJuqrK4yu805keKHrKxHs7qB7nA8bA/EuM2jmKsqmnSub3Tswhw kHheEFmB6uv3vtRCETLiY2xSjkykv2zMBl8nzH7RGybi+WqNCgB7ar5KhWVHIqKOvcB1Y08BFHrr jeMotoJjBCiMTNS3pPd2lO3Bs1LTvHw7BNxD6RjHZ5PFImfxLsTmnUnp9xC0m4dv2opiMfhAKU9N +8JPe7ZVaJu/aZshMrHaiCBdm3nwzfjX7+5vJU7ER9lYD23TVn2f3kdZ2NMjS20nVT5KwHCWvJZ2 qD5q5ZiS4l6NJkmrsuZ3DrRbFvtqy2Ja8ROJzHUJmBUSmHZgqu7pKHzDsuDFfijs05mIUzAd4uiu 
qZxC7yVNy4mJFSlxVk7hUdoPPHG5n61AYwjSgwp2hBcs1JxlN9mM30bRkpskyyHLOdWKUmhU33UD 2wtVBXcMnuEkLfM8WdR0djLMICA7FfEVOjaQ5cbHCBjf/SAYR55uqP1KylcI+orDTyBWyAHIIvoJ Xt7mhbgza0TsCMaW7dm6mtVaPYjh2VHIiFd2RNmRn6S9vEf73s1RrkQb+LIMIN9QUTKCF9dZymPk 3fAHAZtIIj0mvqlqkWOIldtVwtkKLZtW2ZSFyg/o18aeiqF2wQeN8ngJJ3T1MVKMgUisoEdGGOsk PEK92P0gCFte5FgKjyndUDC9q2Et0QZiJKfJTFty9zDjG+eLK55nzxfszeqmYr9+M01qoZ6rblsG ihxVV5fO6B682GLlOxBrD6pOYCc9b6tkRToGbO5ZtShbvN5t1lxzrGaxhJFJkTjEw57jeMq8SJc6 Jmaz7JI77UbLu5NdLZ4EEu8yLfOaM7hcNtrlsgJ0P2xNK2G4Q8S1IsN19RCp1k//IKZrx76tZP/Z DJU5QRNN+9QOCfwTms8XW7ZWQIoN4lo28hTIuJdi2zUCQlQmOYYAcRUlfPj6+QtECH0oAbgL2O+/ oFVWzt7UFNgHv/vqz5M/v9byrG6YBxCQf9v0XM9XQzHy2X2vm3rK3bNWlFq9oCkcW9bKakarycZg Lvz0FpflfNRZezULKnAiNjdAnhk4x5iUj0zm4FxPmabLSpuzF8wgzWyyOW0DQx75b8FEO4nk92F7 ORVguG7HtmM4yqdIZ/jaUUzvOudRM3vyYcX9DmoOoyvJxjk8OIuWsvQh49t4BDiOQ2LbJFLVB+kc T1jydwXtBc37GPbFB85m7kh638J/r50FH7oiAYaTmGDPUHXFEdh0iBU/fvqyMuwwsN9cJ/eOP8sg msUJaXfWaHv+AKJdPgp8Ct2TXCiKsBw3tIlaEyNd4k4GkvXopcVR4muCdBIMl8k/coNxhOsmT6Dp mIAxz+AMSRu1PZlB0hiQPo0B8p64KIWwSggh21GDvRsDA3EUxYYNn6SstlSr3a2r20Bvd8dby3nW QIZwWZXzPhicwOZM7brM+e4n/u9jaiCiAUHooMhWyb50huf0smkzu6Ln8TDSZ2x+vysDEOO14SHL CgK13ks6rzv+nm62mpnXmiffBw5WBtVnYEKKUksZh+ZcItsu+IYQ8gUbzB4JCB12iUP0ozzdMDKh Y75jltVNVqTNynn01YW1JWnrDDV06PgyJ8b5jVKTAMP1wMB+iFXiJ53htwkPhPkOUJFomBgoNgIf eKSi4TY90LEZ+6pMOpZouKt/r/qtW4PuA885ziQ6yUuIz7PZo0B5+Zn0HmbwEvRBPDbfiTxPqmFQ 9eBb77YEpo0sNyKg4MoSSLUELfK23XxcalfZDZTPuSlY5cndOtLNPvzNYAOpJIFkgVUH6RPwxqYb mBh76ni0dJFb7bdlOc9B2L1lwehKaV3DOP/4/czZqdYe5eaHYVoFb6dO1wjZjgUiVQ7dimPPd47R VO9+EORaWHd8NZC7xrsQRHxDTR31iZ9tYDuM1CoPua7mj94KfMzUq1OBf8hN8VOBSBe6FWh7KCRH eTRICnOeeCvQshxM7CBS7Hke9ozkViBjeUDiUEWG/YNYjunqrlr51DerLM+LvVjZbenxAECaoXcx YzFP2uR32hB6NB5qyzmID+wHT9h/7rrscdoTTQv7DPax+GZcFdPtRHsfuQ+WTIlj+YF1lJdZR6ZL AByq6JtlvVEm3aij1tqrrEjzJYcONdc0W/VZXp9qSZ6Xt8PtKHtsp+vbDj7K7uHI+A1MTqoMcsfy cmPL59bhgnYt9Kqu1o+atwsvxDhOdNMM4qPc9DZCjue0ge3eLMium6TgygytujxnbmnBfGjddu7W 
3REYYGV2fQR+9WwhtL3C9gKLhIaaU5Mub11/oZOxegkDh2BP3qxaJV2jPmNCt2wY1W2Trk7LBZ9h aq7FAItWrIe+odDI0hm+AorxvQ0TAdbpCOHA9lRq2decojDSg0iFR9JlOS4rjf5IwGNuAXBb5OPA He7bs2noEtO0k3O0rYO3Y53ZGkNwMfGmIo8le2qJr1jOk4byBXMni5ouZ2VxNy+X9amAwSXM2Mae q4LxMQRHLMSBuOg6qehM+07vHjAq6+Wi90wKf3yMAifY+pStl5axXLQlVKpOn2p1dgUokWlV3rKn f7OAdbwAIqlYmMLX79Ttdt4WXFKIHEO3A2S5WB1Dl69C7ejJPIG8YQwupLxNqs37yIy0Irnia0Hh 3sb9K+hC6Y3uGnHoOiq9GVd68+cOg7Yqjn5m4SHATfHrrmiyFS8KrfHSfd8h5lFmQyPj9IHM2k8n H9LJY6SOIsQfEDkty+/QQNrKlUDu3xUJhBr/+z9LP0m/txSvfngjBkISv2U28Z644OAQEonvRXlb MIt2k6Us371c5nkboULxrltvDUOeAlYMuy4mFrdDyopJtWJZXS8TCMghtq3Kdp3q6fbFinUesihZ MFzX3XbrhOUlAymXIqiQGwkInWVaFsJIYbWkCx3LY9dpF7Phb9LrpCho/kDStRXI8yBaxMx4sWO6 SA0QyzczPN1p7nqH0Sc7NXPmfStRRIsN5BLbOMbVE7sfRGc2LSSuEvJn8zfmxID1KYX2aUGL96EW lMx4pSKTeFYcBqbvqQGavlCGzMgJkIJJSrfQ98RZ+7399be2tbUl3bcjzXbfz86F6BzjNDxfRVBT OAu3rgzx3e/tQSAR8xJahu2GqnMjXZu6tdrAycOoE90MLnWPUnPOTrRXnWJAbRwgxq8HVI9ICtqM pZMCZleb8jst2sKvgC7bBGg/yjh3ZLp8EPr7UxtKRvXQfXfEet0tC1ss8qwtPUIbbHgiBa6jcP9Y iHjGwI780AK9UdokVZv+9uXL+Wft68U/VpbxQPxjMz8o/9hOOYJBeN05IqZGjOQbQNB25RYBvSEE E6QjVaiXrjfdrehuSa+IyYt9ywtMNaO6ehAzjL041NUOPumyfA83Oy1nd7yjVPSBcmu1oLW4DWDU RnEGq2uICagh1gPPY/KhpE621K1BlI80n7j87Wg8iRhdx0OB6yl/OQJ/+RDSLi2X+UzLy/K7lmff YaaIJRh///zpo1ZO/0eslm+gALk6Vu1k6axeJHd5mcxWN6/6UosAE5Eb2AShYxwt3/0gemRHuqH2 DcmX6v8rIr7YCANdHWOTzy345zAqGVn9pJUckqg8eaedXDfNon739m02W0y6dGGSlvO3J0JTTCH2 XDdSI97jUI16OQWW/k9ZzEqKDGwKMdEIjNj2QhVOK/smbDluBlRKIeIwuqlMIQ9m/lcAUT8CyLyI UcOmY0eGoSpCyqiJG7XDaD9tBG19Q7oP3crq6u1BPPYB9dLPhsHxtjjvNkDEjwMrcFVUJd0A/T8B btlhGJlE9fHW4osR9nRDoRyliy+MMK9ad5uVV9jW1XVYoIlSLgDXk+T5nUYLPlnG/mAJO78ExB8b MTY8FS3J5/bfP32OTgFxtaBwyJMO8eLbm700zb/TFsumO/6ocLC/NNASURziEcdDoCJKcaQqDthA lWb8m9/5ZLUpcvABUt4xY3+n21S58olbC+JAIrKmX5qrJZUIuMDwvJjERAGYpGt03VRlccXimWm5 hIGdFpt3SWe04hdEN1AHFeV/s4Dfnt51IiHCbDPyUGyrKFc6s4XBBKYZEEQC5whZtvtBiB0hy7MU RObZHI85we1o8mfvwz8ERNYO/SDU7WMsBe3R4dglMQrVfi3pZrcTYpZxrqKmDAKmjTvdfPjnMMaz 
vCVz/CwgaJPjoA37QprmF3QbRDzKiPtMyPtZlhfAhlGlOZI1pz9WzRRmEH6yX1xmP7KByEmRqeKK pUB8UJoHxcuqEBAy3cMksvxQCZlsIXuq2R0lrIAJ3buMNo+aYPnIAq4Bh9ADfvf7Fz/8BinxZVnN mfPmewK/XnwUnnwneoQcom4IH56OSxG4vaEVEyf4nfHrzL79EWXFfrEo2wtMTKES7Sq7ocWGd08E 1Mm2Qs8L4mPEiO9+EBwZHgr4Kln1IPzTdQdyXiUha+y465NAP8ZC3u2ILKC6Yj/qkLS9Yo9Ertgb gWE5MVbLjJ6JOdO1nIhcsScRI8kwVa/pmdjzh6/YD4yDFPW/fNPumNn+52N5Q+dT9jeYOSYClsHG GNtEP8Yxrd0PghwUBoHab7yuK3tGhCKi0MrSY5LHQhJVDvh3vj/N+e4KjhliQgg1gaRgUXBDCzjI IGBrLcuMLDdQbl66Jq14ybsfG7fUOxx1V+DZAR26LPO8vBXcBuziACOsGnLS2f1fH/6h1SyXnSfv BPhmEux6vq7qU+uGgGUYdnSM9akdDmoMfbM/5c1f/oNJ+2POVHqRYo9K3tAKfCaLtidMWGiRllBj /+vJ1y/xG+fkP/501fxFxMDqHiK6o3blPKvcPSZzB9F4/lG/ax2C0NcIXYnbLaOG7QZWoB+n7RyR xTmU9In9569o8zGZb3fqJVHD3/FpKiKFzr8+ebxHwWH+EKUHBofpjL3Q2J4VOUFsHONGQjksOnCD zagv6nc/DmGn21/5cpB3b9/e3t5ObjFfCGLoOnrL8uPPwgqCAhKb3lHiWUamIC8pGu8qck/TooPJ d9uL2b/xsuKJ1tJ6ENatJfkLI+gA7NuJYN1AjwKfuKYqzMp38S/LiCVF0V3wPnQ7diaoSoZnhJal lrCPQpVemDbNynQJMcHLUagvcOWg7yry06K0gaZj13BcdyInwMjD2Nb3xzg1buPmOwYO1CzyWOKE JyvEaAOFwYdIoePoghWbmLpleirul67PL0qZX0jpQlSLTMPCyMGgL0qLVP1PKZEAr9r6X7AK7w+q BNhT/cKqgFbkmYGjqzH3sUT3L8WUHV8V0DRcz/EsdetpDKqkqoAHVwUclv9U9W8ERg2HfuBHJpgv ZdRU9U8FCH9Al/QgDByiNmfL1yVVeTtgLTJiMwgc1WwfhRa9FCWCqDOnP55e3Tmw6ttT+SWFHxxv N6BUCiEvDvNnEkc31azgaKL5l2I+a/qvJS2eOiV1uEEIjn3sGuqmxCgUSTUBDygMqegl/K2+BzjP ik9puqzYvwudHMaw0zz50ZJ8AJHBX0+WBT8PRRkVoj1BWyeWaakoYSxRwospVRxbmEDMyItcFCpN UhU/Vaz4Q5pkxGGEQqVJo9AkpUiq6vfL+fFSIXa2HkR+aINFUqZLFd1+nfVKmqbKpsvmZdsu+L8n 2rJm/2/F0oesYpmsKCKPZbFWHKvRtTFo3gtTPvZ1TPvSZhRXDA8fQ7NHcqYJ6P1TZUaWTIBEDJYi jzR0ES0FIttEZqAs6Ghil5cD/3spwYt4yxAjy3fV9SGVBihNegrD2jSAie3yZ/MAi8Ru6KqRd5UH /BvzABWDjyIGz4qGXtHqabyQQqxwEI5DQ7ctWy3jVUG4Ch32fIzoMitkBZEeKVWSrkqqIX/YmmQ5 cWBYlloc8XyMeVFIsF98d2bcymIExEPIBHE/NmXZ/SDIIgR5sYKYSvfDcVlpWVE3SZHSzbOP52jy mHaOwZQE6cRLRQgdY2a9uQGjv64pYE6IG7u2YauujHTteao7lqIje48RX9BHjyzJr5PsefuvFx+f /PqjtGDq3NWvJ7Q9d8VcGHcP2qtyux64x6oizzFiz1dW9dCsqtLro9JrptRMtZleszB1Mpm81m6v 
sxQumFdMiBZlMau1phQMpXCAXSdACpwrXen7o/IHHlQxwTqQFXAiZ+B1y4/1wHWOUD92P4jlESNC BAg/PoMxSkerzsBzRXVc33JjBS97VrlTrkqm5hzE6/8YRtZSqMiLw9hWIWLEx5DZlUmdPfqiI0jt ADxZv2vSd5+9D/94Z0z0d0kqPD4V4tAkSBVEpOdG4GqiHw0tIFAQX0evx26oWmzSufeSEK83ZfOu PYf8NHdyuL17Mwoiz7NUYD0GPXppqtTvPDh0bXpwduP8ROPjG7DiTXgJmWsFTuAYSu2U2im1+ym1 C3q1S4XVTjeJjYmroCVK7ZTa/ZzaeT+hdobuRR5GoGBK7caQrL0MoPXxZWuW5WMbeeoIn3RF4lr0 1KKVHqLAJEgl28+nVwdzZG+jjTWgVwo5h4r6EN38o7vYi3wF/OhNU+AZTmAcY0Fi94MQI7K8wDjG rRq7H8S2LDv2DNVxkRt7XGTpNfvxPyXzxV+0v5fXSVHXZbFKqKMfi4z9qPYhudMQOdUMHVl9ts3/ ecyGjyCw3xt0/S5CvFz/c55cUQ0Z3wR8kB7GJMSxWvr9TMzJk7q5oMWMVnQGbPIrmnznXztdS9CC /cHqr+1jnOGFhhm5xzjvOjLGNWfvWYxaFbR5E1bJZbNt6tpZz/pNefmmqZb14E+1j+UNnU/Zf5AZ SSKgrxZCoenpKiLopwt8L3ItXz1I/yA4dBmZahOb9EjBOwz05G/lFyE6FTz1Jx+Y2/15Un0/2Gf+ evF+OPuVFFpS18uKLzVIadVklx36GX5awJNhLzQtwz/OKY9R2akZvcwKOhsq03hoTFImfDCxAYL3 ++/al0/hJ+3Nhvw9plhjaBRt68h2braHZLlZ5LcJS+WT9FpAl3U99B0cqxFP6brc5hjgbLT6ulzm M21KtYpeZXUDmYs2VKWLOPgv9o/27dtEiM8Wwl50jNWC3Q9ihCjCJlIQumezSoRZpQu4cVk3IMVt 6137DdAg28Miuxlme4FuRf4xWqrdD2JiC5uur+pI0k33+0KryznVshm0YJs7jcUETZmWeX3Kt4Zd nGspi7phMzsTfvZbSaMxLjZZusyTqis0CagAwXpseqaaOZLOcdhpysF6NXjpZLHIM+aiIbnSrkZx 9OiGFmtxbFisXSd8DTuzwV9rHkQIbQDRAw/FrqEgJ9Ilrk6Yganviib5wdKnPvPLCu0z5ZzVzAk6 1ZiZ6axNVswgZYG9hczcZNuwkN3cxkGk24aj8GHSuT2jNW/EbniJpF4wRnN7021FBOaDe0m2Rtgn ImrtulZg68qRSGf0eVWmtOYWOSnuFXLGWRW9XOaXWZ7Pn4xVH9HLl5egOjVk2Dwoq7WkoiuFWiyr m4zesh8S0CXbIZHrYqVL0nUJWHcQCvR+dn6wigNWajagXsoj0ibJ8lZty2XD/uvthuY6LRe0Ve+s 1sBn9qVbEc9o6YZLfB30VlUZ2jqZS2LXPEaoqyTBJhM04TWFTwtavA+1oCwKFvmJCG/oOLHvKETF GmJi2AgfJSxZjvA+VCLbFmft9/bX39oSWZpnkNF88P67L5MlWk0bsRjMIohESPFZPp+TNKWLJpnm BxKKHTKEhg/Ssv9S1lxzHTqMM4Q3zUHcH9Redbc+IJTkrdnOLr1mtirJtvfW7bZKCFuerweqQSPd KvUupa2oddn/qhupfZr+D+P15N50gxTJ+wJnZkCz+yTmMqP5DO6hJIWA1NmxHiA3UEsq5PvCqkru gIt///zpowaXcIur+lSjSXrd/apr0VzetfW/Te8pHPvokWnGth4pfsvmd+cw1r1BZlFAm/vf2PTY WdEKQveXoIxxEO7b+xjSYf3nQQe+R2qtwHJwrMoK0qW2Ka9oAzOBt9dZ3tXQKLCpWZ07a4tsByGd 
ny6eJpyj4sWKE5P28Bz9kcDh1FMRH+AEyLaxyn/l+3wtz1hEOZBBKbrAAo+V/nZ9rcuymmsnv5/A 7afp5DE9GcsFw6kIoZKzxdMDSb4DKvCeY0i/v51AwlM3CWBFRSwg0i3bwArHLj+eALgRzXhIwY3O Ms+7bEZjlkdjAeRhxBLBASjKHi7AGwcp/x9veqLV2ZwJc1LQclnndwLaZMXEJrandgtI16ZPF11E 3upPQPcwlYfoG+UDfuONWdCLbaTBHuNpBr7jOqqEIJ3dLEJr+bYJ2RXhYGw5PrHUeE/f+Y2ZULuh grJKF+luzmdVgu9KYB+8gXOVQfPZf2vlPGs2KnanK9h0C5FnkUxS3LU0C2ghJoFuBTGIlxI6qUIH zZK1M2ytarLBaA2Q8VdldSdiXLFh6HGMjnF12Z4HsSIHEaLCQ+lyDu2FOU2vkyKr59r0rrv2q5Cw z/D6ixa6z5yZAl/8WipPNEAZz5MFPC0z200pYKV13XEsWx1kk2+U7s8kbaYzB7Hyg2XTImSOcrJl yUsF9SYOXkR9/MjBOFKwEenq8/SZBQt5MfbwEbJu94NgrCPP8I/xQeTI8hmZGO3MAlxSFRFZPfCt 8Cjnync/iG0bdqirirt889sJsfZqPVePX2/OKGyu8ljNKLx03PtuoTVDO7QtT/UNpAttV1Wd3mlZ kebLdk0Yhx6uVj/C7xyEZG5cMtm+InJBt+GwPyWyFsJR6KgVF/JF9uvFe1hHugIfwhBL8nhyOF4R DfKkrp8oo6NiybatEKq5mFgnUYCUA5CuTWDsNzZIvjoIPUoPV1mmNC9vX3cA/64SPPiY8VAL+lwt c8qBoL//fhhGFoJwMLRF0Pz4436fEJMZFctSlkq2pfr2je/LE+q8ItNy/JgcY01/z4MgB/nhUd7M kCPGZxbY+J1nAHZzCLvEcWysirFrHTZtxyFqNkW65f0nS1q0dkFkRVOa3bCAIOnbDatJxMuqnMNP HUSQcBD4gbNTLWu0gtIZv78xT75TLRHxfrZJrMhTmiNdc2ZMReBQM4dV8ywL8q1OYbpp3g1NStuK wAQOCfEfF2A2CX1DxxiYopgtldmXVTKntyXLoqHSz+zJDeyWq5fpNeNxx9pTLclZAgiJVU6vknyg z5LsTDHTpss6K4a56B7zgjCKbVftdpYucW1uzmzLFfPJ2i3Nrq4B9HRIXvjPw+rHAdU9YZ0P7Go4 kKtvh3+UDNDZzHtWzFlCx1TAVpnm/2fv2nrbRpb0XyH8cJ4SD5t9IZkDBGg22dgMTmYCx7OLRXCw oCnK5loiBVK2x2ex/327SV0sWYLb2bGaNEu5IJHspNlV9dW9ShJfEgjfWMeqVlo0OClN2PaTt0sP npg+6wp7nRRfGUsbjfqhVaMG9PY9gQOXjpHehy+EIiSpSyCs8CTOwqQkY7SXj3BIGETCx5CLswuR F0Wm89l/S+eLvzu/Vjdp2TTKcVy9kj8X7V6Hr+mjg+gHvTuarT/rXi8p9R5URx/VDT9MDm83FKMX gDsI7y5xPCxQzGO+0kNjbPuyQpyrLZ8sFJXWHx5VAJQLkgQQHTsReWZps7zIy4leRqmlKKrz9LZ9 2iOA8KVc5nWZLz/GdTpdHsG3XuGXs57h13ysph8723X39Vt1n8+v1L+qgJsaYIiXEMFFPEalfPhC SBK6fhjBhWyD/GFEIQrXA+lPt1EJvVjtyS5HHQDWU/l0rc9LJg6EiP4ScmRVeZ8/dq216tA6nGAA tzj2BZUCuiisC1PLgQ9VrVNjeaMk60r3JXZdFDrc6ugO37Rp9Gr1qmyceTrJdfk6dK7/pac0GR6q vBwsJYPAgXWh2e3dWKWXi2WTz6bnJoQMUISoD3NKtlFkREI3hGo565wNltPJLvvrH98v26XU92kx 
60VZQjuCaVVV9m+Xl9++O39c/MNpzztZ63zTMhkUSsG5hDIZ6yK9LZPZ85DaEhl9jPX+Ek3tdjxl twjjx4UUPqKhSQzWjbGPY6IJBuS2Su5Jld3pjb/bdVPTal0C1S6oaT6ZiG+EGZItRcBEaRmc0SRR 1jcwuG0Gf6150su5RcVkMVjDRSuPlw7f16FLRdPcqa/Xmm61W+xZ/HA1ykwrxNeymhVW+ilL+AjI YS+gcpTTifslYfq1yOulugFdb9oabIofW5dhni6zm14sLnk+uGIlXl3tWVEaGBo4SVCQCPAT+sBy O3i4rG7zsisE1CkX/dneZuBhjNIsnjV89zEAfNYZ5ytJNxAclnjSRQmM0eyD4GxiOU8CJ+cGRESC hUEYwyL4bZY95oEMoVhocG6WFdTc2L7/9dJx++D0rT2M/qujUXh+w+LwwTLNjl9toBMxE15IEkhz 98GwaaVGG//vOhrSp3tfJWc0TnV7bQZ173tntXKUYTdcTvNldpNP2kSsAVoyFAde7MOczN64gY2W xG32DYIkf2WQRMNiuyRZS8qTgMkTD9xAaHBMqY8keJl9EJrXBUw8FyHqwzz6bZ8GR5wEsELBOiu/ hJ99iEB8cxxe1+nuauEjZ+3lzpypUq91UV43bfWS4rY26/QkhVtN9Tv33Zh1vU9ws2jNAF08jpHn +VDk0Qe98Dwxf5M2SsXr2Xh6m1ujjOS2OWGhvyCfmKgPzF0cSzFGa/mI+kBcSNcPgONBfbx49s/i vaiPvQewcpk7KmxRF/O0fnSyOm9hL505d40egbDVZCb6yws9VxDYDdcH/bXd8PoWmoz6iYhDDI7Q RrUTyliAoAIdNJkB+H59l47QAS0yT0ulRtqGgE6VGGCLjxIcIgxGYR/UyI4P+yaqhHiESZrADL+N KvEpISHTjw7832tVMoheD270FL2s93mHOnIzy0J/mJfXy5tn0UIDzMR+6Io4gQxSH1TkmynGEPue ILDVaFNsQHjk+Rj6g6xzPZ9MCg1iysJfjR/ZDnRewdk6Iz4rmqWek9VuvijmxSw1CSUh6sYEJRBK sk7qadrcaHWlF0a0A2eKehglYZNcOaNZutwLXfbSAPpsog9wwKkbRWOEv8MX4iXCRSiE4gPrICGV Bsj/TOeLWf6hG/qwJ3P9Oe1mGsUgQOzd1N+vJ/iY6P6QSTdKYByXdbHecN/5SrjPq/raUb/SsvhX u9S83dFadFuJOj9o8fRrDahNiRcihiFxYp3az3xYk0k9xCeUJ3KMhvoRfvYpxSKAIi7r/Pw/Buzr R1IKEcPyBuvUcobSqjCE0Umfzz45ZzfL5aL59Msvezr5lzOTab9IMhx6BNogQTAMWW7bDL+2HwYm JwetXTNpIaF0Az8Epd8HafmmiPrj7Jt79kH9GZ3904SAXhQkLIzADugDAUVLQNESUKT690EAoLga AuAZiQNSTBvKEJzyPojD11Ycvl6ZkY4knHLGYFFQH0jHW9LxK41hPDszGWVNcJK4wofSDuv0+18T oEyYSxiDfbubGo3EDySL9HMC+1plX146F9+ch6K5aRP3lZPd5Nnt091K62VKaQm7lN6aHpm65Ha2 imESDKNQRLELFph1OSra/fVdtqtdTwLD2052+5tqym4v3IOeSLUCL9gAd4L7NxsFTF2BklGq/MMX gmLXw0yMsYHp8IUok1BQScbo0xy+EJfEkqlbGeGFPNhB4YtCmb+187d0vvi782t1k5ZNoxT66pX8 uShqXbT8rN3ExmGPgDGiH/Q+cbY+dPd6Sbf0oAXpqGn1w+TwduOleoW9g4jRErIwJIE7yvpcK8S5 2vLJQlFp/eEx8ngIRaEPgbVTkWeWNsuLvFTWez7RUhTVeXrbPq2yictlXpf58mNcp9PlLqB1DSXN 
x2r6sXVgdj91fqvu8/mV+g8VFFIDqcQ8iIU7ygl1hy+ERUiZYgis0w0whNgPkQchS+v2QKpr8/OJ DlbO09u8G7WaO9OiVjCwmKlvcHQTpTITMr0sXn02d9Isq2q9/Wn22M2uNsAEioWPBZRr2Kf4xTfn K/9PJ0szvdxXF5A/ibbV+fJOaYluGDWE3U5HF9NpuDETiHFoUN7gCuMJlRg6V6zjyuWe7PXncArF 5nlaNjrxth2so3BwkmfFJG9WbwLSnTTB0DjFsmt3MppQxYOAkkhLNMi5VTkvGkcnhvSslaxa6GXj etGPeldxXFZMi2zVpaasRvXmdV7mtTIyH/VElmlxfadcUwNy08hjcYSgpMo6uVe0vlL0NDFQfBG5 zA0hM7Udq+FTP+BQVWDfQLmp7q5vnHnVrPSOcnLSef5Q1bfqBMVstlZNTqoBrZ58VDRcPir/aJIv dFStNFlmpgxSZaRzWM9jnd73eb1VR/rtIuu0VbZnO/Xn1OuJPs0HByrE3p5HdBzkRsNBof6/6qE0 EG8URkQKDGlk6+I9COl4D8sJdybNpApJZ9OPWmryCdDgNMz+UN3NJs6sqm6dWXGbGw2JkFj5Twj2 jG9KBYRwfdcbY+S0V7xsNiSCxGEUIwGFHdapBUMi/spT/r+HRLBYCCUBMKUTBMOQ5QY/JOKn5IQG rkSSQoVJH+TkZ8ZDUB8jj+AECNgDAsJ4iDeEur0zWjmE2YgKTALswcSWXojk60ZUUCykoh0seOoD 6X5iRAXliTL6R1lB3DP6mYyo8KOE+wnWtwrBt85rlQEnEhpBTqbQ/XPHiYsmq+7zerfB7gjLsljE FI3R3D5i7KhTijgGlrWOuJcwduDtr1mnwvXeIN0Qouu9dEY8vU+LWXo1G1oTwG496ZCokDaOrjla EcAAtkniiYiBS2YfpSZrZetMquxOr9/94DR32Y2mqS43/32Rl19iR1RlmWfLrW5uK5P2YrKHae0R FnEaa6oCra3Sel3K3JWWremtLK4vunuu6LZPqrv5AMB5KuDcO7mVe6yfrN4zkGfqCpoQWFthX541 Pg8smTcAUf185uSzbhF912C12snbtGspy2vFfL9+//0358eFFD6ioVEczIuFIAh0oHWZqa7+W9kx Xf+3c5s/NtpobZVfS9TuYyetoYP4RCRZZ/edomnujAxKn9Mo9MkYw5Q9E6Y/Lv6hULGctJrovtvm uxanJ5LUDpKtavWdi6rUAxjesWwdZlmPCd8LXCh/6gfLbno/B8GHg4jPGe0lJoiygIQwBmKDC9Lj Lhegyk7Gpkar/ngiXAZpP/toPST3du+kVg4yDE9Al8kadVNEMVayCHJoXw67CqAX9t+9uCFvOMI8 EEF6XmRuIFZuhBI3gl6MHoiV0eIgzsMIwSSO00mVWa0ccoM4gdmoG2VNPVeGFFofT8amwbnj8Oy2 rB5m+eS6zViY1F6g2I0wi8eYvzt8IdQjmEqYjWFfH+qcTHq3vKnqZj08oLjN9ZDf5U1adhvJ5u1M 71WcOXf+vZsBrv96+cwLOwLdMQ9jHEOLlnV6z9NiptMBbQXfaoTzl+RStgFaXZl01zS6VGWHqHae 4bNOc0zzfHKVZrdO1Z01q8osXxjxnI9RLDm4stZ5TtNxW+q2Tl7tocqX77+LDk/ar/iih6gVy0dn madzzZwGFCeSxtSFIKJ9iiuCFrXT3C0WVb08NyFdKH3iJmM0CA5fiBcHnqQcNObJtE2oqzL5b1wX 3ja6PKKt2TQy7wlSBg6DCUob1et5GAkC9YrWgfjy+bjlrM7Tpa4aKXOnzq+VHVjrLcOT1V+0Sm7y ez2KeVVfYgLfgevyJIIhzNYJXpTKdUtLJ/9T0VIb+msSm2hhGuNIklHO0jp8Icz1IuoHY4zbH0H2 
UAQxHmUi44idFjDiS6KfEy5EPzr2fC8kEoLSp1IF3fbUHXS3c5DDOslkrStsT7XBN932VGrSTOG7 ggfMh1H1JyLO1ZZPjLankpAKEkI65UTk6cn2VM/lJOajXFR++EKYZIglo6ztPXwhrp9gXyKIiNu1 B8JzdO6s8qZDsGo+/z7tvflyxPLqMkhisx7FuVjFPwzwFMdBErgcfLlNYDtJQpyE4MtZZuquTGOF H+uyi0NMvm2c1inVST4tyqLNYvQin1/tosphnvMpwgIRUFnWea6zVhVLbdhslbovaidVnnxWpIPZ 7DLJ52mdpdr6Njpv/xv7EEpCieQYXfLDF0KZJEHMMQCHbeB4ScJ6G7erBrIrLN6g2evAbDBW/PfH +VU1++TsdmEfMRiShPuBB1GQjdNPEAoDqh8dgBCA8CWj3HHivMnqYqEdBZMT27WNPm1LQ9vTFeW1 AUhgz42lhBKtrbWUuIIzXz8SgASAhAFIrAq4h4AQP350s2bWRefOP02SnB6jPHTJGPXm4QvxI6rT SxD+A4z42bODR9UTHlp7VMIACCn2AumKMUZSDl8IIzykLByj9dgrJgaP6m3spW91oeDvUbcGtL5V OnPumvR6t6jwsGgQ5VT5wof5cpvoi5QuIwxK5QArDLFiaI7V3kGtHOXVzh0iJBCJhNqObcsW9oNg lNN07PAsOHe2wGI0zt1XEyCkQSRj2Di5TQ0wPw4JhboBAEIDLHkXzt08LdNuepkBYLg8cl2Kx9jb fQRBY0EJR5A6A8AwBIx3nzrDJPI5R1CMuAFN6lISwgZGwIifPjt4Vz3hobV3xU2AkCWJnyTgXW1q CFjA4niUmqFXTAze1dvYS7xRN9zO1Wovu1y2Q7YMkMJLYiGxhMTZJskeBwGPMSTZe48U+2ZHP6Hk ddZInwgwglJLyXjM4zE2eR6+EIxoGLBRBtkssW547ullDpPJqkG6F8vEKufX/7h0hLr/+asmF1DP l5i4EKPduB1ECiwiyG5bNyYOTKBNJ5NuQMG0ms2qBz2l9L7bZNyuncifCIEB77uRokecQJW6dVKv AevcBLGI4K4nYZnTtsY4cWMyygn4PWPjPUOgr4GSFiBNztpHH6dM5/mnYcS376sXHTGDbfQupcog gf7TbRkSoUhIWBEAcGcGdwOLC+8P62oN3J2DH5EL3yexH0ACaePJBb4QCSSQ+g8UEBZ+WwK8/7Aw YzIK1A8Av7WXrA6NCZQagpX002eHMqKe8NC6jGgQ1LhfvhhaeNnpxTGJhDfKNXCHLwQlLIjjUQ7s 75UogtP7Vk7v3imtnGPX8W5/V6rldudoRwArcAP9EwBrfSEh9jlGCQAWANbLgjeSKXF+GEZ4jC7Z kQvxCE5wAHWbgBE/e3bwUXvCQwPzUV9FhiPohfwYcwg5bkOOAkccUf2ccCHtozMeMD7KScmHLwQz NxCSQ7HptgIRYT9kULxtV3u1e5Bh3fDxw9t1uLp1w8zEx3KpRwPivp8iiP8DAAD//+xdbXPjNpL+ Kyh/yCZVsgyA4JtzcS0JghvPjWdctmerrlL5QIuQhAxFaknKGu+vP4B6szRSBpO6NekjlKrYQ9ES 2N14+ulGo/GBL8/A8nJU/XJGi0UpeAk+yEsXV/91sbwsb8vm51z9lP+UN5aVSO9uy1/OIGSejRxy 1ryzviEu8rqSdyXVSIj9T5RXp0FefX31T756efmovrN+nvNfzubJhG/eXI1K3TAHS0Qu50mZXKdy UCFxHIvAs+Zqzb/U6qq7fqlva8avRr96bS/tPdLmYsTHySKr1TsuckNsb965PXj+tYDm9/VzxuU9 T0n2y9ltloj8QY5Bjfo/JqNW1ZMlVX3H85SXPL2V+glLnnxunra+us5rXua8Po/KZFyDvdcTH9VF 
WZ0X4/O6XFQH74IPxROfPcovxBDZ6uvqP1c7duyAQKYU3De1HxeIE7teEAeBEcgGGKzYZRGKDTC8 DjDU4Mssu6zmyUghd8krXj7xsys5t/emsxxiWRRjVqohrmB+Uiaz+zopN8JpYexXBQARr0blwVhb GYuY16LIdaTG8rRFmV2CfzagDooxeGgw/Y7/a8GrWgO/bd+GDsYGvzcCccMIE2r1Eb/bMd+/DFfV nGfZC7zqJp5pPUWr+HFKAVExWsx4vo8iHQXA334D9VRUIF2PGfz+uwb4kYhadgAtA34bbxA4MMYW MuD3WqaL4BCAez6SN9TPgBbyI2RIlyjiUem4b2J5yEPMWPAm2nAhRoGtBm4suFX3/TDl62SD4qWr XIOUyoKDm0/3D+CRg1H5PK8L6T7mUzFKsuwZSN9Syz/hKRC5hvW7TugxizpG2W0ruy4T+Wn14JC0 jYqZcsd3ST7hDRWTXyFU2gh3je8sKpFPwMP7e5BIGqFCUPHY2CH4LaS3yLd/H35FSV8+nWRAp56t sT8PYZ/tPdme9dD1R/ExL3k+atKth08vZ9RMjnkm8qL8VT34VgJfv7P3yJtxbj58b6Cbh2lDFVdH QEJj3mMGXUyJmfetz/t9QE/2KUuXxloVI5Eox7IU9RQk3x1ctjI7mvkwS8rPWqPtYhCpBs/LAUgk OtZyrtfLYmMtGvPcIVZgIxubed72PB8lpfwTqcNiwqUeS+UXkyME7rFYSE3P+Gia5KKagWoxmiqH muigOiXMt5DJvLWu7UpMcsV9UkkaVFiaVPI9FZJKChRs3v045/l1pELWXDpwIH99KD7zvJnqOuq2 I4ehiCmFGXV3Qd33wc37narlVJaOcrzIxiJb5dZK/q+FKLlikkMt8HYjnwVRD/V7XCAEWxGOXFMh 8Wr8CSEJWLfdWEt8SkZ/Ib9HICSM2n1MyB4XCHJZENqxbyZR214jfFZpEuk6BsfTfNWbqDcYyY9M DpKNJ4baxfhK5OOinDVwAhJJvmsVZWngCsa2FUbILPS0Po0W8te/yQBpIRUn2fZorUtFoqtV0kK5 CqnWpJZRWK7SLLMk5UrPJa8LHSYGkedDggzTbl3ZD0ppcsbyAZDhstTwXCJnpYAz+QpE18gE5kWt DEOF1zq6hg6zUC+XtDum63nZcL7zissPrcUTfwnWB/6mQwNXyLPJ504WSZlyhURNIkeSafYkI3yt tTnE7IA5cWgMsW1DVHnX5LFqFn4kuijMEWMxAkldl+JxUUumtqIOSeOMBuBzXiwznk6Uk0m0GQW0 w5j4Bng6wSjAVM7ZRy4n61RMpquV9WIsp7L0MKKqFmpSg6oui3wC6iZtNyoWWapue5IBqo6jwRS7 zOpjeqdj+p5JPnE8EFiZgpzEOVhKexB5rTaMpBLHr2tpBuCO0Y83N+xDxCINjbuBiwKfmNC7bY13 lzw0/qJ6rmo+U+YGJjznZZIpO2zscSZyMVvMNpuQQDKfZzLkeZR6rQt1h9hP1p0wRNv1iEWVyRlD bNvVyKC0UvAjPUuqwKaQPoQ/qRJckSfpEy9V9LIHT6moRllRLUo+1OEViEYIxV4PlX1cILZludh1 +1jy2Y71XyEsPea2eEonbQ/tGDNMqTHajdGi2CIRMWzxNY1WrX59WMHuE/8+A3Yj5jss7KOLPSEQ Gds6gSlFap9z/LZnvstOLisdH/yqYub3/6utbe3uubpPPksqX+5X+px6lHaHOgAfhgMQlkma8ecB eDdc1SPeDMG7IufVAJzt1zJp4KPFPBh52KyftQwHB9bXKaDavajK0KAhPBvs9dcgQw1Lc+IYEtrL ldoTnhgGFopds8OrfU98F1OMkP9mHfLv3++J2xj8lXJdOT+sY/uGq+0gZxiAe+l7z/6bP4NlUaYV 
From nobody Thu May 12 11:45:47 2016
From: Justin Richer
To: Julian White
Cc: Chris, vot@ietf.org
Date: Thu, 12 May 2016 13:45:29 -0500
Subject: Re: [VoT] Security Problem with Primary Credential Usage
Message-Id: <753DBE1F-3891-4BB6-811B-5B8682A81A28@mit.edu>
References: <1523279479.20160508222427@CryptoPhoto.com>

We explicitly left those kinds of things out of the vector as they'd really be related to the IdP itself and not the authentication transaction to which the VoT refers. In other words, the security of the IdP is related to the trust framework and assessment of the IdP and it can be published as part of the IdP's discovery documents and associated trust marks. This is information that is going to remain the same regardless of the transaction.

This is also part of why you need to have a trustmark context to interpret the VoT in.

— Justin

> On May 12, 2016, at 11:11 AM, Julian White wrote:
>
> Hi,
>
> I have a number of comments and questions (see attached), many of which are related to the issues raised by Chris, some maybe my misunderstanding coming in half way through the drafting though.
>
> I, like Chris, also think there needs to be something more explicit around the "security" of the IdP authentication which includes the measures to try and detect 'odd' things (like MITM). I would also go one step further in that I also want to know about the maturity of the IdP's "security"; it's of no use to me if they have really good credentials but store all the data in the clear on their website or have a load of administrative back-doors that could let anyone generate a valid authentication response.
>
> It feels like we need to do more work in this area.
>
> Regards,
>
> Julian.
>
> On 8 May 2016 at 13:24, Chris wrote:
> Hi All,
>
> I think there is a critical flaw in section 3.2 of https://tools.ietf.org/html/draft-richer-vectors-of-trust-02 (Primary Credential Usage)
>
> Mutual-authentication is missing. When no provision is made to prevent man-in-the-middle, credential harvesting, spoof, phishing, malware, or other common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce, Cf, and others equally untrustworthy.
>
> We should consider inclusion either for the overall strength of the authentication process, or some breakdown of either all the techniques used or the strength of protection employed to thwart at least common attack scenarios.
>
> This problem gets tricky quite fast:
>
> Do we identify the authentication technology vendor? (if yes - who works out their resistance strength to common attacks? what about different modes?)
> Do we broadly identify the techniques (whose opinions count as to whether or not the technique is effective and against what threats?)
> Do we identify or classify the threats and indicate which ones were mitigated (who should be trusted to decide if these really were mitigated?)
>
> For example - tamper-proof hardware digital certificate devices with biometric unlocks are totally useless if the user paid no attention to a broken SSL warning, or has malware. They're also equally useless in most corporate environments that use deep-packet inspection firewalls - and "unexpected certificates" (e.g. from DPI or malicious) carry their own privacy problems (e.g. passwords are not as "protected" as you think). Much more common authentication "protection" of course, are two-step or SMS one-time codes - which are equally useless when an end user can be tricked into revealing them to spoof sites.
>
> 91% of successful break-ins start from phishing. Right now, every vector is pointing one way - we need at least one "Vector of Trust" to point back the other way!
>
> How about a 5th vector - "S" for "Security", which somehow allows an RP a level of confidence in the protection afforded to the user's actual authentication process, in terms of (or at least considering) a wide range of (and all common) modern threats.
>
> Chris.
>
> _______________________________________________
> vot mailing list
> vot@ietf.org
> https://www.ietf.org/mailman/listinfo/vot
>
> <draft-richer-vectors-of-trust-02.docx>
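Justin's point above is that the vector describes the transaction while the IdP's security posture lives in the trustmark context the RP already trusts; the check below shows how an RP combines the two. It is an added example, not code from the draft or from any participant in this thread. It assumes the dot-separated component syntax (P, C, M, A, each followed by one value character) and the `vot`/`vtm` claim names from draft-richer-vectors-of-trust-02; the trustmark URL, the posture record attached to it, and the set of C levels treated as phishing-resistant are constructed for illustration.

```python
"""RP-side evaluation of a Vectors of Trust value against a trusted trustmark.

Added example (not from the draft or the list).  Assumed from the draft:
vector components are dot-separated, one letter (P, C, M, A) plus one value
character, carried in a `vot` claim with the trustmark URL in `vtm`.
Everything in TRUSTED_TRUSTMARKS is constructed for this example.
"""
import re

# Constructed registry of trustmarks this RP has decided to trust.  In a real
# deployment this comes from the RP's trust framework, never from the IdP's
# assertion, which is exactly why the vector alone cannot carry it.
TRUSTMARK_URL = "https://trustmark.example/vot-profile-2016"
TRUSTED_TRUSTMARKS = {
    TRUSTMARK_URL: {
        # Whether the assessor found the IdP's login flow mutually
        # authenticated (constructed value).
        "mutual_authentication": True,
        # C levels the assessor judged resistant to credential phishing
        # under this IdP's deployment (constructed set).
        "phishing_resistant_levels": {"Cd", "Ce", "Cf"},
    },
}

# RP policy: which primary credential levels are acceptable at all, and
# whether the RP insists that phishing resistance be attested.
STRICT_POLICY = {
    "accepted_levels": {"Cc", "Cd", "Ce", "Cf"},
    "require_phishing_resistance": True,
}

COMPONENT_RE = re.compile(r"^([PCMA])([0-9a-z])$")


def parse_vot(vot):
    """Split 'P1.Cc.Ab' into {'P': {'1'}, 'C': {'c'}, 'A': {'b'}}.

    A component letter may repeat (e.g. 'Cc.Ce' for two credentials used
    together).  Raises ValueError on any malformed component.
    """
    components = {}
    for part in vot.split("."):
        match = COMPONENT_RE.match(part)
        if not match:
            raise ValueError(f"malformed component {part!r} in {vot!r}")
        components.setdefault(match.group(1), set()).add(match.group(2))
    return components


def evaluate(vot, vtm, policy):
    """Return (accepted, reasons) for an assertion carrying `vot` and `vtm`.

    The vector says which credential level was used in this transaction;
    the trustmark says how the IdP protects that credential in general.
    Both are needed before the RP can accept.
    """
    posture = TRUSTED_TRUSTMARKS.get(vtm)
    if posture is None:
        return False, [f"trustmark {vtm!r} is not trusted; the vector has no meaning without it"]
    try:
        components = parse_vot(vot)
    except ValueError as exc:
        return False, [str(exc)]

    reasons = []
    c_levels = {"C" + value for value in components.get("C", set())}
    if not c_levels:
        reasons.append("no primary credential usage (C) component asserted")
    elif not c_levels & policy["accepted_levels"]:
        reasons.append(f"credential levels {sorted(c_levels)} are below RP policy")

    if policy.get("require_phishing_resistance"):
        if not posture["mutual_authentication"]:
            reasons.append("trustmark does not attest mutual authentication at the IdP")
        # At least one of the credentials used must be one the assessor
        # judged phishing-resistant for this IdP.
        if c_levels and not c_levels & posture["phishing_resistant_levels"]:
            reasons.append("no asserted credential level is phishing-resistant under this trustmark")
    return not reasons, reasons


if __name__ == "__main__":
    for sample in ("P1.Cc.Ab", "P1.Ce.Ab", "P1.Cc.Ce.Ab", "C0", "P1.Ab"):
        print(sample, evaluate(sample, TRUSTMARK_URL, STRICT_POLICY))
```

The same vector is rejected or accepted depending on which trustmark is named: a password login (Cc) passes an RP that only requires an accepted level, but fails one that requires attested phishing resistance, and any vector presented under an unknown `vtm` is rejected outright.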
From nobody Thu May 12 11:49:22 2016
Date: Thu, 12 May 2016 19:49:16 +0100
From: Julian White <jwhite@nu-d.com>
To: Justin Richer <jricher@mit.edu>
Cc: Chris <cnd@geek.net.au>, vot@ietf.org
Subject: Re: [VoT] Security Problem with Primary Credential Usage
In-Reply-To: <753DBE1F-3891-4BB6-811B-5B8682A81A28@mit.edu>
References: <1523279479.20160508222427@CryptoPhoto.com> <753DBE1F-3891-4BB6-811B-5B8682A81A28@mit.edu>

That makes sense, though that didn't come across in the description of the trustmark.

Julian

On 12 May 2016 19:45, "Justin Richer" <jricher@mit.edu> wrote:
> We explicitly left those kinds of things out of the vector as they'd really be related to the IdP itself and not the authentication transaction to which the VoT refers. In other words, the security of the IdP is related to the trust framework and assessment of the IdP and it can be published as part of the IdP's discovery documents and associated trust marks. This is information that is going to remain the same regardless of the transaction.
>
> This is also part of why you need to have a trustmark context to interpret the VoT in.
>
> — Justin


From nobody Thu May 12 17:57:53 2016
Date: Fri, 13 May 2016 10:57:43 +1000
From: Chris <cnd@geek.net.au>
Message-ID: <1437417178.20160513105743@CryptoPhoto.com>
To: Julian White <jwhite@nu-d.com>
Cc: vot@ietf.org, Justin Richer <jricher@mit.edu>
Subject: Re: [VoT] Security Problem with Primary Credential Usage
References: <1523279479.20160508222427@CryptoPhoto.com> <753DBE1F-3891-4BB6-811B-5B8682A81A28@mit.edu>

Hi All,

I think this is unreasonable.

Trust is a two-way street.

The standard will be more-or-less useless to everyone when half of the necessary trust system is excluded/out-of-scope.

Decisions related to trust need technical data. If I'm relying on an IdP - it makes a difference if the user typed a 4-digit PIN over HTTP, as opposed to using a biometric multi-factor auth over TLS with HSTS & Pinning with included anti-spoof and anti-malware protection. "What went on" absolutely needs technical inclusion.

Kind Regards,
Chris Drake

Friday, May 13, 2016, 4:49:16 AM, you wrote:
> That makes sense, though that didn't come across in the description of the trustmark.
>
> Julian



From nobody Thu May 12 20:16:05 2016
Date: Thu, 12 May 2016 22:15:48 -0500
From: Justin Richer <jricher@mit.edu>
Message-ID: <9f0l9pjqwg761iv3j87gea9x.1463109348211@email.android.com>
To: Chris <cnd@geek.net.au>, Julian White <jwhite@nu-d.com>
Cc: vot@ietf.org
Subject: Re: [VoT] Security Problem with Primary Credential Usage

I agree it's necessary, which is why it is included, but in the trustmark and not the vector. This is information that needs to be backed by a verified source and not just the word of the IdP.
It just doesn't make sense to include it in every transaction if you ask me. However, you're free to define a vector component that carries this.

--Justin

Sent from my phone

-------- Original message --------
From: Chris <cnd@geek.net.au>
Date: 5/12/16 7:57 PM (GMT-06:00)
To: Julian White <jwhite@nu-d.com>
Cc: Justin Richer <jricher@mit.edu>, vot@ietf.org
Subject: Re: [VoT] Security Problem with Primary Credential Usage

> Hi All,
>
> I think this is unreasonable.
>
> Trust is a two-way street.
>
> The standard will be more-or-less useless to everyone when half of the necessary trust system is excluded/out-of-scope.
>
> Decisions related to trust need technical data. If I'm relying on an IdP - it makes a difference if the user typed a 4-digit PIN over HTTP, as opposed to using a biometric multi-factor auth over TLS with HSTS & Pinning with included anti-spoof and anti-malware protection. "What went on" absolutely needs technical inclusion.
>
> Kind Regards,
> Chris Drake
IG9uZSB0aW1lIGNvZGVzIC0gd2hpY2ggYXJlIGVxdWFsbHkgdXNlbGVzcyB3aGVuIGFuIGVuZCB1 c2VyIGNhbiBiZSB0cmlja2VkIGludG8gcmV2ZWFsaW5nIHRoZW0gdG8gc3Bvb2Ygc2l0ZXMuCgoK CjkxJSBvZiBzdWNjZXNzZnVsIGJyZWFrLWlucyBzdGFydCBmcm9tIHBoaXNoaW5nLiDCoFJpZ2h0 IG5vdywgZXZlcnkgdmVjdG9yIGlzIHBvaW50aW5nIG9uZSB3YXkgLSB3ZSBuZWVkIGF0IGxlYXN0 IG9uZSAiVmVjdG9yIG9mIFRydXN0IiB0byBwb2ludCBiYWNrIHRoZSBvdGhlciB3YXkhIMKgCgoK CkhvdyBhYm91dCBhIDV0aCB2ZWN0b3IgLSAiUyIgZm9yICJTZWN1cml0eSIsIHdoaWNoIHNvbWVo b3cgYWxsb3dzIGFuIFJQIGEgbGV2ZWwgb2YgY29uZmlkZW5jZSBpbiB0aGUgcHJvdGVjdGlvbiBh ZmZvcmRlZCB0byB0aGUgdXNlcidzIGFjdHVhbCBhdXRoZW50aWNhdGlvbiBwcm9jZXNzLCBpbiB0 ZXJtcyBvZiAob3IgYXQgbGVhc3QgY29uc2lkZXJpbmcpIGEgd2lkZSByYW5nZSBvZiAoYW5kIGFs bCBjb21tb24pIG1vZGVybiB0aHJlYXRzLgoKCgpDaHJpcy4KCgoKX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX18KCnZvdCBtYWlsaW5nIGxpc3QKCnZvdEBpZXRm Lm9yZwoKaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby92b3QKCgoKPGRyYWZ0 LXJpY2hlci12ZWN0b3JzLW9mLXRydXN0LTAyLmRvY3g+X19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX18KCnZvdCBtYWlsaW5nIGxpc3QKCnZvdEBpZXRmLm9yZwoK aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby92b3QKCgoKCgoKCg== ----_com.samsung.android.email_522018482281290 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: base64 PGh0bWw+PGhlYWQ+PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0 L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPjwvaGVhZD48Ym9keT48ZGl2PkkgYWdyZWUgaXQncyBuZWNl c3NhcnksIHdoaWNoIGlzIHdoeSBJdCBpcyBpbmNsdWRlZCwgYnV0IGluIHRoZSB0cnVzdG1hcmsg YW5kIG5vdCB0aGUgdmVjdG9yLiBUaGlzIGlzIGluZm9ybWF0aW9uIHRoYXQgbmVlZHMgdG8gYmUg YmFja2VkIGJ5IGEgdmVyaWZpZWQgc291cmNlIGFuZCBub3QganVzdCB0aGUgd29yZCBvZiB0aGUg aWRwLiZuYnNwOzwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXY+SXQganVzdCBkb2Vzbid0IG1ha2Ug c2Vuc2UgdG8gaW5jbHVkZSBpdCBpbiBldmVyeSB0cmFuc2FjdGlvbiBpZiB5b3UgYXNrIG1lLiBI b3dldmVyLCB5b3UncmUgZnJlZSB0byBkZWZpbmUgYSB2ZWN0b3IgY29tcG9uZW50IHRoYXQgY2Fy cmllcyB0aGlzLiZuYnNwOzwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXYgaWQ9ImNvbXBvc2VyX3Np 
Z25hdHVyZSI+PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0 bWw7IGNoYXJzZXQ9VVRGLTgiPjxkaXYgc3R5bGU9ImZvbnQtc2l6ZTo4NSU7Y29sb3I6IzU3NTc1 NyI+LS1KdXN0aW48L2Rpdj48ZGl2IHN0eWxlPSJmb250LXNpemU6ODUlO2NvbG9yOiM1NzU3NTci Pjxicj48L2Rpdj48ZGl2IHN0eWxlPSJmb250LXNpemU6ODUlO2NvbG9yOiM1NzU3NTciPiZuYnNw OzxpPlNlbnQgZnJvbSBteSBwaG9uZTwvaT48L2Rpdj48L2Rpdj48ZGl2Pjxicj48L2Rpdj48ZGl2 IHN0eWxlPSJmb250LXNpemU6MTAwJTtjb2xvcjojMDAwMDAwIj48IS0tIG9yaWdpbmFsTWVzc2Fn ZSAtLT48ZGl2Pi0tLS0tLS0tIE9yaWdpbmFsIG1lc3NhZ2UgLS0tLS0tLS08L2Rpdj48ZGl2PkZy b206IENocmlzICZsdDtjbmRAZ2Vlay5uZXQuYXUmZ3Q7IDwvZGl2PjxkaXY+RGF0ZTogNS8xMi8x NiAgNzo1NyBQTSAgKEdNVC0wNjowMCkgPC9kaXY+PGRpdj5UbzogSnVsaWFuIFdoaXRlICZsdDtq d2hpdGVAbnUtZC5jb20mZ3Q7IDwvZGl2PjxkaXY+Q2M6IEp1c3RpbiBSaWNoZXIgJmx0O2pyaWNo ZXJAbWl0LmVkdSZndDssIHZvdEBpZXRmLm9yZyA8L2Rpdj48ZGl2PlN1YmplY3Q6IFJlOiBbVm9U XSBTZWN1cml0eSBQcm9ibGVtIHdpdGggUHJpbWFyeSBDcmVkZW50aWFsIFVzYWdlIDwvZGl2Pjxk aXY+PGJyPjwvZGl2PjwvZGl2Pgo8c3BhbiBzdHlsZT0iIGZvbnQtZmFtaWx5OidDYWxpYnJpJzsg Zm9udC1zaXplOiAxMnB0OyI+SGkgQWxsLDxicj4KPGJyPgpJIHRoaW5rIHRoaXMgaXMgdW5yZWFz b25hYmxlLjxicj4KPGJyPgpUcnVzdCBpcyBhIHR3by13YXkgc3RyZWV0Ljxicj4KPGJyPgpUaGUg c3RhbmRhcmQgd2lsbCBiZSBtb3JlLW9yLWxlc3MgdXNlbGVzcyB0byBldmVyeW9uZSB3aGVuIGhh bGYgb2YgdGhlIG5lY2Vzc2FyeSB0cnVzdCBzeXN0ZW0gaXMgZXhjbHVkZWQvb3V0LW9mLXNjb3Bl Ljxicj4KPGJyPgpEZWNpc2lvbnMgcmVsYXRlZCB0byB0cnVzdCBuZWVkIHRlY2huaWNhbCBkYXRh LiAmbmJzcDtJZiBJJ20gcmVseWluZyBvbiBhbiBJZFAgLSBpdCBtYWtlcyBhIGRpZmZlcmVuY2Ug aWYgdGhlIHVzZXIgdHlwZWQgYSA0IGRpZ2l0IFBJTiBvdmVyIEhUVFAsIGFzIG9wcG9zZWQgdG8g dXNpbmcgYSBiaW9tZXRyaWMgbXVsdGktZmFjdG9yIGF1dGggb3ZlciBUTFMgd2l0aCBIU1RTICZh bXA7IFBpbm5pbmcgd2l0aCBpbmNsdWRlZCBhbnRpLXNwb29mIGFuZCBhbnRpLW1hbHdhcmUgcHJv dGVjdGlvbi4gJm5ic3A7IldoYXQgd2VudCBvbiIgYWJzb2x1dGVseSBuZWVkcyB0ZWNobmljYWwg aW5jbHVzaW9uLjxicj4KPGJyPgpLaW5kIFJlZ2FyZHMsPGJyPgpDaHJpcyBEcmFrZTxicj4KPGJy Pgo8YnI+CkZyaWRheSwgTWF5IDEzLCAyMDE2LCA0OjQ5OjE2IEFNLCB5b3Ugd3JvdGU6PGJyPgo8 
YnI+Cjwvc3Bhbj48dGFibGU+Cjx0Ym9keT48dHI+Cjx0ZCB3aWR0aD0iMiIgYmdjb2xvcj0iIzAw MDBmZiI+PGJyPgo8L3RkPgo8dGQ+PHNwYW4gc3R5bGU9IiBmb250LWZhbWlseTonY2FsaWJyaSc7 IGZvbnQtc2l6ZTogMTJwdDsiPlRoYXQgbWFrZXMgc2Vuc2UsIHRobyB0aGF0IGRpZG4ndCBjb21l IGFjcm9zcyBpbiB0aGUgZGVzY3JpcHRpb24gb2YgdGhlIHRydXN0bWFyay48YnI+Ckp1bGlhbjxi cj4KT24gMTIgTWF5IDIwMTYgMTk6NDUsICJKdXN0aW4gUmljaGVyIiAmbHQ7PC9zcGFuPjxhIHN0 eWxlPSIgZm9udC1mYW1pbHk6J2NhbGlicmknOyBmb250LXNpemU6IDEycHQ7IiBocmVmPSJtYWls dG86anJpY2hlckBtaXQuZWR1Ij5qcmljaGVyQG1pdC5lZHU8L2E+PHNwYW4gc3R5bGU9IiBmb250 LWZhbWlseTonY2FsaWJyaSc7IGZvbnQtc2l6ZTogMTJwdDsiPiZndDsgd3JvdGU6PGJyPgpXZSBl eHBsaWNpdGx5IGxlZnQgdGhvc2Uga2luZHMgb2YgdGhpbmdzIG91dCBvZiB0aGUgdmVjdG9yIGFz IHRoZXnigJlkIHJlYWxseSBiZSByZWxhdGVkIHRvIHRoZSBJZFAgaXRzZWxmIGFuZCBub3QgdGhl IGF1dGhlbnRpY2F0aW9uIHRyYW5zYWN0aW9uIHRvIHdoaWNoIHRoZSBWb1QgcmVmZXJzLiBJbiBv dGhlciB3b3JkcywgdGhlIHNlY3VyaXR5IG9mIHRoZSBJZFAgaXMgcmVsYXRlZCB0byB0aGUgdHJ1 c3QgZnJhbWV3b3JrIGFuZCBhc3Nlc3NtZW50IG9mIHRoZSBJZFAgYW5kIGl0IGNhbiBiZSBwdWJs aXNoZWQgYXMgcGFydCBvZiB0aGUgSWRQ4oCZcyBkaXNjb3ZlcnkgZG9jdW1lbnRzIGFuZCBhc3Nv Y2lhdGVkIHRydXN0IG1hcmtzLiBUaGlzIGlzIGluZm9ybWF0aW9uIHRoYXQgaXMgZ29pbmcgdG8g cmVtYWluIHRoZSBzYW1lIHJlZ2FyZGxlc3Mgb2YgdGhlIHRyYW5zYWN0aW9uLiA8YnI+Cjxicj4K VGhpcyBpcyBhbHNvIHBhcnQgb2Ygd2h5IHlvdSBuZWVkIHRvIGhhdmUgYSB0cnVzdG1hcmsgY29u dGV4dCB0byBpbnRlcnByZXQgdGhlIFZvVCBpbi48YnI+Cjxicj4KIOKAlCBKdXN0aW48YnI+Cjxi cj4KT24gTWF5IDEyLCAyMDE2LCBhdCAxMToxMSBBTSwgSnVsaWFuIFdoaXRlICZsdDs8L3NwYW4+ PGEgc3R5bGU9IiBmb250LWZhbWlseTonY2FsaWJyaSc7IGZvbnQtc2l6ZTogMTJwdDsiIGhyZWY9 Im1haWx0bzpqd2hpdGVAbnUtZC5jb20iPmp3aGl0ZUBudS1kLmNvbTwvYT48c3BhbiBzdHlsZT0i IGZvbnQtZmFtaWx5OidjYWxpYnJpJzsgZm9udC1zaXplOiAxMnB0OyI+Jmd0OyB3cm90ZTo8YnI+ Cjxicj4KSGksPGJyPgo8YnI+CkkgaGF2ZSBhIG51bWJlciBvZiBjb21tZW50cyBhbmQgcXVlc3Rp b25zIChzZWUgYXR0YWNoZWQpLCBtYW55IG9mIHdoaWNoIGFyZSByZWxhdGVkIHRvIHRoZSBpc3N1 ZXMgcmFpc2VkIGJ5IENocmlzLCBzb21lIG1heWJlIG15IG1pc3VuZGVyc3RhbmRpbmcgY29taW5n 
IGluIGhhbGYgd2F5IHRocm91Z2ggdGhlIGRyYWZ0aW5nIHRoby48YnI+Cjxicj4KSSwgbGlrZSBD aHJpcywgYWxzbyB0aGluayB0aGVyZSBuZWVkcyB0byBiZSBzb21ldGhpbmcgbW9yZSBleHBsaWNp dCBhcm91bmQgdGhlICJzZWN1cml0eSIgb2YgdGhlIElkUCBhdXRoZW50aWNhdGlvbiB3aGljaCBp bmNsdWRlcyB0aGUgbWVhc3VyZXMgdG8gdHJ5IGFuZCBkZXRlY3QgJ29kZCcgdGhpbmdzIChsaWtl IE1JVE0pLiBJIHdvdWxkIGFsc28gZ28gb25lIHN0ZXAgZnVydGhlciBpbiB0aGF0IEkgYWxzbyB3 YW50IHRvIGtub3cgYWJvdXQgdGhlIG1hdHVyaXR5IG9mIHRoZSBJZFAncyAic2VjdXJpdHkiLCBp dHMgb2Ygbm8gdXNlIHRvIG1lIGlmIHRoZXkgaGF2ZSByZWFsbHkgZ29vZCBjcmVkZW50aWFscyBi dXQgc3RvcmUgYWxsIHRoZSBkYXRhIGluIHRoZSBjbGVhciBvbiB0aGVpciB3ZWJzaXRlIG9yIGhh dmUgYSBsb2FkIG9mIGFkbWluaXN0cmF0aXZlIGJhY2stZG9vcnMgdGhhdCBjb3VsZCBsZXQgYW55 b25lIGdlbmVyYXRlIGEgdmFsaWQgYXV0aGVudGljYXRpb24gcmVzcG9uc2UuPGJyPgo8YnI+Ckl0 IGZlZWxzIGxpa2Ugd2UgbmVlZCB0byBkbyBtb3JlIHdvcmsgaW4gdGhpcyBhcmVhLjxicj4KPGJy PgpSZWdhcmRzLDxicj4KPGJyPgpKdWxpYW4uPGJyPgo8YnI+Ck9uIDggTWF5IDIwMTYgYXQgMTM6 MjQsIENocmlzICZsdDs8L3NwYW4+PGEgc3R5bGU9IiBmb250LWZhbWlseTonY2FsaWJyaSc7IGZv bnQtc2l6ZTogMTJwdDsiIGhyZWY9Im1haWx0bzpjbmRAZ2Vlay5uZXQuYXUiPmNuZEBnZWVrLm5l dC5hdTwvYT48c3BhbiBzdHlsZT0iIGZvbnQtZmFtaWx5OidjYWxpYnJpJzsgZm9udC1zaXplOiAx MnB0OyI+Jmd0OyB3cm90ZTo8YnI+CkhpIEFsbCw8YnI+Cjxicj4KSSB0aGluayB0aGVyZSBpcyBh IGNyaXRpY2FsIGZsYXcgaW4gc2VjdGlvbiAzLjIgb2YgPC9zcGFuPjxhIHN0eWxlPSIgZm9udC1m YW1pbHk6J2NhbGlicmknOyBmb250LXNpemU6IDEycHQ7IiBocmVmPSJodHRwczovL3Rvb2xzLmll dGYub3JnL2h0bWwvZHJhZnQtcmljaGVyLXZlY3RvcnMtb2YtdHJ1c3QtMDIiPmh0dHBzOi8vdG9v bHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1yaWNoZXItdmVjdG9ycy1vZi10cnVzdC0wMjwvYT48c3Bh biBzdHlsZT0iIGZvbnQtZmFtaWx5OidjYWxpYnJpJzsgZm9udC1zaXplOiAxMnB0OyI+IChQcmlt YXJ5IENyZWRlbnRpYWwgVXNhZ2UpPGJyPgo8YnI+Ck11dHVhbC1hdXRoZW50aWNhdGlvbiBpcyBt aXNzaW5nLiAmbmJzcDtXaGVuIG5vIHByb3Zpc2lvbiBpcyBtYWRlIHRvIHByZXZlbnQgbWFuLWlu LXRoZS1taWRkbGUsIGNyZWRlbnRpYWwgaGFydmVzdGluZywgc3Bvb2YsIHBoaXNoaW5nLCBtYWx3 YXJlLCBvciBvdGhlciBjb21tb24gdGhyZWF0cywgdGhpcyByZW5kZXJzIGFsbCBwb3NzaWJsZSB2 
ZWN0b3JzIEMwLCBDYSwgQ2IsIENkLCBDZSwgQ2YsIGFuZCBvdGhlcnMgPGI+ZXF1YWxseTwvYj4g dW50cnVzdHdvcnRoeS48YnI+Cjxicj4KV2Ugc2hvdWxkIGNvbnNpZGVyIGluY2x1c2lvbiBlaXRo ZXIgZm9yIHRoZSBvdmVyYWxsIHN0cmVuZ3RoIG9mIHRoZSBhdXRoZW50aWNhdGlvbiBwcm9jZXNz LCBvciBzb21lIGJyZWFrZG93biBvZiBlaXRoZXIgYWxsIHRoZSB0ZWNobmlxdWVzIHVzZWQgb3Ig dGhlIHN0cmVuZ3RoIG9mIHByb3RlY3Rpb24gZW1wbG95ZWQgdG8gdGh3YXJ0IGF0IGxlYXN0IGNv bW1vbiBhdHRhY2sgc2NlbmFyaW9zLjxicj4KPGJyPgpUaGlzIHByb2JsZW0gZ2V0cyB0cmlja3kg cXVpdGUgZmFzdDo8YnI+Cjxicj4KRG8gd2UgaWRlbnRpZnkgdGhlIGF1dGhlbnRpY2F0aW9uIHRl Y2hub2xvZ3kgdmVuZG9yPyAoaWYgeWVzIC0gd2hvIHdvcmtzIG91dCB0aGVpciByZXNpc3RhbmNl IHN0cmVuZ3RoIHRvIGNvbW1vbiBhdHRhY2tzPyAmbmJzcDt3aGF0IGFib3V0IGRpZmZlcmVudCBt b2Rlcz8pPGJyPgpEbyB3ZSBicm9hZGx5IGlkZW50aWZ5IHRoZSB0ZWNobmlxdWVzICh3aG9zIG9w aW5pb25zIGNvdW50IGFzIHRvIHdoZXRoZXIgb3Igbm90IHRoZSB0ZWNobmlxdWUgaXMgZWZmZWN0 aXZlIGFuZCBhZ2FpbnN0IHdoYXQgdGhyZWF0cz8pPGJyPgpEbyB3ZSBpZGVudGlmeSBvciBjbGFz c2lmeSB0aGUgdGhyZWF0cyBhbmQgaW5kaWNhdGUgd2hpY2ggb25lcyB3ZXJlIG1pdGlnYXRlZCAo d2hvIHNob3VsZCBiZSB0cnVzdGVkIHRvIGRlY2lkZSBpZiB0aGVzZSByZWFsbHkgd2VyZSBtaXRp Z2F0ZWQ/KTxicj4KPGJyPgpGb3IgZXhhbXBsZSAtIHRhbXBlci1wcm9vZiBoYXJkd2FyZSBkaWdp dGFsIGNlcnRpZmljYXRlIGRldmljZXMgd2l0aCBiaW9tZXRyaWNzIHVubG9ja3MgYXJlIHRvdGFs bHkgdXNlbGVzcywgaWYgdGhlIHVzZXIgcGFpZCBubyBhdHRlbnRpb24gdG8gYSBicm9rZW4gU1NM IHdhcm5pbmcsIG9yIGhhcyBtYWx3YXJlLiAmbmJzcDtUaGV5J3JlIGFsc28gZXF1YWxseSB1c2Vs ZXNzIGluIG1vc3QgY29ycG9yYXRlIGVudmlyb25tZW50cyB0aGF0IHVzZSBkZWVwLXBhY2tldCBp bnNwZWN0aW9uIGZpcmV3YWxscyAtIGFuZCAidW5leHBlY3RlZCBjZXJ0aWZpY2F0ZXMiIChlZy4g ZnJvbSBEUEkgb3IgbWFsaWNpb3VzKSBjYXJyeSB0aGVpciBvd24gcHJpdmFjeSBwcm9ibGVtcyAo ZWc6IHBhc3N3b3JkcyBhcmUgbm90IGFzICJwcm90ZWN0ZWQiIGFzIHlvdSB0aGluaykuICZuYnNw O011Y2ggbW9yZSBjb21tb24gYXV0aGVudGljYXRpb24gInByb3RlY3Rpb24iIG9mIGNvdXJzZSwg YXJlIHR3by1zdGVwIG9yIHNtcyBvbmUgdGltZSBjb2RlcyAtIHdoaWNoIGFyZSBlcXVhbGx5IHVz ZWxlc3Mgd2hlbiBhbiBlbmQgdXNlciBjYW4gYmUgdHJpY2tlZCBpbnRvIHJldmVhbGluZyB0aGVt 
IHRvIHNwb29mIHNpdGVzLjxicj4KPGJyPgo5MSUgb2Ygc3VjY2Vzc2Z1bCBicmVhay1pbnMgc3Rh cnQgZnJvbSBwaGlzaGluZy4gJm5ic3A7UmlnaHQgbm93LCBldmVyeSB2ZWN0b3IgaXMgcG9pbnRp bmcgb25lIHdheSAtIHdlIG5lZWQgYXQgbGVhc3Qgb25lICJWZWN0b3Igb2YgVHJ1c3QiIHRvIHBv aW50IDxiPmJhY2s8L2I+IHRoZSBvdGhlciB3YXkhICZuYnNwOzxicj4KPGJyPgpIb3cgYWJvdXQg YSA1dGggdmVjdG9yIC0gIlMiIGZvciAiU2VjdXJpdHkiLCB3aGljaCBzb21laG93IGFsbG93cyBh biBSUCBhIGxldmVsIG9mIGNvbmZpZGVuY2UgaW4gdGhlIHByb3RlY3Rpb24gYWZmb3JkZWQgdG8g dGhlIHVzZXIncyBhY3R1YWwgYXV0aGVudGljYXRpb24gcHJvY2VzcywgaW4gdGVybXMgb2YgKG9y IGF0IGxlYXN0IGNvbnNpZGVyaW5nKSBhIHdpZGUgcmFuZ2Ugb2YgKGFuZCBhbGwgY29tbW9uKSBt b2Rlcm4gdGhyZWF0cy48YnI+Cjxicj4KPHNwYW4gc3R5bGU9IiBjb2xvcjogIzg4ODg4ODsiPkNo cmlzLjxicj4KPGJyPgo8c3BhbiBzdHlsZT0iIGNvbG9yOiAjMDAwMDAwOyI+X19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188YnI+CnZvdCBtYWlsaW5nIGxpc3Q8 YnI+Cjwvc3Bhbj48L3NwYW4+PC9zcGFuPjxhIHN0eWxlPSIgZm9udC1mYW1pbHk6J2NhbGlicmkn OyBmb250LXNpemU6IDEycHQ7IiBocmVmPSJtYWlsdG86dm90QGlldGYub3JnIj52b3RAaWV0Zi5v cmc8L2E+PGJyPgo8YSBzdHlsZT0iIGZvbnQtZmFtaWx5OidjYWxpYnJpJzsgZm9udC1zaXplOiAx MnB0OyIgaHJlZj0iaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby92b3QiPmh0 dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vdm90PC9hPjxicj4KPGJyPgo8c3Bh biBzdHlsZT0iIGZvbnQtZmFtaWx5OidjYWxpYnJpJzsgZm9udC1zaXplOiAxMnB0OyI+Jmx0O2Ry YWZ0LXJpY2hlci12ZWN0b3JzLW9mLXRydXN0LTAyLmRvY3gmZ3Q7X19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX188YnI+CnZvdCBtYWlsaW5nIGxpc3Q8YnI+Cjwv c3Bhbj48YSBzdHlsZT0iIGZvbnQtZmFtaWx5OidjYWxpYnJpJzsgZm9udC1zaXplOiAxMnB0OyIg aHJlZj0ibWFpbHRvOnZvdEBpZXRmLm9yZyI+dm90QGlldGYub3JnPC9hPjxicj4KPGEgc3R5bGU9 IiBmb250LWZhbWlseTonY2FsaWJyaSc7IGZvbnQtc2l6ZTogMTJwdDsiIGhyZWY9Imh0dHBzOi8v d3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vdm90Ij5odHRwczovL3d3dy5pZXRmLm9yZy9t YWlsbWFuL2xpc3RpbmZvL3ZvdDwvYT48L3RkPgo8L3RyPgo8L3Rib2R5PjwvdGFibGU+Cjxicj48 YnI+Cjxicj4KPC9ib2R5PjwvaHRtbD4= ----_com.samsung.android.email_522018482281290-- From nobody Fri May 13 00:53:21 2016 Return-Path: X-Original-To: 
From: Julian White
Date: Fri, 13 May 2016 08:52:55 +0100
To: Justin Richer
Cc: Chris, vot@ietf.org
Subject: Re: [VoT] Security Problem with Primary Credential Usage
References: <1523279479.20160508222427@CryptoPhoto.com> <753DBE1F-3891-4BB6-811B-5B8682A81A28@mit.edu>

Justin,

For my own clarity, can the RP pass a request for a specific trustmark, or a list of trustmarks that it will accept? The text seems to imply that they will get whatever trustmark the IdP sends and have to make a decision based on that each time. In reality, since the evaluation of the trustmark is a cumbersome manual process, I suspect RPs will whitelist trustmarks that they will accept, so then it seems inefficient for an IdP to return a response under a trustmark the RP won't accept.

Thanks,

Julian.

On 12 May 2016 at 19:49, Julian White wrote:
> That makes sense, tho that didn't come across in the description of the trustmark.
>
> Julian
>
> On 12 May 2016 19:45, "Justin Richer" wrote:
>
>> We explicitly left those kinds of things out of the vector as they'd really be related to the IdP itself and not the authentication transaction to which the VoT refers. In other words, the security of the IdP is related to the trust framework and assessment of the IdP and it can be published as part of the IdP's discovery documents and associated trust marks. This is information that is going to remain the same regardless of the transaction.
>>
>> This is also part of why you need to have a trustmark context to interpret the VoT in.
>>
>> — Justin
>>
>> On May 12, 2016, at 11:11 AM, Julian White wrote:
>>
>> Hi,
>>
>> I have a number of comments and questions (see attached), many of which are related to the issues raised by Chris, some maybe my misunderstanding coming in half way through the drafting tho.
>>
>> I, like Chris, also think there needs to be something more explicit around the "security" of the IdP authentication which includes the measures to try and detect 'odd' things (like MITM). I would also go one step further in that I also want to know about the maturity of the IdP's "security"; it's of no use to me if they have really good credentials but store all the data in the clear on their website or have a load of administrative back-doors that could let anyone generate a valid authentication response.
>>
>> It feels like we need to do more work in this area.
>>
>> Regards,
>>
>> Julian.
>>
>> On 8 May 2016 at 13:24, Chris wrote:
>>
>>> Hi All,
>>>
>>> I think there is a critical flaw in section 3.2 of https://tools.ietf.org/html/draft-richer-vectors-of-trust-02 (Primary Credential Usage)
>>>
>>> Mutual-authentication is missing. When no provision is made to prevent man-in-the-middle, credential harvesting, spoof, phishing, malware, or other common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce, Cf, and others *equally* untrustworthy.
>>>
>>> We should consider inclusion either for the overall strength of the authentication process, or some breakdown of either all the techniques used or the strength of protection employed to thwart at least common attack scenarios.
>>>
>>> This problem gets tricky quite fast:
>>>
>>> Do we identify the authentication technology vendor? (if yes - who works out their resistance strength to common attacks? what about different modes?)
>>> Do we broadly identify the techniques (whose opinions count as to whether or not the technique is effective and against what threats?)
>>> Do we identify or classify the threats and indicate which ones were mitigated (who should be trusted to decide if these really were mitigated?)
>>>
>>> For example - tamper-proof hardware digital certificate devices with biometric unlocks are totally useless if the user paid no attention to a broken SSL warning, or has malware. They're also equally useless in most corporate environments that use deep-packet inspection firewalls - and "unexpected certificates" (eg. from DPI or malicious) carry their own privacy problems (eg: passwords are not as "protected" as you think). Much more common authentication "protection", of course, are two-step or SMS one-time codes - which are equally useless when an end user can be tricked into revealing them to spoof sites.
>>>
>>> 91% of successful break-ins start from phishing. Right now, every vector is pointing one way - we need at least one "Vector of Trust" to point *back* the other way!
>>>
>>> How about a 5th vector - "S" for "Security", which somehow allows an RP a level of confidence in the protection afforded to the user's actual authentication process, in terms of (or at least considering) a wide range of (and all common) modern threats.
>>>
>>> Chris.
>>>
>>> _______________________________________________
>>> vot mailing list
>>> vot@ietf.org
>>> https://www.ietf.org/mailman/listinfo/vot
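The point Chris makes in the mail quoted above (and returns to in his next reply) is that an IdP which only checks a secret the user can read and type cannot tell the genuine user from a phishing proxy relaying that secret, so every C value is reported the same way for a relayed session as for a real one. The following is an added illustration of that, written for this thread; it is not code from the VoT draft or from any of the participants. The origins (`https://idp.example`, `https://idp-login.example`), the user name and the keys are constructed for the example, and an HMAC key stands in for the signing key of a real origin-bound authenticator (the pattern WebAuthn/FIDO2 uses, where the signed data includes the origin the browser actually connected to) so that it runs with the Python standard library alone.

```python
"""Toy phishing-relay model: a one-time code versus an origin-bound signed challenge.

Added illustration for this thread; it is not code from the VoT draft or from
any of the participants. Origins, user names and keys are constructed for the
example, and an HMAC key stands in for the signing key of a real origin-bound
authenticator so that it runs with the standard library alone.
"""
import hashlib
import hmac
import secrets

IDP_ORIGIN = "https://idp.example"          # constructed: the genuine IdP
PHISH_ORIGIN = "https://idp-login.example"  # constructed: attacker's look-alike site


def _mac(key: bytes, msg: str) -> str:
    """Keyed hash used for both the OTP and the stand-in signature."""
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class IdP:
    """Verifier side: per-user OTP seeds, per-user device keys, outstanding challenges."""

    def __init__(self):
        self.otp_seeds = {}
        self.device_keys = {}
        self.pending = {}  # nonce -> user; a nonce is consumed on first use

    def enroll(self, user, otp_seed, device_key):
        self.otp_seeds[user] = otp_seed
        self.device_keys[user] = device_key

    # Credential 1: a code the user reads and types. The IdP only learns that
    # whoever submitted it had seen it; it cannot tell the user from a relay.
    def login_otp(self, user, counter, otp):
        expected = _mac(self.otp_seeds[user], f"otp|{counter}")[:6]
        return hmac.compare_digest(expected, otp)

    # Credential 2: a challenge signed together with the origin the client
    # actually connected to (the pattern WebAuthn/FIDO2 uses).
    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = user
        return nonce

    def login_bound(self, user, nonce, client_origin, sig):
        if self.pending.pop(nonce, None) != user:
            return False  # unknown or already-consumed challenge
        if client_origin != IDP_ORIGIN:
            return False  # the client reports it was talking to someone else
        expected = _mac(self.device_keys[user], f"{nonce}|{client_origin}")
        return hmac.compare_digest(expected, sig)


class UserDevice:
    """The user's token/browser. It signs over the origin it sees, not one it is told."""

    def __init__(self, user, otp_seed, device_key):
        self.user, self.otp_seed, self.device_key = user, otp_seed, device_key

    def read_otp(self, counter):
        return _mac(self.otp_seed, f"otp|{counter}")[:6]

    def sign(self, nonce, origin_seen):
        return _mac(self.device_key, f"{nonce}|{origin_seen}")


class PhishingRelay:
    """Attacker site at PHISH_ORIGIN forwarding every step to the real IdP in real time."""

    def __init__(self, idp):
        self.idp = idp

    def relay_otp(self, device, counter):
        otp = device.read_otp(counter)  # victim types the code into the fake page
        return self.idp.login_otp(device.user, counter, otp)

    def relay_bound(self, device):
        # Fetch a real challenge, have the victim's browser sign it, then try
        # both ways of presenting it: lie about the origin, or report it honestly.
        nonce = self.idp.challenge(device.user)
        sig = device.sign(nonce, PHISH_ORIGIN)  # signed over the origin the victim sees
        lie = self.idp.login_bound(device.user, nonce, IDP_ORIGIN, sig)
        nonce2 = self.idp.challenge(device.user)
        sig2 = device.sign(nonce2, PHISH_ORIGIN)
        honest = self.idp.login_bound(device.user, nonce2, PHISH_ORIGIN, sig2)
        return lie or honest


def run_demo():
    """Returns which logins the IdP accepted: direct vs. relayed, for each credential."""
    idp = IdP()
    seed, key = secrets.token_bytes(32), secrets.token_bytes(32)
    idp.enroll("alice", seed, key)
    alice = UserDevice("alice", seed, key)
    relay = PhishingRelay(idp)
    nonce = idp.challenge("alice")
    return {
        "otp_direct": idp.login_otp("alice", 7, alice.read_otp(7)),
        "otp_relayed": relay.relay_otp(alice, 8),
        "bound_direct": idp.login_bound("alice", nonce, IDP_ORIGIN, alice.sign(nonce, IDP_ORIGIN)),
        "bound_relayed": relay.relay_bound(alice),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Run directly, the two OTP rows come back accepted whether the user or the relay submitted the code; from the IdP's side the sessions are identical, which is the equality between the C values the thread is arguing about. Only the origin-bound row separates them: the relay can fetch a genuine challenge and obtain a genuine signature, but that signature covers `https://idp-login.example`, so it fails the origin check whether the relay lies about the origin or reports it. The caveat a practitioner should keep in mind is that origin binding defeats a relay only while the client's notion of origin is trustworthy; a compromised endpoint or a corporate DPI root that the browser trusts, the other cases Chris lists, is outside what this model shows.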
From nobody Fri May 13 02:48:32 2016
Date: Fri, 13 May 2016 19:48:21 +1000
From: Chris
Message-ID: <329351357.20160513194821@CryptoPhoto.com>
To: Julian White
Cc: vot@ietf.org, Justin Richer
Subject: Re: [VoT] Security Problem with Primary Credential Usage
References: <1523279479.20160508222427@CryptoPhoto.com> <753DBE1F-3891-4BB6-811B-5B8682A81A28@mit.edu>

Hi Julian,

It is like I said at the start.
The entirety of the trustmark idea evaluates to one single strength - everything is equally untrustworthy, because it's all only unidirectional. You can't solve trust without fixing BOTH ends. It is a two-way street. For as long as a user and proxy are indistinguishable, C0 == Ca == Cb == Cd == Ce == Cf. I know it sounds like a little problem, but so was the debris on that last Concorde's runway. This is the show stopper. Chris. Friday, May 13, 2016, 5:52:55 PM, you wrote: Justin, For my own clarity, can the RP pass a request for a specific trustmark, or list of trustmarks that it will accept? The text seems to imply that they will get whatever trustmark the IdP sends and have to make a decision based on that each time. In reality, since the evaluation of the trustmark is a cumbersome manual process I suspect RP's will whitelist trustmarks that they will accept so then it seems inefficient for and IdP to return a response under a trustmark the RP won't accept. Thanks, Julian. On 12 May 2016 at 19:49, Julian White wrote: That makes sense, tho that didn't come across in the description of the trustmark. Julian On 12 May 2016 19:45, "Justin Richer" wrote: We explicitly left those kinds of things out of the vector as they’d really be related to the IdP itself and not the authentication transaction to which the VoT refers. In other words, the security of the IdP is related to the trust framework and assessment of the IdP and it can be published as part of the IdP’s discovery documents and associated trust marks. This is information that is going to remain the same regardless of the transaction. This is also part of why you need to have a trustmark context to interpret the VoT in. — Justin On May 12, 2016, at 11:11 AM, Julian White wrote: Hi, I have a number of comments and questions (see attached), many of which are related to the issues raised by Chris, some maybe my misunderstanding coming in half way through the drafting tho. 
I, like Chris, also think there needs to be something more explicit around the "security" of the IdP authentication which includes the measures to try and detect 'odd' things (like MITM). I would also go one step further in that I also want to know about the maturity of the IdP's "security", its of no use to me if they have really good credentials but store all the data in the clear on their website or have a load of administrative back-doors that could let anyone generate a valid authentication response. It feels like we need to do more work in this area. Regards, Julian. On 8 May 2016 at 13:24, Chris wrote: Hi All, I think there is a critical flaw in section 3.2 of https://tools.ietf.org/html/draft-richer-vectors-of-trust-02 (Primary Credential Usage) Mutual-authentication is missing. When no provision is made to prevent man-in-the-middle, credential harvesting, spoof, phishing, malware, or other common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce, Cf, and others equally untrustworthy. We should consider inclusion either for the overall strength of the authentication process, or some breakdown of either all the techniques used or the strength of protection employed to thwart at least common attack scenarios. This problem gets tricky quite fast: Do we identify the authentication technology vendor? (if yes - who works out their resistance strength to common attacks? what about different modes?) Do we broadly identify the techniques (whos opinions count as to whether or not the technique is effective and against what threats?) Do we identify or classify the threats and indicate which ones were mitigated (who should be trusted to decide if these really were mitigated?) For example - tamper-proof hardware digital certificate devices with biometrics unlocks are totally useless, if the user paid no attention to a broken SSL warning, or has malware. 
They're also equally useless in most corporate environments that use deep-packet inspection firewalls - and "unexpected certificates" (eg. from DPI or malicious) carry their own privacy problems (eg: passwords are not as "protected" as you think). Much more common authentication "protection" of course, are two-step or sms one time codes - which are equally useless when an end user can be tricked into revealing them to spoof sites. 91% of successful break-ins start from phishing. Right now, every vector is pointing one way - we need at least one "Vector of Trust" to point back the other way! How about a 5th vector - "S" for "Security", which somehow allows an RP a level of confidence in the protection afforded to the user's actual authentication process, in terms of (or at least considering) a wide range of (and all common) modern threats. Chris. _______________________________________________ vot mailing list vot@ietf.org https://www.ietf.org/mailman/listinfo/vot _______________________________________________ vot mailing list vot@ietf.org https://www.ietf.org/mailman/listinfo/vot ------------06E0D81C21D2396DB Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit Re: [VoT] Security Problem with Primary Credential Usage Hi Julian,

It is like I said at the start.  The entirety of the trustmark idea evaluates to one single strength - everything is equally untrustworthy, because it's all only unidirectional.

You can't solve trust without fixing BOTH ends.  It is a two-way street.  For as long as a user and proxy are indistinguishable, C0 == Ca == Cb == Cd == Ce == Cf.

I know it sounds like a little problem, but so was the debris on that last Concorde's runway.  This is the show stopper.

Chris.


Friday, May 13, 2016, 5:52:55 PM, you wrote:


Justin,

For my own clarity, can the RP pass a request for a specific trustmark, or list of trustmarks that it will accept? The text seems to imply that they will get whatever trustmark the IdP sends and have to make a decision based on that each time. In reality, since the evaluation of the trustmark is a cumbersome manual process I suspect RPs will whitelist trustmarks that they will accept, so then it seems inefficient for an IdP to return a response under a trustmark the RP won't accept.

Thanks,

Julian.

On 12 May 2016 at 19:49, Julian White <jwhite@nu-d.com> wrote:
That makes sense, tho that didn't come across in the description of the trustmark.
Julian
On 12 May 2016 19:45, "Justin Richer" <jricher@mit.edu> wrote:
We explicitly left those kinds of things out of the vector as they’d really be related to the IdP itself and not the authentication transaction to which the VoT refers. In other words, the security of the IdP is related to the trust framework and assessment of the IdP and it can be published as part of the IdP’s discovery documents and associated trust marks. This is information that is going to remain the same regardless of the transaction.

This is also part of why you need to have a trustmark context to interpret the VoT in.

— Justin

On May 12, 2016, at 11:11 AM, Julian White <jwhite@nu-d.com> wrote:

Hi,

I have a number of comments and questions (see attached), many of which are related to the issues raised by Chris; some may be my misunderstanding, coming in halfway through the drafting though.

I, like Chris, also think there needs to be something more explicit around the "security" of the IdP authentication, which includes the measures to try and detect 'odd' things (like MITM). I would also go one step further in that I also want to know about the maturity of the IdP's "security": it's of no use to me if they have really good credentials but store all the data in the clear on their website or have a load of administrative back-doors that could let anyone generate a valid authentication response.

It feels like we need to do more work in this area.

Regards,

Julian.

On 8 May 2016 at 13:24, Chris <cnd@geek.net.au> wrote:
Hi All,

I think there is a critical flaw in section 3.2 of
https://tools.ietf.org/html/draft-richer-vectors-of-trust-02 (Primary Credential Usage)

Mutual-authentication is missing.  When no provision is made to prevent man-in-the-middle, credential harvesting, spoof, phishing, malware, or other common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce, Cf, and others equally untrustworthy.

We should consider inclusion either for the overall strength of the authentication process, or some breakdown of either all the techniques used or the strength of protection employed to thwart at least common attack scenarios.

This problem gets tricky quite fast:

Do we identify the authentication technology vendor? (If yes, who works out their resistance strength to common attacks? What about different modes?)
Do we broadly identify the techniques? (Whose opinions count as to whether or not the technique is effective, and against what threats?)
Do we identify or classify the threats and indicate which ones were mitigated? (Who should be trusted to decide if these really were mitigated?)

For example, tamper-proof hardware digital certificate devices with biometric unlocks are totally useless if the user paid no attention to a broken SSL warning, or has malware. They're also equally useless in most corporate environments that use deep-packet inspection firewalls, and "unexpected certificates" (e.g. from DPI or malicious) carry their own privacy problems (e.g. passwords are not as "protected" as you think). Much more common authentication "protection", of course, is two-step or SMS one-time codes, which are equally useless when an end user can be tricked into revealing them to spoof sites.

91% of successful break-ins start from phishing.  Right now, every vector is pointing one way - we need at least one "Vector of Trust" to point back the other way!  

How about a 5th vector - "S" for "Security", which somehow allows an RP a level of confidence in the protection afforded to the user's actual authentication process, in terms of (or at least considering) a wide range of (and all common) modern threats.

Chris.

_______________________________________________
vot mailing list
vot@ietf.org
https://www.ietf.org/mailman/listinfo/vot

<draft-richer-vectors-of-trust-02.docx>

From: Peter Alterman
Date: Fri, 13 May 2016 07:07:17 -0400
To: vot@ietf.org
Subject: Re: [VoT] vot Digest, Vol 14, Issue 5

That raises the issue of what kind of machine-readable metadata should represent the trustmark?
Peter

On May 13, 2016 5:48 AM, <vot-request@ietf.org> wrote:
> Today's Topics:
>
>    1. Re: Security Problem with Primary Credential Usage (Julian White)
>    2. Re: Security Problem with Primary Credential Usage (Chris)
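The RP-side check that the exchange above keeps circling around (Julian's whitelist of accepted trustmarks, Justin's point that a vector only has meaning inside a trustmark context, and Peter's question about what the machine-readable trustmark metadata should be), as an added example that is not code from the draft or from anyone in this thread. It assumes the assertion carries the vector in a "vot" claim and the trustmark as a URL in a "vtm" claim; the trustmark URLs, the component letters and the accepted values are made up for the example and should be checked against the draft before reuse:

```python
"""Added example (not from the Vectors of Trust draft or this thread):
an RP interprets a received VoT vector only in the context of a
trustmark it has whitelisted, and fails closed on anything it cannot
interpret. Claim names "vot"/"vtm", trustmark URLs and accepted values
are assumptions made for this example."""
import re
from typing import Mapping

# One vector component: a category letter and a single value character,
# e.g. "P1", "Cd", "Ab". Components are joined with periods ("P1.Cd.Ab").
_COMPONENT = re.compile(r"^([A-Z])([0-9a-z])$")


def parse_vot(vot: str) -> dict[str, set[str]]:
    """Parse "P1.Cc.Cd.Ab" into {"P": {"1"}, "C": {"c", "d"}, "A": {"b"}}.

    Malformed input raises ValueError so the caller fails closed instead
    of treating garbage as a weak-but-valid vector.
    """
    if not vot:
        raise ValueError("empty vector")
    parsed: dict[str, set[str]] = {}
    for part in vot.split("."):
        m = _COMPONENT.match(part)
        if not m:
            raise ValueError(f"malformed component {part!r}")
        category, value = m.groups()
        parsed.setdefault(category, set()).add(value)
    return parsed


# RP policy keyed by trustmark URL (hypothetical URLs). For each trustmark
# the RP lists, per component category, the values it will accept. Values
# are listed explicitly rather than as a "minimum letter" because a later
# letter in the C category is not automatically a stronger credential;
# only the trustmark's own definitions say what each value protects against.
TRUSTMARK_POLICY: Mapping[str, Mapping[str, set[str]]] = {
    "https://trustmark.example/framework-a": {
        "P": {"1", "2", "3"},
        "C": {"d", "e", "f"},
        "A": {"b", "c"},
    },
    "https://trustmark.example/framework-b": {
        "P": {"2", "3"},
        "C": {"e", "f"},
        "A": {"c"},
    },
}


def accepted_trustmarks(policy: Mapping[str, object] = TRUSTMARK_POLICY) -> list[str]:
    """The list an RP could publish or send with its request so an IdP
    need not answer under a trustmark the RP will reject anyway. Whether
    the draft lets the RP send this is left open in the thread."""
    return sorted(policy)


def evaluate_assertion(claims: Mapping[str, str],
                       policy: Mapping[str, Mapping[str, set[str]]] = TRUSTMARK_POLICY,
                       ) -> tuple[bool, str]:
    """Decide whether an assertion's vot/vtm claims satisfy the RP policy.

    Returns (accepted, reason); the reason is for the RP's own logs. The
    trustmark is checked before the vector is even parsed, because the
    vector has no meaning outside a trustmark context.
    """
    vtm = claims.get("vtm")
    if vtm is None:
        return False, "no trustmark (vtm) claim: vector cannot be interpreted"
    rules = policy.get(vtm)
    if rules is None:
        return False, f"trustmark not whitelisted: {vtm}"
    try:
        vector = parse_vot(claims.get("vot", ""))
    except ValueError as exc:
        return False, f"unparseable vot claim: {exc}"
    for category, accepted in rules.items():
        present = vector.get(category)
        if not present:
            return False, f"component {category} missing from vector"
        # At least one of the asserted values must be one the RP accepts
        # under this trustmark (a vector may carry several C values).
        if not present & accepted:
            return False, (f"component {category} value(s) {sorted(present)} "
                           f"not accepted under {vtm}")
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample claims, as they might appear in an ID token.
    samples = [
        {"vot": "P1.Cd.Ab", "vtm": "https://trustmark.example/framework-a"},
        {"vot": "P1.Cd.Ab", "vtm": "https://trustmark.example/framework-b"},
        {"vot": "P1.Cd.Ab", "vtm": "https://trustmark.example/unknown"},
        {"vot": "P1.Cd.Ab"},
        {"vot": "P1.C?.Ab", "vtm": "https://trustmark.example/framework-a"},
    ]
    for sample in samples:
        print(sample, "->", evaluate_assertion(sample))
```

The same "P1.Cd.Ab" vector is accepted under one trustmark and rejected under the other, which is the whole reason the trustmark has to travel with the vector: the RP decides per trustmark which values it will take, and anything it cannot interpret (no trustmark, an unknown trustmark, a malformed vector) is rejected rather than scored.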

That raises the issue of what kind of machine readable metad= ata should represent the trustmark?
Peter

On May 13, 2016 5:48 AM, <vot-request@ietf.org> wrote:
Send vot mailing list submissions to<= br> =C2=A0 =C2=A0 =C2=A0 =C2=A0 vot@ietf.org

To subscribe or unsubscribe via the World Wide Web, visit
=C2=A0 =C2=A0 =C2=A0 =C2=A0
https://www.ietf.org/mailman/li= stinfo/vot
or, via email, send a message with subject or body 'help' to
=C2=A0 =C2=A0 =C2=A0 =C2=A0 vot-req= uest@ietf.org

You can reach the person managing the list at
=C2=A0 =C2=A0 =C2=A0 =C2=A0 vot-owner= @ietf.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of vot digest..."

Today's Topics:

=C2=A0 =C2=A01. Re: Security Problem with Primary Credential Usage (Julian = White)
=C2=A0 =C2=A02. Re: Security Problem with Primary Credential Usage (Chris)<= br>

---------- Forwarded message ----------
From:=C2=A0Julian White = <jwhite@nu-d.com>
To:=C2=A0= Justin Richer <jricher@mit.edu>= ;
Cc:=C2=A0Chris <cnd@geek.net.au<= /a>>, vot@ietf.org
Date:=C2=A0Fri= , 13 May 2016 08:52:55 +0100
Subject:=C2=A0Re: [VoT] Security Problem wi= th Primary Credential Usage
Justin,

= For my own clarity, can the RP pass a request for a specific trustmark, or = list of trustmarks that it will accept? The text seems to imply that they w= ill get whatever trustmark the IdP sends and have to make a decision based = on that each time. In reality, since the evaluation of the trustmark is a c= umbersome manual process I suspect RP's will whitelist trustmarks that = they will accept so then it seems inefficient for and IdP to return a respo= nse under a trustmark the RP won't accept.

Tha= nks,

Julian.

On 12 May 2016 at 19:49, Julian White <jwhit= e@nu-d.com> wrote:

That makes sense, tho that didn't come across in the descripti= on of the trustmark.

Julian

On 12 May 2016 19:45, "Justin Richer" = <jricher@mit.edu> wrote:
We explicitly left those kinds of things out o= f the vector as they=E2=80=99d really be related to the IdP itself and not = the authentication transaction to which the VoT refers. In other words, the= security of the IdP is related to the trust framework and assessment of th= e IdP and it can be published as part of the IdP=E2=80=99s discovery docume= nts and associated trust marks. This is information that is going to remain= the same regardless of the transaction.=C2=A0

This is a= lso part of why you need to have a trustmark context to interpret the VoT i= n.

=C2=A0=E2=80=94 Justin


Hi,

I have a number = of comments and questions (see attached), many of which are related to the = issues raised by Chris, some maybe my misunderstanding coming in half way t= hrough the drafting tho.

I, like Chris, also think= there needs to be something more explicit around the "security" = of the IdP authentication which includes the measures to try and detect = 9;odd' things (like MITM). I would also go one step further in that I a= lso want to know about the maturity of the IdP's "security", = its of no use to me if they have really good credentials but store all the = data in the clear on their website or have a load of administrative back-do= ors that could let anyone generate a valid authentication response.

It feels like we need to do more work in this area.
=

Regards,

Julian.

On 8 May 2016 at 13= :24, Chris <cnd@geek.net.au> wrote:
Hi All,

I think there is a critical flaw in section 3.2 of
https://tools.ietf.or= g/html/draft-richer-vectors-of-trust-02 (Primary Credential Usage)

Mutual-authentication is missing.=C2=A0 When no provision is made to preven= t man-in-the-middle, credential harvesting, spoof, phishing, malware, or ot= her common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce, C= f, and others equally untrustworthy.

We should consider inclusion either for the overall strength of the authent= ication process, or some breakdown of either all the techniques used or the= strength of protection employed to thwart at least common attack scenarios= .

This problem gets tricky quite fast:

Do we identify the authentication technology vendor? (if yes - who works ou= t their resistance strength to common attacks? =C2=A0what about different m= odes?)
Do we broadly identify the techniques (whos opinions count as to whether or= not the technique is effective and against what threats?)
Do we identify or classify the threats and indicate which ones were mitigat= ed (who should be trusted to decide if these really were mitigated?)

For example - tamper-proof hardware digital certificate devices with biomet= rics unlocks are totally useless, if the user paid no attention to a broken= SSL warning, or has malware.=C2=A0 They're also equally useless in mos= t corporate environments that use deep-packet inspection firewalls - and &q= uot;unexpected certificates" (eg. from DPI or malicious) carry their o= wn privacy problems (eg: passwords are not as "protected" as you = think).=C2=A0 Much more common authentication "protection" of cou= rse, are two-step or sms one time codes - which are equally useless when an= end user can be tricked into revealing them to spoof sites.

91% of successful break-ins start from phishing.=C2=A0 Right now, every vec= tor is pointing one way - we need at least one "Vector of Trust" = to point back the other way! =C2=A0

How about a 5th vector - "S" for "Security", which some= how allows an RP a level of confidence in the protection afforded to the us= er's actual authentication process, in terms of (or at least considerin= g) a wide range of (and all common) modern threats.

Chris.

______________________________________= _________
vot mailing list
vot@ietf.org
https://www.ietf.org/mailman/listinfo/vot


<draft-richer-vectors-of-trust-02.docx>_________________= ______________________________
vot mailing list
vot@ietf.org
https://www.ietf.org/mailman/= listinfo/vot




---------- Forwarded message ----------
From:=C2=A0Chris <cnd@geek.net.au>
To:=C2=A0Julian = White <jwhite@nu-d.com>
Cc:= =C2=A0vot@ietf.org, Justin Richer <<= a href=3D"mailto:jricher@mit.edu">jricher@mit.edu>
Date:=C2=A0Fri= , 13 May 2016 19:48:21 +1000
Subject:=C2=A0Re: [VoT] Security Problem wi= th Primary Credential Usage
Hi Julian,

It is like I said at the start. The entirety of the trustmark idea evaluates to one single strength - everything is equally untrustworthy, because it's all only unidirectional.

You can't solve trust without fixing BOTH ends. It is a two-way street. For as long as a user and proxy are indistinguishable, C0 == Ca == Cb == Cd == Ce == Cf.

I know it sounds like a little problem, but so was the debris on that last Concorde's runway. This is the show stopper.

Chris.


Friday, May 13, 2016, 5:52:55 PM, you wrote:


Justin,
For my own clarity, can the RP pass a request for a specific trustmark, or list of trustmarks that it will accept? The text seems to imply that they will get whatever trustmark the IdP sends and have to make a decision based on that each time. In reality, since the evaluation of the trustmark is a cumbersome manual process I suspect RPs will whitelist trustmarks that they will accept, so then it seems inefficient for an IdP to return a response under a trustmark the RP won't accept.

Thanks,

Julian.

On 12 May 2016 at 19:49, Julian White <jwhite@nu-d.com> wrote:
That makes sense, though that didn't come across in the description of the trustmark.
Julian
On 12 May 2016 19:45, "Justin Richer" <jricher@mit.edu> wrote:
We explicitly left those kinds of things out of the vector as they’d really be related to the IdP itself and not the authentication transaction to which the VoT refers. In other words, the security of the IdP is related to the trust framework and assessment of the IdP and it can be published as part of the IdP’s discovery documents and associated trust marks. This is information that is going to remain the same regardless of the transaction.

This is also part of why you need to have a trustmark context to interpret the VoT in.

— Justin

On May 12, 2016, at 11:11 AM, Julian White <jwhite@nu-d.com> wrote:

Hi,

I have a number of comments and questions (see attached), many of which are related to the issues raised by Chris, some maybe my misunderstanding coming in half way through the drafting though.

I, like Chris, also think there needs to be something more explicit around the "security" of the IdP authentication which includes the measures to try and detect 'odd' things (like MITM). I would also go one step further in that I also want to know about the maturity of the IdP's "security"; it's of no use to me if they have really good credentials but store all the data in the clear on their website or have a load of administrative back-doors that could let anyone generate a valid authentication response.

It feels like we need to do more work in this area.

Regards,

Julian.

On 8 May 2016 at 13:24, Chris <cnd@geek.net.au> wrote:
Hi All,

I think there is a critical flaw in section 3.2 of
https://tools.ietf.org/html/draft-richer-vectors-of-trust-02 (Primary Credential Usage)

Mutual-authentication is missing. When no provision is made to prevent man-in-the-middle, credential harvesting, spoof, phishing, malware, or other common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce, Cf, and others equally untrustworthy.

We should consider inclusion either for the overall strength of the authentication process, or some breakdown of either all the techniques used or the strength of protection employed to thwart at least common attack scenarios.

This problem gets tricky quite fast:

Do we identify the authentication technology vendor? (if yes - who works out their resistance strength to common attacks? what about different modes?)
Do we broadly identify the techniques (whose opinions count as to whether or not the technique is effective and against what threats?)
Do we identify or classify the threats and indicate which ones were mitigated (who should be trusted to decide if these really were mitigated?)

For example - tamper-proof hardware digital certificate devices with biometric unlocks are totally useless, if the user paid no attention to a broken SSL warning, or has malware. They're also equally useless in most corporate environments that use deep-packet inspection firewalls - and "unexpected certificates" (e.g. from DPI or malicious) carry their own privacy problems (e.g. passwords are not as "protected" as you think). Much more common authentication "protection" of course, are two-step or SMS one time codes - which are equally useless when an end user can be tricked into revealing them to spoof sites.

91% of successful break-ins start from phishing. Right now, every vector is pointing one way - we need at least one "Vector of Trust" to point back the other way!

How about a 5th vector - "S" for "Security", which somehow allows an RP a level of confidence in the protection afforded to the user's actual authentication process, in terms of (or at least considering) a wide range of (and all common) modern threats.

Chris.


From: Julian White
To: Chris
Cc: vot@ietf.org, Justin Richer
Date: Fri, 13 May 2016 12:12:14 +0100
Subject: Re: [VoT] Security Problem with Primary Credential Usage

Chris,

Yes I see your point, so the RP should assert with which trustmarks it complies too?

Regards,
From: Josh Howlett
To: Julian White, Chris
Cc: vot@ietf.org, Justin Richer
Date: Fri, 13 May 2016 11:26:14 +0000
Subject: Re: [VoT] Security Problem with Primary Credential Usage

How does the IdP verify the RP’s authority to claim compliance?
bzpwPjwvc3Bhbj48L2E+PC9wPg0KPGRpdiBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6 c29saWQgYmx1ZSAxLjVwdDtwYWRkaW5nOjBjbSAwY20gMGNtIDQuMHB0Ij4NCjxkaXY+DQo8ZGl2 IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItdG9wOnNvbGlkICNFMUUxRTEgMS4wcHQ7cGFkZGlu ZzozLjBwdCAwY20gMGNtIDBjbSI+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48Yj48c3BhbiBsYW5n PSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJy aSZxdW90OyxzYW5zLXNlcmlmIj5Gcm9tOjwvc3Bhbj48L2I+PHNwYW4gbGFuZz0iRU4tVVMiIHN0 eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fu cy1zZXJpZiI+IHZvdCBbbWFpbHRvOnZvdC1ib3VuY2VzQGlldGYub3JnXQ0KPGI+T24gQmVoYWxm IE9mIDwvYj5KdWxpYW4gV2hpdGU8YnI+DQo8Yj5TZW50OjwvYj4gMTMgTWF5IDIwMTYgMTI6MTI8 YnI+DQo8Yj5Ubzo8L2I+IENocmlzICZsdDtjbmRAZ2Vlay5uZXQuYXUmZ3Q7PGJyPg0KPGI+Q2M6 PC9iPiB2b3RAaWV0Zi5vcmc7IEp1c3RpbiBSaWNoZXIgJmx0O2pyaWNoZXJAbWl0LmVkdSZndDs8 YnI+DQo8Yj5TdWJqZWN0OjwvYj4gUmU6IFtWb1RdIFNlY3VyaXR5IFByb2JsZW0gd2l0aCBQcmlt YXJ5IENyZWRlbnRpYWwgVXNhZ2U8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+Q2hyaXMsPG86cD48L286cD48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj5ZZXMgSSBzZWUgeW91ciBwb2ludCwgc28gdGhlIFJQIHNob3VsZCBhc3Nl cnQgd2l0aCB3aGljaCB0cnVzdG1hcmtzIGl0IGNvbXBsaWVzIHRvbz88bzpwPjwvbzpwPjwvcD4N CjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9w Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+UmVnYXJkcyw8bzpwPjwvbzpw PjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4m bmJzcDs8L286cD48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+T24gMTMgTWF5IDIw MTYgYXQgMTA6NDgsIENocmlzICZsdDs8YSBocmVmPSJtYWlsdG86Y25kQGdlZWsubmV0LmF1IiB0 YXJnZXQ9Il9ibGFuayI+Y25kQGdlZWsubmV0LmF1PC9hPiZndDsgd3JvdGU6PG86cD48L286cD48 L3A+DQo8YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgI0ND 
Q0NDQyAxLjBwdDtwYWRkaW5nOjBjbSAwY20gMGNtIDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0O21h cmdpbi1yaWdodDowY20iPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPkhpIEp1bGlhbiw8 YnI+DQo8YnI+DQpJdCBpcyBsaWtlIEkgc2FpZCBhdCB0aGUgc3RhcnQuJm5ic3A7IFRoZSBlbnRp cmV0eSBvZiB0aGUgdHJ1c3RtYXJrIGlkZWEgZXZhbHVhdGVzIHRvIG9uZSBzaW5nbGUgc3RyZW5n dGggLSBldmVyeXRoaW5nIGlzIGVxdWFsbHkgdW50cnVzdHdvcnRoeSwgYmVjYXVzZSBpdCdzIGFs bCBvbmx5IHVuaWRpcmVjdGlvbmFsLjxicj4NCjxicj4NCllvdSBjYW4ndCBzb2x2ZSB0cnVzdCB3 aXRob3V0IGZpeGluZyBCT1RIIGVuZHMuJm5ic3A7IEl0IGlzIGEgPGI+dHdvLXdheSA8L2I+c3Ry ZWV0LiZuYnNwOyBGb3IgYXMgbG9uZyBhcyBhIHVzZXIgYW5kIHByb3h5IGFyZSBpbmRpc3Rpbmd1 aXNoYWJsZSwgQzAgPT0gQ2EgPT0gQ2IgPT0gQ2QgPT0gQ2UgPT0gQ2YuPGJyPg0KPGJyPg0KSSBr bm93IGl0IHNvdW5kcyBsaWtlIGEgbGl0dGxlIHByb2JsZW0sIGJ1dCBzbyB3YXMgdGhlIGRlYnJp cyBvbiB0aGF0IGxhc3QgQ29uY29yZGUncyBydW53YXkuJm5ic3A7IFRoaXMgaXMgdGhlIHNob3cg c3RvcHBlci48c3BhbiBzdHlsZT0iY29sb3I6Izg4ODg4OCI+PGJyPg0KPGJyPg0KPHNwYW4gY2xh c3M9ImhvZW56YiI+Q2hyaXMuPC9zcGFuPjwvc3Bhbj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tYm90dG9tOjEy LjBwdCI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1z ZXJpZiI+PGJyPg0KPGJyPg0KPGJyPg0KRnJpZGF5LCBNYXkgMTMsIDIwMTYsIDU6NTI6NTUgUE0s IHlvdSB3cm90ZTo8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4N CjxkaXY+DQo8dGFibGUgY2xhc3M9Ik1zb05vcm1hbFRhYmxlIiBib3JkZXI9IjAiIGNlbGxzcGFj aW5nPSIzIiBjZWxscGFkZGluZz0iMCI+DQo8dGJvZHk+DQo8dHI+DQo8dGQgd2lkdGg9IjIiIHN0 eWxlPSJ3aWR0aDoxLjBwdDtiYWNrZ3JvdW5kOmJsdWU7cGFkZGluZzouNzVwdCAuNzVwdCAuNzVw dCAuNzVwdCI+DQo8L3RkPg0KPHRkIHN0eWxlPSJwYWRkaW5nOi43NXB0IC43NXB0IC43NXB0IC43 NXB0Ij4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVv dDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPkp1c3Rpbiw8YnI+DQo8YnI+DQpGb3IgbXkgb3du IGNsYXJpdHksIGNhbiB0aGUgUlAgcGFzcyBhIHJlcXVlc3QgZm9yIGEgc3BlY2lmaWMgdHJ1c3Rt 
YXJrLCBvciBsaXN0IG9mIHRydXN0bWFya3MgdGhhdCBpdCB3aWxsIGFjY2VwdD8gVGhlIHRleHQg c2VlbXMgdG8gaW1wbHkgdGhhdCB0aGV5IHdpbGwgZ2V0IHdoYXRldmVyIHRydXN0bWFyayB0aGUg SWRQIHNlbmRzIGFuZCBoYXZlIHRvIG1ha2UgYSBkZWNpc2lvbiBiYXNlZCBvbiB0aGF0IGVhY2gg dGltZS4gSW4gcmVhbGl0eSwgc2luY2UNCiB0aGUgZXZhbHVhdGlvbiBvZiB0aGUgdHJ1c3RtYXJr IGlzIGEgY3VtYmVyc29tZSBtYW51YWwgcHJvY2VzcyBJIHN1c3BlY3QgUlAncyB3aWxsIHdoaXRl bGlzdCB0cnVzdG1hcmtzIHRoYXQgdGhleSB3aWxsIGFjY2VwdCBzbyB0aGVuIGl0IHNlZW1zIGlu ZWZmaWNpZW50IGZvciBhbmQgSWRQIHRvIHJldHVybiBhIHJlc3BvbnNlIHVuZGVyIGEgdHJ1c3Rt YXJrIHRoZSBSUCB3b24ndCBhY2NlcHQuPGJyPg0KPGJyPg0KVGhhbmtzLDxicj4NCjxicj4NCkp1 bGlhbi48YnI+DQo8YnI+DQpPbiAxMiBNYXkgMjAxNiBhdCAxOTo0OSwgSnVsaWFuIFdoaXRlICZs dDs8L3NwYW4+PGEgaHJlZj0ibWFpbHRvOmp3aGl0ZUBudS1kLmNvbSIgdGFyZ2V0PSJfYmxhbmsi PjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYi Pmp3aGl0ZUBudS1kLmNvbTwvc3Bhbj48L2E+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90 O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+Jmd0OyB3cm90ZTo8YnI+DQpUaGF0IG1ha2VzIHNl bnNlLCB0aG8gdGhhdCBkaWRuJ3QgY29tZSBhY3Jvc3MgaW4gdGhlIGRlc2NyaXB0aW9uIG9mIHRo ZSB0cnVzdG1hcmsuPGJyPg0KPHNwYW4gc3R5bGU9ImNvbG9yOiM4ODg4ODgiPkp1bGlhbjxicj4N Cjwvc3Bhbj48c3BhbiBzdHlsZT0iY29sb3I6YmxhY2siPk9uIDEyIE1heSAyMDE2IDE5OjQ1LCAm cXVvdDtKdXN0aW4gUmljaGVyJnF1b3Q7ICZsdDs8L3NwYW4+PC9zcGFuPjxhIGhyZWY9Im1haWx0 bzpqcmljaGVyQG1pdC5lZHUiIHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0iZm9udC1mYW1p bHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5qcmljaGVyQG1pdC5lZHU8L3NwYW4+ PC9hPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2Vy aWYiPiZndDsNCiB3cm90ZTo8YnI+DQpXZSBleHBsaWNpdGx5IGxlZnQgdGhvc2Uga2luZHMgb2Yg dGhpbmdzIG91dCBvZiB0aGUgdmVjdG9yIGFzIHRoZXnigJlkIHJlYWxseSBiZSByZWxhdGVkIHRv IHRoZSBJZFAgaXRzZWxmIGFuZCBub3QgdGhlIGF1dGhlbnRpY2F0aW9uIHRyYW5zYWN0aW9uIHRv IHdoaWNoIHRoZSBWb1QgcmVmZXJzLiBJbiBvdGhlciB3b3JkcywgdGhlIHNlY3VyaXR5IG9mIHRo ZSBJZFAgaXMgcmVsYXRlZCB0byB0aGUgdHJ1c3QgZnJhbWV3b3JrIGFuZCBhc3Nlc3NtZW50DQog 
b2YgdGhlIElkUCBhbmQgaXQgY2FuIGJlIHB1Ymxpc2hlZCBhcyBwYXJ0IG9mIHRoZSBJZFDigJlz IGRpc2NvdmVyeSBkb2N1bWVudHMgYW5kIGFzc29jaWF0ZWQgdHJ1c3QgbWFya3MuIFRoaXMgaXMg aW5mb3JtYXRpb24gdGhhdCBpcyBnb2luZyB0byByZW1haW4gdGhlIHNhbWUgcmVnYXJkbGVzcyBv ZiB0aGUgdHJhbnNhY3Rpb24uDQo8YnI+DQo8YnI+DQpUaGlzIGlzIGFsc28gcGFydCBvZiB3aHkg eW91IG5lZWQgdG8gaGF2ZSBhIHRydXN0bWFyayBjb250ZXh0IHRvIGludGVycHJldCB0aGUgVm9U IGluLjxicj4NCjxicj4NCuKAlCBKdXN0aW48YnI+DQo8YnI+DQpPbiBNYXkgMTIsIDIwMTYsIGF0 IDExOjExIEFNLCBKdWxpYW4gV2hpdGUgJmx0Ozwvc3Bhbj48YSBocmVmPSJtYWlsdG86andoaXRl QG51LWQuY29tIiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90 O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+andoaXRlQG51LWQuY29tPC9zcGFuPjwvYT48c3Bh biBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj4mZ3Q7 IHdyb3RlOjxicj4NCjxicj4NCkhpLDxicj4NCjxicj4NCkkgaGF2ZSBhIG51bWJlciBvZiBjb21t ZW50cyBhbmQgcXVlc3Rpb25zIChzZWUgYXR0YWNoZWQpLCBtYW55IG9mIHdoaWNoIGFyZSByZWxh dGVkIHRvIHRoZSBpc3N1ZXMgcmFpc2VkIGJ5IENocmlzLCBzb21lIG1heWJlIG15IG1pc3VuZGVy c3RhbmRpbmcgY29taW5nIGluIGhhbGYgd2F5IHRocm91Z2ggdGhlIGRyYWZ0aW5nIHRoby48YnI+ DQo8YnI+DQpJLCBsaWtlIENocmlzLCBhbHNvIHRoaW5rIHRoZXJlIG5lZWRzIHRvIGJlIHNvbWV0 aGluZyBtb3JlIGV4cGxpY2l0IGFyb3VuZCB0aGUgJnF1b3Q7c2VjdXJpdHkmcXVvdDsgb2YgdGhl IElkUCBhdXRoZW50aWNhdGlvbiB3aGljaCBpbmNsdWRlcyB0aGUgbWVhc3VyZXMgdG8gdHJ5IGFu ZCBkZXRlY3QgJ29kZCcgdGhpbmdzIChsaWtlIE1JVE0pLiBJIHdvdWxkIGFsc28gZ28gb25lIHN0 ZXAgZnVydGhlciBpbiB0aGF0IEkgYWxzbyB3YW50IHRvIGtub3cgYWJvdXQgdGhlDQogbWF0dXJp dHkgb2YgdGhlIElkUCdzICZxdW90O3NlY3VyaXR5JnF1b3Q7LCBpdHMgb2Ygbm8gdXNlIHRvIG1l IGlmIHRoZXkgaGF2ZSByZWFsbHkgZ29vZCBjcmVkZW50aWFscyBidXQgc3RvcmUgYWxsIHRoZSBk YXRhIGluIHRoZSBjbGVhciBvbiB0aGVpciB3ZWJzaXRlIG9yIGhhdmUgYSBsb2FkIG9mIGFkbWlu aXN0cmF0aXZlIGJhY2stZG9vcnMgdGhhdCBjb3VsZCBsZXQgYW55b25lIGdlbmVyYXRlIGEgdmFs aWQgYXV0aGVudGljYXRpb24gcmVzcG9uc2UuPGJyPg0KPGJyPg0KSXQgZmVlbHMgbGlrZSB3ZSBu ZWVkIHRvIGRvIG1vcmUgd29yayBpbiB0aGlzIGFyZWEuPGJyPg0KPGJyPg0KUmVnYXJkcyw8YnI+ 
DQo8YnI+DQpKdWxpYW4uPGJyPg0KPGJyPg0KT24gOCBNYXkgMjAxNiBhdCAxMzoyNCwgQ2hyaXMg Jmx0Ozwvc3Bhbj48YSBocmVmPSJtYWlsdG86Y25kQGdlZWsubmV0LmF1IiB0YXJnZXQ9Il9ibGFu ayI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJp ZiI+Y25kQGdlZWsubmV0LmF1PC9zcGFuPjwvYT48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1 b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj4mZ3Q7IHdyb3RlOjxicj4NCkhpIEFsbCw8YnI+ DQo8YnI+DQpJIHRoaW5rIHRoZXJlIGlzIGEgY3JpdGljYWwgZmxhdyBpbiBzZWN0aW9uIDMuMiBv ZiA8L3NwYW4+PGEgaHJlZj0iaHR0cHM6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LXJpY2hl ci12ZWN0b3JzLW9mLXRydXN0LTAyIiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4gc3R5bGU9ImZvbnQt ZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+aHR0cHM6Ly90b29scy5pZXRm Lm9yZy9odG1sL2RyYWZ0LXJpY2hlci12ZWN0b3JzLW9mLXRydXN0LTAyPC9zcGFuPjwvYT48c3Bh biBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj4NCiAo UHJpbWFyeSBDcmVkZW50aWFsIFVzYWdlKTxicj4NCjxicj4NCk11dHVhbC1hdXRoZW50aWNhdGlv biBpcyBtaXNzaW5nLiZuYnNwOyBXaGVuIG5vIHByb3Zpc2lvbiBpcyBtYWRlIHRvIHByZXZlbnQg bWFuLWluLXRoZS1taWRkbGUsIGNyZWRlbnRpYWwgaGFydmVzdGluZywgc3Bvb2YsIHBoaXNoaW5n LCBtYWx3YXJlLCBvciBvdGhlciBjb21tb24gdGhyZWF0cywgdGhpcyByZW5kZXJzIGFsbCBwb3Nz aWJsZSB2ZWN0b3JzIEMwLCBDYSwgQ2IsIENkLCBDZSwgQ2YsIGFuZCBvdGhlcnMNCjxiPmVxdWFs bHk8L2I+IHVudHJ1c3R3b3J0aHkuPGJyPg0KPGJyPg0KV2Ugc2hvdWxkIGNvbnNpZGVyIGluY2x1 c2lvbiBlaXRoZXIgZm9yIHRoZSBvdmVyYWxsIHN0cmVuZ3RoIG9mIHRoZSBhdXRoZW50aWNhdGlv biBwcm9jZXNzLCBvciBzb21lIGJyZWFrZG93biBvZiBlaXRoZXIgYWxsIHRoZSB0ZWNobmlxdWVz IHVzZWQgb3IgdGhlIHN0cmVuZ3RoIG9mIHByb3RlY3Rpb24gZW1wbG95ZWQgdG8gdGh3YXJ0IGF0 IGxlYXN0IGNvbW1vbiBhdHRhY2sgc2NlbmFyaW9zLjxicj4NCjxicj4NClRoaXMgcHJvYmxlbSBn ZXRzIHRyaWNreSBxdWl0ZSBmYXN0Ojxicj4NCjxicj4NCkRvIHdlIGlkZW50aWZ5IHRoZSBhdXRo ZW50aWNhdGlvbiB0ZWNobm9sb2d5IHZlbmRvcj8gKGlmIHllcyAtIHdobyB3b3JrcyBvdXQgdGhl aXIgcmVzaXN0YW5jZSBzdHJlbmd0aCB0byBjb21tb24gYXR0YWNrcz8gJm5ic3A7d2hhdCBhYm91 dCBkaWZmZXJlbnQgbW9kZXM/KTxicj4NCkRvIHdlIGJyb2FkbHkgaWRlbnRpZnkgdGhlIHRlY2hu 
aXF1ZXMgKHdob3Mgb3BpbmlvbnMgY291bnQgYXMgdG8gd2hldGhlciBvciBub3QgdGhlIHRlY2hu aXF1ZSBpcyBlZmZlY3RpdmUgYW5kIGFnYWluc3Qgd2hhdCB0aHJlYXRzPyk8YnI+DQpEbyB3ZSBp ZGVudGlmeSBvciBjbGFzc2lmeSB0aGUgdGhyZWF0cyBhbmQgaW5kaWNhdGUgd2hpY2ggb25lcyB3 ZXJlIG1pdGlnYXRlZCAod2hvIHNob3VsZCBiZSB0cnVzdGVkIHRvIGRlY2lkZSBpZiB0aGVzZSBy ZWFsbHkgd2VyZSBtaXRpZ2F0ZWQ/KTxicj4NCjxicj4NCkZvciBleGFtcGxlIC0gdGFtcGVyLXBy b29mIGhhcmR3YXJlIGRpZ2l0YWwgY2VydGlmaWNhdGUgZGV2aWNlcyB3aXRoIGJpb21ldHJpY3Mg dW5sb2NrcyBhcmUgdG90YWxseSB1c2VsZXNzLCBpZiB0aGUgdXNlciBwYWlkIG5vIGF0dGVudGlv biB0byBhIGJyb2tlbiBTU0wgd2FybmluZywgb3IgaGFzIG1hbHdhcmUuJm5ic3A7IFRoZXkncmUg YWxzbyBlcXVhbGx5IHVzZWxlc3MgaW4gbW9zdCBjb3Jwb3JhdGUgZW52aXJvbm1lbnRzIHRoYXQg dXNlIGRlZXAtcGFja2V0DQogaW5zcGVjdGlvbiBmaXJld2FsbHMgLSBhbmQgJnF1b3Q7dW5leHBl Y3RlZCBjZXJ0aWZpY2F0ZXMmcXVvdDsgKGVnLiBmcm9tIERQSSBvciBtYWxpY2lvdXMpIGNhcnJ5 IHRoZWlyIG93biBwcml2YWN5IHByb2JsZW1zIChlZzogcGFzc3dvcmRzIGFyZSBub3QgYXMgJnF1 b3Q7cHJvdGVjdGVkJnF1b3Q7IGFzIHlvdSB0aGluaykuJm5ic3A7IE11Y2ggbW9yZSBjb21tb24g YXV0aGVudGljYXRpb24gJnF1b3Q7cHJvdGVjdGlvbiZxdW90OyBvZiBjb3Vyc2UsIGFyZSB0d28t c3RlcCBvciBzbXMgb25lIHRpbWUgY29kZXMNCiAtIHdoaWNoIGFyZSBlcXVhbGx5IHVzZWxlc3Mg d2hlbiBhbiBlbmQgdXNlciBjYW4gYmUgdHJpY2tlZCBpbnRvIHJldmVhbGluZyB0aGVtIHRvIHNw b29mIHNpdGVzLjxicj4NCjxicj4NCjkxJSBvZiBzdWNjZXNzZnVsIGJyZWFrLWlucyBzdGFydCBm cm9tIHBoaXNoaW5nLiZuYnNwOyBSaWdodCBub3csIGV2ZXJ5IHZlY3RvciBpcyBwb2ludGluZyBv bmUgd2F5IC0gd2UgbmVlZCBhdCBsZWFzdCBvbmUgJnF1b3Q7VmVjdG9yIG9mIFRydXN0JnF1b3Q7 IHRvIHBvaW50DQo8Yj5iYWNrPC9iPiB0aGUgb3RoZXIgd2F5ISAmbmJzcDs8YnI+DQo8YnI+DQpI b3cgYWJvdXQgYSA1dGggdmVjdG9yIC0gJnF1b3Q7UyZxdW90OyBmb3IgJnF1b3Q7U2VjdXJpdHkm cXVvdDssIHdoaWNoIHNvbWVob3cgYWxsb3dzIGFuIFJQIGEgbGV2ZWwgb2YgY29uZmlkZW5jZSBp biB0aGUgcHJvdGVjdGlvbiBhZmZvcmRlZCB0byB0aGUgdXNlcidzIGFjdHVhbCBhdXRoZW50aWNh dGlvbiBwcm9jZXNzLCBpbiB0ZXJtcyBvZiAob3IgYXQgbGVhc3QgY29uc2lkZXJpbmcpIGEgd2lk ZSByYW5nZSBvZiAoYW5kIGFsbCBjb21tb24pIG1vZGVybiB0aHJlYXRzLjxicj4NCjxicj4NCjxz 
cGFuIHN0eWxlPSJjb2xvcjojODg4ODg4Ij5DaHJpcy48YnI+DQo8YnI+DQo8L3NwYW4+PHNwYW4g c3R5bGU9ImNvbG9yOmJsYWNrIj5fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fXzxicj4NCnZvdCBtYWlsaW5nIGxpc3Q8YnI+DQo8L3NwYW4+PC9zcGFuPjxhIGhy ZWY9Im1haWx0bzp2b3RAaWV0Zi5vcmciIHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0iZm9u dC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj52b3RAaWV0Zi5vcmc8L3Nw YW4+PC9hPjxicj4NCjxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGlu Zm8vdm90IiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0Nh bGlicmkmcXVvdDssc2Fucy1zZXJpZiI+aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0 aW5mby92b3Q8L3NwYW4+PC9hPjxicj4NCjxicj4NCjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTom cXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPiZsdDtkcmFmdC1yaWNoZXItdmVjdG9ycy1v Zi10cnVzdC0wMi5kb2N4Jmd0O19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fPGJyPg0Kdm90IG1haWxpbmcgbGlzdDxicj4NCjwvc3Bhbj48YSBocmVmPSJtYWls dG86dm90QGlldGYub3JnIiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5 OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+dm90QGlldGYub3JnPC9zcGFuPjwvYT48 YnI+DQo8YSBocmVmPSJodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL3ZvdCIg dGFyZ2V0PSJfYmxhbmsiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1 b3Q7LHNhbnMtc2VyaWYiPmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vdm90 PC9zcGFuPjwvYT48bzpwPjwvbzpwPjwvcD4NCjwvdGQ+DQo8L3RyPg0KPC90Ym9keT4NCjwvdGFi bGU+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWJvdHRvbToxMi4wcHQiPjxi cj4NCjxicj4NCjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1ib3R0b206MTIuMHB0Ij48YnI+DQpfX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXzxicj4NCnZvdCBtYWlsaW5n IGxpc3Q8YnI+DQo8YSBocmVmPSJtYWlsdG86dm90QGlldGYub3JnIj52b3RAaWV0Zi5vcmc8L2E+ PGJyPg0KPGEgaHJlZj0iaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby92b3Qi IHRhcmdldD0iX2JsYW5rIj5odHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL3Zv 
From nobody Fri May 13 05:43:44 2016
From: Julian White
Date: Fri, 13 May 2016 13:43:16 +0100
To: Josh Howlett
Cc: Chris, vot@ietf.org, Justin Richer
Subject: Re: [VoT] Security Problem with Primary Credential Usage
References: <1523279479.20160508222427@CryptoPhoto.com> <753DBE1F-3891-4BB6-811B-5B8682A81A28@mit.edu> <329351357.20160513194821@CryptoPhoto.com>
List-Id: Vectors of Trust discussion list

Josh,

That is a good question, and equally applicable to how would an RP verify the claim of an IdP?

I think there are only a few usable options:

1) There is a direct relationship between the parties that assures the trustworthiness between themselves outside of the assertion and will only accept requests/responses from each other (via some means not defined here) - this kind of makes the VoT value superfluous since the answer is already known.

2) The trust schemes operate some sort of registry that the VoT links to - but then there also needs to be something that makes it impossible for me to impersonate a member of that scheme in the VoT, this is slightly more challenging.

Does that make sense?

Julian

On 13 May 2016 at 12:26, Josh Howlett wrote:
> How does the IdP verify the RP's authority to claim compliance?
>
> *From:* vot [mailto:vot-bounces@ietf.org] *On Behalf Of* Julian White
> *Sent:* 13 May 2016 12:12
> *To:* Chris
> *Cc:* vot@ietf.org; Justin Richer
> *Subject:* Re: [VoT] Security Problem with Primary Credential Usage
>
> Chris,
>
> Yes I see your point, so the RP should assert with which trustmarks it complies too?
>
> Regards,
>
> On 13 May 2016 at 10:48, Chris wrote:
>
> Hi Julian,
>
> It is like I said at the start. The entirety of the trustmark idea evaluates to one single strength - everything is equally untrustworthy, because it's all only unidirectional.
>
> You can't solve trust without fixing BOTH ends. It is a *two-way* street.
> For as long as a user and proxy are indistinguishable, C0 == Ca == Cb == Cd == Ce == Cf.
>
> I know it sounds like a little problem, but so was the debris on that last Concorde's runway. This is the show stopper.
>
> Chris.
>
> Friday, May 13, 2016, 5:52:55 PM, you wrote:
>
> Justin,
>
> For my own clarity, can the RP pass a request for a specific trustmark, or list of trustmarks that it will accept? The text seems to imply that they will get whatever trustmark the IdP sends and have to make a decision based on that each time. In reality, since the evaluation of the trustmark is a cumbersome manual process I suspect RPs will whitelist trustmarks that they will accept so then it seems inefficient for an IdP to return a response under a trustmark the RP won't accept.
>
> Thanks,
>
> Julian.
>
> On 12 May 2016 at 19:49, Julian White wrote:
> That makes sense, tho that didn't come across in the description of the trustmark.
> Julian
> On 12 May 2016 19:45, "Justin Richer" wrote:
> We explicitly left those kinds of things out of the vector as they'd really be related to the IdP itself and not the authentication transaction to which the VoT refers. In other words, the security of the IdP is related to the trust framework and assessment of the IdP and it can be published as part of the IdP's discovery documents and associated trust marks. This is information that is going to remain the same regardless of the transaction.
>
> This is also part of why you need to have a trustmark context to interpret the VoT in.
>
> — Justin
>
> On May 12, 2016, at 11:11 AM, Julian White wrote:
>
> Hi,
>
> I have a number of comments and questions (see attached), many of which are related to the issues raised by Chris, some maybe my misunderstanding coming in half way through the drafting tho.
>
> I, like Chris, also think there needs to be something more explicit around the "security" of the IdP authentication which includes the measures to try and detect 'odd' things (like MITM). I would also go one step further in that I also want to know about the maturity of the IdP's "security", it's of no use to me if they have really good credentials but store all the data in the clear on their website or have a load of administrative back-doors that could let anyone generate a valid authentication response.
>
> It feels like we need to do more work in this area.
>
> Regards,
>
> Julian.
>
> On 8 May 2016 at 13:24, Chris wrote:
> Hi All,
>
> I think there is a critical flaw in section 3.2 of https://tools.ietf.org/html/draft-richer-vectors-of-trust-02 (Primary Credential Usage)
>
> Mutual-authentication is missing. When no provision is made to prevent man-in-the-middle, credential harvesting, spoof, phishing, malware, or other common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce, Cf, and others *equally* untrustworthy.
>
> We should consider inclusion either for the overall strength of the authentication process, or some breakdown of either all the techniques used or the strength of protection employed to thwart at least common attack scenarios.
>
> This problem gets tricky quite fast:
>
> Do we identify the authentication technology vendor? (if yes - who works out their resistance strength to common attacks? what about different modes?)
> Do we broadly identify the techniques (whose opinions count as to whether or not the technique is effective and against what threats?)
> Do we identify or classify the threats and indicate which ones were mitigated (who should be trusted to decide if these really were mitigated?)
>
> For example - tamper-proof hardware digital certificate devices with biometrics unlocks are totally useless, if the user paid no attention to a broken SSL warning, or has malware. They're also equally useless in most corporate environments that use deep-packet inspection firewalls - and "unexpected certificates" (eg. from DPI or malicious) carry their own privacy problems (eg: passwords are not as "protected" as you think). Much more common authentication "protection" of course, are two-step or sms one time codes - which are equally useless when an end user can be tricked into revealing them to spoof sites.
>
> 91% of successful break-ins start from phishing. Right now, every vector is pointing one way - we need at least one "Vector of Trust" to point *back* the other way!
>
> How about a 5th vector - "S" for "Security", which somehow allows an RP a level of confidence in the protection afforded to the user's actual authentication process, in terms of (or at least considering) a wide range of (and all common) modern threats.
>
> Chris.
>
> _______________________________________________
> vot mailing list
> vot@ietf.org
> https://www.ietf.org/mailman/listinfo/vot
>
> Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>
> Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
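As an added example, not code from the thread, the VoT draft or any of the posters, here is how a relying party could implement the checks Julian's option 2 and his earlier whitelist remark describe: accept only trustmarks the RP has evaluated, and look the issuer up in the scheme's registry so that a self-asserted trustmark cannot be used to impersonate a member. Assumed rather than taken from the page: the assertion carries the draft's `vot` and `vtm` claims plus an `iss` issuer, and the registry, allowlist, issuer names and vector values are constructed sample data.

```python
"""Added example for the thread above (not code from the VoT draft or from
any of the posters): a relying party checking a Vector of Trust assertion
the way Julian's option 2 and his earlier whitelist remark describe.

Assumptions, none of which are on the page: the assertion is a dict carrying
the draft's `vot` (vector string such as "P1.Cc.Ab") and `vtm` (trustmark
URL) claims plus the issuer as `iss`; registry, allowlist, issuer names and
vector values below are constructed sample data.
"""
from dataclasses import dataclass
import re

# Draft -02 component letters: P identity proofing, C primary credential
# usage, M credential management, A assertion presentation. Each value is
# a single character, e.g. the C0/Ca/Cb/Cd/Ce/Cf values named in the thread.
_COMPONENT_RE = re.compile(r"^([PCMA])([0-9a-z])$")


def parse_vector(vot: str) -> dict:
    """Parse "P1.Cc.Ab" into {"P": "1", "C": "c", "A": "b"}.

    Rejects unknown components, malformed values and repeated components.
    """
    parsed = {}
    for part in vot.split("."):
        match = _COMPONENT_RE.match(part)
        if not match:
            raise ValueError(f"malformed vector component {part!r}")
        component, value = match.groups()
        if component in parsed:
            raise ValueError(f"component {component} repeated in {vot!r}")
        parsed[component] = value
    return parsed


@dataclass
class Registry:
    """Constructed stand-in for a trust scheme's membership registry,
    mapping trustmark URL -> set of issuer identifiers registered under it."""
    members: dict

    def is_member(self, trustmark: str, issuer: str) -> bool:
        return issuer in self.members.get(trustmark, set())


def evaluate_assertion(assertion: dict, allowlist: set, registry: Registry,
                       policy: dict) -> tuple:
    """Decide whether the RP accepts an assertion; returns (accepted, reason).

    The trustmark context is established before the vector is read, since
    the vector only has meaning inside a trustmark context. `policy` maps a
    component letter to the set of values the RP accepts for it.
    """
    trustmark = assertion.get("vtm")
    issuer = assertion.get("iss")
    # Julian's whitelist remark: only trustmarks the RP has evaluated count.
    if trustmark not in allowlist:
        return False, f"trustmark not on RP allowlist: {trustmark!r}"
    # Option 2's hard part: a self-asserted vtm is not evidence of membership,
    # so the issuer must be looked up in the scheme's registry.
    if not registry.is_member(trustmark, issuer):
        return False, f"issuer {issuer!r} is not a registered member of {trustmark!r}"
    try:
        vector = parse_vector(assertion.get("vot", ""))
    except ValueError as exc:
        return False, str(exc)
    for component, accepted in policy.items():
        value = vector.get(component)
        if value not in accepted:
            return False, f"component {component} value {value!r} not accepted by RP policy"
    return True, "accepted"


# Constructed sample data: one scheme with one registered IdP.
SAMPLE_REGISTRY = Registry({"https://trustmark.example/scheme-a": {"https://idp-one.example"}})
SAMPLE_ALLOWLIST = {"https://trustmark.example/scheme-a"}
SAMPLE_POLICY = {"P": {"2", "3"}, "C": {"c", "d"}}


def demo() -> list:
    """Run three constructed assertions through the RP check."""
    scheme = "https://trustmark.example/scheme-a"
    cases = [
        # registered IdP, allowlisted scheme, vector within policy
        {"iss": "https://idp-one.example", "vtm": scheme, "vot": "P2.Cd.Ab"},
        # unregistered issuer claiming the same trustmark: the impersonation
        # Julian says the registry design must make impossible
        {"iss": "https://idp-rogue.example", "vtm": scheme, "vot": "P3.Cd.Ab"},
        # registered IdP, but a vector the RP's policy does not accept
        {"iss": "https://idp-one.example", "vtm": scheme, "vot": "P1.Ca"},
    ]
    return [evaluate_assertion(a, SAMPLE_ALLOWLIST, SAMPLE_REGISTRY, SAMPLE_POLICY)
            for a in cases]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```

Note that the registry lookup only helps if the assertion's signature has already been verified against the issuer's published key; this block models the trust decision, not the signature check.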

Josh,

That is a good que= stion, and equally applicable to how would an RP verify the claim of an IdP= ?

I think there are only a few usable options;=C2= =A0

1) There is a direct relationship between the = parties that assures the trustworthiness between themselves=C2=A0outside of= the assertion=C2=A0and will only accept requests/responses from each other= (via some means not defined here) - this kind of makes the VoT value super= fluous since the answer is already known.=C2=A0

2)= The trust schemes operate some sort of registry that the VoT links too - b= ut then there also needs to be something that makes it impossible for me to= impersonate a member of that scheme in the VoT, this is slightly more chal= lenging.

Does that make sense?

Julian

On 13 May 2016 at 12:26, Josh Howlett <Josh.Howlett@jisc.ac.= uk> wrote:

How does the IdP verify the RP=E2=80= =99s authority to claim compliance?

=C2=A0

From: = vot [mailto:vot-b= ounces@ietf.org] On Behalf Of Julian White
Sent: 13 May 2016 12:12
To: Chris <c= nd@geek.net.au>
Cc: vot@ietf.org; Justin Richer <= jricher@mit.edu>
Subject: Re: [VoT] Security Problem with Primary Credential Usage=

=C2=A0

Chris,

=C2=A0

Yes I see your point, so the RP should assert with w= hich trustmarks it complies too?

=C2=A0

Regards,

=C2=A0

On 13 May 2016 at 10:48, Chris <cnd@geek.net.au> wrote:

Hi Julian,

It is like I said at the start.=C2=A0 The entirety of the trustmark idea ev= aluates to one single strength - everything is equally untrustworthy, becau= se it's all only unidirectional.

You can't solve trust without fixing BOTH ends.=C2=A0 It is a two-wa= y street.=C2=A0 For as long as a user and proxy are indistinguishable, = C0 =3D=3D Ca =3D=3D Cb =3D=3D Cd =3D=3D Ce =3D=3D Cf.

I know it sounds like a little problem, but so was the debris on that last = Concorde's runway.=C2=A0 This is the show stopper.

Chris.




Friday, May 13, 2016, 5:52:55 PM, you wrote:

Justin,

For my own clarity, can the RP pass a request for a specific trustmark, or = list of trustmarks that it will accept? The text seems to imply that they w= ill get whatever trustmark the IdP sends and have to make a decision based = on that each time. In reality, since the evaluation of the trustmark is a cumbersome manual process I suspect R= P's will whitelist trustmarks that they will accept so then it seems in= efficient for and IdP to return a response under a trustmark the RP won'= ;t accept.

Thanks,

Julian.

On 12 May 2016 at 19:49, Julian White <jwhite@nu-d.com> wrote:
That makes sense, tho that didn't come across in the description of the trustmark.
Julian
On 12 May 2016 19:45, "Justin Richer" <jricher@mit.edu> wrote:
We explicitly left those kinds of things out of the vector as they'd really be related to the IdP itself and not the authentication transaction to which the VoT refers. In other words, the security of the IdP is related to the trust framework and assessment of the IdP and it can be published as part of the IdP's discovery documents and associated trust marks. This is information that is going to remain the same regardless of the transaction.

This is also part of why you need to have a trustmark context to interpret the VoT in.

— Justin

On May 12, 2016, at 11:11 AM, Julian White <jwhite@nu-d.com> wrote:

Hi,

I have a number of comments and questions (see attached), many of which are related to the issues raised by Chris, some maybe my misunderstanding coming in half way through the drafting tho.

I, like Chris, also think there needs to be something more explicit around the "security" of the IdP authentication which includes the measures to try and detect 'odd' things (like MITM). I would also go one step further in that I also want to know about the maturity of the IdP's "security", it's of no use to me if they have really good credentials but store all the data in the clear on their website or have a load of administrative back-doors that could let anyone generate a valid authentication response.

It feels like we need to do more work in this area.

Regards,

Julian.

On 8 May 2016 at 13:24, Chris <cnd@geek.net.au> wrote:
Hi All,

I think there is a critical flaw in section 3.2 of https://tools.ietf.org/html/draft-richer-vectors-of-trust-02 (Primary Credential Usage)

Mutual-authentication is missing. When no provision is made to prevent man-in-the-middle, credential harvesting, spoof, phishing, malware, or other common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce, Cf, and others equally untrustworthy.

We should consider inclusion either for the overall strength of the authentication process, or some breakdown of either all the techniques used or the strength of protection employed to thwart at least common attack scenarios.

This problem gets tricky quite fast:

Do we identify the authentication technology vendor? (if yes - who works out their resistance strength to common attacks? what about different modes?)
Do we broadly identify the techniques (whose opinions count as to whether or not the technique is effective and against what threats?)
Do we identify or classify the threats and indicate which ones were mitigated (who should be trusted to decide if these really were mitigated?)

For example - tamper-proof hardware digital certificate devices with biometric unlocks are totally useless, if the user paid no attention to a broken SSL warning, or has malware. They're also equally useless in most corporate environments that use deep-packet inspection firewalls - and "unexpected certificates" (eg. from DPI or malicious) carry their own privacy problems (eg: passwords are not as "protected" as you think). Much more common authentication "protection" of course, are two-step or sms one time codes - which are equally useless when an end user can be tricked into revealing them to spoof sites.

91% of successful break-ins start from phishing. Right now, every vector is pointing one way - we need at least one "Vector of Trust" to point back the other way!

How about a 5th vector - "S" for "Security", which somehow allows an RP a level of confidence in the protection afforded to the user's actual authentication process, in terms of (or at least considering) a wide range of (and all common) modern threats.

Chris.

_______________________________________________
vot mailing list
vot@ietf.org
https://www.ietf.org/mailman/listinfo/vot

<draft-richer-vectors-of-trust-02.docx>







Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
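As an added example (not code from the thread or from the VoT draft's authors) of the RP-side check the thread circles around: the RP allowlists the trustmarks it has evaluated, as Julian expects RPs to do, and interprets the vector only in that trustmark's context, as Justin describes. It parses the draft's dotted vector syntax (e.g. "P1.Cc.Ab") and applies a per-trustmark policy; the trustmark URLs, the policy values and the sample vectors are constructed, and the policy's per-component acceptable values are assumptions rather than anything a real trustmark defines.

```python
import re
from typing import Dict, Set, Tuple

# Vector syntax from draft-richer-vectors-of-trust: dot-separated values, each a
# component letter followed by one value character, e.g. "P1.Cc.Ab".
_VALUE_RE = re.compile(r"^([A-Z])([A-Za-z0-9])$")

# Constructed trustmark identifiers (the draft carries the trustmark as a URL in
# the "vtm" claim); these are placeholders, not real trustmarks.
TRUSTMARK_A = "https://trustmark.example/profile-a"
TRUSTMARK_B = "https://trustmark.example/profile-b"

# Hypothetical RP policy, keyed by allowlisted trustmark. For each component the
# RP cares about, the set of values it will accept. It is keyed by trustmark
# because a value such as "Cc" only has meaning under that trustmark's definitions.
# Note what the policy cannot express: nothing in the C component tells the RP
# whether the user's session was protected against phishing or a man-in-the-middle,
# which is the gap the thread above argues about.
RP_POLICY: Dict[str, Dict[str, Set[str]]] = {
    TRUSTMARK_A: {"P": {"1", "2", "3"}, "C": {"c", "d", "e", "f"}},
    TRUSTMARK_B: {"P": {"2", "3"}, "C": {"e", "f"}},
}


def parse_vot(vot: str) -> Dict[str, Set[str]]:
    """Parse a vector string into {component: set(values)}.

    A component may appear more than once (e.g. "Cc.Cd" when two credential
    types were used); the values accumulate. Anything that is not a single
    component letter plus a single value character is rejected.
    """
    components: Dict[str, Set[str]] = {}
    for part in vot.split("."):
        match = _VALUE_RE.match(part)
        if match is None:
            raise ValueError(f"malformed vector component {part!r}")
        components.setdefault(match.group(1), set()).add(match.group(2))
    return components


def evaluate(vot: str, vtm: str,
             policy: Dict[str, Dict[str, Set[str]]] = RP_POLICY) -> Tuple[bool, str]:
    """Decide whether the RP accepts a (vot, vtm) pair under its policy.

    The trustmark is checked first: the vector cannot be interpreted at all
    outside a trustmark context the RP has evaluated and allowlisted.
    """
    requirements = policy.get(vtm)
    if requirements is None:
        return False, "trustmark not on the RP allowlist"
    try:
        components = parse_vot(vot)
    except ValueError as exc:
        return False, f"malformed vector: {exc}"
    for component, acceptable in requirements.items():
        present = components.get(component, set())
        if not present:
            return False, f"component {component} missing from vector"
        # Any one acceptable value satisfies the requirement for that component.
        if not present & acceptable:
            return False, (f"component {component} value(s) "
                           f"{''.join(sorted(present))} not acceptable under this trustmark")
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample assertions, one per outcome the policy can produce.
    for vector, trustmark in [("P1.Cc.Ab", TRUSTMARK_A),
                              ("P1.Cc.Ab", TRUSTMARK_B),
                              ("P2.Ce.Ab", TRUSTMARK_B),
                              ("P1.Cc.Ab", "https://trustmark.example/unknown")]:
        print(vector, trustmark, evaluate(vector, trustmark))
```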

--047d7bb03a5090ce530532b89f32--

From nobody Fri May 13 07:57:32 2016
From: Josh Howlett
To: Julian White
Cc: Chris, vot@ietf.org, Justin Richer
Date: Fri, 13 May 2016 14:57:17 +0000
Subject: Re: [VoT] Security Problem with Primary Credential Usage
Thread-Topic: [VoT] Security Problem with Primary Credential Usage
References: <1523279479.20160508222427@CryptoPhoto.com> <753DBE1F-3891-4BB6-811B-5B8682A81A28@mit.edu> <329351357.20160513194821@CryptoPhoto.com>
X-OriginatorOrg: jisc.ac.uk
List-Id: Vectors of Trust discussion list
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_000_VI1PR07MB15810CFDA10B2E5B0F3B4E88BC740VI1PR07MB1581eurp_"

--_000_VI1PR07MB15810CFDA10B2E5B0F3B4E88BC740VI1PR07MB1581eurp_
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64
IG9mICgxKSwgYnV0IHdoZXJlIHRoZSBudW1iZXIgb2YgcGFydGllcyBoYXBwZW5zIHRvIGJlIGdy ZWF0ZXIgdGhhbiB0d28uIFRoZSBjaG9pY2Ugb2Ygd2hldGhlciB0byB1c2UgYW4gaW50ZXJuYWwg b3IgZXh0ZXJuYWwgcmVnaXN0cnkgaXMganVzdCBhbiBvcGVyYXRpb25hbCBxdWVzdGlvbi4gSG93 ZXZlciwgSSBkb27igJl0IHRoaW5rIHRoaXMgbWFrZXMgVm9UIHN1cGVyZmx1b3VzOiBpdCBzdGls bCBoYXMgdmFsdWUgYXMgYSB3YXkgb2Ygc2lnbmFsbGluZyBhbHRlcm5hdGUgc2VtYW50aWNzIGRl ZmluZWQgd2l0aGluIHRoZSB0cnVzdG1hcmsgYWdyZWVtZW50Lg0KDQpUaGlzIGRvZXMsIGhvd2V2 ZXIsIHN1Z2dlc3QgdG8gbWUgdGhhdCBWb1QgaGFzIGxpbWl0ZWQgdXRpbGl0eSB3aGVuIHdvcmtp bmcgYWNyb3NzIGFyYml0cmFyeSB0cnVzdG1hcmsgYWdyZWVtZW50cy4gQW5kIHNvIHRvIGJlIGNh bmRpZCwgYW5kIHdpdGhvdXQgd2lzaGluZyB0byBzb3VuZCBkaXNwaXJpdGluZywgSSBzdXNwZWN0 IHRoYXQgd29ya2luZyBvbiB0aGUgdGVjaG5pY2FsIHNpZ25hbGxpbmcgd2l0aG91dCB1bmRlcnN0 YW5kaW5nIGhvdyB0aGVzZSBhZ3JlZW1lbnRzIGNhbiBiZSBib3VuZCB0b2dldGhlciBpcyBwb3Nz aWJseSBwcmVtYXR1cmU7IGF0IGxlYXN0IGlmIHlvdSB3YW50IHNvbWV0aGluZyBvZiBnZW5lcmFs IHV0aWxpdHkuIE1vcmUgYXR0ZW50aW9uIGlzIG5lZWRlZCBvbiBjb21wb3NhYmxlIHBvbGljeSBm cmFtZXdvcmtzIGhhdmluZyBjb21wYXRpYmxlIHNlbWFudGljcywgbGlua2VkIHRvIGFuIHVuZGVy bHlpbmcgbGVnYWwgYXJjaGl0ZWN0dXJlIHRoYXQgd29ya3MgdHJhbnNpdGl2ZWx5IGFjcm9zcyB0 aG9zZSBhZ3JlZW1lbnRzLiBCZWluZyB0aGUgSUVURiwgSSB1bmRlcnN0YW5kIHRoYXQgdGhpcyBw cm9iYWJseSBpc27igJl0IHRoZSB2ZW51ZSBmb3IgdGhhdCBkaXNjdXNzaW9uIOKYug0KDQpKb3No Lg0KDQpGcm9tOiBKdWxpYW4gV2hpdGUgW21haWx0bzpqd2hpdGVAbnUtZC5jb21dDQpTZW50OiAx MyBNYXkgMjAxNiAxMzo0Mw0KVG86IEpvc2ggSG93bGV0dCA8Sm9zaC5Ib3dsZXR0QGppc2MuYWMu dWs+DQpDYzogQ2hyaXMgPGNuZEBnZWVrLm5ldC5hdT47IHZvdEBpZXRmLm9yZzsgSnVzdGluIFJp Y2hlciA8anJpY2hlckBtaXQuZWR1Pg0KU3ViamVjdDogUmU6IFtWb1RdIFNlY3VyaXR5IFByb2Js ZW0gd2l0aCBQcmltYXJ5IENyZWRlbnRpYWwgVXNhZ2UNCg0KDQpKb3NoLA0KDQpUaGF0IGlzIGEg Z29vZCBxdWVzdGlvbiwgYW5kIGVxdWFsbHkgYXBwbGljYWJsZSB0byBob3cgd291bGQgYW4gUlAg dmVyaWZ5IHRoZSBjbGFpbSBvZiBhbiBJZFA/DQoNCkkgdGhpbmsgdGhlcmUgYXJlIG9ubHkgYSBm ZXcgdXNhYmxlIG9wdGlvbnM7DQoNCjEpIFRoZXJlIGlzIGEgZGlyZWN0IHJlbGF0aW9uc2hpcCBi 
ZXR3ZWVuIHRoZSBwYXJ0aWVzIHRoYXQgYXNzdXJlcyB0aGUgdHJ1c3R3b3J0aGluZXNzIGJldHdl ZW4gdGhlbXNlbHZlcyBvdXRzaWRlIG9mIHRoZSBhc3NlcnRpb24gYW5kIHdpbGwgb25seSBhY2Nl cHQgcmVxdWVzdHMvcmVzcG9uc2VzIGZyb20gZWFjaCBvdGhlciAodmlhIHNvbWUgbWVhbnMgbm90 IGRlZmluZWQgaGVyZSkgLSB0aGlzIGtpbmQgb2YgbWFrZXMgdGhlIFZvVCB2YWx1ZSBzdXBlcmZs dW91cyBzaW5jZSB0aGUgYW5zd2VyIGlzIGFscmVhZHkga25vd24uDQoNCjIpIFRoZSB0cnVzdCBz Y2hlbWVzIG9wZXJhdGUgc29tZSBzb3J0IG9mIHJlZ2lzdHJ5IHRoYXQgdGhlIFZvVCBsaW5rcyB0 b28gLSBidXQgdGhlbiB0aGVyZSBhbHNvIG5lZWRzIHRvIGJlIHNvbWV0aGluZyB0aGF0IG1ha2Vz IGl0IGltcG9zc2libGUgZm9yIG1lIHRvIGltcGVyc29uYXRlIGEgbWVtYmVyIG9mIHRoYXQgc2No ZW1lIGluIHRoZSBWb1QsIHRoaXMgaXMgc2xpZ2h0bHkgbW9yZSBjaGFsbGVuZ2luZy4NCg0KRG9l cyB0aGF0IG1ha2Ugc2Vuc2U/DQoNCkp1bGlhbg0KDQpPbiAxMyBNYXkgMjAxNiBhdCAxMjoyNiwg Sm9zaCBIb3dsZXR0IDxKb3NoLkhvd2xldHRAamlzYy5hYy51azxtYWlsdG86Sm9zaC5Ib3dsZXR0 QGppc2MuYWMudWs+PiB3cm90ZToNCkhvdyBkb2VzIHRoZSBJZFAgdmVyaWZ5IHRoZSBSUOKAmXMg YXV0aG9yaXR5IHRvIGNsYWltIGNvbXBsaWFuY2U/DQoNCkZyb206IHZvdCBbbWFpbHRvOnZvdC1i b3VuY2VzQGlldGYub3JnPG1haWx0bzp2b3QtYm91bmNlc0BpZXRmLm9yZz5dIE9uIEJlaGFsZiBP ZiBKdWxpYW4gV2hpdGUNClNlbnQ6IDEzIE1heSAyMDE2IDEyOjEyDQpUbzogQ2hyaXMgPGNuZEBn ZWVrLm5ldC5hdTxtYWlsdG86Y25kQGdlZWsubmV0LmF1Pj4NCkNjOiB2b3RAaWV0Zi5vcmc8bWFp bHRvOnZvdEBpZXRmLm9yZz47IEp1c3RpbiBSaWNoZXIgPGpyaWNoZXJAbWl0LmVkdTxtYWlsdG86 anJpY2hlckBtaXQuZWR1Pj4NClN1YmplY3Q6IFJlOiBbVm9UXSBTZWN1cml0eSBQcm9ibGVtIHdp dGggUHJpbWFyeSBDcmVkZW50aWFsIFVzYWdlDQoNCkNocmlzLA0KDQpZZXMgSSBzZWUgeW91ciBw b2ludCwgc28gdGhlIFJQIHNob3VsZCBhc3NlcnQgd2l0aCB3aGljaCB0cnVzdG1hcmtzIGl0IGNv bXBsaWVzIHRvbz8NCg0KUmVnYXJkcywNCg0KT24gMTMgTWF5IDIwMTYgYXQgMTA6NDgsIENocmlz IDxjbmRAZ2Vlay5uZXQuYXU8bWFpbHRvOmNuZEBnZWVrLm5ldC5hdT4+IHdyb3RlOg0KSGkgSnVs aWFuLA0KDQpJdCBpcyBsaWtlIEkgc2FpZCBhdCB0aGUgc3RhcnQuICBUaGUgZW50aXJldHkgb2Yg dGhlIHRydXN0bWFyayBpZGVhIGV2YWx1YXRlcyB0byBvbmUgc2luZ2xlIHN0cmVuZ3RoIC0gZXZl cnl0aGluZyBpcyBlcXVhbGx5IHVudHJ1c3R3b3J0aHksIGJlY2F1c2UgaXQncyBhbGwgb25seSB1 
bmlkaXJlY3Rpb25hbC4NCg0KWW91IGNhbid0IHNvbHZlIHRydXN0IHdpdGhvdXQgZml4aW5nIEJP VEggZW5kcy4gIEl0IGlzIGEgdHdvLXdheSBzdHJlZXQuICBGb3IgYXMgbG9uZyBhcyBhIHVzZXIg YW5kIHByb3h5IGFyZSBpbmRpc3Rpbmd1aXNoYWJsZSwgQzAgPT0gQ2EgPT0gQ2IgPT0gQ2QgPT0g Q2UgPT0gQ2YuDQoNCkkga25vdyBpdCBzb3VuZHMgbGlrZSBhIGxpdHRsZSBwcm9ibGVtLCBidXQg c28gd2FzIHRoZSBkZWJyaXMgb24gdGhhdCBsYXN0IENvbmNvcmRlJ3MgcnVud2F5LiAgVGhpcyBp cyB0aGUgc2hvdyBzdG9wcGVyLg0KDQpDaHJpcy4NCg0KDQoNCkZyaWRheSwgTWF5IDEzLCAyMDE2 LCA1OjUyOjU1IFBNLCB5b3Ugd3JvdGU6DQoNCkp1c3RpbiwNCg0KRm9yIG15IG93biBjbGFyaXR5 LCBjYW4gdGhlIFJQIHBhc3MgYSByZXF1ZXN0IGZvciBhIHNwZWNpZmljIHRydXN0bWFyaywgb3Ig bGlzdCBvZiB0cnVzdG1hcmtzIHRoYXQgaXQgd2lsbCBhY2NlcHQ/IFRoZSB0ZXh0IHNlZW1zIHRv IGltcGx5IHRoYXQgdGhleSB3aWxsIGdldCB3aGF0ZXZlciB0cnVzdG1hcmsgdGhlIElkUCBzZW5k cyBhbmQgaGF2ZSB0byBtYWtlIGEgZGVjaXNpb24gYmFzZWQgb24gdGhhdCBlYWNoIHRpbWUuIElu IHJlYWxpdHksIHNpbmNlIHRoZSBldmFsdWF0aW9uIG9mIHRoZSB0cnVzdG1hcmsgaXMgYSBjdW1i ZXJzb21lIG1hbnVhbCBwcm9jZXNzIEkgc3VzcGVjdCBSUCdzIHdpbGwgd2hpdGVsaXN0IHRydXN0 bWFya3MgdGhhdCB0aGV5IHdpbGwgYWNjZXB0IHNvIHRoZW4gaXQgc2VlbXMgaW5lZmZpY2llbnQg Zm9yIGFuZCBJZFAgdG8gcmV0dXJuIGEgcmVzcG9uc2UgdW5kZXIgYSB0cnVzdG1hcmsgdGhlIFJQ IHdvbid0IGFjY2VwdC4NCg0KVGhhbmtzLA0KDQpKdWxpYW4uDQoNCk9uIDEyIE1heSAyMDE2IGF0 IDE5OjQ5LCBKdWxpYW4gV2hpdGUgPGp3aGl0ZUBudS1kLmNvbTxtYWlsdG86andoaXRlQG51LWQu Y29tPj4gd3JvdGU6DQpUaGF0IG1ha2VzIHNlbnNlLCB0aG8gdGhhdCBkaWRuJ3QgY29tZSBhY3Jv c3MgaW4gdGhlIGRlc2NyaXB0aW9uIG9mIHRoZSB0cnVzdG1hcmsuDQpKdWxpYW4NCk9uIDEyIE1h eSAyMDE2IDE5OjQ1LCAiSnVzdGluIFJpY2hlciIgPGpyaWNoZXJAbWl0LmVkdTxtYWlsdG86anJp Y2hlckBtaXQuZWR1Pj4gd3JvdGU6DQpXZSBleHBsaWNpdGx5IGxlZnQgdGhvc2Uga2luZHMgb2Yg dGhpbmdzIG91dCBvZiB0aGUgdmVjdG9yIGFzIHRoZXnigJlkIHJlYWxseSBiZSByZWxhdGVkIHRv IHRoZSBJZFAgaXRzZWxmIGFuZCBub3QgdGhlIGF1dGhlbnRpY2F0aW9uIHRyYW5zYWN0aW9uIHRv IHdoaWNoIHRoZSBWb1QgcmVmZXJzLiBJbiBvdGhlciB3b3JkcywgdGhlIHNlY3VyaXR5IG9mIHRo ZSBJZFAgaXMgcmVsYXRlZCB0byB0aGUgdHJ1c3QgZnJhbWV3b3JrIGFuZCBhc3Nlc3NtZW50IG9m 
IHRoZSBJZFAgYW5kIGl0IGNhbiBiZSBwdWJsaXNoZWQgYXMgcGFydCBvZiB0aGUgSWRQ4oCZcyBk aXNjb3ZlcnkgZG9jdW1lbnRzIGFuZCBhc3NvY2lhdGVkIHRydXN0IG1hcmtzLiBUaGlzIGlzIGlu Zm9ybWF0aW9uIHRoYXQgaXMgZ29pbmcgdG8gcmVtYWluIHRoZSBzYW1lIHJlZ2FyZGxlc3Mgb2Yg dGhlIHRyYW5zYWN0aW9uLg0KDQpUaGlzIGlzIGFsc28gcGFydCBvZiB3aHkgeW91IG5lZWQgdG8g aGF2ZSBhIHRydXN0bWFyayBjb250ZXh0IHRvIGludGVycHJldCB0aGUgVm9UIGluLg0KDQrigJQg SnVzdGluDQoNCk9uIE1heSAxMiwgMjAxNiwgYXQgMTE6MTEgQU0sIEp1bGlhbiBXaGl0ZSA8ando aXRlQG51LWQuY29tPG1haWx0bzpqd2hpdGVAbnUtZC5jb20+PiB3cm90ZToNCg0KSGksDQoNCkkg aGF2ZSBhIG51bWJlciBvZiBjb21tZW50cyBhbmQgcXVlc3Rpb25zIChzZWUgYXR0YWNoZWQpLCBt YW55IG9mIHdoaWNoIGFyZSByZWxhdGVkIHRvIHRoZSBpc3N1ZXMgcmFpc2VkIGJ5IENocmlzLCBz b21lIG1heWJlIG15IG1pc3VuZGVyc3RhbmRpbmcgY29taW5nIGluIGhhbGYgd2F5IHRocm91Z2gg dGhlIGRyYWZ0aW5nIHRoby4NCg0KSSwgbGlrZSBDaHJpcywgYWxzbyB0aGluayB0aGVyZSBuZWVk cyB0byBiZSBzb21ldGhpbmcgbW9yZSBleHBsaWNpdCBhcm91bmQgdGhlICJzZWN1cml0eSIgb2Yg dGhlIElkUCBhdXRoZW50aWNhdGlvbiB3aGljaCBpbmNsdWRlcyB0aGUgbWVhc3VyZXMgdG8gdHJ5 IGFuZCBkZXRlY3QgJ29kZCcgdGhpbmdzIChsaWtlIE1JVE0pLiBJIHdvdWxkIGFsc28gZ28gb25l IHN0ZXAgZnVydGhlciBpbiB0aGF0IEkgYWxzbyB3YW50IHRvIGtub3cgYWJvdXQgdGhlIG1hdHVy aXR5IG9mIHRoZSBJZFAncyAic2VjdXJpdHkiLCBpdHMgb2Ygbm8gdXNlIHRvIG1lIGlmIHRoZXkg aGF2ZSByZWFsbHkgZ29vZCBjcmVkZW50aWFscyBidXQgc3RvcmUgYWxsIHRoZSBkYXRhIGluIHRo ZSBjbGVhciBvbiB0aGVpciB3ZWJzaXRlIG9yIGhhdmUgYSBsb2FkIG9mIGFkbWluaXN0cmF0aXZl IGJhY2stZG9vcnMgdGhhdCBjb3VsZCBsZXQgYW55b25lIGdlbmVyYXRlIGEgdmFsaWQgYXV0aGVu dGljYXRpb24gcmVzcG9uc2UuDQoNCkl0IGZlZWxzIGxpa2Ugd2UgbmVlZCB0byBkbyBtb3JlIHdv cmsgaW4gdGhpcyBhcmVhLg0KDQpSZWdhcmRzLA0KDQpKdWxpYW4uDQoNCk9uIDggTWF5IDIwMTYg YXQgMTM6MjQsIENocmlzIDxjbmRAZ2Vlay5uZXQuYXU8bWFpbHRvOmNuZEBnZWVrLm5ldC5hdT4+ IHdyb3RlOg0KSGkgQWxsLA0KDQpJIHRoaW5rIHRoZXJlIGlzIGEgY3JpdGljYWwgZmxhdyBpbiBz ZWN0aW9uIDMuMiBvZiBodHRwczovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtcmljaGVyLXZl Y3RvcnMtb2YtdHJ1c3QtMDIgKFByaW1hcnkgQ3JlZGVudGlhbCBVc2FnZSkNCg0KTXV0dWFsLWF1 
dGhlbnRpY2F0aW9uIGlzIG1pc3NpbmcuICBXaGVuIG5vIHByb3Zpc2lvbiBpcyBtYWRlIHRvIHBy ZXZlbnQgbWFuLWluLXRoZS1taWRkbGUsIGNyZWRlbnRpYWwgaGFydmVzdGluZywgc3Bvb2YsIHBo aXNoaW5nLCBtYWx3YXJlLCBvciBvdGhlciBjb21tb24gdGhyZWF0cywgdGhpcyByZW5kZXJzIGFs bCBwb3NzaWJsZSB2ZWN0b3JzIEMwLCBDYSwgQ2IsIENkLCBDZSwgQ2YsIGFuZCBvdGhlcnMgZXF1 YWxseSB1bnRydXN0d29ydGh5Lg0KDQpXZSBzaG91bGQgY29uc2lkZXIgaW5jbHVzaW9uIGVpdGhl ciBmb3IgdGhlIG92ZXJhbGwgc3RyZW5ndGggb2YgdGhlIGF1dGhlbnRpY2F0aW9uIHByb2Nlc3Ms IG9yIHNvbWUgYnJlYWtkb3duIG9mIGVpdGhlciBhbGwgdGhlIHRlY2huaXF1ZXMgdXNlZCBvciB0 aGUgc3RyZW5ndGggb2YgcHJvdGVjdGlvbiBlbXBsb3llZCB0byB0aHdhcnQgYXQgbGVhc3QgY29t bW9uIGF0dGFjayBzY2VuYXJpb3MuDQoNClRoaXMgcHJvYmxlbSBnZXRzIHRyaWNreSBxdWl0ZSBm YXN0Og0KDQpEbyB3ZSBpZGVudGlmeSB0aGUgYXV0aGVudGljYXRpb24gdGVjaG5vbG9neSB2ZW5k b3I/IChpZiB5ZXMgLSB3aG8gd29ya3Mgb3V0IHRoZWlyIHJlc2lzdGFuY2Ugc3RyZW5ndGggdG8g Y29tbW9uIGF0dGFja3M/ICB3aGF0IGFib3V0IGRpZmZlcmVudCBtb2Rlcz8pDQpEbyB3ZSBicm9h ZGx5IGlkZW50aWZ5IHRoZSB0ZWNobmlxdWVzICh3aG9zIG9waW5pb25zIGNvdW50IGFzIHRvIHdo ZXRoZXIgb3Igbm90IHRoZSB0ZWNobmlxdWUgaXMgZWZmZWN0aXZlIGFuZCBhZ2FpbnN0IHdoYXQg dGhyZWF0cz8pDQpEbyB3ZSBpZGVudGlmeSBvciBjbGFzc2lmeSB0aGUgdGhyZWF0cyBhbmQgaW5k aWNhdGUgd2hpY2ggb25lcyB3ZXJlIG1pdGlnYXRlZCAod2hvIHNob3VsZCBiZSB0cnVzdGVkIHRv IGRlY2lkZSBpZiB0aGVzZSByZWFsbHkgd2VyZSBtaXRpZ2F0ZWQ/KQ0KDQpGb3IgZXhhbXBsZSAt IHRhbXBlci1wcm9vZiBoYXJkd2FyZSBkaWdpdGFsIGNlcnRpZmljYXRlIGRldmljZXMgd2l0aCBi aW9tZXRyaWNzIHVubG9ja3MgYXJlIHRvdGFsbHkgdXNlbGVzcywgaWYgdGhlIHVzZXIgcGFpZCBu byBhdHRlbnRpb24gdG8gYSBicm9rZW4gU1NMIHdhcm5pbmcsIG9yIGhhcyBtYWx3YXJlLiAgVGhl eSdyZSBhbHNvIGVxdWFsbHkgdXNlbGVzcyBpbiBtb3N0IGNvcnBvcmF0ZSBlbnZpcm9ubWVudHMg dGhhdCB1c2UgZGVlcC1wYWNrZXQgaW5zcGVjdGlvbiBmaXJld2FsbHMgLSBhbmQgInVuZXhwZWN0 ZWQgY2VydGlmaWNhdGVzIiAoZWcuIGZyb20gRFBJIG9yIG1hbGljaW91cykgY2FycnkgdGhlaXIg b3duIHByaXZhY3kgcHJvYmxlbXMgKGVnOiBwYXNzd29yZHMgYXJlIG5vdCBhcyAicHJvdGVjdGVk IiBhcyB5b3UgdGhpbmspLiAgTXVjaCBtb3JlIGNvbW1vbiBhdXRoZW50aWNhdGlvbiAicHJvdGVj 
dGlvbiIgb2YgY291cnNlLCBhcmUgdHdvLXN0ZXAgb3Igc21zIG9uZSB0aW1lIGNvZGVzIC0gd2hp Y2ggYXJlIGVxdWFsbHkgdXNlbGVzcyB3aGVuIGFuIGVuZCB1c2VyIGNhbiBiZSB0cmlja2VkIGlu dG8gcmV2ZWFsaW5nIHRoZW0gdG8gc3Bvb2Ygc2l0ZXMuDQoNCjkxJSBvZiBzdWNjZXNzZnVsIGJy ZWFrLWlucyBzdGFydCBmcm9tIHBoaXNoaW5nLiAgUmlnaHQgbm93LCBldmVyeSB2ZWN0b3IgaXMg cG9pbnRpbmcgb25lIHdheSAtIHdlIG5lZWQgYXQgbGVhc3Qgb25lICJWZWN0b3Igb2YgVHJ1c3Qi IHRvIHBvaW50IGJhY2sgdGhlIG90aGVyIHdheSENCg0KSG93IGFib3V0IGEgNXRoIHZlY3RvciAt ICJTIiBmb3IgIlNlY3VyaXR5Iiwgd2hpY2ggc29tZWhvdyBhbGxvd3MgYW4gUlAgYSBsZXZlbCBv ZiBjb25maWRlbmNlIGluIHRoZSBwcm90ZWN0aW9uIGFmZm9yZGVkIHRvIHRoZSB1c2VyJ3MgYWN0 dWFsIGF1dGhlbnRpY2F0aW9uIHByb2Nlc3MsIGluIHRlcm1zIG9mIChvciBhdCBsZWFzdCBjb25z aWRlcmluZykgYSB3aWRlIHJhbmdlIG9mIChhbmQgYWxsIGNvbW1vbikgbW9kZXJuIHRocmVhdHMu DQoNCkNocmlzLg0KDQpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fXw0Kdm90IG1haWxpbmcgbGlzdA0Kdm90QGlldGYub3JnPG1haWx0bzp2b3RAaWV0Zi5vcmc+ DQpodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL3ZvdA0KDQo8ZHJhZnQtcmlj aGVyLXZlY3RvcnMtb2YtdHJ1c3QtMDIuZG9jeD5fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fXw0Kdm90IG1haWxpbmcgbGlzdA0Kdm90QGlldGYub3JnPG1haWx0 bzp2b3RAaWV0Zi5vcmc+DQpodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL3Zv dA0KDQoNCg0KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18N CnZvdCBtYWlsaW5nIGxpc3QNCnZvdEBpZXRmLm9yZzxtYWlsdG86dm90QGlldGYub3JnPg0KaHR0 cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby92b3QNCg0KDQpKaXNjIGlzIGEgcmVn aXN0ZXJlZCBjaGFyaXR5IChudW1iZXIgMTE0OTc0MCkgYW5kIGEgY29tcGFueSBsaW1pdGVkIGJ5 IGd1YXJhbnRlZSB3aGljaCBpcyByZWdpc3RlcmVkIGluIEVuZ2xhbmQgdW5kZXIgQ29tcGFueSBO by4gNTc0NzMzOSwgVkFUIE5vLiBHQiAxOTcgMDYzMiA4Ni4gSmlzY+KAmXMgcmVnaXN0ZXJlZCBv ZmZpY2UgaXM6IE9uZSBDYXN0bGVwYXJrLCBUb3dlciBIaWxsLCBCcmlzdG9sLCBCUzIgMEpBLiBU IDAyMDMgNjk3IDU4MDAuDQoNCkppc2MgU2VydmljZXMgTGltaXRlZCBpcyBhIHdob2xseSBvd25l ZCBKaXNjIHN1YnNpZGlhcnkgYW5kIGEgY29tcGFueSBsaW1pdGVkIGJ5IGd1YXJhbnRlZSB3aGlj 
aCBpcyByZWdpc3RlcmVkIGluIEVuZ2xhbmQgdW5kZXIgY29tcGFueSBudW1iZXIgMjg4MTAyNCwg VkFUIG51bWJlciBHQiAxOTcgMDYzMiA4Ni4gVGhlIHJlZ2lzdGVyZWQgb2ZmaWNlIGlzOiBPbmUg Q2FzdGxlIFBhcmssIFRvd2VyIEhpbGwsIEJyaXN0b2wgQlMyIDBKQS4gVCAwMjAzIDY5NyA1ODAw Lg0KDQo= --_000_VI1PR07MB15810CFDA10B2E5B0F3B4E88BC740VI1PR07MB1581eurp_ Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTUgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 V2luZ2RpbmdzOw0KCXBhbm9zZS0xOjUgMCAwIDAgMCAwIDAgMCAwIDA7fQ0KQGZvbnQtZmFjZQ0K CXtmb250LWZhbWlseToiQ2FtYnJpYSBNYXRoIjsNCglwYW5vc2UtMToyIDQgNSAzIDUgNCA2IDMg MiA0O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1 IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OkNvcmJlbDsNCglw YW5vc2UtMToyIDExIDUgMyAyIDIgNCAyIDIgNDt9DQovKiBTdHlsZSBEZWZpbml0aW9ucyAqLw0K cC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1hbCwgZGl2Lk1zb05vcm1hbA0KCXttYXJnaW46MGNtOw0K CW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6MTIuMHB0Ow0KCWZvbnQtZmFtaWx5 OiJUaW1lcyBOZXcgUm9tYW4iLHNlcmlmO30NCmE6bGluaywgc3Bhbi5Nc29IeXBlcmxpbmsNCgl7 bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9yOmJsdWU7DQoJdGV4dC1kZWNvcmF0aW9uOnVu ZGVybGluZTt9DQphOnZpc2l0ZWQsIHNwYW4uTXNvSHlwZXJsaW5rRm9sbG93ZWQNCgl7bXNvLXN0 eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9yOnB1cnBsZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJs aW5lO30NCnNwYW4uRW1haWxTdHlsZTE3DQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsLXJlcGx5 Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIixzYW5zLXNlcmlmOw0KCWNvbG9yOiMxRjQ5N0Q7fQ0K 
Lk1zb0NocERlZmF1bHQNCgl7bXNvLXN0eWxlLXR5cGU6ZXhwb3J0LW9ubHk7DQoJZm9udC1zaXpl OjEwLjBwdDsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsc2Fucy1zZXJpZjsNCgltc28tZmFyZWFz dC1sYW5ndWFnZTpFTi1VUzt9DQpAcGFnZSBXb3JkU2VjdGlvbjENCgl7c2l6ZTo2MTIuMHB0IDc5 Mi4wcHQ7DQoJbWFyZ2luOjcyLjBwdCA3Mi4wcHQgNzIuMHB0IDcyLjBwdDt9DQpkaXYuV29yZFNl Y3Rpb24xDQoJe3BhZ2U6V29yZFNlY3Rpb24xO30NCi0tPjwvc3R5bGU+PCEtLVtpZiBndGUgbXNv IDldPjx4bWw+DQo8bzpzaGFwZWRlZmF1bHRzIHY6ZXh0PSJlZGl0IiBzcGlkbWF4PSIxMDI2IiAv Pg0KPC94bWw+PCFbZW5kaWZdLS0+PCEtLVtpZiBndGUgbXNvIDldPjx4bWw+DQo8bzpzaGFwZWxh eW91dCB2OmV4dD0iZWRpdCI+DQo8bzppZG1hcCB2OmV4dD0iZWRpdCIgZGF0YT0iMSIgLz4NCjwv bzpzaGFwZWxheW91dD48L3htbD48IVtlbmRpZl0tLT4NCjwvaGVhZD4NCjxib2R5IGxhbmc9IkVO LUdCIiBsaW5rPSJibHVlIiB2bGluaz0icHVycGxlIj4NCjxkaXYgY2xhc3M9IldvcmRTZWN0aW9u MSI+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtm b250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6IzFGNDk3RDtt c28tZmFyZWFzdC1sYW5ndWFnZTpFTi1VUyI+SnVsaWFuLDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjojMUY0OTdEO21zby1m YXJlYXN0LWxhbmd1YWdlOkVOLVVTIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWls eTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6IzFGNDk3RDttc28tZmFyZWFz dC1sYW5ndWFnZTpFTi1VUyI+WWVzLCBidXQgbm90ZSB0aGF0ICgyKSBpcyBhY3R1YWxseSBhbiBp bnN0YW5jZSBvZiAoMSksIGJ1dCB3aGVyZSB0aGUgbnVtYmVyIG9mIHBhcnRpZXMgaGFwcGVucyB0 byBiZSBncmVhdGVyIHRoYW4gdHdvLiBUaGUgY2hvaWNlIG9mDQogd2hldGhlciB0byB1c2UgYW4g aW50ZXJuYWwgb3IgZXh0ZXJuYWwgcmVnaXN0cnkgaXMganVzdCBhbiBvcGVyYXRpb25hbCBxdWVz dGlvbi4gSG93ZXZlciwgSSBkb27igJl0IHRoaW5rIHRoaXMgbWFrZXMgVm9UIHN1cGVyZmx1b3Vz OiBpdCBzdGlsbCBoYXMgdmFsdWUgYXMgYSB3YXkgb2Ygc2lnbmFsbGluZyBhbHRlcm5hdGUgc2Vt YW50aWNzIGRlZmluZWQgd2l0aGluIHRoZSB0cnVzdG1hcmsgYWdyZWVtZW50LjxvOnA+PC9vOnA+ 
PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjoj MUY0OTdEO21zby1mYXJlYXN0LWxhbmd1YWdlOkVOLVVTIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bh bj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBw dDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6IzFGNDk3 RDttc28tZmFyZWFzdC1sYW5ndWFnZTpFTi1VUyI+VGhpcyBkb2VzLCBob3dldmVyLCBzdWdnZXN0 IHRvIG1lIHRoYXQgVm9UIGhhcyBsaW1pdGVkIHV0aWxpdHkgd2hlbiB3b3JraW5nIGFjcm9zcyBh cmJpdHJhcnkgdHJ1c3RtYXJrIGFncmVlbWVudHMuIEFuZCBzbyB0byBiZSBjYW5kaWQsDQogYW5k IHdpdGhvdXQgd2lzaGluZyB0byBzb3VuZCBkaXNwaXJpdGluZywgSSBzdXNwZWN0IHRoYXQgd29y a2luZyBvbiB0aGUgdGVjaG5pY2FsIHNpZ25hbGxpbmcgd2l0aG91dCB1bmRlcnN0YW5kaW5nIGhv dyB0aGVzZSBhZ3JlZW1lbnRzIGNhbiBiZSBib3VuZCB0b2dldGhlciBpcyBwb3NzaWJseSBwcmVt YXR1cmU7IGF0IGxlYXN0IGlmIHlvdSB3YW50IHNvbWV0aGluZyBvZiBnZW5lcmFsIHV0aWxpdHku IE1vcmUgYXR0ZW50aW9uIGlzIG5lZWRlZA0KIG9uIGNvbXBvc2FibGUgcG9saWN5IGZyYW1ld29y a3MgaGF2aW5nIGNvbXBhdGlibGUgc2VtYW50aWNzLCBsaW5rZWQgdG8gYW4gdW5kZXJseWluZyBs ZWdhbCBhcmNoaXRlY3R1cmUgdGhhdCB3b3JrcyB0cmFuc2l0aXZlbHkgYWNyb3NzIHRob3NlIGFn cmVlbWVudHMuIEJlaW5nIHRoZSBJRVRGLCBJIHVuZGVyc3RhbmQgdGhhdCB0aGlzIHByb2JhYmx5 IGlzbuKAmXQgdGhlIHZlbnVlIGZvciB0aGF0IGRpc2N1c3Npb24NCjwvc3Bhbj48c3BhbiBzdHls ZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTpXaW5nZGluZ3M7Y29sb3I6IzFGNDk3RDtt c28tZmFyZWFzdC1sYW5ndWFnZTpFTi1VUyI+Sjwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6 IzFGNDk3RDttc28tZmFyZWFzdC1sYW5ndWFnZTpFTi1VUyI+PG86cD48L286cD48L3NwYW4+PC9w Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGEgbmFtZT0iX01haWxFbmRDb21wb3NlIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNh bnMtc2VyaWY7Y29sb3I6IzFGNDk3RDttc28tZmFyZWFzdC1sYW5ndWFnZTpFTi1VUyI+PG86cD4m bmJzcDs8L286cD48L3NwYW4+PC9hPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 
eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fu cy1zZXJpZjtjb2xvcjojMUY0OTdEO21zby1mYXJlYXN0LWxhbmd1YWdlOkVOLVVTIj5Kb3NoLjxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJm b250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJp Zjtjb2xvcjojMUY0OTdEO21zby1mYXJlYXN0LWxhbmd1YWdlOkVOLVVTIj48bzpwPiZuYnNwOzwv bzpwPjwvc3Bhbj48L3A+DQo8ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItbGVmdDpzb2xp ZCBibHVlIDEuNXB0O3BhZGRpbmc6MGNtIDBjbSAwY20gNC4wcHQiPg0KPGRpdj4NCjxkaXYgc3R5 bGU9ImJvcmRlcjpub25lO2JvcmRlci10b3A6c29saWQgI0UxRTFFMSAxLjBwdDtwYWRkaW5nOjMu MHB0IDBjbSAwY20gMGNtIj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxiPjxzcGFuIGxhbmc9IkVO LVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1 b3Q7LHNhbnMtc2VyaWYiPkZyb206PC9zcGFuPjwvYj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9 ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNl cmlmIj4gSnVsaWFuIFdoaXRlIFttYWlsdG86andoaXRlQG51LWQuY29tXQ0KPGJyPg0KPGI+U2Vu dDo8L2I+IDEzIE1heSAyMDE2IDEzOjQzPGJyPg0KPGI+VG86PC9iPiBKb3NoIEhvd2xldHQgJmx0 O0pvc2guSG93bGV0dEBqaXNjLmFjLnVrJmd0Ozxicj4NCjxiPkNjOjwvYj4gQ2hyaXMgJmx0O2Nu ZEBnZWVrLm5ldC5hdSZndDs7IHZvdEBpZXRmLm9yZzsgSnVzdGluIFJpY2hlciAmbHQ7anJpY2hl ckBtaXQuZWR1Jmd0Ozxicj4NCjxiPlN1YmplY3Q6PC9iPiBSZTogW1ZvVF0gU2VjdXJpdHkgUHJv YmxlbSB3aXRoIFByaW1hcnkgQ3JlZGVudGlhbCBVc2FnZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjwvZGl2Pg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwv cD4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48 L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPkpvc2gsPG86cD48L286cD48L3A+DQo8 ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5UaGF0IGlzIGEgZ29vZCBxdWVzdGlvbiwgYW5k IGVxdWFsbHkgYXBwbGljYWJsZSB0byBob3cgd291bGQgYW4gUlAgdmVyaWZ5IHRoZSBjbGFpbSBv ZiBhbiBJZFA/PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y 
bWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPkkgdGhpbmsgdGhlcmUgYXJlIG9ubHkgYSBmZXcgdXNhYmxlIG9wdGlvbnM7Jm5ic3A7 PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpw PiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjEp IFRoZXJlIGlzIGEgZGlyZWN0IHJlbGF0aW9uc2hpcCBiZXR3ZWVuIHRoZSBwYXJ0aWVzIHRoYXQg YXNzdXJlcyB0aGUgdHJ1c3R3b3J0aGluZXNzIGJldHdlZW4gdGhlbXNlbHZlcyZuYnNwO291dHNp ZGUgb2YgdGhlIGFzc2VydGlvbiZuYnNwO2FuZCB3aWxsIG9ubHkgYWNjZXB0IHJlcXVlc3RzL3Jl c3BvbnNlcyBmcm9tIGVhY2ggb3RoZXIgKHZpYSBzb21lIG1lYW5zIG5vdCBkZWZpbmVkIGhlcmUp IC0gdGhpcyBraW5kIG9mDQogbWFrZXMgdGhlIFZvVCB2YWx1ZSBzdXBlcmZsdW91cyBzaW5jZSB0 aGUgYW5zd2VyIGlzIGFscmVhZHkga25vd24uJm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2 Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjIpIFRoZSB0cnVzdCBzY2hlbWVzIG9wZXJh dGUgc29tZSBzb3J0IG9mIHJlZ2lzdHJ5IHRoYXQgdGhlIFZvVCBsaW5rcyB0b28gLSBidXQgdGhl biB0aGVyZSBhbHNvIG5lZWRzIHRvIGJlIHNvbWV0aGluZyB0aGF0IG1ha2VzIGl0IGltcG9zc2li bGUgZm9yIG1lIHRvIGltcGVyc29uYXRlIGEgbWVtYmVyIG9mIHRoYXQgc2NoZW1lIGluIHRoZSBW b1QsIHRoaXMgaXMgc2xpZ2h0bHkgbW9yZSBjaGFsbGVuZ2luZy48bzpwPjwvbzpwPjwvcD4NCjwv ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0K PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+RG9lcyB0aGF0IG1ha2Ugc2Vuc2U/ PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpw PiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPkp1 bGlhbjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij5PbiAxMyBNYXkgMjAxNiBhdCAxMjoyNiwgSm9zaCBIb3dsZXR0ICZsdDs8YSBocmVmPSJtYWls dG86Sm9zaC5Ib3dsZXR0QGppc2MuYWMudWsiIHRhcmdldD0iX2JsYW5rIj5Kb3NoLkhvd2xldHRA amlzYy5hYy51azwvYT4mZ3Q7IHdyb3RlOjxvOnA+PC9vOnA+PC9wPg0KPGJsb2NrcXVvdGUgc3R5 
bGU9ImJvcmRlcjpub25lO2JvcmRlci1sZWZ0OnNvbGlkICNDQ0NDQ0MgMS4wcHQ7cGFkZGluZzow Y20gMGNtIDBjbSA2LjBwdDttYXJnaW4tbGVmdDo0LjhwdDttYXJnaW4tdG9wOjUuMHB0O21hcmdp bi1yaWdodDowY207bWFyZ2luLWJvdHRvbTo1LjBwdCI+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJv dHRvbS1hbHQ6YXV0byI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPkhvdyBkb2VzIHRo ZSBJZFAgdmVyaWZ5IHRoZSBSUOKAmXMgYXV0aG9yaXR5IHRvIGNsYWltIGNvbXBsaWFuY2U/PC9z cGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJn aW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48YSBuYW1lPSJtXzUx NDg2MDY0MzMzNzI3NDM4MV9fTWFpbEVuZENvbXBvc2UiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjoj MUY0OTdEIj4mbmJzcDs8L3NwYW4+PC9hPjxvOnA+PC9vOnA+PC9wPg0KPGRpdiBzdHlsZT0iYm9y ZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgYmx1ZSAxLjVwdDtwYWRkaW5nOjBjbSAwY20gMGNt IDQuMHB0Ij4NCjxkaXY+DQo8ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItdG9wOnNvbGlk ICNFMUUxRTEgMS4wcHQ7cGFkZGluZzozLjBwdCAwY20gMGNtIDBjbSI+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20t YWx0OmF1dG8iPjxiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtm b250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPkZyb206PC9zcGFuPjwv Yj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj4gdm90DQogW21haWx0bzo8L3NwYW4+PGEg aHJlZj0ibWFpbHRvOnZvdC1ib3VuY2VzQGlldGYub3JnIiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4g bGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0Nh bGlicmkmcXVvdDssc2Fucy1zZXJpZiI+dm90LWJvdW5jZXNAaWV0Zi5vcmc8L3NwYW4+PC9hPjxz cGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVv dDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPl0NCjxiPk9uIEJlaGFsZiBPZiA8L2I+SnVsaWFu 
IFdoaXRlPGJyPg0KPGI+U2VudDo8L2I+IDEzIE1heSAyMDE2IDEyOjEyPGJyPg0KPGI+VG86PC9i PiBDaHJpcyAmbHQ7PC9zcGFuPjxhIGhyZWY9Im1haWx0bzpjbmRAZ2Vlay5uZXQuYXUiIHRhcmdl dD0iX2JsYW5rIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5jbmRAZ2Vlay5uZXQuYXU8 L3NwYW4+PC9hPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250 LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPiZndDs8YnI+DQo8Yj5DYzo8 L2I+IDwvc3Bhbj48YSBocmVmPSJtYWlsdG86dm90QGlldGYub3JnIiB0YXJnZXQ9Il9ibGFuayI+ PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+dm90QGlldGYub3JnPC9zcGFuPjwvYT48c3Bh biBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj47IEp1c3RpbiBSaWNoZXINCiAmbHQ7PC9zcGFuPjxh IGhyZWY9Im1haWx0bzpqcmljaGVyQG1pdC5lZHUiIHRhcmdldD0iX2JsYW5rIj48c3BhbiBsYW5n PSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJy aSZxdW90OyxzYW5zLXNlcmlmIj5qcmljaGVyQG1pdC5lZHU8L3NwYW4+PC9hPjxzcGFuIGxhbmc9 IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJp JnF1b3Q7LHNhbnMtc2VyaWYiPiZndDs8YnI+DQo8Yj5TdWJqZWN0OjwvYj4gUmU6IFtWb1RdIFNl Y3VyaXR5IFByb2JsZW0gd2l0aCBQcmltYXJ5IENyZWRlbnRpYWwgVXNhZ2U8L3NwYW4+PG86cD48 L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1z by1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj4mbmJzcDs8 bzpwPjwvbzpwPjwvcD4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1h cmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPkNocmlzLDxvOnA+ PC9vOnA+PC9wPg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5 bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj4m bmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi IHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0 
byI+WWVzIEkgc2VlIHlvdXIgcG9pbnQsIHNvIHRoZSBSUCBzaG91bGQgYXNzZXJ0IHdpdGggd2hp Y2ggdHJ1c3RtYXJrcyBpdCBjb21wbGllcyB0b28/PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxk aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87 bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDph dXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj5SZWdhcmRzLDxvOnA+PC9vOnA+PC9wPg0K PC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdp bi1ib3R0b20tYWx0OmF1dG8iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJv dHRvbS1hbHQ6YXV0byI+T24gMTMgTWF5IDIwMTYgYXQgMTA6NDgsIENocmlzICZsdDs8YSBocmVm PSJtYWlsdG86Y25kQGdlZWsubmV0LmF1IiB0YXJnZXQ9Il9ibGFuayI+Y25kQGdlZWsubmV0LmF1 PC9hPiZndDsgd3JvdGU6PG86cD48L286cD48L3A+DQo8YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVy Om5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0NDQyAxLjBwdDtwYWRkaW5nOjBjbSAwY20gMGNt IDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0O21hcmdpbi10b3A6NS4wcHQ7bWFyZ2luLXJpZ2h0OjBj bTttYXJnaW4tYm90dG9tOjUuMHB0Ij4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHls ZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxz cGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPkhp IEp1bGlhbiw8YnI+DQo8YnI+DQpJdCBpcyBsaWtlIEkgc2FpZCBhdCB0aGUgc3RhcnQuJm5ic3A7 IFRoZSBlbnRpcmV0eSBvZiB0aGUgdHJ1c3RtYXJrIGlkZWEgZXZhbHVhdGVzIHRvIG9uZSBzaW5n bGUgc3RyZW5ndGggLSBldmVyeXRoaW5nIGlzIGVxdWFsbHkgdW50cnVzdHdvcnRoeSwgYmVjYXVz ZSBpdCdzIGFsbCBvbmx5IHVuaWRpcmVjdGlvbmFsLjxicj4NCjxicj4NCllvdSBjYW4ndCBzb2x2 ZSB0cnVzdCB3aXRob3V0IGZpeGluZyBCT1RIIGVuZHMuJm5ic3A7IEl0IGlzIGEgPGI+dHdvLXdh eSA8L2I+c3RyZWV0LiZuYnNwOyBGb3IgYXMgbG9uZyBhcyBhIHVzZXIgYW5kIHByb3h5IGFyZSBp bmRpc3Rpbmd1aXNoYWJsZSwgQzAgPT0gQ2EgPT0gQ2IgPT0gQ2QgPT0gQ2UgPT0gQ2YuPGJyPg0K 
PGJyPg0KSSBrbm93IGl0IHNvdW5kcyBsaWtlIGEgbGl0dGxlIHByb2JsZW0sIGJ1dCBzbyB3YXMg dGhlIGRlYnJpcyBvbiB0aGF0IGxhc3QgQ29uY29yZGUncyBydW53YXkuJm5ic3A7IFRoaXMgaXMg dGhlIHNob3cgc3RvcHBlci48c3BhbiBzdHlsZT0iY29sb3I6Izg4ODg4OCI+PGJyPg0KPGJyPg0K Q2hyaXMuPC9zcGFuPjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21hcmdpbi1ib3R0 b206MTIuMHB0Ij48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90Oyxz YW5zLXNlcmlmIj48YnI+DQo8YnI+DQo8YnI+DQpGcmlkYXksIE1heSAxMywgMjAxNiwgNTo1Mjo1 NSBQTSwgeW91IHdyb3RlOjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8 ZGl2Pg0KPGRpdj4NCjx0YWJsZSBjbGFzcz0iTXNvTm9ybWFsVGFibGUiIGJvcmRlcj0iMCIgY2Vs bHNwYWNpbmc9IjMiIGNlbGxwYWRkaW5nPSIwIj4NCjx0Ym9keT4NCjx0cj4NCjx0ZCB3aWR0aD0i MiIgc3R5bGU9IndpZHRoOjEuMHB0O2JhY2tncm91bmQ6Ymx1ZTtwYWRkaW5nOi43NXB0IC43NXB0 IC43NXB0IC43NXB0Ij4NCjwvdGQ+DQo8dGQgc3R5bGU9InBhZGRpbmc6Ljc1cHQgLjc1cHQgLjc1 cHQgLjc1cHQiPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFs dDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBzdHlsZT0iZm9udC1mYW1p bHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO21zby1mYXJlYXN0LWxhbmd1YWdlOkVO LVVTIj5KdXN0aW4sPGJyPg0KPGJyPg0KRm9yIG15IG93biBjbGFyaXR5LCBjYW4gdGhlIFJQIHBh c3MgYSByZXF1ZXN0IGZvciBhIHNwZWNpZmljIHRydXN0bWFyaywgb3IgbGlzdCBvZiB0cnVzdG1h cmtzIHRoYXQgaXQgd2lsbCBhY2NlcHQ/IFRoZSB0ZXh0IHNlZW1zIHRvIGltcGx5IHRoYXQgdGhl eSB3aWxsIGdldCB3aGF0ZXZlciB0cnVzdG1hcmsgdGhlIElkUCBzZW5kcyBhbmQgaGF2ZSB0byBt YWtlIGEgZGVjaXNpb24gYmFzZWQgb24gdGhhdCBlYWNoIHRpbWUuIEluIHJlYWxpdHksIHNpbmNl DQogdGhlIGV2YWx1YXRpb24gb2YgdGhlIHRydXN0bWFyayBpcyBhIGN1bWJlcnNvbWUgbWFudWFs IHByb2Nlc3MgSSBzdXNwZWN0IFJQJ3Mgd2lsbCB3aGl0ZWxpc3QgdHJ1c3RtYXJrcyB0aGF0IHRo ZXkgd2lsbCBhY2NlcHQgc28gdGhlbiBpdCBzZWVtcyBpbmVmZmljaWVudCBmb3IgYW5kIElkUCB0 byByZXR1cm4gYSByZXNwb25zZSB1bmRlciBhIHRydXN0bWFyayB0aGUgUlAgd29uJ3QgYWNjZXB0 Ljxicj4NCjxicj4NClRoYW5rcyw8YnI+DQo8YnI+DQpKdWxpYW4uPGJyPg0KPGJyPg0KT24gMTIg 
TWF5IDIwMTYgYXQgMTk6NDksIEp1bGlhbiBXaGl0ZSAmbHQ7PC9zcGFuPjxzcGFuIHN0eWxlPSJt c28tZmFyZWFzdC1sYW5ndWFnZTpFTi1VUyI+PGEgaHJlZj0ibWFpbHRvOmp3aGl0ZUBudS1kLmNv bSIgdGFyZ2V0PSJfYmxhbmsiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJp JnF1b3Q7LHNhbnMtc2VyaWYiPmp3aGl0ZUBudS1kLmNvbTwvc3Bhbj48L2E+PC9zcGFuPjxzcGFu IHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7bXNvLWZh cmVhc3QtbGFuZ3VhZ2U6RU4tVVMiPiZndDsNCiB3cm90ZTo8YnI+DQpUaGF0IG1ha2VzIHNlbnNl LCB0aG8gdGhhdCBkaWRuJ3QgY29tZSBhY3Jvc3MgaW4gdGhlIGRlc2NyaXB0aW9uIG9mIHRoZSB0 cnVzdG1hcmsuPGJyPg0KPHNwYW4gc3R5bGU9ImNvbG9yOiM4ODg4ODgiPkp1bGlhbjxicj4NCjwv c3Bhbj48c3BhbiBzdHlsZT0iY29sb3I6YmxhY2siPk9uIDEyIE1heSAyMDE2IDE5OjQ1LCAmcXVv dDtKdXN0aW4gUmljaGVyJnF1b3Q7ICZsdDs8L3NwYW4+PC9zcGFuPjxzcGFuIHN0eWxlPSJtc28t ZmFyZWFzdC1sYW5ndWFnZTpFTi1VUyI+PGEgaHJlZj0ibWFpbHRvOmpyaWNoZXJAbWl0LmVkdSIg dGFyZ2V0PSJfYmxhbmsiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1 b3Q7LHNhbnMtc2VyaWYiPmpyaWNoZXJAbWl0LmVkdTwvc3Bhbj48L2E+PC9zcGFuPjxzcGFuIHN0 eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7bXNvLWZhcmVh c3QtbGFuZ3VhZ2U6RU4tVVMiPiZndDsNCiB3cm90ZTo8YnI+DQpXZSBleHBsaWNpdGx5IGxlZnQg dGhvc2Uga2luZHMgb2YgdGhpbmdzIG91dCBvZiB0aGUgdmVjdG9yIGFzIHRoZXnigJlkIHJlYWxs eSBiZSByZWxhdGVkIHRvIHRoZSBJZFAgaXRzZWxmIGFuZCBub3QgdGhlIGF1dGhlbnRpY2F0aW9u IHRyYW5zYWN0aW9uIHRvIHdoaWNoIHRoZSBWb1QgcmVmZXJzLiBJbiBvdGhlciB3b3JkcywgdGhl IHNlY3VyaXR5IG9mIHRoZSBJZFAgaXMgcmVsYXRlZCB0byB0aGUgdHJ1c3QgZnJhbWV3b3JrIGFu ZCBhc3Nlc3NtZW50DQogb2YgdGhlIElkUCBhbmQgaXQgY2FuIGJlIHB1Ymxpc2hlZCBhcyBwYXJ0 IG9mIHRoZSBJZFDigJlzIGRpc2NvdmVyeSBkb2N1bWVudHMgYW5kIGFzc29jaWF0ZWQgdHJ1c3Qg bWFya3MuIFRoaXMgaXMgaW5mb3JtYXRpb24gdGhhdCBpcyBnb2luZyB0byByZW1haW4gdGhlIHNh bWUgcmVnYXJkbGVzcyBvZiB0aGUgdHJhbnNhY3Rpb24uDQo8YnI+DQo8YnI+DQpUaGlzIGlzIGFs c28gcGFydCBvZiB3aHkgeW91IG5lZWQgdG8gaGF2ZSBhIHRydXN0bWFyayBjb250ZXh0IHRvIGlu dGVycHJldCB0aGUgVm9UIGluLjxicj4NCjxicj4NCuKAlCBKdXN0aW48YnI+DQo8YnI+DQpPbiBN 
YXkgMTIsIDIwMTYsIGF0IDExOjExIEFNLCBKdWxpYW4gV2hpdGUgJmx0Ozwvc3Bhbj48c3BhbiBz dHlsZT0ibXNvLWZhcmVhc3QtbGFuZ3VhZ2U6RU4tVVMiPjxhIGhyZWY9Im1haWx0bzpqd2hpdGVA bnUtZC5jb20iIHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7 Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5qd2hpdGVAbnUtZC5jb208L3NwYW4+PC9hPjwvc3Bh bj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlm O21zby1mYXJlYXN0LWxhbmd1YWdlOkVOLVVTIj4mZ3Q7DQogd3JvdGU6PGJyPg0KPGJyPg0KSGks PGJyPg0KPGJyPg0KSSBoYXZlIGEgbnVtYmVyIG9mIGNvbW1lbnRzIGFuZCBxdWVzdGlvbnMgKHNl ZSBhdHRhY2hlZCksIG1hbnkgb2Ygd2hpY2ggYXJlIHJlbGF0ZWQgdG8gdGhlIGlzc3VlcyByYWlz ZWQgYnkgQ2hyaXMsIHNvbWUgbWF5YmUgbXkgbWlzdW5kZXJzdGFuZGluZyBjb21pbmcgaW4gaGFs ZiB3YXkgdGhyb3VnaCB0aGUgZHJhZnRpbmcgdGhvLjxicj4NCjxicj4NCkksIGxpa2UgQ2hyaXMs IGFsc28gdGhpbmsgdGhlcmUgbmVlZHMgdG8gYmUgc29tZXRoaW5nIG1vcmUgZXhwbGljaXQgYXJv dW5kIHRoZSAmcXVvdDtzZWN1cml0eSZxdW90OyBvZiB0aGUgSWRQIGF1dGhlbnRpY2F0aW9uIHdo aWNoIGluY2x1ZGVzIHRoZSBtZWFzdXJlcyB0byB0cnkgYW5kIGRldGVjdCAnb2RkJyB0aGluZ3Mg KGxpa2UgTUlUTSkuIEkgd291bGQgYWxzbyBnbyBvbmUgc3RlcCBmdXJ0aGVyIGluIHRoYXQgSSBh bHNvIHdhbnQgdG8ga25vdyBhYm91dCB0aGUNCiBtYXR1cml0eSBvZiB0aGUgSWRQJ3MgJnF1b3Q7 c2VjdXJpdHkmcXVvdDssIGl0cyBvZiBubyB1c2UgdG8gbWUgaWYgdGhleSBoYXZlIHJlYWxseSBn b29kIGNyZWRlbnRpYWxzIGJ1dCBzdG9yZSBhbGwgdGhlIGRhdGEgaW4gdGhlIGNsZWFyIG9uIHRo ZWlyIHdlYnNpdGUgb3IgaGF2ZSBhIGxvYWQgb2YgYWRtaW5pc3RyYXRpdmUgYmFjay1kb29ycyB0 aGF0IGNvdWxkIGxldCBhbnlvbmUgZ2VuZXJhdGUgYSB2YWxpZCBhdXRoZW50aWNhdGlvbiByZXNw b25zZS48YnI+DQo8YnI+DQpJdCBmZWVscyBsaWtlIHdlIG5lZWQgdG8gZG8gbW9yZSB3b3JrIGlu IHRoaXMgYXJlYS48YnI+DQo8YnI+DQpSZWdhcmRzLDxicj4NCjxicj4NCkp1bGlhbi48YnI+DQo8 YnI+DQpPbiA4IE1heSAyMDE2IGF0IDEzOjI0LCBDaHJpcyAmbHQ7PC9zcGFuPjxzcGFuIHN0eWxl PSJtc28tZmFyZWFzdC1sYW5ndWFnZTpFTi1VUyI+PGEgaHJlZj0ibWFpbHRvOmNuZEBnZWVrLm5l dC5hdSIgdGFyZ2V0PSJfYmxhbmsiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxp YnJpJnF1b3Q7LHNhbnMtc2VyaWYiPmNuZEBnZWVrLm5ldC5hdTwvc3Bhbj48L2E+PC9zcGFuPjxz 
cGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7bXNv LWZhcmVhc3QtbGFuZ3VhZ2U6RU4tVVMiPiZndDsNCiB3cm90ZTo8YnI+DQpIaSBBbGwsPGJyPg0K PGJyPg0KSSB0aGluayB0aGVyZSBpcyBhIGNyaXRpY2FsIGZsYXcgaW4gc2VjdGlvbiAzLjIgb2Yg PC9zcGFuPjxzcGFuIHN0eWxlPSJtc28tZmFyZWFzdC1sYW5ndWFnZTpFTi1VUyI+PGEgaHJlZj0i aHR0cHM6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LXJpY2hlci12ZWN0b3JzLW9mLXRydXN0 LTAyIiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NhbGli cmkmcXVvdDssc2Fucy1zZXJpZiI+aHR0cHM6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LXJp Y2hlci12ZWN0b3JzLW9mLXRydXN0LTAyPC9zcGFuPjwvYT48L3NwYW4+PHNwYW4gc3R5bGU9ImZv bnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZjttc28tZmFyZWFzdC1sYW5n dWFnZTpFTi1VUyI+DQogKFByaW1hcnkgQ3JlZGVudGlhbCBVc2FnZSk8YnI+DQo8YnI+DQpNdXR1 YWwtYXV0aGVudGljYXRpb24gaXMgbWlzc2luZy4mbmJzcDsgV2hlbiBubyBwcm92aXNpb24gaXMg bWFkZSB0byBwcmV2ZW50IG1hbi1pbi10aGUtbWlkZGxlLCBjcmVkZW50aWFsIGhhcnZlc3Rpbmcs IHNwb29mLCBwaGlzaGluZywgbWFsd2FyZSwgb3Igb3RoZXIgY29tbW9uIHRocmVhdHMsIHRoaXMg cmVuZGVycyBhbGwgcG9zc2libGUgdmVjdG9ycyBDMCwgQ2EsIENiLCBDZCwgQ2UsIENmLCBhbmQg b3RoZXJzDQo8Yj5lcXVhbGx5PC9iPiB1bnRydXN0d29ydGh5Ljxicj4NCjxicj4NCldlIHNob3Vs ZCBjb25zaWRlciBpbmNsdXNpb24gZWl0aGVyIGZvciB0aGUgb3ZlcmFsbCBzdHJlbmd0aCBvZiB0 aGUgYXV0aGVudGljYXRpb24gcHJvY2Vzcywgb3Igc29tZSBicmVha2Rvd24gb2YgZWl0aGVyIGFs bCB0aGUgdGVjaG5pcXVlcyB1c2VkIG9yIHRoZSBzdHJlbmd0aCBvZiBwcm90ZWN0aW9uIGVtcGxv eWVkIHRvIHRod2FydCBhdCBsZWFzdCBjb21tb24gYXR0YWNrIHNjZW5hcmlvcy48YnI+DQo8YnI+ DQpUaGlzIHByb2JsZW0gZ2V0cyB0cmlja3kgcXVpdGUgZmFzdDo8YnI+DQo8YnI+DQpEbyB3ZSBp ZGVudGlmeSB0aGUgYXV0aGVudGljYXRpb24gdGVjaG5vbG9neSB2ZW5kb3I/IChpZiB5ZXMgLSB3 aG8gd29ya3Mgb3V0IHRoZWlyIHJlc2lzdGFuY2Ugc3RyZW5ndGggdG8gY29tbW9uIGF0dGFja3M/ ICZuYnNwO3doYXQgYWJvdXQgZGlmZmVyZW50IG1vZGVzPyk8YnI+DQpEbyB3ZSBicm9hZGx5IGlk ZW50aWZ5IHRoZSB0ZWNobmlxdWVzICh3aG9zIG9waW5pb25zIGNvdW50IGFzIHRvIHdoZXRoZXIg b3Igbm90IHRoZSB0ZWNobmlxdWUgaXMgZWZmZWN0aXZlIGFuZCBhZ2FpbnN0IHdoYXQgdGhyZWF0 
cz8pPGJyPg0KRG8gd2UgaWRlbnRpZnkgb3IgY2xhc3NpZnkgdGhlIHRocmVhdHMgYW5kIGluZGlj YXRlIHdoaWNoIG9uZXMgd2VyZSBtaXRpZ2F0ZWQgKHdobyBzaG91bGQgYmUgdHJ1c3RlZCB0byBk ZWNpZGUgaWYgdGhlc2UgcmVhbGx5IHdlcmUgbWl0aWdhdGVkPyk8YnI+DQo8YnI+DQpGb3IgZXhh bXBsZSAtIHRhbXBlci1wcm9vZiBoYXJkd2FyZSBkaWdpdGFsIGNlcnRpZmljYXRlIGRldmljZXMg d2l0aCBiaW9tZXRyaWNzIHVubG9ja3MgYXJlIHRvdGFsbHkgdXNlbGVzcywgaWYgdGhlIHVzZXIg cGFpZCBubyBhdHRlbnRpb24gdG8gYSBicm9rZW4gU1NMIHdhcm5pbmcsIG9yIGhhcyBtYWx3YXJl LiZuYnNwOyBUaGV5J3JlIGFsc28gZXF1YWxseSB1c2VsZXNzIGluIG1vc3QgY29ycG9yYXRlIGVu dmlyb25tZW50cyB0aGF0IHVzZSBkZWVwLXBhY2tldA0KIGluc3BlY3Rpb24gZmlyZXdhbGxzIC0g YW5kICZxdW90O3VuZXhwZWN0ZWQgY2VydGlmaWNhdGVzJnF1b3Q7IChlZy4gZnJvbSBEUEkgb3Ig bWFsaWNpb3VzKSBjYXJyeSB0aGVpciBvd24gcHJpdmFjeSBwcm9ibGVtcyAoZWc6IHBhc3N3b3Jk cyBhcmUgbm90IGFzICZxdW90O3Byb3RlY3RlZCZxdW90OyBhcyB5b3UgdGhpbmspLiZuYnNwOyBN dWNoIG1vcmUgY29tbW9uIGF1dGhlbnRpY2F0aW9uICZxdW90O3Byb3RlY3Rpb24mcXVvdDsgb2Yg Y291cnNlLCBhcmUgdHdvLXN0ZXAgb3Igc21zIG9uZSB0aW1lIGNvZGVzDQogLSB3aGljaCBhcmUg ZXF1YWxseSB1c2VsZXNzIHdoZW4gYW4gZW5kIHVzZXIgY2FuIGJlIHRyaWNrZWQgaW50byByZXZl YWxpbmcgdGhlbSB0byBzcG9vZiBzaXRlcy48YnI+DQo8YnI+DQo5MSUgb2Ygc3VjY2Vzc2Z1bCBi cmVhay1pbnMgc3RhcnQgZnJvbSBwaGlzaGluZy4mbmJzcDsgUmlnaHQgbm93LCBldmVyeSB2ZWN0 b3IgaXMgcG9pbnRpbmcgb25lIHdheSAtIHdlIG5lZWQgYXQgbGVhc3Qgb25lICZxdW90O1ZlY3Rv ciBvZiBUcnVzdCZxdW90OyB0byBwb2ludA0KPGI+YmFjazwvYj4gdGhlIG90aGVyIHdheSEgJm5i c3A7PGJyPg0KPGJyPg0KSG93IGFib3V0IGEgNXRoIHZlY3RvciAtICZxdW90O1MmcXVvdDsgZm9y ICZxdW90O1NlY3VyaXR5JnF1b3Q7LCB3aGljaCBzb21laG93IGFsbG93cyBhbiBSUCBhIGxldmVs IG9mIGNvbmZpZGVuY2UgaW4gdGhlIHByb3RlY3Rpb24gYWZmb3JkZWQgdG8gdGhlIHVzZXIncyBh Y3R1YWwgYXV0aGVudGljYXRpb24gcHJvY2VzcywgaW4gdGVybXMgb2YgKG9yIGF0IGxlYXN0IGNv bnNpZGVyaW5nKSBhIHdpZGUgcmFuZ2Ugb2YgKGFuZCBhbGwgY29tbW9uKSBtb2Rlcm4gdGhyZWF0 cy48YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iY29sb3I6Izg4ODg4OCI+Q2hyaXMuPGJyPg0KPGJy Pg0KPC9zcGFuPjxzcGFuIHN0eWxlPSJjb2xvcjpibGFjayI+X19fX19fX19fX19fX19fX19fX19f 
X19fX19fX19fX19fX19fX19fX19fX19fX188YnI+DQp2b3QgbWFpbGluZyBsaXN0PGJyPg0KPC9z cGFuPjwvc3Bhbj48c3BhbiBzdHlsZT0ibXNvLWZhcmVhc3QtbGFuZ3VhZ2U6RU4tVVMiPjxhIGhy ZWY9Im1haWx0bzp2b3RAaWV0Zi5vcmciIHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0iZm9u dC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj52b3RAaWV0Zi5vcmc8L3Nw YW4+PC9hPjxicj4NCjxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGlu Zm8vdm90IiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0Nh bGlicmkmcXVvdDssc2Fucy1zZXJpZiI+aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0 aW5mby92b3Q8L3NwYW4+PC9hPjxicj4NCjxicj4NCjwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1m YW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO21zby1mYXJlYXN0LWxhbmd1YWdl OkVOLVVTIj4mbHQ7ZHJhZnQtcmljaGVyLXZlY3RvcnMtb2YtdHJ1c3QtMDIuZG9jeCZndDtfX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXzxicj4NCnZvdCBtYWls aW5nIGxpc3Q8YnI+DQo8L3NwYW4+PHNwYW4gc3R5bGU9Im1zby1mYXJlYXN0LWxhbmd1YWdlOkVO LVVTIj48YSBocmVmPSJtYWlsdG86dm90QGlldGYub3JnIiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4g c3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+dm90QGll dGYub3JnPC9zcGFuPjwvYT48YnI+DQo8YSBocmVmPSJodHRwczovL3d3dy5pZXRmLm9yZy9tYWls bWFuL2xpc3RpbmZvL3ZvdCIgdGFyZ2V0PSJfYmxhbmsiPjxzcGFuIHN0eWxlPSJmb250LWZhbWls eTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPmh0dHBzOi8vd3d3LmlldGYub3JnL21h aWxtYW4vbGlzdGluZm8vdm90PC9zcGFuPjwvYT48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L3Rk Pg0KPC90cj4NCjwvdGJvZHk+DQo8L3RhYmxlPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9 Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21hcmdpbi1ib3R0b206MTIuMHB0Ij48bzpwPiZuYnNw OzwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi IHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttYXJnaW4tYm90dG9tOjEyLjBwdCI+PGJy Pg0KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188YnI+DQp2 b3QgbWFpbGluZyBsaXN0PGJyPg0KPGEgaHJlZj0ibWFpbHRvOnZvdEBpZXRmLm9yZyIgdGFyZ2V0 PSJfYmxhbmsiPnZvdEBpZXRmLm9yZzwvYT48YnI+DQo8YSBocmVmPSJodHRwczovL3d3dy5pZXRm 
From nobody Fri May 13 08:14:41 2016
Date: Fri, 13 May 2016 08:14:33 -0700
From: Andrew Hughes
To: Josh Howlett
Cc: Chris, Julian White, Justin Richer, vot@ietf.org
Subject: Re: [VoT] Security Problem with Primary Credential Usage
References: <1523279479.20160508222427@CryptoPhoto.com> <753DBE1F-3891-4BB6-811B-5B8682A81A28@mit.edu> <329351357.20160513194821@CryptoPhoto.com>

Josh: the discussion about compatible policy frameworks does already take place, typically under the names: trust framework, federation agreements, inter-federation. You see elements of this in national schemes in NZ, US, UK, EU, CA and others - perhaps less so right now on the 'open internet', but there's work happening in a number of pockets on this (R&E is quite advanced).

The semantic compatibility is coming soon-ish. There's a convergence underway on standardization of descriptions for roles, responsibilities, business functions and business processes for identification, authentication, authorization and access control systems ("Identity Systems"). I'm contributing to diacc.ca and kantarainitiative.org along these lines, and starting to learn what ISO/IEC JTC 1 SC 27 WG 5 (Identity and Privacy) is developing.

andrew.
*Andrew Hughes* CISM CISSP
Independent Consultant
*In Turn Information Management Consulting*
o +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
*Identity Management | IT Governance | Information Security*

On Fri, May 13, 2016 at 7:57 AM, Josh Howlett wrote:

> Julian,
>
> Yes, but note that (2) is actually an instance of (1), but where the number of parties happens to be greater than two. The choice of whether to use an internal or external registry is just an operational question. However, I don't think this makes VoT superfluous: it still has value as a way of signalling alternate semantics defined within the trustmark agreement.
>
> This does, however, suggest to me that VoT has limited utility when working across arbitrary trustmark agreements. And so to be candid, and without wishing to sound dispiriting, I suspect that working on the technical signalling without understanding how these agreements can be bound together is possibly premature; at least if you want something of general utility. More attention is needed on composable policy frameworks having compatible semantics, linked to an underlying legal architecture that works transitively across those agreements. Being the IETF, I understand that this probably isn't the venue for that discussion :-)
>
> Josh.
>
> *From:* Julian White [mailto:jwhite@nu-d.com]
> *Sent:* 13 May 2016 13:43
> *To:* Josh Howlett
> *Cc:* Chris; vot@ietf.org; Justin Richer <jricher@mit.edu>
> *Subject:* Re: [VoT] Security Problem with Primary Credential Usage
>
> Josh,
>
> That is a good question, and equally applicable to how would an RP verify the claim of an IdP?
>
> I think there are only a few usable options;
>
> 1) There is a direct relationship between the parties that assures the trustworthiness between themselves outside of the assertion and will only accept requests/responses from each other (via some means not defined here) - this kind of makes the VoT value superfluous since the answer is already known.
>
> 2) The trust schemes operate some sort of registry that the VoT links to - but then there also needs to be something that makes it impossible for me to impersonate a member of that scheme in the VoT, this is slightly more challenging.
>
> Does that make sense?
>
> Julian
>
> On 13 May 2016 at 12:26, Josh Howlett wrote:
>
> How does the IdP verify the RP's authority to claim compliance?
>
> *From:* vot [mailto:vot-bounces@ietf.org] *On Behalf Of* Julian White
> *Sent:* 13 May 2016 12:12
> *To:* Chris
> *Cc:* vot@ietf.org; Justin Richer
> *Subject:* Re: [VoT] Security Problem with Primary Credential Usage
>
> Chris,
>
> Yes, I see your point, so the RP should assert with which trustmarks it complies too?
>
> Regards,
>
> On 13 May 2016 at 10:48, Chris wrote:
>
> Hi Julian,
>
> It is like I said at the start. The entirety of the trustmark idea evaluates to one single strength - everything is equally untrustworthy, because it's all only unidirectional.
>
> You can't solve trust without fixing BOTH ends. It is a *two-way* street. For as long as a user and proxy are indistinguishable, C0 == Ca == Cb == Cd == Ce == Cf.
>
> I know it sounds like a little problem, but so was the debris on that last Concorde's runway. This is the show stopper.
>
> Chris.
>
> Friday, May 13, 2016, 5:52:55 PM, you wrote:
>
> Justin,
>
> For my own clarity, can the RP pass a request for a specific trustmark, or list of trustmarks that it will accept? The text seems to imply that they will get whatever trustmark the IdP sends and have to make a decision based on that each time. In reality, since the evaluation of the trustmark is a cumbersome manual process I suspect RPs will whitelist trustmarks that they will accept so then it seems inefficient for an IdP to return a response under a trustmark the RP won't accept.
>
> Thanks,
>
> Julian.
>
> On 12 May 2016 at 19:49, Julian White wrote:
>
> That makes sense, tho that didn't come across in the description of the trustmark.
>
> Julian
>
> On 12 May 2016 19:45, "Justin Richer" wrote:
>
> We explicitly left those kinds of things out of the vector as they'd really be related to the IdP itself and not the authentication transaction to which the VoT refers. In other words, the security of the IdP is related to the trust framework and assessment of the IdP and it can be published as part of the IdP's discovery documents and associated trust marks. This is information that is going to remain the same regardless of the transaction.
>
> This is also part of why you need to have a trustmark context to interpret the VoT in.
>
> -- Justin
>
> On May 12, 2016, at 11:11 AM, Julian White wrote:
>
> Hi,
>
> I have a number of comments and questions (see attached), many of which are related to the issues raised by Chris, some maybe my misunderstanding coming in half way through the drafting tho.
>
> I, like Chris, also think there needs to be something more explicit around the "security" of the IdP authentication which includes the measures to try and detect 'odd' things (like MITM). I would also go one step further in that I also want to know about the maturity of the IdP's "security", it's of no use to me if they have really good credentials but store all the data in the clear on their website or have a load of administrative back-doors that could let anyone generate a valid authentication response.
>
> It feels like we need to do more work in this area.
>
> Regards,
>
> Julian.
>
> On 8 May 2016 at 13:24, Chris wrote:
>
> Hi All,
>
> I think there is a critical flaw in section 3.2 of https://tools.ietf.org/html/draft-richer-vectors-of-trust-02 (Primary Credential Usage)
>
> Mutual-authentication is missing. When no provision is made to prevent man-in-the-middle, credential harvesting, spoof, phishing, malware, or other common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce, Cf, and others *equally* untrustworthy.
>
> We should consider inclusion either for the overall strength of the authentication process, or some breakdown of either all the techniques used or the strength of protection employed to thwart at least common attack scenarios.
>
> This problem gets tricky quite fast:
>
> Do we identify the authentication technology vendor? (if yes - who works out their resistance strength to common attacks? what about different modes?)
> Do we broadly identify the techniques (whose opinions count as to whether or not the technique is effective and against what threats?)
> Do we identify or classify the threats and indicate which ones were mitigated (who should be trusted to decide if these really were mitigated?)
>
> For example - tamper-proof hardware digital certificate devices with biometrics unlocks are totally useless, if the user paid no attention to a broken SSL warning, or has malware. They're also equally useless in most corporate environments that use deep-packet inspection firewalls - and "unexpected certificates" (eg. from DPI or malicious) carry their own privacy problems (eg: passwords are not as "protected" as you think). Much more common authentication "protection" of course, are two-step or sms one time codes - which are equally useless when an end user can be tricked into revealing them to spoof sites.
>
> 91% of successful break-ins start from phishing. Right now, every vector is pointing one way - we need at least one "Vector of Trust" to point *back* the other way!
>
> How about a 5th vector - "S" for "Security", which somehow allows an RP a level of confidence in the protection afforded to the user's actual authentication process, in terms of (or at least considering) a wide range of (and all common) modern threats.
>
> Chris.
>
> _______________________________________________
> vot mailing list
> vot@ietf.org
> https://www.ietf.org/mailman/listinfo/vot
>
> Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>
> Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
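An added example (my own code, not the draft's and not from anyone in the thread) of the RP-side whitelist check Julian describes: it parses a VoT value such as `P1.Ce.Ab`, rejects any assertion whose trustmark (the `vtm` claim; that claim name is an assumption) the RP has not reviewed, and only then checks each component against the values the RP accepts. The trustmark URLs and the policy are constructed; the C values are the ones quoted in the thread.

```python
"""RP-side check of a Vectors of Trust (VoT) assertion.

Constructed example, not code from the VoT draft or from anyone on the
list. A VoT value is a period-separated list of component/value pairs,
e.g. "P1.Ce.Ab" (P identity proofing, C primary credential usage,
A assertion presentation; M credential management is the fourth).
The relying party (RP) accepts an assertion only if its trustmark is one
the RP has reviewed and whitelisted (the vector's letters mean nothing
outside that context), and then only if each component carries a value
the RP's policy accepts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One pair: a single upper-case component letter + one alphanumeric value.
_PAIR_RE = re.compile(r"^[A-Z][A-Za-z0-9]$")


class VoTError(ValueError):
    """Raised when a vector string is malformed."""


def parse_vector(vot: str) -> dict[str, list[str]]:
    """Split "P1.Cc.Cd.Ab" into {"P": ["1"], "C": ["c", "d"], "A": ["b"]}.

    A component may be given more than once (two credential types used
    together), so each letter maps to the list of values given for it.
    """
    if not vot:
        raise VoTError("empty vector")
    components: dict[str, list[str]] = {}
    for pair in vot.split("."):
        if not _PAIR_RE.match(pair):
            raise VoTError(f"malformed component {pair!r}")
        components.setdefault(pair[0], []).append(pair[1])
    return components


@dataclass
class RPPolicy:
    """What this RP is willing to accept."""

    # Trustmark URLs (the assertion's "vtm" claim; the claim name is an
    # assumption here) whose definitions the RP has reviewed out of band.
    trusted_trustmarks: frozenset[str]
    # Component letter -> values the RP accepts for that component.
    acceptable: dict[str, frozenset[str]]


def evaluate(vot: str, vtm: str, policy: RPPolicy) -> tuple[bool, list[str]]:
    """Return (accepted, reasons); reasons is empty when accepted.

    What this check cannot express: no P/C/M/A value says whether the
    IdP's login was protected against phishing or a man-in-the-middle,
    so an RP needing that assurance must take it from the trustmark's
    assessment of the IdP, not from the per-transaction vector.
    """
    if vtm not in policy.trusted_trustmarks:
        # Without a reviewed trustmark the vector cannot be interpreted,
        # so the components are not even looked at.
        return False, [f"trustmark {vtm!r} is not whitelisted by this RP"]
    try:
        components = parse_vector(vot)
    except VoTError as exc:
        return False, [f"malformed vector: {exc}"]
    reasons: list[str] = []
    for comp, wanted in policy.acceptable.items():
        given = components.get(comp, [])
        if not any(v in wanted for v in given):
            reasons.append(
                f"component {comp}: got {given or 'nothing'}, "
                f"need one of {sorted(wanted)}"
            )
    return not reasons, reasons


# Constructed policy: one reviewed trustmark, and for primary credential
# usage (C) only Cd, Ce and Cf from the list Chris quotes (a constructed
# choice, not an ordering the draft defines).
GOOD_TM = "https://trustmark.example/policy-v1"
EXAMPLE_POLICY = RPPolicy(
    trusted_trustmarks=frozenset({GOOD_TM}),
    acceptable={
        "P": frozenset({"1", "2", "3"}),
        "C": frozenset({"d", "e", "f"}),
        "A": frozenset({"a", "b", "c"}),
    },
)


if __name__ == "__main__":
    # Constructed inputs: accepted, weak C value, unreviewed trustmark, malformed.
    for vot, vtm in [("P1.Ce.Ab", GOOD_TM), ("P1.Ca.Ab", GOOD_TM),
                     ("P1.Ce.Ab", "https://unknown.example/tm"),
                     ("P1..Ab", GOOD_TM)]:
        print(vot, vtm, evaluate(vot, vtm, EXAMPLE_POLICY))
```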
Josh: the discussion about compatible policy frameworks do= es already take place, typically under the names: trust framework, federati= on agreements, inter-federation. You see elements of this in national schem= es in NZ, US, UK, EU, CA and others - perhaps less so right now on the '= ;open internet' , but there's work happening in a number of pockets= on this=C2=A0(R&E is quite advanced).

The semantic = compatibility is coming soon-ish. There's a convergence underway on sta= ndardization of descriptions for roles, responsibilities, business function= s and business processes for identification, authentication, authorization = and access control systems ("Identity Systems"). I'm contribu= ting to diacc.ca and kantarainitiative.org along these lines, and startin= g to learn what ISO/IEC JTC 1 SC 27 WG 5 (Identity and Privacy) is developi= ng.

andrew.
=

Andrew Hughes=C2=A0CISM CISSP= =C2=A0
Independent Consultant
In Turn Information Ma= nagement Consulting

o =C2=A0+1 650.209.7542
m= +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8

AndrewHughe= s3000@gmail.com=C2=A0
ca.linkedin.com/pub/andrew-hughes/a/58/682/=
Identity Management | IT Governance | Inform= ation Security=C2=A0


On Fri, May 13, 2016 at 7:57 AM, Josh Howlett <Josh.Howlett@jisc.ac.uk> wrote:

Julian,

Yes, but note that (2) is actually an instance of (1), but where the number of parties happens to be greater than two. The choice of whether to use an internal or external registry is just an operational question. However, I don’t think this makes VoT superfluous: it still has value as a way of signalling alternate semantics defined within the trustmark agreement.

This does, however, suggest to me that VoT has limited utility when working across arbitrary trustmark agreements. And so to be candid, and without wishing to sound dispiriting, I suspect that working on the technical signalling without understanding how these agreements can be bound together is possibly premature; at least if you want something of general utility. More attention is needed on composable policy frameworks having compatible semantics, linked to an underlying legal architecture that works transitively across those agreements. Being the IETF, I understand that this probably isn’t the venue for that discussion ☺

Josh.

From: Julian White [mailto:jwhite@nu-d.com]
Sent: 13 May 2016 13:43
To: Josh Howlett <Josh.Howlett@jisc.ac.uk>
Cc: Chris <cnd@geek.net.au>; vot@ietf.org; Justin Richer <jricher@mit.edu>
Subject: Re: [VoT] Security Problem with Primary Credential Usage

Josh,

That is a good question, and equally applicable to how an RP would verify the claim of an IdP?

I think there are only a few usable options:

1) There is a direct relationship between the parties that assures the trustworthiness between themselves outside of the assertion and will only accept requests/responses from each other (via some means not defined here) - this kind of makes the VoT value superfluous since the answer is already known.

2) The trust schemes operate some sort of registry that the VoT links to - but then there also needs to be something that makes it impossible for me to impersonate a member of that scheme in the VoT, this is slightly more challenging.

Does that make sense?

Julian

On 13 May 2016 at 12:26, Josh Howlett <Josh.Howlett@jisc.ac.uk> wrote:

How does the IdP verify the RP’s authority to claim compliance?

From: vot [mailto:vot-bounces@ietf.org] On Behalf Of Julian White
Sent: 13 May 2016 12:12
To: Chris <cnd@geek.net.au>
Cc: vot@ietf.org; Justin Richer <jricher@mit.edu>
Subject: Re: [VoT] Security Problem with Primary Credential Usage

Chris,

Yes I see your point, so the RP should assert with which trustmarks it complies too?

Regards,

On 13 May 2016 at 10:48, Chris <cnd@geek.net.au> wrote:

Hi Julian,

It is like I said at the start. The entirety of the trustmark idea evaluates to one single strength - everything is equally untrustworthy, because it's all only unidirectional.

You can't solve trust without fixing BOTH ends. It is a two-way street. For as long as a user and proxy are indistinguishable, C0 == Ca == Cb == Cd == Ce == Cf.

I know it sounds like a little problem, but so was the debris on that last Concorde's runway. This is the show stopper.

Chris.

Friday, May 13, 2016, 5:52:55 PM, you wrote:

Justin,

For my own clarity, can the RP pass a request for a specific trustmark, or list of trustmarks that it will accept? The text seems to imply that they will get whatever trustmark the IdP sends and have to make a decision based on that each time. In reality, since the evaluation of the trustmark is a cumbersome manual process I suspect RPs will whitelist trustmarks that they will accept, so then it seems inefficient for an IdP to return a response under a trustmark the RP won't accept.

Thanks,

Julian.

On 12 May 2016 at 19:49, Julian White <
jwhite@nu-d.com> wrote:
That makes sense, tho that didn't come across in the description of the= trustmark.
Julian
On 12 May 2016 19:45, "Justin Riche= r" <
jric= her@mit.edu> wrote:
We explicitly left those kinds of things out of the vector as they=E2=80=99= d really be related to the IdP itself and not the authentication transactio= n to which the VoT refers. In other words, the security of the IdP is relat= ed to the trust framework and assessment of the IdP and it can be published as part of the IdP=E2=80=99s discovery = documents and associated trust marks. This is information that is going to = remain the same regardless of the transaction.

This is also part of why you need to have a trustmark context to interpret = the VoT in.

=E2=80=94 Justin

On May 12, 2016, at 11:11 AM, Julian White <
jwhite@nu-d.com> wrote:

Hi,

I have a number of comments and questions (see attached), many of which are= related to the issues raised by Chris, some maybe my misunderstanding comi= ng in half way through the drafting tho.

I, like Chris, also think there needs to be something more explicit around = the "security" of the IdP authentication which includes the measu= res to try and detect 'odd' things (like MITM). I would also go one= step further in that I also want to know about the maturity of the IdP's "security", its of no use to me if the= y have really good credentials but store all the data in the clear on their= website or have a load of administrative back-doors that could let anyone = generate a valid authentication response.

It feels like we need to do more work in this area.

Regards,

Julian.

On 8 May 2016 at 13:24, Chris <
cnd@geek.net.au> wrote:
Hi All,

I think there is a critical flaw in section 3.2 of https://tools.ietf.org/html/draft-richer-vectors-of-trust-02 (Primary Credential Usage)

Mutual-authentication is missing. When no provision is made to prevent man-in-the-middle, credential harvesting, spoof, phishing, malware, or other common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce, Cf, and others equally untrustworthy.

We should consider inclusion either for the overall strength of the authentication process, or some breakdown of either all the techniques used or the strength of protection employed to thwart at least common attack scenarios.

This problem gets tricky quite fast:

Do we identify the authentication technology vendor? (if yes - who works out their resistance strength to common attacks? what about different modes?)
Do we broadly identify the techniques (whose opinions count as to whether or not the technique is effective and against what threats?)
Do we identify or classify the threats and indicate which ones were mitigated (who should be trusted to decide if these really were mitigated?)

For example - tamper-proof hardware digital certificate devices with biometrics unlocks are totally useless, if the user paid no attention to a broken SSL warning, or has malware. They're also equally useless in most corporate environments that use deep-packet inspection firewalls - and "unexpected certificates" (eg. from DPI or malicious) carry their own privacy problems (eg: passwords are not as "protected" as you think). Much more common authentication "protection" of course, are two-step or sms one time codes - which are equally useless when an end user can be tricked into revealing them to spoof sites.

91% of successful break-ins start from phishing. Right now, every vector is pointing one way - we need at least one "Vector of Trust" to point back the other way!

How about a 5th vector - "S" for "Security", which somehow allows an RP a level of confidence in the protection afforded to the user's actual authentication process, in terms of (or at least considering) a wide range of (and all common) modern threats.

Chris.

<draft-richer-vectors-of-trust-02.docx>

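The RP-side check that Julian and Justin discuss in the thread above (an RP whitelisting the trustmarks it has assessed, and reading the vector only inside that trustmark context), written out as an added Python example for this page; it is not code from the VoT draft, from the IETF, or from anyone on the list. It assumes the dotted vector syntax of draft-richer-vectors-of-trust (for example P1.Ce.Ma: one letter for the component, one character for its value, components separated by dots and allowed to repeat), assumes the vector and the trustmark URL arrive in claims named vot and vtm inside an ID token whose signature the RP has already verified, and uses a constructed policy table with made-up trustmark URLs. What it makes concrete is the dependence on context: the same P1.Ca.Ma is accepted under one trustmark and rejected under another, and a Cf vector under a trustmark the RP has never assessed is rejected outright, because the RP has no basis to believe the letter.

```python
# Added example: relying-party evaluation of a Vectors of Trust assertion.
# Illustration written for this page, not code from the VoT draft or from
# any participant in the thread.
#
# Assumptions (not confirmed by the thread itself):
#   * dotted vector syntax as in draft-richer-vectors-of-trust, e.g. "P1.Ce.Ma":
#     one letter naming the component (P, C, M, A), one character for its value,
#     components separated by "." and allowed to repeat;
#   * the vector arrives in a claim named "vot" and the trustmark URL in a claim
#     named "vtm", taken from an ID token whose signature was verified already;
#   * the trustmark URLs and the policy table below are constructed and carry
#     no real-world meaning.
import re
from typing import Dict, Set, Tuple

COMPONENT = re.compile(r"^([PCMA])([0-9a-z])$")

# Constructed RP policy. Each trustmark the RP has actually assessed maps to the
# minimum identity-proofing level (P) and the set of primary-credential-usage
# values (C) the RP accepts under that trustmark. A vector presented under any
# other trustmark has no agreed meaning for this RP and is rejected as-is.
POLICY: Dict[str, dict] = {
    "https://trustmark.example/strong-auth-v1": {"min_p": "1", "accept_c": {"d", "e", "f"}},
    "https://trustmark.example/basic-v1": {"min_p": "0", "accept_c": {"a", "b", "d", "e", "f"}},
}


def parse_vot(vector: str) -> Dict[str, Set[str]]:
    """Parse "P1.Cb.Cd.Ma" into {"P": {"1"}, "C": {"b", "d"}, "M": {"a"}}.

    Raises ValueError for any part that is not <component letter><value>.
    """
    if not vector:
        raise ValueError("empty vector")
    parsed: Dict[str, Set[str]] = {}
    for part in vector.split("."):
        match = COMPONENT.match(part)
        if match is None:
            raise ValueError(f"malformed component {part!r}")
        parsed.setdefault(match.group(1), set()).add(match.group(2))
    return parsed


def evaluate(claims: dict) -> Tuple[bool, str]:
    """Decide whether already-verified claims satisfy the RP's policy.

    Returns (accepted, reason). The trustmark is checked first: without a
    trustmark context the RP has assessed, the C value is only a letter.
    """
    vtm = claims.get("vtm")
    rule = POLICY.get(vtm)
    if rule is None:
        return False, f"trustmark not accepted by this RP: {vtm!r}"
    try:
        vec = parse_vot(claims.get("vot", ""))
    except ValueError as exc:
        return False, f"unparseable vot: {exc}"
    proofing = vec.get("P", set())
    if not proofing or max(proofing) < rule["min_p"]:
        return False, "identity proofing (P) below policy for this trustmark"
    if not vec.get("C", set()) & rule["accept_c"]:
        return False, "primary credential usage (C) not acceptable under this trustmark"
    return True, "accepted"


# Constructed sample assertions, as the RP sees them after token verification.
SAMPLES = [
    {"vot": "P1.Ce.Ma", "vtm": "https://trustmark.example/strong-auth-v1"},  # accepted
    {"vot": "P1.Cf.Ma", "vtm": "https://trustmark.example/unknown-v1"},      # unknown trustmark
    {"vot": "P1.Ca.Ma", "vtm": "https://trustmark.example/strong-auth-v1"},  # C too weak here
    {"vot": "P1.Ca.Ma", "vtm": "https://trustmark.example/basic-v1"},        # same vector, accepted
    {"vot": "P1.C.Ma", "vtm": "https://trustmark.example/basic-v1"},         # malformed
]

if __name__ == "__main__":
    for claims in SAMPLES:
        accepted, reason = evaluate(claims)
        verdict = "ACCEPT" if accepted else "REJECT"
        print(f'{claims["vot"]:<10} {claims["vtm"]:<45} {verdict}: {reason}')
```

The order of the checks is the design point: the trustmark lookup comes before the vector is even parsed, so the vector never gets to speak for itself. Whether the RP can ask the IdP for particular trustmarks up front (Julian's question) is left open here, as it is in the thread.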
From nobody Fri May 13 09:13:49 2016
From: Josh Howlett
To: Andrew Hughes
Cc: Chris, Julian White, Justin Richer, vot@ietf.org
Date: Fri, 13 May 2016 16:13:25 +0000
Subject: Re: [VoT] Security Problem with Primary Credential Usage
References: <1523279479.20160508222427@CryptoPhoto.com> <753DBE1F-3891-4BB6-811B-5B8682A81A28@mit.edu> <329351357.20160513194821@CryptoPhoto.com>

Andrew,

I was responsible for the activity that developed eduGAIN, whose policy framework interconnects the R&E federations, and so I’m pretty familiar with the R&E space at least ☺. And so we do have these examples, as you rightly point out, where discussions do happen but these tend to happen within the (typically sector-specific) pockets of operators, such as R&E, and not between them. That’s the forum we need if we’re ever going to serve the “open internet”.

Josh.
Ij4NCjxvOnA+PC9vOnA+PC9wPg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8 cD48Yj5BbmRyZXcgSHVnaGVzJm5ic3A7PC9iPjxzcGFuIHN0eWxlPSJmb250LXNpemU6Ny41cHQi PkNJU00gQ0lTU1AmbmJzcDs8YnI+DQo8L3NwYW4+SW5kZXBlbmRlbnQgQ29uc3VsdGFudDxicj4N CjxiPkluIFR1cm4gSW5mb3JtYXRpb24gTWFuYWdlbWVudCBDb25zdWx0aW5nPC9iPjxvOnA+PC9v OnA+PC9wPg0KPHA+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7SGVsdmV0aWNhJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6IzIxMjEyMSI+byAmbmJzcDsmIzQz OzEgNjUwLjIwOS43NTQyPGJyPg0KPC9zcGFuPm0gJiM0MzsxIDI1MC44ODguOTQ3NDxicj4NCjxz cGFuIHN0eWxlPSJmb250LXNpemU6Ny41cHQiPjEyNDkgUGFsbWVyIFJvYWQsPGJyPg0KVmljdG9y aWEsIEJDIFY4UCAySDg8L3NwYW4+PGJyPg0KPGEgaHJlZj0ibWFpbHRvOkFuZHJld0h1Z2hlczMw MDBAZ21haWwuY29tIiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo3LjVw dCI+QW5kcmV3SHVnaGVzMzAwMEBnbWFpbC5jb208L3NwYW4+PC9hPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6Ny41cHQiPiZuYnNwOzwvc3Bhbj48YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1zaXplOjcu NXB0Ij48YSBocmVmPSJodHRwOi8vY2EubGlua2VkaW4uY29tL3B1Yi9hbmRyZXctaHVnaGVzL2Ev NTgvNjgyLyIgdGFyZ2V0PSJfYmxhbmsiPmNhLmxpbmtlZGluLmNvbS9wdWIvYW5kcmV3LWh1Z2hl cy9hLzU4LzY4Mi88L2E+PGJyPg0KPGI+SWRlbnRpdHkgTWFuYWdlbWVudCB8IElUIEdvdmVybmFu Y2UgfCBJbmZvcm1hdGlvbiBTZWN1cml0eSZuYnNwOzwvYj48L3NwYW4+PG86cD48L286cD48L3A+ DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ T24gRnJpLCBNYXkgMTMsIDIwMTYgYXQgNzo1NyBBTSwgSm9zaCBIb3dsZXR0ICZsdDs8YSBocmVm PSJtYWlsdG86Sm9zaC5Ib3dsZXR0QGppc2MuYWMudWsiIHRhcmdldD0iX2JsYW5rIj5Kb3NoLkhv d2xldHRAamlzYy5hYy51azwvYT4mZ3Q7IHdyb3RlOjxvOnA+PC9vOnA+PC9wPg0KPGJsb2NrcXVv dGUgc3R5bGU9ImJvcmRlcjpub25lO2JvcmRlci1sZWZ0OnNvbGlkICNDQ0NDQ0MgMS4wcHQ7cGFk ZGluZzowY20gMGNtIDBjbSA2LjBwdDttYXJnaW4tbGVmdDo0LjhwdDttYXJnaW4tcmlnaHQ6MGNt Ij4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4t dG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBzdHlsZT0iZm9u 
dC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7 Y29sb3I6IzFGNDk3RCI+SnVsaWFuLDwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRv bS1hbHQ6YXV0byI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRv cC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO2Nv bG9yOiMxRjQ5N0QiPlllcywgYnV0IG5vdGUgdGhhdCAoMikgaXMgYWN0dWFsbHkgYW4gaW5zdGFu Y2Ugb2YgKDEpLCBidXQgd2hlcmUgdGhlIG51bWJlciBvZiBwYXJ0aWVzIGhhcHBlbnMgdG8gYmUN CiBncmVhdGVyIHRoYW4gdHdvLiBUaGUgY2hvaWNlIG9mIHdoZXRoZXIgdG8gdXNlIGFuIGludGVy bmFsIG9yIGV4dGVybmFsIHJlZ2lzdHJ5IGlzIGp1c3QgYW4gb3BlcmF0aW9uYWwgcXVlc3Rpb24u IEhvd2V2ZXIsIEkgZG9u4oCZdCB0aGluayB0aGlzIG1ha2VzIFZvVCBzdXBlcmZsdW91czogaXQg c3RpbGwgaGFzIHZhbHVlIGFzIGEgd2F5IG9mIHNpZ25hbGxpbmcgYWx0ZXJuYXRlIHNlbWFudGlj cyBkZWZpbmVkIHdpdGhpbiB0aGUgdHJ1c3RtYXJrIGFncmVlbWVudC48L3NwYW4+PG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1 dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEu MHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjojMUY0 OTdEIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBz dHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8i PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkm cXVvdDssc2Fucy1zZXJpZjtjb2xvcjojMUY0OTdEIj5UaGlzIGRvZXMsIGhvd2V2ZXIsIHN1Z2dl c3QgdG8gbWUgdGhhdCBWb1QgaGFzIGxpbWl0ZWQgdXRpbGl0eSB3aGVuIHdvcmtpbmcgYWNyb3Nz IGFyYml0cmFyeSB0cnVzdG1hcmsNCiBhZ3JlZW1lbnRzLiBBbmQgc28gdG8gYmUgY2FuZGlkLCBh bmQgd2l0aG91dCB3aXNoaW5nIHRvIHNvdW5kIGRpc3Bpcml0aW5nLCBJIHN1c3BlY3QgdGhhdCB3 
b3JraW5nIG9uIHRoZSB0ZWNobmljYWwgc2lnbmFsbGluZyB3aXRob3V0IHVuZGVyc3RhbmRpbmcg aG93IHRoZXNlIGFncmVlbWVudHMgY2FuIGJlIGJvdW5kIHRvZ2V0aGVyIGlzIHBvc3NpYmx5IHBy ZW1hdHVyZTsgYXQgbGVhc3QgaWYgeW91IHdhbnQgc29tZXRoaW5nIG9mIGdlbmVyYWwNCiB1dGls aXR5LiBNb3JlIGF0dGVudGlvbiBpcyBuZWVkZWQgb24gY29tcG9zYWJsZSBwb2xpY3kgZnJhbWV3 b3JrcyBoYXZpbmcgY29tcGF0aWJsZSBzZW1hbnRpY3MsIGxpbmtlZCB0byBhbiB1bmRlcmx5aW5n IGxlZ2FsIGFyY2hpdGVjdHVyZSB0aGF0IHdvcmtzIHRyYW5zaXRpdmVseSBhY3Jvc3MgdGhvc2Ug YWdyZWVtZW50cy4gQmVpbmcgdGhlIElFVEYsIEkgdW5kZXJzdGFuZCB0aGF0IHRoaXMgcHJvYmFi bHkgaXNu4oCZdCB0aGUgdmVudWUgZm9yIHRoYXQNCiBkaXNjdXNzaW9uIDwvc3Bhbj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTpXaW5nZGluZ3M7Y29sb3I6IzFGNDk3 RCI+Sjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJt c28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PGEgbmFt ZT0ibV80Mzc0NTE4MDQ5MDgwMzUyMDY4X19NYWlsRW5kQ29tcG9zZSI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlm O2NvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48L2E+PG86cD48L286cD48L3A+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1i b3R0b20tYWx0OmF1dG8iPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5 OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjojMUY0OTdEIj5Kb3NoLjwvc3Bh bj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2lu LXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlm O2NvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxkaXYgc3R5bGU9 ImJvcmRlcjpub25lO2JvcmRlci1sZWZ0OnNvbGlkIGJsdWUgMS41cHQ7cGFkZGluZzowY20gMGNt IDBjbSA0LjBwdCI+DQo8ZGl2Pg0KPGRpdiBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLXRvcDpz b2xpZCAjRTFFMUUxIDEuMHB0O3BhZGRpbmc6My4wcHQgMGNtIDBjbSAwY20iPg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90 
dG9tLWFsdDphdXRvIj48Yj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5Gcm9tOjwvc3Bh bj48L2I+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+IEp1bGlhbg0KIFdoaXRlIFttYWls dG86PGEgaHJlZj0ibWFpbHRvOmp3aGl0ZUBudS1kLmNvbSIgdGFyZ2V0PSJfYmxhbmsiPmp3aGl0 ZUBudS1kLmNvbTwvYT5dDQo8YnI+DQo8Yj5TZW50OjwvYj4gMTMgTWF5IDIwMTYgMTM6NDM8YnI+ DQo8Yj5Ubzo8L2I+IEpvc2ggSG93bGV0dCAmbHQ7PGEgaHJlZj0ibWFpbHRvOkpvc2guSG93bGV0 dEBqaXNjLmFjLnVrIiB0YXJnZXQ9Il9ibGFuayI+Sm9zaC5Ib3dsZXR0QGppc2MuYWMudWs8L2E+ Jmd0Ozxicj4NCjxiPkNjOjwvYj4gQ2hyaXMgJmx0OzxhIGhyZWY9Im1haWx0bzpjbmRAZ2Vlay5u ZXQuYXUiIHRhcmdldD0iX2JsYW5rIj5jbmRAZ2Vlay5uZXQuYXU8L2E+Jmd0OzsNCjxhIGhyZWY9 Im1haWx0bzp2b3RAaWV0Zi5vcmciIHRhcmdldD0iX2JsYW5rIj52b3RAaWV0Zi5vcmc8L2E+OyBK dXN0aW4gUmljaGVyICZsdDs8YSBocmVmPSJtYWlsdG86anJpY2hlckBtaXQuZWR1IiB0YXJnZXQ9 Il9ibGFuayI+anJpY2hlckBtaXQuZWR1PC9hPiZndDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8 ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxicj4NCjxiPlN1YmplY3Q6PC9iPiBS ZTogW1ZvVF0gU2VjdXJpdHkgUHJvYmxlbSB3aXRoIFByaW1hcnkgQ3JlZGVudGlhbCBVc2FnZTxv OnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bztt c28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+Jm5ic3A7PG86cD48L286cD48L3A+DQo8ZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0 bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+Jm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bztt c28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+Sm9zaCw8bzpwPjwvbzpwPjwvcD4NCjxkaXY+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1h cmdpbi1ib3R0b20tYWx0OmF1dG8iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21z 
by1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj5UaGF0IGlzIGEgZ29vZCBxdWVzdGlvbiwgYW5kIGVx dWFsbHkgYXBwbGljYWJsZSB0byBob3cgd291bGQgYW4gUlAgdmVyaWZ5IHRoZSBjbGFpbSBvZiBh biBJZFA/PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs IiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1 dG8iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFs dDphdXRvIj5JIHRoaW5rIHRoZXJlIGFyZSBvbmx5IGEgZmV3IHVzYWJsZSBvcHRpb25zOyZuYnNw OzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5 bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj4m bmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi IHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0 byI+MSkgVGhlcmUgaXMgYSBkaXJlY3QgcmVsYXRpb25zaGlwIGJldHdlZW4gdGhlIHBhcnRpZXMg dGhhdCBhc3N1cmVzIHRoZSB0cnVzdHdvcnRoaW5lc3MgYmV0d2VlbiB0aGVtc2VsdmVzJm5ic3A7 b3V0c2lkZSBvZiB0aGUgYXNzZXJ0aW9uJm5ic3A7YW5kIHdpbGwgb25seSBhY2NlcHQgcmVxdWVz dHMvcmVzcG9uc2VzIGZyb20gZWFjaA0KIG90aGVyICh2aWEgc29tZSBtZWFucyBub3QgZGVmaW5l ZCBoZXJlKSAtIHRoaXMga2luZCBvZiBtYWtlcyB0aGUgVm9UIHZhbHVlIHN1cGVyZmx1b3VzIHNp bmNlIHRoZSBhbnN3ZXIgaXMgYWxyZWFkeSBrbm93bi4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwv ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1h bHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+Jm5ic3A7PG86cD48L286cD48L3A+ DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10 b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjIpIFRoZSB0cnVzdCBzY2hl bWVzIG9wZXJhdGUgc29tZSBzb3J0IG9mIHJlZ2lzdHJ5IHRoYXQgdGhlIFZvVCBsaW5rcyB0b28g LSBidXQgdGhlbiB0aGVyZSBhbHNvIG5lZWRzIHRvIGJlIHNvbWV0aGluZyB0aGF0IG1ha2VzIGl0 IGltcG9zc2libGUgZm9yIG1lIHRvIGltcGVyc29uYXRlIGEgbWVtYmVyIG9mDQogdGhhdCBzY2hl bWUgaW4gdGhlIFZvVCwgdGhpcyBpcyBzbGlnaHRseSBtb3JlIGNoYWxsZW5naW5nLjxvOnA+PC9v 
OnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1t YXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj4mbmJzcDs8bzpw PjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJt c28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+RG9lcyB0 aGF0IG1ha2Ugc2Vuc2U/PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0 b20tYWx0OmF1dG8iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4t Ym90dG9tLWFsdDphdXRvIj5KdWxpYW48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8 ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRv O21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjxkaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNv LW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPk9uIDEzIE1heSAyMDE2IGF0IDEyOjI2LCBKb3NoIEhv d2xldHQgJmx0OzxhIGhyZWY9Im1haWx0bzpKb3NoLkhvd2xldHRAamlzYy5hYy51ayIgdGFyZ2V0 PSJfYmxhbmsiPkpvc2guSG93bGV0dEBqaXNjLmFjLnVrPC9hPiZndDsgd3JvdGU6PG86cD48L286 cD48L3A+DQo8YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQg I0NDQ0NDQyAxLjBwdDtwYWRkaW5nOjBjbSAwY20gMGNtIDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0 O21hcmdpbi10b3A6NS4wcHQ7bWFyZ2luLXJpZ2h0OjBjbTttYXJnaW4tYm90dG9tOjUuMHB0Ij4N CjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9w LWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7Y29s b3I6IzFGNDk3RCI+SG93IGRvZXMgdGhlIElkUCB2ZXJpZnkgdGhlIFJQ4oCZcyBhdXRob3JpdHkg dG8gY2xhaW0gY29tcGxpYW5jZT88L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20t YWx0OmF1dG8iPjxhIG5hbWU9Im1fNDM3NDUxODA0OTA4MDM1MjA2OF9tXzUxNDg2MDY0MzMzNzI3 
NDMiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGli cmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PC9hPjxvOnA+ PC9vOnA+PC9wPg0KPGRpdiBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgYmx1 ZSAxLjVwdDtwYWRkaW5nOjBjbSAwY20gMGNtIDQuMHB0Ij4NCjxkaXY+DQo8ZGl2IHN0eWxlPSJi b3JkZXI6bm9uZTtib3JkZXItdG9wOnNvbGlkICNFMUUxRTEgMS4wcHQ7cGFkZGluZzozLjBwdCAw Y20gMGNtIDBjbSI+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3At YWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxiPjxzcGFuIGxhbmc9IkVOLVVT IiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7 LHNhbnMtc2VyaWYiPkZyb206PC9zcGFuPjwvYj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZv bnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlm Ij4gdm90DQogW21haWx0bzo8L3NwYW4+PGEgaHJlZj0ibWFpbHRvOnZvdC1ib3VuY2VzQGlldGYu b3JnIiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6 MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+dm90LWJv dW5jZXNAaWV0Zi5vcmc8L3NwYW4+PC9hPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1z aXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPl0N CjxiPk9uIEJlaGFsZiBPZiA8L2I+SnVsaWFuIFdoaXRlPGJyPg0KPGI+U2VudDo8L2I+IDEzIE1h eSAyMDE2IDEyOjEyPGJyPg0KPGI+VG86PC9iPiBDaHJpcyAmbHQ7PC9zcGFuPjxhIGhyZWY9Im1h aWx0bzpjbmRAZ2Vlay5uZXQuYXUiIHRhcmdldD0iX2JsYW5rIj48c3BhbiBsYW5nPSJFTi1VUyIg c3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90Oyxz YW5zLXNlcmlmIj5jbmRAZ2Vlay5uZXQuYXU8L3NwYW4+PC9hPjxzcGFuIGxhbmc9IkVOLVVTIiBz dHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNh bnMtc2VyaWYiPiZndDs8YnI+DQo8Yj5DYzo8L2I+IDwvc3Bhbj48YSBocmVmPSJtYWlsdG86dm90 QGlldGYub3JnIiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250 LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+ dm90QGlldGYub3JnPC9zcGFuPjwvYT48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6 
ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj47IEp1 c3RpbiBSaWNoZXINCiAmbHQ7PC9zcGFuPjxhIGhyZWY9Im1haWx0bzpqcmljaGVyQG1pdC5lZHUi IHRhcmdldD0iX2JsYW5rIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5qcmljaGVyQG1p dC5lZHU8L3NwYW4+PC9hPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBw dDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPiZndDs8YnI+DQo8 Yj5TdWJqZWN0OjwvYj4gUmU6IFtWb1RdIFNlY3VyaXR5IFByb2JsZW0gd2l0aCBQcmltYXJ5IENy ZWRlbnRpYWwgVXNhZ2U8L3NwYW4+PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJn aW4tYm90dG9tLWFsdDphdXRvIj4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1i b3R0b20tYWx0OmF1dG8iPkNocmlzLDxvOnA+PC9vOnA+PC9wPg0KPGRpdj4NCjxkaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21z by1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0 bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+WWVzIEkgc2VlIHlvdXIgcG9pbnQsIHNvIHRo ZSBSUCBzaG91bGQgYXNzZXJ0IHdpdGggd2hpY2ggdHJ1c3RtYXJrcyBpdCBjb21wbGllcyB0b28/ PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHls ZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPiZu YnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIg c3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRv Ij5SZWdhcmRzLDxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+ DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1h cmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPiZuYnNwOzxvOnA+ PC9vOnA+PC9wPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2lu 
LXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+T24gMTMgTWF5IDIwMTYg YXQgMTA6NDgsIENocmlzICZsdDs8YSBocmVmPSJtYWlsdG86Y25kQGdlZWsubmV0LmF1IiB0YXJn ZXQ9Il9ibGFuayI+Y25kQGdlZWsubmV0LmF1PC9hPiZndDsgd3JvdGU6PG86cD48L286cD48L3A+ DQo8YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0ND QyAxLjBwdDtwYWRkaW5nOjBjbSAwY20gMGNtIDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0O21hcmdp bi10b3A6NS4wcHQ7bWFyZ2luLXJpZ2h0OjBjbTttYXJnaW4tYm90dG9tOjUuMHB0Ij4NCjxkaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNv LW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtD YWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPkhpIEp1bGlhbiw8YnI+DQo8YnI+DQpJdCBpcyBsaWtl IEkgc2FpZCBhdCB0aGUgc3RhcnQuJm5ic3A7IFRoZSBlbnRpcmV0eSBvZiB0aGUgdHJ1c3RtYXJr IGlkZWEgZXZhbHVhdGVzIHRvIG9uZSBzaW5nbGUgc3RyZW5ndGggLSBldmVyeXRoaW5nIGlzIGVx dWFsbHkgdW50cnVzdHdvcnRoeSwgYmVjYXVzZSBpdCdzIGFsbCBvbmx5IHVuaWRpcmVjdGlvbmFs Ljxicj4NCjxicj4NCllvdSBjYW4ndCBzb2x2ZSB0cnVzdCB3aXRob3V0IGZpeGluZyBCT1RIIGVu ZHMuJm5ic3A7IEl0IGlzIGEgPGI+dHdvLXdheSA8L2I+c3RyZWV0LiZuYnNwOyBGb3IgYXMgbG9u ZyBhcyBhIHVzZXIgYW5kIHByb3h5IGFyZSBpbmRpc3Rpbmd1aXNoYWJsZSwgQzAgPT0gQ2EgPT0g Q2IgPT0gQ2QgPT0gQ2UgPT0gQ2YuPGJyPg0KPGJyPg0KSSBrbm93IGl0IHNvdW5kcyBsaWtlIGEg bGl0dGxlIHByb2JsZW0sIGJ1dCBzbyB3YXMgdGhlIGRlYnJpcyBvbiB0aGF0IGxhc3QgQ29uY29y ZGUncyBydW53YXkuJm5ic3A7IFRoaXMgaXMgdGhlIHNob3cgc3RvcHBlci48c3BhbiBzdHlsZT0i Y29sb3I6Izg4ODg4OCI+PGJyPg0KPGJyPg0KQ2hyaXMuPC9zcGFuPjwvc3Bhbj48bzpwPjwvbzpw PjwvcD4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJn aW4tdG9wLWFsdDphdXRvO21hcmdpbi1ib3R0b206MTIuMHB0Ij48c3BhbiBzdHlsZT0iZm9udC1m YW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj48YnI+DQo8YnI+DQo8YnI+DQpG cmlkYXksIE1heSAxMywgMjAxNiwgNTo1Mjo1NSBQTSwgeW91IHdyb3RlOjwvc3Bhbj48bzpwPjwv bzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjx0YWJsZSBjbGFzcz0iTXNv Tm9ybWFsVGFibGUiIGJvcmRlcj0iMCIgY2VsbHNwYWNpbmc9IjMiIGNlbGxwYWRkaW5nPSIwIj4N 
Cjx0Ym9keT4NCjx0cj4NCjx0ZCB3aWR0aD0iMiIgc3R5bGU9IndpZHRoOjEuMHB0O2JhY2tncm91 bmQ6Ymx1ZTtwYWRkaW5nOi43NXB0IC43NXB0IC43NXB0IC43NXB0Ij4NCjwvdGQ+DQo8dGQgc3R5 bGU9InBhZGRpbmc6Ljc1cHQgLjc1cHQgLjc1cHQgLjc1cHQiPg0KPHAgY2xhc3M9Ik1zb05vcm1h bCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDph dXRvIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNl cmlmIj5KdXN0aW4sPGJyPg0KPGJyPg0KRm9yIG15IG93biBjbGFyaXR5LCBjYW4gdGhlIFJQIHBh c3MgYSByZXF1ZXN0IGZvciBhIHNwZWNpZmljIHRydXN0bWFyaywgb3IgbGlzdCBvZiB0cnVzdG1h cmtzIHRoYXQgaXQgd2lsbCBhY2NlcHQ/IFRoZSB0ZXh0IHNlZW1zIHRvIGltcGx5IHRoYXQgdGhl eSB3aWxsIGdldCB3aGF0ZXZlciB0cnVzdG1hcmsgdGhlIElkUCBzZW5kcyBhbmQgaGF2ZSB0byBt YWtlIGEgZGVjaXNpb24gYmFzZWQgb24gdGhhdCBlYWNoIHRpbWUuIEluIHJlYWxpdHksIHNpbmNl DQogdGhlIGV2YWx1YXRpb24gb2YgdGhlIHRydXN0bWFyayBpcyBhIGN1bWJlcnNvbWUgbWFudWFs IHByb2Nlc3MgSSBzdXNwZWN0IFJQJ3Mgd2lsbCB3aGl0ZWxpc3QgdHJ1c3RtYXJrcyB0aGF0IHRo ZXkgd2lsbCBhY2NlcHQgc28gdGhlbiBpdCBzZWVtcyBpbmVmZmljaWVudCBmb3IgYW5kIElkUCB0 byByZXR1cm4gYSByZXNwb25zZSB1bmRlciBhIHRydXN0bWFyayB0aGUgUlAgd29uJ3QgYWNjZXB0 Ljxicj4NCjxicj4NClRoYW5rcyw8YnI+DQo8YnI+DQpKdWxpYW4uPGJyPg0KPGJyPg0KT24gMTIg TWF5IDIwMTYgYXQgMTk6NDksIEp1bGlhbiBXaGl0ZSAmbHQ7PC9zcGFuPjxhIGhyZWY9Im1haWx0 bzpqd2hpdGVAbnUtZC5jb20iIHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0iZm9udC1mYW1p bHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5qd2hpdGVAbnUtZC5jb208L3NwYW4+ PC9hPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2Vy aWYiPiZndDsgd3JvdGU6PGJyPg0KVGhhdCBtYWtlcyBzZW5zZSwgdGhvIHRoYXQgZGlkbid0IGNv bWUgYWNyb3NzIGluIHRoZSBkZXNjcmlwdGlvbiBvZiB0aGUgdHJ1c3RtYXJrLjxicj4NCjxzcGFu IHN0eWxlPSJjb2xvcjojODg4ODg4Ij5KdWxpYW48YnI+DQo8L3NwYW4+PHNwYW4gc3R5bGU9ImNv bG9yOmJsYWNrIj5PbiAxMiBNYXkgMjAxNiAxOTo0NSwgJnF1b3Q7SnVzdGluIFJpY2hlciZxdW90 OyAmbHQ7PC9zcGFuPjwvc3Bhbj48YSBocmVmPSJtYWlsdG86anJpY2hlckBtaXQuZWR1IiB0YXJn ZXQ9Il9ibGFuayI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDss 
c2Fucy1zZXJpZiI+anJpY2hlckBtaXQuZWR1PC9zcGFuPjwvYT48c3BhbiBzdHlsZT0iZm9udC1m YW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj4mZ3Q7DQogd3JvdGU6PGJyPg0K V2UgZXhwbGljaXRseSBsZWZ0IHRob3NlIGtpbmRzIG9mIHRoaW5ncyBvdXQgb2YgdGhlIHZlY3Rv ciBhcyB0aGV54oCZZCByZWFsbHkgYmUgcmVsYXRlZCB0byB0aGUgSWRQIGl0c2VsZiBhbmQgbm90 IHRoZSBhdXRoZW50aWNhdGlvbiB0cmFuc2FjdGlvbiB0byB3aGljaCB0aGUgVm9UIHJlZmVycy4g SW4gb3RoZXIgd29yZHMsIHRoZSBzZWN1cml0eSBvZiB0aGUgSWRQIGlzIHJlbGF0ZWQgdG8gdGhl IHRydXN0IGZyYW1ld29yayBhbmQgYXNzZXNzbWVudA0KIG9mIHRoZSBJZFAgYW5kIGl0IGNhbiBi ZSBwdWJsaXNoZWQgYXMgcGFydCBvZiB0aGUgSWRQ4oCZcyBkaXNjb3ZlcnkgZG9jdW1lbnRzIGFu ZCBhc3NvY2lhdGVkIHRydXN0IG1hcmtzLiBUaGlzIGlzIGluZm9ybWF0aW9uIHRoYXQgaXMgZ29p bmcgdG8gcmVtYWluIHRoZSBzYW1lIHJlZ2FyZGxlc3Mgb2YgdGhlIHRyYW5zYWN0aW9uLg0KPGJy Pg0KPGJyPg0KVGhpcyBpcyBhbHNvIHBhcnQgb2Ygd2h5IHlvdSBuZWVkIHRvIGhhdmUgYSB0cnVz dG1hcmsgY29udGV4dCB0byBpbnRlcnByZXQgdGhlIFZvVCBpbi48YnI+DQo8YnI+DQrigJQgSnVz dGluPGJyPg0KPGJyPg0KT24gTWF5IDEyLCAyMDE2LCBhdCAxMToxMSBBTSwgSnVsaWFuIFdoaXRl ICZsdDs8L3NwYW4+PGEgaHJlZj0ibWFpbHRvOmp3aGl0ZUBudS1kLmNvbSIgdGFyZ2V0PSJfYmxh bmsiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2Vy aWYiPmp3aGl0ZUBudS1kLmNvbTwvc3Bhbj48L2E+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZx dW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+Jmd0OyB3cm90ZTo8YnI+DQo8YnI+DQpIaSw8 YnI+DQo8YnI+DQpJIGhhdmUgYSBudW1iZXIgb2YgY29tbWVudHMgYW5kIHF1ZXN0aW9ucyAoc2Vl IGF0dGFjaGVkKSwgbWFueSBvZiB3aGljaCBhcmUgcmVsYXRlZCB0byB0aGUgaXNzdWVzIHJhaXNl ZCBieSBDaHJpcywgc29tZSBtYXliZSBteSBtaXN1bmRlcnN0YW5kaW5nIGNvbWluZyBpbiBoYWxm IHdheSB0aHJvdWdoIHRoZSBkcmFmdGluZyB0aG8uPGJyPg0KPGJyPg0KSSwgbGlrZSBDaHJpcywg YWxzbyB0aGluayB0aGVyZSBuZWVkcyB0byBiZSBzb21ldGhpbmcgbW9yZSBleHBsaWNpdCBhcm91 bmQgdGhlICZxdW90O3NlY3VyaXR5JnF1b3Q7IG9mIHRoZSBJZFAgYXV0aGVudGljYXRpb24gd2hp Y2ggaW5jbHVkZXMgdGhlIG1lYXN1cmVzIHRvIHRyeSBhbmQgZGV0ZWN0ICdvZGQnIHRoaW5ncyAo bGlrZSBNSVRNKS4gSSB3b3VsZCBhbHNvIGdvIG9uZSBzdGVwIGZ1cnRoZXIgaW4gdGhhdCBJIGFs 
c28gd2FudCB0byBrbm93IGFib3V0IHRoZQ0KIG1hdHVyaXR5IG9mIHRoZSBJZFAncyAmcXVvdDtz ZWN1cml0eSZxdW90OywgaXRzIG9mIG5vIHVzZSB0byBtZSBpZiB0aGV5IGhhdmUgcmVhbGx5IGdv b2QgY3JlZGVudGlhbHMgYnV0IHN0b3JlIGFsbCB0aGUgZGF0YSBpbiB0aGUgY2xlYXIgb24gdGhl aXIgd2Vic2l0ZSBvciBoYXZlIGEgbG9hZCBvZiBhZG1pbmlzdHJhdGl2ZSBiYWNrLWRvb3JzIHRo YXQgY291bGQgbGV0IGFueW9uZSBnZW5lcmF0ZSBhIHZhbGlkIGF1dGhlbnRpY2F0aW9uIHJlc3Bv bnNlLjxicj4NCjxicj4NCkl0IGZlZWxzIGxpa2Ugd2UgbmVlZCB0byBkbyBtb3JlIHdvcmsgaW4g dGhpcyBhcmVhLjxicj4NCjxicj4NClJlZ2FyZHMsPGJyPg0KPGJyPg0KSnVsaWFuLjxicj4NCjxi cj4NCk9uIDggTWF5IDIwMTYgYXQgMTM6MjQsIENocmlzICZsdDs8L3NwYW4+PGEgaHJlZj0ibWFp bHRvOmNuZEBnZWVrLm5ldC5hdSIgdGFyZ2V0PSJfYmxhbmsiPjxzcGFuIHN0eWxlPSJmb250LWZh bWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPmNuZEBnZWVrLm5ldC5hdTwvc3Bh bj48L2E+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1z ZXJpZiI+Jmd0OyB3cm90ZTo8YnI+DQpIaSBBbGwsPGJyPg0KPGJyPg0KSSB0aGluayB0aGVyZSBp cyBhIGNyaXRpY2FsIGZsYXcgaW4gc2VjdGlvbiAzLjIgb2YgPC9zcGFuPjxhIGhyZWY9Imh0dHBz Oi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1yaWNoZXItdmVjdG9ycy1vZi10cnVzdC0wMiIg dGFyZ2V0PSJfYmxhbmsiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1 b3Q7LHNhbnMtc2VyaWYiPmh0dHBzOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1yaWNoZXIt dmVjdG9ycy1vZi10cnVzdC0wMjwvc3Bhbj48L2E+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZx dW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+DQogKFByaW1hcnkgQ3JlZGVudGlhbCBVc2Fn ZSk8YnI+DQo8YnI+DQpNdXR1YWwtYXV0aGVudGljYXRpb24gaXMgbWlzc2luZy4mbmJzcDsgV2hl biBubyBwcm92aXNpb24gaXMgbWFkZSB0byBwcmV2ZW50IG1hbi1pbi10aGUtbWlkZGxlLCBjcmVk ZW50aWFsIGhhcnZlc3RpbmcsIHNwb29mLCBwaGlzaGluZywgbWFsd2FyZSwgb3Igb3RoZXIgY29t bW9uIHRocmVhdHMsIHRoaXMgcmVuZGVycyBhbGwgcG9zc2libGUgdmVjdG9ycyBDMCwgQ2EsIENi LCBDZCwgQ2UsIENmLCBhbmQgb3RoZXJzDQo8Yj5lcXVhbGx5PC9iPiB1bnRydXN0d29ydGh5Ljxi cj4NCjxicj4NCldlIHNob3VsZCBjb25zaWRlciBpbmNsdXNpb24gZWl0aGVyIGZvciB0aGUgb3Zl cmFsbCBzdHJlbmd0aCBvZiB0aGUgYXV0aGVudGljYXRpb24gcHJvY2Vzcywgb3Igc29tZSBicmVh 
a2Rvd24gb2YgZWl0aGVyIGFsbCB0aGUgdGVjaG5pcXVlcyB1c2VkIG9yIHRoZSBzdHJlbmd0aCBv ZiBwcm90ZWN0aW9uIGVtcGxveWVkIHRvIHRod2FydCBhdCBsZWFzdCBjb21tb24gYXR0YWNrIHNj ZW5hcmlvcy48YnI+DQo8YnI+DQpUaGlzIHByb2JsZW0gZ2V0cyB0cmlja3kgcXVpdGUgZmFzdDo8 YnI+DQo8YnI+DQpEbyB3ZSBpZGVudGlmeSB0aGUgYXV0aGVudGljYXRpb24gdGVjaG5vbG9neSB2 ZW5kb3I/IChpZiB5ZXMgLSB3aG8gd29ya3Mgb3V0IHRoZWlyIHJlc2lzdGFuY2Ugc3RyZW5ndGgg dG8gY29tbW9uIGF0dGFja3M/ICZuYnNwO3doYXQgYWJvdXQgZGlmZmVyZW50IG1vZGVzPyk8YnI+ DQpEbyB3ZSBicm9hZGx5IGlkZW50aWZ5IHRoZSB0ZWNobmlxdWVzICh3aG9zIG9waW5pb25zIGNv dW50IGFzIHRvIHdoZXRoZXIgb3Igbm90IHRoZSB0ZWNobmlxdWUgaXMgZWZmZWN0aXZlIGFuZCBh Z2FpbnN0IHdoYXQgdGhyZWF0cz8pPGJyPg0KRG8gd2UgaWRlbnRpZnkgb3IgY2xhc3NpZnkgdGhl IHRocmVhdHMgYW5kIGluZGljYXRlIHdoaWNoIG9uZXMgd2VyZSBtaXRpZ2F0ZWQgKHdobyBzaG91 bGQgYmUgdHJ1c3RlZCB0byBkZWNpZGUgaWYgdGhlc2UgcmVhbGx5IHdlcmUgbWl0aWdhdGVkPyk8 YnI+DQo8YnI+DQpGb3IgZXhhbXBsZSAtIHRhbXBlci1wcm9vZiBoYXJkd2FyZSBkaWdpdGFsIGNl cnRpZmljYXRlIGRldmljZXMgd2l0aCBiaW9tZXRyaWNzIHVubG9ja3MgYXJlIHRvdGFsbHkgdXNl bGVzcywgaWYgdGhlIHVzZXIgcGFpZCBubyBhdHRlbnRpb24gdG8gYSBicm9rZW4gU1NMIHdhcm5p bmcsIG9yIGhhcyBtYWx3YXJlLiZuYnNwOyBUaGV5J3JlIGFsc28gZXF1YWxseSB1c2VsZXNzIGlu IG1vc3QgY29ycG9yYXRlIGVudmlyb25tZW50cyB0aGF0IHVzZSBkZWVwLXBhY2tldA0KIGluc3Bl Y3Rpb24gZmlyZXdhbGxzIC0gYW5kICZxdW90O3VuZXhwZWN0ZWQgY2VydGlmaWNhdGVzJnF1b3Q7 IChlZy4gZnJvbSBEUEkgb3IgbWFsaWNpb3VzKSBjYXJyeSB0aGVpciBvd24gcHJpdmFjeSBwcm9i bGVtcyAoZWc6IHBhc3N3b3JkcyBhcmUgbm90IGFzICZxdW90O3Byb3RlY3RlZCZxdW90OyBhcyB5 b3UgdGhpbmspLiZuYnNwOyBNdWNoIG1vcmUgY29tbW9uIGF1dGhlbnRpY2F0aW9uICZxdW90O3By b3RlY3Rpb24mcXVvdDsgb2YgY291cnNlLCBhcmUgdHdvLXN0ZXAgb3Igc21zIG9uZSB0aW1lIGNv ZGVzDQogLSB3aGljaCBhcmUgZXF1YWxseSB1c2VsZXNzIHdoZW4gYW4gZW5kIHVzZXIgY2FuIGJl IHRyaWNrZWQgaW50byByZXZlYWxpbmcgdGhlbSB0byBzcG9vZiBzaXRlcy48YnI+DQo8YnI+DQo5 MSUgb2Ygc3VjY2Vzc2Z1bCBicmVhay1pbnMgc3RhcnQgZnJvbSBwaGlzaGluZy4mbmJzcDsgUmln aHQgbm93LCBldmVyeSB2ZWN0b3IgaXMgcG9pbnRpbmcgb25lIHdheSAtIHdlIG5lZWQgYXQgbGVh 
c3Qgb25lICZxdW90O1ZlY3RvciBvZiBUcnVzdCZxdW90OyB0byBwb2ludA0KPGI+YmFjazwvYj4g dGhlIG90aGVyIHdheSEgJm5ic3A7PGJyPg0KPGJyPg0KSG93IGFib3V0IGEgNXRoIHZlY3RvciAt ICZxdW90O1MmcXVvdDsgZm9yICZxdW90O1NlY3VyaXR5JnF1b3Q7LCB3aGljaCBzb21laG93IGFs bG93cyBhbiBSUCBhIGxldmVsIG9mIGNvbmZpZGVuY2UgaW4gdGhlIHByb3RlY3Rpb24gYWZmb3Jk ZWQgdG8gdGhlIHVzZXIncyBhY3R1YWwgYXV0aGVudGljYXRpb24gcHJvY2VzcywgaW4gdGVybXMg b2YgKG9yIGF0IGxlYXN0IGNvbnNpZGVyaW5nKSBhIHdpZGUgcmFuZ2Ugb2YgKGFuZCBhbGwgY29t bW9uKSBtb2Rlcm4gdGhyZWF0cy48YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iY29sb3I6Izg4ODg4 OCI+Q2hyaXMuPGJyPg0KPGJyPg0KPC9zcGFuPjxzcGFuIHN0eWxlPSJjb2xvcjpibGFjayI+X19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188YnI+DQp2b3QgbWFp bGluZyBsaXN0PGJyPg0KPC9zcGFuPjwvc3Bhbj48YSBocmVmPSJtYWlsdG86dm90QGlldGYub3Jn IiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkm cXVvdDssc2Fucy1zZXJpZiI+dm90QGlldGYub3JnPC9zcGFuPjwvYT48YnI+DQo8YSBocmVmPSJo dHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL3ZvdCIgdGFyZ2V0PSJfYmxhbmsi PjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYi Pmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vdm90PC9zcGFuPjwvYT48YnI+ DQo8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5z LXNlcmlmIj4mbHQ7ZHJhZnQtcmljaGVyLXZlY3RvcnMtb2YtdHJ1c3QtMDIuZG9jeCZndDtfX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXzxicj4NCnZvdCBtYWls aW5nIGxpc3Q8YnI+DQo8L3NwYW4+PGEgaHJlZj0ibWFpbHRvOnZvdEBpZXRmLm9yZyIgdGFyZ2V0 PSJfYmxhbmsiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNh bnMtc2VyaWYiPnZvdEBpZXRmLm9yZzwvc3Bhbj48L2E+PGJyPg0KPGEgaHJlZj0iaHR0cHM6Ly93 d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby92b3QiIHRhcmdldD0iX2JsYW5rIj48c3BhbiBz dHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5odHRwczov L3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL3ZvdDwvc3Bhbj48L2E+PG86cD48L286cD48 L3A+DQo8L3RkPg0KPC90cj4NCjwvdGJvZHk+DQo8L3RhYmxlPg0KPHAgY2xhc3M9Ik1zb05vcm1h 
bCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21hcmdpbi1ib3R0b206MTIuMHB0Ij4m bmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttYXJnaW4tYm90dG9tOjEy LjBwdCI+PGJyPg0KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X188YnI+DQp2b3QgbWFpbGluZyBsaXN0PGJyPg0KPGEgaHJlZj0ibWFpbHRvOnZvdEBpZXRmLm9y ZyIgdGFyZ2V0PSJfYmxhbmsiPnZvdEBpZXRmLm9yZzwvYT48YnI+DQo8YSBocmVmPSJodHRwczov L3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL3ZvdCIgdGFyZ2V0PSJfYmxhbmsiPmh0dHBz Oi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vdm90PC9hPjxvOnA+PC9vOnA+PC9wPg0K PC9ibG9ja3F1b3RlPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1h cmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPiZuYnNwOzxvOnA+ PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2lu LWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo3LjVwdDtmb250LWZhbWls eTomcXVvdDtDb3JiZWwmcXVvdDssc2Fucy1zZXJpZiI+PGJyPg0KSmlzYyBpcyBhIHJlZ2lzdGVy ZWQgY2hhcml0eSAobnVtYmVyIDExNDk3NDApIGFuZCBhIGNvbXBhbnkgbGltaXRlZCBieSBndWFy YW50ZWUgd2hpY2ggaXMgcmVnaXN0ZXJlZCBpbiBFbmdsYW5kIHVuZGVyIENvbXBhbnkgTm8uIDU3 NDczMzksIFZBVCBOby4gR0IgMTk3IDA2MzIgODYuIEppc2PigJlzIHJlZ2lzdGVyZWQgb2ZmaWNl IGlzOiBPbmUgQ2FzdGxlcGFyaywgVG93ZXIgSGlsbCwgQnJpc3RvbCwgQlMyIDBKQS4gVCAwMjAz IDY5NyA1ODAwLjxicj4NCjxicj4NCkppc2MgU2VydmljZXMgTGltaXRlZCBpcyBhIHdob2xseSBv d25lZCBKaXNjIHN1YnNpZGlhcnkgYW5kIGEgY29tcGFueSBsaW1pdGVkIGJ5IGd1YXJhbnRlZSB3 aGljaCBpcyByZWdpc3RlcmVkIGluIEVuZ2xhbmQgdW5kZXIgY29tcGFueSBudW1iZXIgMjg4MTAy NCwgVkFUIG51bWJlciBHQiAxOTcgMDYzMiA4Ni4gVGhlIHJlZ2lzdGVyZWQgb2ZmaWNlIGlzOiBP bmUgQ2FzdGxlIFBhcmssIFRvd2VyIEhpbGwsIEJyaXN0b2wgQlMyIDBKQS4gVCAwMjAzDQogNjk3 IDU4MDAuIDwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9ibG9ja3F1b3RlPg0KPC9k aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87 
From nobody Fri May 13 15:39:27 2016
From: Justin Richer
To: Julian White
Cc: Chris, vot@ietf.org
Date: Fri, 13 May 2016 17:39:16 -0500
Subject: Re: [VoT] Security Problem with Primary Credential Usage
Message-Id: <6C12DA4D-839A-4C1A-813D-988E8318220C@mit.edu>
References: <1523279479.20160508222427@CryptoPhoto.com> <753DBE1F-3891-4BB6-811B-5B8682A81A28@mit.edu>

That seems like a reasonable mechanism, though this is the first it's been brought up. It was only in the last revision or so that we really tied the vector tightly to the trustmark concept, which itself needs to be more fully defined outside of the VoT concept.

— Justin

> On May 13, 2016, at 2:52 AM, Julian White <jwhite@nu-d.com> wrote:
>
> Justin,
>
> For my own clarity, can the RP pass a request for a specific trustmark, or list of trustmarks that it will accept? The text seems to imply that they will get whatever trustmark the IdP sends and have to make a decision based on that each time. In reality, since the evaluation of the trustmark is a cumbersome manual process I suspect RPs will whitelist trustmarks that they will accept, so then it seems inefficient for an IdP to return a response under a trustmark the RP won't accept.
>
> Thanks,
>
> Julian.
>
> On 12 May 2016 at 19:49, Julian White <jwhite@nu-d.com> wrote:
> That makes sense, tho that didn't come across in the description of the trustmark.
>
> Julian
>
> On 12 May 2016 19:45, "Justin Richer" <jricher@mit.edu> wrote:
> We explicitly left those kinds of things out of the vector as they'd really be related to the IdP itself and not the authentication transaction to which the VoT refers. In other words, the security of the IdP is related to the trust framework and assessment of the IdP and it can be published as part of the IdP's discovery documents and associated trust marks. This is information that is going to remain the same regardless of the transaction.
>
> This is also part of why you need to have a trustmark context to interpret the VoT in.
>
> — Justin
>
>> On May 12, 2016, at 11:11 AM, Julian White <jwhite@nu-d.com> wrote:
>>
>> Hi,
>>
>> I have a number of comments and questions (see attached), many of which are related to the issues raised by Chris, some maybe my misunderstanding coming in half way through the drafting tho.
>>
>> I, like Chris, also think there needs to be something more explicit around the "security" of the IdP authentication which includes the measures to try and detect 'odd' things (like MITM). I would also go one step further in that I also want to know about the maturity of the IdP's "security"; it's of no use to me if they have really good credentials but store all the data in the clear on their website or have a load of administrative back-doors that could let anyone generate a valid authentication response.
>>
>> It feels like we need to do more work in this area.
>>
>> Regards,
>>
>> Julian.
>>
>> On 8 May 2016 at 13:24, Chris <cnd@geek.net.au> wrote:
>> Hi All,
>>
>> I think there is a critical flaw in section 3.2 of https://tools.ietf.org/html/draft-richer-vectors-of-trust-02 (Primary Credential Usage)
>>
>> Mutual-authentication is missing. When no provision is made to prevent man-in-the-middle, credential harvesting, spoof, phishing, malware, or other common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce, Cf, and others equally untrustworthy.
>>
>> We should consider inclusion either for the overall strength of the authentication process, or some breakdown of either all the techniques used or the strength of protection employed to thwart at least common attack scenarios.
>>
>> This problem gets tricky quite fast:
>>
>> Do we identify the authentication technology vendor? (if yes - who works out their resistance strength to common attacks? what about different modes?)
>> Do we broadly identify the techniques (whose opinions count as to whether or not the technique is effective and against what threats?)
>> Do we identify or classify the threats and indicate which ones were mitigated (who should be trusted to decide if these really were mitigated?)
>>
>> For example - tamper-proof hardware digital certificate devices with biometric unlocks are totally useless if the user paid no attention to a broken SSL warning, or has malware. They're also equally useless in most corporate environments that use deep-packet inspection firewalls - and "unexpected certificates" (eg. from DPI or malicious) carry their own privacy problems (eg: passwords are not as "protected" as you think). Much more common authentication "protection", of course, is two-step or SMS one-time codes - which are equally useless when an end user can be tricked into revealing them to spoof sites.
>>
>> 91% of successful break-ins start from phishing. Right now, every vector is pointing one way - we need at least one "Vector of Trust" to point back the other way!
>>
>> How about a 5th vector - "S" for "Security", which somehow allows an RP a level of confidence in the protection afforded to the user's actual authentication process, in terms of (or at least considering) a wide range of (and all common) modern threats.
>>
>> Chris.
>>
>> _______________________________________________
>> vot mailing list
>> vot@ietf.org
>> https://www.ietf.org/mailman/listinfo/vot
>>
>> <draft-richer-vectors-of-trust-02.docx>
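The RP-side allow-listing Julian describes, together with Justin's point that a vector is only interpretable in its trustmark context, as an added example that is not part of this thread or of the draft. The ID Token claim names "vot" and "vtm" and the component letters P, C, M, A are assumed from the draft; the trustmark URL, the RP policy and the sample token are constructed.

```python
# Added example (not from the VoT draft or any list participant): an RP-side
# check that reads a Vector of Trust only under a trustmark the RP has
# already assessed and allow-listed.  Everything below is constructed.
import re
from typing import Dict, Set

# Constructed RP policy, one entry per trustmark the RP has evaluated.
# "components": the component letters that trustmark defines, so a component
# the trustmark never defined (say an "S" value) cannot be read as meaning
# anything; "accept_C": the Primary Credential Usage values the RP treats as
# sufficient for this transaction (key-possession proofs only).
ACCEPTED_TRUSTMARKS: Dict[str, Dict[str, Set[str]]] = {
    "https://trustmark.example/vot-profile-1": {   # constructed URL
        "components": {"P", "C", "M", "A"},
        "accept_C": {"d", "e", "f"},
    },
}

COMPONENT_RE = re.compile(r"^([A-Z])([a-z0-9])$")   # e.g. "P1", "Ce", "Ac"

def parse_vot(vot: str) -> Dict[str, Set[str]]:
    """Split 'P1.Ce.Ac' into {'P': {'1'}, 'C': {'e'}, 'A': {'c'}}.
    A component may carry several values (e.g. 'Ca.Cf'); malformed parts raise."""
    parsed: Dict[str, Set[str]] = {}
    for part in vot.split("."):
        match = COMPONENT_RE.match(part)
        if match is None:
            raise ValueError(f"malformed vector component {part!r}")
        letter, value = match.groups()
        parsed.setdefault(letter, set()).add(value)
    return parsed

def evaluate(claims: dict) -> bool:
    """True only if the trustmark is allow-listed, every component is one the
    trustmark defines, and at least one C value meets the RP's floor."""
    policy = ACCEPTED_TRUSTMARKS.get(claims.get("vtm", ""))
    if policy is None:
        return False                 # unknown trustmark: vector is uninterpretable
    try:
        vector = parse_vot(claims.get("vot", ""))
    except ValueError:
        return False                 # missing or malformed vector
    if not set(vector) <= policy["components"]:
        return False                 # a component this trustmark never defined
    return bool(vector.get("C", set()) & policy["accept_C"])

# Constructed ID Token claims for a try-out run (not a real IdP response).
SAMPLE_CLAIMS = {
    "iss": "https://idp.example", "sub": "user-123",
    "vot": "P1.Ce.Ac", "vtm": "https://trustmark.example/vot-profile-1",
}

if __name__ == "__main__":
    print("accepted" if evaluate(SAMPLE_CLAIMS) else "rejected")
```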